See my comments below...

> I've read the documentation you suggested - actually, I read
> the whole page - but only half understand it so I have some
> followup questions.
>
> Am I correct in understanding that Ant needs the original SSH
> key, not the one generated by PuTTYgen and stored in Pageant?
> Is that original key likely to be in the hidden .ssh
> directory on the server? I just found the .ssh directory -
> right out in the open in /home/rhino - and it contains three
> files: authorized_keys, id_rsa, and id_rsa.pub. Am I correct
> in assuming that the file I want is id_rsa?
>
An ssh key pair should really be specific to the host that it is generated on. In other words, you should not move the private key around, but rather generate a new key pair on each host you wish to ssh from.

> Okay, assuming I haven't wandered out into the weeds yet, how
> do I pass the value in that file to my sshexec task? The
> examples in the manual seem to find that file on the local
> machine, not the server. How do I get it to my PC without
> mangling it along the way or leaving it so that any fool with
> a sniffer can't easily find it and read it in the clear?
>

You should generate the key pair on your localhost.

> Just for the heck of it, I tried downloading
> /home/rhino/.ssh/id_rsa to my PC via WinSCP3 then pointed to
> that file in the sshexec task. Much to my delight the task
> WORKED!!! Yahoo!
>
> So: did I do the right thing?

That depends on your definition of right. If all you are interested in is making it work, you did the right thing. If you care about security, I would have to say no.

> I'm a little uneasy about
> having the id_rsa file on my PC, especially since you can
> read it clearly with Notepad. Isn't that a security exposure?

It is. You should carefully guard your private key(s).

> Or is it harmless without other secret stuff on the server
> that is hopefully encrypted and hidden behind firewalls,
> permissions, etc.?

Best way to protect your private key is with filesystem permissions and a passphrase when you generate the key.

>
> Also, will the id_rsa file ever change? In other words, will
> I need to replace the version now on my PC with a newer
> version somewhere down the road?

Only if you generate a new key pair. Not necessary unless you suspect your private key was compromised.

> Hmm, maybe I was being overoptimistic when I said I
> understood half of what I read in the documentation you cited ;-)

No worries. We were all newbies at one point.

> One other thought: would it make sense to get the developers
> to modify sshexec and scp so that they support a keyfile
> parameter that points to the .ssh directory on the server,
> maybe via an explicit URL like
> keyfile="http://myserver.com/home/rhino/.ssh/id_rsa"?
>

The whole idea is that you don't have access to the server unless you have the private key that matches a public key on the server. Your fundamental understanding of ssh key authentication needs some work. I'll refer you to the documentation here:

http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1

Read the Authentication section. Pay special attention to the 4th - 6th paragraphs.

>
> Rhino
>
> ----- Original Message -----
> From: "Anderson, Rob (Global Trade)" <[EMAIL PROTECTED]>
> To: "Rhino" <[EMAIL PROTECTED]>; "ant-user" <user@ant.apache.org>
> Sent: Tuesday, December 20, 2005 6:01 PM
> Subject: RE: Question re sshexec
>
>
> Actually my question was about the version of ssh you are using on your
> client machine, not the server, but both were answered. This does help.
> Putty stores ssh-keys in a different format than is expected by openssh,
> and the ant sshexec task. Please read the following section of the putty
> documentation...
>
> http://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter8.html#pubkey
>
> Read section 8.2.8 through section 8.2.12.
>
> You will need to point ant to the original private key that was
> generated with openssl. Ant will not be able to use the one that putty
> uses.
>
> -Rob Anderson
>
> > -----Original Message-----
> > From: Rhino [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, December 20, 2005 2:51 PM
> > To: ant-user
> > Cc: Anderson, Rob (Global Trade)
> > Subject: Re: Question re sshexec
> >
> > I've finally received an answer about our SSH setup from the
> > administrator of the server. He's out of town for a few days
> > and only checking email sporadically.
> >
> > I've lost the original email thread but I've copied and
> > pasted from the email that I forwarded to our administrator
> > and added his answer.
> >
> > ---
> >
> > Okay, in a nutshell, the administrator has this to say about
> > Rob's question on the setup of SSH on the server:
> >
> > "I don't have an answer to that. The original key was made
> > with Openssl / Openssh the key was then put on your computer
> > and converted for use by Putty."
> >
> > I don't know if that is enough to answer your question; I
> > suspect not. But I have root access to the server and the
> > administrator's permission to do commands to get the version
> > number for SSH or whatever else I need to do to answer the question.
> >
> > In other words, I'm pretty much on my own with respect to
> > getting the information you need to help me. So, if you tell
> > me how to figure out the things you need to know, I'm more
> > than ready to do whatever it takes to get that information
> > for you. I will happily sign on the server and do any command
> > you like that isn't destructive. Just tell me what commands
> > to run and I'll do them right away and report back.
> >
> > For what it's worth, I've just run the 'openssl' command on
> > the server and when I got the prompt, I entered: version. The
> > result was "0.9.7a Feb 19 2003".
> >
> > I would _REALLY_ like to get my sshexec/scp tasks working. I
> > am putting together a workaround but it's fairly ugly and is
> > more of my time than I wanted to spend: using sshexec and scp
> > is definitely my preferred choice.
> >
> > Rhino
> >
> > > ----- Original Message -----
> > > From: "Anderson, Rob (Global Trade)" <[EMAIL PROTECTED]>
> > > To: "Ant Users List" <user@ant.apache.org>
> > > Sent: Monday, December 19, 2005 2:11 PM
> > > Subject: RE: Question re sshexec task
> > >
> > >
> > > It may be that your ssh keyfile is in the wrong format. What
> > > version/vendor of ssh did you use to generate the keyfile?
> > >
> > > -Rob Anderson
> > >
> > >> -----Original Message-----
> > >> From: Rhino [mailto:[EMAIL PROTECTED]
> > >> Sent: Saturday, December 17, 2005 3:31 PM
> > >> To: ant-user
> > >> Subject: Question re sshexec task
> > >>
> > >> Is there any problem with blanks or apostrophes within the name of a
> > >> keyfile in an sshexec task? I am running Ant 1.6.5 in Eclipse 3.1.1.
> > >>
> > >> Our environment changed recently so I need to modify my build scripts
> > >> to use keys instead of passwords. After reading the sshexec article
> > >> in the Ant manual, I wrote the following trivial task to display the
> > >> current directory on our Linux server:
> > >>
> > >> <sshexec host="www.bongo.ca" username="rhino"
> > >> keyfile="C:\Documents and Settings\Rodeo\Desktop\Bob's Server\Rodeos key.ppk"
> > >>
> > >> passphrase="snarfle" trust="true"
> > >>
> > >> command="pwd"/>
> > >>
> > >>
> > >> When I executed this task, this is what I found in the output:
> > >>
> > >> [sshexec] Identity: com.jcraft.jsch.JSchException: invaid privatekey:
> > >> C:\Documents and Settings\Rodeo\Desktop\Bob's Server\Rodeos key.ppk
> > >>
> > >> BUILD FAILED
> > >>
> > >> E:\eclipse\3.1.1\eclipse\workspace\Resume_JDK_1.5.0\xml\tonge.xml:106:
> > >> com.jcraft.jsch.JSchException: invaid privatekey:
> > >> C:\Documents and Settings\Rodeo\Desktop\Bob's Server\Rodeos key.ppk
> > >>
> > >> Although the message seems to be complaining about my private key,
> > >> the message contains the path to the key file. The path to the key
> > >> file is correct so I'm guessing that the sshexec task has a problem
> > >> with embedded blanks or apostrophes in the path.
> > >>
> > >> Can anyone confirm that or suggest an alternate explanation?
> > >> I'd like to get this task working again.
> > >>
> > >> Also, just a little thing but how do I notify the developer of this
> > >> task about the typo in the error message; he/she's got "invalid"
> > >> spelled without the 'l'. This is an optional task so I'm not sure if
> > >> I have to contact them directly or if I can get a message to them via
> > >> this mailing list.
> > >>
> > >>
> > >> Rhino
> > >
> >
> > --
> > No virus found in this outgoing message.
> > Checked by AVG Free Edition.
> > Version: 7.1.371 / Virus Database: 267.14.1/207 - Release Date: 19/12/2005
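
Added example (not part of the original thread, and not Ant or JSch code): a Python check for the two points made in the reply above, that a PuTTY .ppk file is not the OpenSSH-format key sshexec expects, and that a private key should be protected with a passphrase and filesystem permissions. The function names and the sample key texts are constructed for illustration; the samples contain filler, not key material.

```python
import base64, os, stat, struct

MAGIC = b"openssh-key-v1\x00"
# Constructed samples: headers only, bodies are filler rather than key material.
SAMPLE_PPK = ("PuTTY-User-Key-File-2: ssh-rsa\nEncryption: aes256-cbc\n"
              "Comment: constructed-sample\nPublic-Lines: 1\nQUFBQQ==\n")
SAMPLE_PEM_CLEAR = ("-----BEGIN RSA PRIVATE KEY-----\nQUFBQQ==\n"
                    "-----END RSA PRIVATE KEY-----\n")
SAMPLE_PEM_ENC = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                  "DEK-Info: DES-EDE3-CBC,0000000000000000\n\nQUFBQQ==\n"
                  "-----END RSA PRIVATE KEY-----\n")

def classify_private_key(text):
    """Return (format, passphrase_protected) for the text of a private key file."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    first = lines[0] if lines else ""
    if first.startswith("PuTTY-User-Key-File-"):
        # A .ppk header says "Encryption: none" when no passphrase is set.
        enc = [ln.split(":", 1)[1].strip() for ln in lines if ln.startswith("Encryption:")]
        return "putty-ppk", bool(enc) and enc[0] != "none"
    if first == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(ln for ln in lines if not ln.startswith("-----")))
        if not blob.startswith(MAGIC) or len(blob) < len(MAGIC) + 4:
            return "unknown", False
        # After the magic comes a length-prefixed cipher name; "none" = no passphrase.
        (n,) = struct.unpack(">I", blob[len(MAGIC):len(MAGIC) + 4])
        cipher = blob[len(MAGIC) + 4:len(MAGIC) + 4 + n]
        return "openssh-v1", cipher != b"none"
    if first.startswith("-----BEGIN ") and first.endswith("PRIVATE KEY-----"):
        # Traditional PEM marks encryption with a Proc-Type header, PKCS#8 in the BEGIN line.
        enc = "ENCRYPTED" in first or any(
            ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines)
        return "pem", enc
    return "unknown", False

def audit_key_file(path):
    """List findings for one key file, following the advice given in the thread."""
    with open(path, encoding="ascii", errors="replace") as fh:
        fmt, protected = classify_private_key(fh.read())
    findings = []
    if fmt == "putty-ppk":
        findings.append("PuTTY .ppk format: the thread reports sshexec (JSch) rejects it")
    if fmt == "unknown":
        findings.append("not a recognised private key file")
    elif not protected:
        findings.append("no passphrase: key is stored in the clear")
    # POSIX mode bits only; on Windows inspect the file's ACL instead.
    if os.name == "posix" and os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("accessible by group/other: restrict to owner (chmod 600)")
    return findings
```

Run `audit_key_file` against the key file the build script points at; an empty list means the file is a passphrase-protected, owner-only key in a format other than .ppk.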