Articles related to real life scenarios involving java, frameworks and libraries configurations and salt-stack. The topics includes Core Java, Hibernate, Spring MySQL, Multithreading, Java NIO, jQuery, c3p0, Connection pooling, salt state, pillar, grain etc.

Monday, July 16, 2018

Setup SFTP tunnel through bastion/jump server with agent forwarding

11:22 PM, posted by Unknown


Someone has said "With security comes complexity". In some cases, operational or otherwise, while configuring a private network behind a bastion/jump server you need SFTP/SCP access to the private servers.
  • This assumes you already have SSH configured for jumping through the bastion; if not, follow the steps in (link)

Assumptions and Definition

We have 3 servers/machines to work with.
  • LocalMachine: your computer, running macOS or Ubuntu/Linux
  • Bastion: the bastion/jump server, publicly reachable on port 22 (SSH)
  • PriNetServer: a server running in the private network that is reachable only through the Bastion/jump server
Assumptions
  • You are able to connect to the Bastion server through SSH and have root access, or at least sudo access to restart sshd
  • The Bastion server is able to connect to PriNetServer through SSH using SSH agent forwarding.
Here are the steps to enable an SFTP ssh tunnel through the bastion/jump server.

SSH Configuration on the Bastion server

SSH Daemon config changes

  • Edit /etc/ssh/sshd_config
  • Make sure the following options are enabled:
    AllowTcpForwarding yes
    PermitTunnel yes
    AllowAgentForwarding yes
    PermitOpen any
  • If you want to enable tunneling only for a specific user, put the options in a Match block:
    Match User app
        AllowTcpForwarding yes
        ...
  • Restart ssh: service ssh restart
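A quick way to confirm the bastion's sshd_config actually carries the directives listed above is to check it with a script before restarting sshd. The following is an added example, not code from the original post: check_sshd_tunnel_config reads an sshd_config (or a fragment) and reports each directive that is absent or commented out, and it points out when PermitOpen is set to "any", since the only forward this tunnel needs the bastion's sshd to accept is the one to localhost:30022 that LocalMachine requests. The two sample configs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: check that an sshd_config carries
# the directives the post enables on the bastion, and point out when PermitOpen
# is "any". The two sample configs below are constructed for the demonstration.

# check_sshd_tunnel_config FILE
# Returns 0 when every directive the post lists is present as an active
# (uncommented) line with the expected value, 1 otherwise, naming what is
# missing. Matching ignores case and leading whitespace, as sshd does, so the
# lowercase output of "sshd -T" can be checked the same way.
check_sshd_tunnel_config() {
  file="$1"
  status=0
  for want in "AllowTcpForwarding yes" "PermitTunnel yes" "AllowAgentForwarding yes"; do
    key="${want% *}"
    val="${want#* }"
    if ! grep -Eiq "^[[:space:]]*${key}[[:space:]]+${val}[[:space:]]*$" "$file"; then
      echo "missing: $want"
      status=1
    fi
  done
  # PermitOpen must be set. "any" (the post's value) works, but it lets every
  # client pick any forward target; the tunnel only needs the bastion to
  # accept the forward to localhost:30022 that LocalMachine asks for.
  if ! grep -Eiq '^[[:space:]]*PermitOpen[[:space:]]+' "$file"; then
    echo "missing: PermitOpen"
    status=1
  elif grep -Eiq '^[[:space:]]*PermitOpen[[:space:]]+any[[:space:]]*$' "$file"; then
    echo "note: PermitOpen any is broader than the tunnel needs (PermitOpen localhost:30022 would do)"
  fi
  return "$status"
}

# Constructed sample 1: the post's settings, with a commented-out default left in.
GOOD=$(mktemp)
cat > "$GOOD" <<'EOF'
Port 22
#AllowTcpForwarding no
AllowTcpForwarding yes
PermitTunnel yes
AllowAgentForwarding yes
PermitOpen any
EOF

# Constructed sample 2: a bastion that still blocks the tunnel.
BAD=$(mktemp)
cat > "$BAD" <<'EOF'
Port 22
AllowTcpForwarding no
PermitOpen localhost:30022
EOF
trap 'rm -f "$GOOD" "$BAD"' EXIT

check_sshd_tunnel_config "$GOOD" && echo "sample 1: bastion config OK"
check_sshd_tunnel_config "$BAD" || echo "sample 2: bastion config needs changes"
```

On a real bastion, the effective values for the app user (Match blocks included) come from `sudo sshd -T -C user=app`; save that output to a file and run check_sshd_tunnel_config on it to see what the daemon will actually apply.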

User specific configuration for port forwarding/tunneling automation

  • We are going to use the app user in this example.
  • Create or edit the app user's ssh config file /home/app/.ssh/config
  • Add the following:
    Host PriNetServer
        HostName 10.0.0.4                 # private IP address of PriNetServer
        User app
        Port 22
        LocalForward 30022 127.0.0.1:22   # forwards bastion port 30022 to port 22 of PriNetServer

LocalMachine Setup

Once all the setup is done on the Bastion server, you should be able to create a tunnel through the bastion to access SFTP on PriNetServer.
  • In this example I am using scp for SFTP access; you can use any other program, such as FileZilla.

Create Tunnel/Forward Port

ssh -A -L 30022:localhost:30022 app@<bastion_server_host_or_ip> -t ssh PriNetServer
In the above command, -A enables agent forwarding and -L is used for port forwarding: it asks SSH to create a tunnel from port 30022 on your LocalMachine to port 30022 on the Bastion server. You can use any unused port for tunneling.
The last part, -t ssh PriNetServer, is the command to execute once you have sshed into the bastion server; it brings up the LocalForward configured above, completing the chain to port 22 of PriNetServer. You can remove it and manually run ssh PriNetServer once you are on the bastion server.

Now that the tunnel is ready, I will upload a file to PriNetServer and download the same file from there.

  • Run the following command to upload a file.
scp -P 30022 /tmp/hello.test app@localhost:/tmp/
  • Run the following command to download a file.
scp -P 30022 app@localhost:/tmp/hello.test /tmp/hello.testdloaded
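The LocalMachine steps above can be wrapped into one script so the tunnel does not have to be held open in a separate terminal. The following is an added example, not code from the original post: it opens the same tunnel in the background on an ssh control socket, runs "ssh -N PriNetServer" on the bastion in place of the interactive -t ssh PriNetServer, waits until the PriNetServer leg answers, performs the upload and download, compares the two copies and closes the tunnel. The control-socket path, the readiness probe, the sample file and taking the bastion host from $1 are this example's own choices, not part of the post.

```shell
#!/bin/sh
# Added example, not from the original post: the LocalMachine side of the
# post's procedure as a script. Assumed (not in the post): the control-socket
# path, the readiness probe, the sample file, and the bastion host from $1.

TUNNEL_PORT=30022                           # same port on LocalMachine and Bastion, as in the post
CTL_SOCK="${TMPDIR:-/tmp}/sftp-tunnel.$$"   # assumed control-socket path, one per run

# Forward LocalMachine:30022 -> Bastion:30022 and run "ssh -N PriNetServer" on
# the bastion; that remote ssh brings up the LocalForward from the app user's
# ~/.ssh/config (Bastion:30022 -> PriNetServer:22). -f backgrounds the session
# once the local forward is listening; -M/-S keep a control socket so the whole
# chain can be ended by close_tunnel.
open_tunnel() {
  ssh -f -M -S "$CTL_SOCK" -A \
      -L "${TUNNEL_PORT}:localhost:${TUNNEL_PORT}" \
      "app@$1" 'ssh -N PriNetServer'
}

# The local listener accepts at once, but the bastion's second leg takes a
# moment to come up; probe through the whole chain with a no-op command until
# it succeeds, giving up after about 12 seconds.
wait_for_tunnel() {
  tries=0
  until ssh -p "$TUNNEL_PORT" -o ConnectTimeout=5 app@localhost true 2>/dev/null; do
    tries=$((tries + 1))
    [ "$tries" -lt 12 ] || return 1
    sleep 1
  done
}

# Ask the control master to exit; the remote "ssh -N PriNetServer" ends with it.
close_tunnel() {
  ssh -S "$CTL_SOCK" -O exit "app@$1" 2>/dev/null
}

# verify_roundtrip SENT RECEIVED -> 0 only when the two files are byte-identical.
verify_roundtrip() {
  cmp -s "$1" "$2"
}

# run_transfer BASTION: the post's upload and download, wrapped in tunnel
# setup and teardown, followed by the round-trip check.
run_transfer() {
  bastion="$1"
  src="${TMPDIR:-/tmp}/hello.test"
  back="${TMPDIR:-/tmp}/hello.testdloaded"
  printf 'constructed sample payload\n' > "$src"      # constructed file to send
  open_tunnel "$bastion" || return 1
  if ! wait_for_tunnel; then
    echo "tunnel did not come up" >&2
    close_tunnel "$bastion"
    return 1
  fi
  scp -P "$TUNNEL_PORT" "$src" app@localhost:/tmp/              # upload, as in the post
  scp -P "$TUNNEL_PORT" app@localhost:/tmp/hello.test "$back"   # download, as in the post
  close_tunnel "$bastion"
  verify_roundtrip "$src" "$back" && echo "round trip OK: $back matches $src"
}

# Runs only when a bastion host is given, e.g.: sh sftp_tunnel.sh bastion.example.com
if [ "$#" -ge 1 ]; then
  run_transfer "$1"
fi
```

Because every connection through the tunnel is addressed to localhost:30022, your known_hosts file records PriNetServer's host key under [localhost]:30022; reusing that port for a different private server later will trigger a host key mismatch, which is the check working as intended rather than something to silence.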

The same process can be used for tunneling any other port, such as the MySQL port.

Sunday, July 15, 2018

Using Chrome Secure Shell to connect to your AWS instances/Key Protected instances

1:51 AM, posted by Unknown


There are many tools available to SSH into your key-authenticated instances: on Windows mainly PuTTY, on macOS and Linux distros mainly the terminal. If you use a variety of OSes and want a similar terminal experience everywhere, or you are using ChromeOS, you can use Chrome Secure Shell.
I mainly use it on Windows because it feels much more like a terminal, with better scrolling specifically.
Here's how to connect to your key-auth-protected instances using Secure Shell.

Prerequisites

  • Protect your key with a passphrase.
    • Follow the steps in this post to protect your key with a passphrase.
    • You should always protect your keys with a passphrase, and especially while using them with Secure Shell, because it stores them in the HTML5 FileSystem, which is relatively new and may have undiscovered exploits. Here's the reference
  • Prepare your keys for Secure Shell's specific requirements.
An SSH connection using a key pair in Secure Shell has specific requirements.
  • A PEM key alone will not suffice. You need both a private key and a public key.
  • If you only have a pem file, you need to extract the public key from it. Follow the steps in this post
  • The private key and the public key must have the same name.
  • The private key should have no extension and the public key should have the .pub extension.
  • Example:
    • If you have a key named MainKey.pem (or any name you want), you must create a public key from it and rename them as follows.
    • PrivateKey (MainKey.pem) > MainKey
    • PublicKey (MainKey.pub) > MainKey.pub

Steps

  • Install Secure Shell
  • Open Secure Shell from Chrome by entering chrome://apps/ in the Chrome search box and clicking Secure Shell, OR directly enter the following in the Chrome search bar: chrome-extension://pnhechapfaindjhompbnflcldabbghjo/html/nassh.html
  • The Secure Shell app opens up, ready for you to configure. Here's how it looks.

  • Fill in the details
    • Name of the connection: keep it short and without spaces; you will be able to use it to open the SSH connection easily. I will come to that later.
    • SSH username
    • SSH Host
    • SSH Port
    • Now import the keys by clicking on Import...
      • This opens a file selector; select the two files, in this example MainKey and MainKey.pub, and click Open

    • That's it. Now click on Connect or hit Enter to connect.
    • If the key has a passphrase, it will ask you to enter it.
    • Once connected you should see the server prompt.

Pro Tip

  1. You can connect to any of the saved connections by entering ssh <profile name> in the Chrome search box/omnibox.
  2. You can bookmark connections for easy accessibility.
  3. You can connect to multiple instances in one click. For DevOps there are many cases where we want to connect to multiple instances while doing something. Here's how I do that.
  • Bookmark all the connections
  • Move all the bookmarks into a folder.
  • Right-click on the bookmark folder and click Open All in New Window

Protect your AWS key/Private key with passphrase

12:37 AM, posted by Unknown


All of us have faced this: when you generate a new key from AWS, it does not have a passphrase. One should never use keys without a passphrase; it is a huge security risk.
Here's how to add a passphrase to any existing key file. Just run the following command and enter the passphrase twice.
Note: Make sure to remember the passphrase; if you forget it, you will lose access to all the instances using the key.
ssh-keygen -p -f somekey.pem
The output will be the following.
Enter new passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved with the new passphrase.
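The key preparation the Secure Shell post asks for (private key with no extension, public key with the same name plus .pub) and the passphrase step from this post fit together into one script. The following is an added example, not code from either post: prepare_secureshell_key copies the .pem to the required name, restricts its permissions, derives the matching .pub with ssh-keygen -y, and checks the resulting layout; add_passphrase runs the ssh-keygen -p command shown above, which prompts for the passphrase interactively rather than taking it on the command line. The output directory, the function names and the layout check are this example's own; the key file names follow the post's MainKey example.

```shell
#!/bin/sh
# Added example, not from either post: prepare an AWS .pem key for Secure Shell
# (private key with no extension, public key named <name>.pub) and protect it
# with a passphrase. Assumed: the output directory given as $2 and the helper
# names; the naming rules and the ssh-keygen -p command come from the posts.

# key_basename PEMFILE -> the file name with any .pem extension removed,
# e.g. /path/MainKey.pem -> MainKey
key_basename() {
  basename "$1" .pem
}

# check_secureshell_layout OUTDIR NAME -> 0 when both files exist, the private
# key carries no extension and is not group/world readable, and the public key
# is a single OpenSSH public-key line (key type followed by base64).
check_secureshell_layout() {
  priv="$1/$2"; pub="$priv.pub"
  [ -f "$priv" ] && [ -f "$pub" ] || return 1
  case "$2" in *.*) return 1 ;; esac                             # no extension allowed
  mode=$(stat -c %a "$priv" 2>/dev/null || stat -f %Lp "$priv")  # Linux form, then macOS form
  [ "$mode" = "600" ] || [ "$mode" = "400" ] || return 1
  grep -Eq '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/=]+' "$pub"
}

# prepare_secureshell_key PEMFILE OUTDIR
# Copies the key to OUTDIR/<name>, restricts permissions, derives
# OUTDIR/<name>.pub from it with ssh-keygen -y (the "extract public key"
# step), then verifies the layout Secure Shell expects. If the private key
# already has a passphrase, ssh-keygen -y prompts for it.
prepare_secureshell_key() {
  pem="$1"; outdir="$2"
  name=$(key_basename "$pem")
  priv="$outdir/$name"
  mkdir -p "$outdir" || return 1
  cp "$pem" "$priv" && chmod 600 "$priv" || return 1
  ssh-keygen -y -f "$priv" > "$priv.pub" || return 1
  chmod 644 "$priv.pub"
  check_secureshell_layout "$outdir" "$name"
}

# add_passphrase PRIVKEY: the passphrase post's command. ssh-keygen prompts
# twice and rewrites the key file in place; nothing is passed on the command
# line, so the passphrase does not land in shell history or the process list.
add_passphrase() {
  ssh-keygen -p -f "$1"
}

# Typical use: sh prepare_key.sh ~/Downloads/MainKey.pem ~/.ssh/secureshell
if [ "$#" -eq 2 ]; then
  name=$(key_basename "$1")
  prepare_secureshell_key "$1" "$2" && add_passphrase "$2/$name" \
    && echo "ready to import into Secure Shell: $2/$name and $2/$name.pub"
fi
```

After the script finishes, the two files to select in Secure Shell's Import... dialog are OUTDIR/MainKey and OUTDIR/MainKey.pub, and the original .pem can be removed once you have confirmed the new pair logs in.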