Add password to keytool command - batch-file

I've made a .bat file to get the SHA1 of my Android app so I don't need to type the command each time
keytool -list -v -keystore "Path/To/My/Key.jks"
When I run the bat file I get asked for the password. Is it possible to either put the password in the command e.g. something like --password MyPassword, or in the .bat file wait for the Enter your password line, and then send the password? I don't have any experience really with .bat files so I don't know if that's possible to do or not.
I looked at the --help for keytool and the only password flags I could see were for changing the password, not specifying it.

The keytool that ships with the Oracle JDK allows you to specify it on the command line with -storepass; you were doing keytool -help instead of keytool -list -help. (I suppose the Android version is the same.)
C:\>keytool.exe -list -help
keytool -list [OPTION]...
Lists entries in a keystore
Options:
-rfc output in RFC style
-alias <alias> alias name of the entry to process
-keystore <keystore> keystore name
-storepass <arg> keystore password
-storetype <storetype> keystore type
-providername <providername> provider name
-providerclass <providerclass> provider class name
-providerarg <arg> provider argument
-providerpath <pathlist> provider classpath
-v verbose output
-protected password through protected mechanism
Use "keytool -help" for all available commands

Specify the keystore password using the -storepass option:
keytool <commands and options> -storepass changeit
changeit being the default keystore password, but use whatever.
For example, to add a certificate using the default password:
keytool -importcert -trustcacerts -alias mycert -file mycert.cer -keystore .../lib/security/cacerts -storepass changeit

As @sastorsl said, if you are worried about putting your password in clear text in your command or script (and you should), you should put your password in a secure file (with 0400 permissions, in Linux) or in an environment variable.
Now keytool does have a similar construct to openssl's file:<filename>, if your password is in a file:
keytool <commands and options> -storepass:file <pass_file>
If your password is in an environment variable:
keytool <commands and options> -storepass:env <pass_var>
Disclaimer: I have tested the -storepass:file option in Bash (not in Windows), but the documentation does not seem to have any difference according to the OS.
From the Oracle keytool doc:
-storepass [:env | :file ] argument
The password that is used to protect the integrity of the keystore.
If the modifier env or file isn’t specified, then the password has the value argument, which must contain at least six characters. Otherwise, the password is retrieved as follows:
env: Retrieve the password from the environment variable named argument.
file: Retrieve the password from the file named argument.
Note: All other options that require passwords, such as -keypass, -srckeypass, -destkeypass, -srcstorepass, and -deststorepass, accept the env and file modifiers. Remember to separate the password option and the modifier with a colon (:).
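The following is an added example, not code from any of the answers: a POSIX shell wrapper that stores the password in a 0400 file and refuses to call keytool with -storepass:file unless that file is owner-only. The function names and the paths passed to them are hypothetical.

```shell
#!/bin/sh
# Added example (not from the answers): keytool invoked with -storepass:file
# so the keystore password never appears in argv or in the script.
# Function names and paths are hypothetical.

# Store a password read from stdin in a new file with mode 0400.
write_pass_file() {   # usage: printf '%s\n' "$pw" | write_pass_file <path>
    ( umask 077 && cat > "$1" ) && chmod 0400 "$1"
}

# Print the octal permission bits (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Succeed only when the file exists and group/other have no access at all.
pass_file_is_private() {
    [ -f "$1" ] || return 1
    case "$(file_mode "$1")" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# List a keystore; refuses to run if the password file is too open.
list_keystore() {     # usage: list_keystore <keystore> <pass_file>
    if ! pass_file_is_private "$2"; then
        echo "refusing: $2 must be readable by its owner only" >&2
        return 1
    fi
    keytool -list -v -keystore "$1" -storepass:file "$2"
}

# Variant for a password held in an environment variable: only the
# variable's NAME is passed. On Linux the environment is still readable by
# other processes of the same user, so prefer the file form on shared hosts.
list_keystore_env() { # usage: list_keystore_env <keystore> <var_name>
    keytool -list -v -keystore "$1" -storepass:env "$2"
}

# Run as: sh this_script.sh /path/to/key.jks /path/to/key.pw
if [ "$#" -eq 2 ]; then
    list_keystore "$1" "$2"
fi
```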

If you are worried about storing your password in a script, and for it to turn up in your command line history - which you should be, store the password in a separate file instead, secure it, and reference it.
NB! This is Linux / bash specific, and OP seems to be on Windows, but I hope this can help somebody else.
keytool -list -v -keystore "Path/To/My/Key.jks" -storepass $(cat < <(cat bin/.pw))
If only keytool would have the file:<filename> construct which the openssl client has.

Related

Configuring rundeck with ldap for AD authentication

Trying here to see if anyone has worked out LDAP auth against AD with rundeck. I am using the JRE running method for rundeck. Here is what I have done so far:
I have set up the jaas-ldap.conf as shown on Rundeck authentication users page
I have requested for a ssl certificate from my admin. To use ldaps rundeck requires ssl cert or so it's written on their site. After getting the cert, they mention following two steps:
Once a certificate has been obtained. There are two options for adding the certificate. The first involves updating the truststore for the JRE. If that is not possible or not desirable, then one can set the truststore to be used by the jvm, using any arbitrary truststore that contains the appropriate certificate.
Both options require importing a certificate. The following would import a certificate called, AD.cert into the /etc/rundeck/ssl/truststore.
keytool -import -alias CompanyAD -file AD.cert -keystore /etc/rundeck/ssl/truststore -storepass adminadmin
To add the certificate to the JRE, locate the file $JAVA_HOME/lib/security/cacerts and run
keytool -import -alias CompanyAD -file AD.cert -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit
To verify your CA has been added, run keytool list and look for CompanyAD in the output.
keytool -list -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit
This is where I am running into issue. I have imported my certificate to the java truststore under $JAVA_HOME/lib/security/cacerts. The ssl.properties files also ask for a keystore, keystore.password, key.password parameters. Now, am I supposed to create a new keystore or omit these and just use the truststore variables?
I also tried creating a new keystore (.jks) and imported the same ssl certificate to it setting keypass and storepass. This did not help. I am getting error saying java.io.IOException: Keystore was tampered with, or password was incorrect
I am deploying the jar using - java -Dloginmodule.conf.name=jaas-ldap.conf -Dloginmodule.name=ldap -Drundeck.ssl.config=ssl.properties -jar rundeck-launcher-2.6.4.jar
I'd appreciate help passing through this.
There is no need to ask your admin for the ssl certificate. If your organization uses ldaps and the certificate installed on the ldap server is a self signed cert which is not in your keystore, then you need to add the cert to your JVM keystore. Now to get that certificate run the below query
openssl s_client -connect <ldapserver>:636
This will give some output with -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. Copy the text between these strings to a file ldap.cert.
keytool -import -alias CompanyAD -file ldap.cert -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit
If your keystore has been tampered with, you will probably have to reinstall Java on the system.

Using psexec.exe in jenkins, handle is invalid

I am using Jenkins on a Windows7 system. I would like to use it to execute a batch script on a remote Windows system. The batch script will be used to flash a development board and run some tests. I came across psexec.exe. That works well through a command prompt window--I can connect and run the script without any issues, but when I try to have Jenkins do it, I get the following output:
PsExec v2.11 - Execute processes remotely
Copyright (C) 2001-2014 Mark Russinovich
Sysinternals - www.sysinternals.com
The handle is invalid.
Connecting to ABCDEFG...
Couldn't access ABCDEFG:
Connecting to ABCDEFG...
Build step 'Execute Windows batch command' marked build as failure
The command I am using in both cases is:
psexec.exe \\ABCDEFG -u "DOMAIN\username" -p "password" "C:\test.bat"
The user associated with username has administrator privileges on the remote system (ABCDEFG is not the real name of the system).
Can anyone help me figure out why it is not working through Jenkins? Or, is there an easier/better way to execute a batch script on a remote Windows system through Jenkins?
Thanks to all your help, especially Technext, I have a solution.
I needed to run "services.msc", find "Jenkins", right click on it, and go to "Properties". Once the properties window appeared, I had to click the "Stop" button to stop Jenkins, open the "Log On" tab, enter my username and password (the username I used when running through command prompt), and start Jenkins again. That got rid of the "handle is invalid" message in Jenkins.
Update:
A better solution was to go onto the system I was using psexec.exe to get onto, go to Control Panel > User Accounts > Give other users access to this computer. Click on "Add..." and type in the username and domain Jenkins uses to run its commands (to find this, open your Jenkins in a browser window, go to Manage Jenkins > System Information and look for USERNAME and USERDOMAIN under Environment Variables). Make sure you give it Administrator rights. Then click ok. Now psexec.exe shouldn't have the "handle is invalid" issue.
Sorry, I don't have enough reputation for comments, but is the single \ a typo? Since
The handle is invalid.
probably means that the computer address is invalid. Try
psexec.exe \\ABCDEFG -u "DOMAIN\username" -p "password" "C:\test.bat"
Notice the two backslashes to access a locally mapped computer.
Otherwise, if that does not work, I recommend the @ tag
psexec.exe @servername.txt -u "DOMAIN\username" -p "password" "C:\test.bat"
where @servername.txt is a text file containing only the server names, one per line. The file parameter handles the formatting of \
ex servername.txt
ABCDEFG
COMPUTER2
EDIT: also found after some quick googling that it can be related to windows security.
Check out that a simple restart of the remote machine doesn't solve the problem. Also, adding parameters -h and -accepteula may help. Modified command:
psexec.exe \\ABCDEFG -u "DOMAIN\username" -p "password" -h -accepteula "C:\test.bat"
I execute the code below from a Jenkins pipeline Groovy script to connect a dynamically created VM as a resource on the Jenkins master. The code below connects the dynamically created VM as a resource on the Jenkins master with 4 executors. You can change the number of executors based on your requirement.
bat label: 'ConnectResource', script: """
@echo OFF
C:\\apps\\tools\\psexec \\\\${machine_ip} -u ${machine_ip}\\${machine_username} -p ${machine_password} -accepteula -d -h -i 1 cmd.exe /c "cd C:\\apps\\jenkins\\ & java -jar C:\\apps\\jenkins\\swarm.jar -master http://pnlv6s540:8080 -username ${jenkins_user_name} -password ${jenkins_user_password} -name ${machine_ip}_${BUILD_NUMBER} -labels ${machine_ip}_${BUILD_NUMBER} -deleteExistingClients -disableClientsUniqueId -executors 4" & ping 127.0.0.1 -n 60 > nul
"""

Command to automatically input password for pscp

I want to copy some files to a remote Linux system from my Windows PC using pscp (from putty). I wrote a small script that calls the pscp commands in this way:
"C:\Users\hp\Desktop\pscp.exe" -scp C:\Users\hp\Desktop\scripts\* root@192.168.1.177:/root/scripts
"C:\Users\hp\Desktop\pscp.exe" -scp C:\Users\hp\Desktop\scripts2\* root@192.168.1.177:/root/scripts2
pause
But when I launch this bat script, I'm asked to input the password, so I input the password manually.
Is there a way to input the password automatically through the batch file?
pscp -pw yourPasswordHere C:\Users\testUser\Downloads\test.sh testUser@123.123.123.123:/home/testUser
I've noticed that no one posted sample of that command with -pw option.
From putty documentation
5.2.2.6 -pw passw login with specified password
If a password is required to connect to the host, PSCP will
interactively prompt you for it. However, this may not always be
appropriate. If you are running PSCP as part of some automated job, it
will not be possible to enter a password by hand. The -pw option to
PSCP lets you specify the password to use on the command line.
You can work this stuff out for yourself. Use the /? option to see the help. The pertinent parts are included below.
>pscp /?
PuTTY Secure Copy client
Release 0.60
Usage: pscp [options] [user@]host:source target
pscp [options] source [source...] [user@]host:target
pscp [options] -ls [user@]host:filespec
Options:
......
-l user connect with specified username
-pw passw login with specified password
......
Use the -l and -pw options to specify a user and password.
So whilst that answers the specific question that you asked, the real opportunity for you is to learn how to obtain documentation from command line utilities.
Use putty to set up a remote login without a password. This will involve the puttygen command. You will need a private key and the target will need a public key. Once you verified that you have a good private key file and login without typing a password, you can reference it with the "-i" private key option on pscp. You might be able to set up the key without the putty connect if it isn't allowed, but this is the easiest way. Just say no to passwords in the clear:
C:\Users\riglerjo>pscp -i .ssh\rigler_rsa.ppk test.txt rigler@rigler.org:.
test.txt | 0 kB | 0.0 kB/s | ETA: 00:00:00 | 100%
If you're copying a local file to a remote directory use:
pscp -pw yourPasswordHere C:\Users\testUser\Downloads\test.sh testUser@10.10.10.10:/home/testUser
If you're copying a remote file to a local directory use:
pscp -pw yourPasswordHere testUser@10.10.10.10:/home/testUser/test.sh C:\Users\testUser\Downloads\
sshpass -p'password' pscp -A -H "ip" -t 20 -l root /var/www/html/temp_santosh.txt /tmp/
You can use sshpass with -p option just before pscp

How to send password using sftp batch file

I'm trying to download a file from sftp site using batch script. I'm getting the following error:
Permission denied (publickey,password,keyboard-interactive).
Couldn't read packet: Connection reset by peer
When running the command:
sftp -b /home/batchfile.sftp <user>@<server ip>:<folder>
the batchfile.sftp includes these data:
password
lcd [local folder]
cd [sftp server folder]
get *
bye
Note: It's working when running at the prompt as
sftp <user>@<server ip>:<folder>
But I need the ability to enter the password automatically.
You'll want to install the sshpass program. Then:
sshpass -p YOUR_PASSWORD sftp -oBatchMode=no -b YOUR_COMMAND_FILE_PATH USER@HOST
Obviously, it's better to setup public key authentication. Only use this if that's impossible to do, for whatever reason.
If you are generating a heap of commands to be run, then call that script from a terminal, you can try the following.
sftp login@host < /path/to/command/list
You will then be asked to enter your password (as per normal) however all the commands in the script run after that.
This is clearly not a completely automated option that can be used in a cron job, but it can be used from a terminal.
I advise you to run sftp with -v option. It becomes much easier to fathom what is happening.
The manual clearly states:
The final usage format allows for automated sessions using the -b
option.
In such cases, it is necessary to configure non-interactive authentication
to obviate the need to enter a password at connection time (see
sshd(8) and ssh-keygen(1) for details).
In other words you have to establish a publickey authentication. Then you'll be able to run a batch script.
P.S.
It is wrong to put your password in your batch file.
You mention batch files, am I correct then assuming that you're talking about a Windows system? If so you cannot use sshpass, and you will have to switch to a different option.
Two of such options, that follow diametrically opposite philosophies are:
psftp: command-line tool that you can call from within your batch scripts; psftp is part of the PuTTY package and you can find it here http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
Syncplify.me FTP Script: a scriptable FTP/S and SFTP client for Windows that allows you to store your password in encrypted "profile files"; check it out here http://www.syncplify.me/products/ftp-script/
Either way, switching from password to PKI authentication is strongly recommended.
PSFTP -b path/file_name.sftp user@IP_server -hostkey 1e:52:b1... -pw password
the file content is:
lcd "path_file for send"
cd path_destination
mput file_name_to_send
quit
to have the hostkey run:
psftp user@IP_SERVER
You need to use the command pscp and forcing it to pass through sftp protocol. pscp is automatically installed when you install PuttY, a software to connect to a linux server through ssh.
When you have your pscp command here is the command line:
pscp -sftp -pw <yourPassword> "<pathToYourFile(s)>" <username>@<serverIP>:<PathInTheServerFromTheHomeDirectory>
These parameters (-sftp and -pw) are only available with pscp and not scp. You can also add -r if you want to upload everything in a folder in a recursive way.
This command will help you
sshpass -p MYPASSWORD sftp MYUSERNAME@HOST
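Several answers in these threads warn against leaving passwords in scripts. As an added example that is not part of any answer, this POSIX shell check reports which lines of a script pass a literal secret through the flags discussed above (-storepass, -keypass, -pw, sshpass -p, psexec -p). The sample script, its hosts and passwords are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag script lines that pass a literal secret on the command
# line. The sample script below is constructed; function names are hypothetical.

# -storepass/-keypass/-pw followed by a value, "sshpass -p", and "psexec ... -p".
# "-storepass:file" and "-storepass:env" do not match: ':' follows the flag.
INLINE_SECRET_RE='(-(storepass|keypass|pw)[[:space:]]+[^[:space:]]|sshpass[[:space:]]+-p|psexec(\.exe)?[[:space:]].*[[:space:]]-p[[:space:]])'

# Print only the line numbers of hits, so the secrets are not copied into logs.
flagged_lines() {     # usage: flagged_lines <script>
    grep -nEi -e "$INLINE_SECRET_RE" "$1" | cut -d: -f1 | paste -sd' ' -
}

# Constructed sample mixing inline passwords with the safer forms.
write_sample() {      # usage: write_sample <path>
    cat > "$1" <<'EOF'
keytool -list -v -keystore app.jks -storepass changeit
keytool -list -v -keystore app.jks -storepass:file C:\secure\ks.pw
pscp -pw hunter2 build.zip deploy@192.0.2.10:/srv/in
pscp -i deploy.ppk build.zip deploy@192.0.2.10:/srv/in
sshpass -p hunter2 sftp -b cmds.sftp deploy@192.0.2.10
psexec.exe \\HOST1 -u "DOM\svc" -p "hunter2" C:\test.bat
sftp -b cmds.sftp deploy@192.0.2.10
EOF
}

sample=$(mktemp)
write_sample "$sample"
echo "lines with inline secrets: $(flagged_lines "$sample")"
rm -f "$sample"
```

The match is on flag shape only, so a hit such as `-storepass changeit` on the default cacerts password still needs a human decision.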

Trouble Generating MD5 Fingerprint for Google Maps API key

I have a problem. When I open command prompt this is already entered C:\Documents and Settings\Chris>
In my Java program file, there are 3 java folders, i.e jdk1.6.0_13, jdk1.6.0_18 and jdk1.6.0_23...I figured the last two must be updates. this is what I entered on the Command Prompt.
C:\Program Files\Java\jdk1.6.0_13\bin>keytool.exe -list -alias androiddebugkey -keystore "C:\Documents and Settings\Chris.android\debug.keystore" -storepass android -keypass android
After hitting 'Enter', the awful message that says "....is not recognized an internal or external command, operable program or batch file' appeared. What did I do wrong?
Use this command to get your MD5 fingerprint.
C:\Program Files\Java\jdk1.6.0_16\bin>keytool -list -alias androiddebugkey
-keystore "Your debug key location" -storepass android -keypass android
You can also get a full tutorial at http://www.androidcookers.co.cc/2011/12/show-google-map-on-your-android-app.html
