I have successfully connected to my sever using the openssl s_client -connect command. Now I want to send the following value 0x2003 during the session but I don't find the way to send it as a hex. I was also considering to translated to ASCII but the 03 is the 'End of Text' character but I don't know how to type it. Any help would be more than welcome!
The echo command does work fine, although I have to say that for windows you will have to use the printf instead of echo (Need to install Cygwing).
What if I want to send another command in the same session? With the command below the session is closed once the command is sent. So I would like to keep the session open and send hex values whenever I need. Is there a way?
Thanks in advance!
On Linux you can use the pipe as explained in this answer. Luckily the echo command allows the translation you're thinking about by using \x03
For example try this to send your ASCII 03 char in the URL and in the cookie value :
(echo -e 'GET /foo\x03bar HTTP/1.1\r\nHost: stackoverflow.com\r\nCookie:cookie foo\x03bar\r\n\r\n' ; sleep 5) | openssl s_client -servername stackoverflow.com -connect stackoverflow.com:443
Related
How do I pass a known fingerprint (such as SHA256:BcOkb1S0zuj5A1CDxpOSuD2hnAArV1A3wKY7iOlks) to SSH, so that I don't need to manually answer the prompt?
I tried the following, which does not seem to work:
ssh some-user#my-domain.com <<EOF
SHA256:BcOkb1S0zuj5A1CDxpOSuD2hnAArV1A3wKY7iOlks
EOF
To add to the comment "You could prepare the complete entry and then copy it to the ~/.ssh/known_hosts file.", that preparation would be done using ssh-keyscan:
ssh-keyscan -H 192.168.1.162
# or
ssh-keyscan my-domain.com
If you have a known fingerprint, you can also double-check it, if is still valid.
Is it possible to interact/bypass a dialog popup when running a curl command?
My example involves running a curl command within a jenkins build that is using a p.12 certificate for authentication.
curl -v -k -E dev_key.p12:password https://jira.dev.organisation.co.uk:443/rest/api/2/issue/MYSTATS-2213
So if I do this within my regular terminal I will get a popup first time round asking stating example wants to access key in your keychain with allow/always allow buttons after which I can make my curl requests uninterrupted. But for some reason when running the same command in a Jenkins pipeline I just get the error (which is the outcome if you press cancel on the popup)
SSL can't load the certificate and it's private key
Is there a way around this?
UPDATE
So I have found there is a --cacert option to pass through which I guess verifies the dev_key but when I export my ca certificate its a .crt file. is the right format?
For SSL (https), curl option -E expects a certificate in PEM format (not PKCS#12). From man page:
-E, --cert <certificate[:password]>
[...]
The certificate must be in PKCS#12 format if using Secure Transport, or
PEM format if using any other engine.
[...]
I need to remove the passphrase from an SSL private key file. I'm using
openssl rsa -in in.key.pem -out out.key.pem
to do that. The issue I'm facing is that the passphrase for that keyfile (the passphrase is being generated on a different machine somewhere) looks something like this:
~Casdfghetc
As you've probably figured out, the "~C" part of that passphrase spawns a new command line and leaves me unable to correctly enter the passphrase. Quoting, double-quoting and so forth don't work.
I'm using putty to connect to this shell, hopping through a golden host (powerbroker). This is a productive, secure environment, so I cannot log into the machine any other way. Any tips on how I can get this to work?
Way 1. As http://www.jedi.be/blog/2010/08/27/ssh-tricks-the-usual-and-beyond/ points out:
Escape sequences are only recognized after a newline
So, when asked for a passphrase, you can do the following:
Type some letter before typing your passphrase, e.g. a.
Press Backspace key to undo/remove it.
Type your passphrase as usual.
Way 2. On my system, pressing "~?" shows the following help:
Supported escape sequences:
~. - terminate connection (and any multiplexed sessions)
~B - send a BREAK to the remote system
~C - open a command line
~R - request rekey
~V/v - decrease/increase verbosity (LogLevel)
~^Z - suspend ssh
~# - list forwarded connections
~& - background ssh (when waiting for connections to terminate)
~? - this message
~~ - send the escape character by typing it twice
(Note that escapes are only recognized immediately after newline.)
So, to insert tilde (~) right after newline, I need just to press it twice (~~). Probably, the same is true for you system: just type ~~Casdfghetc instead of ~Casdfghetc.
I am creating a script file programmatically and call psftp.exe as follows:
psftp user#hostname.com -pw password -b psftpscript.txt
but it prompts for user input
The server's host key is not cached in the registry. You have no
guarantee that the server is the computer you think it is. The
server's rsa2 key fingerprint is: [ssh-rsa 1024 somekey]
If you trust this
host, enter "y" to add the key to PuTTY's cache and carry on
connecting. If you want to carry on connecting just once, without
adding the key to the cache, enter "n". If you do not trust this host,
press Return to abandon the connection. Store key in cache? (y/n)
I need it to be completely prompt free, automatic.
I tried -batch parameter but it just abandons the connection
I had the same problem with running a unattended script in Windows Server 2008's 'sandbox' like environment. I ended up running the following which enters the y at the prompt for you:
echo y | psftp user#hostname.com -l username -pw password -b psftpscript.txt
Hope this helps!
Note: I only had to run the echo y once and removing it for the 2nd run didn't ask for the key to be cached anymore.
When you run it the first time, it will show you your key for the server.
Copy the key and then on your command line, specify your host key like this:
psftp example.com -hostkey 06:15:d4:3b:e4:e8:23:c0:d6:6d:45:47:7e:bd:8d:74 -l yourusername -pw yourpassword -batch
You can create a file as input containing just a y and carriage return then run
psftp user#hostname.com -pw password -b psftpscript.txt < filename.txt
Thanks to James from http://www.sqlservercentral.com/Forums/Topic281954-9-1.aspx for such a simple solution
This doesn't answer your question directly, but provides a possible workaround:
Launch a command prompt as the user who will be running your script and manually accept the certificate. Then upon future connections, you won't have the issue.
Given your need, beyond what has been stated, this may or may not work. I came to this question with the same problem and ended up resolving it using the approach I've just described.
In .Net, I found that the above method didn't work quite as expected. The trick was to use .Net's built-in input redirection - and not the < operator. Here's what the code looks like now:
System.Diagnostics.Process proc = new System.Diagnostics.Process();
proc.EnableRaisingEvents = false;
proc.StartInfo.FileName = "c:\\psftp.exe";
proc.StartInfo.UseShellExecute = false;
proc.StartInfo.RedirectStandardInput = true;
proc.StartInfo.Arguments = strIP + " -v -l " + strUsername + " -pw " + strPassword + " -b " + strBatchFilename;
proc.Start();
StreamWriter myStreamWriter = proc.StandardInput;
myStreamWriter.WriteLine("Y\n"); //override the public key question <---
myStreamWriter.Close();
proc.WaitForExit();
proc.Close();
I had the problem where I didn't have the permission to delete \ rename file over the remote server and the files contains time stamp.
So I needed to download files by name.
The psftp can't accept params (or any way I was aware of) and I couldn't dynamically change the file names according to the current date.
So, from the batch file which I'm calling the psftp commands I created the commands dynamically and with the file with the relevant time stamp.
I could copy only the today files which is better the then copy everything each time.
cd "C:\Files"
echo cd outbound > C:\SFTP\temp.txt
echo mget file_%date:~10,4%%date:~4,2%%date:~7,2%*.csv >> C:\SFTP\temp.txt
echo quit >> C:\SFTP\temp.txt
echo close >> C:\SFTP\temp.txt
C:\SFTP\psftp user#ftp.address.com -b C:\SFTP\temp.txt
close
exit
The "echo cd outbound > C:\SFTP\temp.txt" cleaned the old file and start writing the content of the new file.
The "echo mget file_%date:~10,4%%date:~4,2%%date:~7,2%.csv >> C:\SFTP\temp.txt" resulted in creating the the command: "mget file_20151008.csv " which downloads all files which starts with "file_20151008..." the next 2 rows just ended the action and the line "C:\SFTP\psftp user#ftp.address.com -b C:\SFTP\temp.txt" execute it.
as results temp.txt looks like this:
cd outbound
mget file_20151008*.csv
quit
close
I ended up adding the key to cache by entering 'y' to the prompt. I had to do it only once, and after that no more prompts, it works good.
I think it should also be noted that if you are intending to use psftp in an unattended manner that you MUST include the -batch option. This will ensure that psftp does not provide any interactive prompts.
In the event user input would be required, psftp would abort. (e.g. ask user to cache host key, ask for password, etc.)
This will ensure that your process doesn't 'hang' and allow your automation to alert someone that there is an issue.
I think there is a problem with your command line.
Usage: psftp [options] [user#]host
Try:
psftp -pw password -b psftpscript.txt user#hostname.com
None of the above suggestions worked for me, but I did figure out something that DID work for me.
I made 2 entries in my batch file for it to work.
The first entry causes a connection to cache in the registry.
The second entry will connect automatically because now the hostkey is cached in the registry.
echo y | psftp.exe username#hostname.com -pw password
psftp.exe username#hostname.com -pw password -v -be -batch -b psftp_upload_command.bat
How can you make SSH read the password from stdin, which it doesn't do by default?
based on this post you can do:
Create a command which open a ssh session using SSH_ASKPASS (seek SSH_ASKPASS on man ssh)
$ cat > ssh_session <<EOF
export SSH_ASKPASS="/path/to/script_returning_pass"
setsid ssh "your_user"#"your_host"
EOF
NOTE: To avoid ssh to try to ask on tty we use setsid
Create a script which returns your password (note echo "echo)
$ echo "echo your_ssh_password" > /path/to/script_returning_pass
Make them executable
$ chmod +x ssh_session
$ chmod +x /path/to/script_returning_pass
try it
$ ./ssh_session
Keep in mind that ssh stands for secure shell, and if you store your user, host and password in plain text files you are misleading the tool an creating a possible security gap
You can use sshpass which is for example in the offical debian repositories. Example:
$ apt-get install sshpass
$ sshpass -p 'password' ssh username#server
You can't with most SSH clients. You can work around it with by using SSH API's, like Paramiko for Python. Be careful not to overrule all security policies.
Distilling this answer leaves a simple and generic script:
#!/bin/bash
[[ $1 =~ password: ]] && cat || SSH_ASKPASS="$0" DISPLAY=nothing:0 exec setsid "$#"
Save it as pass, do a chmod +x pass and then use it like this:
$ echo mypass | pass ssh user#host ...
If its first argument contains password: then it passes its input to its output (cat) otherwise it launches whatver was presented after setting itself as the SSH_ASKPASS program.
When ssh encounters both SSH_ASKPASS AND DISPLAY set, it will launch the program referred to by SSH_ASKPASS, passing it the prompt user#host's password:
An old post reviving...
I found this one while looking for a solution to the exact same problem, I found something and I hope someone will one day find it useful:
Install ssh-askpass program (apt-get, yum ...)
Set the SSH_ASKPASS variable (export SSH_ASKPASS=/usr/bin/ssh-askpass)
From a terminal open a new ssh connection without an undefined TERMINAL variable (setsid ssh user#host)
This looks simple enough to be secure but did not check yet (just using in a local secure context).
Here we are.
FreeBSD mailing list recommends the expect library.
If you need a programmatic ssh login, you really ought to be using public key logins, however -- obviously there are a lot fewer security holes this way as compared to using an external library to pass a password through stdin.
a better sshpass alternative is :
https://github.com/clarkwang/passh
I got problems with sshpass, if ssh server is not added to my known_hosts sshpass will not show me any message, passh do not have this problem.
I'm not sure the reason you need this functionality but it seems you can get this behavior with ssh-keygen.
It allows you to login to a server without using a password by having a private RSA key on your computer and a public RSA key on the server.
http://www.linuxproblem.org/art_9.html