JNI Call to MIP SDK gives error - Can't open database, check folder permissions: mip_data\mip\mip.policies.sqlite3 - java-native-interface

We have an application in Java where Java security is enabled. We need to fetch the tags from the AIP cloud. We could get the access token using the msal4j Java library.
There is no Java library provided by MS for MIP, so we have implemented a native DLL to fetch the AIP labels. This DLL is integrated with our web application. The application makes JNI calls to the native library to fetch the labels.
I think the MIP SDK creates the SQLite database to cache the labels, so it creates the SQLite file on the local disk internally. But as security is enabled, I am getting an access denied error from the MIP DLL:
"Can't open database, check folder permissions: mip_data\mip\mip.policies.sqlite3"
I have tried granting the permissions below in manager.policy, but it is not working:
grant codeBase "../Protect/lib/native/*" {
    permission java.io.FilePermission "../Protect/bin/mip_data/mip/mip.policies.sqlite3", "read,write,delete";
    permission java.io.FilePermission "../Protect/bin/mip_data/mip", "read,write,delete";
    permission java.io.FilePermission "../Protect/bin/mip_data", "read,write,delete";
    permission java.io.FilePermission "../Protect/bin", "read,write,delete";
};
grant codeBase "../Protect/lib/native/-" {
    permission java.io.FilePermission "../Protect/bin/mip_data/mip/mip.policies.sqlite3", "read,write,delete";
    permission java.io.FilePermission "../Protect/bin/mip_data/mip", "read,write,delete";
    permission java.io.FilePermission "../Protect/bin/mip_data", "read,write,delete";
    permission java.io.FilePermission "../Protect/bin", "read,write,delete";
};
grant codeBase "../Protect/lib/native/-" {
    permission java.io.FilePermission "../Protect/bin/mip_data/mip/mip.policies.sqlite3", "read,write,delete";
    permission java.io.FilePermission "../Protect/bin/mip_data/mip", "read,write,delete";
    permission java.io.FilePermission "../Protect/bin/mip_data", "read,write,delete";
    permission java.io.FilePermission "../Protect/bin", "read,write,delete";
};
grant codeBase "file:${catalina.home}/webapps/ProtectManager/WEB-INF/lib/*" {
    permission java.io.FilePermission "../Protect/bin/mip_data/mip/mip.policies.sqlite3", "read,write,delete";
    permission java.io.FilePermission "../Protect/bin/mip_data/mip", "read,write,delete";
    permission java.io.FilePermission "../Protect/bin/mip_data", "read,write,delete";
    permission java.io.FilePermission "../Protect/bin", "read,write,delete";
};
How does Java security work in the case of JNI? Does it inherit all the permissions for native calls?

Which OS are you using? I can't answer your Java question, but we do have a private preview of the MIP SDK Java Wrapper on Windows. We plan to expand to a few Linux distros in the near future, but are collecting feedback on the Windows version first.
If you're interested, I'm happy to provide a build.

even after adding public key to GCP ssh keys, get error SSHing in "Permission denied (publickey)"

I have a Google VM I've been SSHing into every day for about six months.
Today, all of a sudden, neither I nor my teammates can get into this machine, either SSHing from our own terminals or even trying to use the web terminal gcloud gives you, so that I could manually edit the ~/.ssh information on the remote server.
The error each time is just "Permission denied (publickey)".
So far I have:
regenerated my local value for id_rsa.pub
uninstalled the Google SDK, thinking that on reinstallation it would have to cycle in new key values (I know it does some metadata exchange itself...)
deleted all the project SSH keys, then re-added the newly generated one
reinstalled the Google SDK
used the gcloud SDK command line to force regeneration
oh yeah: obviously cycled the VM off and on to rule out random/silly reasons
I'm pretty lost at the moment. Any advice, or input from people who have gone through something similar, is appreciated. I've looked through these questions, but either the advice didn't fix it or it wasn't relevant to my situation:
GitHub Error Message - Permission denied (publickey)
How to solve Permission denied (publickey) error when using Git?
https://serverfault.com/questions/641453/unable-to-ssh-to-gce-permission-denied-publickey

Can't see shared machine images in project

I'm following the Using Images from Other Projects guide.
There is a project A in which I am granted compute.imageUser (not owner) and a project B that I own. Project A has a machine image which I want to use in project B to create a virtual machine.
Even after being granted access to them, I can't see the machine images under the Compute Engine tab in the console of project B.
Has someone experienced something similar to that and would like to help me out?
Thank you
First, make sure you have a proper service account name bound to project A. Here are the step-by-step instructions on how to find the correct service account (it sounds trivial, but any misspelled character will result in access denied).
There are some limitations to that (make sure none of these apply):
You must grant the compute.imageUser role on the project level.
Granting the compute.imageUser role grants permissions to all images in the specific project. It is not possible to share specific images.
You must grant this role to specific users, and not to allAuthenticatedUsers or allUsers.
Furthermore, you can create your own custom image and share it, but you would have to get additional permissions in project A:
compute.images.create to create new images
compute.images.list to list images in the project
compute.disks.use if the image will be created from a disk
compute.disks.list if you want to grant users the ability to see a list of disks in the project
If you need access to just one or two images, the latter solution (sharing custom images) may be best for you.

Implementing Resource Based Constrained Delegation

I'm looking to implement Resource Based Constrained Delegation in C++, which is new to Windows Server 2012.
Edit: Code for an IIS module that does this would also be great.
Rather than the classic KCD, where an account is allowed to delegate to a specific SPN, here accounts can be permitted to delegate to any programs being run by a specific user account.
Permission is granted by modifying the "-PrincipalsAllowedToDelegateToAccount" property of the user running the service being delegated to.
See this for more info: Resource Based Constrained Delegation
Can anyone provide me with code samples that implement this or useful resources?
Even references to commercial products that use this new feature could be useful.
Thanks,
Dave
To configure a resource service to allow a front-end service access on behalf of users, use Windows PowerShell cmdlets.
To retrieve a list of principals, use the Get-ADComputer, Get-ADServiceAccount, and Get-ADUser cmdlets with the -Properties PrincipalsAllowedToDelegateToAccount parameter.
To configure the resource service, use the New-ADComputer, New-ADServiceAccount, New-ADUser, Set-ADComputer, Set-ADServiceAccount, and Set-ADUser cmdlets with the -PrincipalsAllowedToDelegateToAccount parameter.

How to add more devices to AWS root account MFA

I already have Google Authenticator installed on my iPhone and I'm using it to sign in to my AWS root account. I want to add the ability to log in with MFA using my Android phone as well, using a corresponding token-generator Android app.
Is it possible to add a second device, and how exactly? Or is AWS root account MFA bound to one (virtual) device?
🚨 AWS finally provides support for adding additional MFA devices. 🚨
As of November 16, 2022:
https://aws.amazon.com/blogs/security/you-can-now-assign-multiple-mfa-devices-in-iam
I'm leaving the old answer below for reference, but it should no longer be needed.
You can only have one MFA device tied to your root account. You would need to set up a separate IAM user account for your separate device.
From the FAQ:
Q. Can I have multiple authentication devices active for my AWS account?
Yes. Each IAM user can have its own authentication device. However, each identity (IAM user or root account) can be associated with only one authentication device.
Update: So while it's not officially supported, here is one guy who claims he was able to register Google Authenticator on two devices by doing both at the exact same time with the same QR code. Granted, he's not doing this with AWS, but it could be worth a try.
https://www.quora.com/Can-Google-Authenticator-be-used-on-multiple-devices
Update 2: I've started using Authy for MFA rather than Google Authenticator. One of the cool things Authy now supports is multiple devices for all your MFA tokens. I currently have my phone and my tablet set up with access to my AWS account using Authy Multi Device.
http://blog.authy.com/multi-device
Here is the solution:
When the AWS MFA page shows the barcode, scan the barcode from different devices (I've tried with 3) at the same time. They create the same code; I filled in the form with the same codes and it works.
This is not really a new answer, but it tries to clarify and to explain a little better (or at least differently) why different virtual devices can be considered to be one virtual device.
At the moment (2020-05-07) you cannot have two different authentication devices for the same user (like more than one of the following: a U2F USB key / a virtual device / a hardware device).
However, you can install the same virtual device application on multiple devices (mobile phones / tablets / PCs) if you initialize them all with the same initialization code (QR code).
The virtual MFA device is just an implementation of the TOTP algorithm ( https://en.wikipedia.org/wiki/Time-based_One-time_Password_algorithm ).
Each TOTP application has to be initialized with a 'secret' code (the QR code).
So if you scan the same QR code with different TOTP apps, then all of these apps can authenticate (they will behave identically).
When initializing at AWS you are asked to enter two consecutive codes generated by your TOTP app.
(Just enter them from any of the apps that you initialized with the QR code.
Or, if you are really crazy, create one code with one app and then create another code with the other app. Just enter the code that was generated first, first.)
Afterwards all virtual devices will work and are completely interchangeable.
You could even 'archive' the QR code image in a safe place and add other virtual devices later (the QR code contains just the secret required to initialize the TOTP application). It does not expire.
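The TOTP mechanism this answer describes, as an added example (not code from the post or from AWS): two virtual devices initialised from the same QR secret produce identical codes, and the two consecutive codes the enrolment form asks for are simply this 30-second window's code and the next one's. The secret is the RFC 6238 test-vector key, and verify_enrollment is an assumed, simplified model of the server-side check, not AWS's implementation.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # TOTP time step used by virtual MFA apps (RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


class VirtualMfaDevice:
    """One TOTP app instance, initialised from the base32 secret that the QR code carries."""

    def __init__(self, base32_secret: str):
        self.secret = base64.b32decode(base32_secret, casefold=True)

    def code(self, unix_time: int) -> str:
        # RFC 6238: the counter is the number of 30-second steps since the Unix epoch
        return hotp(self.secret, unix_time // STEP_SECONDS)


def enrollment_codes(device: VirtualMfaDevice, unix_time: int) -> tuple:
    """The two consecutive codes an enrolment form asks for: this window's and the next one's."""
    return device.code(unix_time), device.code(unix_time + STEP_SECONDS)


def verify_enrollment(base32_secret: str, code1: str, code2: str,
                      unix_time: int, skew_steps: int = 1) -> bool:
    """Assumed server-side check (not AWS's code): accept the pair only if the two codes
    belong to consecutive windows near the current time, tolerating +/- skew_steps of clock skew."""
    secret = base64.b32decode(base32_secret, casefold=True)
    now = unix_time // STEP_SECONDS
    return any(hotp(secret, c) == code1 and hotp(secret, c + 1) == code2
               for c in range(now - skew_steps, now + skew_steps + 1))


# Constructed example secret: the RFC 6238 test-vector key, base32-encoded as a QR code would carry it
QR_SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    phone, tablet = VirtualMfaDevice(QR_SECRET), VirtualMfaDevice(QR_SECRET)
    t = 59  # RFC 6238 test time: both apps show 287082
    print(phone.code(t), tablet.code(t))  # identical: same secret, same 30-second window
    first, second = enrollment_codes(phone, t)
    print(verify_enrollment(QR_SECRET, first, second, t))   # True
    print(verify_enrollment(QR_SECRET, second, first, t))   # False: codes in the wrong order
```

Because the secret alone reproduces every future code, the archived QR image deserves the same protection as a password.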
From AWS Organizations documentation:
If you choose to use a virtual MFA application, then unlike our recommendation for the management account root user, for member accounts you can re-use a single MFA device for multiple member accounts. You can address geographic limitations by printing and securely storing the QR code used to configure the account in the virtual MFA application. Document the QR code's purpose, and seal and store it in accessible safes across the time zones you operate in, according to your information security policy. Then, when access is needed in a different geographic location, the local copy of the QR code can be retrieved and used to configure a virtual MFA app in the new location.
I actually tried using the same secret configuration key from AWS on an iPhone, an iPad and an Android using Google Authenticator, and they all worked fine. The same as what #Jaap did.
In addition to the solutions above:
1) You cannot make a QR code reappear after attaching an MFA device to an AWS account. So if you need to add another virtual MFA device, delete the existing device, reattach it, take a screenshot of the QR code (or save the secret code) and then scan this QR code with another device.
2) The QR code does not expire. I could use my code weeks after initialization.
You can export your accounts from Google Authenticator to another device without losing access to them from your current device.
I discovered this when I was upgrading my mobile device and found that my new device would show the exact same MFA codes as my current device at the same time.
On your current MFA device, open Google Authenticator and tap "..." in the upper right corner
In the menu, select "Export accounts", then tap "Continue"
You will see a list of accounts, so select the ones you want to enable on the new device and then tap "Export"
You will be shown a QR code, which you then scan from the new device

Deploying OpenEMR on CloudFoundry

I set up Cloud Foundry in my lab environment. I am trying to deploy OpenEMR (http://www.open-emr.org/) on it.
This application needs write permissions on some files and folders. The application pushed successfully and is running, but I don't know how to grant write permissions on these files and folders. Because of the permission problem, I am stuck at installation and the application did not install.
Please tell me how I can grant write permission for the required folders and files.
Thanks
Rana Faisal Munir
The filesystem on Cloud Foundry is ephemeral; if you restart the application, anything written to the filesystem will be lost. I would look at other ways of persisting the data within the application.