Van Dyke and cripting - capturing connection authentication attributes?

[dverbern]

** UPDATE **

I've achieved what I wanted by using PowerShell and the VRALib COM object, part of VShell. I found I was able to use regular expressions to read the important lines from the debug log and store for future reference. An excerpt of my script is provided below in the interests of sharing.

Hello,

I'm using VShell on a Windows Server.
Is it possible, using automation or scripting of some kind, to capture the specific SFTP authentication parameters that are used for a connection to a 3rd party?

Specifically, when I use establish a connection to another party via FTP over SSH, we generate logs that tell us the name/version of the 3rd party's SFTP server, what algorithms they support or exclude, etc, then we see the process whereby 'SEND' and 'RECV' ciphers/algorithms common to each party are adopted and the connection goes ahead. I'd love to be able to capture those attributes for each 3rd party connection somehow, as it would serve dual purposes:

1) It's a form of live documentation on the specific attributes each connection is currently using.
2) It is a form of monitoring, in that changes in any of those elements would help myself and 3rd party understand where/if any changes have occurred.

Of course, I could read the verbose logs we generate at the time of any connection, but if there are any other methods available, that would be great to know.

[jdev]

dverbern,

Algorithms and ciphers associated with each connection's encryption negotiation are visible only in VShell's log file -- and only if Debug log messages have been enabled in the Logging category of VShell's control panel before clients' connection attempts are made.

Parsing VShell debug logs is currently the only way to capture this information about the algorithms negotiated for each connection's encryption attributes.

I've recorded a feature request on your behalf for the ability to in some way more easily capture the encryption attributes of each connection. If we come up with a better/easier way, we'll post here in this public forum thread.

--Jake

[dverbern]

G'day Jake!

I was just about to update my ticket to say exactly that, that the actual negotiated KEX, ciphers, etc, seems to not be part of the VRALib object.

I've been able to successfully make a connection using PowerShell and VRALib (that's cool in itself!) and when I look at the VRALib Object itself, it does show me a bunch of useful attributes about the connection, but mostly it is comprised of attributes I myself defined prior to connection.

Okay, I can see the lines in the debug log I want, like "Selected Send Mac = hmac-sha1", so I'll try to find a way to tail the log just as I connect to gather that stuff.

Thank you Jake, I consider my question resolved. If you have any customer interest in getting PowerShell equivalents of some of the VBScripts, I'd happy to share.

[jdev]

Thanks for the offer to share your example VRALib-leveraging powershell code.

I've created a feature request on your behalf for some way in VRALib to more easily extract the selected algorithms instead of parsing the log file. I don't have any ETA as to when or if this would be added to VRALib's capabilities, but we'll post here if something becomes available.

--Jake

[dverbern]

Here is the solution I eventually came up with, it's using PowerShell and the VRAlib COM Object that is available to VShell users. My scripting skills aren't amazing and what follows is a heavily edited version of the script in place in our environment, but it seems to do the trick.

Again, the purpose of this is to determine exactly what attributes make up a successful connection between you and the 3rd party's server and store against any potential changes in future at your end or 3rd parties end.

Code:

# Use the VRALib COM object to connect to 3rd party with VShell and subsequently interrogate its debug log
# file to retrieve the 'selected' algorithms and other details.
#
# The purpose of this script is basically to be able to account for any changes of configuration between our SFTP environment or that
# of the 3rd parties we connect to, over time.
#
# Author:  Daniel Verberne (dverbern@gmail.com)
# Date:    18/10/2019


# In my scenario I use this 3rdPartyVendorName to guide the script to a subfolder on file system storing the relevant XML connection details
# for that 3rd party, but also used for naming the authentication log file
$3rdPartyVendorName = Read-Host "Enter the name of the 3rd party whose connection you'd like to perform to capture SFTP authentication settings"
$OutputFilePath = "C:\Temp\$3rdPartyVendorName.AuthenticationHistory.txt"

# Create an instance of the VRALib COM Object, part of Van Dyke VShell.
$VRALibCOMObject = New-Object -ComObject VRALib.Connection

# Start defining some of the attributes we'll use as part of connecting with VRALib.

# Define a log file for VRALib to produce as part of connecting to 3rd party, for us to analyze.
# I've opted to store in %windir%\temp, but your environment may vary.
# Basically, I don't need to keep this log, I just want to analyze it and keep the 
# analysis and keep growing that history, but the original log can continue to be deleted on each script run.
$TemporaryVRALibDebugLogFile = "C:\Windows\Temp\$3rdPartyVendorName.AuthenticationAnalysis.log"

# In the section below, populate these values however you wish.
# In my case, per-vendor configuration for how VShell should connect is stored in separate XML files, which I can easily read
# with PowerShell and use that content to populate these variables.

$VRALibCOMObject.Hostname = $Hostname
$VRALibCOMObject.Username = $Username
$VRALibCOMObject.Password = $HedwigXML.HedwigCfg.Password
$VRALibCOMObject.SetPrivateKeyFile($PrivateKeyPath)
$VRALibCOMObject.AutoAcceptHostKey = $AutoAcceptHostKey
$VRALibCOMObject.DebugLevel = $DebugLevel
# Give the log file generated from this script a slightly different name to the normal logs generated by Hedwig.
$VRALibCOMObject.DebugLogFile = $TemporaryVRALibDebugLogFile
# Other settings outside the Hedwig XML
# We don't want VShell trying all agent keys, we want to be explicit to avoid authentication failures.
$VRALibCOMObject.TryAllAgentKeys = $VRALibCOMObject.TryAllAgentKeys = $FALSE
# Tell VShell where to search for host keys, grab whatever setting currently in registry for VShell itself.
$VShellServerRegistryPath = 'HKLM:\SOFTWARE\VanDyke\VShell\Server'
$VRALibCOMObject.HostKeyDatabasePath = Get-ItemProperty $VShellServerRegistryPath -Name 'Host Key Filenames' | Select-Object -ExpandProperty 'Host Key Filenames'

# Try to CONNECT
#===============
try
{

    $VRALibCOMObject.Connect($VRALibCOMObject.Hostname)
    # Record the exact date/time we connected in format that VRALib uses in its debug log file.
    $ConnectDateTime = (Get-Date).ToString("dd/MM/yyyy hh:mm:ss tt") | Get-Date

} catch {}

# To use AFTER connection established
#====================================
If (!($VRALibCOMObject.IsConnected))
{
    Write-Warning "For some reason, the connection is failed to occur, please investigate"
    Exit;
}

# Below we can gather some information about the connection DIRECTLY from the VRALib Object:

$RemoteIdentString = $VRALibCOMObject.RemoteIdentString
$RemoteIP = $VRALibCOMObject.RemoteIP
$RemoteVersion = $VRALibCOMObject.RemoteVersion
$AvailableRemoteKexAlgorithms = $VRALibCOMObject.ServerKexAlgorithms
$AvailableRemoteHostKeyAlgorithms = $VRALibCOMObject.ServerHostKeyAlgorithms
$AvailableRemoteCipherAlgorithms = $VRALibCOMObject.ServerCipherAlgorithms
$AvailableRemoteMacAlgorithms = $VRALibCOMObject.ServerMacAlgorithms
# Compression and decompressing algorithms seem to be one and the same.
$AvailableRemoteCompressionAlgorithms  = $VRALibCOMObject.ServerCompressionAlgorithms
$AvailableRemoteDecompressionAlgorithms = $AvailableRemoteCompressionAlgorithms

# Now the tricky part, we want to read through the debug log we've asked VRALib to produce.
# We know the sort of entries that interest us and we're using regular expressions to find 
# each of those and extract the contents we care about.

# Check if hostname is same as remote IP or if different.  We can store both if different.
If (!($RemoteIP -eq $VRALibCOMObject.Hostname))
{
    $RemoteIP = "$($VRALibCOMObject.Hostname) ($RemoteIP)"
}

# Gather up contents of the VRALib Debug log, but need to disconnect first to release VShell's hold on the log file.
If ($VRALibCOMObject.IsConnected)
{
    $VRALibCOMObject.Disconnect()
}

# Make copy of the log file, as this PowerShell script seems to lock the log.
Copy-Item -Path $($VRALibCOMObject.DebugLogFile) -Destination $LogFileCopy -Force:$TRUE

# The following section we are reading the VRALib Debug log file, line by line.
# For each line, we're seeing if the contents match EITHER of the regular expressions
# in the SWITCH statement.  

foreach($Line in [System.IO.File]::ReadLines($LogFileCopy))
{
    Switch -Regex ($Line)
    { 
        '\[LOCAL\].\:.Selected.Kex.Method.\=.(?<CaptureGroup>.*)$'
        {$SelectedKexMethod = $Matches['CaptureGroup']}
        '\[LOCAL\].\:.Selected.Host.Key.Algo.\=.(?<CaptureGroup>.*)$'
        {$SelectedHostKeyAlgo = $Matches['CaptureGroup']}
        '\[LOCAL\].\:.Selected.Send.Cipher.\=.(?<CaptureGroup>.*)$'
        {$SelectedSendCipher = $Matches['CaptureGroup']}
        '\[LOCAL\].\:.Selected.Send.Mac.\=.(?<CaptureGroup>.*)$'
        {$SelectedSendMac = $Matches['CaptureGroup']}
    }
}

# Maybe not necessary, but I'm choosing to tie together all the results
# into a new custom object with the data I think is important.

$objConnection = [pscustomobject] @{
    '3rd Party' = $3rdPartyVendorName
    'Date/time of this test' = $ConnectDateTime
    'Remote Host/IP/ID/Version' = "$RemoteIP, $RemoteIdentString, $RemoteVersion"
    Username = $VRALibCOMObject.Username
    Password = $VRALibCOMObject.Password
    'Private Key Path' = $HedwigXML.HedwigCfg.PrivateKeyFilePath
    'Available Remote Kex Methods' = $AvailableRemoteKexAlgorithms
    'Selected Kex Methods' = $SelectedKexMethod
    'Available Remote Host Key Algo' = $AvailableRemoteHostKeyAlgorithms
    'Selected Host Key Algo' = $SelectedHostKeyAlgo
    'Available Cipher Algo' = $AvailableRemoteCipherAlgorithms
    'Selected Cipher Algo' = $SelectedSendCipher
    'Available Remote Mac Algo' = $AvailableRemoteMacAlgorithms
    'Selected Mac Algo' = $SelectedSendMac 
}


# Outputting the data


# Here I'm simply outputting that custom object to a text file, in append mode, so it'll grow over time.

$objConnection | Out-File $OutputFilePath -Encoding ascii -Append

# Let's add in a horizon line of sorts to divide up the individual runs of the script a little.
$HorizontalLine = '=========================================================================================================================================================================================="'
$HorizontalLine | Out-File $OutputFilePath -Encoding ascii -Append

# Remove temporary log file created during this script.
Remove-Item -Path $LogFileCopy -Force:$TRUE -Confirm:$FALSE

Write-Host "`nScript ended - results accumulating in output file $OutputFilePath"