Verifying SSH host key in Tectia and WinSCP SFTP clients - ssh

I have two scripts to upload files into SFTP server:
sftp2 --identity-key-file=D:\test_ssh2 -B d:\test.txt testUser@xxx.xxx.xxx.xxx
open sftp://testUser@xxx.xxx.xxx.xxx -privatekey=D:\test.ppk -hostkey="ssh-rsa 1536 xxxxxxxxxxxxxxxxxxxxxxxxxxx"
Please help to explain:
What is the difference between the two scripts?
Why does the first script not need a host key, while the second one does?
Can I call SFTP with private key without using any hostkey?

What is the difference between the two scripts?
The first is a batch file using the Tectia sftp2.exe client.
The second is WinSCP script file.
Why does the first script not need a host key, while the second one does?
Most SFTP/SSH clients will prompt you to verify the host key fingerprint on the first connection. If you verify the host key, it gets cached and you won't get prompted the next time.
Tectia sftp2.exe and WinSCP are no different.
If your Tectia sftp2.exe script works as it is, you must previously have verified the host key manually in that client.
Your WinSCP script, on the other hand, contains an explicit fingerprint of the host key, so it will work even if you have not verified the host key manually with WinSCP before running the script. This is the recommended way to use WinSCP, as it makes your script portable (not dependent on a hidden cache of host keys). But if you prefer, you can verify the host key manually with WinSCP, the same way you did with Tectia.
Can I call SFTP with private key without using any hostkey?
The private key has nothing to do with the host key, so this question makes little sense. See the WinSCP article on SSH key pairs to understand.

Related

What is hostkey in WinSCP script?

I am trying to automate a backup process with WinSCP. I am trying to set up a WinSCP script, but I have troubles with the SSH authentication.
My very simple script is this:
# Connect to SFTP server using a password
open sftp://myusername:mypw@mywebspace.com/ -hostkey="ssh-rsa 2048 xxxxxxxxxxx...="
# Upload file
put C:\pic.jpg /backup/
# Exit WinSCP
exit
The part I have trouble with is the -hostkey switch. I generated a key with PuTTYgen and saved it on my webspace. Yet I don't know what to put into my script. Everything I try seems to get an "authentication failed" when running the script.
This is what I get in PuTTYgen:
Which of this should I put in the script? What exactly does that look like?
I'm grateful for all helpful advice, as I'm new to this.
The host key is the public key of your SSH server. It has nothing to do with the key pair you generate for authentication to the server. What goes into the -hostkey switch is a fingerprint of the server's public key; just follow the switch documentation. You use it to verify the server's identity to avoid MITM attacks.
See WinSCP FAQ Where do I get SSH host key fingerprint to authorize the server?.
As you seem to get to the authentication phase ("authentication failed"), your immediate problem is not the host key. Authentication happens only after the host key has been verified. As you seem to have put a wrong value into the -hostkey switch, yet the host key is verified, it means that you have the host key cached in the registry anyway. If you have a problem with authentication, please first make sure you can log in to the SSH server at all (e.g. from the WinSCP GUI). Only then try to automate the process.
See also Understanding SSH key pairs.
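Both the Tectia/WinSCP question above and this one come down to the same object: the server's public host key and the fingerprint derived from it. The following script is an added example, not code from either answer or from WinSCP. It parses an OpenSSH public key line (the same `type base64` form appears in id_rsa.pub, authorized_keys and known_hosts), checks that the type outside the blob matches the one inside it, reads the key size out of the blob, and produces the SHA-256 and MD5 fingerprints in the layout ssh-keygen -l prints. The three pieces WinSCP's -hostkey value is built from (algorithm, bit size, fingerprint) are all produced here; copy the exact string WinSCP itself displays rather than assembling it by hand. The sample keys are constructed blobs, not real key material.

```python
"""Parse OpenSSH public-key lines (id_rsa.pub, authorized_keys, known_hosts entries) and
derive the fingerprint that host-key checking compares against.  Added example; the sample
keys below are constructed, not real key material."""
import base64
import hashlib
import struct

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")
CURVE_BITS = {"ssh-ed25519": 256, "ecdsa-sha2-nistp256": 256,
              "ecdsa-sha2-nistp384": 384, "ecdsa-sha2-nistp521": 521}


def ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint' for n >= 0: minimal big-endian, 0x00-prefixed if the top bit is set."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return ssh_string(b"\x00" + raw if raw and raw[0] & 0x80 else raw)


def read_string(blob: bytes, off: int):
    (length,) = struct.unpack_from(">I", blob, off)
    off += 4
    if off + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[off:off + length], off + length


def parse_public_key(line: str) -> dict:
    """Type, bit size and fingerprints for one key line.  The key may be preceded by a
    known_hosts host field or by simple (unquoted) authorized_keys options."""
    fields = line.split()
    for i, f in enumerate(fields):
        if f in KEY_TYPES:
            break
    else:
        raise ValueError("no recognised key type in line")
    declared, blob = fields[i], base64.b64decode(fields[i + 1])
    # The algorithm name is repeated inside the blob; a mismatch means a corrupt or
    # tampered line, and OpenSSH rejects it too.
    embedded, off = read_string(blob, 0)
    if embedded != declared.encode():
        raise ValueError(f"type field {declared!r} does not match blob {embedded!r}")
    if declared == "ssh-rsa":
        _e, off = read_string(blob, off)          # public exponent (unused here)
        n_bytes, off = read_string(blob, off)     # modulus: its length is the key size
        bits = int.from_bytes(n_bytes, "big").bit_length()
    else:
        bits = CURVE_BITS[declared]
    sha256 = base64.b64encode(hashlib.sha256(blob).digest()).rstrip(b"=").decode()
    md5 = ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())
    return {"type": declared, "bits": bits,
            "sha256": "SHA256:" + sha256, "md5": "MD5:" + md5}


def hostkey_matches(line: str, expected_sha256: str) -> bool:
    """The check a script should make: the key the server presents against a fingerprint
    recorded out of band (a -hostkey value, a pinned constant), not a silently cached one."""
    return parse_public_key(line)["sha256"] == expected_sha256


# Constructed sample keys (not real key material): an ssh-rsa blob from e=65537 and a
# made-up 2048-bit modulus, and an ssh-ed25519 blob with a fixed 32-byte point.
_RSA_BLOB = ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint((1 << 2047) + 12345)
SAMPLE_RSA_PUB = "ssh-rsa " + base64.b64encode(_RSA_BLOB).decode() + " user@example"
SAMPLE_KNOWN_HOSTS = "sftp.example.com " + SAMPLE_RSA_PUB.rsplit(" ", 1)[0]
_ED_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_ED25519_PUB = "ssh-ed25519 " + base64.b64encode(_ED_BLOB).decode()

if __name__ == "__main__":
    for sample in (SAMPLE_RSA_PUB, SAMPLE_KNOWN_HOSTS, SAMPLE_ED25519_PUB):
        k = parse_public_key(sample)
        print(k["bits"], k["sha256"], k["md5"], f'({k["type"]})')  # like ssh-keygen -lf
```

Run it against a real line from ~/.ssh/known_hosts or the output of ssh-keyscan and compare the SHA256 value with what ssh-keygen -lf prints; the same fingerprint for the same key shows up whether the line came from a known_hosts entry or from the server's own /etc/ssh/ssh_host_*_key.pub, which is the out-of-band comparison that defeats a man in the middle on the first connection.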

SSH suddenly asking for DSA

After allowing an application to install ssh keys on my local machine, I can no longer connect to my Digital Ocean shell. (The app is not related to DO; totally different.) I get a
Permission denied (public key)
error that, with -vvv, debugs to
Trying private key: /Users/macbook/.ssh/id_dsa
no such identity: path/.ssh/id_dsa: No such file or directory
My keys are rsa. I have no idea why the machine is asking for dsa.
My .ssh/config file (which I have never read until now) has only information about the application I allowed access. Maybe it was overwritten. If this is the case, could you tell me how to rewrite my .ssh/config file?
My keys on my cloud server (accessed through a DO gui shell) and on my machine still match up. The folder permissions are ok. I've been using this for months with no trouble until now.
Any suggestions?
Edit:
This was probably a result of the third party application overwriting my .ssh/config file. Because the writing of this file was always automated for me, I never took any notice of it. If you try:
regenerating new keys
appending the new public key to the authorized_keys file on your server on a new line
writing a new .ssh/config file like so:
Host 111.11.11.1
    User bob
    IdentityFile ~/.ssh/new_file.pem
then you might make it. Somehow now I can't get a passphrase to work on the new keys.

Ansible: Change SSH key

I have an inventory of multiple servers. SSH access to these servers is secured using PEM key files. I would like to periodically change the PEM key used by my servers. So, I would like to use Ansible to do the following:
Generate a new PEM key file
For each server in my inventory, connect to the server using old PEM key file
Install new PEM key file
Test to ensure SSH with new key works and old key does not work
What is the best way to do this via Ansible?
You should split this into three playbooks.
The first generates a new PEM key. This will run locally. See: https://docs.ansible.com/ansible/playbooks_delegation.html#local-playbooks
The second one does the rollout, i.e. it copies the key to all servers. You can use authorized_key or copy, depending on your preferred workflow. But that's another question.
The third step would then be a testing playbook, maybe with an assert statement or just using ping to ensure the connection works.
When you have all these playbooks, combine them into a single one with include, or add these three plays to one playbook in the right order. See: https://docs.ansible.com/ansible/playbooks_intro.html

Login to server using WinSCP.com (cmd line) without password

I am using Windows machine and I have WinSCP installed.
I am writing a script that logs in to the server and downloads file.
I do not want to store account password in the script. Is there anyway I can login to server with some-kind of host-key or private-key or something.
Yes, you can use public key authentication. But for that you still have to store the private key along with your script. Normally the key is encrypted with a passphrase. To automate the login, you would have to store the passphrase in the script file anyway (using the -passphrase switch). So still, if anyone gets access to your machine, he/she is still able to steal your identity, just as with the password. Though there's an advantage: you can have multiple keys (while only one password). If you use a special key for the script and the key is ever compromised, you can revoke it while keeping the other keys.
Note that, if you are not absolutely sure of the physical and electronic security of the system from which you are connecting, there's hardly any way to set up automatic authentication. If you are sure about the security, storing the password in the script file is just fine.
Anyway, your question is mostly a duplicate of:
How do I setup Public-Key Authentication?
For WinSCP specifics, see the guide to Setting up SSH public key authentication.
See also the WinSCP guide to Protecting credentials used for automation.
I had a similar issue on Windows, so I used PuTTY instead: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
If you need to generate a public key then use: http://the.earth.li/~sgtatham/putty/latest/x86/puttygen.exe
I gave the public key + password to whoever owned the SFTP server to install it on his side.
I saved the private key on my side, let's say as "C:\privatekey.ppk".
You don't use a password in your script; instead you link to the private key, which you must have on your machine.
Then, when you want to automate a batch to download from the FTP server, use Pageant to load the private key into the session: http://the.earth.li/~sgtatham/putty/latest/x86/pageant.exe
Then use the PSFTP to connect and perform actions http://the.earth.li/~sgtatham/putty/latest/x86/psftp.exe
So here is sample code for the batch file:
REM Load the key into the session
@C:\pageant.exe "C:\privatekey.ppk"
REM Call psftp.exe with the user and SFTP address plus the command list file
@C:\psftp user@your.server.address -b C:\sftp_cmd.txt
The command list file (sftp_cmd.txt) will look like this (mget downloads everything; more commands can follow before close):
mget "*.*"
close
Now, all you need to do is schedule it in Scheduled Tasks. I wish it was as simple as Unix's cron job...

How does the GitHub authentification work?

If you follow the GitHub HowTo "Generating SSH Keys", you get three files in your ~/.ssh directory: known_hosts, id_rsa, and id_rsa.pub.
The file known_hosts is used for server authentication, id_rsa for client authentication (here is an article that explains the difference).
Why should I create, and why does GitHub need, both a host and a user authentication file? How does GitHub authentication work?
Thx
This is just plain old SSH authentication; nothing about it is specific to GitHub.
id_rsa and id_rsa.pub are the two halves of your key: the private key and the public key. Effectively, the public key is the lock for the private key. You put the lock (public key) on whatever servers you want easy access to, without too much worry that someone else will see it, because it's just a lock. You keep the (private) key on your machine, and use it to log into those servers; they see you have a key fitting the lock, and let you in.
(Not to say that you should put your public key on completely untrustworthy machines; there are malicious tricks that can take advantage of shortcuts like ssh -A.)
known_hosts doesn't actually have much to do with this; it's just where ssh stores the fingerprints of all the servers you've connected to, so it can throw up a big scary warning if the fingerprint changes. (That would mean it's not the same machine: either something has changed radically on the server side, or your connection has been hijacked.)
So, anyway, one of the protocols Git itself understands is SSH. When you use git@github.com:... as a repository URL, Git is just connecting over SSH. Of course, GitHub doesn't want you mucking around on their machines, so they only let you do Git things, not get a full shell.
As usual, the Arch wiki has a whole lot more words on this.
known_hosts stores the server's identity the first time you connect, so that you know the next time that you're connecting to the same server. This prevents someone from pretending to be the server the next time you connect (but sadly not the first time)
id_rsa is your secret key that proves that you are really you. Never give this away.
id_rsa.pub is the public key, its purpose for authentication is basically just to prove that you have the secret key without giving it out. This key you can give to anyone what needs it since there's nothing secret about it.
When you connect to the server, SSH first checks that the server has the correct key (i.e. it should match the one in known_hosts). If the client is satisfied that the server is genuine, it uses its private key to sign the following data and sends it to the server:
string session identifier
byte SSH_MSG_USERAUTH_REQUEST
string user name
string service name
string "publickey"
boolean TRUE
string public key algorithm name
string public key to be used for authentication
The server verifies the signature using the public key (which you earlier uploaded to Github), and if it is correct, the client is authenticated.
The known_hosts file is used by ssh whenever you actually connect to a host via SSH. It stores a signed key of sorts for the server. Then, if it changes, you will know.
ssh-keygen -t rsa -C yourgithub@accountemail.com is used to generate the SSH key, of which you give the id_rsa.pub to GitHub. Then, when you connect to GitHub, you have the private key id_rsa in your ~/.ssh folder, which is then used to validate your information with GitHub.
This is a very low-level explanation, but the private key (non .pub) file is your end, the .pub is for github and the known_hosts is for your box to know what is what.
You can also create a config file in ~/.ssh to specify which key goes to which host.
authorized_keys and known_hosts are entirely different..
Your SSH server (sshd, ie) uses authorized_keys, or whatever file is defined within your /etc/ssh/sshd_config/ for knowing the public side of another key. So when a user connects to your server, they pass their private key, your SSH server verifies against the public key it has within authorized_keys and if it doesn't match, it doesn't work.
Github maintains an authorized_keys so-to-speak on their users. Your public key goes into your authorized_keys on your account and then when you connect via ssh to clone,push,etc, it checks your private key you send over with your public key they already know.