Adding a key to SSH-Agent from within perl - perl

OK, so here's what I'm trying to do. I'm writing a program that will retrieve a keepass database from my phone (via ssh) and search through it for whatever password I'm interested in. I'd like to use the same password for the keepass database as the ssh-key that I've made for retrieving the keepass database, but I don't want to enter the password twice. So. Here's what I thought: I'll write a perl script that asks for the password once (via ssh-askpass) (That's my readpass function at the bottom. It works fine.) I can read the keepass, via that key, etc, and all is good.
But, I can't seem to figure out how to add the ssh-add without it prompting me for the password for the key again when I try to ssh to the phone.
I tried making a shell script that would simply echo an environment variable, and then setting SSH_ASKPASS to that script, (and setting the password in an environment variable and system'ing that... Like this:
my $key = readpass();
$ENV{"SSH_ASKPASS_ENV"} = $key;
$ENV{"SSH_ASKPASS"} = "/home/user/bin/ssh-askpass-env";
system("/usr/bin/ssh-add /home/user/.ssh/keepass-retriever");
ssh-askpass-env simply has:
#! /bin/sh
echo "${SSH_ASKPASS_ENV}"
But, that doesn't seem to do it, it still asks me for my password. I can verify that ssh-askpass-env is being called, and that it is getting the password.
I guess my question is: How can I add a key to ssh-agent from within perl using a prespecified password? (Since I've just read the password from readpass() below)
Thanks!
sub readpass() {
my $passwd = undef;
if (defined($ENV{"DISPLAY"})) {
if (open(PASSWD, "/usr/bin/ssh-askpass 'KeePass' |")) {
chomp($passwd = <PASSWD>);
close(PASSWD);
}
}
else {
ReadMode('noecho');
printf("Enter keepass password: ");
$passwd = ReadLine(0);
chomp($passwd);
ReadMode('normal');
}
return($passwd);
}

After reading the ssh-add man page, I found detaching the terminal worked:
system("/usr/bin/ssh-add /home/user/.ssh/keepass-retriever < /dev/null &>/dev/null");

Related

How do I use md5 authentication in Postgresql?

I am creating a role in postgresql. The documentation gives me the following example with clear-text password:
CREATE ROLE foo WITH LOGIN PASSWORD 'secret'
My task is to use MD5 instead of a clear-text password because it is not secure enough. However, the documentation merely mentioned the possibility to use md5 instead of a password, without giving any example code. I wonder how could I re-write the code above to implement MD5? Thank you in advance!
To change the authentication method:
Open a terminal window
Change into the postgres bin directory
Example: cd /usr/local/pgsql/bin
Note: Depending on your install environment the path to the bin directory may vary.
Type su – postgres and press Enter. This will change the logged in to the postgres user.
From the bin directory type ./psql
Type ALTER USER postgres password 'your shell account postgres password'; and press Enter. ALTER ROLE should be displayed.
Type \q and press Enter
Type vi /path to data directory/pg_hba.conf and press Enter
Modify the line at the bottom of the config file to resemble one of these examples.
Note: You will probably only have to change the word trust to md5. The line or lines should already exist.
host all postgres your.ip your.subnet md5
host all all your.ip your.subnet md5
Note: If you are using vi as the editor press i to insert text
Save the changes
Note: If you are using vi as the editor press i to insert then press :wq! to save the changes.
From the postgres bin directory type./pg_ctl restart -D /usr/local/pgsql/data and press Enter

Veeam extract utility for test passwords

I’m using the extract utility for test all the password of encrypted jobs and it work well. Just a problem when the password contain a double quotes (“).
I pass the good password but it seem that the extract utlity fails when we used password with double quote.
The main command i use is that one : .\Extract.exe -dir $full_dir -password $mdp
I got the error message “Password is incorrect”
obviously I already have verified the password and he is correct.
Does anyone have an idea ? or do i have to change all the password that contain a double quote ?

Execute commands to output window using powershell

I am creating a powershell script to change the sybase database account password. I am using isql.exe to change the password. Below are the steps I am trying to automate:
1) isql.exe -SServerName -UUserAccount -PPassword [Run this command and it should log you in with user account]
2) At this point it is waiting for you to run this command "sp_password 'oldPassword', 'newPassword'" [keyboard Enter]
3) GO [Keyboard Enter]
With the below script I built I am able to login, but unable to execute steps 2 and 3. I see that the screen is waiting for the input Step 2 and Step 3, but how should I write to it?
I am new to powershell, but I tried using Write-Output, Write-Host, Invoke-Expression, Invoke-Command for Step 2 and it did not work
$exe=$args[0] #argument which contains the path to isql.exe
$server=$args[1] #argument which contains server name
$user=$args[2] #argument which contains user account
$oldPassword=$args[3] #argument which contains current password
$newPassword=$args[4] #argument which contains new password
$severPrefix= '-S'
$userPrefix= '-U'
$passwordPrefix='-P'
$scriptPrefix='-E'
$spPasswordCmd= 'sp_password'+' '+ $oldPassword +','+ $newPassword
$serverArg = $severPrefix + $server
$userArg= $userPrefix + $user
$passwordArg= $passwordPrefix + $oldPassword
#Step 1- isql.exe -SserverName -UuserAcount -PoldPassword
&$exe $serverArg $userArg $passwordArg
#Step 2 - After login, execute "sp_password 'oldPassword', 'newPassword'"
#&$spPasswordCmd
#Step 3- Go
Read-Host -Prompt "Press Enter to continue"
What went wrong:
By entering the first command you entered "inside" ISQL prompt.
The powershell script won't send ISQL specific commands (Steps 2 & 3) to that session.
It seems to me that you have two options:
1.
You need to open an ISQL session and send a block of commands to that session.
This is a link about connections on Sysbase but I cannot test the things in there.
2.
By reading the ISQL docs, it seems that you can pass a file with commands to the steps 1:
Read in an operating system file containing a query for execution by
isql: isql -U alma -Ppassword < input_file The file must include a
command terminator. The results appear on your terminal. Read in an
operating system file containing a query and direct the results to
another file: isql -U alma -Ppassword < input_file > output_file
I would spend my time here first. See that in there you can find a link with instructions on how to write the sysbase commands file.
After trying lot of combination, finally I was able to get it to work. Posting my script so that it could be helpful for others.
$exe=$args[0] #argument which contains the path to isql.exe
$server=$args[1] #argument which contains server name
$user=$args[2] #argument which contains user account
$currentPassword=$args[3] #argument which contains current password
$newPassword=$args[4] #argument which contains new password
$outputFilePath=$args[5] #argument which containes spPassword file script path
$spPasswordCmd = "sp_password `'$currentPassword`',`'$newPassword`'"
# Create file:
$spPasswordCmd | Set-Content "$outputFilePath"
# Append to file:
"GO" | Add-Content "$outputFilePath"
isql -S"$server" -U"$user" -P"$currentPassword" -i"$outputFilePath"
write-host "**** Password Change Complete *****"
Read-Host -Prompt "Press Enter to exit.!"
After you login to Sybase using isql.exe, you would need to get into the session of isql.exe to change the password by calling sp_password. In your code, you're are simply executing the login command. I dont think you're getting into the session of isql.exe
Take a look at the below link, I guess it might be useful and probably better way to change the database account password.
https://www.cdata.com/drivers/sybase/powershell/

Bypass host key checking with Net::SCP

I'm using the Perl Net::SCP module to SCP tarballs to a remote server.
The remote server does not have a static IP, so every time the IP address changes the sending machine would need to accept the host key.
This breaks my script, as now I have to manually accept the host key each time the IP changes.
Is there a way I can have Net::SCP bypass host key checking?
I saw an option with Net::SCP::Expect, but I'm not sure if I would be required to use this module.
Solution
Yes, you can do that with the module Net::SCP::Expect in the following way (unix system assumed):
#!/usr/bin/perl
use strict;
use warnings;
use Net::SCP::Expect;
my $scp = Net::SCP::Expect->new(
host => 'localhost', # or target IP address
user => 'username',
password => 'mysecretpass',
auto_yes => 1, # automatically pass a 'yes' string to any yes/no questions
timeout => 5,
option => 'UserKnownHostsFile=/dev/null StrictHostKeyChecking=no' # the trick
);
# now send the file
$scp->scp('file.tar', 'TargetDirectory/') || die "scp() failed: $!\n";
Explanation
SCP actually uses SSH, so whenever the remote identity/fingerprint changes, the connection is no longer permitted because of security reasons. As you can probably imagine, this is for your own security because you could also be the victim of a "man in the middle attack" or similar things. Your machine has most likely saved all known fingerprints in the following file:
~/.ssh/known_hosts
And this causes the problem for you. In the Perl script above you can see how the options UserKnownHostsFile=/dev/null and StrictHostKeyChecking=no are passed to the constructor. These are actually SSH options, which can be either specified on the command line or in your machine's SSH configuration file. Since SCP uses the same options, you can pass them to the module and therefore completely bypass the identity check in your case.
Why does it work?
By replacing(*) the known_hosts file with /dev/null, you basically give it an empty file that cannot be modified. This allows you to completely ignore the safety check and your file will get sent as expected.
(*): of course it doesn't get replaced in the filesystem, but the module will just use it as the temporary location/path

openconnect password and cookie input

After 2-3 day search and work now i hope you can help ...
I want to use from openconnect in my program and for auth have 2 solution
1 - use from user and pass (but pass dont have any option for command line and only with standard input can input pass)
2 - used from cookie (but openconnect not work with cookie for me !)
For Cookie i do this
-send user with post method to server
-server ask for password
-send password with post method to server
-if all is ok and auth id = success
-read header and get cookie
open command line and send ip and cookie to openconenct
and Error !
Creating SSL connection failed
command line code
openconnect.exe vpn.server.ip --no-cert-check -C "webvpn=BPlUDg9oaTN2uQQ0DQvH7QopD3x5NahiCHQgTqKQ7KPJg38dSuvqLmYIo9Jskig; Secure,webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; Secure,webvpnc=bu:/&p:t&iu:1/&sh:7350D46A8EE85D06&lu:/+CSCOT+/translation-table?textdomain%3DAnyConnect%26type%3Dmanifest&fu:profiles%2F/etc/ocserv/profile.xml&fh:6B5181182D2B5483FBB8D2AA1BCBACC9A70E2BA3; path=/; Secure"
for send user and pass with post method i use from C#
2 - for user and pass i do this work
use from command line for auto fill input with this code
type password | openconnect.exe vpn.server.ip -u username --no-cert-check
and
password | openconnect.exe vpn.server.ip -u username --no-cert-check
and
openconnect.exe vpn.server.ip -u username --no-cert-check < pas.txt
and again error !!!
Password: ReadConsole() failed: The handle is invalid.
now i want to know whats wrong in my code ??
or have any better solution for accept cookie or auto fill input ?
if you have any idea please tell me.
thanks and kind regards.
openconnect command line info
Openconnect Autofill Username and Password
There is a trade-off between convenience and security. Autofill user and password is not recommended in terms of security.
In case you need the convenience to make an autoconnection using openconnect here is a simple example steps:
Simple Steps Example
Create a plaintext password file
mypass.txt
contains only the password:
mysupersecretpassword
Create a script to call openconnect
myscript.sh contains two lines of command:
openconnect --protocol=gp vpn.mycompany.com --user=abc123 --passwd-on-stdin < mypass.txt
./myscript.sh
the second line ./myscript.sh is intentionally added to make the script loop forever thus create a persistent VPN connection.
Make script executable
In terminal line:
chmod +x myscript.sh
Run your script
run your script with a sudo privilege
sudo ./myscript.sh
to exit the loop just press CTRL + C
For More Security
For added security you can make the process not so simple:
put your script and password file in a protected/hidden directory that only root level user can access;
Encrypt the plaintext password file and make another script to decrypt and read the password for example using linux gpg, but you will still have to enter the encryption/decryption passphrase.
In ubuntu you can use this:
openconnect --script ./vpnc.sh target-domain --no-cert-check -u username --passwd-on-stdin < pass.txt
Hope this helps.