(OT) secure web updates from Windows

Brian K. White brian at aljex.com
Wed Mar 30 15:45:32 PST 2005


----- Original Message ----- 
From: "Bill Campbell" <bill at celestial.com>
To: <filepro-list at lists.celestial.com>
Sent: Wednesday, March 30, 2005 5:21 PM
Subject: (OT) secure web updates from Windows


>I have somebody who wants to be able to update a web site which I
> have under a /home/$user/public_html directory to allow updating
> with normal shell tools.  The only secure methods I know to allow
> 'Net access to this are sftp and ssh or perhaps webdav via an SSL
> (https) connection.
>
> We do not allow password authentication using ssh since I've had
> problems with dictionary attacks on bad user passwords permitting
> ssh access to users' directories where an IRC ``bot'' is run.
>
> I've played a bit with puttygen to generate public/private key
> pairs, but haven't found the magic incantations that openssh-3.9p1
> likes using putty (and I don't know that putty handles file
> uploads in any case).
>
> Any suggestions from folks who have to put up with Windows?

I use puttygen to generate keys that work with openssh on sco/linux/freebsd
and used psftp in batch files to upload/download files using the key.

What is the specific question?
The only "trick" is that you have to use cut & paste to get the public key 
that openssh likes.
It's not obvious, but the window that displays the generated key is one 
long, wrapped, line.
You start highlighting at the absolute top-left, pull the mouse down right 
outside the window and let the window scroll upwards until it stops and the 
absolute bottom-right is highlighted.
Then paste that into a text editor and save the file as 
something-meaningful.pub that matches the *.ppk that puttygen will create 
when you tell it to save the private key to a file.
I often do it by logging in via ssh with a password, get authorized_keys up 
in mcedit or vi, get on a new line and paste right into the ssh session.

The only grief is that psftp does not have any sort of globbing so all 
operations must use explicit filenames.
pscp can do some globbing (or maybe it's just that it can do whole 
directories) but I think pscp is protocol 1 only.

I wrote up directions for users to get putty, run puttygen, and install the 
key on the server, all with windows batch and psftp only (no shell access at 
all even via ssh) that I could post. But I am allowing password 
authentication. That's how they get themselves onto the box the first time 
to create the .ssh directory and the authorized_keys file. Once that is done 
the keys work and password is no longer needed, but it allows them to 
replace their keys as often as they want and allows them to use FileZilla to 
access their directory. FileZilla provides the convenience that psftp lacks 
as far as globbing and manipulating whole directories and trees, not to 
mention a nice graphical two-panel explorer type interface. I don't know how 
a user could get set up otherwise, unless you collected and installed keys 
for them at least the first time. If they are very careful it'd be possible 
to replace their own key once they can get in, but every time they try it 
they risk locking themselves out. If you were going to install keys for 
them, you'd probably want to make them read-only owned by root or some other 
non-user so that the user can't lock themselves out. Actually, I guess you'd 
want to generate the keys yourself and give the private one to the user 
(*.ppk) rather than require them to generate them and give you the public 
one. You may want to supply directions for using putty to create a saved 
session that has the key's filename in it and then use psftp with the command 
line option to use that saved session. I think everything can be done with 
just (more) command line options also.

Brian K. White  --  brian at aljex.com  --  http://www.aljex.com/bkw/
+++++[>+++[>+++++>+++++++<<-]<-]>>+.>.+++++.+++++++.-.[>+<---]>++.
filePro BBx  Linux SCO  Prosper/FACTS AutoCAD  #callahans Satriani
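
The reply above notes that the public key puttygen displays is one long wrapped line and has to land in authorized_keys as a single line. As an added example (not part of the original post), this Python check flags entries that were pasted with a hard line break or truncated. It assumes entries carry no leading options field, and the sample key is constructed filler bytes, not a real key.

```python
import base64
import struct

def read_string(buf, off):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    if off + 4 + n > len(buf):
        raise ValueError("truncated field")
    return buf[off + 4:off + 4 + n], off + 4 + n

def check_line(line):
    """Return None for a well-formed entry, otherwise a short reason."""
    fields = line.split()
    if len(fields) < 2:
        return "too few fields (fragment of a wrapped key?)"
    try:
        blob = base64.b64decode(fields[1], validate=True)
        name, off = read_string(blob, 0)
        while off < len(blob):          # every remaining field must be complete
            _, off = read_string(blob, off)
    except ValueError as exc:           # binascii.Error is a ValueError subclass
        return f"bad key blob: {exc}"
    if name.decode("ascii", "replace") != fields[0]:
        return "declared key type does not match the blob"
    return None

def audit(text):
    """Return [(line_number, reason)] for every bad entry in authorized_keys text."""
    problems = []
    for num, line in enumerate(text.splitlines(), 1):
        if line.strip() and not line.lstrip().startswith("#"):
            reason = check_line(line)
            if reason:
                problems.append((num, reason))
    return problems

def make_blob(*parts):
    return b"".join(struct.pack(">I", len(p)) + p for p in parts)

# Constructed sample: structurally valid ssh-rsa blob of filler bytes, not a real key.
BLOB = base64.b64encode(
    make_blob(b"ssh-rsa", b"\x01\x00\x01", b"\x00" + bytes(range(1, 129)))).decode()
GOOD = f"ssh-rsa {BLOB} rsa-key-20050330"
WRAPPED = GOOD[:64] + "\n" + GOOD[64:]   # same key pasted with a hard line break

if __name__ == "__main__":
    print(audit(GOOD))       # no problems
    print(audit(WRAPPED))    # both halves flagged
```

Run `audit()` over the contents of authorized_keys after a paste, before closing the session that was used to install the key.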


