Scalability question

#7802
Posted: 10/03/2008 12:28:32
by Vladimir Giszpenc (Basic support level)
Joined: 09/18/2008
Posts: 9

Quote

Please try to set TElCommandSSHTunnel.RequestTerminal property to false

That fixed it.

Quote

1) Open the 'su' command channel,
2) OnData fires returning the 'Password:' line,
3) Request a password from user and send it to the logical connection using its SendData/SendText method.

FYI
For some reason the Password prompt comes through OnExtendedData.
SendText is not implemented in C#.

SendData does not seem to flush on the server side unless I send a \r\n but when I do, it tells me that the password is incorrect.

Is there a way to send the password and then some way to send a flush signal?

Thanks,

Vlad
#7803
Posted: 10/03/2008 12:36:35
by Ken Ivanov (EldoS Corp.)

I assume that such behaviour is correct -- as 'su' expects the password to be terminated by the end-of-line character when it reads it from the keyboard. I suggest you play with EOL characters -- try to pass \r, \n and \n\r combinations and check if one of them works.
#7804
Posted: 10/03/2008 13:01:47
by Vladimir Giszpenc (Basic support level)
Joined: 09/18/2008
Posts: 9

Quote

try to pass \r, \n and \n\r combinations and check if one of them works.

None of those works.
#7805
Posted: 10/04/2008 01:31:59
by Ken Ivanov (EldoS Corp.)

I've just tried to do the same with our test Linux environment (Red Hat Linux) and came to the following results:
a) Our Linux understands CR-LF (0x0D 0x0A) as EOL sequence.
b) Once the password is provided, the command channel is NOT closed and continues to operate in interactive mode, i.e. we can send additional commands to it using the SendData() method. I suppose that su simply opens a shell with the needed rights and redirects its input and output to the SSH channel.
c) The method works only if RequestTerminal property is set to true.

Of course, the results we achieved might be specific to our versions of Linux/OpenSSH. However, they prove that such an approach can be used. Please try to play with different settings (such as RequestTerminal, EOL sequences, server settings) -- it is likely that some configuration will make things work.
#7806
Posted: 10/06/2008 14:23:46
by Vladimir Giszpenc (Basic support level)
Joined: 09/18/2008
Posts: 9

I don't mind adding it myself, but what is the use of SendData() without the trailing CRLF? Not all SSH servers wait on this?

Quote

The method works only if RequestTerminal property is set to true.


Thank you so much for that, it worked great. At this point since I need to maintain elevated state, I need to continue to use the tunnelConnection with the elevated privileges. If I do that, I am not able to send commands by adding them to the instance of TElCommandSSHTunnel and doing open().

In fact, I am getting a prompt. It looks suspiciously like TElShellSSHTunnel (and your fine sample). The one thing I can do is implement expect-type functionality. It would fit nicely in your tool suite. It is a shame you guys have not written it. Even the free SharpSSH has it!

Btw, it is fall and you were supposed to revisit the decision over getting FIPS 140-2. I realize it is expensive.

Could you use someone else's library to do the cryptography and share the cost? For example, Mono has most if not all you need and is backed by Novell.

Still interested,

Vlad
#7809
Posted: 10/07/2008 00:23:46
by Ken Ivanov (EldoS Corp.)

Quote
I don't mind adding it myself, but what is the use of SendData() without the trailing CRLF? Not all SSH servers wait on this?

SSH is a multifunctional secure transport protocol. In the general case it does not restrict in any way the type of data being tunneled through a secure channel. EOL sequences are specific to shells or other ASCII command- or terminal-based protocols. However, if the data tunneled are raw TCP data, there is no sense in adding EOLs to each chunk being sent.

Quote
I am not able to send commands by adding them to the instance of TElCommandSSHTunnel and doing open().

Yes, the elevated rights are valid only for the connection you've run 'su' on. All other tunnels are opened with the rights of the account that was used to log on using SSH authentication.

Quote
The one thing I can do is implement expect type functionality. It would fit nicely in your tool suite.

SecureBlackbox is a comprehensive Internet security library, not a general-purpose remote access tool. We specialize in security and data protection, and we leave all related tasks to the professionals in the corresponding areas. Sorry.

Quote
Could you use someone else's library to do the cryptography and share the cost?

We are working on improving our underlying cryptographic providers. Once this part of work is done, one will be able to use CryptoAPI and PKCS#11 cryptographic functionality. However, we cannot say when this will be available at the moment.
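The thread's findings (prompt arriving on the extended-data stream, input only acted on once an EOL is sent, channel staying interactive afterwards) are exactly what an expect-style loop has to cope with. The following is an added example, not SecureBlackbox code and not from either poster: the `FakeSuChannel` class is a constructed stand-in for a command channel running `su` (its `recv` plays the role of the OnData/OnExtendedData events, its `send` of SendData), and `expect`/`elevate_with_su` are hypothetical names. It shows why buffering across chunks and merging both streams matters, and why a password sent without an EOL leaves the peer waiting rather than producing an error.

```python
import re
from collections import deque


class FakeSuChannel:
    """Constructed stand-in for an SSH command channel running 'su'.

    Mimics the behaviour described in the thread: the password prompt is
    delivered on the extended-data (stderr) stream, split across two chunks,
    and input is only processed once an end-of-line arrives, as a tty in
    canonical mode would do. No real SSH or network is involved.
    """

    def __init__(self, password: str):
        self._password = password.encode()
        # constructed event queue: 'out' stands for OnData, 'ext' for OnExtendedData
        self._pending = deque([("ext", b"Pass"), ("ext", b"word: ")])
        self._line = b""
        self.elevated = False

    def recv(self):
        """Return (stream, bytes) for the next chunk, or None when idle."""
        return self._pending.popleft() if self._pending else None

    def send(self, data: bytes) -> None:
        """Accept keyboard-style input; a line is only acted on at '\\n'."""
        self._line += data
        while b"\n" in self._line:
            line, _, self._line = self._line.partition(b"\n")
            line = line.rstrip(b"\r")  # icrnl: both CR LF and LF end a line
            if line == self._password:
                self.elevated = True
                self._pending.append(("out", b"# "))  # root shell prompt
            else:
                self._pending.append(("ext", b"su: incorrect password\n"))


def expect(channel, pattern: bytes, max_polls: int = 50):
    """Accumulate both streams into one buffer until `pattern` matches.

    Buffering across chunks lets a prompt split as 'Pass' + 'word: ' still
    match; merging the streams catches a prompt that arrives on stderr.
    Returns (buffer, stream_of_matching_chunk). Raises TimeoutError if the
    channel goes idle first, e.g. because the peer is still waiting for EOL.
    """
    buf = b""
    for _ in range(max_polls):
        event = channel.recv()
        if event is None:
            raise TimeoutError("channel idle before pattern matched: %r" % buf)
        stream, chunk = event
        buf += chunk
        if re.search(pattern, buf):
            return buf, stream
    raise TimeoutError("poll limit reached")


def elevate_with_su(channel, password: str, eol: bytes = b"\r\n") -> bool:
    """Drive 'su': wait for the prompt, answer it with EOL, check the result.

    Returns True when a root shell prompt came back, False on a rejected
    password. The password itself is never written to any log or buffer dump.
    """
    expect(channel, rb"[Pp]assword:\s*$")
    channel.send(password.encode() + eol)  # the EOL is what makes su read the line
    reply, _ = expect(channel, rb"(# $)|(incorrect password)")
    return reply.endswith(b"# ")


if __name__ == "__main__":
    ch = FakeSuChannel("s3cret")  # constructed credential for the stub only
    print("elevated:", elevate_with_su(ch, "s3cret"))
```

The `eol` parameter is the knob the thread is about: with `b"\r\n"` (or `b"\n"`) the stub answers, with `b""` it stays silent and `expect` times out, which is the "does not seem to flush" symptom from the original post rather than a rejected password.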
#7814
Posted: 10/07/2008 08:15:06
by Vladimir Giszpenc (Basic support level)
Joined: 09/18/2008
Posts: 9


I like your product. I just thought you might be interested in other automation tools. If you are not, that is OK with me.

Quote

one will be able to use CryptoAPI

That lives on Windows only. If you work with NSS (http://www.mozilla.org/projects/security/pki/nss/), you will have true cross platform functionality along with FIPS compliance. You could model your efforts on JSS which is a Java binding to NSS.

Thanks,

Vlad
#7816
Posted: 10/07/2008 08:51:32
by Eugene Mayevski (EldoS Corp.)

Quote
Vladimir Giszpenc wrote:
Could you use someone else's library to do the cryptography and share the cost?


If you need FIPS compliancy, you can create your own cryptoprovider, which will call any cryptographic library that you need, and use this cryptoprovider.


Sincerely yours
Eugene Mayevski
