PSCP file from Windows to Linux using private/public keys - unix

I can transfer a file using PSCP:
C:\>pscp -pw <password> -r -p <path of the file> user@Server:<path file to stored>
But not using the public/private key.
Steps followed:
Generate public and private keys using PuTTYgen.
Copy the public key to authorized_keys of Remote Server
Save the private key to key.ppk in Windows server
Then
C:\>pscp -i privatekey pathofthefile user@server:pathfiletostored
It gives "Fatal: Network error: Connection refused"
Can someone please help?

Use the following code:
C:\>pscp -i "path\of\the\privatekey\privatekey.ppk" C:\temp\example_file.txt user@server:/path/file/to/be/stored
Note the quotes for the private key path and the private key should be in .ppk format.
The "Connection refused" error may also be due to the wrong port. In that case, you need to mention the correct port with the following code:
C:\>pscp -i "path\of\the\privatekey\privatekey.ppk" -P 8022 C:\temp\example_file.txt user@server:path/file/to/be/stored
Note that 8022 is the port number and the P is uppercase. Hope this helps.


How to HTTPS (SSL) with self-hosted ASP.NET Core 2 app (httpsys)

I wrote a little ASP.NET Core 2 application. It runs as a service, so no IIS. It runs on a PC with Windows 7 SP1.
var host = WebHost.CreateDefaultBuilder(args)
    .UseContentRoot(pathToContentRoot)
    .UseHttpSys(options =>
    {
        options.Authentication.Schemes = AuthenticationSchemes.None;
        options.Authentication.AllowAnonymous = true;
        options.MaxConnections = null;
        options.MaxRequestBodySize = 30000000;
        options.UrlPrefixes.Add("http://*:5050");
    })
    .UseStartup<Startup>()
    .UseApplicationInsights()
    .Build();
if (isService)
{
    host.RunAsService();
}
else
{
    host.Run();
}
As you can see, I want to listen on port 5050. This is working fine without SSL.
My question is, how can I enable https for my application? Again: No IIS, no Domain-Name (no internet connection). Communication is just inside the internal network, so I want to use a self-signed certificate.
I read the documentation (HTTP.sys documentation; Netsh Commands; New-SelfSignedCertificate), but there is always something different from my situation (they use Kestrel, or it is for using IIS). Also, I don't know how to get the App-ID (needed for netsh) for my application. I tried this: StackOverflow Get GUID, but it doesn't work.
var assembly = typeof(Program).Assembly;
// following line produces: System.IndexOutOfRangeException
var attribute = (GuidAttribute)assembly.GetCustomAttributes(typeof(GuidAttribute), true)[0];
var id = attribute.Value;
Console.WriteLine(id);
So I am a bit confused about all the possibilities and different configurations. And the docs don't consider my specific case.
I created a certificate, and I guess I need to store it in the "My" store. (Where is that? cert:\LocalMachine\My) And then I need to assign my application ID and port to it.
But I have no idea how to do that exactly. Can anyone help?
So I solved the problem in the following way:
First, if you want to know your own GUID, you will get it with the following code:
var id = typeof(RuntimeEnvironment).GetTypeInfo().Assembly.GetCustomAttribute<GuidAttribute>().Value;
Create a SelfSigned Certificate
Now create a SelfSigned-Certificate (Skip this if you already got one, or purchased one)
Run the following OpenSSL command to generate your private key and public certificate. Answer the questions and enter the Common Name when prompted.
openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
Combine your key and certificate in a PKCS#12 (P12) bundle:
openssl pkcs12 -inkey key.pem -in certificate.pem -export -out certificate.p12
Install the certificate on the client:
For Windows 8 and higher:
Add Certificate to Windows Cert Store with PowerShell
PS C:> $certpwd = ConvertTo-SecureString -String "passwort" -Force -AsPlainText
PS C:> Import-PfxCertificate -FilePath D:\data\cert\certificate.p12 cert:\localMachine\my -Password $certpwd
Get Fingerprint (Hash) of certificate
PS C:\WINDOWS\system32> dir Cert:\LocalMachine\my
Install certificate (replace Hash, IP and Port with your values)
PS C:\WINDOWS\system32> $guid = [guid]::NewGuid()
PS C:\WINDOWS\system32> $certHash = "A1D...B672E"
PS C:\WINDOWS\system32> $ip = "0.0.0.0"
PS C:\WINDOWS\system32> $port = "5050"
PS C:\WINDOWS\system32> "http add sslcert ipport=$($ip):$port certhash=$certHash appid={$guid}" | netsh
You are done.
For Windows 7
Add the certificate to the Windows certificate store (note: use the .pem file for this operation, because the .p12 file does not seem to be supported by certutil)
.\certutil.exe -addstore -enterprise -f "Root" C:\lwe\cert\certificate.pem
If this line throws the following error:
SSL Certificate add failed, Error 1312
A specified logon session does not exist. It may already have been terminated.
You have to do the steps manually (please insert the .p12 file when doing it manually, not .pem) :
Run mmc.exe
Go to File-> Add/Remove Snap-In
Choose the Certificates snap-in.
Select Computer Account
Navigate to: Certificates (Local Computer)\Personal\Certificates
Right click the Certificates folder and choose All Tasks -> Import.
Follow the wizard instructions to select the certificate. Be sure you check the export checkbox during wizard.
To get the hash of your certificate, run Internet Explorer, press Alt + X and go to Internet Options -> Content -> Certificates. Search for your certificate and read the hash.
Now you can run the same commands as for Windows 8+:
Install certificate (replace Hash, IP and Port with your values)
PS C:\WINDOWS\system32> $guid = [guid]::NewGuid()
PS C:\WINDOWS\system32> $certHash = "A1D...B672E"
PS C:\WINDOWS\system32> $ip = "0.0.0.0"
PS C:\WINDOWS\system32> $port = "5050"
PS C:\WINDOWS\system32> "http add sslcert ipport=$($ip):$port certhash=$certHash appid={$guid}" | netsh
Edit your Code
After all, you have to set the UrlPrefixes to https. So in your Program.cs file you need to have:
var host = WebHost.CreateDefaultBuilder(args)
    .UseContentRoot(pathToContentRoot)
    .UseHttpSys(options =>
    {
        options.Authentication.Schemes = AuthenticationSchemes.None;
        options.Authentication.AllowAnonymous = true;
        options.MaxConnections = null;
        options.MaxRequestBodySize = 30000000;
        options.UrlPrefixes.Add("https://*:5050");
    })
    .UseStartup<Startup>()
    .UseApplicationInsights()
    .Build();
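The OpenSSL steps above can be run without prompts, and the value for certhash= can be derived on the machine where OpenSSL ran instead of being read from a certificate dialog: it is the SHA-1 fingerprint of the certificate as bare hex. This is an added example, not part of the original answer; the function names, the CN and the password are constructed, and the file names follow the answer.

```shell
# make_cert DIR CN PASSWORD: key, self-signed cert and PKCS#12 bundle, no prompts.
# The bundle password is passed via env: so it stays out of the argument list.
make_cert() {
    openssl req -newkey rsa:2048 -nodes -keyout "$1/key.pem" \
        -x509 -days 365 -subj "/CN=$2" -out "$1/certificate.pem" 2>/dev/null &&
    P12_PASS=$3 openssl pkcs12 -export -inkey "$1/key.pem" \
        -in "$1/certificate.pem" -passout env:P12_PASS -out "$1/certificate.p12"
}

# to_certhash: turn "SHA1 Fingerprint=AA:BB:..." into the bare hex netsh expects
to_certhash() { cut -d= -f2 | tr -d ':'; }

# thumbprint PEM: SHA-1 thumbprint of a PEM certificate
thumbprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | to_certhash
}

# p12_thumbprint P12 PASSWORD: thumbprint of the certificate inside the bundle
p12_thumbprint() {
    P12_PASS=$2 openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys 2>/dev/null |
        openssl x509 -noout -fingerprint -sha1 | to_certhash
}

# key_matches_cert KEY CERT: succeeds only if the private key belongs to the cert
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# Demo in a throwaway directory (CN and password are constructed placeholders)
d=$(mktemp -d) &&
    make_cert "$d" "intranet-host.example" "change-me" &&
    key_matches_cert "$d/key.pem" "$d/certificate.pem" &&
    echo "certhash=$(thumbprint "$d/certificate.pem")"
rm -rf "$d"
```

Comparing p12_thumbprint with thumbprint before importing confirms that the bundle carries the same certificate whose hash goes into the netsh command.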

disk encryption escrow files on centos via kickstart

I'm trying to automate centos installs via PXE and kickstart with encrypted filesystems. In case we mislay the passphrase we want to use escrow files and encrypt them using the public key attached to an x509 certificate obtained from a web server. The relevant line in the kickstart file is
logvol /home --fstype ext4 --name=lv02 --vgname=vg01 --size=1 --grow --encrypted --escrowcert=http://10.0.2.2:8080/escrow.crt --passphrase=XXXX --backuppassphrase
Leaving the cert as PEM encoded on the web server rather than DER doesn't seem to matter; either works up to a point.
The filesystem is created and encrypted using the supplied passphrase and can be opened on reboot with no issues. Two escrow files are produced as expected, and by using the NSS database containing the private key and the first escrow file I obtain what I think is the passphrase, but it doesn't unlock the disk. For example:
# volume_key --secrets -d /tmp/nss e04a93fc-555b-430b-a962-1cdf921e320f-escrow
Data encryption key: 817E65AC37C1EC802E3663322BFE818D47BDD477678482E78986C25731B343C221CC1D2505EA8D76FBB50C5C5E98B28CAD440349DC0842407B46B8F116E50B34
I assume the string from 817 to B34 is the passphrase but using it in a cryptsetup command does not work.
[root@mypxetest ~]# cryptsetup -v status home
/dev/mapper/home is inactive.
Command failed with code 19.
[root@mypxetest ~]# cryptsetup luksOpen /dev/rootvg01/lv02 home
Enter passphrase for /dev/rootvg01/lv02:
No key available with this passphrase.
Enter passphrase for /dev/rootvg01/lv02:
When prompted I paste in the long numeric string but get the "No key available" message. However, if I use the passphrase specified in the kickstart file or the backup escrow file, the disk unlocks.
# volume_key --secrets -d /tmp/nss e04a93fc-555b-430b-a962-1cdf921e320f-escrow-backup-passphrase
Passphrase: QII.q-ImgpN-0oy0Y-RC5qa
Then using the string QII.q-ImgpN-0oy0Y-RC5qa in the cryptsetup command works.
Has anyone any idea what I'm missing? Why don't both escrow files work?
I've done some more reading and the file ending in escrow is not an alternative passphrase for the luks volume but it contains the encryption key which is encrypted of course. When decrypted the long string is the encryption key and there's a clue in the rest of the text which I confess I didn't read very well.

aws scp Host key verification failed

We are using CentOS 7. If tried the way below, with the pem file included, scp works, but when the pem file is removed it's not working. The code was working earlier without the pem file. After we moved to a different web server we are having "Host key verification failed" issues.
scp -i/home/centos/sshkeys/test.pem root@77.79.77.72:/usr/local//2016/Aug/31/ggea98c0-6f0f-11e6-86d9-2573a2e556aa.wav /var/www/html/tmp/ggea98c0-6f0f-11e6-86d9-2573a2e556aa.wav
Maybe your key was registered in ~/.ssh/config or it was your default key in ~/.ssh? Check on the old server?
Edited:
For example this is what I put in ~/.ssh/config
Host myserver
    Hostname 52.100.100.100
    User ubuntu
    IdentityFile ~/dev/application/server-key.pem
It allows me to connect simply by ssh myserver. Maybe it was something like this that you had on your server.

Use a particular id_rsa key file per host

I hope this is the right place to post this.
I have a VM I usually connect from work. To connect from home I was given the following instructions:
Copy and paste ./ssh/id_rsa and ./ssh/id_rsa.pub from the work machine to the home machine. Also make a config file like:
# Debian VM
Host nacho4d.dev.acme.com
    # IdentityFile ~/.ssh_acme/id_rsa
    User nacho4d
    ProxyCommand ssh ns.dev.acme.com -l nacho4d nc -w 1 %h %p
# Tunnel/springboard server
Host ns.dev.acme.com
    # IdentityFile ~/.ssh_acme/id_rsa
    User nacho4d
    ProxyCommand ssh ts6.in.acme.com -l nacho4d nc -w 1 %h %p
So everything works good with:
$ ssh nacho4d.dev.acme.com
The problem is that I already have my own (non-work) private keys and I don't want to replace it with the work .ssh folder every time I need to use ssh. Too tedious.
How can I use a particular key, etc to connect to a specific server only?
I tried putting my files like:
~/.ssh/id_rsa → home private key
~/.ssh/id_rsa.pub → home public key
~/.ssh/config → config file like above but with IdentityFile enabled
~/.ssh_acme/id_rsa → work private key
~/.ssh_acme/id_rsa.pub → work public key
I thought that having a config file with IdentityFile should make ssh use a particular key (in this case pointing to ~/.ssh_acme/id_rsa) for that particular host, but I always get "Permission Denied" Connection closed by remote host.
Am I missing something? Perhaps I need to supply the public key somewhere else too?
I checked the ~/.ssh/authorized_keys file in the VM and I have an ssh-rsa entry for the work computer, not the home computer (which is, I believe, normal since I am using the keys provided by work).
How come IdentityFile ~/.ssh_acme/id_rsa is not working as expected?
Do I really need to interchange my home/work keys every time I need to connect to somewhere?
I am almost a beginner in ssh things, but something tells me there must be a clever way of doing this.
Any help is appreciated.
You don't need to specify which key works with which host, just rename the keys and add an IdentityFile line for each key:
IdentityFile ~/.ssh/id_rsa_dev_acme
IdentityFile ~/.ssh/id_rsa_in_acme
It's possible the keys in ~/.ssh_acme/id_rsa aren't being used because the permissions aren't correct on ~/.ssh_acme (0700) or ~/.ssh_acme/id_rsa (0600).
Finally, this question might be more relevant on http://unix.stackexchange.com
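A way to check the two things this thread turns on, which IdentityFile each Host block actually names (commented-out lines do not count) and whether the key and its directory are closed to group and others as the 0600/0700 values above require. This is an added example, not from the original thread; the function names and status labels are made up for it.

```shell
# go_bits PATH: the six group+other permission characters from ls -l
go_bits() { ls -ld "$1" | cut -c5-10; }

# audit_identity_files CONFIG [HOME]: prints "<STATUS> <host> <key path>"
# for every active IdentityFile line in an ssh client config.
audit_identity_files() {
    cfg=$1
    home=${2:-$HOME}
    awk '
        BEGIN { host = "*" }                        # entries before any Host line
        { sub(/^[ \t]+/, "") }                      # keywords may be indented
        $0 == "" || /^#/ { next }                   # blank and commented-out lines
        tolower($1) == "host" { host = $2; next }   # first pattern only
        tolower($1) == "identityfile" { print host, $2 }
    ' "$cfg" |
    while read -r host path; do
        case $path in
            "~/"*) path=$home/${path#??} ;;         # expand a leading ~/
        esac
        if [ ! -f "$path" ]; then
            echo "MISSING $host $path"
        elif [ "$(go_bits "$path")" != "------" ]; then
            echo "KEY_TOO_OPEN $host $path"         # fix with chmod 600
        elif [ "$(go_bits "$(dirname "$path")")" != "------" ]; then
            echo "DIR_TOO_OPEN $host $path"         # fix with chmod 700 on the directory
        else
            echo "OK $host $path"
        fi
    done
}

# Run against the current user's config when there is one
if [ -f "$HOME/.ssh/config" ]; then audit_identity_files "$HOME/.ssh/config"; fi
```

A Host block that produces no line at all has no active IdentityFile, which is the state of the config quoted in the question.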

Password SSH authentication method in RCurl

I'm using the ftpUpload function in the RCurl package to upload files to an sftp file server. I'm having difficulty working out the authentication call.
Below is my call:
ftpUpload(what = "some-file.png",
          to = "sftp://some-ftp-server.com:22/path/to/some-file.png",
          verbose = TRUE,
          userpwd = "my_userid:my_password")
As a result I get:
* About to connect() to some-ftp-server.com port 22 (#0)
* Trying some-ftp-server.com... * connected
* Connected to some-ftp-server.com (some ip address) port 22 (#0)
* SSH authentication methods available: publickey,password
* Using ssh public key file /home/.ssh/id_dsa.pub
* Using ssh private key file /home/.ssh/id_dsa
* SSH public key authentication failed: Unable to open public key file
* Authentication failure
* Closing connection #0
Error in function (type, msg, asError = TRUE) : Authentication failure
I wasn't the one to setup the sftp server, and I'm somewhat of an ssh noob -- apologies. What I do know is that I'm able to login using my_userid and my_password with Filezilla and that the server has an .htaccess and .htpasswd file.
I'm hoping that there is some way to authenticate using ftpUpload with just my userid and password. It seems that password is one of the two available methods, but I can't seem to get ftpUpload to understand that I'd like to use the latter alone.
The .htpasswd file seems to contain my_userid:my_password, though the password portion is encrypted. I'm open to loading that in a certain place for ftpUpload to access, but I'm not sure how to point ftpUpload in the right directions.
Finally, I've tried playing around with and looking through the libcurl options listed here: http://www.omegahat.org/RCurl/philosophy.html and more fully explained here: http://curl.haxx.se/libcurl/c/curl_easy_setopt.html
Alas, no luck. Any help appreciated!
It seems a little late, but I am currently trying something similar (public key authentication, though) and got it working!
Here is what I did:
I did set up public key authentication, basically following the instructions at http://www.howtoforge.com/set-up-ssh-with-public-key-authentication-debian-etch
That is, I run on the server the command
ssh-keygen -t rsa -C "e@mail.com" -f "id_rsa"
to generate a public and a private key. (Just as a side note, I first tried to use puttygen on my local Windows machine to create working keys but failed.)
Then I add the public key to the authorized keys (still on the remote server)
mkdir ~/.ssh
chmod 700 ~/.ssh
cat id_rsa.pub >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
and copy both the public and private key file to the local machine where R is running. Then I can upload a file from R using
require(RCurl)
ftpUpload(what = "myfile.txt",
          to = "sftp://myusername@my.host.com:22/path/to/myfile",
          verbose = TRUE,
          .opts = list(
            ssh.public.keyfile = "path/to/local/pubkeyfile",
            ssh.private.keyfile = "path/to/local/privatekeyfile"
          )
)
