Hi,
I'm trying to make an acme-client automation that sftps a cert to an Ubuntu box via a jump host.
sftp works on the command line like so:
sudo -u root sftp -F /var/etc/acme-client/sftp-config/config user@host.behind.jump.host
I've configured ssh in /var/etc/acme-client/sftp-config/config and it seems to pick up my config, but I get a connection refused in the web UI like so:
Failed to connect to host.
{ "actions": [ "connecting" ], "success": false, "connection_closed": true, "error": "Connection closed.", "connect_failed": true }
My ssh config looks like this:
Host jump.host
    User user
    Port 22
    HostName <ip>
    HostKeyAlias jump.host
    IdentitiesOnly yes
    IdentityFile /var/etc/acme-client/sftp-config/id.ed25519
    PasswordAuthentication no

Host host.behind.jump.host
    User user
    Port 22
    HostName <private-ip>
    ProxyJump jump.host
    IdentityFile /var/etc/acme-client/sftp-config/id.ed25519
To me it seems that the web UI is running as some user that isn't root.
Any hints would be much appreciated!
Some further digging has found a workaround and a probable cause.
When running the uploader manually, it stops and asks for confirmation; answering yes here lets it cache the host keys correctly, and any subsequent upload now works.
$ sudo ./upload_sftp.php --log --host=host.behind.jump.host --port=22 --identity-type=ed25519 --user=user test-connection
INFO: Logging to stdout enabled
INFO: No host key specified, using existing known_hosts entry for 'host.behind.jump.host'
The authenticity of host '[192.168.1.5]:22 (<no hostip for proxy command>)' can't be established.
ED25519 key fingerprint is SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
No matching host key fingerprint found in DNS.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
INFO: SFTP: Warning: Permanently added '[192.168.1.5]:22' (ED25519) to the list of known hosts.
INFO: SFTP: Connected to host.behind.jump.host.
INFO: SFTP: sftp> pwd
INFO: SFTP: sftp> ls -la
INFO: SFTP: sftp> put '/tmp/sftp-upload-4PBEJw' 'sftp-upload-4PBEJw'
INFO: SFTP: Uploading /tmp/sftp-upload-4PBEJw to /home/user/sftp-upload-4PBEJw
INFO: SFTP: sftp> rm '/home/user/sftp-upload-4PBEJw'
INFO: SFTP: Removing /home/user/sftp-upload-4PBEJw
INFO: SFTP: sftp> exit
My "host.behind.jump.host" host has no public DNS name, is only known in the ssh config, and sits behind the jump host.
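An added example, not code from the acme-client plugin or from this thread, of how I would seed the host key instead of answering the prompt by hand or setting StrictHostKeyChecking to no. The web UI runs the uploader non-interactively, so the target's key has to be in its known_hosts before the first run. Because the connection goes through ProxyJump, the log above shows ssh keying the entry by the target's HostName as "[192.168.1.5]:22", and the host.behind.jump.host stanza has no HostKeyAlias, unlike the jump.host one. The script below writes the entry under whichever name ssh will look up, but only after checking the key's SHA256 fingerprint against one obtained out of band (for example from ssh-keygen -lf on the target's own console). The known_hosts path, the ssh config lines in HARDENED_STANZA and the sample key are assumptions, not taken from the post.

```python
"""Pre-seed the uploader's known_hosts with a verified host key.

Added example; this is not code from the acme-client plugin or from the
original post. It assumes a dedicated known_hosts file next to the sftp
config (path below) that the ssh config points at with UserKnownHostsFile.
"""
import base64
import hashlib
import os
import tempfile
from typing import Optional

# Assumed path, not one the post mentions.
KNOWN_HOSTS = "/var/etc/acme-client/sftp-config/known_hosts"

# Assumed ssh config additions for the host behind the jump host. HostKeyAlias makes
# ssh look the key up by this name instead of by "[192.168.1.5]:22"; StrictHostKeyChecking
# and BatchMode turn an unknown key into a hard failure instead of a prompt that a
# non-interactive uploader can never answer.
HARDENED_STANZA = """\
Host host.behind.jump.host
    HostKeyAlias host.behind.jump.host
    UserKnownHostsFile /var/etc/acme-client/sftp-config/known_hosts
    StrictHostKeyChecking yes
    BatchMode yes
"""


def fingerprint(b64_key: str) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -l` prints: base64 of the
    SHA-256 of the raw key blob, with the '=' padding removed."""
    blob = base64.b64decode(b64_key, validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def known_hosts_line(name: str, key_type: str, b64_key: str, port: Optional[int] = None) -> str:
    """Build one known_hosts entry. `name` must be exactly what ssh will look up:
    the HostKeyAlias if one is set, otherwise the HostName; pass `port` to get the
    bracketed "[host]:port" form seen in the post's log ("[192.168.1.5]:22")."""
    host_field = f"[{name}]:{port}" if port is not None else name
    return f"{host_field} {key_type} {b64_key}"


def pin_host_key(expected_fp: str, name: str, key_type: str, b64_key: str,
                 known_hosts: str = KNOWN_HOSTS, port: Optional[int] = None) -> str:
    """Append the entry only if the key's fingerprint matches one obtained out of
    band (for example `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` run on
    the target's own console). Idempotent: an existing identical line is kept."""
    actual = fingerprint(b64_key)
    if actual != expected_fp:
        raise ValueError(f"host key fingerprint mismatch: got {actual}, expected {expected_fp}")
    line = known_hosts_line(name, key_type, b64_key, port)
    if os.path.exists(known_hosts):
        with open(known_hosts) as fh:
            if line in (existing.rstrip("\n") for existing in fh):
                return line
    with open(known_hosts, "a") as fh:
        fh.write(line + "\n")
    os.chmod(known_hosts, 0o600)  # keep the uploader's ssh material out of other users' reach
    return line


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return len(data).to_bytes(4, "big") + data


# Constructed sample: a syntactically valid ssh-ed25519 public key blob whose
# 32-byte key is just 0x00..0x1f. It is not any real host's key.
SAMPLE_KEY = base64.b64encode(
    _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
).decode()


def selftest() -> bool:
    """Pin the constructed key twice, then try a wrong fingerprint; return True
    if exactly one line was written and the bad key was refused."""
    with tempfile.TemporaryDirectory() as tmp:
        kh = os.path.join(tmp, "known_hosts")
        good = fingerprint(SAMPLE_KEY)
        first = pin_host_key(good, "host.behind.jump.host", "ssh-ed25519", SAMPLE_KEY, kh)
        second = pin_host_key(good, "host.behind.jump.host", "ssh-ed25519", SAMPLE_KEY, kh)
        try:
            pin_host_key("SHA256:" + "A" * 43, "192.168.1.5", "ssh-ed25519", SAMPLE_KEY, kh, port=22)
            return False  # a mismatching fingerprint must never be written
        except ValueError:
            pass
        with open(kh) as fh:
            lines = fh.read().splitlines()
        return lines == [first] and first == second and (os.stat(kh).st_mode & 0o777) == 0o600


if __name__ == "__main__":
    print("self-test:", "ok" if selftest() else "FAILED")
    print(known_hosts_line("host.behind.jump.host", "ssh-ed25519", SAMPLE_KEY))
```

Run it once as the same user the uploader runs as, with the real key blob from the target's /etc/ssh/ssh_host_ed25519_key.pub and the fingerprint you read off its console; after that, a manual `sudo ./upload_sftp.php ... test-connection` should connect without prompting, and the jump host's key can be pinned the same way under its existing HostKeyAlias.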