I want to copy a file from remote1 host to the remote2 host using fabric.
I am trying to pass the password for remote2 to the fabric run command, but it's still prompting for the remote2 password.
Anything wrong with my code?
run('echo "pass123" | scp my.tar root#1.2.3.4:')
run('"pass123" | scp my.tar root#1.2.3.4:')
Edit:
In our prod and stagging environments key auth is not supported.
The OpenSSH utilities, including scp, don't accept passwords on the command line or standard input. Whey they read a password, they explicitly open the process's TTY and read from that.
There are basically four approaches available to you:
Use key-based authentication instead of passwords.
Use a program like sshpass or expect to feed the password to scp through a PTY.
Download the OpenSSH source code and modify the software to work the way you want.
Find a way to transfer these files which doesn't involve using the OpenSSH clients software.
Related
I'm trying to set up an AWS instance for about 90 people where they can sftp in and drop files, but it appears that AWS blocks passwords for ssh and only allows in ssh keyed logins by default.
Does there exist a way to undo this behavior inside AWS and allow for normal ssh and thus sftp to occur? If I don't need to manage ssh keys along with user names and passwords that would be great.
You can enable Password Authentication following helloV's advice, however I would advise against this.
Why would you not just use SSH keys?
Each of these 90 people should have their own private key files that they use daily - each person who needs access to this machine, you should ask for their public key.
Take each developer's public key, and add them, line by line, to a file on the EC2 host at
/home/<user>/.ssh/authorized_keys
From here, each user will be able to login using
ssh -i /path/to/private/key <user>#ec2.host.com
sftp -oIdentityFile=~/.ssh/keyfile <user>#ec2.host.com
This is much more secure in that you will not need to have a single password shared between 90+ developers, that password which will at some point be written on a sticky note and lost, or someone changes and locks out the other 89 developers.
This also has advantages in that, if a single one of those 90 developers leaves the company, all you will need to do is remove their public key from _authorized_keys_ and that person looses access to the machine, you will not need to change that shared password for all users.
First open few terminal sessions to the EC2 machine, in case modifying SSH config fails, you still have an option to restore it to its old values.
Edit /etc/ssh/sshd_config (after saving a backup file to sshd_config.bak) and change the following lines to:
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication yes
In addition, if you want to disable key based authentication:
PubkeyAuthentication no
Save the file and restart the SSH daemon:
sudo service ssh restart
Create a new user and set a password or if a password has been already set for an existing user: open a new SSH session and you should be able to login using a password. If the solution didn't work, use any of the other open terminal sessions to restore the old sshd_config, restart the ssh service and continue debugging.
The critical part is to modify /etc/ssh/sshd_config on the server and restart the SSH server (usually "service sshd restart" - note it is "sshd", not "ssh" at least on Red Hat).
PasswordAuthentication yes
You may also want to run
sshd -t
before you run "service sshd restart", to make sure that you don't accidentally lock yourself out by a typo in the sshd_config file.
Using public keys for authentication probably makes more sense, depending on your scenario.
If you use public key authentication and have anything like 50 people, make sure you also manage the keys properly. See https://www.ssh.com/iam/ssh-key-management or NIST IR 7966 more information. Properly terminating keys for people who leave is also required by most compliance regulations if you happen to be in health care, finance, government, critical infrastructure, or anything else that is regulated. Shared passwords are expressly forbidden by most regulations and generally bad security practice.
You might also want to look at CryptoAuditor https://www.ssh.com/products/cryptoauditor/, which can enforce file transfer policies (direction etc), make sure you don't accidentally give people shell access if not needed, and it can record who did what (for both file transfers and shell access).
I'm writing a cross-platform app that I would like to run on Linux-based operating systems like Fedora and Ubuntu. I use QSerialPort and it works fine. I can use QSerialPortInfo to get a list of serial ports in the system and present them to the user who can select which one s/he wants to use.
However, on Linux systems, by default the user doesn't have permissions to the serial ports. I know that it is wrong to run my app with sudo and I also know that it is not user friendly to ask the user to run chmod 666 on the serial port manually every time the app is used. So I looked around and it seems to me that polkit is the answer, however I haven't been able to find any example which would show me how to do it.
Can you please tell me how to use polkit (formerly known as policykit) to request permission for my app to use a specific serial port?
EDIT:
What I'm looking for is a way to:
Check if the user has access to the serial port
If not, pop up a dialog that asks for permission (like the Gnome settings app for example)
If the user authenticated successfully, make the serial port available to the app.
Some more thoughts
I do NOT want to set up an udev rule that gives perimission to every serial port
I do NOT want to ask the user to run a script
I do NOT want my app to run as the superuser
I do NOT want any other actions performed as root, just the serial port access
Yes I've found the official polkit docs, but they are not very clear on how to do this.
General thinking:
It is not a good idea to try to make an application "universal".
I understand that you want your software to be easy to use, but for things like this (system's settings), you should rely on the system packagers.
At anytime, polkit can be replaced by another solution, or ressource's name can be changed, or whatever and your application would be no more usable.
I advise you to:
at most, raise a polkit windows that woulde ask for password
or better, to make distribution packages that will do the necessary tweaks through regular scripts
An idea
I didn't do it (but I played a lot in the past with pam :-) )
So here are links that I found and what I understood:
polkit acts the same way as sudo do: it allow you to run program with another identity (explanations)
so you can run your program either as root or as one having enough right access to the serial
So you could create:
an install script that allow to run your program with the good identity (e.g. example). That way you would ask root password once (at the install for creating the polkit policy), and each time the user wanted to run your program. That identity maybe root or any identity as long as that identity has R/W access.
a policy file: you can look either at 1 or documentation
a script for lauching your program containing something like this: pkexec <path>/<pgm>
Here are some pointers:
an admin guide to polkit: 3
(I'm a debian user but I like their docs)
the official documentation: https://www.freedesktop.org/software/polkit/docs/master/index.html
Is it possible to give the server password within the rsync command?
rsync -zvr source destination password
I am developing a web application in Django using rsync protocol. I use a form to take password input from the user. I want to use that password like this in the rsync command itself? How can I do it? I am sure there's a way using stdin, pipe or something like that. Thanks
From man rsync:
Some modules on the remote daemon may require authentication. If so, you will receive a password prompt when you connect. You can avoid the password prompt by setting the environment variable RSYNC_PASSWORD to the password you want to use or using the --password-file option. This may be useful when scripting rsync.
And regarding --password-file:
This option allows you to provide a password in a file for accessing a remote rsync daemon. Note that this option is only useful when accessing an rsync daemon using the built in transport, not when using a remote shell as the transport. The file must not be world readable. It should contain just the password as a single line.
So, either set the RSYNC_PASSWORD environment variable before calling rsync, or use a temporary file and pass it to the command; The first option is probably easier, using env:
env RSYNC_PASSWORD=PASSWORD rsync -zvr source destination
Update: Note this little nugget under --password-file:
Note that this option is only useful when accessing an rsync daemon using the built in transport, not when using a remote shell as the transport.
If you're not using the rsync built-in transport, but perhaps SSH, you cannot use this method to "automatically" authenticate. If you're using SSH, you should use public/private keys, or possibly the ASK_SSHPASS trick (See this).
I am wondering if someone can provide me with a couple c++ functions that would allow me to send and receive data over a telnet port.
I've also heard that I can create a program, and have it run via SSH, this would be preferred just because of the security benefits of SSH, are there any samples out there?
Update:
What I want to do, is create a console program users could use remotely via SSH or telnet. I am a C++ programmer.
Update 2: I know I was vague, I am creating an inventory system that I want to be accessible to our employees via SSH or telnet. I will be using sockets, and will often display data to the user via (telnet or through ssh) and accept input from them. I will have to implement sockets, and send data and receive data I know, is there a library for this?
I am not quite sure what you are asking here.
You can execute a remote program via:
ssh <user>#<machine> "<command>"
(Provided you have prepared a passphrase-less pubkey authentication; you'd be asked for a password / passphrase otherwise. The very first invokation will also require user input as SSH wants to verify the fingerprint of the remote machine.)
You could then capture the output of that command line (which is equivalent to the output of the remote command, unless ssh itself belches an error) via the usual means.
I seriously dont believe you want to implement telnet and SSH protocol all by your handwritten code!! That would be too difficult for you.
What I think you want to do is to "Run a command remotely". is it?
If yes then you you would need to execute the command as told by DevSolar but you will need to generate SSH keygen to be installed so that it doesnt ask for password at the prompt.
Else write an expect script.
I want a write a program that run an executable image without creating a new process... I want to do this because I want to use plink that send a password to a remote ssh server...
The plink program sends the password provided in command line .. If I use fork and exec functions someone can see the password provided in command line using process explorer or ps -aef or cat /proc//cmdline .. How to avoid this security hole..and this program has to be run on both linux and windows ..
Set up your SSH server to use RSA public/private key authentication instead of passwords. This is usually a better choice anyway for SSH in general. See http://www.google.com/search?q=set+up+ssh+rsa.
Most programs which accept a password on the command line also accept it via a file, a pipe, or an environment variable. Why not use one of these other mechanisms?
If your worry is that the password is visible, you may be better off encrypting the password. An encrypted password has little value to the observer, so you can use methods like exec() and fork()
To avoid being prompted for a password or using a plain text password in places where it could be "sniffed" from, you should almost certainly set up public-key authentication (assuming you're bound to plink...).
Using pipes is also a good solution.
I found a plink wrapper for unison that does what you need, mainly waiting for a password prompt on plink's STDOUT, then feeding it a response on STDIN.
Hope this works for you
well, why send the password in the beginning? use the password to encrypt some text+time stamp, and then send to authorize yourself?
and No, I don't know a way to call another program without creating a new process.