Topic review

martin

Re: Subject closed.

Thanks!
stivostenberg

Subject closed.

Thanks again, Martin. Used the PayPal button here to submit a more tangible "Thank you".
martin

Re: WinSCP, Amazon EC2, and the AWS Toolkit.

stivostenberg wrote:

If, as you say, the thumbprint is the key to trust, then life is easier as I now assume all the servers I may talk to are valid, as I got the list from AWS itself.

That's not a correct assumption.
The key is there to protect you from a man-in-the-middle attack. So while you get the hostnames to connect to from AWS, as you connect over an untrusted network (the Internet), you cannot know if you actually connect to AWS.

See the link above and also https://winscp.net/eng/docs/ssh_verifying_the_host_key

Feel free to point your PayPal button to yourself!
stivostenberg

Re: WinSCP, Amazon EC2, and the AWS Toolkit.

Hi Martin;
The root access key is not available online after it is generated, though I understand you can generate a new one at any time. Still working out all the certificates and access types for AWS myself. You could also create an IAM user, which they encourage us to do, but we haven't.
https://docs.aws.amazon.com/IAM/latest/UserGuide/security-creds-programmatic-access.html

If, as you say, the thumbprint is the key to trust, then life is easier as I now assume all the servers I may talk to are valid, as I got the list from AWS itself. The SFTP code I grabbed from your site, and need to modify from command line to work with this multiserver version. Attached the code below, as well as the PayPal donate function I intend to use. Please send me the information to feed that function, and I will add it to the code. (Since WinSCP does a lot more of the work than my cheesy program.) My email is megastiv@stiv.com.

I have the private SSH key for our service, which I use to connect, but I guess I don't understand where that is getting passed to WinSCP. Guess I will have to just try it and see if it magically picks it up. Thanks again for your help!
stivostenberg

Re: WinSCP, Amazon EC2, and the AWS Toolkit.

Appears I was making things too complicated. I just tweaked the code to work with my UI, disabled the SSL thumbprint, and it worked!

Code uploaded to Github. Need to test on more servers, and work out error handling.
https://github.com/StivOstenberg/AWSTrycorderPrototype
stivostenberg

Re: Some more information.

Found a quote from Martin on StackOverflow from July 2014 that states:
Your code that uses scripting succeeds because you have the fingerprint cached. The .NET assembly never uses fingerprint cache.

This is bothersome as that means I either have to implement my own cache (eek!) or I have to enter the key for each system I connect to, every time. This makes my automation program somewhat unwieldy to use regularly via API. Any suggestions on how to get around this? I have 132 systems I may potentially access. I think I can work around it using the
Process winscp = new Process();

but it makes the program less elegant.

Has this limitation changed?

P.S. I am impressed with the level of support Martin provides for this program, even if I am here whining. Think I need to add a PayPal button for him in my program once I get this working.....
stivostenberg

Some more information.

Some confusion created by the caching of credentials on my system. The "EC2 Keypair" is the RSA key (-----BEGIN RSA PRIVATE KEY-----...). I am not sure it cares about the AWS Access Key ID and Secret Access Key. This is annoying because I am not sure how to get my program to recognize, by the data in the credentials file, the appropriate fingerprint to use. Usually I only have to enter said RSA key once and it is cached, but how do I pull that from the cache, or request it if not found, so I can feed it to WinSCP? (E.g. search cache; if not found, pop a dialog to let the user enter it.)
I suspect this is tied into Pageant and PuTTY somehow, but not sure. Certificates almost always confuse me.

So, to sum up, I need to figure out how to FIND the right SshHostKeyFingerprint to use if it is there, and enter it if not. Anybody know how this works? This may sadly be a Microsoft issue, not a WinSCP issue, but it relates to how they interoperate when using the API, and if we can solve this, I am sure it will prove useful to anybody using the API tools.
stivostenberg

WinSCP, Amazon EC2, and the AWS Toolkit.

When you load the AWS toolkit for Visual Studio, you get a set of APIs that help immensely in working with AWS. All your credentials are stored in a credential store (like the .aws/credentials file) which gives access to the Key ID and Access Key of the account through an API. When you connect to EC2 Instances, you see a list of the instances, and you can right click to open either an SSH (PuTTY) or SCP (WinSCP) session to that instance. That request (let's use SCP as an example) opens a window where I can either enter a password, or "Use EC2 keypair to log on" with an option to save credentials.

I have written a program that will iterate through all the Profiles you have loaded on your system, then iterate through all regions to build a list of all EC2 instances and information across your accounts in a single window. I added filters on tags so you can, for example, list all machines in said list with the tag "FTP Server".

Now that I have such a list of servers, I would like to say "I need a file copied to all the servers in the filtered list". The logon credentials are not the same per profile, so I intend to use the
Amazon.Runtime.AWSCredentials credential =
    new Amazon.Runtime.StoredProfileAWSCredentials(aprofile);

to pull the keypair information from my credential store.

My problem is that I cannot determine how Visual Studio is passing the arguments to WinSCP to allow authentication using the keypair. I found the SFTPCopy function which looks really nice, but it takes the SshHostKeyFingerprint as an argument and not a keypair.

The complete code for my project is at https://github.com/StivOstenberg/AWSTrycorderPrototype. It works great for viewing and filtering EC2 instances; now I am trying to get it to interact with them using WinSCP. How do we submit the keypair instead of a password? And do we explicitly have to pass the fingerprint, or will it find it in certmgr?
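The two questions that run through this thread (how the EC2 key pair gets to WinSCP, and how to avoid re-entering the SshHostKeyFingerprint for 132 hosts when the .NET assembly does not read WinSCP's own host key cache) can be answered together in one small routine. The following is an added example written for this thread; it is not code from the AWSTrycorderPrototype project or from WinSCP's documentation. It assumes the WinSCP .NET assembly (WinSCPnet.dll) is referenced and is a version whose Session.ScanFingerprint accepts an algorithm argument; the tab-separated cache file format and the confirmUnknownHost callback are the example's own inventions. The key pair goes in SshPrivateKeyPath (as a PuTTY .ppk file), the fingerprint goes in SshHostKeyFingerprint, and the program keeps its own per-host cache so a fingerprint only has to be confirmed once:

```csharp
// Added example, not part of the thread or the AWSTrycorderPrototype project.
// Assumes WinSCPnet.dll is referenced. The cache file format and the
// confirmUnknownHost callback are hypothetical choices made for this example.
using System;
using System.Collections.Generic;
using System.IO;
using WinSCP;

public static class TrustedSftp
{
    // Per-host fingerprint cache: one "hostname<TAB>fingerprint" line per host.
    // The .NET assembly never consults WinSCP's own cache, so the program keeps its own.
    public static Dictionary<string, string> LoadCache(string path)
    {
        var cache = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        if (!File.Exists(path)) return cache;
        foreach (var line in File.ReadAllLines(path))
        {
            var parts = line.Split('\t');
            if (parts.Length == 2) cache[parts[0]] = parts[1];
        }
        return cache;
    }

    public static void SaveCache(string path, Dictionary<string, string> cache)
    {
        var lines = new List<string>();
        foreach (var kv in cache) lines.Add(kv.Key + "\t" + kv.Value);
        File.WriteAllLines(path, lines);
    }

    // Copies localPath to remotePath on host, authenticating with the EC2 key pair
    // (converted to PuTTY .ppk format) rather than a password.
    // confirmUnknownHost(host, fingerprint) is called the first time a host is seen.
    // It should return true only after the operator has compared the scanned
    // fingerprint with one obtained out of band; otherwise the host is refused.
    public static void CopyFile(string host, string user, string ppkPath,
        string localPath, string remotePath, string cachePath,
        Func<string, string, bool> confirmUnknownHost)
    {
        var cache = LoadCache(cachePath);
        var options = new SessionOptions
        {
            Protocol = Protocol.Sftp,
            HostName = host,
            UserName = user,
            SshPrivateKeyPath = ppkPath,   // the EC2 key pair, in .ppk form
        };

        string fingerprint;
        if (!cache.TryGetValue(host, out fingerprint))
        {
            using (var probe = new Session())
            {
                // ScanFingerprint only reports the key the remote end presents.
                // On its own it proves nothing about who that remote end is,
                // which is why the operator must confirm it before it is trusted.
                fingerprint = probe.ScanFingerprint(options, "SHA-256");
            }
            if (!confirmUnknownHost(host, fingerprint))
                throw new InvalidOperationException(
                    "Host key for " + host + " was not confirmed; refusing to connect.");
            cache[host] = fingerprint;
            SaveCache(cachePath, cache);
        }

        // Pin the host key: Open() fails if the server presents a different key,
        // which is the man-in-the-middle check Martin describes above.
        options.SshHostKeyFingerprint = fingerprint;
        using (var session = new Session())
        {
            session.Open(options);
            TransferOperationResult result = session.PutFiles(localPath, remotePath);
            result.Check();   // throws on any failed transfer
        }
    }
}
```

In the multiserver loop the call is simply CopyFile(instance.PublicDnsName, "ec2-user", ppkPath, localFile, remoteDir, cacheFile, PromptOperator) per filtered instance, with PromptOperator being whatever dialog shows the host and fingerprint and asks for a yes/no. Disabling the fingerprint check, as the thread mentions doing, makes every later connection accept whatever key is presented; caching it after one confirmation keeps the check while only asking once per host.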