Topic "WinSCP, Amazon EC2, and the AWS Toolkit."

stivostenberg

Joined: 2015-03-16
Posts: 8
Location: Mountain View, California
When you load the AWS toolkit for Visual Studio, you get a set of APIs that help immensely in working with AWS. All your credentials are stored in a credential store (like the .aws/credentials file), which gives access to the Key ID and Access Key of the account through an API. When you connect to EC2 Instances, you see a list of the instances, and you can right-click to open either an SSH (PuTTY) or SCP (WinSCP) session to that instance. That request (let's use SCP as an example) opens a window where I can either enter a password or "Use EC2 keypair to log on", with an option to save credentials.

I have written a program that will iterate through all the Profiles you have loaded on your system, then iterate through all regions to build a list of all EC2 instances and information across your accounts in a single window. I added filters on tags so you can, for example, list all machines in said list with the tag "FTP Server".

Now that I have such a list of servers, I would like to say "I need a file copied to all the servers in the filtered list". The logon credentials are not the same per profile, so I intend to use the
"Amazon.Runtime.AWSCredentials credential = new Amazon.Runtime.StoredProfileAWSCredentials(aprofile);"
to pull the keypair information from my credential store.

My problem is that I cannot determine how Visual Studio is passing the arguments to WinSCP to allow authentication using the keypair. I found the SFTPCopy function which looks really nice, but it takes the SshHostKeyFingerprint as an argument and not a keypair.

The complete code for my project is at https://github.com/StivOstenberg/AWSTrycorderPrototype . It works great for viewing and filtering EC2 instances; now I am trying to get it to interact with them using WinSCP. How do we submit the keypair instead of a password? And do we explicitly have to pass the fingerprint, or will it find it in the certmgr?
stivostenberg

Joined: 2015-03-16
Posts: 8
Location: Mountain View, California
Some confusion was created by the caching of credentials on my system. The "EC2 Keypair" is the RSA key (-----BEGIN RSA PRIVATE KEY-----...). I am not sure it cares about the AWS Access Key ID and Secret Access Key. This is annoying because I am not sure how to get my program to recognize, from the data in the credentials file, the appropriate fingerprint to use. Usually I only have to enter said RSA key once and it is cached, but how do I pull that from the cache, or request it if not found, so I can feed it to WinSCP? (E.g. search the cache; if not found, pop up a dialog to let the user enter it.)
I suspect this is tied into Pageant and PuTTY somehow, but I am not sure. Certificates almost always confuse me.

So, to sum up, I need to figure out how to FIND the right SshHostKeyFingerprint to use if it is there, and enter it if not. Anybody know how this works? This may sadly be a Microsoft issue, not a WinSCP issue, but it relates to how they interoperate when using the API, and if we can solve this, I am sure it will prove useful to anybody using the API tools.
stivostenberg

Joined: 2015-03-16
Posts: 8
Location: Mountain View, California
Found a quote from Martin on Stack Overflow from July 2014 that states: "Your code that uses scripting succeeds because you have the fingerprint cached. The .NET assembly never uses fingerprint cache."

This is bothersome, as that means I either have to implement my own cache (eek!) or I have to enter the key for each system I connect to, every time. This makes my automation program somewhat unwieldy to use regularly via the API. Any suggestions on how to get around this? I have 132 systems I may potentially access. I think I can work around it using Process winscp = new Process(); , but it makes the program less elegant.

Has this limitation changed?

P.S. I am impressed with the level of support Martin provides for this program, even if I am here whining. Think I need to add a Paypal button for him in my program once I get this working.....
martin
Site Admin
Joined: 2002-12-10
Posts: 24555
Location: Prague, Czechia
The SshHostKeyFingerprint is the server's host key to trust. It's not used for authentication.
See http://winscp.net/eng/docs/ssh_keys

Where can I see the SFTPCopy function?

I'd like to test the AWS toolkit. But if I go to
https://console.aws.amazon.com/iam/home?#security_credential
I see nothing. See attached screenshot.
Can you help me?
Attachment: aws.png (54.69 KB)

stivostenberg

Joined: 2015-03-16
Posts: 8
Location: Mountain View, California
Appears I was making things too complicated. I just tweaked the code to work with my UI, disabled the SSL Thumbprint, and it worked!!!!!

Code uploaded to Github. Need to test on more servers, and work out error handling.

github.com/StivOstenberg/EC2EventMonitor
stivostenberg

Joined: 2015-03-16
Posts: 8
Location: Mountain View, California
Hi Martin;
The root access key is not available online after it is generated, though I understand you can generate a new one at any time. I am still working out all the certificates and access types for AWS myself. You could also create an IAM user, which they encourage us to do, but we haven't.

http://docs.aws.amazon.com/general/latest/gr/managing-aws-access-keys.html

If, as you say, the thumbprint is the key to trust, then life is easier, as I now assume all the servers I may talk to are valid, since I got the list from AWS itself. The SFTP code I grabbed from your site, and I need to modify it from command line to work with this multi-server version. Attached the code below, as well as the PayPal donate function I intend to use. Please send me the information to feed that function, and I will add it to the code (since WinSCP does a lot more of the work than my cheesy program). My email is megastiv@stiv.com.

I have the private SSH key for our service, which I use to connect, but I guess I don't understand where that is getting passed to WinSCP. Guess I will have to just try it and see if it magically picks it up. Thanks again for your help!
Attachment: Code Examples.txt (2.78 KB), private file. Description: The SFTP function I swiped from the WinSCP site, and the PayPal donate function.

martin
Site Admin
Joined: 2002-12-10
Posts: 24555
Location: Prague, Czechia
stivostenberg wrote:
If, as you say, the thumbprint is the key to trust, then life is easier, as I now assume all the servers I may talk to are valid, since I got the list from AWS itself.

That's not a correct assumption.
The key is there to protect you from a man-in-the-middle attack. So while you get the hostnames to connect to from AWS, as you connect over an untrusted network (the Internet), you cannot know if you actually connect to AWS.

See the link above and also http://winscp.net/eng/docs/ssh_verifying_the_host_key

Feel free to point your PayPal button to yourself!
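The two points raised above (the .NET assembly does not use the fingerprint cache, so the caller must supply SshHostKeyFingerprint itself, and the fingerprint is a man-in-the-middle protection rather than a credential) are illustrated by the following added example. It is not code from this thread, from WinSCP, or from the AWSTrycorder project. It uses the WinSCP .NET assembly's SessionOptions, Session.ScanFingerprint, Session.Open and Session.PutFiles, and assumes a hypothetical per-user pin file, a hypothetical ConfirmWithOperator callback, and that the EC2 .pem key has already been converted to PuTTY .ppk format (which SshPrivateKeyPath requires). Host names, the user name and paths are placeholders.

```csharp
// Added example: copy one file to several EC2 hosts with the WinSCP .NET assembly,
// authenticating with the EC2 key pair and pinning each server's host key locally.
// Not from the thread or the project; the pin file and ConfirmWithOperator are assumptions.
using System;
using System.Collections.Generic;
using System.IO;
using WinSCP;

public static class Ec2Push
{
    // Hypothetical pin store: one "hostname<TAB>fingerprint" line per server.
    // This is the "own cache" the thread talks about, since the .NET assembly does not
    // consult the fingerprint cache that the GUI or scripting mode would use.
    private static readonly string PinFile = Path.Combine(
        Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData),
        "ec2push", "known_hosts.txt");

    public static Dictionary<string, string> LoadPins()
    {
        var pins = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        if (!File.Exists(PinFile)) return pins;
        foreach (string line in File.ReadAllLines(PinFile))
        {
            string[] parts = line.Split('\t');
            if (parts.Length == 2) pins[parts[0]] = parts[1];
        }
        return pins;
    }

    public static void SavePin(string host, string fingerprint)
    {
        Directory.CreateDirectory(Path.GetDirectoryName(PinFile));
        File.AppendAllText(PinFile, host + "\t" + fingerprint + Environment.NewLine);
    }

    // Hypothetical: shows the fingerprint to the operator, who compares it against the
    // value printed in the instance's EC2 system log before any file is sent.
    public static bool ConfirmWithOperator(string host, string fingerprint)
    {
        Console.WriteLine("New host {0} presents key {1}. Accept? [y/N] ", host, fingerprint);
        return string.Equals(Console.ReadLine(), "y", StringComparison.OrdinalIgnoreCase);
    }

    public static void PushFile(string host, string user, string ppkPath,
                                string localFile, string remoteDir)
    {
        var pins = LoadPins();
        var options = new SessionOptions
        {
            Protocol = Protocol.Sftp,
            HostName = host,
            UserName = user,            // e.g. "ec2-user" on Amazon Linux (placeholder)
            SshPrivateKeyPath = ppkPath // EC2 key pair, converted to .ppk with PuTTYgen
        };

        if (!pins.TryGetValue(host, out string fingerprint))
        {
            // First contact: read the key the server presents and pin it only after the
            // operator has verified it out of band. Rejecting here is the safe default.
            using (var probe = new Session())
                fingerprint = probe.ScanFingerprint(options, "SHA-256");
            if (!ConfirmWithOperator(host, fingerprint))
                throw new InvalidOperationException("Host key for " + host + " not verified.");
            SavePin(host, fingerprint);
        }
        // On every later connection the pinned value is enforced: a changed key aborts Open().
        options.SshHostKeyFingerprint = fingerprint;

        using (var session = new Session())
        {
            session.Open(options);
            var transfer = new TransferOptions { TransferMode = TransferMode.Binary };
            TransferOperationResult result =
                session.PutFiles(localFile, remoteDir, false, transfer);
            result.Check(); // throws on any failed file
        }
    }

    public static void Main()
    {
        // Placeholder host list; in the thread this would come from the filtered EC2 view.
        string[] hosts = { "ec2-host-1.example", "ec2-host-2.example" };
        foreach (string h in hosts)
            PushFile(h, "ec2-user", @"C:\keys\my-ec2-keypair.ppk",
                     @"C:\deploy\config.txt", "/home/ec2-user/");
    }
}
```

The private key answers the "how do I authenticate" question; the pinned fingerprint answers the separate "am I talking to the right server" question. Keeping the two apart is what makes the host list from AWS insufficient on its own: the list tells you where to connect, the pinned key tells you that the machine answering is the one you expect.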
stivostenberg

Joined: 2015-03-16
Posts: 8
Location: Mountain View, California
Thanks again, Martin. Used the PayPal button here to submit a more tangible "Thank you".
martin
Site Admin
Joined: 2002-12-10
Posts: 24555
Location: Prague, Czechia
Thanks!