Forum / Remote Desktop Manager - Support (Deutsch)

Evaluation disaster: Key-based access to AWS EC2 Ubuntu server


Hi, I'm a bit stumped evaluating your product. I created a few individual bug and feature requests, but would like to describe my complete use case, so you have the whole context.

I have an AWS EC2 Ubuntu server, to which I need key-based SSH, SCP and SFTP access for both automated build-tools and manual administration.

I'm also evaluating jumpcloud to push public keys to the server, which works so far.

So first I create a private key entry. Here I immediately hit the first problem: There is no button to generate a key, just load or paste.

So I close the new key entry wizard and head over to the SSH Key Generator and generate a key. It doesn't remember my last used key size, so I have to remember to change the setting. Same for the comment. If there was a button in the private key entry, it could offer the same settings as in the currently saved key.

I generate the key and click save, and it offers to save by default as PKCS#8, which is the only format in the dropdown that is understood by neither (!) WinSCP nor FileZilla (this alone cost me hours to figure out). Please make the SSH Key generator suggest putty private key by default (understood by WinSCP and FileZilla), and / or save my last used setting.

Ok so I save as putty private key on the desktop, create a new private key entry in RDM, and load the key from the desktop.

I'm already thinking ahead to key rotation, and what can go wrong with all those manual steps and pitfalls.

Next I want to test SSH access, and I look for PuTTY, but only see SSH Shell. I'm confused, because for SFTP there is built-in, WinSCP and FileZilla, but for SSH there is only one option. So is this built-in? PuTTY? Something else?

Anyway, I create the SSH entry, put hostname and pick the private key from the credentials repository.

Connection works immediately, nice! (jumpcloud had enough time to push the key in the meantime...)

Ok now SFTP access, first WinSCP: I create the entry, set the host, switch from FTP to SFTP and select the private key from the credentials repository.

Connection: Works immediately, nice!

But alas, I cannot create a new file in my user's home directory, the error message says "Unable to use key file <path to temp dir>". I head over to the temp dir, delete everything (because the path was in the temp dir root, not inside RDM subfolder). I open another WinSCP session, and see the putty key file appear, and then after successful connection immediately disappear. What?

I head back to the private key entry and change the type from "Data" to "File", although why would I then use RDM in the first place, if I have to store the key file somewhere else?

Ok, that worked, I was able to connect and create a new file in my home dir.

Now, I'm already thinking, what's the point in using RDM, if I cannot use WinSCP with the private key stored as data inside RDM data source?

Anyway, next I try to create a new folder in the root dir, which fails as expected because I am not logged in as root. I try to find the setting in the WinSCP entry properties to configure the server command to "sudo on login", but there is no such configuration available. There is for the built-in SFTP, but not for WinSCP (I created a feature request for this).

Now I give up with WinSCP, both problems (data key and sudo on login) are blockers.

Out of curiosity, I also try FileZilla, even though I know it cannot do sudo on login (or at least I do not know how). I also created a feature request on the FileZilla issue tracking site for this.

I create a new SFTP FileZilla entry, set the host, switch from FTP to SFTP and select the private key from the credentials repository.

I try to connect, but no, FATAL ERROR: No supported authentication methods available (server sent: publickey).

I open FileZilla standalone, create a new site, enter host, change protocol to SFTP, logon type key file and make sure to select the same (putty) key file (on the desktop) that I configured for the private key entry in RDM. And voilà connection works immediately.

So the RDM FileZilla connection with key-based authentication doesn't work at all?

Maybe I'm just going at this completely the wrong way, I don't know. I do know that I wasted all of Christmas trying to figure all of this out for a single test user with a single test server.

And what about build automation, how would I manage keys for that?
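The format mix-up described above (a PKCS#8 file saved by default, a PuTTY `.ppk` needed by WinSCP and FileZilla, and a key file that turned out to be unencrypted on disk) is easy to catch before a key is loaded into any tool. The following is an added example, not code from the thread or from Remote Desktop Manager: a small Python checker that identifies a private key's on-disk format from its header, reports whether the key material is passphrase-protected, and flags whether the file can be handed as-is to PuTTY-based clients. The sample keys are constructed placeholders with no real key material; the "ready for PuTTY-based clients" flag reflects the poster's report that only the PPK format was accepted, which is an assumption about those clients rather than something verified here.

```python
"""Identify an SSH private key's on-disk format before handing it to a client.

Added example (not part of the forum thread or of RDM). All sample keys below
are constructed placeholders; none contains real key material.
"""
import base64
import re
import struct
from dataclasses import dataclass
from typing import Optional


@dataclass
class KeyInfo:
    fmt: str                  # human-readable format name
    encrypted: Optional[bool]  # None = could not be determined from the file
    ppk_ready: bool           # usable as-is by PuTTY-based clients (assumption from the thread)


# PEM label -> format name. PKCS#8 is the default the poster hit; PPK is what the clients wanted.
PEM_FORMATS = {
    "OPENSSH PRIVATE KEY": "OpenSSH native private key",
    "RSA PRIVATE KEY": "PKCS#1 (traditional PEM) RSA private key",
    "EC PRIVATE KEY": "SEC1 (traditional PEM) EC private key",
    "PRIVATE KEY": "PKCS#8 unencrypted private key",
    "ENCRYPTED PRIVATE KEY": "PKCS#8 encrypted private key",
}


def identify_key(text: str) -> KeyInfo:
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if not lines:
        return KeyInfo("empty", None, False)
    first = lines[0]

    # PuTTY .ppk: plain-text header fields; "Encryption: none" means the key is stored in clear.
    if first.startswith("PuTTY-User-Key-File-"):
        version = first.split(":")[0].rsplit("-", 1)[1]
        enc = next((ln.split(":", 1)[1].strip() for ln in lines if ln.startswith("Encryption:")), "")
        return KeyInfo(f"PuTTY private key (PPK v{version})", enc not in ("", "none"), True)

    m = re.fullmatch(r"-----BEGIN (.+)-----", first)
    if not m or m.group(1) not in PEM_FORMATS:
        return KeyInfo("unknown", None, False)
    label = m.group(1)
    fmt = PEM_FORMATS[label]

    if label == "ENCRYPTED PRIVATE KEY":
        return KeyInfo(fmt, True, False)
    if label == "PRIVATE KEY":
        return KeyInfo(fmt, False, False)
    if label in ("RSA PRIVATE KEY", "EC PRIVATE KEY"):
        # Traditional PEM signals a passphrase with an RFC 1421 "Proc-Type: 4,ENCRYPTED" header.
        encrypted = any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines)
        return KeyInfo(fmt, encrypted, False)

    # OpenSSH native format: after the "openssh-key-v1\0" magic comes a length-prefixed cipher name.
    body = base64.b64decode("".join(lines[1:-1]))
    magic = b"openssh-key-v1\x00"
    if not body.startswith(magic) or len(body) < len(magic) + 4:
        return KeyInfo(fmt, None, False)
    off = len(magic)
    (n,) = struct.unpack(">I", body[off:off + 4])
    cipher = body[off + 4:off + 4 + n].decode("ascii", "replace")
    return KeyInfo(fmt, cipher != "none", False)


# --- constructed samples (no real key material) -------------------------------------------
SAMPLE_PPK_UNENCRYPTED = """PuTTY-User-Key-File-3: ssh-ed25519
Encryption: none
Comment: constructed sample, not a real key
Public-Lines: 0
Private-Lines: 0
Private-MAC: 00
"""

SAMPLE_PKCS8 = """-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQ=
-----END PRIVATE KEY-----
"""


def constructed_openssh_key(cipher: str) -> str:
    """Build just enough of an OpenSSH-format body to carry a cipher name (placeholder, not a key)."""
    body = b"openssh-key-v1\x00" + struct.pack(">I", len(cipher)) + cipher.encode() + b"\x00" * 8
    b64 = base64.b64encode(body).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


if __name__ == "__main__":
    for name, sample in [("ppk", SAMPLE_PPK_UNENCRYPTED), ("pkcs8", SAMPLE_PKCS8),
                         ("openssh", constructed_openssh_key("aes256-ctr"))]:
        print(name, identify_key(sample))
```

Run against a key file's contents before importing it: a `ppk_ready` of `False` means the file is one of the formats the poster found the SFTP clients rejecting and needs converting first, and an `encrypted` of `False` means the key sits on disk in clear, which matters for the temp-directory copies described in the thread.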


Hi,

I am the product owner for the PAM (privileged access management) area of our Devolutions Password Server and I’m grateful that you’ve taken the time to describe this. Key generation and rotation would be a feature of the server. That being said, you go over the needed workflows in a way that makes it easier for us programmers to understand. I will try to find all of your tickets and aggregate all of this in one or more stories. I would like to offer a remote session with one of our second line specialists so we catch all of the subtleties as soon as possible. The one I had in mind comes back only on the 6th though. I could do it myself on the 3rd and record the session for our engineering team... Please let me know if it’s of interest to you. Having a clear input makes things much quicker to implement.

Best regards



Maurice Côté



Thank you very much for listening.

I don't really have a workflow. I'm reading documents like https://tools.ietf.org/html/draft-ylonen-sshkeybcp-01, and I'm trying to do better than using root access for everything, but it's incredibly hard to get any work done.

Anyway, I will gladly do a remote session.


Hello,

Sorry for the delay of our response.

Please send us an email at ticket@devolutions.net to open a ticket so that we can schedule a remote session with you regarding this thread.

Best regards,



Jeff Dagenais
