ant-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Anderson, Rob (Global Trade)" <Rob.Ander...@nike.com>
Subject RE: Question re sshexec
Date Wed, 21 Dec 2005 18:32:48 GMT
See my comments below...

> I've read the documentation you suggested - actually, I read 
> the whole page - but only half understand it so I have some 
> followup questions.
> 
> Am I correct in understanding that Ant needs the original SSH 
> key, not the one generated by PuTTYgen and stored in Pageant? 
> Is that original key likely to be in the hidden .ssh 
> directory on the server? I just found the .ssh directory - 
> right out in the open in /home/rhino - and it contains three
> files: authorized_keys, id_rsa, and id_rsa.pub. Am I correct 
> in assuming that the file I want is id_rsa?
> 

An ssh key pair should really be specific to the host that it is
generated on. In other words, you should not move the private key
around, but rather generate a new key pair on each host you wish to ssh
from.

> Okay, assuming I haven't wandered out into the weeds yet, how 
> do I pass the value in that file to my sshexec task? The 
> examples in the manual seem to find that file on the local 
> machine, not the server. How do I get it to my PC without 
> mangling it along the way or leaving it so that any fool with 
> a sniffer can't easily find it and read it in the clear?
> 

You should generate the key pair on your localhost.

> Just for the heck of it, I tried downloading 
> /home/rhino/.ssh/id_rsa to my PC via WinSCP3 then pointed to 
> that file in the sshexec task. Much to my delight the task 
> WORKED!!! Yahoo!
> 
> So: did I do the right thing? 

That depends on your definition of right. If all you are interested in
is making it work, you did the right thing. If you care about security,
I would have to say no.

> I'm a little uneasy about 
> having the id_rsa file on my PC, especially since you can 
> read it clearly with Notepad. Isn't that a security exposure? 

It is. You should carefully guard your private key(s).

> Or is it harmless without other secret stuff on the server 
> that is hopefully encrypted and hidden behind firewalls, 
> permissions, etc.?

Best way to protect your private key is with filesystem permissions and
a passphrase when you generate the key.

> 
> Also, will the id_rsa file ever change? In other words, will 
> I need to replace the version now on my PC with a newer 
> version somewhere down the road?

Only if you generate a new key pair. Not necessary unless you suspect
your private key was comprimised.

> Hmm, maybe I was being overoptimistic when I said I 
> understood half of what I read in the documentation you cited ;-)

No worries. We were all newbies at one point.

> One other thought: would it make sense to get the developer's 
> to modify sshexec and scp so that they support a keyfile 
> parameter that points to the .ssh directory on the server, 
> maybe via an explicit URL like 
> keyfile="http://myserver.com/home/rhino/.ssh/id_rsa"?
> 

The whole idea is that you don't have access to the server unless you
have the private key that matches a public key on the server. Your
fundamental understanding of ssh key authentication needs some work.
I'll refer you to the documentation here:

http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1

Read the Authentication section. Pay special attention to the 4th - 6th
paragraphs.

> 
> Rhino
> 
> ----- Original Message -----
> From: "Anderson, Rob (Global Trade)" <Rob.Anderson@nike.com>
> To: "Rhino" <rhino1@sympatico.ca>; "ant-user" <user@ant.apache.org>
> Sent: Tuesday, December 20, 2005 6:01 PM
> Subject: RE: Question re sshexec
> 
> 
> Actually my question was about the version of ssh you are 
> using on your
> client machine, not the server, but both were answered. This 
> does help.
> Putty stores ssh-keys in a different format than is expected 
> by openssh,
> and the ant sshexec task. Please read the following section 
> of the putty
> documentation...
> 
> http://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter8.html#pubkey
> 
> Read section 8.2.8 through section 8.2.12.
> 
> You will need to point ant to the original private key that was
> generated with openssl. Ant will not be able to use the one that putty
> uses.
> 
> -Rob Anderson
> 
> > -----Original Message-----
> > From: Rhino [mailto:rhino1@sympatico.ca]
> > Sent: Tuesday, December 20, 2005 2:51 PM
> > To: ant-user
> > Cc: Anderson, Rob (Global Trade)
> > Subject: Re: Question re sshexec
> >
> > I've finally received an answer about our SSH setup from the
> > administrator of the server. He's out of town for a few days
> > and only checking email sporadically.
> >
> > I've lost the original email thread but I've copied and
> > pasted from the email that I forwarded to our administrator
> > and added his answer.
> >
> > ---
> >
> > Okay, in a nutshell, the administrator has this to say about
> > Rob's question on the setup of SSH on the server:
> >
> > "I don't have an answer to that. The original key was made
> > with Openssl / Openssh the key was then put on your computer
> > and converted for use by Putty."
> >
> > I don't know if that is enough to answer your question; I
> > suspect not. But I have root access to the server and the
> > administrator's permission to do commands to get the version
> > number for SSH or whatever else I need to do to answer the question.
> >
> > In other words, I'm pretty much on my own with respect to
> > getting the information you need to help me. So, if you tell
> > me how to figure out the things you need to know, I'm more
> > than ready to do whatever it takes to get that information
> > for you. I will happily sign on the server and do any command
> > you like that isn't destructive. Just tell me what commands
> > to run and I'll do them right away and report back.
> >
> > For what it's worth, I've just run the 'openssl' command on
> > the server and when I got the prompt, I entered: version. The
> > result was "0.9.7a Feb 19 2003".
> >
> > I would _REALLY_ like to get my sshexec/scp tasks working. I
> > am putting together a workaround but it's fairly ugly and is
> > more of my time than I wanted to spend: using sshexec and scp
> > is definitely my preferred choice.
> >
> > Rhino
> >
> > > ----- Original Message -----
> > > From: "Anderson, Rob (Global Trade)" <Rob.Anderson@nike.com>
> > > To: "Ant Users List" <user@ant.apache.org>
> > > Sent: Monday, December 19, 2005 2:11 PM
> > > Subject: RE: Question re sshexec task
> > >
> > >
> > > It may be that your ssh keyfile is in the wrong format. What
> > > version/vendor of ssh did you use to generate the keyfile?
> > >
> > > -Rob Anderson
> > >
> > >> -----Original Message-----
> > >> From: Rhino [mailto:rhino1@sympatico.ca]
> > >> Sent: Saturday, December 17, 2005 3:31 PM
> > >> To: ant-user
> > >> Subject: Question re sshexec task
> > >>
> > >> Is there any problem with blanks or apostrophes within the
> > name of a
> > >> keyfile in an sshexec task? I am running Ant 1.6.5 in
> > Eclipse 3.1.1.
> > >>
> > >> Our environment changed recently so I need to modify my
> > build scripts
> > >> to use keys instead of passwords. After reading the
> > sshexec article
> > >> in the Ant manual, I wrote the following trivial task to
> > display the
> > >> current directory on our Linux server:
> > >>
> > >> <sshexec host="www.bongo.ca" username="rhino"
> > >> keyfile="C:\Documents and Settings\Rodeo\Desktop\Bob's
> > Server\Rodeos
> > >> key.ppk"
> > >>
> > >> passphrase="snarfle" trust="true"
> > >>
> > >> command="pwd"/>
> > >>
> > >>
> > >> When I executed this task, this is what I found in the output:
> > >>
> > >> [sshexec] Identity: com.jcraft.jsch.JSchException: invaid
> > privatekey:
> > >> C:\Documents and Settings\Rodeo\Desktop\Bob's 
> Server\Rodeos key.ppk
> > >>
> > >> BUILD FAILED
> > >>
> > >> E:\eclipse\3.1.1\eclipse\workspace\Resume_JDK_1.5.0\xml\tonge.
> > >> xml:106:
> > >> com.jcraft.jsch.JSchException: invaid privatekey:
> > >> C:\Documents and Settings\Rodeo\Desktop\Bob's 
> Server\Rodeos key.ppk
> > >>
> > >> Although the message seems to be complaining about my 
> private key,
> > >> the message contains the path to the key file. The path 
> to the key
> > >> file is correct so I'm guessing that the sshexec task has
> > a problem
> > >> with embedded blanks or apostrophes in the path.
> > >>
> > >> Can anyone confirm that or suggest an alternate explanation?
> > >> I'd like to get this task working again.
> > >>
> > >> Also, just a little thing but how do I notify the
> > developer of this
> > >> task about the typo in the error message; he/she's got "invalid"
> > >> spelled without the 'l'. This is an optional task so I'm
> > not sure if
> > >> I have to contact them directly or if I can get a message
> > to them via
> > >> this mailing list.
> > >>
> > >>
> > >> Rhino
> >
> >
> >
> > --
> > No virus found in this outgoing message.
> > Checked by AVG Free Edition.
> > Version: 7.1.371 / Virus Database: 267.14.1/207 - Release
> > Date: 19/12/2005
> >
> >
> >
> 
> 
> -- 
> No virus found in this incoming message.
> Checked by AVG Free Edition.
> Version: 7.1.371 / Virus Database: 267.14.1/207 - Release 
> Date: 19/12/2005
> 
> 
> 
> 
> -- 
> No virus found in this outgoing message.
> Checked by AVG Free Edition.
> Version: 7.1.371 / Virus Database: 267.14.1/207 - Release 
> Date: 19/12/2005
> 
> 
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@ant.apache.org
For additional commands, e-mail: user-help@ant.apache.org


Mime
View raw message