How do you generate user accounts for 400 users to do a load testing?
Htdigest forces you to type in a password each time, I have tried dos pipes like
echo password > htdigest -c realm username%1
htdigest -c realm username%1 < password.txt
but it is not working...
You can also check out the python script that trac distributes on their website for htdigest passwords, you can then automate it:
Generating htdigest passwords without Apache
They also suggest something along these lines will work:
It is possible to use md5sum utility to generate digest-password file using such method:
$ printf "${user}:trac:${password}" | md5sum - >>user.htdigest
and manually delete " -" from the end and add "${user}:trac:" to the start of line from 'to-file'.
I have tested this on FreeBSD, not sure if this will work on Linux or Windows, so you may need to modify it a little:
(echo -n "user:realm:" && echo -n "user:realm:testing" | md5) > outfile
outfile contains:
user:realm:84af20dd88a2456d3bf6431fe8a59d16
Same thing with htdigest:
htdigest -c outfile2 realm user
output in outfile2
user:realm:84af20dd88a2456d3bf6431fe8a59d16
They are both the same, thereby proving correctness of the command line implementation!
(Aside: On unix/linux the first one should be:
echo password | htdigest -c realm username$1
)
As htdigest doesn't have any nice way to pass the password in, I would use expect to automate the process.
An example from http://www.seanodonnell.com/code/?id=21:
#!/usr/bin/expect
#########################################
#$ file: htpasswd.sh
#$ desc: Automated htpasswd shell script
#########################################
#$
#$ usage example:
#$
#$ ./htpasswd.sh passwdpath username userpass
#$
######################################
set htpasswdpath [lindex $argv 0]
set username [lindex $argv 1]
set userpass [lindex $argv 2]
# spawn the htpasswd command process
spawn htpasswd $htpasswdpath $username
# Automate the 'New password' Procedure
expect "New password:"
send "$userpass\r"
expect "Re-type new password:"
send "$userpass\r"
It's left as an exercise to the user to convert this for Windows if required.
Here is a script that will read in a list of user names, generate a random password for each, and output them to both an htdigest file, and a plain text file. It has been tested on Linux, but may need to be modified for other systems. In particular, md5sum may be md5, and head does always accept the -c flag.
#!/bin/bash
# auth realm for digest auth
AUTH_REALM=MyRealm
# file locations
# a file containing a list of user names,
# one name per line, e.g.,
# $ cat users.txt
# joe
# curly
# larry
USER_FILE=users.txt
# htdigest file, needs to exist
HTDIGEST_FILE=passwd.htdigest
# insecure password file
PASSWD_FILE=passwd.txt
# read the names from the user file
while read username
do
# generate a pseudo-random password
rand_pw=`< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c8`
# hash the username, realm, and password
htdigest_hash=`printf $username:$AUTH_REALM:$rand_pw | md5sum -`
# build an htdigest appropriate line, and tack it onto the file
echo "$username:$AUTH_REALM:${htdigest_hash:0:32}" >> $HTDIGEST_FILE
# put the username and password in plain text
# clearly, this is terribly insecure, but good for
# testing and importing
echo "$username:$rand_pw" >> $PASSWD_FILE
done < $USER_FILE
This is what the input and results look like, first the user names file:
$ cat users.txt
joe
curly
larry
Running the script:
$ ./load_users.bash
The resulting htdigest file:
$ cat passwd.htdigest
joe:MyRealm:2603a6c581f336f2874dbdd253aee780
curly:MyRealm:fd3f9d87bba654439d5ba1f32c0286a8
larry:MyRealm:c1c3c0dc50a9b97e9f7ee582e3fce892
And the plain text file:
$ cat passwd.txt
joe:aLnqnrv0
curly:3xWxHKmv
larry:7v7m6mXY
Related
I'm trying to write a batch script in Windows to take a list of IP addresses and ping them. Once a site doesn't respond, I want Windows to take all of the unresponsive IP addresses, and parse them through a comparison file that has the IP and physical street addresses of these systems. Once the unresponsive sites are parsed through the comparison file, I want the end result to be the matching info from the compare file for only the sites that are unresponsive. I already have script written for Linux that does this same thing, but I wanted a Windows version for some of the customers I work with who aren't Linux savvy.
Here is my script:
#Echo Off
Set "ServerList=C:\Users\<mylogin>\ip.txt"
Set "LogFile=C:\Users\<mylogin>\PingResults.txt"
If Not Exist "%ServerList%" Exit /B
>"%LogFile%" (For /F UseBackQ %%A In ("%ServerList%"
) Do Ping -n 1 %%A|Find "TTL=">Nul&&(Echo Yes [%%A] > Nul)||Echo No [%%A])
findstr /f:%LogFile sites.txt > Down.txt
The script itself seems to execute just fine, but it doesn't put anything in the final output file of Down.txt, I'm positive I have something wrong in my findstr command.
Below is my Linux script that does this exact same thing. Yeah it's clunky but it gets the job done:
#!/bin/bash
# Script to test ssh connectivity using expect script
rm -f results.txt
clear
echo "Please be patient while the script runs..."
while read user ip port pass; do
${PWD}/test_ssh_edge_device.sh $user $ip $port $pass >> results.txt
done < rekor_edge_device_list.txt
#This will boil down the results of the ping script so only the IP address is left
cat results.txt | grep -B1 time > refined.txt
cat refined.txt | grep -Eo "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" > refinedip.txt
#This will take the boiled down IP addresses and check them against the compare file, final output will be all system info for only downed systems
list=refinedip.txt
rm -f iplist.txt
exec 3<&0
exec 0<$list
while read line
do
cat compare.txt | grep $line >> iplist.txt
done
exec 0<&3
cat iplist.txt
I am creating a restricted user without shell for port forwarding only and I need to execute a script on login via pubkey, even if the user is connected via ssh -N user#host which doesn't asks SSH server for a shell.
The script should warn admin on connections authenticated with pubkey, so the user connecting shouldn't be able to skip the execution of the script (e.g., by connecting with ssh -N).
I have tried to no avail:
Setting the command at /etc/ssh/sshrc.
Using command="COMMAND" in .ssh/authorized_keys (man authorized_keys)
Setting up a script with the command as user's shell. (chsh -s /sbin/myscript.sh USERNAME)
Matching user in /etc/ssh/sshd_config like:
Match User MYUSERNAME
ForceCommand "/sbin/myscript.sh"
All work when user asks for shell, but if logged only for port forwarding and no shell (ssh -N) it doesn't work.
The ForceCommand option runs without a PTY unless the client requests one. As a result, you don't actually have a shell to execute scripts the way you might expect. In addition, the OpenSSH SSHD_CONFIG(5) man page clearly says:
The command is invoked by using the user's login shell with the -c option.
That means that if you've disabled the user's login shell, or set it to something like /bin/false, then ForceCommand can't work. Assuming that:
the user has a sensible shell defined,
that your target script is executable, and
that your script has an appropriate shebang line
then the following should work in your global sshd_config file once properly modified with the proper username and fully-qualified pathname to your custom script:
Match User foo
ForceCommand /path/to/script.sh
If you only need to run a script you can rely on pam_exec.
Basically you reference the script you need to run in the /etc/pam.d/sshd configuration:
session optional pam_exec.so seteuid /path/to/script.sh
After some testing you may want to change optional to required.
Please refer to this answer "bash - How do I set up an email alert when a ssh login is successful? - Ask Ubuntu" for a similar request.
Indeed in the script only a limited subset on the environment variables is available:
LANGUAGE=en_US.UTF-8
PAM_USER=bitnami
PAM_RHOST=192.168.1.17
PAM_TYPE=open_session
PAM_SERVICE=sshd
PAM_TTY=ssh
LANG=en_US.UTF-8
LC_ALL=en_US.UTF-8
PWD=/
If you want to get the user info from authorized_keys this script could be helpful:
#!/bin/bash
# Get user from authorized_keys
# pam_exec_login.sh
# * [ssh - What is the SHA256 that comes on the sshd entry in auth.log? - Server Fault](https://serverfault.com/questions/888281/what-is-the-sha256-that-comes-on-the-sshd-entry-in-auth-log)
# * [bash - How to get all fingerprints for .ssh/authorized_keys(2) file - Server Fault](https://serverfault.com/questions/413231/how-to-get-all-fingerprints-for-ssh-authorized-keys2-file)
# Setup log
b=$(basename $0| cut -d. -f1)
log="/tmp/${b}.log"
function timeStamp () {
echo "$(date '+%b %d %H:%M:%S') ${HOSTNAME} $b[$$]:"
}
# Check if opening a remote session with sshd
if [ "${PAM_TYPE}" != "open_session" ] || [ $PAM_SERVICE != "sshd" ] || [ $PAM_RHOST == "::1" ]; then
exit $PAM_SUCCESS
fi
# Get info from auth.log
authLogLine=$(journalctl -u ssh.service |tail -100 |grep "sshd\[${PPID}\]" |grep "${PAM_RHOST}")
echo ${authLogLine} >> ${log}
PAM_USER_PORT=$(echo ${authLogLine}| sed -r 's/.*port (.*) ssh2.*/\1/')
PAM_USER_SHA256=$(echo ${authLogLine}| sed -r 's/.*SHA256:(.*)/\1/')
# Get details from .ssh/authorized_keys
authFile="/home/${PAM_USER}/.ssh/authorized_keys"
PAM_USER_authorized_keys=""
while read l; do
if [[ -n "$l" && "${l###}" = "$l" ]]; then
authFileSHA256=$(ssh-keygen -l -f <(echo "$l"))
if [[ "${authFileSHA256}" == *"${PAM_USER_SHA256}"* ]]; then
PAM_USER_authorized_keys=$(echo ${authFileSHA256}| cut -d" " -f3)
break
fi
fi
done < ${authFile}
if [[ -n ${PAM_USER_authorized_keys} ]]
then
echo "$(timeStamp) Local user: ${PAM_USER}, authorized_keys user: ${PAM_USER_authorized_keys}" >> ${log}
else
echo "$(timeStamp) WARNING: no matching user in authorized_keys" >> ${log}
fi
I am the author of the OP; I came to the conclusion that what I need to achieve is not possible using SSH only to the date (OpenSSH_6.9p1 Ubuntu-2, OpenSSL 1.0.2d 9 Jul 2015), but I found a great piece of software that uses encrypted SPAuthentication to open SSH port and it's new version (to the date of this post, it's GitHub master branch) has a feature to execute a command always that a user authorizates successfully.
FWKNOP - Encrypted Single Packet Authorization
FWKNOP set iptables rules that allow access to given ports upon a single packet encrypted which is sent via UDP. Then after authorization it allow access for the authorized user for a given time, for example 30 seconds, closing the port after this, leaving the connection open.
1. To install on an Ubuntu linux:
The current version (2.6.0-2.1build1) on Ubuntu repositories to the date still doesn't allow command execution on successful SPA; (please use 2.6.8 from GitHub instead)
On client machine:
sudo apt-get install fwknop-client
On server side:
sudo apt-get install fwknop-server
Here is a tutorial on how to setup the client and server machines
https://help.ubuntu.com/community/SinglePacketAuthorization
Then, after it is set up, on server side:
Edit /etc/default/fwknop-server
Change the line START_DAEMON="no" to START_DAEMON="yes"
Then run:
sudo service fwknop-server stop
sudo service fwknop-server start
2. Warning admin on successful SPA (email, pushover script etc)
So, as stated above the current version present in Ubuntu repositories (2.6.0-2.1build1) cannot execute command on successful SPA. If you need this feature as of the OP, but it will be released at fwknop version (2.6.8), as can it is stated here:
https://github.com/mrash/fwknop/issues/172
So if you need to use it right now you can build from github branch master which have the CMD_CYCLE_OPEN option.
3. More resources on fwknop
https://help.ubuntu.com/community/SinglePacketAuthorization
https://github.com/mrash/fwknop/ (project on GitHub)
http://www.cipherdyne.org/fwknop/ (project site)
https://www.digitalocean.com/community/tutorials/how-to-use-fwknop-to-enable-single-packet-authentication-on-ubuntu-12-04 (tutorial on DO's community)
I am the author of the OP. Also, you can implement a simple logwatcher as the following written in python3, which keeps reading for a file and executes a command when line contains pattern.
logwatcher.python3
#!/usr/bin/env python3
# follow.py
#
# Follow a file like tail -f.
import sys
import os
import time
def follow(thefile):
thefile.seek(0,2)
while True:
line = thefile.readline()
if not line:
time.sleep(0.5)
continue
yield line
if __name__ == '__main__':
logfilename = sys.argv[1]
pattern_string = sys.argv[2]
command_to_execute = sys.argv[3]
print("Log filename is: {}".format(logfilename))
logfile = open(logfilename, "r")
loglines = follow(logfile)
for line in loglines:
if pattern_string in line:
os.system(command_to_execute)
Usage
Make the above script executable:
chmod +x logwatcher.python3
Add a cronjob to start it after reboot
crontab -e
Then write this line there and save it after this:
#reboot /home/YOURUSERNAME/logwatcher.python3 "/var/log/auth.log" "session opened for user" "/sbin/myscript.sh"
The first argument of this script is the log file to watch, and the second argument is the string for which to look in it. The third argument is the script to execute when the line is found in file.
It is best if you use something more reliable to start/restart the script in case it crashes.
I have made two scripts:
This one fetches IP address & Hostnames:
#!/bin/bash
for i in `cat ~/script/hosts.txt`
do HOSTNAME=`echo $i|awk -F: '{print $1}'`
IP=`echo $i|awk -F: '{print $2}'`
TIMESTAMP=`date +%Y-%m-%d`
~/script/expect.sh $HOSTNAME $IP
done
This one does SSH into the devices:
#!/usr/bin/expect
set timeout 20
set HOSTNAME [lindex $argv 0]
set IP [lindex $argv 1]
exp_internal 1
spawn ssh -o StrictHostKeyChecking=no root#$IP
exit
I want to make a script to bakcup multiple device configurations.
Problem is that SSH is failing due to following errors:
$ ./main.sh
spawn ssh -o StrictHostKeyChecking=no root#10.102.82.235
: Name or service not knownname 10.102.82.235
spawn ssh -o StrictHostKeyChecking=no root#10.102.82.239
: Name or service not knownname 10.102.82.239
When I debug, I see the following error
spawn id exp4 sent <ssh: Could not resolve hostname 10.102.82.235\r\r: Name or
service not known\r\r\n>
: Name or service not knownname 10.102.82.235
I think the issue is due to these characters: "\r\r", "\r\r\n"
Is there any way I can filter these out?
Not an answer, but your shell script can use much improvement:
#!/bin/bash
while IFS=: read -r host ip; do
timestamp=$(date +%Y-%m-%d %T)
~/script/expect.sh "$host" "$ip"
done < ~/script/hosts.txt
Notes:
don't use for line in `cat file` to read the lines of a file -- a for loop reads words from a file
use $(...) for command substitution, not `...` -- improved readability, and easy to nest
don't use UPPERCASE_VARIABLES -- those should be reserved for the shell's use.
your (unused) TIMESTAMP variable actually contains a date, no time.
quote your "$variables" unless you can explain why you want them unquoted.
I have a string as below, I needed to exactly match if string "abc.properties abc Scanner directory: /xyz/xzy/" is present.
I am using the below awk command.
It considers as successful if even a part of string, say, abc.properties is present. But, my criteria is to check for the exact string i.e. "abc.properties abc Scanner directory: /xyz/xzy/".
Can somebody please help?
echo $s | awk 'BEGIN { FS="\n"; RS="";} /abc.properties abc Scanner directory: \/xyz/xzy\// {print $1}'
String is as below:
spawn ssh -oStrictHostKeyChecking=no -oCheckHostIP=no -o ServerAliveInterval=600 -o ServerAliveCountMax=3 -o ConnectTimeout=30 xyz#123.abc.com Password: Creating directory '/home/xyz'. Authorized uses only. All activity may be monitored and reported. Successful login using -u option. If you want to allow X traffic please use -x option. Usage: /111/11/111/111 [policy] -x [target user] su from xyz to abc [abc#xyz ~]$ /111/111/111/111/111/111.sh /111/11/instance/111/111/111/111/ Verifying JVM setting for domain: /111/11/11/11/1111/111/111// abc.properties abc Scanner directory: /xyz/xzy/ [abc#xyz ~]$ exit 0 logout
The output is as below:
$ echo $s | awk 'BEGIN { FS="\n"; RS="";} /abc.properties abc Scanner directory: \/xyz/xzy\// {print $1}'
spawn ssh -oStrictHostKeyChecking=no -oCheckHostIP=no -o ServerAliveInterval=600 -o ServerAliveCountMax=3 -o ConnectTimeout=30 xyz#123.abc.com Password: Creating directory '/home/xyz'. Authorized uses only. All activity may be monitored and reported. Successful login using -u option. If you want to allow X traffic please use -x option. Usage: /111/11/111/111 [policy] -x [target user] su from xyz to abc [abc#xyz ~]$ /111/111/111/111/111/111.sh /111/11/instance/111/111/111/111/ Verifying JVM setting for domain: /111/11/11/11/1111/111/111// abc.properties abc Scanner directory: /xyz/xzy/ [abc#xyz ~]$ exit 0 logout
I am trying to add a key to ssh-agent and want ssh-add to read the password from the key file I'm using. How is this possible?
How do I automate this process from the shell script?
Depending on your distribution and on the version of ssh-add you may be able or not to use the -p option of ssh-add that reads the passphrase from stdin in this way:
cat passfile | ssh-add -p keyfile
If this is not working you can use Expect, a Unix tool to make interactive applications non-interactive. You'll have to install it from your package manager.
I have written a tool for you in expect. Just copy the content in a file named ssh-add-pass and set executable permissions on it (chmod +x ssh-add-pass). You can also copy it to /usr/bin or /usr/local/bin to be accessible from the $PATH search.
#!/bin/bash
if [ $# -ne 2 ] ; then
echo "Usage: ssh-add-pass keyfile passfile"
exit 1
fi
eval $(ssh-agent)
pass=$(cat $2)
expect << EOF
spawn ssh-add $1
expect "Enter passphrase"
send "$pass\r"
expect eof
EOF
The usage is simply: ssh-add-pass keyfile passfile
Similar to the answer by kenorb, but doesn't save the secret in a file:
$ SSH_ASKPASS=/path/to/ssh_give_pass.sh ssh-add $KEYFILE <<< "$KEYPASS"
where ssh_give_pass.sh is:
#!/bin/bash
# Parameter $1 passed to the script is the prompt text
# READ Secret from STDIN and echo it
read SECRET
echo $SECRET
If you have you secret in a $KEYPASSFILE, read it into a variable first with
KEYPASS=`cat $KEYPASSFILE`
Also make sure that ssh_give_pass.sh is not editable by unauthorized users - it will be easy to log all secrets passed through the script.
Here is some workaround for systems not supporting -p:
$ PASS="my_passphrase"
$ install -vm700 <(echo "echo $PASS") "$PWD/ps.sh"
$ cat id_rsa | SSH_ASKPASS="$PWD/ps.sh" ssh-add - && rm -v "$PWD/ps.sh"
where ps.sh is basically your script printing your passphrase. See: man ssh-add.
To make it more secure (to not keep it in the same file), use mktemp to generate a random private file, make it executable (chmod) and make sure it prints the passphrase to standard output once executed.
On my Ubuntu system, none of the answers worked:
ssh-add did not support the -p option.
ssh-add ignored SSH_ASKPASS, insisting on prompting for the passphrase on the controlling terminal.
I wanted to avoid installing additional packages, especially expect.
What worked in my case was:
password_source | SSH_ASKPASS=/bin/cat setsid -w ssh-add keyfile
password_source isn't really a program: it just represents whatever feeds the passphrase to ssh-add. In my case, it is a program that executes setsid and writes the passphrase to its stdin. If you keep your passphrase in a file, you are responsible for making the simple modifications: I will not enable you to hurt yourself.
setsid was already installed, and detaches the controlling terminal so that ssh-add will not try to use it to prompt for the passphrase. -w causes setsid to wait for ssh-add to exit and make its return code available. /bin/cat has the same effect as the script Ray Shannon provided, but uses a standard tool instead of replicating its functionality with a script.
With this minimal changes worked for me this bash script of #enrico.basis
#!/bin/bash
if [ $# -ne 2 ] ; then
echo "Usage: ssh-add-pass passfile keyfile"
exit 1
fi
eval 'ssh-agent -s'
passwordToFileSSH=$1
pathFileSSH=$2
expect << EOF
spawn ssh-add $pathFileSSH
expect "Enter passphrase"
send "$passwordToFileSSH\r"
expect eof
EOF
The best way is to generate a key without a passphrase