I have the following script to SSH into a server with wheel user. It is a test script that I want to use in many servers and applications. But rather than giving the passwords as plain text inside the script I want it to be hidden or encrypted and then decrypted when the script is run.
#!/usr/bin/expect -f
set timeout 2
set ip 78.47.1xx.xx
set port 22
set rootpwd adgajfgjagf
set wuser winner
set wpwd winner##!
spawn ssh -l $wuser $ip -p $port
expect -re "connecting (yes/no)?" {
send -- "yes\r"
}
expect -nocase -re "password:" {
send "$wpwd\r"
}
expect "# " {
send -- "su - root\r"
expect "Password: "
send -- "$rootpwd\r"
interact
} ## Heading ##
Why dont you use ssh key login instead?
For every machine you want to be able to connect, you have to ask for their public ssh-key and add them to autorized_keys. Then when connectig via ssh, those machines do not need to enter a password.
source: http://sshkeychain.sourceforge.net/mirrors/SSH-with-Keys-HOWTO/SSH-with-Keys-HOWTO-4.html
In the past, I've had to make do with obfuscation (yencode) and file permissions.
Related
I am trying to use plink(Putty link) to connect to test servers using a batch file so as to avoid any user prompts and executing shell scripts. But it is pausing by showing a user interactive prompt after logging in with username and password provided which I don't want.
Please provide any suggestion for why this is happening or if I need to change any settings in the configuration to make this work.
Below is the log for the same. I am expecting it to execute a shell script after this step before which it gets stopped and plink puts me in an interactive shell
D:\>plink -v -ssh xxx#xxx.xxx.xxx.xx.com –pw XXXXX
Looking up host "xxx#xxx.xxx.xxx.xx.com"
Connecting to xxx.xx.xxx.xx port 22
Server version: SSH-2.0-OpenSSH_5.1
Using SSH protocol version 2
We claim version: SSH-2.0-PuTTY_Release_0.63
Doing Diffie-Hellman group exchange
Doing Diffie-Hellman key exchange with hash SHA-256
Host key fingerprint is:
ssh-rsa 1024 a5:c3:96:57:53:7c:72:06:8d:86:09:76:27:3e:18:8d
Initialised AES-256 SDCTR client->server encryption
Initialised HMAC-SHA1 client->server MAC algorithm
Initialised AES-256 SDCTR server->client encryption
Initialised HMAC-SHA1 server->client MAC algorithm
Using username "xxx".
Attempting keyboard-interactive authentication
Access granted
Opening session as main channel
Opened main channel
Allocated pty (ospeed 38400bps, ispeed 38400bps)
Started a shell/command
Last login: Wed Mar 5 09:56:41 2014 from 10.34.39.22
←[?1034hxxxxavu2:←]2;xxx#xxxxavu2~ >
When using SSH, upon first connection you are required to verify a service host key in order to make a connection.
Through plink, the command line will generate a prompt, asking the user to "accept service host key? (y/n)".
Step 1: Fix the "Keyboard Interactive Authentication prompts from server"
Follow the URL instruction and Deselect the "Attempt keyboard Interactive auth (SSH-2) in your putty.
https://support.linuxacademy.com/hc/en-us/articles/360027730172-How-Can-I-Copy-and-Paste-into-Putty-on-Windows
Step 2: Below is the commands will fix the "verify a service host key" for every Linux server first SSH connection using plink.
echo yes| C:\PuTTY\plink.exe user-name#10.148.147.41 -pw *************** date
Step 3: Now you can immediately ran your next scripts like "server uptime checks" or "monitoring agent restart" using plink with -batch option (disable all interactive prompts)
C:\PuTTY\plink.exe -batch user-name#10.148.147.41 -pw *************** -m C:\uptime_linux.sh
C:\PuTTY\plink.exe -batch user-name#10.148.147.41 -pw *************** -m C:\monitoring-agent-check_linux.sh
Above mentioned information's 100% will help you to automate the linux tasks using plink utility.
It's giving you an interactive shell because you are not actually giving it a command to execute after connecting. Enclose your command in quotes, eg:
D:\>plink -v user#xxx.xxx.xxx.xxx -pw XXXXX "df -h"
I hope this is the right place to post this.
I have a VM I usually connect from work. To connect from home I was given the following instructions:
Copy and paste ./ssh/id_rsa and ./ssh/id_rsa.pub from the work machine to the home machine. Also make a config file like:
# Debian VM
Host nacho4d.dev.acme.com
# IdentityFile ~/.ssh_acme/id_rsa
User nacho4d
ProxyCommand ssh ns.dev.acme.com -l nacho4d nc -w 1 %h %p
# Tunnel/springboard server
Host ns.dev.acme.com
# IdentityFile ~/.ssh_acme/id_rsa
User nacho4d
ProxyCommand ssh ts6.in.acme.com -l nacho4d nc -w 1 %h %p
So everything works good with:
$ ssh nacho4d.dev.acme.com
The problem is that I already have my own (non-work) private keys and I don't want to replace it with the work .ssh folder every time I need to use ssh. Too tedious.
How can I use a particular key, etc to connect to a specific server only?
I tried putting my files like:
~/.ssh/id_rsa → home private key
~/.ssh/id_rsa.pub → home public key
~/.ssh/config → config file like above but with IdentityFile enabled
~/.ssh_acme/id_rsa → work private key
~/.ssh_acme/id_rsa.pub → work public key
I thought that having a config file with IndentityFile should make ssh to use a particular key ( in this case pointing to ~/.ssh_acme/id_rsa) for that particular host, but I always get "Permission Denied" Connection closed by remote host.
Am I missing something? Perhaps do I need to supply the public key somewhere else too?
I checked ~./ssh/authorized_keys file in the VM and I have a ssh-rsa entry for the work-computer not the home computer (which Is I believe normal since I am using the keys provided by work.)
How come IdentityFile ~/.ssh_acme/id_rsa is not working as expected?
Do I really need to interchange my home/work keys everytime I need to connect to somewhere?
I am almost a beginner in ssh things, but something tells me there must be a clever way of doing this.
Any help is appreciated.
You don't need to specify which key works with which host, just rename the keys and add a IdentityFile line for each key:
IdentityFile ~/.ssh/id_rsa_dev_acme
IdentityFile ~/.ssh/id_rsa_in_acme
It's possible the keys in ~/.ssh_acme/id_rsa aren't being used because the permissions aren't correct on ~/.ssh_acme (0700) or ~/.ssh_acme/id_rsa (0600)
Finally, this question might be more relevant on http://unix.stackexchange.com
I have searched several posting on this message and I am still getting the error when I attempt to do an "ldapsearch"
I have changed the slapd.conf to use a plain-text password and I am still getting the error. I have also made sure that there are no blank spaces in the file. The log file shows and iptables is turned off. I have attempted to follow the LDAP setup from
"http://www.itmanx.com/kb/centos63-openldap-phpldapadmin".
conn=1001 fd=15 ACCEPT from IP=[::1]:54486 (IP=[::]:389)
conn=1001 op=0 BIND dn="cn=Manager,dc=domain,dc=local,dc=pt" method=128
conn=1001 op=0 RESULT tag=97 err=49 text=
conn=1001 fd=15 closed (connection lost)
my server is running Centos 6.4 64.
below are the commands I am using
"ldapsearch -x -D cn=Manager,dc=domain,dc=local,dc=pt -w abc"
my slapd.conf file
database bdb
suffix "dc=domain,dc=local"
checkpoint 1024 15
rootdn "cn=Manager,dc=domain,dc=local"
rootpw abc
You need to generate your password like below -
slappasswd -h {CLEARTEXT}
enter password - abc
Do the search -
ldapsearch -x -h ipaddress(mention ip address) -D "cn=Manager,dc=domain,dc=local" -W
In the search you try to bind as:
cn=Manager,dc=domain,dc=local,dc=pt
but in the config the rootdn is:
cn=Manager,dc=domain,dc=local
This is of course "an invalid credential".
You are binding as the rootdn, which is to say the "root account" of your DIT. This account's password is, in this case, config-based. It is possible that while 'abc' is the configured password, it may not be the loaded password.
Case in point: Someone goes into the slapd.conf file and changes the rootdn password from 'xyz' to 'abc' but neglects to restart the OpenLDAP daemon. What will happen here is that 'abc' will NOT work until the process is restarted, and thus the OpenLDAP daemon will continue to honor the OLD password of 'xyz'.
I hope this helps...
Max
I connect to 8 different unix servers from Windows, using connection type 'SSH' in putty. I use the same username/password for each server.
Currently when I need to change passwords (every 60 days), I need to open putty, select the session I want to connect to, type my current password (in the putty window that opens), type "passwd", enter my current password, and then enter my new password.
Then I exit and repeat the process 7 times.
How can I convert this to an automated process where I simply need to supply a script/batch process with my old and new password?
Here is how I automated the process:
Download and install ActiveTCL Community Edition (download the 32 bit version, even if you are on 64 bit windows, as the 64 bit version does not have "Expect" which is what you need to run the automated script)
Open the tclsh85 executable that was created by the install
Run this command "teacup install Expect" (note, this is case sensitive. You may need to setup special http settings if you receive an error and/or are on vpn or using a proxy)
Download Putty's "plink.exe" and either place it in the bin directory of ActiveTCL (default install directory is "C:\Tcl\bin") or alter your "Path" environment variable to include the path to this executable (wherever you downloaded plink.exe). This is the command-line version of Putty which your script will use.
Anywhere on your drive, create a text file named "servers.txt" with a list of the servers (one per line). They should all share the same password, as the script will login to all of them with the same password (that you supply), and change the password to the one you supply.
In the same directory as "servers.txt" create a new text file called "ChangePassword.tcl" (or whatever you want to call it, but be sure its file type is "tcl"). Right click the file and edit in notepad (or whatever text editor you prefer) and paste this script in it.
package require Expect
exp_log_user 0
set exp::nt_debug 1
proc changepw {host user oldpass newpass} {
spawn plink $host
log_user 0
expect {
"login as: " { }
}
exp_send "$user\r"
expect "sword: "
exp_send "$oldpass\r"
expect "\$ "
exp_send "passwd\r"
expect "sword: "
exp_send "$oldpass\r"
expect "sword: "
exp_send "$newpass\r"
expect "sword: "
exp_send "$newpass\r"
set result $expect_out(buffer)
exp_send "exit\r"
return $result
}
label .userlbl -text "Username:"
label .oldpasslbl -text "\nOld Password: "
label .newpasslbl -text "\nNew Password: "
set username "username"
entry .username -textvariable username
set oldpassword "oldpassword"
entry .oldpassword -textvariable oldpassword
set newpassword "newpassword"
entry .newpassword -textvariable newpassword
button .button1 -text "Change Password" -command {
set fp [open "servers.txt" r]
set file_data [read $fp]
close $fp
set data [split $file_data "\n"]
foreach line $data {
.text1 insert end "Changing password for: $line\n"
set output [changepw $line $username $oldpassword $newpassword]
.text1 insert end "$output\n\n"
}
}
text .text1 -width 50 -height 30
pack .userlbl .username .oldpasslbl .oldpassword .newpasslbl .newpassword .button1 .text1
Save the script and then launch the ChangePassword.tcl file.
Here is a picture of what it looks like when you open the ChangePassword.tcl file:
The rest should be self explanatory. Note the program does not output when your password change was successful but it will tell you when it fails. Also note, this was my first tcl script (and first time using Expect) so the script is by no means "optimized" and could probably be improved but it gets the job done. Feel free to edit, or make suggestions/improvements.
Sounds like you want Expect, an extension of TCL that can mimic typing at a keyboard for a console application. See the examples for how to do this.
Now there is something you've written that worries me:
I connect to 8 different unix servers, using connection type 'SSH' in putty. I use the same username/password for each server.
Why aren't you using SSH keys for automating the logon?
Great article! Just elaborating on step-3. Please note the commands to provide Proxy server information in case "teacup install Expect" fails due to connectivity issue:
%teacup install Expect
Resolving Expect ... Not found in the archives.
...
Aborting installation, was not able to locate the requested entity.
child process exited abnormally
% teacup list teacup
0 entities found
Problems which occurred during the operation:
* http://teapot.activestate.com :
{connect failed connection refused} {can't read
"state(sock)": no such element in array while executing
"fileevent $state(sock) writable {}"} NONE
% teacup proxy "abcproxy.mycorp.com" 8080
Proxying through abcproxy.mycorp.com # 8080
% set http_proxy_user MyNetworkID
MyNetworkID
% set http_proxy_pass MyNetworkPassword
MyNetworkPassword
% teacup list teacup
entity name version platform
----------- ------ --------------- ----------
application teacup 8.5.16.0.298388 win32-ix86
----------- ------ --------------- ----------
1 entity found
% teacup install Expect
Resolving Expect ... [package Expect 5.43.2 win32-ix86 # http://teapot.activestate.com]
Resolving Tcl 8.4 -is package ... [package Tcl 8.6.1 _ ... Installed outside repository, probing dependencies]
Retrieving package Expect 5.43.2 win32-ix86 ...# http://teapot.activestate.com ...
Ok
Installing into C:/app/Tcl/lib/teapot
Installing package Expect 5.43.2 win32-ix86
%
How can we verify that SFTP access has been granted on a server, without installing any software/tools?
Most servers have curl and scp installed, which you can use to log into an SFTP server. To test if your credentials work using curl, you could do this:
$ curl -u username sftp://example.org/
Enter host password for user 'username':
Enter your password and if it works you'll get a listing of files (like ls -al), if it doesn't work you'll get an error like this:
curl: (67) Authentication failure
You could also try using scp:
$ scp username#example.org:testing .
Password:
scp: testing: No such file or directory
This verifies that you that you were able to log in, but it couldn't find the testing file. If you weren't able to log in you'd get a message like this:
Permission denied, please try again.
Received disconnect from example.org: 2: ...error message...
One of the many ways to check for SFTP access using password based authentication:
sftp username#serverName
or
sftp username#serverIP
And then entering password.
You will get "Permission denied, please try again." message if it fails otherwise you will be allowed inside the server with screen-
sftp>
You can test it fully works with commands like ls, mkdir etc.
Try logging in.
Not being snarky -- that really is probably the simplest way. By 'verify[ing] that SFTP access has been granted," what you're really doing is checking is a particular l/p pair is recognized by the server.
Alternatively, other than doing the "sftp -v" command mentioned above, you can always cat the SSH/SFTP logs stored on any server running sshd and direct them to a file for viewing.
A command set like the following would work, where 1.1.1 would be the /24 of the block you are trying to search.
cd /var/log/
cat secure.4 secure.3 secure.2 secure.1 secure |grep sshd| grep -v 1.1.1> /tmp/secure.sshd.txt
gzip -9 /tmp/secure.sshd.txt
G'day,
What about telnet on to port 115 (if we're talking Simple FTP) and see what happens when you connect. If you don't get refused try sending a USER command, then a PASS command, and then a QUIT command.
HTH
cheers,
In SFTP , the authentication can be of following types :
1. Password based authetication
2. Key based authentication
But if u r going for key based authentication then u have to prepare setup according to that and
proceed the login procedure.If the key based authentication fails it automatically asks for password means it automatically switches to password based mode. By the way if u want to verify u can use this on linux :
"ssh -v user#IP "
It will show u all the debug messages , and if the authentication is passed u will be logged in otherwise u will get "Permission denied". Hope this will help u.