Maxims, rules of thumb and other observations on human cognition and sociocultural affectations

This will be added to on an irregular basis...
  • What is said to humans directly is received with skepticism and considered with dubiousness while that which is heard in passing, especially that which most conforms to their mentality or prejudices, is readily believed.
  • Humans have a certain cognitive latency between exposure to new information or experiences and the ability to think dispassionately and intellectually about it.
  • Humans have a certain cognitive spectrum starting with the moment of exposure to new information or experiences and ending with some point at which the thing is effectively "in the past" for them.
  • This cognitive spectrum is linked to the emotional process often referred to as shock, anger, denial and acceptance.
  • The more and faster information or experiences are presented to people and the closer the quarters and the lesser the distance between people, the more their early reactions in the passionate emotional stage are reflected back to them in the manner of responses to those reactions from others in light of those responses.
  • The more outrages which are suffered without sufficient time to allow emotional bleed-off, the farther the bar for subsequent reaction and outrage are pushed, and the more further events must progress before reaction and outrage.
  • It is possible for serious detriments to eventually sit below this threshold for long enough for their damaging effects to build and multiply until their entire society undergoes some reactive convulsion.

Thursday, June 25, 2009

Stupid Network Tricks: SSH on Windows

Go here to find out about installing SSH on Windows in the first place.

Now go here to find my reply on getting “strictmodes yes” in ssh’s conf to work on Windows or read my copy below. After all, I did write it.

I found that in order for StrictModes yes to work on Windows XP Home edition, there is a simpler way of making the permissions correct than rebooting to safe mode.

First, the account you're doing the set-up from must be an admin acct if it isn't the one you're setting up for, and second, the acct you're setting up for must be an admin. For instance, let's call the acct we're setting up for "spike".

As you said, spaces are not well handled by this code. I found putting the home directory just off of c:\ was the best thing. I also decided to go with the .ssh notation so frequently used and so:

c:\spike\.ssh

Which is where the authorized_keys file must go. BUT, and here is the EXTREMELY HUGE ROSEANNE BARR SIZED BUT, you MUST NOT do it willy-nilly. I tried Windows Explorer AND at the command prompt. Both times it failed. Rebooting to safe mode was no help despite hours of messing with the permissions. What I found worked was much much simpler.

Once password based authentication is working for that acct, you log in to the server as that acct. Once at the prompt in Putty, you change directory to c:\ and then mkdir spike and cd spike and then mkdir .ssh. Now you've made those folders SOLELY as the userid in question and NOT as the system acct or the admin acct you may have been logged into Windows with.

Next trick, you take advantage of inheritance and change your directory in the Putty session window to wherever you made the authorized_keys file. Then copy authorized_keys c:\spike\.ssh\ and it copies to it. Now, thanks to inheritance that defaults on file and folder permissions under XP Home on NTFS, the folders AND the authorized_keys file will have the appropriate permissions.

DO NOT BY ANY MEANS modify those folders or that file from anywhere but within Putty, logged in as the userid in question. ANY other userid modification can cause it to change permissions and break StrictModes yes. At least, that's the way it has been behaving so far.
To test, I run Putty against the OpenSSH service running on the same machine by pointing at localhost.
Of course, having NTFS as the filesystem is also a must for this to work at all.

Also, to make it look in the home directory, edit the registry to make home c:\ and then use:
AuthorizedKeysFile /home/%u/.ssh/authorized_keys
Which in the example I gave would cause it to look in c:\spike\.ssh\authorized_keys. StrictModes yes should now work.

I also added this follow-on.

I forgot that you should also try using CACLS.EXE from c:\ and then you should get something like the following using my "spike" userid example.

C:\>cacls spike
C:\spike BUILTIN\Administrators:F
         BUILTIN\Administrators:(OI)(CI)(IO)F
         NT AUTHORITY\SYSTEM:F
         NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
         NT AUTHORITY\SYSTEM:F
         CREATOR OWNER:(OI)(CI)(IO)F
         BUILTIN\Users:R
         BUILTIN\Users:(OI)(CI)(IO)(special access:)
                       GENERIC_READ
                       GENERIC_EXECUTE
         BUILTIN\Users:(CI)(special access:)
                       FILE_APPEND_DATA
         BUILTIN\Users:(CI)(special access:)
                       FILE_WRITE_DATA

This is the state of permissions on my home directory with my current setup and StrictModes yes is working fine with it.

Not that most people see a need to get SSH to a Windows machine running such that they can do at a command prompt everything they could do at a DOS prompt, but you never know.

This way, you can set your config on that machine to require a key and not allow passwords.

If you want, farther down is this:

So you want to use SFTP with Ipswitch WS_FTP Pro... (well, you might...)
(This is for version 9.01 btw...)
First, go into WS_FTP Pro.
Options...
SSH
Client Keys
Create...
Then, Export and name your key how you like and then go into WordPad and look at the .pub file you exported.
This is how the Ipswitch WS_FTP Pro key will look when exported and viewed in WordPad:
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "Created by Ipswitch WS_FTP Pro"
(key gibberish)
(more key gibberish)
(yet more key gibberish)
(even more key gibberish)==
---- END SSH2 PUBLIC KEY ----
This is the correct format for a Unix box running OpenSSH. It isn't correct for OSSHfW.
Note the "==" at the end of the key. That is EXTREMELY important to have. Actually, you only really need the one “=” near as I can tell but why take chances I figure.
This is how it should look in the authorized_keys file for OpenSSH for Windows:

ssh-rsa (all the key gibberish in one line)== wsftp

You need the entire thing on ONE line, ONE return at the end, ONE key per line. The space and then the wsftp is my choice to identify the line as being my remote WS_FTP key. You could call it “susan” if you wanted.
So go to the copy of authorized_keys you left where you built it before copying within the SSH session and then edit it, putting in the key in the above format. When done, you should have something like this:

ssh-rsa (all the first key gibberish in one line)== spike
ssh-rsa (all the sftp key gibberish in one line)== wsftp

Once the editing is done, SSH in as before and go to the directory where your proper authorized_keys file is sitting and issue the command “rename authorized_keys authorized_keys.bak”, without using the quotes of course. Go to the directory where the edited authorized_keys is and copy it to the directory you were just in and then get out of the SSH session and go to Services in Windows and restart the OSSHfW service. Now restarted, it should have that key in its config.
Now you can go to WS_FTP and set up the site. This is what you need in addition to the address of the site and account information.

Site Options
Advanced
Server Type SFTP/SSH
Remote Port (the one you run OSSHfW on)
SSH
SSH Keypair (the key you created)

Try it out now and you should be able to SFTP using the key login. I generated the keys at work, e-mailed the public key to myself and when I got it at home, edited it and added it to my file and restarted the service. Next day it worked like a dream.

I use it to transfer files downloaded at work to my home machine and it works fine. The most important thing to remember is that the key generated with the Export function to the .pub file must be correctly edited. “ssh-rsa”(space)”key gibberish here”==(space)”your identifier here” is the format and it goes ALL ON ONE LINE, each key on a separate line.
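
The hand edit described above (exported SSH2 public key block to a one-line authorized_keys entry) can also be scripted. The Python below is an added example, not part of the original post and not code from WS_FTP or OpenSSH; the function names and the sample key are constructed for illustration, and it reads the key type from the key data and refuses a key whose base64 text was damaged in editing.

```python
import base64
import struct

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"

def rfc4716_to_authorized_keys(text, label):
    """Turn an exported SSH2 public key block into one authorized_keys line."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an SSH2 public key export")
    body, i = [], 1
    while i < len(lines) - 1:
        ln = lines[i]
        if ":" in ln:                    # header line, e.g. Comment: "..."
            while ln.endswith("\\") and i < len(lines) - 2:
                i += 1                   # a trailing backslash continues the header
                ln = lines[i]
        elif ln:
            body.append(ln)              # base64 never contains ':', so this is key data
        i += 1
    b64 = "".join(body)
    # Raises ValueError (binascii.Error) if padding or characters were lost in editing.
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("key data missing")
    (n,) = struct.unpack(">I", blob[:4])
    key_type = blob[4:4 + n].decode("ascii")   # algorithm name stored inside the key
    if "\n" in label or "\r" in label:
        raise ValueError("label must stay on one line")
    return f"{key_type} {b64} {label}"

def constructed_sample():
    """Build a fake export for the demo; the modulus is filler, not a usable key."""
    def field(b):
        return struct.pack(">I", len(b)) + b
    blob = field(b"ssh-rsa") + field(b"\x01\x00\x01") + field(b"\x00" + b"\xc3" * 65)
    b64 = base64.b64encode(blob).decode()
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return (f'{BEGIN}\nComment: "Created by Ipswitch WS_FTP Pro"\n'
            f"{wrapped}\n{END}\n")

SAMPLE = constructed_sample()

if __name__ == "__main__":
    print(rfc4716_to_authorized_keys(SAMPLE, "wsftp"))
```

Where ssh-keygen is available, `ssh-keygen -i -f` followed by the exported file name performs the same conversion, without the trailing label.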

Well, there you go. Next up, Tor, Stunnel, SocksCap, and Freenet among other stuff.