Issue with Tectia SFTP referencing ppk file but still prompting for a password - sftp

I have been tasked with swapping out PSFTP for Tectia SFTPG3 ftp client for a large number of ETL jobs that run unattended from the command line. We have some SFTP sites that we authenticate to by referencing a PPK file with the -i option. In these cases, we do not use a password. So using PSFTP the command is something like...
psftp.exe -i "C:\somepath\somesshkeyfile.PPK" someusername@somesftpsite.com
This works. If the key does not exist in the cache, we get a response asking us if we want to cache it and our code responds to that. When I try the same thing with Tectia's SFTPG3.exe I still get prompted for a password which we do not have and does not exist. I have tried it with the -i option and their -K option. Same thing happens either way. Yesterday morning I emailed our contact at Tectia, and yesterday afternoon I copied the info email address on their website. I still have not heard back. Neither of these appear to work as expected.
sftpg3.exe -i "C:\somepath\somesshkeyfile.PPK" someusername@somesftpsite.com
sftpg3.exe -K "C:\somepath\somesshkeyfile.PPK" someusername@somesftpsite.com

SOPS won't decrypt a file if encrypted with an AssumedRole (and trying to decrypt without it using the same key)

I'm looking into SOPS as a possible solution for us to encrypt secrets and push them to our repo.
I've been playing around with it and it's exactly what I need, except for a small issue. I'm hoping this is me just not finding the right documentation.
For the sake of simplicity let's say we have 2 AWS accounts, A and B.
In account A we've got:
Our "human" users who will be encrypting/decrypting secrets from their local machines.
KMS key
Role that users from other accounts can assume to use that KMS key.
In account B:
User a Jenkins script will use to decrypt secrets
To encrypt a file with my local user I'm doing:
sops --kms arnofthekey -e -i filename.yaml
And to decrypt it:
sops --kms arnofthekey -d -i filename.yaml
Works like a charm.
If I do it as my Jenkins user:
sops --kms arnOfTheKey+arnOfTheRole -e -i filename.yaml
sops --kms arnOfTheKey+arnOfTheRole -d -i filename.yaml
Everything works like a charm as long as I encrypt/decrypt in the same place.
I then tried to encrypt with Jenkins and decrypt locally. I got an error informing me I'm not allowed to assume the role Jenkins used. Which is absolutely true.
Here's what I don't understand: the KMS key is the same one in both cases. However, I can see the encrypted file keeps a record of the role. I thought since the key is the same, this should work.
Is there some sort of configuration I'm missing?
Thanks!
Digging a bit more I found an open ticket from a year ago. I guess, at the moment, this is something that can't be done directly with sops.
https://github.com/mozilla/sops/issues/555
The solution I found was allowing my human users to assume the same role Jenkins does. Should've thought about it earlier :)

SSH Key Permission Denied

I'm trying to set up cloud hosting with Digital Ocean.
Please skip to the bold part with asterisks (***) for the actual problem. Everything below here, above that part is background info.
I need to generate an RSA key pair, so I navigate to my ~/.ssh/ directory with cd ~/.ssh/, then:
ssh-keygen -t rsa
I already have existing id_rsa and id_rsa.pub files, so when prompted:
Enter file in which to save the key (/demo/.ssh/id_rsa):
I enter the following to create a new pair:
~/.ssh/id_cloudhosting
I'm then asked for a passphrase, which I simply press return for "no password":
Enter passphrase (empty for no passphrase):
I repeat the above for confirmation, and the final output looks as follows (just a demo image):
Now that I have two new files, id_cloudhosting and id_cloudhosting.pub I need to copy the contents of the public file to my Digital Ocean hosting 'Add SSH console'. I do that like so:
cat ~/.ssh/id_cloudhosting.pub
Which returns the contents of the file:
ssh-rsa
bUnChOFcOd3scrambledABCDEFGHIJKLMNOPQRSTUVWXYZnowIknowmy
ABCnextTIMEwontyouSINGwithmeHODOR demo@a
I paste the key into my hosting console and it saves successfully.
The next step is where the permission issues start: ****************
I need to "spin up a new server" - step four from their docs. So I enter the following:
cat ~/.ssh/id_worker.pub | ssh root@[my.hosting.ip.address] "cat >> ~/.ssh/authorized_keys"
Which should copy the public key as root to a newly created file called authorized_keys
This step never gets created because I'm immediately asked for a password to my host. I didn't ever create one! I pressed return (or enter) at that point, so I do the same when prompted, and get permission denied!
root@[host.ip.address]'s password:
Permission denied, please try again.
root@[host.ip.address]'s password:
Permission denied, please try again.
root@[host.ip.address]'s password:
Permission denied (publickey,password).
How can I rectify these permission denied issues?
EDIT: FIX BELOW
It seems as though, by using an unconventional (other than id_rsa) file, I needed to explicitly identify the file by doing the following:
ssh root@droplet.ip.address -i /path/to/private_key_file
...be sure not to use the public_key_file there. I am now connected to the server from my terminal. This is after destroying my previous droplet, creating a fresh one, with fresh key files, as @will-barnwell suggested.
Assuming you have followed the linked guide up to and through Step Three, when you create a new server from their Web UI use the "Add SSH Keys" option and select the key you added to your account previously.
When actually spinning up a new server, select the keys that you would
like installed on your server from the "Create a Droplet" screen. You
can select as many keys as you like:
Once you click on the SSH key, the text saying, "Your
root password will be emailed to you" will disappear, and you will not
receive an email confirmation that your server has been created.
The command you were using was to add an ssh key to a pre-existing server. Judging from the above quote I bet the password that you are being prompted for is in your email.
Why?
When you create a server on Digital Ocean (or really most cloud hosting services) a root password is automatically generated for you, unless you set the server up with an authorization key.
Using key authentication is definitely a good security choice, but make sure to read the instructions carefully, don't just copy/paste commands and expect it all to work out.
EDIT: OP's comments on the question have shed additional light on the matter.
New Advice: Blow your server away and set up the SSH keys as suggested, your server is probably unusable if it is not accepting your old SSH key and is prompting you for a password you don't have.
Be careful messing around with your last auth key, add a new one before removing an old one.

Syncing images folder on two servers

Is there a way to sync the images folder between my live server and the staging server, so that when a new image is added to the live server it is copied automatically to staging?
I'm currently on Rackspace servers (both of them).
You haven't mentioned what operating system you're using, or how immediate you want this to happen. I would look into using rsync. Set up login using ssh key authentication (instead of password), and add a cron job that runs it regularly.
On live, as the user that does the copying run this command:
ssh-keygen
(Leave the passphrase empty).
Next copy the public key to the staging server (make sure you don't overwrite existing authorized_keys file, if it already exists you have to append id_rsa.pub to that file):
scp ~/.ssh/id_rsa.pub staging-server:.ssh/authorized_keys
Finally set up the cron-job:
echo '15,45 * * * * rsync -avz -e ssh /path/to/images staging-server:/path/to' | crontab -
This runs your script quarter past and quarter to every hour. For more info on the cron format, see the appropriate man page:
man 5 crontab
To understand the rsync options, check the rsync manpage. This command won't remove images on staging when you remove images on your live server, but there are options for that.
Also, remember to run the command manually once as the user in question, to accept ssh server keys and make sure key auth is working.
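Both this answer's scp step and the earlier Digital Ocean post's `cat >> ~/.ssh/authorized_keys` step depend on adding a key without disturbing the keys already in the file. The following is an added example, not code from either post: a POSIX sh function that appends the key only if it is not already present, rejects a private key passed by mistake, and leaves the directory and file with the permissions sshd expects. The function name and argument order are this example's own.

```shell
#!/bin/sh
# Added example: append a public key to an authorized_keys file without
# overwriting existing entries. Paths are arguments so it can be exercised
# against a scratch directory; on a real host the second argument would be
# ~/.ssh/authorized_keys of the account that receives the key.
install_authorized_key() {
    pubkey_file="$1"   # public half only (e.g. ~/.ssh/id_rsa.pub)
    auth_file="$2"     # target authorized_keys file

    [ -f "$pubkey_file" ] || { echo "no such file: $pubkey_file" >&2; return 1; }
    key_line=$(head -n 1 "$pubkey_file")

    # Accept only a single OpenSSH public-key line. This catches the common
    # mistake of pointing at the private key, whose first line is a PEM header.
    case "$key_line" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "not an OpenSSH public key: $pubkey_file" >&2; return 1 ;;
    esac

    # Duplicate detection compares key type and base64 blob only, so the same
    # key with a different trailing comment is still recognised as installed.
    key_blob=$(printf '%s\n' "$key_line" | awk '{print $1, $2}')

    # With StrictModes (sshd's default) keys are refused if ~/.ssh or
    # authorized_keys is writable by others; 700/600 is the conventional
    # safe setting. Create what is missing, never truncate an existing file.
    auth_dir=$(dirname "$auth_file")
    mkdir -p "$auth_dir" && chmod 700 "$auth_dir"
    touch "$auth_file" && chmod 600 "$auth_file"

    if awk -v k="$key_blob" '($1 " " $2) == k { found = 1 } END { exit !found }' "$auth_file"; then
        return 0   # already installed; appending again would only add clutter
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
}
```

On the staging host this replaces the bare `scp ... :.ssh/authorized_keys`, which overwrites the file; copy id_rsa.pub over first, then run the function against it.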

Exchange global address list (GAL) access from unix

What are the ways of accessing the Exchange global address list (GAL) and doing some operations on it (like finding the manager of a contact, etc.) in Unix?
This can be done in a pretty straightforward way in the VBA Outlook app on Windows. I am trying to find out a way of doing that in a Unix environment.
As long as LDAP is accessible on your Exchange server, you can use that. Here is a small script I wrote to do just that, showing the ldapsearch command it uses internally:
$ 411 -d -e joe.user
command is "/usr/bin/ldapsearch -y ${HOME}/.ssh/temp -x -b dc=ACME,dc=com -H ldap://app.corp.company.com:3268 '(mail=joe.user@*)'"
Joe User 555 329 3485 joe.user@acme.com, NY
A few comments:
At prior companies, you could do an unauthenticated bind. That was easier.
You can see I store my password in my .ssh directory temporarily. This is bad in theory.
You can probably use any LDAP client. I wanted a simple script with no dependencies, so I parse ldapsearch output.
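The answer parses raw ldapsearch output, and the question asks specifically for a contact's manager. As an added example (not the answerer's 411 script), here is a POSIX sh/awk filter that extracts one attribute from LDIF on stdin, unfolding continuation lines and decoding base64 values, the two details a plain grep gets wrong. The sample LDIF is constructed; the function names are this example's own.

```shell
#!/bin/sh
# Added example: print the value(s) of one attribute from ldapsearch LDIF.
# LDIF wraps long values onto following lines that start with a space, and
# emits non-ASCII or binary values as "attr:: <base64>"; both are handled.
ldif_attr() {
    awk -v want="$1" '
        function flush() {
            if (line == "") return
            prefix = tolower(want) ":"                   # attribute names are case-insensitive
            if (tolower(substr(line, 1, length(prefix))) == prefix) {
                val = substr(line, length(prefix) + 1)
                if (substr(val, 1, 1) == ":") {          # base64-encoded value
                    val = substr(val, 2); sub(/^ +/, "", val)
                    if (val ~ /^[A-Za-z0-9+\/=]+$/) {     # only clean base64 reaches the shell
                        cmd = "printf %s " val " | base64 -d"
                        cmd | getline val; close(cmd)
                    } else val = "<invalid base64>"
                } else sub(/^ +/, "", val)
                print val
            }
            line = ""
        }
        /^ /  { line = line substr($0, 2); next }        # continuation of previous line
              { flush(); line = $0 }
        END   { flush() }
    '
}

# Constructed sample of what the ldapsearch call in the answer returns
# (fake directory data), so the filter can be exercised offline.
SAMPLE_LDIF='dn: CN=Joe User,OU=Users,DC=ACME,DC=com
cn: Joe User
mail: joe.user@acme.com
manager: CN=Jane Boss,OU=Users,DC=A
 CME,DC=com
telephoneNumber:: NTU1IDMyOSAzNDg1'

# The manager attribute is a DN; a second ldapsearch with that DN as the
# base gives the manager's own record.
manager_of() { printf '%s\n' "$1" | ldif_attr manager; }

manager_of "$SAMPLE_LDIF"
```

For live data, pipe the answer's ldapsearch command into `ldif_attr manager` instead of printing the sample.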

How to invoke SCP command from Qt

I want to copy files from the local machine to a remote server through the SCP command. I was able to copy files through Cygwin. Now I want to achieve this through Qt. How do I invoke the 'SCP' command? If I make use of QProcess, then how will I get to know about the password prompt?
As far as I know, you will hit the same issue with scp prompting for the password whichever way you try to call the command (even if you try writing a bash script that calls scp, for instance).
Possible solutions I'm aware of include:
create a public/private key and distribute them so that you do not need to be prompted with the password. An interesting paper on the topic is here
create an expect script and invoke it with QProcess
Require your users to use public keys and your problem is solved: https://hkn.eecs.berkeley.edu/~dhsu/ssh_public_key_howto.html
scp, ssh, sftp, etc. deliberately make it hard to take a password other than directly from the user. Specifically, things like expect will not work. And if they did, they wouldn't be secure.