I am having lots of problems with this.
I have the following code
try {
final SSHClient ssh = new SSHClient();
PKCS8KeyFile keyFile = new PKCS8KeyFile();
keyFile.init(new File(Thread.currentThread().getContextClassLoader().getResource("development.pem").toURI()));
ssh.loadKnownHosts();
ssh.addHostKeyVerifier("ec2-XX-XX-XX-XX.compute-1.amazonaws.com", 22, "ff:59:aa:24:42:b1:a0:9f:c9:4c:73:34:fb:95:53:c2:b8:37:a8:f8");
// ssh.addHostKeyVerifier("ec2-XX-XX-XX-XX.compute-1.amazonaws.com", 22, "90:1e:4d:09:42:c4:16:8a:4c:dc:ae:c2:60:14:f9:ea");
ssh.connect("ec2-XX-XX-XX-XX.compute-1.amazonaws.com");
ssh.auth("ec2-user", new AuthPublickey(keyFile));
Session session = ssh.startSession();
Command sudo = session.exec("sudo su -");
System.out.println("sudo=" +sudo.getOutputAsString());
Command whoami = session.exec("whoami");
System.out.println("whoami=" + whoami.getOutputAsString());
} catch (Exception e) {
e.printStackTrace();
}
The first addHostKeyVerifier is using the fingerprint on the AWS console, the commented out one is the one that it keeps telling me it is failing against. Where am i meant to get the correct key from.
If i use the second key it passes verification then fails afterwards.
I am using SSHJ version 0.8.1
This worked for me.
For your PEM file you need to use the OpenSSHKeyFile key provider.
SSHClient ssh = new SSHClient();
OpenSSHKeyFile keyFile = new OpenSSHKeyFile();
File file = new File("c:\\full\\path\\to\\keyfile.pem");
keyFile.init(file);
Personally, I just surpressed the host key verification to always return true. But I'm sure your way is more secure (if it works).
ssh.loadKnownHosts();
ssh.addHostKeyVerifier((a, b, c) -> true);
The username for AWS depends on your image. Very often it is "root". In my case, it was "ubuntu".
ssh.connect("ec2-54-165-233-48.compute-1.amazonaws.com");
ssh.auth("ubuntu", new AuthPublickey(keyFile));
Session session = ssh.startSession();
(Note: I'm using version 0.26.0 though.)
Related
I try to request a new certificate via EST protocol from the EST test service URL “https://testrfc7030.com/”. The program uses Bouncy Castle for this.
I have already configured the EST service’s TA and my client certificate obtained from them. I also use the BC JSSE provider to get access to the “tls-unique” channel binding value.
eSTService = new JsseESTServiceBuilder(Config.CredAdmin.caHost, trustManagers)
.withKeyManagers(keyManagers)
.withProvider(BouncyCastleJsseProvider.PROVIDER_NAME)
.withChannelBindingProvider(new ChannelBindingProvider() {
//Use an anonymous binding provider that supports linking
//Identity and POP Information (RFC7030, Section 3.5.), that
//relies on Channel Bindings for TLS (RFC5929) using "tls-unique".
public boolean canAccessChannelBinding(Socket sock) {
boolean ret = sock instanceof BCSSLSocket;
if (!ret)
//should never happen
MyUtils.LambdaLogger.error("Can't get channel binding value, check if BouncyCastleJsseProvider could be loaded.");
return ret;
}
public byte[] getChannelBinding(Socket sock, String binding) {
BCSSLConnection bcon = ((BCSSLSocket)sock).getConnection();
if (bcon == null) {
//should never happen
MyUtils.LambdaLogger.error("Can't get \"%s\" channel binding value, check if BouncyCastleJsseProvider could be loaded.", binding);
return null;
}
byte[] ret = bcon.getChannelBinding(binding);
MyUtils.LambdaLogger.debug("retrieved %d bytes \"%s\" channel binding value", ret.length, binding);
return ret;
}
})
.build();
and
Security.addProvider(new BouncyCastleJsseProvider());
When I configure EST service port 9443 – that requires my client cert but no TLS channel binding – I do get a new certificate:
However, when I configure port 443 – that also needs TLS channel binding – although I get 12 bytes of “tls-unique” from BC JSSE, these won’t get accepted by the EST service testrfc7030.com, so it gives me an HTTP 401 – Unauthorized:
My problem is, I don’t know, what’s wrong:
my code
the BC JSSE implementation of “tls-unique” (RFC 5929)
the EST service’s implementation of “tls-unique” (RFC 5929)?
Does someone have an implementation that works with the EST service “testrfc7030.com:443” art has at least an idea, what's wrong?
---Update 1---
I'm creating the ContentSigner as following:
ContentSigner signer =
new JcaContentSignerBuilder(MyUtils.Crypto.sha256WithRSAEncryption)
.setProvider(BouncyCastleProvider.PROVIDER_NAME)
.build(keyPair.getPrivate());
and the csrBuilder:
PKCS10CertificationRequestBuilder csrBuilder =
new PKCS10CertificationRequestBuilder(
new X500Name(subjectDN),
SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded()));
csrBuilder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, extGen.generate());
with
ExtensionsGenerator extGen = new ExtensionsGenerator();
...
This we then use as following:
EnrollmentResponse resp = eSTService.simpleEnrollPoP(false, cb.csrBuilder, cb.signer, null);
Based on the input by Peter we were able to fix this problem as following:
//just for testrfc7030.com
ESTAuth auth = new JcaHttpAuthBuilder(null, "estuser", "estpwd".toCharArray())
.setNonceGenerator(new SecureRandom())
.setProvider("BC")
.build();
EnrollmentResponse resp = eSTService.simpleEnrollPoP(false, cb.csrBuilder, cb.signer, auth);
It turned out, that testrfc3070 requires the following authentication schemes:
Port 443: requires HTTP user auth + identity POP linking
Port 8443: requires HTTP user auth but no identity POP linking
Port 9443: requires user auth with client certificate (obtained via Port 8443 or Port 443) but no identity POP linking
identity POP linking = TLS channel binding
Trying to move from jcifs to jcifs-ng (the latest jar jcifs-ng-2.1.2.jar) to copy files to/from remote.
My code using old jcifs:
System.setProperty("jcifs.smb.client.responseTimeout", "10000");
System.setProperty("jcifs.smb.client.soTimeout", "2000");
if (winsIPList.trim().equals("")) {
System.setProperty("jcifs.smb.client.dfs.disabled", "true");
} else {
System.setProperty("jcifs.smb.client.dfs.disabled", "false");
System.setProperty("jcifs.netbios.wins", winsIPList.trim());
System.setProperty("resolveOrder", "DNS");
}
NtlmPasswordAuthentication auth = new
NtlmPasswordAuthentication(filesrvDomainIP, filesrvDomainUser,
filesrvDomainPassword);
smbRemoteFile = new SmbFile("smb:" + remoteFile.replace("\\", "/"), auth);
<here the code to copy file>
Found few examples in stackoverflow, but looks like they are old.
Part of them include usage of NtlmPasswordAuthentication(context, DomainIP, DomainUser,DomainPassword) which is deprecated in the last jcifs-ng package.
Others use
SmbFile smbRemoteFile = new SmbFile(remoteFile, someContext)
which is reported as undefined by compiler
Could somebody provide an example that works?
Working example:
BaseContext baseCxt = null;
Properties jcifsProperties = new Properties();
jcifsProperties.setProperty("jcifs.smb.client.enableSMB2", "true");
jcifsProperties.setProperty("jcifs.smb.client.dfs.disabled","true");
Configuration config = new PropertyConfiguration(jcifsProperties);
baseCxt = new BaseContext(config);
auth = baseCxt.withCredentials(new NtlmPasswordAuthenticator(DomainIP, DomainUser,
DomainPassword));
SmbFile smbRemoteFile = new SmbFile("smb:" + remoteFile.replace("\\", "/"), auth);
According to this issue: jcifs-ng Issue #36: Chicken/egg relationship between CIFSContext and credentials
Class NtlmPasswordAuthentication is replaced by NtlmPasswordAuthenticator.
So you might replace your NtlmPasswordAuthentication usage with:
NtlmPasswordAuthenticator auth = new NtlmPasswordAuthenticator(domain, username, password)
Besides, this answer might be helpful.
I would like to fetch recent, unread emails with a specific subject in a particular folder from my gmail account. I am using JavaMail API as below but it returns 0 results. However if I just use subjectTerm alone, I see results. Please let me know where am I going wrong. Thank you.
Please note that I used messages[0] below instead of looping through messages array for code simplicity to paste it here.
public void openMailBox(String hostname, String username, String password, String folderName, String subject) throws MessagingException, GeneralSecurityException, IOException{
props = System.getProperties();
props.setProperty("mail.store.protocol", "imaps");
props.setProperty("mail.imaps.host", "imap.gmail.com");
props.setProperty("mail.imaps.port", "993");
props.setProperty("mail.imaps.ssl.enable", "true");
props.put("mail.imaps.ssl.socketFactory", new MailSSLSocketFactory());
session = Session.getInstance(props);
store = session.getStore();
store.connect(username, password);
folder = store.getFolder(folderName);
folder.open(Folder.READ_ONLY);
messages = folder.search(getSearchTerm(subject));
if (messages[0].isMimeType("multipart/*")){
Multipart multipart = (Multipart) messages[0].getContent();
for(int i=0;i<multipart.getCount();i++) {
BodyPart bodyPart = multipart.getBodyPart(0);
if (bodyPart.isMimeType("text/*")) {
msg = msg+bodyPart.getContent().toString();
}
}
}else{
msg = messages[0].getContent().toString();
}
System.out.println(msg);
folder.close(true);
store.close();
}
public SearchTerm getSearchTerm(String subject){
subjectTerm = new SubjectTerm(subject);
unseenFlagTerm = new FlagTerm(new Flags(Flags.Flag.SEEN), false);
recentFlagTerm; = new FlagTerm(new Flags(Flags.Flag.RECENT), true);
return new AndTerm(subjectTerm, new AndTerm(unseenFlagTerm, recentFlagTerm));
}
}
What mail server are you using?
Some mail servers don't implement the RECENT flag in any useful way, so messages might not be marked RECENT. Try leaving out the RECENT term and see if you get more results.
If that doesn't help, add code to dump out the flags for all messages and then post the JavaMail debug output that shows the flags for all messages along with the search request and response.
Note also that some IMAP servers don't fully or correctly implement the SEARCH command and so can't handle the kind of search you're doing.
Finally, note that you don't need to set the socketFactory property unless you're using MailSSLSocketFactory in a more interesting way than you've show in your example code above.
I'm trying to connect to a remote computer using java and Jacob in order to get some WMI Information about the remote computer.
For localhost I'm using the code below and it works fine.
String host = "localhost";
String connectStr = String.format("winmgmts:\\\\%s\\root\\CIMV2", host);
ActiveXComponent axWMI = new ActiveXComponent(connectStr);
// other code to get system information
But if I change localhost to another ip/hostname I got the following error:
Exception in thread "main" com.jacob.com.ComFailException: Can't find moniker
at com.jacob.com.Dispatch.createInstanceNative(Native Method)
at com.jacob.com.Dispatch.<init>(Dispatch.java:99)
at com.jacob.activeX.ActiveXComponent.<init>(ActiveXComponent.java:58)
at easyticket.classes.WmiExtended.main(WmiExtended.java:28)
and the row that throws the exception is:
ActiveXComponent axWMI = new ActiveXComponent(connectStr);
EDIT
I tried passing username/password using WbemScripting
String host = "192.168.7.106";
ActiveXComponent axWMI = new ActiveXComponent("WbemScripting.SWbemLocator");
axWMI.invoke("ConnectServer", new Variant(host+",\"root\\cimv2\",\"username\",\"password\""));
but I got this error:
Exception in thread "main" com.jacob.com.ComFailException: Invoke of: ConnectServer
Source: SWbemLocator
Description: The RPC server is unavailable.
How can I solve it? How can I pass username/password and if is needed the domain???
I'm using Windows 8 and I'm trying to connect to win8/win7/winxp/win2003server computers.
After some searches I managed to solve my problem...
Here's the code if anyone need it.
ActiveXComponent wmi = new ActiveXComponent("WbemScripting.SWbemLocator");
Variant variantParameters[] = new Variant[4];
variantParameters[0] = new Variant(_IPADDRESS);
variantParameters[1] = new Variant("root\\cimv2");
variantParameters[2] = new Variant("username");
variantParameters[3] = new Variant("password");
ActiveXComponent axWMI;
try
{
Variant conRet = wmi.invoke("ConnectServer", variantParameters);
axWMI = new ActiveXComponent(conRet.toDispatch());
}catch(ComFailException e)
{
axWMI = null;
}
if (axWMI == null)
return false;
I have a tomcat-hibernate-hsqldb setup and I want to use SSL to secure data transfer between my application and hsqldb. However, I need to pre install a certificate which can be used at any deployment. I do not want to use a new certificate for each new deployment site. For this, if I just use a self-signed certificate issues to any random Common Name and then install the same certificate in the trust store of tomcat, then I get this exception
java.net.UnknownHostException: Certificate Common Name[random name] does not match host name[192.168.100.10]
I need to disable hostname verification in this setup, but all the info I found on web points to the mechanism of disabling it for HttpsURLConnection.
I believe hsqldb has a custom code to do it, in the file
org.hsqldb.serverHsqlSocketFactorySecure
Here is the method, which does this:
protected void verify(String host, SSLSession session) throws Exception {
X509Certificate[] chain;
X509Certificate certificate;
Principal principal;
PublicKey publicKey;
String DN;
String CN;
int start;
int end;
String emsg;
chain = session.getPeerCertificateChain();
certificate = chain[0];
principal = certificate.getSubjectDN();
DN = String.valueOf(principal);
start = DN.indexOf("CN=");
if (start < 0) {
throw new UnknownHostException(
Error.getMessage(ErrorCode.M_SERVER_SECURE_VERIFY_1));
}
start += 3;
end = DN.indexOf(',', start);
CN = DN.substring(start, (end > -1) ? end
: DN.length());
if (CN.length() < 1) {
throw new UnknownHostException(
Error.getMessage(ErrorCode.M_SERVER_SECURE_VERIFY_2));
}
if (!CN.equalsIgnoreCase(host)) {
// TLS_HOSTNAME_MISMATCH
throw new UnknownHostException(
Error.getMessage(
ErrorCode.M_SERVER_SECURE_VERIFY_3, 0,
new Object[] {
CN, host
}));
}
}
Is there a way to somehow bypass this mechanism and disable hostname validation?
Asked the same question on hsqldb forums and got to know that there is no workaround to this. The only thing you could do is to comment out the code which is calling the verify method and then rebuild the jar. I am still puzzled why hsqldb didn't use the HostnameVerifier (http://docs.oracle.com/javase/6/docs/api/javax/net/ssl/HostnameVerifier.html), which would have made it easier to write a custom Hostname Verifier.