Posh-SSH
Get Fingerprint
First of all, thank you for this module. I have been using it in various projects for a few years - not sure what I would have done without it!
Would it be possible to implement a function which returns the fingerprint of a specified target server?
Ideally the fingerprint would be obtained prior to authentication. It wouldn't make sense from a security perspective to authenticate against a server, obtain the fingerprint and then upon examination of the fingerprint realise you just connected to a rogue server and provided it with your credentials.
My objective is to programmatically obtain the fingerprint of a server and check whether it has been trusted (resides in the registry) using Get-SSHTrustedHost.
I had the same idea a while ago. It is doable. Will add it to the 3.0 list
From: thecliguy Sent: Friday, January 5, 2018 10:40 PM To: darkoperator/Posh-SSH Cc: Subscribed Subject: [darkoperator/Posh-SSH] Get Fingerprint (#189)
Thanks for the swift response. Have you any hints how I might hack something together temporarily?
I have written a script which uses Posh-SSH and the primary means of providing input and displaying output is a winforms GUI. The console window is hidden (using the Win32 API) and requests for console input are suppressed.
This arrangement all works just fine except for one thing... When connecting to a server for the first time, Posh-SSH tries to request input on the console:
Server SSH Fingerprint
Do you want to trust the fingerprint zz:zz:zz:zz:zz:zz:z:zz:zz:zz:zz:zz:zz:zz:zz:zz
[] Y [] N [?] Help (default is "N"):
Because I suppress console input, the following error occurs: "Windows PowerShell is in NonInteractive mode. Read and Prompt functionality is not available."
So what I would like to do is obtain the fingerprint of the server and check if it has already been trusted:
- If it has been trusted, then we can just connect to the server.
- If it has not been trusted, then I will produce a prompt on my GUI to say:
  "Do you want to trust the fingerprint zz:zz:zz:zz:zz:zz:z:zz:zz:zz:zz:zz:zz:zz:zz:zz?" Yes/No
  - Yes: Create a new trust entry using New-SSHTrustedHost and then proceed to connect to the server.
  - No: Do not connect to the server.
My plan is to make the key a parameter and no longer depend on the registry or prompt for 3.0; if the proper key is not given or force used, it will create a terminating error.
From: thecliguy Sent: Friday, January 5, 2018 11:18 PM To: darkoperator/Posh-SSH Cc: Carlos Perez; Comment Subject: Re: [darkoperator/Posh-SSH] Get Fingerprint (#189)
One more related feature. Right now we do not have the fingerprint in the created session; it would be nice if we could get it:
$session = New-SSHSession ....
$session.Fingerprint
or something like this
I must second this request. A function to get the SSH fingerprint of a remote system and do nothing else would be extremely useful in automation, especially when using RSJobs ("hosts.json in use by another process" error, and when host keys change, like a redeployed server).
edit: I found an option that will suffice for now (and hopefully will help others). This assumes you have the OpenSSH client installed; it's available from GitHub (https://github.com/PowerShell/Win32-OpenSSH/releases) or in newer Windows OSes. The dash ("-") after -lf is part of the command.
# ssh-keyscan fetches the host key without authenticating; ssh-keygen hashes it (the "-" tells it to read the key from stdin)
$fp = ssh-keyscan HostNameHere | select-string "ed25519" | ssh-keygen -E md5 -lf -
# keep the "MD5:xx:xx:..." field, then drop the prefix and each octet's leading zero (first octet included) to match Posh-SSH's fingerprint format
(($fp -split " ")[1] -replace "^md5:", "") -replace "(^|:)0", '$1'
it's not as clean as i would expect can be made by darkoperator and contributors but it works well enough for now.
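The following is an added example, not code from the Posh-SSH project or from anyone in this thread. It turns the ssh-keyscan/ssh-keygen workaround above into a function and combines it with the workflow thecliguy described (get the fingerprint before authenticating, check it against Get-SSHTrustedHost, ask the GUI, store it with New-SSHTrustedHost, then connect). It assumes Posh-SSH 2.x cmdlet names and their SSHHost/Fingerprint output properties, an OpenSSH client on PATH, and that Posh-SSH stores MD5 fingerprints as lowercase hex octets without leading zeros (the single-character octet in the quoted prompt is the reason for that assumption). The function names, the -ConfirmTrust callback and the host name are hypothetical.

```powershell
# Added example (not from Posh-SSH or this thread's authors). Assumptions: Posh-SSH 2.x
# (Get-SSHTrustedHost / New-SSHTrustedHost / New-SSHSession), OpenSSH client on PATH, and
# Posh-SSH's fingerprint format being lowercase hex octets with leading zeros dropped.

function Get-SshHostFingerprint {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 22,
        # Key type to hash; it must be the key the server actually presents to Posh-SSH.
        [ValidateSet('ed25519', 'rsa', 'ecdsa')][string]$KeyType = 'ed25519'
    )
    # ssh-keyscan only runs the key-exchange part of the protocol: no credentials are ever sent.
    $keyLine = ssh-keyscan -p $Port -t $KeyType $ComputerName 2>$null |
        Where-Object { $_ -and $_ -notmatch '^#' } | Select-Object -First 1
    if (-not $keyLine) { throw "No $KeyType host key received from ${ComputerName}:$Port" }

    # ssh-keygen -lf - reads the key from stdin and prints "<bits> MD5:xx:xx:... <host> (<TYPE>)"
    $summary = $keyLine | ssh-keygen -E md5 -lf -
    if (-not $summary) { throw "ssh-keygen could not parse the host key for $ComputerName" }
    $md5 = ($summary -split '\s+')[1]
    if ($md5 -notmatch '^MD5:([0-9a-f]{2}:){15}[0-9a-f]{2}$') { throw "Unexpected fingerprint format: $md5" }

    # Normalise to the assumed Posh-SSH format: strip "MD5:" and every octet's leading zero.
    ($md5 -replace '^MD5:', '') -replace '(^|:)0', '$1'
}

function Connect-SshWithHostCheck {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][pscredential]$Credential,
        [int]$Port = 22,
        # Supplied by the GUI: receives (hostname, fingerprint) and returns $true to trust the key.
        [Parameter(Mandatory)][scriptblock]$ConfirmTrust
    )
    $offered = Get-SshHostFingerprint -ComputerName $ComputerName -Port $Port
    $known   = Get-SSHTrustedHost | Where-Object { $_.SSHHost -eq $ComputerName }

    if ($known -and $known.Fingerprint -ne $offered) {
        # A changed key is the case to be loudest about: never re-trust it silently.
        throw "Host key for $ComputerName changed (known $($known.Fingerprint), offered $offered); refusing to connect"
    }
    if (-not $known) {
        if (-not (& $ConfirmTrust $ComputerName $offered)) { return $null }   # user answered No
        New-SSHTrustedHost -SSHHost $ComputerName -Fingerprint $offered | Out-Null
    }
    # The key is now in the registry, so New-SSHSession compares against it and does not prompt.
    New-SSHSession -ComputerName $ComputerName -Port $Port -Credential $Credential
}

# Usage from a WinForms script (hypothetical host name): the callback replaces the console prompt.
# $confirm = {
#     param($HostName, $Fingerprint)
#     [System.Windows.Forms.MessageBox]::Show("Do you want to trust the fingerprint $Fingerprint for $HostName?",
#         'Server SSH Fingerprint', [System.Windows.Forms.MessageBoxButtons]::YesNo) -eq
#         [System.Windows.Forms.DialogResult]::Yes
# }
# $session = Connect-SshWithHostCheck -ComputerName 'HostNameHere' -Credential (Get-Credential) -ConfirmTrust $confirm
```

Two caveats a practitioner should keep in mind: ssh-keyscan gives you the key the network delivered, so the Yes/No dialog is still trust-on-first-use unless the fingerprint is compared with one obtained out of band, and the leading-zero stripping only matches what Posh-SSH stores if the assumption about its format holds for the version in use (compare one known-good registry entry first).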
Thanks @MVKozlov, I'm looking forward to a module version with Get-SSHHostKey included.