
Qt-interest Archive, April 2008
ssh password


Message 1 in thread

Hi,

I'm starting with Qt and trying to log on ssh via QProcess, but all I've
found on lists and google is that ssh doesn't read the password from stdin,
and the only way is using the private key mechanisms (which really works).

Just to be sure, since the archives I found were a bit old, not mentioning Qt
4.3, is there a way to pass the password or I'll need to use something like
expect C++ lib?

Thanks in advance,

Fabio

Message 2 in thread

Thanks a lot Ivan, I'll try this :)

Now, to be more specific, what I'm really trying to do as a first step is an
application that logs on a system via ssh to use the OpenBSD's authpf
features (http://cvs.openbsd.org/faq/pf/authpf.html).

It works as an automatic firewall rule updater, when the user logs via ssh
the system updates the user's rules, with username and IP address, when the
user closes the connection, the rules get removed.

Since most of the clients use Windows, an ideal solution would rely just on
Qt to be portable among Unix and Windows.

Is there a way to derive from QTcpSocket or some another approach to get a
full portable application?

A second step (just wondering), would be an application that sends commands
(via ssh) and reads back the command output to interpret and provide some
statistics on a graphical window and if the user wants to open an ssh session
on the server, open a terminal on Unix and an ssh client like Putty on
Windows.

Any directions?
Fabio

On Wed, Apr 9, 2008 at 6:07 AM, Ivan Korobov <ikorobov@xxxxxxxxxxxxx> wrote:

> Hi Fabio,
>
> You could try to use the SSH_ASKPASS environment variable to pass your
> password to the ssh process.
>
> The idea is as follows:
>
> 1. Before launching ssh via QProcess, create a temporary script file
> that prints the password to stdout, e.g. something like:
>
>   #!/bin/sh
>   echo "<your password>"
>
> 2. Put the path of this temporary file into the SSH_ASKPASS environment
> variable:
>
>   QProcess process;
>   QStringList env = QProcess::systemEnvironment();
>   // Each environment entry must be a single "NAME=value" string.
>   env << QString("SSH_ASKPASS=") + "<path to the temporary script file>";
>   process.setEnvironment(env);
>
> 3. Launch ssh via the QProcess created above.
>
> When the ssh client reaches the point of asking for a password, it executes
> the script found in the SSH_ASKPASS environment variable and gets the
> password.
>
> Hope this helps.
>
> Best regards,
>
> Ivan.
>

Message 3 in thread

Fabio Almeida wrote:
> It works as an automatic firewall rule updater, when the user logs via
> ssh the system updates the user's rules, with username and IP address,
> when the user closes the connection, the rules get removed.

I'm no security expert, but do you really think it's a good idea to
allow ssh access to a firewall using a password stored in a file?  At
the very least, you should be sure to delete the script that echoes the
password immediately after starting the ssh process.  However, if I were
you, I'd find a more secure method, given the value of the prize is
control of the firewall, especially if the relevant accounts can alter
rules or automatically get packets passed if they connect.

Cheers,
Darrik



-- 
 [ signature omitted ] 
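
The caution above matters even more with authpf, where the ssh session stays open for as long as the user needs the rules. As an added example (not code from the thread), this shell sketch of the SSH_ASKPASS approach keeps the password in an owner-only temporary directory and has the helper delete it on first read; `with_askpass`, the file names and the host in the usage comment are assumptions, and a Qt application would perform the same steps before starting ssh through QProcess.

```shell
#!/bin/sh
# Added example, not from the thread. with_askpass is a name chosen here.
# Usage: with_askpass PASSWORD COMMAND [ARGS...]
# e.g.   with_askpass "$pw" setsid ssh user@firewall.example   (placeholder host)
#
# ssh consults SSH_ASKPASS only when DISPLAY is set and it has no controlling
# terminal, which is why the real call is wrapped in setsid.
with_askpass() (
    pw=$1; shift
    umask 077                      # secret and helper are owner-only from creation
    dir=$(mktemp -d "${TMPDIR:-/tmp}/askpass.XXXXXX") || exit 1
    trap 'rm -rf "$dir"' EXIT      # remove leftovers whenever this subshell ends
    trap 'exit 130' INT; trap 'exit 143' TERM; trap 'exit 129' HUP

    # The password lives in its own file, so it is never parsed as shell code.
    printf '%s\n' "$pw" > "$dir/secret"

    # One-shot helper: print the secret, then delete the secret and itself,
    # so nothing stays on disk while the long-lived session is open.
    cat > "$dir/helper" <<'EOF'
#!/bin/sh
d=${0%/*}
cat "$d/secret" && rm -f "$d/secret" "$0"
EOF
    chmod 700 "$dir/helper"

    # DISPLAY only has to be set; its value is not used by the helper.
    env SSH_ASKPASS="$dir/helper" DISPLAY="${DISPLAY:-:0}" "$@"
)
```

Because the helper removes itself after the first read, a wrong password fails the login instead of being retried at the next prompt.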

Message 4 in thread

Yes Darrik, you are right, that's why I'm searching for a way to ask the
user's password on a LineEdit and pass to the function without need to use
hardcode or the file method, etc.

The point is that I just need to open an ssh connection to the OpenBSD
firewall to get the user properly connected. I think if I can make this
work, the other thing, an application that uses ssh to execute and read
output from commands will be a matter of implementing the proper functionality
without need to worry again with the authentication scheme.

The automatic firewall rule updater is already implemented on
OpenBSD's Authpf, if you use Putty to open an ssh connection it works, I
just want to make a little app so that the users can have a nice little
window to log on the firewall system.

Portability is important as well.

Thanks for the reply.
Fabio


Message 5 in thread

Hi Fabio,

On Wednesday 09 April 2008 20:26:40 Fabio Almeida wrote:
> Yes Darrik, you are right, that's why I'm searching for a way to ask the
> user's password on a LineEdit and pass to the function without need to use
> hardcode or the file method, etc.

Why use passwords at all? You could switch to using public key authentication
instead. If someone has a relevant private key they are allowed in, if they
don't then they are not. The firewall administrator controls whose public
keys are granted access by means of the ~/.ssh/authorized_keys file on the
firewall.

Take a look at ssh-keygen on unix systems for how to generate the key pairs. I 
can't recall how to do this in putty right now but I'm sure the help system 
will tell you.

Kind regards,

Sean

--
 [ signature omitted ] 

Message 6 in thread

On Wednesday 09 April 2008 21:07:15 Sean Harmer wrote:
> Hi Fabio,
>
> On Wednesday 09 April 2008 20:26:40 Fabio Almeida wrote:
> > Yes Darrik, you are right, that's why I'm searching for a way to ask the
> > user's password on a LineEdit and pass to the function without need to use
> > hardcode or the file method, etc.
>
> Why use passwords at all? You could switch to using public key
> authentication instead. 

I should also ask why you need users to have shell access to the firewall in 
the first place? Normally firewalls should be tied down to allow access to 
the minimum number of admins possible to reduce the risk of local exploits 
allowing root access to the system. What is it you are trying to achieve with 
your program?

Sean

--
 [ signature omitted ] 

Message 7 in thread

Hi Sean,

I want to use OpenBSD's Authpf system, it works like this:

The Firewall's users' shell is not a common shell (/bin/sh, /bin/csh)
it's /usr/sbin/authpf, so when the user opens an ssh connection, the
authpf manages his rules, stored on a file in the directory
/etc/authpf/users/<username>, the authpf shell provides no interaction
with the system besides inserting the user's appropriate rules, if the
file <username> is not present it tries to use a default generic rule
file.

When the user closes his connection, the Authpf system automatically
removes his rules from the Firewall.

Full documentation about Authpf can be found here:
http://cvs.openbsd.org/faq/pf/authpf.html

So the little program only needs to open an ssh connection, after this
I want to make another tool, something like a console for servers
management, I just want to use the secure ssh channel for issuing
commands and generate reports from the outputs (uptime, df, netstat),
etc.
Something like a side bar with server names, when the user selects a
server, the tool connects to the server via ssh, interprets and shows
some brief statistics, if the admin wants to connect via ssh he clicks
a button and has an ssh session with Putty (if Windows) or a
Konsole, Gnome Terminal, Xterm, etc on Unix Systems. (one connection
for automatic system diagnostics and another for manual admin
intervention).

That's all, for now it's just some ideas :)




--
 [ signature omitted ] 

Message 8 in thread

Hi,

On Wednesday 09 April 2008 21:54:35 Fabio Almeida wrote:
> Hi Sean,
>
> I want to use OpenBSD's Authpf system, it works like this:
<snip>

OK I see. Since you are using ssh as the authentication mechanism you can
still use the public key auth method which negates the need to have the
password stored anywhere on the client machine. Instead, only the private key
is required and this can be further protected with a pass-phrase, proper file
permissions etc. Ssh-agent can ease the use of such pass-phrases.

Hope this helps,

Sean

--
 [ signature omitted ] 

Message 9 in thread

Try this: http://sourceforge.net/projects/libssh2/



--
 [ signature omitted ]