Bri Hatch | Personal | Work |
---|---|---|
Onsight, Inc bri@ifokr.org |
ExtraHop Networks bri@extrahop.com |
Copyright 2013-2014, Bri Hatch,
Creative Commons BY-NC-SA License
ssh-agent
for automation$ ssh-keygen -b 2048 -C foo@example.com -f /tmp/key Generating public/private rsa key pair. Enter passphrase (empty for no passphrase): (enters passphrase) Enter same passphrase again: (enters passphrase again) Your identification has been saved in /tmp/key. Your public key has been saved in /tmp/key.pub. The key fingerprint is: 8b:07:14:c3:6e:f7:17:4c:78:0f:fb:94:71:ce:01:4b foo@example.com The key's randomart image is: +--[ RSA 2048]----+ | .o o E. | | .o. . * o..| | o. o = *.| | ... o + o| | ..S. + | | | +-----------------+
~/.ssh/id_rsa
:
$ cat ~/.ssh/id_rsa -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: AES-128-CBC,5543DF16C874A2B95AD8BCAFE383A8A9 N9K0VKkAROsq1siAPNgeD4enZiISszeP7LXj7tzvMkJ3gweGW7okvIhR/5iTIVih CjGCXb727YiDX/dHm0B8mPYTUPVHQ+xu+0FpuhKNP70erhI3jsimDO9PR3xZc6lx h2UaTKd7C7WwI9kyOdLrGrPIgAuoVpSpmJNOGjLZK54gooA7LfWZtK/o4CMDD1vf hlQ064qhIabk/j7FZ8LpjLf5TbEATaPRmpLrZOKABKVz0VfXEsw7sa8jqutNwB5e ... $ ls -l ~/.ssh/id_rsa -rw------- 1 xlr xlr 1766 Jan 21 11:50 id_rsa
~/.ssh/id_rsa.pub
:
$ cat ~/.ssh/id_rsa ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD3k5ng5Fn0089ed99z8Yr elv4FqYbN4VNespZx4tiY/jPleNVxPVId8WnxYOn/C4cmeAFltmEV8xDRr7 bnnDfmRqGonrH2untJapB2p6cvv4u6VrG+UyfeZjJ2cPhCDdYzFqUCp+bPC 07ZbXpfX5a4MCHj+wI5bmIBy2TllxFPE8HESCEpY7cO2yFCMn6kn1cJJSw5 87BMgXr35TA+ZYj2Tur8NzQTSoSaT1lgqfCMoNLzsFf4V9wJAcvEI1WdvVP bdNOZBnVM7wIfUqmj7Iy8H03fm4MFkO5c2zBKVW9EHl43F19Ij0yZHZq0yg shSueK7PDQN07Gwak7NpYlzmBX foo@example.com $ ls -l ~/.ssh/id_rsa.pub -rw-r--r-- 1 xlr xlr 1766 Jan 21 11:51 id_rsa.pub
$ ssh somemachine -v -i /tmp/key OpenSSH_5.9p1 Debian-5ubuntu1, OpenSSL 1.0.1 14 Mar 2012 debug1: Reading configuration data /home/xlr/.ssh/config ... debug1: SSH2_MSG_SERVICE_ACCEPT received debug1: Authentications that can continue: publickey,password debug1: Next authentication method: publickey debug1: Offering RSA public key: /tmp/key debug1: Authentications that can continue: publickey,password debug1: Next authentication method: password xlr@somemachine's password:
That wasn't an improvement...
~/.ssh/authorized_keys
file on the SSH server.
$ scp /tmp/key.pub somemachine:key.pub $ ssh somemachine xlr@somemachine's password: (types password) somemachine$ mkdir ~/.ssh; chmod 700 ~/.ssh somemachine$ touch ~/.ssh/authorized_keys somemachine$ chmod 600 ~/.ssh/authorized_keys somemachine$ cat key.pub >> ~/.ssh/authorized_keys somemachine$ exit
ssh-copy-id
:
$ ssh-copy-id -i /tmp/key.pub somemachine xlr@somemachine's password: (types password)Now try logging into the machine, with
ssh
xlr@somemachine
,
and check ~/.ssh/authorized_keys
to make
sure we haven't added
extra keys that you weren't expecting.
$ ssh somemachine -v -i /tmp/key OpenSSH_5.9p1 Debian-5ubuntu1, OpenSSL 1.0.1 14 Mar 2012 debug1: Reading configuration data /home/xlr/.ssh/config ... debug1: SSH2_MSG_SERVICE_ACCEPT received debug1: Authentications that can continue: publickey,password debug1: Next authentication method: publickey debug1: Offering RSA public key: /tmp/key Enter passphrase for key '/tmp/key': (types pubkey password) somemachine$
ssh
tries these:~/.ssh/id_dsa
~/.ssh/id_ecdsa
~/.ssh/id_rsa
IdentiesOnly yes
can help.
Instead, stick them in an ssh-agent
.
$ eval $(ssh-agent) Agent pid 24028 $ echo $SSH_AUTH_SOCK /tmp/ssh-qcqvgHa24027/agent.24027 $ echo $SSH_AGENT_PID 24028 $ ssh-add -l The agent has no identities.
gnome-keyring-daemon
that may also support additional protocols, e.g. gpg.
$ ssh-add -l The agent has no identities. $ ssh-add /tmp/key Enter passphrase for /tmp/key: (passphrase) Identity added: /tmp/key (/tmp/key) $ ssh-add -l 2048 8b:07:41:c3:e6:f7:17:c4:78:0f:fb:94:71:ce:01:4b /tmp/key (RSA)
$ ssh -v somemachine -i /tmp/key ... debug1: Authentications that can continue: publickey,password debug1: Next authentication method: publickey debug1: Offering RSA public key: /tmp/key debug1: Server accepts key: pkalg ssh-rsa blen 279 debug1: Authentication succeeded (publickey). somemachine$Look ma, no password!
(ssh-add|ssh-agent) -t lifetime
to
automatically purge credentials.ssh-add -x
locks your agent with a password,
ssh-add -X
unlocks.ssh-add -D
ssh-add -d pubkeyfile
$ ssh somemachine 'ssh-add -l' Could not open a connection to your authentication agent. $ ssh -A somemachine 'ssh-add -l' 2048 8b:07:41:c3:e6:f7:17:c4:78:0f:fb:94:71:ce:01:4b /tmp/key (RSA)
$ ssh -A -ttt epsilon3 ssh -ttt greatmachine greatmachine$
Notes:
ProxyCommand
and netcat
.
$ cat ~/.ssh/config Host greatmachine ProxyCommand ssh -q epsilon3 'nc %h %p' $ ssh greatmachine greatmachine$Notes:
%h
and %p
in the ProxyCommand
are replaced with the actual host and portGatewayPorts yes
to allow non-local use.
$ ping -q -c 10 192.168.15.68
PING 192.168.15.68 (192.168.15.68) 56(84) bytes of data.
10 packets transmitted, 0 received, +1 errors, 100% packet loss
$ ssh -L 8080:192.168.15.68:80 -Nf ssh-server
$ curl http://localhost:8080/index.html
<head><title>Welcome to 192.168.15.68!</title>
<body> ...
-Nf
prevents it from giving you a shell, and forks off in the background. For older ssh versions, you can use -f ssh-server sleep +99d
to emulate.
work$ ssh -R 8080:127.0.0.1:22 -N myhouse
Later...
myhouse$ ssh -p 8080 policy_violator@localhost policy_violator@localhost's password: (enters password) work$
Don't do this at home^H^H^H^H work!
$ ssh -Nf -D 9999 ssh-server $ curl --socks5 localhost:9999 http://192.168.15.68/
Similarly, you could configure your browser to use a SOCKS proxy
on localhost:9999
~/.ssh/authorized_keys
file.
$ cat ~/.ssh/authorized_keys ssh-rsa AAAANzaC1kc3MAAACBANJGoaoq+1gWhx781810vvf...EQQx7= key1@example.com no-port-forwarding ssh-rsa AAAAIpSVdm3aqGSMOgQ7P1...Pm1X8= key2@example.com no-agent-forwarding,no-X11-forwarding ssh-rsa AAA...xGGor= key3@example.com
sshd
man page. Some of the most
common options:
command=
restriction sounds great!
Prevent your keys from being used for any willy-nilly command.
Unfortunately:
from
authorized_keys
is painful
to the eyes
Enter authprogs
.
scp
today~/.ssh/authprogs.yaml
and
files in ~/.ssh/authprogs.d
directory.
authorized_keys
automagically
$ sudo pip install authprogs
Working on getting it packaged into Debian.
$ authprogs --install_key /path/to/id_rsa.pub $ tail -1 ~/.ssh/authorized_keys command="authprogs --run",no-port-forwarding ssh-rsa AAAAOg...Pm1X8= user@example.com $ authprogs --keyname push --install_key /path/to/push.pub $ tail -1 ~/.ssh/authorized_keys command="authprogs --keyname push --run",no-port-forwarding ssh-rsa AAAAGxNo22Hx...
Installation automatically disables port forwarding. Tweak manually if desired.
$ cat ~/.ssh/authprogs.yaml allow: - command: /bin/tar czvf /backups/www.tgz /var/www/ - command: /usr/bin/touch /var/www/.backups.complete
scp
support
$ cat ~/.ssh/authprogs.d/backups.yaml keyname: backups allow: - command: /bin/tar czvf /backups/www.tgz /var/www/ - command: /usr/bin/touch /var/www/.backups.complete -- keyname: backup_snagger allow: - rule_type: scp allow_download: true allow_recursion: true files: - /backups/www.tgz - /etc/
$ cat ~/.ssh/authprogs.d/admins.yaml from: - 192.168.1.1 - 192.168.1.2 allow: # Allow unrestricted ls - command: /bin/ls allow_trailing_args: true -- from: [192.168.0.10, 192.168.0.15, 172.16.3.3] allow: - command: ^sudo\s+/etc/init.d/apache2\s+(reload|restart)$ pcre_match: true
bash
-like processingfor
or while
authorized_keys
restrictions at pubkey install
timeIt's Open Source... what do you want to add? ;-)
$ ssh somemachine The authenticity of host 'somemachine' can't be established. RSA key fingerprint is b8:5a:1e:47:87:48:58:14:6b:d2:52:3c:50:55:f6:f7 Are you sure you want to continue connecting (yes/no)?
$ ssh somemachine The authenticity of host 'somemachine' can't be established. RSA key fingerprint is b8:5a:1e:47:87:48:58:14:6b:d2:52:3c:50:55:f6:f7 Are you sure you want to continue connecting (yes/no)? yes xlr@somemachine's password: (enters password) somemachine$ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub 2048 b8:5a:1e:47:77:a8:f5:14:bc:d2:25:99:50:55:f6:f7 somehost (RSA)
If it's different, call the admininistrator!
(And change your passwords....)
VisualHostKey
for pretty pictures.
$ ssh -o VisualHostKey=yes somemachine The authenticity of host 'somemachine' can't be established. RSA key fingerprint is b8:5a:1e:47:87:48:58:14:6b:d2:52:3c:50:55:f6:f7 +--[ RSA 2048]----+ | .=*o..o | | +o+ . . | | o =.o . . | | + . | | o . | | . | +-----------------+ Are you sure you want to continue connecting (yes/no)? yes xlr@somemachine's password: (enters password)
somemachine$ ssh-keygen -v -l -f /etc/ssh/ssh_host_rsa_key.pub 2048 b8:5a:1e:47:77:a8:f5:14:bc:d2:25:99:50:55:f6:f7 somehost (RSA) +--[ RSA 2048]----+ | . . | | S . . | | = o o | | o * = . .| | + * +E +| | . ++=B+| +-----------------+
b8:5a:1e:47:87:48:58:14:6b:d2:52:3c:50:55:f6:f7 b8:5a:1e:47:77:a8:f5:14:bc:d2:25:99:50:55:f6:f7
$ head -3 ~/.ssh/config # Global configuration options VisualHostKey yes NumberOfPasswordPrompts 1 $ ssh somemachine Host key fingerprint is b8:5a:1e:47:87:48:58:14:6b:d2:52:3c:50:55:f6:f7 +--[ RSA 2048]----+ | .=*o..o | | +o+ . . | | o =.o . . | | + . | | o . | | . | +-----------------+ xlr@somemachine's password:
~/.ssh/known_hosts
file!
$ ssh -o VisualHostKey=yes somemachine
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
b8:5a:1e:47:77:a8:f5:14:bc:d2:25:99:50:55:f6:f7
Please contact your system administrator.
Add correct host key in /home/xlr/.ssh/known_hosts to get rid of this message.
Offending RSA key in /home/xlr/.ssh/known_hosts:14
remove with: ssh-keygen -f "/home/xlr/.ssh/known_hosts" -R somemachine
RSA host key for localhost has changed and you have requested strict checking.
Host key verification failed.
~/.ssh/known_hosts
known_hosts
keyssh-keygen
, and stick
into DNS.
$ ssh-keygen -r host.example.com \ -f /etc/ssh/ssh_host_rsa_key.pub somemachine IN SSHFP 1 1 8a181c1f137559eefc7b0c35fceb357af3651683
VerifyHostKeyDNS
to query DNS for keysyes
: automatically trust DNS (if secure)ask
: show DNS results and still ask to trustno
: Don't look up SSHFP records at allask
mode, or don't have DNSSEC enabled,
you'll still need to answer the question, but you'll get an indication
that the key is likely valid.
$ ssh -o VisualHostKey=yes somemachine
The authenticity of host 'somemachine' can't be established.
RSA key fingerprint is b8:5a:1e:47:87:48:58:14:6b:d2:52:3c:50:55:f6:f7
Matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no)?
/etc/ssh/ssh_known_hosts
files to ssh client machines.
ssh-keyscan
scp
, etc.
authprogs
;-)
Personal | Work |
---|---|
Bri Hatch |
Bri Hatch |
Copyright 2013-2014, Bri Hatch, Creative Commons BY-NC-SA License