I’m rather ignorant of SSL and ssh… but I’m wishing
for a “compatibility” layer of some kind so that I
could use the old telnet and ftp interfaces (which I
know) but do it securely.
In other words, something like:
require 'ssh-compat'
SSH::Compat.setup(*whatever) do
  # ...whatever...
end
Now just use Net::FTP and Net::Telnet
"just as if" they were the originals
Blah blah blah...
all legacy code remains unchanged
SSH::Compat.quit   # I don't mind some "teardown"
                   # if it's needed
Is this practical/reasonable?
Or is it Just As Easy to use the real secure ftp
and ssh stuff?
I have no experience on this either way. But it seems like you could
implement this using SSH to establish a tunnel into a remote machine
then go local to telnet/ftp assuming they were running on the box.
The implementation you’re hinting at would lend itself really well to
ssh tunneling, I think. But I’m sure other people have much more
enlightened ideas.
I’ve done exactly what you’re talking about in C before but not in Ruby.
You establish an SSH tunnel, then run your operations through it (for
FTP stick to passive mode), and then tear it down. It’s rather hairy,
you have to deal with authenticating to the remote host (probably a
password-less local identity file, which suddenly makes your machine
security-sensitive) or some trick with ssh-agent. And you also have to
deal with all the edge conditions involved in having a tunnel going as a
child process. (Like diddling your signal mask, making sure your code
doesn’t crash and leave the tunnel up, setting up an external watchdog
to ensure same, etc.)
If your requirement is encrypted ftp, you’re probably better off using
scp and sftp, they work fine. Otherwise, I’d do the ssh tunnelling in an
outboard process built for the task, not inline as you have it.
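The following is an added example written for this thread, not code from any of the posters: a small stand-in for the SSH::Compat.setup ... end layer sketched in the question. It drives the OpenSSH client as a child process with a local port forward (ssh -N -L), waits until the forwarded port actually accepts connections, and kills the child in an ensure clause so a crash in the block cannot leave the tunnel up, which is the edge condition the reply above warns about. The module and method names, the Forward struct, and the user/host values (hal, example.invalid) are my own placeholders; the only real external dependency is an ssh binary on PATH, and the ssh: keyword exists so the teardown logic can be exercised with a stand-in command.

```ruby
require "socket"

# Added example (not from the thread): a minimal stand-in for the
# "SSH::Compat.setup ... end" layer Hal sketches. It runs the OpenSSH client
# as a child process with a local port forward and guarantees teardown.
module SSHCompat
  # One forward: connections to 127.0.0.1:local_port on this machine come out
  # at remote_host:remote_port as seen from the ssh server.
  Forward = Struct.new(:local_port, :remote_host, :remote_port)

  # Build the ssh argv for the given forwards (nothing is executed here).
  # -N: no remote command. BatchMode=yes: never prompt, fail instead of hanging.
  # ExitOnForwardFailure=yes: exit if a forward cannot be bound, so the child
  # dies visibly instead of appearing to work. user/host are placeholders.
  def self.ssh_argv(user, host, forwards, ssh: "ssh")
    argv = [ssh, "-N", "-o", "BatchMode=yes", "-o", "ExitOnForwardFailure=yes"]
    forwards.each do |f|
      argv += ["-L", "127.0.0.1:#{f.local_port}:#{f.remote_host}:#{f.remote_port}"]
    end
    argv << "#{user}@#{host}"
  end

  # Poll until 127.0.0.1:port accepts a connection. Also notice if the child
  # exits before the port comes up (rejected key, refused forward) rather than
  # sitting on the timeout.
  def self.wait_for_port(pid, port, timeout: 10)
    deadline = Process.clock_gettime(Process::CLOCK_MONOTONIC) + timeout
    loop do
      if Process.waitpid(pid, Process::WNOHANG)
        raise "tunnel process #{pid} exited before port #{port} was ready"
      end
      begin
        TCPSocket.new("127.0.0.1", port).close
        return true
      rescue Errno::ECONNREFUSED
        now = Process.clock_gettime(Process::CLOCK_MONOTONIC)
        raise "port #{port} not ready after #{timeout}s" if now > deadline
        sleep 0.1
      end
    end
  end

  # Spawn argv, wait for ready_port, yield the child pid, and always tear the
  # child down afterwards, whether the block returns normally or raises.
  def self.setup(argv, ready_port:)
    pid = Process.spawn(*argv, [:out, :err] => File::NULL)
    begin
      wait_for_port(pid, ready_port)
      yield pid
    ensure
      quit(pid)
    end
  end

  # Explicit teardown, mirroring the SSH::Compat.quit of the sketch.
  def self.quit(pid)
    Process.kill("TERM", pid)
    Process.wait(pid)
  rescue Errno::ESRCH, Errno::ECHILD
    nil # already gone (e.g. reaped by wait_for_port)
  end
end
```

Inside the block, a single-connection protocol such as Telnet is simply pointed at 127.0.0.1 and the local port. FTP is the awkward case the reply above alludes to: its data transfers are separate TCP connections to whatever port the server announces in its PASV reply, and a single -L forward carries none of those, so passive-mode FTP needs the data-port range forwarded as well. That extra plumbing is a large part of why the thread keeps steering toward sftp/scp instead.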
Hmm, I am afraid there is no ideal solution for your problem.
Did you hear of Net::SSH yet? Seems nice but I did not try it or hear
about it yet. http://net-ssh.rubyforge.org/
Anyway the online documentation is very good and should not give you too
many problems.
I think it is time to start forgetting about ftp and telnet.
The most problematic issue is of course the caveats of passphrase-less keys
or ssh-agent security problems.
As far as I know there is no way around it.
However using ssh/sftp with a key without passphrase is still a bunch better
than using telnet/ftp.
It all depends on your exact application context. Maybe you can set up a user
without a login shell to use your passphrase-less key.
Take care that it is not readable for any other user.
I know it is not exactly what you asked for but as you got no answer yet, I
thought this might be helpful.
Cheers
Robert
–
Two things are infinite: the universe and human stupidity; as for the
universe, I have not yet acquired absolute certainty.
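An added example, not from Robert's post or any project in the thread, covering the file-permission half of "take care that it is not readable for any other user". OpenSSH itself refuses to use a private key that is group- or world-accessible; this reproduces that check for the key file and its directory so an unattended job using a passphrase-less key fails early with a clear message instead of at connect time. The module and method names (KeyHygiene, key_file_problems, harden!) are mine, and the key file used in the test is a constructed dummy, not a real key.

```ruby
require "tmpdir"

# Added example (not from the thread): permission checks for a private key
# that will be used without a passphrase, modelled on what ssh enforces.
module KeyHygiene
  # Permission bits that nobody but the owner should have on a private key.
  GROUP_OTHER = 0o077

  # Return a list of human-readable problems; an empty list means the key is
  # owned by us, owner-only, and sits in a directory others cannot write to.
  def self.key_file_problems(path)
    return ["#{path}: does not exist"] unless File.exist?(path)
    problems = []
    st = File.stat(path)
    if st.uid != Process.euid
      problems << "#{path}: owned by uid #{st.uid}, not uid #{Process.euid}"
    end
    if (st.mode & GROUP_OTHER) != 0
      problems << ("#{path}: mode %04o allows group/other access" % (st.mode & 0o7777))
    end
    dir = File.dirname(path)
    dst = File.stat(dir)
    if (dst.mode & 0o022) != 0
      problems << ("#{dir}: mode %04o is group/world writable" % (dst.mode & 0o7777))
    end
    problems
  end

  # Tighten to owner-only (0600 for the key, 0700 for its directory, the same
  # modes ssh-keygen uses for a fresh key) and return whatever is still wrong.
  def self.harden!(path)
    File.chmod(0o600, path)
    File.chmod(0o700, File.dirname(path))
    key_file_problems(path)
  end
end
```

The ownership check matters as much as the mode bits: a key readable only by its owner is no protection if the owner is not the account the job runs as. The login-shell half of Robert's advice (a dedicated account with no interactive shell) is an sshd-side configuration and is not covered here.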
Why bother? ssh, sftp, scp are no harder to use than telnet, ftp. What
OS are you using? For GNU/Linux + other Unix you can use gftp as a gui
client to handle sftp and scp.
Any clearer?
Thanks, Hal. I just asked by way of thinking about if there is an easy way
to solve this without reinventing any wheels. This may sound strange, but
why not use tacked-up SSH tunnels? I’ve used that approach before, even on
WAN links, and it’s workable if you write a little watchdog off a cron job
that makes sure the tunnel stays up.
You still haven’t given a clear statement of the exact problem you’re
trying to solve.
Probably not. That’s because there are probably multiple problems
I have in mind.
Basically I want to talk securely to a machine that knows ssh
while spending as little time as possible porting my old code that
uses ftp and telnet libs. (And spending as few neurons in the process
as I can.)
If you want more concrete examples: I have a habit of keeping multiple
copies of certain files on different servers. I have a tool that is
smart enough to sync them as needed each time I edit (no matter which
one I edited last). It works when the machines’ clocks are off, and
even when they are in different timezones.
Another app I have is to do some remote config on a server – run
a command line app on the client, and it manipulates the server via
telnet and ftp.
But it’s not secure. And my host now is getting hard to access via
ftp, and impossible via telnet.
I converted all the Ruby Q. software from FTP to SFTP about six
months ago. It’s really very close to the same thing. I couldn’t
have spent more than two hours with the learning time and converting
all three of my worker scripts. Here’s the general pattern:
require "net/sftp"
Net::SFTP.start("url", "username", "password") do |server|
  begin
    server.put_file("local_path", "server_path")
  rescue => e  # message cut off here; rescue/end added only to close the block
    warn "upload failed: #{e.message}"
  end
end
Hmm, I do have my keys set correctly with that server, but I wouldn’t
think you need it with the password. The key is just a tool for
skipping password validation, right?
Sorry if I might post in the wrong spot, because I wanted to talk about
ssh setup in general.
Hal if you have the luxury to be in a DMZ (and you might be as you wanted to
use insecure tools) you can definitely afford to set up keys without
passphrases and then ssh behaves as rsh and sftp (almost) like ftp. (use
Edward’s tools anyway)
You could also automate tunnelling, although really we work a lot with
tunnels, passing half pipe openVPN without SSL through them
I am talking Linux and open-ssh of course
Works like a charm
Amazingly powerful and stable
Not very easy to understand at first (needed two or three tutorials to get
it)
A pain to tear down. (a security issue)
Ok this is getting long, I guess one has to get into ssh a little bit to
really evaluate all possible use cases.
Feel free to ask for help on ssh off list I will be glad to reply.
I should give some links to great ssh tutorials here I know, I’ll try to
find the time to send them offlist.
Cheers
Robert
–
Two things are infinite: the universe and human stupidity; as for the
universe, I have not yet acquired absolute certainty.
Albert Einstein