disk encryption escrow files on centos via kickstart - encryption

I'm trying to automate centos installs via PXE and kickstart with encrypted filesystems. In case we mislay the passphrase we want to use escrow files and encrypt them using the public key attached to an x509 certificate obtained from a web server. The relevant line in the kickstart file is
logvol /home --fstype ext4 --name=lv02 --vgname=vg01 --size=1 --grow --encrypted --escrowcert=http://10.0.2.2:8080/escrow.crt --passphrase=XXXX --backuppassphrase
Leaving the cert as PEM encoded on the web server rather than DER doesn't seem to matter, either work up to a point.
The filesystem is created and encrypted using the supplied passphrase and can be opened on reboot with no issues. Two escrow files are produced as expected and if by using the NSS database containing the private key and the first escrow file I obtain what I think is the passphrase but it doesn't unlock the disk. For example:
# volume_key --secrets -d /tmp/nss e04a93fc-555b-430b-a962-1cdf921e320f-escrow
Data encryption key:<span class="whitespace other" title="Tab">»</span>817E65AC37C1EC802E3663322BFE818D47BDD477678482E78986C25731B343C221CC1D2505EA8D76FBB50C5C5E98B28CAD440349DC0842407B46B8F116E50B34
I assume the string from 817 to B34 is the passphrase but using it in a cryptsetup command does not work.
[root#mypxetest ~]# cryptsetup -v status home
/dev/mapper/home is inactive.
Command failed with code 19.
[root#mypxetest ~]# cryptsetup luksOpen /dev/rootvg01/lv02 home
Enter passphrase for /dev/rootvg01/lv02:
No key available with this passphrase.
Enter passphrase for /dev/rootvg01/lv02:
When prompted I paste in the long numeric string but get the No key available message. However if I use the passphrase specified in the kickstart file or the backup escrow file the disk unlocks.
# volume_key --secrets -d /tmp/nss e04a93fc-555b-430b-a962-1cdf921e320f-escrow-backup-passphrase
Passphrase:<span class="whitespace other" title="Tab">»</span>QII.q-ImgpN-0oy0Y-RC5qa
Then using the string QII.q-ImgpN-0oy0Y-RC5qa in the crypsetup command works.
Has anyone any idea what I'm missing? Why don't both escrow files work?

I've done some more reading and the file ending in escrow is not an alternative passphrase for the luks volume but it contains the encryption key which is encrypted of course. When decrypted the long string is the encryption key and there's a clue in the rest of the text which I confess I didn't read very well.

Related

aws scp Host key verification failed

We are using centos7 .If tried the below way with pem file included scp works but when pem file is removed its not working. Code was working earlier without pem file . After We moved to a different web server we are having Host key verification failed issues.
scp -i/home/centos/sshkeys/test.pem root#77.79.77.72:/usr/local//2016/Aug/31/ggea98c0-6f0f-11e6-86d9-2573a2e556aa.wav /var/www/html/tmp/ggea98c0-6f0f-11e6-86d9-2573a2e556aa.wav
Maybe your key was registered in ~/.ssh/config or it was your default key in ~/.ssh ? Check on the old server ?
Edited:
For example this is what I put in ~/.ssh/config
Host myserver
Hostname 52.100.100.100
User ubuntu
IdentityFile ~/dev/application/server-key.pem
It allow me to connect simply by ssh myserver. Maybe it was something like this that you had on your server.

PSCP file from Windows to Linux using private/public keys

I can transfer file using PSCP:
C:\>pscp -pw <password> -r -p <path of the file> user#Server:<path file to stored>
But not using the public/private key.
Steps followed:
Generate public and private keys using PuTTYgen.
Copy the public key to authorized_keys of Remote Server
Save the private key to key.ppk in Windows server
Then
C:\>pscp -i privatekey pathofthefile user#server:pathfiletostored
It gives "Fatal: Network error: Connection refused"
Can someone please help?
Use the following code:
C:\>pscp -i "path\of\the\privatekey\privatekey.ppk" C:\temp\example_file.txt user#server:/path/file/to/be/stored
Note the quotes for the private key path and the private key should be in .ppk format.
The connection refused error may also be due to the wrong port. In that case, you need to mention the correct port by the following code :
C:\>pscp -i "path\of\the\privatekey\privatekey.ppk" -P 8022 C:\temp\example_file.txt user#server:path/file/to/be/stored
Note that 8022 is the port number and the P is uppercase. Hope this helps.

plink puts me in an interactive shell prompt while executing batch

I am trying to use plink(Putty link) to connect to test servers using a batch file so as to avoid any user prompts and executing shell scripts. But it is pausing by showing a user interactive prompt after logging in with username and password provided which I don't want.
Please provide any suggestion for why this is happening or if I need to change any settings in the configuration to make this work.
Below is the log for the same. I am expecting it to execute a shell script after this step before which it gets stopped and plink puts me in an interactive shell
D:\>plink -v -ssh xxx#xxx.xxx.xxx.xx.com –pw XXXXX
Looking up host "xxx#xxx.xxx.xxx.xx.com"
Connecting to xxx.xx.xxx.xx port 22
Server version: SSH-2.0-OpenSSH_5.1
Using SSH protocol version 2
We claim version: SSH-2.0-PuTTY_Release_0.63
Doing Diffie-Hellman group exchange
Doing Diffie-Hellman key exchange with hash SHA-256
Host key fingerprint is:
ssh-rsa 1024 a5:c3:96:57:53:7c:72:06:8d:86:09:76:27:3e:18:8d
Initialised AES-256 SDCTR client->server encryption
Initialised HMAC-SHA1 client->server MAC algorithm
Initialised AES-256 SDCTR server->client encryption
Initialised HMAC-SHA1 server->client MAC algorithm
Using username "xxx".
Attempting keyboard-interactive authentication
Access granted
Opening session as main channel
Opened main channel
Allocated pty (ospeed 38400bps, ispeed 38400bps)
Started a shell/command
Last login: Wed Mar 5 09:56:41 2014 from 10.34.39.22
←[?1034hxxxxavu2:←]2;xxx#xxxxavu2~ >
When using SSH, upon first connection you are required to verify a service host key in order to make a connection.
Through plink, the command line will generate a prompt, asking the user to "accept service host key? (y/n)".
Step 1: Fix the "Keyboard Interactive Authentication prompts from server"
Follow the URL instruction and Deselect the "Attempt keyboard Interactive auth (SSH-2) in your putty.
https://support.linuxacademy.com/hc/en-us/articles/360027730172-How-Can-I-Copy-and-Paste-into-Putty-on-Windows
Step 2: Below is the commands will fix the "verify a service host key" for every Linux server first SSH connection using plink.
echo yes| C:\PuTTY\plink.exe user-name#10.148.147.41 -pw *************** date
Step 3: Now you can immediately ran your next scripts like "server uptime checks" or "monitoring agent restart" using plink with -batch option (disable all interactive prompts)
C:\PuTTY\plink.exe -batch user-name#10.148.147.41 -pw *************** -m C:\uptime_linux.sh
C:\PuTTY\plink.exe -batch user-name#10.148.147.41 -pw *************** -m C:\monitoring-agent-check_linux.sh
Above mentioned information's 100% will help you to automate the linux tasks using plink utility.
It's giving you an interactive shell because you are not actually giving it a command to execute after connecting. Enclose your command in quotes, eg:
D:\>plink -v user#xxx.xxx.xxx.xxx -pw XXXXX "df -h"

Use a particular id_rsa key file per host

I hope this is the right place to post this.
I have a VM I usually connect from work. To connect from home I was given the following instructions:
Copy and paste ./ssh/id_rsa and ./ssh/id_rsa.pub from the work machine to the home machine. Also make a config file like:
# Debian VM
Host nacho4d.dev.acme.com
# IdentityFile ~/.ssh_acme/id_rsa
User nacho4d
ProxyCommand ssh ns.dev.acme.com -l nacho4d nc -w 1 %h %p
# Tunnel/springboard server
Host ns.dev.acme.com
# IdentityFile ~/.ssh_acme/id_rsa
User nacho4d
ProxyCommand ssh ts6.in.acme.com -l nacho4d nc -w 1 %h %p
So everything works good with:
$ ssh nacho4d.dev.acme.com
The problem is that I already have my own (non-work) private keys and I don't want to replace it with the work .ssh folder every time I need to use ssh. Too tedious.
How can I use a particular key, etc to connect to a specific server only?
I tried putting my files like:
~/.ssh/id_rsa → home private key
~/.ssh/id_rsa.pub → home public key
~/.ssh/config → config file like above but with IdentityFile enabled
~/.ssh_acme/id_rsa → work private key
~/.ssh_acme/id_rsa.pub → work public key
I thought that having a config file with IndentityFile should make ssh to use a particular key ( in this case pointing to ~/.ssh_acme/id_rsa) for that particular host, but I always get "Permission Denied" Connection closed by remote host.
Am I missing something? Perhaps do I need to supply the public key somewhere else too?
I checked ~./ssh/authorized_keys file in the VM and I have a ssh-rsa entry for the work-computer not the home computer (which Is I believe normal since I am using the keys provided by work.)
How come IdentityFile ~/.ssh_acme/id_rsa is not working as expected?
Do I really need to interchange my home/work keys everytime I need to connect to somewhere?
I am almost a beginner in ssh things, but something tells me there must be a clever way of doing this.
Any help is appreciated.
You don't need to specify which key works with which host, just rename the keys and add a IdentityFile line for each key:
IdentityFile ~/.ssh/id_rsa_dev_acme
IdentityFile ~/.ssh/id_rsa_in_acme
It's possible the keys in ~/.ssh_acme/id_rsa aren't being used because the permissions aren't correct on ~/.ssh_acme (0700) or ~/.ssh_acme/id_rsa (0600)
Finally, this question might be more relevant on http://unix.stackexchange.com

godaddy cert not working with filezilla

here is what i have, running MS server 2008, IIS 7
from godaddy, a p7b intermediate file from godaddy and the cert in crt format. this is all they gave me. I need to get a private key file out of this to go with the crt and configure it to be used in filezilla. i tried just loading the p7b file into the private key section of filezilla server and that didnt work, didnt think it would. I have tried to extract the private key from the cert by creating a pfx file in the MMC then using openssl to extract the key using
openssl pkcs12 -in file.pfx -nocerts -out key.key
this returns something showing that the Microsofot Local Key set has no value.
I am completely lost on how to get this work, have been trying for a few days. Does anyone know how to get this to work with filezilla? Godaddy's support just doesnt seem to want to help.
Turns out this is what i needed:
c:\OpenSSL-Win32\bin>openssl pkcs12 -in file.pfx -nocerts –nodes -passin pass:123 | openssl rsa -out privatekey.pem
this got me a private RSA key, which is then put into filezilla as the private key and the cert in the cert field in filezillas settings. both of these files should be in a folder not protected by permissions and (not 100% sure on this part) should be in the same folder.
NOTE: this is after exporting private key from the MMC, this is the pfx file in question here, be sure the certificate is installed in IIS before doing this.

Resources