Thread: [Ssh-sftp-perl-users] Need help using passphrase with key pairs in Net::SFTP::Foreign
From: Russ B. <us...@gm...> - 2010-10-27 15:17:54
I have Net::SFTP::Foreign working fine when my key pairs have an empty passphrase. But I have been directed to no longer use key pairs that are not protected by a passphrase.

In the code below I successfully use "Expect" to pass the passphrase, complete the login and even list the contents of the remote directory. But I can not then get Net::SFTP::Foreign to utilize the connection that Expect has established ($conn). Documentation implies that transport => $conn should do the trick but it is not working in the example below.

Any help will be gratefully appreciated.

Note that I am using Net::SFTP::Foreign to control the Tectia ssh client, which is installed at /opt/tectia/bin/sshg3. I have no trouble controlling sshg3 except when the key pair has a non-empty passphrase.

#!/usr/bin/perl

use Net::SFTP::Foreign;
use Expect;

# turn on all of the module's debugging output
$Net::SFTP::Foreign::debug = -1;

my $tectia_ssh_client = "/opt/tectia/bin/sshg3";

my %feed_server;
$feed_server{server}    = "server01";
$feed_server{directory} = "/export/home/tuser";

my @sshargs    = ('-v');
my $passphrase = "some secret group of words";
my $timeout    = 20;
my $delay      = 120;
my $user       = "tuser";
my $host       = "server01";
my @pattern    = "Passphrase for the private key:";
my $logfile    = "/export/home/tuser/mylog.txt";

$Expect::Exp_Internal = 1;

my $conn = Expect->new;
$conn->raw_pty(1);
$conn->log_stdout(1);
$conn->log_file($logfile);
$conn->spawn("$tectia_ssh_client $user\@$host") or die "spawn command failed";

# answer the passphrase prompt, then wait for the remote shell prompt
$conn->expect($timeout, @pattern);
$conn->send("$passphrase\n");
$conn->expect($timeout, "bash");
$conn->send("ls -l\n");
$conn->expect($delay, "bash");

### === this is where things stop working ======

my $sftp = Net::SFTP::Foreign->new(transport => $conn);

if (($sftp->error) || ($sftp->status)) {
    print "\n";
    print "transport did not connect! $0\n";
    print "sftp error: ".$sftp->error."\n";
    print "sftp status: ".$sftp->status."\n";
} else {
    print "Got a connection without errors\n";
}

my $files_in_directory;
eval {
    $files_in_directory = $sftp->ls("$feed_server{directory}");
};

if (($@) || ($sftp->error)) {
    print "sftp--> error: ".$sftp->error."\n";
    print "\n";
    print "Directory Listing Problem on host: $feed_server{server} $0\n";
    print "Directory = $feed_server{directory}\n";
    print "ERROR = $@\n";
} else {
    print "Files in directory: \n";
    foreach (@$files_in_directory) {
        my $longlist  = $_->{longname};
        my $shortname = $_->(unknown);
        print $longlist;
    }
}
From: Russ B. <us...@gm...> - 2010-10-27 16:20:34
On Wed, Oct 27, 2010 at 11:42 AM, Salvador Fandino <sfa...@ya...> wrote:
>
> ----- Original Message ----
>> From: Russ Brewer <us...@gm...>
>> To: Ssh...@li...
>> Sent: Wed, October 27, 2010 5:17:47 PM
>> Subject: [Ssh-sftp-perl-users] Need help using passphrase with key pairs
>> in Net::SFTP::Foreign
>>
>> I have Net::SFTP::Foreign working fine when my key pairs have an empty
>> passphrase. But I have been directed to no longer use key pairs that
>> are not protected by a passphrase.
>>
>> In the code below I successfully use "Expect" to pass the passphrase,
>> complete the login and even list the contents of the remote directory.
>>
>> But I can not then get Net::SFTP::Foreign to utilize the
>> connection that Expect has established ($conn). Documentation implies
>> that transport => $conn should do the trick but it is not working in
>> the example below.
>>
>> Any help will be gratefully appreciated.
>
> Net::SFTP::Foreign supports authenticating using passphrase protected keys
> natively. Have you tried it?
>
> $ssh = Net::SFTP::Foreign->new($host,
>                                user => $user,
>                                ssh_cmd => $tectia_ssh_client,
>                                passphrase => $passphrase);
> $ssh->error and die "unable to connect to $host: ". $ssh->error;
>
> - Salva

Salva,

Thank you for your prompt response.

Yes, I did try to use passphrase => $passphrase but it did not work.

Please look at the code below. When the script runs, I see the login banner on the remote server and I see the prompt for the passphrase. After several minutes, the script times out. I turned to Expect because my try with the script below was not working.

I have tested the key pairs and the passphrase works fine from the command line. I have no trouble logging in from the command line when I type the passphrase by hand. I have no problem using expect to automate the login. So it appears that passphrase => $passphrase in the following code is not being recognized.

#!/usr/bin/perl

use Net::SFTP::Foreign;

my $tectia_ssh_client = "/opt/tectia/bin/sshg3";
$feed_server{server} = "server01";
$feed_server{directory} = "/export/home/tuser";
@sshargs = ('-v');
$passphrase = "some group of words";
$user = "tuser";

my $sftp = Net::SFTP::Foreign->new
    (
     host => $feed_server{server},
     user => $user,
     ssh_cmd=>$tectia_ssh_client,
     timeout=>20,
     passphrase => $passphrase,
     more => [@sshargs]
    );

if (($sftp->error) || ($sftp->status)) {
    print "\n";
    print "Login Problem on host: $feed_server{server} using key pairs -- exiting perl script $0\n";
    print "sftp error: ".$sftp->error."\n";
    print "sftp status: ".$sftp->status."\n";
} else {
    print "Got a connection without errors\n";
}

eval {
    $files_in_directory = $sftp->ls("$feed_server{directory}") or
        die "Trapped DIE: Failed directory list for $feed_server{directory} on server $feed_server{server}";
};

if (($@) || ($sftp->error)) {
    # reset $sig_die_alarm in preparation for some future
    # call to subroutine sig_die_alarm
    $sig_die_alarm = "false";
    print "sftp--> error: ".$sftp->error."\n";
    print "\n";
    print "Directory Listing Problem on host: $feed_server{server} -- exiting perl script $0\n";
    print "Directory = $feed_server{directory}\n";
    print "ERROR = $@\n";
} else {
    print "Files in directory: \n";

    foreach (@$files_in_directory) {
        $longlist = $_->{longname};
        $shortname = $_->(unknown);
        print $longlist;
    }
}
#====================================================================

When the script is run, here is what I see:

SSH Tectia Client: Evaluation period will end in 12 days.
Product: SSH Tectia Client
Evaluation period will end in 12 days.
This server is running on an evaluation license.
It will expire after 16 days.
========================== WARNING! ====================================

This is a private computing system! Access to this system is limited
to approved individuals authorized by Intelligent Decisions Inc.
Any attempted or unauthorized access, use, or modification is expressly
prohibited. Unauthorized users may face criminal or civil penalties.
The use of this system may be monitored and recorded. If the monitoring
reveals any possible evidence of criminal activity, the company can
provide the records to law enforcement. By continuing to
access this system you consent to said monitoring and you agree that you
you have no expectation of a right to privacy while using this system.

========================== WARNING! ====================================

Key label: 1024-bit dsa, tuser@controlzone, Tue Oct 26 2010 15:05:04 -0400
File name: /export/home/tuser/.ssh2/id_dsa_1024_a
Passphrase for the private key:

## ---- A long pause until timeout occurs right here, then I get the following error messages

Login Problem on host: server01 using key pairs -- exiting perl script ./test_basic_passphrase.pl
sftp status: No connection
sftp status: No connection
sftp--> error: Passphrase not requested as expected: 0
Directory Listing Problem on host: server01 -- exiting perl script ./test_basic_passphrase.pl
Directory = /export/home/tuser
ERROR = Trapped DIE: Failed directory list for /export/home/tuser on server server01 at ./test_basic_passphrase.pl line 40.
From: Salvador F. <sfa...@ya...> - 2010-10-27 16:48:49
----- Original Message ----
> From: Russ Brewer <us...@gm...>
> To: Salvador Fandino <sfa...@ya...>
> Cc: ssh...@li...
> Sent: Wed, October 27, 2010 6:20:27 PM
> Subject: Re: [Ssh-sftp-perl-users] Need help using passphrase with key pairs in Net::SFTP::Foreign
>
> On Wed, Oct 27, 2010 at 11:42 AM, Salvador Fandino <sfa...@ya...> wrote:
> >
> > ----- Original Message ----
> >> From: Russ Brewer <us...@gm...>
> >> To: Ssh...@li...
> >> Sent: Wed, October 27, 2010 5:17:47 PM
> >> Subject: [Ssh-sftp-perl-users] Need help using passphrase with key pairs
> >> in Net::SFTP::Foreign
> >>
> >> I have Net::SFTP::Foreign working fine when my key pairs have an empty
> >> passphrase. But I have been directed to no longer use key pairs that
> >> are not protected by a passphrase.
> >>
> >> In the code below I successfully use "Expect" to pass the passphrase,
> >> complete the login and even list the contents of the remote directory.
> >>
> >> But I can not then get Net::SFTP::Foreign to utilize the
> >> connection that Expect has established ($conn). Documentation implies
> >> that transport => $conn should do the trick but it is not working in
> >> the example below.
> >>
> >> Any help will be gratefully appreciated.
> >
> > Net::SFTP::Foreign supports authenticating using passphrase protected keys
> > natively. Have you tried it?
> >
> > $ssh = Net::SFTP::Foreign->new($host,
> >                                user => $user,
> >                                ssh_cmd => $tectia_ssh_client,
> >                                passphrase => $passphrase);
> > $ssh->error and die "unable to connect to $host: ". $ssh->error;
> >
> > - Salva
>
> Salva,
>
> Thank you for your prompt response.
>
> Yes, I did try to use passphrase => $passphrase but it did not work.
>
> Please look at the code below. When the script runs, I see the login
> banner on the remote server and I see the prompt for the
> passphrase. After several minutes, the script times out. I turned
> to Expect because my try with the script below was not working.
>
> I have tested the key pairs and the passphrase works fine from the
> command line. I have no trouble logging in from the command line when
> I type the passphrase by hand. I have no problem using expect to
> automate the login. So it appears that passphrase => $passphrase in
> the following code is not being recognized.
>
> #!/usr/bin/perl
>
> use Net::SFTP::Foreign;
>
> my $tectia_ssh_client = "/opt/tectia/bin/sshg3";
> $feed_server{server} = "server01";
> $feed_server{directory} = "/export/home/tuser";
> @sshargs = ('-v');
> $passphrase = "some group of words";
> $user = "tuser";
>
> my $sftp = Net::SFTP::Foreign->new
>     (
>      host => $feed_server{server},
>      user => $user,
>      ssh_cmd=>$tectia_ssh_client,
>      timeout=>20,
>      passphrase => $passphrase,
>      more => [@sshargs]
>     );
>
> if (($sftp->error) || ($sftp->status)) {
>     print "\n";
>     print "Login Problem on host: $feed_server{server} using key
> pairs -- exiting perl script $0\n";
>     print "sftp error: ".$sftp->error."\n";
>     print "sftp status: ".$sftp->status."\n";
> } else {
>     print "Got a connection without errors\n";
> }
>
> eval {
>     $files_in_directory = $sftp->ls("$feed_server{directory}") or
>         die "Trapped DIE: Failed directory list for $feed_server{directory} on
> server $feed_server{server}";
> };
>
> if (($@) || ($sftp->error)) {
>     # reset $sig_die_alarm in preparation for some future
>     # call to subroutine sig_die_alarm
>     $sig_die_alarm = "false";
>     print "sftp--> error: ".$sftp->error."\n";
>     print "\n";
>     print "Directory Listing Problem on host: $feed_server{server} --
> exiting perl script $0\n";
>     print "Directory = $feed_server{directory}\n";
>     print "ERROR = $@\n";
> } else {
>     print "Files in directory: \n";
>
>     foreach (@$files_in_directory) {
>         $longlist = $_->{longname};
>         $shortname = $_->(unknown);
>         print $longlist;
>     }
> }
> #====================================================================
>
> When the script is run, here is what I see:
>
> SSH Tectia Client: Evaluation period will end in 12 days.
> Product: SSH Tectia Client
> Evaluation period will end in 12 days.
> This server is running on an evaluation license.
> It will expire after 16 days.
> ========================== WARNING! ====================================
>
> This is a private computing system! Access to this system is limited
> to approved individuals authorized by Intelligent Decisions Inc.
> Any attempted or unauthorized access, use, or modification is expressly
> prohibited. Unauthorized users may face criminal or civil penalties.
> The use of this system may be monitored and recorded. If the monitoring
> reveals any possible evidence of criminal activity, the company can
> provide the records to law enforcement. By continuing to
> access this system you consent to said monitoring and you agree that you
> you have no expectation of a right to privacy while using this system.
>
> ========================== WARNING! ====================================
>
> Key label: 1024-bit dsa, tuser@controlzone, Tue Oct 26 2010 15:05:04 -0400
> File name: /export/home/tuser/.ssh2/id_dsa_1024_a
> Passphrase for the private key:
>
> ## ---- A long pause until timeout occurs right here, then I get the
> following error messages
>
> Login Problem on host: server01 using key pairs -- exiting perl script
> ./test_basic_passphrase.pl
> sftp status: No connection
> sftp status: No connection
> sftp--> error: Passphrase not requested as expected: 0

Maybe the tectia client is not opening /dev/tty for interaction with the user but just using stderr.

Could you trace your script at the OS level with ktrace, truss, strace or similar and send me the output (your keys and passphrases may be visible in the output, so don't use the real ones). Use the required options to include child processes in the tracing.

Cheers,

- Salva
From: Salvador F. <sfa...@ya...> - 2010-10-28 11:14:09
----- Original Message ----
> From: Russ Brewer <us...@gm...>
> To: Salvador Fandino <sfa...@ya...>
> Sent: Thu, October 28, 2010 12:24:36 AM
> Subject: Re: [Ssh-sftp-perl-users] Need help using passphrase with key pairs in Net::SFTP::Foreign
>
> Salva,
>
> The attached output was generated with command:
>
> truss -f -o truss.out ./test_basic_passphrase.pl

Hi,

That confirms my suspicion: the tectia client is not sending the passphrase prompt to /dev/tty but to stderr and the module does not see it.

Working around that from inside the module is not going to be easy and I don't have the time to solve it right now or for the next days.

So, we are back at logging in from the outside and using the "transport" feature to pass back the initialized connection to the module... but before exploring that way I see you are in a Solaris box and the native SSH client works flawlessly with Net::SFTP::Foreign, do you have any reason to not use that client instead?

- Salva
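The diagnosis above turns on where the client writes its passphrase prompt: a driver that watches the child's pty (Net::SFTP::Foreign, or Expect) can only react to text that actually reaches the tty, and a secret fed by prompt matching is only as reliable as that assumption. The shell script below is an added example, not from this thread and not part of Net::SFTP::Foreign or Tectia, that answers the question without a system-call tracer: it runs a command with stdout and stderr captured into separate files and reports which stream a given prompt string landed on, so a /dev/tty prompt and a stderr prompt can be told apart before any automation is written around them. The function name prompt_channel and the three stand-in "clients" are constructed for the example; the sshg3 path, user and prompt text are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): report which stream a command writes a
# given prompt to. A pty-watching driver only sees text written to the tty; a
# prompt written to stderr or stdout ends up in the captured files instead.
#
# Usage: prompt_channel PROMPT CMD [ARGS...]
# Prints one of: stderr, stdout, tty-or-none
# (tty-or-none: the prompt went to /dev/tty or was never printed at all)
prompt_channel() {
    prompt=$1
    shift
    out=$(mktemp) || return 1
    err=$(mktemp) || return 1
    # stdin is /dev/null so the command cannot read a passphrase from our
    # terminal. A client that opens /dev/tty itself will still wait there;
    # on an interactive run, pressing Enter at that prompt is enough, and
    # the prompt appearing on screen is itself the answer (tty-or-none).
    "$@" </dev/null >"$out" 2>"$err" || :
    if grep -qF -- "$prompt" "$err"; then
        channel=stderr
    elif grep -qF -- "$prompt" "$out"; then
        channel=stdout
    else
        channel=tty-or-none
    fi
    rm -f "$out" "$err"
    printf '%s\n' "$channel"
}

# Constructed stand-ins for an ssh client so the check can run offline: one
# writes the prompt to stderr (what truss showed for sshg3 in the thread),
# one writes it to stdout, and one never prompts (key without a passphrase).
PROMPT='Passphrase for the private key:'
stand_in_stderr() { printf '%s ' "$PROMPT" >&2; }
stand_in_stdout() { printf '%s ' "$PROMPT"; }
stand_in_silent() { :; }

# Against the real client from the thread the call would be:
#   prompt_channel "$PROMPT" /opt/tectia/bin/sshg3 tuser@server01
printf 'stderr stand-in -> %s\n' "$(prompt_channel "$PROMPT" stand_in_stderr)"
printf 'stdout stand-in -> %s\n' "$(prompt_channel "$PROMPT" stand_in_stdout)"
printf 'silent stand-in -> %s\n' "$(prompt_channel "$PROMPT" stand_in_silent)"
```

The three stand-ins print stderr, stdout and tty-or-none respectively. A result of stderr for a real client means exactly the situation the thread describes: the module's prompt detection will never fire, and any Expect-based driver is relying on the pty happening to carry stderr as well. Run the check with throwaway keys, as with the truss capture, since a client that does prompt on the tty will echo nothing but may still log what it receives.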
From: Russ B. <us...@gm...> - 2010-10-28 13:39:15
Salva,

The Department of Defense (DoD) may implement new ssh configuration guidelines that require all installed ssh clients and servers to be running in FIPS 140-2 compatibility mode. Tectia corporation (formerly named SSH.com) has obtained FIPS certification for its ssh product. Tectia is under consideration because it would standardize the ssh software used on Windows and UNIX servers and provide a corporate stamp of approval that FIPS requirements have actually been met. While openssl has achieved FIPS certification, my concern is that it might be difficult to prove that OpenSSH was built in a manner that maintained openssl's FIPS validity. SUN's native client is not currently built with a FIPS operating mode.

Presently Net::SSH::Perl and Net::SFTP are used by our automated file transfer scripts. The crypto packages used by these modules are not likely to be put through the costly FIPS certification process for the ssh client they generate. Since Net::SFTP::Foreign controls the installed ssh client, installing FIPS certified Tectia software is one solution being explored.

This solution seemed promising and has tested very well in FIPS mode while the key pairs had empty passphrases. However, another (currently draft) requirement specifies that user passphrases be generated by FIPS certified software. The Tectia ssh-keygen-g3 utility (in FIPS mode) will not allow key pair generation with an empty passphrase. This led to our testing the Tectia software with passphrases.

I do not need a work-around immediately, since I am working to meet currently draft standards that do not yet have an announced implementation date. But the sooner I can chart a course of action, the better. That is, I could migrate my scripts from Net::SFTP to Net::SFTP::Foreign if I knew for sure that the passphrase issue would be resolved in a month or two. I could also begin the migration if I knew that passwords could always be used instead of passphrases.

How certain is it that a passphrase work-around can be created? If created, how long would it take, in light of your many existing obligations?

Do you believe this Tectia passphrase issue also applies to passwords? I can test that today.

Is passing the passphrase to stderr instead of /dev/tty an issue that Tectia might consider for its own prompt attention?

I appreciate the time you have spent helping analyze this issue and your willingness to implement a work-around, time constraints permitting.

Russ

Note: I am not affiliated with Tectia in any way. I have simply been asked to evaluate its use in FIPS compliant mode relative to a planned migration from Net::SFTP to Net::SFTP::Foreign.

On Thu, Oct 28, 2010 at 7:14 AM, Salvador Fandino <sfa...@ya...> wrote:
>
> ----- Original Message ----
>> From: Russ Brewer <us...@gm...>
>> To: Salvador Fandino <sfa...@ya...>
>> Sent: Thu, October 28, 2010 12:24:36 AM
>> Subject: Re: [Ssh-sftp-perl-users] Need help using passphrase with key pairs in Net::SFTP::Foreign
>>
>> Salva,
>>
>> The attached output was generated with command:
>>
>> truss -f -o truss.out ./test_basic_passphrase.pl
>
> Hi,
>
> That confirms my suspicion: the tectia client is not sending the passphrase
> prompt to /dev/tty but to stderr and the module does not see it.
>
> Working around that from inside the module is not going to be easy and I don't
> have the time to solve it right now or for the next days.
>
> So, we are back at logging in from the outside and using the "transport" feature to
> pass back the initialized connection to the module... but before exploring that
> way I see you are in a Solaris box and the native SSH client works flawlessly with
> Net::SFTP::Foreign, do you have any reason to not use that client instead?
>
> - Salva