Rsync & Scp for the AWS "ec2-user" to use with the CA Identity Suite vApp

    Posted 10-24-2018 07:16 PM

    Team,

    When you set up a Linux/UNIX instance for AWS, you will be offered a chance to create a new client cert file or use an existing one.

    This client cert file will be offered in PEM format, which is a human-readable text file with banner lines around the cert, e.g. ----BEGIN RSA PRIVATE KEY----

    After you download this file, you will pull the private key from this PEM file and save it in PPK file format for use with PuTTY, MobaXterm, FileZilla or WinSCP.

    Example of using PuTTYgen to convert PEM to PPK

    You can also use these public/private components of the client cert for authentication between cluster members for CA Identity Suite vApp on AWS.

    Example and location below:

    Step 1: ###############    View the files under .ssh folder for ec2-user  ###############   

    ec2-user@ip-10-0-0-126 VAPP-14.2.0 (10.0.0.126 / 18.207.101.119):~/.ssh > pwd
    /home/ec2-user/.ssh


    Step 2:  ###############  There will be only one or two (2) files before any work #########

    authorized_keys is the public component of the AWS cert.

       -  If you open the PPK file and compare, you will see the same information.

    known_hosts will not exist until you attempt to use a remote ssh connection.

       -  When you open connections, the prompt will ask whether you would like to add the new entry to the known_hosts file.

    id_rsa is a direct copy of authorized_keys.

       -  Certain CLI processes look for these expected file names.

    id_dsa is a direct copy of the full PEM file provided by AWS.

       -  This file contains the private key of the cert.

       -  Guard this file closely.

    Ensure the file owner and permission modes (0600) are correct for ec2-user.

    ec2-user@ip-10-0-0-126 VAPP-14.2.0 (10.0.0.126 / 18.207.101.119):~/.ssh > ls -lart
    -rw------- 1 ec2-user ec2-user 392 Oct 16 20:49 id_rsa
    -rw------- 1 ec2-user ec2-user 392 Oct 16 20:49 authorized_keys
    drwx------ 7 ec2-user ec2-user 4096 Oct 23 21:16 ..
    -rw-r--r-- 1 ec2-user ec2-user 222 Oct 23 22:00 known_hosts
    -rw------- 1 ec2-user ec2-user 1696 Oct 23 22:34 id_dsa
    -rw------- 1 ec2-user ec2-user 1696 Oct 23 22:34 aws-new.pem

    Step 3: ############### Test with RSYNC process ###########################

    - You can see that id_rsa is being requested.


    ec2-user@ip-10-0-0-126 VAPP-14.2.0 (10.0.0.126 / 18.207.101.119):/tmp > touch aaaa
    ec2-user@ip-10-0-0-126 VAPP-14.2.0 (10.0.0.126 / 18.207.101.119):/tmp > rsync -iaz -v -e ssh /tmp/aaaa "10.0.0.89":/tmp/
    Enter passphrase for key '/home/ec2-user/.ssh/id_rsa':
    sending incremental file list
    <f+++++++++ aaaa

    sent 86 bytes received 31 bytes 78.00 bytes/sec
    total size is 0 speedup is 0.00

    Step 4: ############### Test with SCP process with full debug/verbose view ##################

    - You will be able to observe that both id_rsa and id_dsa are being requested.

    ec2-user@ip-10-0-0-126 VAPP-14.2.0 (10.0.0.126 / 18.207.101.119):/tmp > touch bbbb
    ec2-user@ip-10-0-0-126 VAPP-14.2.0 (10.0.0.126 / 18.207.101.119):/tmp > scp -4 -v -oCheckHostIP=no -oConnectTimeout=60 -oNumberOfPasswordPrompts=0 -oStrictHostKeyChecking=no -oGSSAPIAuthentication=no -oConnectionAttempts=5 /tmp/bbbb 10.0.0.89:/tmp/bbbb
    Executing: program /usr/bin/ssh host 10.0.0.89, user (unspecified), command scp -v -t /tmp/bbbb
    OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 58: Applying options for *
    debug1: Connecting to 10.0.0.89 [10.0.0.89] port 22.
    debug1: fd 3 clearing O_NONBLOCK
    debug1: Connection established.
    debug1: identity file /home/ec2-user/.ssh/id_rsa type 1
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/ec2-user/.ssh/id_rsa-cert type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/ec2-user/.ssh/id_dsa type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/ec2-user/.ssh/id_dsa-cert type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/ec2-user/.ssh/id_ecdsa type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/ec2-user/.ssh/id_ecdsa-cert type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/ec2-user/.ssh/id_ed25519 type -1
    debug1: key_load_public: No such file or directory
    debug1: identity file /home/ec2-user/.ssh/id_ed25519-cert type -1
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_7.4
    debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
    debug1: match: OpenSSH_7.4 pat OpenSSH* compat 0x04000000
    debug1: Authenticating to 10.0.0.89:22 as 'ec2-user'
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: algorithm: curve25519-sha256
    debug1: kex: host key algorithm: ecdsa-sha2-nistp256
    debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha1 compression: none
    debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha1 compression: none
    debug1: kex: curve25519-sha256 need=20 dh_need=20
    debug1: kex: curve25519-sha256 need=20 dh_need=20
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    debug1: Server host key: ecdsa-sha2-nistp256 SHA256:nqT2CqmvFx1h8JjXm9pghKkfcckQmS3ESHCbedzCHu8
    debug1: Host '10.0.0.89' is known and matches the ECDSA host key.
    debug1: Found key in /home/ec2-user/.ssh/known_hosts:1
    debug1: rekey after 4294967296 blocks
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: rekey after 4294967296 blocks
    debug1: SSH2_MSG_EXT_INFO received
    debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,password
    debug1: Next authentication method: publickey
    debug1: Offering RSA public key: /home/ec2-user/.ssh/id_rsa
    debug1: Server accepts key: pkalg rsa-sha2-512 blen 279
    debug1: Trying private key: /home/ec2-user/.ssh/id_dsa
    debug1: Authentication succeeded (publickey).
    Authenticated to 10.0.0.89 ([10.0.0.89]:22).
    debug1: channel 0: new [client-session]
    debug1: Requesting no-more-sessions@openssh.com
    debug1: Entering interactive session.
    debug1: pledge: network
    debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
    debug1: Sending environment.
    debug1: Sending env LANG = en_US.UTF-8
    debug1: Sending command: scp -v -t /tmp/bbbb
    Sending file modes: C0664 0 bbbb
    Sink: C0664 0 bbbb
    bbbb 100% 0 0.0KB/s 00:00
    debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
    debug1: channel 0: free: client-session, nchannels 1
    debug1: fd 0 clearing O_NONBLOCK
    debug1: fd 1 clearing O_NONBLOCK
    Transferred: sent 2984, received 2232 bytes, in 0.1 seconds
    Bytes per second: sent 33965.1, received 25405.5
    debug1: Exit status 0

    This process is useful if there are files in the ec2-user home folder or tmp files, e.g. PATCHES, that you would like to copy from server to server without placing them under the /opt/CA/VirtualAppliance/custom/IdentityManager folder structure and using the sync_vapp alias.

    Cheers, 

    Alan
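As an added check, not part of Alan's post or of the vApp: a small Python audit that classifies each file under ~/.ssh by its content (the way OpenSSH's identity loading does, which is why a PEM private key saved as id_dsa still works in Step 4) and flags private-key material that is not mode 0600, the reminder given in Step 2. The sample directory it builds mirrors the `ls -lart` listing above with placeholder key bodies; `classify_key_file`, `audit_ssh_dir` and `build_sample_dir` are names chosen here.

```python
import os
import stat
import tempfile

PRIVATE_MARKER = b"PRIVATE KEY-----"
PUBLIC_PREFIXES = (b"ssh-rsa ", b"ssh-dss ", b"ssh-ed25519 ", b"ecdsa-sha2-")


def classify_key_file(path):
    """Classify by content, not name: a PEM private key saved as id_dsa is still a private key."""
    with open(path, "rb") as fh:
        head = fh.read(4096)
    if PRIVATE_MARKER in head:
        return "private"
    if head.lstrip().startswith(PUBLIC_PREFIXES):
        return "public"
    return "other"


def audit_ssh_dir(ssh_dir):
    """Return (level, message) findings: WARN for a permission problem, INFO for a layout note."""
    findings = []
    dmode = stat.S_IMODE(os.stat(ssh_dir).st_mode)
    if dmode & 0o077:
        findings.append(("WARN", f".ssh directory mode {dmode:04o}, expected 0700"))
    for name in sorted(os.listdir(ssh_dir)):
        path = os.path.join(ssh_dir, name)
        mode = stat.S_IMODE(os.stat(path).st_mode)
        kind = classify_key_file(path)
        if kind == "private" and mode & 0o077:
            findings.append(("WARN", f"{name}: private key readable by group/other ({mode:04o}), expected 0600"))
        if kind == "public" and name.startswith("id_"):
            findings.append(("INFO", f"{name}: holds a public key, so ssh must find the private key in another identity file"))
    return findings


def build_sample_dir(weak=False):
    """Constructed layout mirroring the post's listing; key bodies are placeholders, not real keys."""
    ssh_dir = tempfile.mkdtemp()  # mkdtemp creates the directory with mode 0700
    pub = b"ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER aws-new\n"
    pem = b"-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n"
    files = {"authorized_keys": (pub, 0o600), "id_rsa": (pub, 0o600), "id_dsa": (pem, 0o600),
             "aws-new.pem": (pem, 0o600), "known_hosts": (b"10.0.0.89 ecdsa-sha2-nistp256 PLACEHOLDER\n", 0o644)}
    for name, (body, mode) in files.items():
        path = os.path.join(ssh_dir, name)
        with open(path, "wb") as fh:
            fh.write(body)
        os.chmod(path, mode)
    if weak:  # reproduce the mistake the post's 0600 reminder guards against
        os.chmod(ssh_dir, 0o755)
        os.chmod(os.path.join(ssh_dir, "id_dsa"), 0o644)
    return ssh_dir
```

Run `audit_ssh_dir(os.path.expanduser("~/.ssh"))` on a real host to get the same findings for the live ec2-user layout.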