Maybe not the best worded question, but hopefully it's a straightforward problem.
The scenario is SSHing from a personal account on box A to a generic account on box B. The script running on box B needs to capture the personal account name for logging purposes. Is there any way of capturing this, either via SSH itself or some information captured by the shell? We are using ssh2 (Reflections), and KornShell (ksh) on Solaris.
If you have full control of the client machine, you can deploy identd to get the username.
Full procedure to get name from script:
Walk up process tree, find sshd
Walk netstat -p to find the remote IP and port.
Connect to client on port 113 and ask.
You may have to disable privilege separation for this to work as-is; however it should be trivial to modify to work w/o it.
You can't log the remote username reliably
You can log the IP of the connection (see the SSH_CONNECTION variable)
You could have a standard where they use an alias for ssh that logs the remote username as part of the login process, or where they store their username in a .ssh/environment file (but allowing environments to be set may require ssh/sshd config changes).
alias sshblah='ssh blah "REMOTEUSER=$USER; bash'
(Except that doesn't work, and I haven't tried to figure out why - and it would be different if you use tcsh, etc).
You can use environment passing in this manner, and select which variables you allow to be set. You'd have to get the users to set some alternate to $USER, like $REMOTE_USER=$USER, and then allow $REMOTE_USER to pass through. And you're trusting they don't set it incorrectly, or forget to set it (you can handle that case with a little annoyance by modifying this mechanism).
Note that you almost have to trust the client connecting to tell you who the user is - you can make it hard/annoying to spoof the username, but unless you use per-user certificates instead of a generic login/password they all know, you can't verify who connected.
Related
I want to make a script that asks the user for username and password and uses these for a few things at once, including connecting to OpenVPN without needing to either
store the password on the disk
ask the user for the data many times over
for example you can run net use with user and password to mount shares, however openVPN seemingly only has an option to pass a file with username and password.
On Linux there seemingly are solutions like this, however I don't seem to find anything similar for windows yet.
Is there a solution?
This is my situation:
I have a linux server/media center with a windows client.
My goal is to remote control rhythmbox amongst other things.
I've done this using plink (windows based cli ssh toy).
The problem is that starting up an ssh session logging in and sending a command is understandably slow as hell. When I had a windows server I used a tool called psexec which was almost instantaneous.
Is there any way to speed this process up? Either somehow sending the commands with the login request which should show some improvement. Or by maintaining a persistent ssh connection which I can use. (plink dcs at the end of the command).
More info: On my windows machine I'm using a bat like:
plink -ssh -l username -pw pass myipaddress "/home/username/bin/skip"
On my linux machine the skip bash file is something like:
//needed to get around a x11 error caused by controlling rhythmbox over sshif its an ssh connection copy the dbusaddressfirhythmbox-client --next //the cli wrapper for rhythmbox
Further Research:
The only way to go seems to keep an ssh connection open/maintained as a service. This seems doable as there is a demand due to setting up ssh tunnels (to bypass firewalls). From there I'd need a way to send the command line commands to this existing connection or reuse that connection.
The other option is of course to NOT use ssh. Hell I already have a connection through samba file shares and there is no lag there. I bet I could put a service linux side that checks for a modified file. Then have an ap client side that modifies said file. Amazingly hacky but so far it seems like the best option. And by best I mean the only one that cuts control lag. There has got to be a better way than this, I can't be the only nerd using linux as a media-center that wants remote controls. This kind of moves the topic from stackoverflow to superuser but that's ok.
You could user an SSL certificate to get rid of the login part. Alternatively, build yourself a small HTTP server which uses an "exotic" port for controlling your media player (amarok, btw, has one build-in)
Switching to something like mpd will bypass the ssh issue, although I give no guarantee that changing tracks will be any faster.
If anyone is curious, I ended up implementing an http based server with php to execute commands server side. And client side I used curl.exe to allow me to have nice click-able buttons without the overhead of a web-browser.
Also nice since it allowed me to implement an in browser UI which is great to use from any machine with internet, ones that don't have ssh installed. And works wonderfully from my phone as a remote control (which I can use from a country away if I so chose...)
is there a way of how to connect to mysql dbf on a remote server and run sql queries using windows command line?
Yes, you can connect to a different host by running mysql -h 123.45.67.89.
Please note that there are a few security implications:
You will have to grant yourself access. You will need to run something like GRANT ALL on db_name.table TO user#your_ip IDENTIFIED BY 'password'. db_name, table and your_ip can be * but beware of opening your server to hackers.
You will have to open your server's firewall if you are not on the same LAN. Again, ymmv and you should be aware not to open the door to exploits.
You may want to use SSL and use secure-auth in order to protect your traffic and credentials.
Hope that helps.
MySQL has a command-line client, where you can run queries. If you don't want to allow remote connections to the database on the server, you can still script things into a batch. There are command-line telnet/ssh clients, that either accept external file as a list of commands to run remotely, or you can pass it with the input stream redirection (less then symbol) to them.
When opening a connection to server - most clients are programmed so that the only way to specify the login password is by typing it in from keyboard (yeah, they don't use default input stream). Things like that make it hard to script it. However, it may be possible to set up a certificate based login on SSH - you'd actually have to research that.
If the server that's hosting the MySQL database is also a web server - you could also think about putting some script (PHP, Perl, Python, Ruby - whatever you like) on the password protected area, that would allow you to execute queries by simply making a HTTP(S) queries on that script. Although, Windows doesn't have a command-line HTTP(S) client, you can always get something like wget.exe and perform queries with it. Note, that if you choose this approach - I strongly advice to put that script under HTTPS - if discovered by malicious user, it could be lethal to your data.
You could use telnet, or SSH if you want to be more secure.
If the MySQL is running on Linux or BSD, you need a Telnet or SSH connection through something like putty
This will open a command line on the remote server. The command is mysql. There will be issues around authentication of remote users (as you would expect).
If the remote server is running Windows, you have a whole different set of issues.
I'm not sure you can connect to a remote Windows server and control it this way.
I should say I'm not sure HOW you could connect to a remote Windows server and use it this way. But no doubt it's possible.
I have a shell script on a Unix box which when executed sets the DISPLAY variable dynamicaly to the clients ip address and if the client has some sort of x windows up and running then it launches say a program ike xcalc.
I would want the shell script to launch the x windows say like exceed session on the winodws client when the shell script is executed is this possible if so how ?
regards
Edwards
The general answer to that is "no, not unless you explicitly enable it."
Think about this in a general sense. Your questions is "Is my PC security so weak that external computers can connect in start programs on it, without a password or certificate?"
Clearly this effectively would mean that your PC had zero security. So for your sake, I sincerely hope that the answer to your question is "No".
If in your case the answer is "Yes", then perhaps it's time to abandon Windows 98?
This might be something worth asking on ServerFault too, since it's somewhat of a gray area between programming and system administration.
Are clients logged in via a shell to the server? Rather than setting the DISPLAY variable to their IP address, I highly recommend using SSH and some sort of client (openssh on Linux, PuTTY on Windows) that will automagically set the DISPLAY variable when you login.
The procedure would look like this:
Start an X server the client (eXceed, Xorg, etc)
Use PuTTY/SSH to login to the server with X11 forwarding turned on (-X for openssh, Connection | SSH | X11 for PuTTY)
Start the X11 program
The nice thing about this setup is that it's easy to tell if the client has an X server running - the DISPLAY variable will be set if so, but unset if not.
You say that you want to start a session on the Windows client when they login - do you want to see, for example, a login similar to what you would see if you were at the machine? In that case, you might want to use XDMCP.
What is the best way to send a password to a Windows Service? Our application needs a password in order to start. I don't care that services are "normally" supposed to run without user interaction. Its good enough for us that an operator can start the application and then log off.
On a unix system, I would just echo the password over stdin but the service has no stdin.
Currently, we use the DPAPI to just store the password using CryptProtectData. While this, works, it presents other problems that are beginning to become troublesome.
I'm guessing that I'll need to use some form of IPC between the service and the application that is sending the password but I'm not sure which method is appropriate, if any.
Thanks
Two main options:
You could listen on a socket on startup and wait for the required password to be supplied (maybe embed an SSH server in there, so that the password cannot be snooped over the wire)
My preferred option would be to read the password from a configuration file (that can be secured to the minimum readership) or registry setting (again, sufficiently secure such that only your service and administrators can read/change it)
Thanks for responding Rowland.
You could listen on a socket on
startup and wait for the required
password to be supplied (maybe embed
an SSH server in there, so that the
password cannot be snooped over the
wire)
I considered that but without certificate verification, wouldn't that leave us open to a man in the middle attack?
My preferred option would be to read
the password from a configuration file
(that can be secured to the minimum
readership) or registry setting
(again, sufficiently secure such that
only your service and administrators
can read/change it)
We're trying to follow "defense in depth" as much as possible such that if an attacker compromised the machine, he would not able to access our application.
You can use kerberos mutual authentication. There are few options and examples there.
But just wondering. On a compromised machine, There may be a key logger. So typing the password is never secure if you want to maintain security in this environment. The same problem exist afaik for unix terminals.
DPAPI in UserMode is really the best option, and storing the encrypted data in a protected location, e.g. registry key with limited ACL.
What exactly were the problems that are beginning to be troublesome? Maybe we can just solve those...
What exactly were the problems that
are beginning to be troublesome? Maybe
we can just solve those...
Currently, the application runs as the Local System account.
Our application stores a number of credentials in an encrypted file and uses the DPAPI (in UserMode) for the encryption.
Thus, when the application is installed, the installer is run as the Local System account. We also have a set of tools that ship with the application, some of which need access to this encrypted file and thus, they too need to run as the Local System account.
By the time the application is installed and started, we're heavily dependent on that account.
We're running into problems because one of our users wants to use the application to access a shared network drive. The Local System account has no such privileges and we can't simply run our service as a different user because our encrypted information is protected under the Local System Account.
We've tried to avoid the process of setting up a user account just for our application because it is installed across many different customers and environments, all of whom have wildly different security policies.
You can access a remote drive from a service running under system account. However, you will need to have credentials & share information to connect to the remote machine. You can use the API wnetaddconnection to gain access. Probably your encrypted file can store this credential as well.