WinSCP, Amazon EC2, and the AWS Toolkit.

Advertisement

stivostenberg
Joined:
Posts:
8
Location:
Mountain View, California

WinSCP, Amazon EC2, and the AWS Toolkit.

When you load the AWS toolkit for Visual Studio, you get a set of APIs that help immensely in working with AWS. All your credentials are stored in a credential store (like the .aws/credential file) which gives access to the KeyID and Access Key to the account through an API. When you connect to EC2Instances,you see a list of the instances, and you can right click to open either an SSH (PuTTY) or SCP (WinSCP) session to that instance. That request (lets use SCP as an example) opens a window where I can either enter a password, or "Use EC2 keypair to log on" with an option to save credentials.

I have written a program that will iterate through all the Profiles you have loaded on your system, then iterate through all regions to build a list of all EC2 instances and information across your accounts in a single window. I added filters on tags so you can, for example, list all machines in said list with the tag "FTP Server".

Now that I have such a list of servers, I would like to say "I need a file copied to all the servers in the filtered list". The logon credentials are not the same per profile, so I intend to use the
Amazon.Runtime.AWSCredentials credential =
    new Amazon.Runtime.StoredProfileAWSCredentials(aprofile);
to pull the keypair information from my credential store.

My problem is that I cannot determine how Visual Studio is passing the arguments to WinSCP to allow authentication using the keypair. I found the SFTPCopy function which looks really nice, but it takes the SshHostKeyFingerprint as an argument and not a keypair.

The complete code for my project is at https://github.com/StivOstenberg/AWSTrycorderPrototype. It works great for viewing and filtering EC2 instances, now trying to get it to interact with them using WinSCP. How do we submit the keypair instead of a password? And do we explicitly have to pass the fingerprint, or will it find in the certmgr?

Reply with quote

Advertisement

stivostenberg
Joined:
Posts:
8
Location:
Mountain View, California

Some more information.

Some confusion created by the caching of credentials on my system. The "EC2 Keypair" is the RSA Key. (-----BEGIN RSA PRIVATE KEY-----...) I am not sure it cares about the AWS Access Key IDF and Secret Access Key. This is annoying because I am not sure how to get my program to recognize by the data in the credentials file the appropriate fingerprint to use. Usually I only have to enter said RSA key once and it is cached, but how do I pull that from the cache, or request it if not found so I can feed to WinSCP? (Eg search cache, if not found pop a dialog to let user enter it)
I suspect this is tied into Pageant and PuTTY somehow, but not sure. Certificates almost always confuse me.

So, to sum up, I need to figure out how to FIND the right SshHostKeyFingerprint to use if it is there, and enter it if not. Anybody know how this works? This may sadly be a Microsoft issue, not a WinSCP issue, but it relates to how they interoperate when using the API, and if we can solve this, I am sure it will prove useful to anybody using the API tools.

Reply with quote

stivostenberg
Joined:
Posts:
8
Location:
Mountain View, California

Re: Some more information.

Found a quote from 2Martin on the StackOverflow July 2014 that states
Your code that uses scripting succeeds because you have the fingerprint cached. The .NET assembly never uses fingerprint cache.

This is bothersome as that means I either have to implement my own cache (eek!) or I have to enter the key for each system I connect to, every time. This makes my automation program somewhat unwieldy to use regularly via API. Any suggestions on how to get around this? I have 132 systems I may potentially access. I think I can work around it using the
Process winscp = new Process();
but it makes the program less elegant.

Has this limitation changed?

P.S. I am impressed with the level of support Martin provides for this program, even if I am here whining. Think I need to add a PayPal button for him in my program once I get this working.....

Reply with quote

martin
Site Admin
martin avatar
Joined:
Posts:
41,462
Location:
Prague, Czechia

Re: WinSCP, Amazon EC2, and the AWS Toolkit.

The SshHostKeyFingerprint is server's host key to trust. It's not used for authentication.
See https://winscp.net/eng/docs/ssh_keys

Where can I see the SFTPCopy function?

I'd like to test the AWS toolkit. But if I go to
https://console.aws.amazon.com/iamv2/home#/security_credentials
I see nothing. See attached screenshot.
Can you help me?

aws.png

Reply with quote

Advertisement

stivostenberg
Joined:
Posts:
8
Location:
Mountain View, California

Re: WinSCP, Amazon EC2, and the AWS Toolkit.

Hi Martin;
The root access key is not available online after it is generated, though I understand you can generate a new one at any time. Still working out all the certificates and access types for AWS myself. You could also create an IAMS user, which they encourage us to do, but we haven't.
https://docs.aws.amazon.com/IAM/latest/UserGuide/security-creds-programmatic-access.html

If, as you say, the thumbprint is the key to trust, then life is easier as I know assume all the servers I may talk to are valid, as I got the list from AWS itself. The SFTP code I grabbed from your site, and need to modify from commandline to work with this multiserver version. Attached the code below, as well as the Paypal donate function I intend to use. Please send me the information to feed that function, and I will add it to the code. (Since WinSCP does a lot more of the work then my cheezy program). My Email is megastiv@stiv.com.

I have the private SSH key for our service, which I use to connect, but I guess I don't understand where that is getting passed to WinSCP. Guess I will have to just try it and see if it magically picks it up. Thanks again for your help!
  • Code Examples.txt (2.78 KB, Private file)
Description: The SFTP function I swiped from the WinSCP site, and the Paypal donate function.

Reply with quote

martin
Site Admin
martin avatar
Joined:
Posts:
41,462
Location:
Prague, Czechia

Re: WinSCP, Amazon EC2, and the AWS Toolkit.

stivostenberg wrote:

If, as you say, the thumbprint is the key to trust, then life is easier as I know assume all the servers I may talk to are valid, as I got the list from AWS itself.
That's not a correct assumption.
The key is there to protect you from a man-in-the-middle attack. So while you get the hostnames to connect to from AWS, as you connect over untrusted network (Internet), you cannot know if you actually connect to AWS.

See the link above and also https://winscp.net/eng/docs/ssh_verifying_the_host_key

Feel free to point your PayPal button to yourself!

Reply with quote

Advertisement

You can post new topics in this forum