Monday, March 24, 2014

Check for a blank SSH key passphrase


I found out one of my co-workers was not using a passphrase to secure his SSH keys. This is very insecure way to do business. Many people leave passphrase blank because they do not know how to setup a SSH agent, or can't be bothered with setting up the SSH agent. If you don't know to set up a SSH agent refer to my How to setup SSH Keys post. I came up with a way to check all the accounts on the servers I manage. I wanted to know how many other people where not practicing good security. I have tested this script on Solaris 10, Red Hat Linux (RHEL 5) and SuSe (SLES 11.2).

What the script does.
The script mounts the share that all the users home directories auto-mount from.  This way the user needs not to be logged in for me to check there keys. I then copy all the names of the users home directories into a file. The script checks then checks for the word  ENCRYPTED in the id_rsa file. If the word ENCRYPTED is in the file then the passphrase is set. The temp files are then removed and the share unmounted.

This my script I came up with.
#!/bin/bash
# This script is for checking for a blank passphrase. Meaning no passphrase
to secure your SSH file.
# Script most be run as root.
# Example: sudo ./check-sshkeys

mount share:/vol/home /mnt
ls /mnt >/tmp/ls
for s in `cat /tmp/ls`
do echo -e "\e[1m User $s \033[0m "
if ls /mnt/$s/.ssh/id_rsa 2>/dev/null
        then grep ENCRYPTED /mnt/$s/.ssh/id_rsa || echo -e "No RSA
passphrase"
        else echo "RSA key not found"
fi
if ls /mnt/$s/.ssh/id_dsa 2>/dev/null
        then grep ENCRYPTED /mnt/$s/.ssh/id_dsa || echo -e "No DSA
passphrase"
        else echo "DSA key not found"
fi
done
rm /tmp/ls
umount /mnt

Draw backs
Now there are ways that a user can get around this, like putting the word ENCRYPTED in the right file. But most users will not do this, so this should still work for most users. The script above will need to be modified in order to check users who don't have their home directories auto-mounted.

I can't take all the credit for this, I had some help. Below I have posted the link to the forum were I  asked for help on this script.

Ref:
Is there a way to check a users SSH key to see if the passphrase is blank

Tuesday, March 18, 2014

Using SCP on Windows Command Prompt

In this post, I show how to move files between a Windows machine and a UNIX machine, using the command line. When I say a UNIX machine, I mean all UNIX based operating systems such as UNIX, Linux, FreeBSD and Mac OS. In this post I will be using the free PuTTY utility called PSCP.

As you know SSH is not supported in Windows, you will need to download a 3rd party program.
The People who make PuTTY, which gives SSH terminal emulation on Windows machines, has a program called PSCP. PSCP gives you the ability to use SCP or SFTP form the Windows command prompt.

You could use a GUI program that lets you SCP or SFTP the files. The issue with this approach is that an application with a GUI has limitations. If you use a command line tool, like PSCP, to move the files then you can also put it in a script. A script that can be used by the Windows Task manager or the UNIX crontab. PSCP is free and doesn't need to be installed.

Download pscp from  PuTTY download page.

After you download PSCP move it to your My  Documents folder. As the program doesn't need to be installed, It is ready to use as soon as you download it. All you need to do, to use PSCP is follow the examples below.

Run the command as shown below to move files from the Windows machine to a UNIX machine
Command Prompt
C:\> pscp.exe files man@earth:/path

Run the command as shown below to move files form a UNIX machine to a Windows machine.
Command Prompt
C:\> pscp.exe man@earth:/path/files  C:/path/

In the example above, man is the user name and earth is the name of the UNIX server. The user name can be left off if the user account in Windows have the same name as the user account on the UNIX server. I would highly recommend that you use the same user name on both systems.

Some options
If you want to force the use of ether SCP or SFTP add -scp or -sftp right after pscp.exe. If you want to use a SSH agent to manage you SSH Keys add the -agent option. I will go more into how to use SSH Key with PSCP in a future post.

Draw Back
In the method I shown here, you must start the SCP or SFTP session from the Windows machine. The Windows machine can't accept incoming requests, because there is no SSH sever running on the the Windows machine.

References
PuTTY documention