If you you need a customized SSH/SFTP server, Apache Mina SSHD will make it easy for you. This article leverages it for the use case of recovering SFTP passwords from Broadcom’s Automic® Automation (formerly UC4). Check out the Chatty SSHd github repository.
Obfuscation is not encryption
In my current project, I am working with a customer team on modernizing their legacy Automic/UC4 landscape. The product is used for multiple purposes there. Among others:
- batch orchestration,
- distributed reliable scheduling and
- file-based integration with external partners over SFTP.
I might elaborate on our great DSL based approach to standardizing batch workflows and enabling continuous delivery and self-service for Automic/UC4 in another article. This time I want to focus on the SFTP transfers. The canonical way to do SFTP in Automic/UC4 is the Rapid Automation FTP Agent.
The product designers of Automic/UC4 have a weird conception of security. The product is full of idiosyncratic design decisions. It’s a wonder, that it was never featured on Fefes Blog, yet. One of the stranger things is Automic’s use of encryption. Passwords entered into the system (Login objects, SFTP passwords, …) are supposed to be encrypted on storage. If you look closer, they are not encrypted, but only obfuscated. The system can read them without being provided with a secret key. The key seems to be baken into the system. (Furthermore, they use a proprietary encryption scheme. No, not only one! They use multiple different schemes.)
Restoring locked-in passwords
A long, long time ago in a galaxy not so far away, former team members decided that it might be a great idea to keep all SFTP account data in Automic’s database exclusively. Spoiler: It’s not. While you can use the SFTP connection objects without trouble, retrieving the passwords and storing them somewhere else is not possible by default. This is obviously not due to actual security implications; the agent can still recover them. It’s the UI that doesn’t provide this functionality.
Approach 0: Hack Automic
You could now go and start Automic’s application in a debugger, break the algorithm and decrypt the information. It would probably be fun. However, I am afraid of the legal implications. Also, there is a simpler way to expose the obfuscated passwords: Create a dummy SFTP server, that exposes the desired data to you.
Approach 1: Patch OpenSSHd
In our situation, this approach didn’t work out. Shipping a docker image to our DMZ was impossible. The complete DMZ is still stuck on a good old VM-based infrastructure, with access being limited to unprivileged users. Packaging OpenSSHd differently would be possible but inconvenient.
Approach 2: Create a customized Apache MINA sshd fatjar
I needed a solution which creates dead simple deployables: A single self-contained file, executable as an unprivileged user, to start up our “chatty” SSH server.
At the mentioned customer, I had the choice between 2 technologies: Go and Java. Both feature established SSH/SFTP implementations. For Go you could use SFTPGo or the more low-level crypto/ssh package + pkg/sftp. I didn’t try it, though.
The app class containing the main method is simple:
Don’t forget to configure your
log4j2.xml properly and enable log level
debug for the
Build it and run it:
When trying to connect with
and entering some passwords, you should see something along the lines of
Et voilà, your chatty SSH server is ready to restore the freedom of your passwords. Just run it on the same server as your RA FTP Agent and configure your SFTP connections to use host
localhost without changing the remaining connection details.
If you were paying attention, you’ll have noticed that this trick can be used to reveal the password of any SSH client connecting with our dummy Apache MINA server. Does it make you feel vulnerable? It should. Go password-less and use public key authentication!
By the way, the same approach can be used to fire up a customized SSH/SFTP server programmatically. For example, this feature is useful when you want to create automatic end-to-end tests for your SFTP integration solutions. Your Apache Mina SSH Server makes a great test double!