Thread: scripting secure file transfers?

  1. #1
    Senior Member roswell1329
    Join Date
    Jan 2002
    Posts
    670

    Question scripting secure file transfers?

    Does anyone know of a way to script secure file transfers that run automatically?

    I support an output management system that can transfer print jobs to a system instead of a printer using FTP and a plain-text password file. Basically, when you send a print job to a queue that is an FTP destination, the output management system kicks off a Perl script using the Net::FTP module to transfer the file, and it references the plain-text password file for the appropriate password for the destination system. The whole system right now makes me sick because of the plain-text passwords, and I'm trying to get around it by using scp instead. I'm having trouble getting around the password problem, though. I thought about including a line at the head of the Perl script to start an ssh-agent and run ssh-add to add an RSA or DSA authentication key created without a passphrase, but that would greatly compromise the account this is running under. Any other suggestions? This script has to be able to run automatically, without intervention.
    /* You are not expected to understand this. */

  2. #2
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672
    Actually,
    You can use Net::SCP and an RSA key or just execute scp...
    An easy method is to add a non-priv user, set up RSA/DSA keys, then within the key (.ssh/authorized_keys) make some modifications like command=, from=, and various things like that before the key.
    EX:
    command="cat >> pflog",from="firewall",no-port-forwarding,
    no-X11-forwarding,no-agent-forwarding,no-pty 1024 35 823048999354794546
    387730268448993843509453678937752623781590692383465714412310547850845
    002743725739940385332209432179012664317663101851362676488696898502309
    227231929637769105487294380073461038245801883934544973368435992775028
    741798113678310035476893561892917648628649037238909042041894298934725
    815994839373584 root@firewall


    man sshd to get the full details about locking it down. I've done this for firewall logging, and never had any issues.
    Antionline in a nutshell
    "You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"

    Trust your Technolust
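
One way to back the command= restriction from the post above with a check on what the client actually asked for, as an added example that is not part of the original posts. The script name scp-gate, its install path and the spool directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Forced-command gate for an upload-only key.
# Assumed/hypothetical names: SPOOL_DIR, the script name scp-gate.
# authorized_keys entry (one line in the real file, key elided):
#   command="/usr/local/bin/scp-gate",from="firewall",no-port-forwarding,
#   no-X11-forwarding,no-agent-forwarding,no-pty <public key>
LC_ALL=C; export LC_ALL                 # byte-wise ranges in the patterns below
SPOOL_DIR=/var/spool/outq/incoming      # hypothetical drop directory

# Print "allow" only for a legacy scp upload (sink mode, -t) into SPOOL_DIR.
gate_decision() {
    sink=no target=
    set -f                  # no globbing while the request is split
    set -- $1               # split on whitespace; nothing is evaluated
    set +f
    [ "${1:-}" = scp ] || { echo deny; return; }
    shift
    for word in "$@"; do
        case $word in
            -t) sink=yes ;;
            -p|-d|-v|--) ;;                       # flags scp clients may add
            -*) echo deny; return ;;              # -f (download), -r, others
            *)  [ -z "$target" ] || { echo deny; return; }
                target=$word ;;
        esac
    done
    [ "$sink" = yes ] || { echo deny; return; }
    case $target in
        *..*|*[!A-Za-z0-9./_-]*) echo deny ;;      # traversal, metacharacters
        "$SPOOL_DIR"|"$SPOOL_DIR"/*) echo allow ;;
        *) echo deny ;;
    esac
}

# sshd sets SSH_ORIGINAL_COMMAND when the client requested a command.
# With no request (a plain login attempt) the script simply ends: no shell.
if [ -n "${SSH_ORIGINAL_COMMAND+set}" ]; then
    if [ "$(gate_decision "$SSH_ORIGINAL_COMMAND")" = allow ]; then
        set -f
        exec $SSH_ORIGINAL_COMMAND    # validated words only, no shell parsing
    fi
    logger -t scp-gate "denied: $SSH_ORIGINAL_COMMAND"
    exit 1
fi
```

scp from OpenSSH 9.0 onward uses the SFTP protocol by default, so such a client needs `scp -O` to send the legacy `scp -t` request this gate matches.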

  3. #3
    Senior Member roswell1329
    Join Date
    Jan 2002
    Posts
    670
    That's great info, hogfly, thanks! The only problem I see is the output management system I'm using will kick this Perl script off as a fork, so the user running the script will be the same user the system runs under. I may be able to get away with setting the script to switch user id's upon execution (suid), but that may be prohibited by the local configuration of the HP-UX kernel (on the host system). This method may be the best way around this. Many thanks again for your help!

  4. #4
    Senior Member
    Join Date
    Jun 2004
    Posts
    460
    what i have done to script my sftp transfers is to first set up a PKI and then once that is done, sftp has the ability to have batch transfers for example,

    first you would spread around your public key and get that communication working,
    then you would write your sftp batch file

    ex (i don't know if this works, i am just making it up for an example so you see what i mean):
    lcd /usr/dudeman/transfer
    put *
    quit

    then you would run sftp with the batch flag (either -b or -B depending on openssh or ssh.com)

    you could then cron the whole thing and you would have a daily auto sftp transfer

    seeing that you have HP-UX, i am going to assume that you are running openssh like we are. if you don't want to use public key passwordless, then you could also use the ssh agent (if you don't already know how): http://www.cs.berkeley.edu/~dtliu/sshinterop.html
    find / -name "*your_base*" -exec chown us:us {} \; Trust No One Use Hardened Gentoo
    CATAPULTAM HABEO. NISI PECUNIAM OMNEM MIHI DABIS, AD CAPUT TUUM SAXUM IMMANE MITTAM
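
The batch approach from the post above, worked through for a single spooled file with OpenSSH's `sftp -b`, as an added example that is not part of the original posts. The account, key path, remote directory and the availability of `mktemp` are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Hypothetical names: REMOTE, KEY, REMOTE_DIR.
LC_ALL=C; export LC_ALL                # byte-wise ranges in the patterns below
REMOTE=xfer@printhost                  # assumed unprivileged account
KEY=/opt/outq/.ssh/xfer_key            # assumed dedicated key for this job
REMOTE_DIR=incoming                    # assumed remote drop directory

# Emit an sftp batch that uploads one file under a temporary name and renames
# it once complete, so the receiver never picks up a partial file.
make_batch() {
    file=$1
    name=${file##*/}
    case $file in
        *[!A-Za-z0-9./_-]*) return 1 ;;   # refuse paths sftp would need quoted
    esac
    [ -n "$name" ] || return 1            # path ended in "/": no file name
    printf 'cd %s\n' "$REMOTE_DIR"
    printf 'put %s .%s.part\n' "$file" "$name"
    printf 'rename .%s.part %s\n' "$name" "$name"
    printf 'quit\n'
}

# Run the batch. In batch mode sftp stops with a non-zero exit status on the
# first failed command; BatchMode=yes makes ssh fail rather than prompt for a
# password when key authentication does not work.
send_file() {
    batch=$(mktemp) || return 1
    make_batch "$1" > "$batch" || { rm -f "$batch"; return 1; }
    sftp -b "$batch" -o BatchMode=yes -o IdentityFile="$KEY" "$REMOTE"
    rc=$?
    rm -f "$batch"
    return $rc
}
```

Calling `send_file /path/to/job` from the spooler or from cron gives an exit status the caller can act on instead of a silently failed transfer.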

  5. #5
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672
    roswell: I'd also suggest you learn to love expect. once you start using it..you'll wonder why you didn't start sooner.

  6. #6
    Senior Member roswell1329
    Join Date
    Jan 2002
    Posts
    670
    Oh, I DO love expect, but in this case it's not really practical. This script needs to be run autonomously, and I'm not about to hardcode a password into this thing. I think the best way to do this is to use the limitations in the authorized_keys file to greatly reduce the accessibility through a passwordless transfer.

  7. #7
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    Expect is not the answer.

    The answer is to configure ssh so that you can connect with no password using public key authentication (i.e. the local private key is stored unencrypted).

    Then you can scp all you like without being prompted for anything, and it will all be done through secure communications.

    Slarty

  8. #8
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672
    It was one suggestion..that's all. Hence why I gave the ssh answer first, because that's the way to do it that makes the most sense..
    *shrug*
    good luck roswell

  9. #9
    Senior Member
    Join Date
    Jul 2002
    Posts
    339
    Originally posted here by slarty
    Expect is not the answer.

    The answer is to configure ssh so that you can connect with no password using public key authentication (i.e. the local private key is stored unencrypted).

    Then you can scp all you like without being prompted for anything, and it will all be done through secure communications.

    Slarty
    I suggest using ssh-agent since:
    - you can have your local private key stored encrypted with a passphrase you chose
    - still you need only to be prompted once for the passphrase

    Authentication data need not be stored on any other machine, and authentication passphrases never go over the network. However, the connection to the agent is forwarded over SSH remote logins.

    Run ssh-agent to run the agent and ssh-add to add your local encrypted private key.

    Peace always,
    <jdenny>
    Always listen to experts. They'll tell you what can't be done and why. Then go and do it. -- Robert Heinlein
    I'm basically a very lazy person who likes to get credit for things other people actually do. -- Linus Torvalds

