ssh-agent has a protocol whereby data can be sent to it to get signed by a particular private key:
http://api.libssh.org/rfc/PROTOCOL.agent
In Linux, with ssh-agent, you'd open a Unix domain socket to SSH_AUTH_SOCK and send the packets to that. Windows, however, doesn't have a Unix domain socket.
Any ideas?
Thanks!
The communication between putty and pageant has been done on the shared memory by using WIN32 APIs. I had implemented that protocol in Java with JNA. If you are interested in its protocol and want to learn how it runs on Windows, the following file may be useful,
https://github.com/ymnk/jsch-agent-proxy/blob/master/jsch-agent-proxy-pageant/src/main/java/com/jcraft/jsch/agentproxy/connector/PageantConnector.java
If you're implementing the protocol in C, you might reference the canonical PuTTY implementation. If you're implementing it in Python, the paramiko project implements the Putty Pageant protocol.
Best I understand, the protocol is the same, but the transport is different, using shared memory rather than sockets.
Related
I've recently been passed an embedded project where an MCU uses libwebsockets (version 3.1.0) to setup a websockets client. The MCU is connected to a SIMCOM modem for 4g connectivity.
Up until now the communication was non-secured: SSL context not set and modem configured to provide just a TCP link to the server. The server URI was a wss one, but security was not enforced.
I've now been asked to set the communication to use SSL/TLS with server and client authentication.
Having never used libwebsockets before and being short on time, my idea was to:
a) Leave libwebsockets set as it was, so with no SSL context set up.
b) Configure the modem to creat an SSL/TLS context and connect to the server through that one.
I did this and I can see my device sending the request to switch from http to websockets protocol, as well as the server's successful reply (code 101). But my problem is that the server's reply never gets processed by libwebsockets and the connection is dropped after a few seconds.
I can se3 that the bytes that make up the server's reply are received by the modem and passed into the MCU's buffer used to pass data into libwebsockets, but then the library never calls its net_recv method to actually read from such buffer.
Also, libwebsockets is currently built with TLS support and uses mbedTLS as SSL/TLS library. But, as said about, SSL context is currently left disabled (ssl_connection in the connection info struct is left set to 0).
So, I was wondering:
Is my approach something that can work at all? Or should I setup the SSL context from libwebsockets and let the modem setup just a TCP connection?
If I were to setup the SSL context from libwebsockets, is there a way to pass certificates and keys tot the library as just C arrays? Or do I have to have them stored as files on a filesystem and then pass their paths to the lib?
Also, I should add that the MCU has a second connection to the server, an HTTPS one, that one too setup with client and server authentication and that works with no problems at all. Therfore, I'm sure that the modem is correctly configured.
If needed, I will be able to provide more info on library configuration and used from Monday, because I'm currently travelling and don't have access to the code. But I wanted to get the ball rolling.
Thanks in advance for your help.
Yesterday, finally I had time to look at the code again. It turns out that the problem was in my code (this was always a strong possibility).
The local implementation of the net_send had a bug and returned always negative values. Thus, libwebsockets thought that the HTTP request to switch protocol had failed and hence was closing down the connection.
So, to answer the two questions above:
Yes, it's possible to setup libwebsockets to not handle SSL/TLS and then provide a SSL/TLS connection from a lower layer (the modem in my case).
It is possible to store certificates and keys in C arrays of bytes and pass them to libwebsockets if you create a custom platform implementation for your platform and create a custom implementation of POSIX like methods (open, close, read, etc).
By default the library expects to work on a POSIX like filesystem, though. So, realising a custom implementation can be a bit of a job.
The above is true for libwebsockets version 3.1.0. I haven't used any other version of the library, so things might have changed since then.
All in all, I think that configuring libwebsockets to handle SSL and the TLS handshake and then provide it with only a TCP connection is the best way of using the library.
I chose a different strategy for the wrong reasons (tight deadline + not being familiar with the codebase), but I'm definitely planning on reviewing my approach at a later date.
This is a pre-implementation question.
We have a working fabric(2.2) application with an org containing 2 peers, an intermediate CA with TLS enabled and are now planning to implement HSM to store org related private keys. I read from official doc and other articles that to use HSM we need to have PKCS11 enabled docker centOS images and the setup requires a complete rebuild of the binaries and network.
Can we setup HSM w/o disturbing the existing network?
Does peer's couchDB container requires to be reconfigured as well if the answer for Q1 is "yes"?
How do we transfer the available private keys from local MSP keystore to HSM slots?
What are the points to take care while implementing HSM along with TLS/TLS enable existing keys?
Do we have a ready script for this operation in any samples (I did not find it so far)?
(removed point 6 and rearranged)
I have seen very few people talking about implementing HSM with HLF, is there any major issue of usage.
Also please do provide a "take care" points before starting this operation.
Yes, if you have enough peers or orderers running. You will need to restart the peer or order to use HSM one-by-one after setting the environment variable or the yaml file (Or even rebuild the binary with PKCS11). Since you do it one-by-one, other nodes that are running will keep the network alive.
Nope.
Depends on the HSM provider. They will provide you a binary to do that either by GUI or command line, which usually import pkcs12 (cert, public and private key). After import into the HSM, you may remove the private keys from MSP keystore as the Orderer and Peer binary will use the HSM for private key operation. (Of course you should backup them somewhere else)
Key for TLS server or client has to be stored locally. HSM is not supported for TLS yet.
No.
I assume this is same question as number 3
Ya, there exist some issues like the Java Chaincode does not have HSM support and you will need to write the PKCS11 implementation yourself and override the cryptoPrimitive.java.
PKCS11 is a standard interface, not a standard protocol. Each HSM vendor has its own protocol (usually over TCP). They provide a library that speaks their proprietary protocol that you install in your application.
So a HSM is "just" another TCP based service running outside your cluster. To some extent, you connect to an HSM the same way you would connect to a LDAP server:
Get a PIN to the HSM (similar to a password) and store it... somewhere
Install a library (ex: hsm-provider.so) and its configuration file in your environment
Open any firewall, SecurityGroup, VPC and whatnot to ensure TCP/IP connectivity
Let you application talk natively to the device as it would connect to any other serivce.
The specifics (especially local configuration) depend on the HSM provider. Here is a script that configures an HSM emulated in software for Hashicorp Vault. YMMV but this software emulator separates the HSM part from the networking part.
Once you figure out the HSM part, I suggest you look into Utimaco HSM emulator (registration required). You connect to the emulator via a TCP/IP connection, making it as real as can be from Hyperledger's point of view.
We are planning to use Apache Mina SSHd - ssh client in our product. I need to identify if it supports ssh2 protocol.
I checked various resources thoroughly but couldn't able to find information around it. Could you please confirm if it supports ssh2 and how to use/ configure it.
Apache MINA SSHD implements version 2 of the SSH protocol. Version 1 is obsolete and no longer considered secure, and almost nobody uses it anymore. The RFCs it links to in the README on GitHub all cover version 2 of the protocol.
Note that because the library supports a large number of cryptographic algorithms, many of which are no longer secure, you should be careful if you are using settings other than the defaults (which, except for the use of the ssh-rsa signature algorithm, should be secure).
If you're looking for some basic setup documentation for a simple client, the README has a link to some documentation for that as well.
I have a packet interface to another entity, not a TCP connection but I need to do SSL on this interface by following SSL over TCP. Wonder if there is a library that has the following 3 APIs on SSL. They should be self-evident and they will fit well with the packet interface (not a stream/socket interface).
ssl = createSSL();
clearText = fromSSLPipe(ssl, encryptedData, len, &outputLen);
encryptedData = toSSLPipe(ssl, cleartext, len, &outputLen);
If there is no such library, could someone give some example(s) on how to implement them?
Thanks in Advance.
SSL/TLS uses frames with a size of up to 16k. So if this is enough for you, you can simple use SSL_write (will output a single SSL frame if data <16k) and SSL_read (will read single SSL frame and decrypt it) from openssl over a TCP connection. If you need encrypted UDP you can use DTLS, which is also implemented by openssl. While the openssl library is written in C there are interfaces for lots of languages, like perl, python, ruby...
I'd like to use a server between two machines (with no static IP). The only IP known to me is the server's IP address. I'd like to build/use a system that listens to 2 different ports within the server and whatever is received from localhost:portA is sent to localhost:portB and vise versa. Consequently, both machines (with java apps) can communicate through the server in the middle.
Please what is the best solution to do this. I'm working on linux system and I thought of using an SSH java API (hudson / ganymed-ssh-2) to build a port forwarding server application.
Some issue:
1) determining the size of the data transmitted to buffer read or not to forward it to the other port.
2)The speed of reading/writing bytes.
If you can use ssh protocol you can tunnel local or remote ports (this need support on server side). You can also think about an OpenSSH VPN (take a look on ssh -w option, this will create a real VPN (TUN/TAP device is required). ).
You can use the the ssh program. Take a look at the -L and -R options specifically.