NEES Encryption
We recently enabled the capability to encrypt the session key (userid/password) for web services. We also enabled encryption for the ftp password. At some point in the future encryption will be mandatory. However, we must first create and distribute a Windows tool to encrypt strings.
The following two scripts demonstrate the use of encryption.
The first is the actual Linux script used to encode a password. It is available on the hub at /apps/bin/neescrypt.
The second demonstrates how to use the first script to build a web services call or an ftp URL.
A few cautions before using them. Both scripts take the password as a command-line argument, so it is visible to other users of the hub in process listings (ps) while neescrypt runs and may be recorded in shell history. The encoded value is what the server accepts as the credential, so handle it with the same care as the password itself (it appears in the URLs the demo script prints and in web server logs). The embedded public key is a 512-bit RSA key: with the PKCS#1 v1.5 padding that openssl rsautl uses, the string being encrypted can be at most 53 bytes (64 - 11), including the newline that echo appends, and 512-bit moduli are a size that has been publicly factored, so treat the scheme as obscuring the credential in transit rather than as strong protection.
#!/bin/bash
#
# neescrypt: Encrypt a string taken from the command line arguments
# and write the encoded string to standard output.
# Put this script in your PATH.
# This is available for hub tools at /apps/bin/neescrypt
# This script requires openssl and uuencode
#
# Example:
# neescrypt password
#
# Use mktemp rather than a predictable /tmp name, so another user cannot
# pre-create (or symlink) the file the public key is written to.
TMPKEY=$(mktemp /tmp/neescrypt.pub.XXXXXX) || exit 1
cat >"$TMPKEY" <<"EOF"
-----BEGIN PUBLIC KEY-----
MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANF/2+WgWArVDvfM3CorR8tmn/8Zq91V
yVHnyruB88VaRVOiWf840ddm5up+7tlOQ9fdPycS9btLflLi0YhnMDMCAwEAAQ==
-----END PUBLIC KEY-----
EOF
# Note: this is a 512-bit key. rsautl's default PKCS#1 v1.5 padding costs
# 11 bytes, so the input (arguments plus the newline echo adds) may be at
# most 53 bytes; longer input fails with "data too large for key size".
#
# In addition to openssl RSA encryption using the above key,
# there are four transforms required for NEES encryption.
# 1. uuencode to convert encrypted string to base64
# 2. Remove uuencode header and trailer lines
# 3. Insert %%% at beginning.
# 4. Translate all + and / characters to _ and -
#
# This next line does all the above transforms to the command line arguments of neescrypt then writes the encoded value to stdout
echo "$@" | /usr/bin/openssl rsautl -encrypt -inkey "$TMPKEY" -pubin | uuencode -m /dev/stdout | grep -v "^begin-base64\|^====" | sed '1i\%%%' | tr -d '\n' | tr +/ _-
rm -f "$TMPKEY"
This is an example script for calling neescrypt:
#!/bin/bash
#
# demo_neescrypt: show how to use neescrypt to call web services or ftp
#
# change these and also change the target data below to something you have access to
userid="grodgers"
passwd="mypassw0rd"
# For web services we need to encrypt the userid and password as one string separated by /
encval=$(neescrypt "$userid/$passwd")
echo "this demonstrates how to use neescrypt with web services "
echo wget -q -O proj863.xml "https://neesws.neeshub.org:9443/REST/Project/863?GAsession=$encval"
wget -q -O proj863.xml "https://neesws.neeshub.org:9443/REST/Project/863?GAsession=$encval"
# For the ftp server you only encrypt the password
enckeypw=$(neescrypt "$passwd")
echo "this demonstrates how to use neescrypt with ftp"
echo wget -q -O References.doc "ftp://$userid:$enckeypw@neesws.neeshub.org/home/NEES-2010-0863.groups/Documentation/References.doc"
wget -q -O References.doc "ftp://$userid:$enckeypw@neesws.neeshub.org/home/NEES-2010-0863.groups/Documentation/References.doc"
Here is a simple example of a Python (2.x) CGI script that wraps the encryption script as a NEES encryption 'service'. Because the credentials arrive in the query string, they are written to the web server's access log and to any proxy in the path; send them in a POST body instead where you can (cgi.FieldStorage reads both).
#!/usr/bin/python
"""
A cgi script to call neesencrypt
usage: https://host/cgi-bin/neesencrypt.py?u=[username]&p=[password]
(a POST with the same u and p fields is preferred, so the password stays out of access logs)
"""
import sys
from subprocess import Popen, PIPE
import cgi

form = cgi.FieldStorage()
# One blank line ends the CGI header block; print supplies the second newline.
print "Content-Type: text/html\n"
if "u" not in form or "p" not in form:
    print "ERROR: missing u and/or p arguments"
    sys.exit()
# Pass the userid/password as a single argv element and never go through a
# shell: with shell=True, a value containing ; | $( ) or backticks would be
# run as a command on the server under the web server's account.
p = Popen(["/private/bin/neesencrypt", "%s/%s" % (form["u"].value, form["p"].value)],
          stdout=PIPE)
out, _ = p.communicate()
if p.returncode != 0:
    print "ERROR: neesencrypt failed"
    sys.exit()
print out


