Rhino wrote:
I've read the documentation you suggested - actually, I read the whole
page - but only half understand it so I have some followup questions.
Am I correct in understanding that Ant needs the original SSH key, not
the one generated by PuTTYgen and stored in Pageant? Is that original
key likely to be in the hidden .ssh directory on the server? I just
found the .ssh directory - right out in the open in /home/rhino - and it
contains three files: authorized_keys, id_rsa, and id_rsa.pub. Am I
correct in assuming that the file I want is id_rsa?
Okay, assuming I haven't wandered out into the weeds yet, how do I pass
the value in that file to my sshexec task? The examples in the manual
seem to find that file on the local machine, not the server. How do I
get it to my PC without mangling it along the way or leaving it so that
any fool with a sniffer can't easily find it and read it in the clear?
Just for the heck of it, I tried downloading /home/rhino/.ssh/id_rsa to
my PC via WinSCP3 then pointed to that file in the sshexec task. Much to
my delight the task WORKED!!! Yahoo!
So: did I do the right thing? I'm a little uneasy about having the
id_rsa file on my PC, especially since you can read it clearly with
Notepad. Isn't that a security exposure? Or is it harmless without other
secret stuff on the server that is hopefully encrypted and hidden behind
firewalls, permissions, etc.?
I'd say it is more dangerous to have your public key on the server.
On the PC, you can lock it down, especially if it is a laptop.
This is what I do. I had a laptop stolen in '04, and did have to revoke
all my keys, which took a while.
- encrypt the NTFS directory containing the keys
- remove all permissions from the dir except for the owner
And, here is the fancy bit: I keep my NTFS encryption key hidden in the
TPM module of the laptop. I need to present another password to that
hardware before the OS gets the key.
My system is still vulnerable if somebody grabs it while hibernated
(which is its usual off state), but with PIN numbers used to turn the
HDD on as the BIOS, it is fairly secure.
-steve
Also, will the id_rsa file ever change? In other words, will I need to
replace the version now on my PC with a newer version somewhere down the
road?
Hmm, maybe I was being overoptimistic when I said I understood half of
what I read in the documentation you cited ;-)
One other thought: would it make sense to get the developers to modify
sshexec and scp so that they support a keyfile parameter that points to
the .ssh directory on the server, maybe via an explicit URL like
keyfile="http://myserver.com/home/rhino/.ssh/id_rsa"?
Rhino
----- Original Message -----
From: "Anderson, Rob (Global Trade)" <[EMAIL PROTECTED]>
To: "Rhino" <[EMAIL PROTECTED]>; "ant-user" <user@ant.apache.org>
Sent: Tuesday, December 20, 2005 6:01 PM
Subject: RE: Question re sshexec
Actually my question was about the version of ssh you are using on your
client machine, not the server, but both were answered. This does help.
Putty stores ssh-keys in a different format than is expected by openssh,
and the ant sshexec task. Please read the following section of the putty
documentation...
http://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter8.html#pubkey
Read section 8.2.8 through section 8.2.12.
You will need to point ant to the original private key that was
generated with openssl. Ant will not be able to use the one that putty
uses.
-Rob Anderson
-----Original Message-----
From: Rhino [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 20, 2005 2:51 PM
To: ant-user
Cc: Anderson, Rob (Global Trade)
Subject: Re: Question re sshexec
I've finally received an answer about our SSH setup from the
administrator of the server. He's out of town for a few days
and only checking email sporadically.
I've lost the original email thread but I've copied and
pasted from the email that I forwarded to our administrator
and added his answer.
---
Okay, in a nutshell, the administrator has this to say about
Rob's question on the setup of SSH on the server:
"I don't have an answer to that. The original key was made
with Openssl / Openssh the key was then put on your computer
and converted for use by Putty."
I don't know if that is enough to answer your question; I
suspect not. But I have root access to the server and the
administrator's permission to do commands to get the version
number for SSH or whatever else I need to do to answer the question.
In other words, I'm pretty much on my own with respect to
getting the information you need to help me. So, if you tell
me how to figure out the things you need to know, I'm more
than ready to do whatever it takes to get that information
for you. I will happily sign on the server and do any command
you like that isn't destructive. Just tell me what commands
to run and I'll do them right away and report back.
For what it's worth, I've just run the 'openssl' command on
the server and when I got the prompt, I entered: version. The
result was "0.9.7a Feb 19 2003".
I would _REALLY_ like to get my sshexec/scp tasks working. I
am putting together a workaround but it's fairly ugly and is
more of my time than I wanted to spend: using sshexec and scp
is definitely my preferred choice.
Rhino
> ----- Original Message -----
> From: "Anderson, Rob (Global Trade)" <[EMAIL PROTECTED]>
> To: "Ant Users List" <user@ant.apache.org>
> Sent: Monday, December 19, 2005 2:11 PM
> Subject: RE: Question re sshexec task
>
>
> It may be that your ssh keyfile is in the wrong format. What
> version/vendor of ssh did you use to generate the keyfile?
>
> -Rob Anderson
>
>> -----Original Message-----
>> From: Rhino [mailto:[EMAIL PROTECTED]
>> Sent: Saturday, December 17, 2005 3:31 PM
>> To: ant-user
>> Subject: Question re sshexec task
>>
>> Is there any problem with blanks or apostrophes within the name of a
>> keyfile in an sshexec task? I am running Ant 1.6.5 in Eclipse 3.1.1.
>>
>> Our environment changed recently so I need to modify my build scripts
>> to use keys instead of passwords. After reading the sshexec article
>> in the Ant manual, I wrote the following trivial task to display the
>> current directory on our Linux server:
>>
>> <sshexec host="www.bongo.ca" username="rhino"
>>   keyfile="C:\Documents and Settings\Rodeo\Desktop\Bob's Server\Rodeos key.ppk"
>>   passphrase="snarfle" trust="true"
>>   command="pwd"/>
>>
>> When I executed this task, this is what I found in the output:
>>
>> [sshexec] Identity: com.jcraft.jsch.JSchException: invaid privatekey:
>> C:\Documents and Settings\Rodeo\Desktop\Bob's Server\Rodeos key.ppk
>>
>> BUILD FAILED
>>
>> E:\eclipse\3.1.1\eclipse\workspace\Resume_JDK_1.5.0\xml\tonge.xml:106:
>> com.jcraft.jsch.JSchException: invaid privatekey:
>> C:\Documents and Settings\Rodeo\Desktop\Bob's Server\Rodeos key.ppk
>>
>> Although the message seems to be complaining about my private key,
>> the message contains the path to the key file. The path to the key
>> file is correct so I'm guessing that the sshexec task has a problem
>> with embedded blanks or apostrophes in the path.
>>
>> Can anyone confirm that or suggest an alternate explanation?
>> I'd like to get this task working again.
>>
>> Also, just a little thing but how do I notify the developer of this
>> task about the typo in the error message; he/she's got "invalid"
>> spelled without the 'l'. This is an optional task so I'm not sure if
>> I have to contact them directly or if I can get a message to them via
>> this mailing list.
>>
>>
>> Rhino