SSH

SSH - Cipher, Key, MAC

SSH Stuff Supported Ciphers, Key, MAC on OpenBSD 7.1. Not all of them are good for useage, here is my recommendation. Recommended for your sshd_config / ssh_config Ciphers aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes128-cbc HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com, sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256 Kexalgorithms curve25519-sha256@libssh.org,diffie-hellman-group16-sha512, diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com PubKeyAcceptedKeyTypes ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com, ssh-rsa-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-25 List of all available Types Cipher ssh -Q cipher 3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr aes128-gcm@openssh.com aes256-gcm@openssh.com chacha20-poly1305@openssh.com HostbasedAcceptedAlgorithms ssh -Q HostbasedAcceptedAlgorithms ssh-ed25519 ssh-ed25519-cert-v01@openssh.com sk-ssh-ed25519@openssh.com sk-ssh-ed25519-cert-v01@openssh.com ssh-rsa rsa-sha2-256 rsa-sha2-512 ssh-dss ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 sk-ecdsa-sha2-nistp256@openssh.

OpenSSH 2FA Google Auth

Let’s give a try with Alpine Linux, OpenSSH and 2FA with Google Authenticator. add Packages apk add openssh openssh-server-pam google-authenticator openssh-doc google-authenticator-doc libqrencode Configure GoogleAuth touch /etc/pam.d/sshd ln /etc/pam.d/sshd /etc/pam.d/sshd.pam cat << 'EOF' >> /etc/pam.d/sshd.pam account include base-account auth required pam_env.so auth required pam_nologin.so successok auth required /lib/security/pam_google_authenticator.so echo_verification_code grace_period=57600 nullok auth required pam_unix.so md5 sha512 EOF update sshd_config cat << 'EOF' >> /etc/ssh/sshd_config PasswordAuthentication no AuthenticationMethods any UsePAM yes EOF Restart SSHD service sshd restart Setup User su - USERNAME google-authenticator Response

AGE - Encrypt Files with SSH Keys

Stumbled upon something that I’ve missed for a long time: encrypting files with the ssh public key :) Source https://github.com/FiloSottile/age Install Package OpenBSD (and most others *nix systems) got a package for age. Just install it. doas pkg_add age Asymmetric Encryption Asymmetric Encryption encrypts and decrypts the data using two separate yet mathematically connected cryptographic keys. These keys are known as a ‘Public Key’ and a ‘Private Key’. Together, they’re called a ‘Public and Private Key Pair’

SSH - Signing Files

Signing Files with SSH 8.0 unsigned file $ cat hosts 127.0.0.1 localhost ::1 localhost 1.2.3.4 egal sign $ ssh-keygen -Y sign -f id_rsa -n file hosts Signing file hosts Write signature to hosts.sig signed file $ cat hosts.sig -----BEGIN SSH SIGNATURE----- U1NIU0lHAAAAAQAAAZcAAAAHc3NoLXJzYQAAAAMBAAEAAAGBALJB+O4WCOM7V56H1xigpd uJem52Izwltl2cG9GQOO94HClebcr7C5aD24iI4wDcT9Ajv5/fu9cDVEXku83I/U0blUZe oMd8qCIH+4O+RVYyCvKFyEkcZ6n+RRH1G5EgcP0UXtmo4J3p8Hyo/6jtPA/r28+idi84A6 7yW1cmC5GpIw24Vr5aqA3e3rCJdFBZThzsTrwu/DHzIueQstEQdldycUit4X9UPBaCVnov +nhyijO9b8adzkTMxjcJAl65fdLUmwuJ5h3z0owdKOmrcNlbWxqTIuGU0in25ZDQVxLssc WI8oW7vR5F7+cXSV7fYliTG/XPsCkD1KpWc/xSOr35bALRQpxD1+T48mrbKToZuzu4hage cUSOvRI3R0hKIvcXYyf2SQoBfLNlpvl5CRcatlw2fMhFQPrVz0Bh543chEFsF4nxKQw8yq riJbqkvhW8tzKCnMA7vyTRxey6uSDJrw0YchXIJdprNUlgM1t+z9J3AwC4ugpvhgVd6H0v 9QAAAAxob3N0cy5zaWduZWQAAAAAAAAABnNoYTUxMgAAAZQAAAAMcnNhLXNoYTItNTEyAA ABgAB9zAZStPsSvPIBh66lAgGLE/JWPk0voZjTUz9pO5wl81aM6Kn1clY9n4jysEkiQ0xy yy/tWgFzKi10mVfh/SJ34L2Mdo8t+vBnha1KNlkFwXZl+GXiCLlVl+ei6xpRfp9knheoIh LyEHoxgkuI6lO0c8pi4ymNnrlfvkg9SvvZfSdXWUMfTWHDlHvFIGqMg3BWQu7ylTEgQVDF obpqDInU3hkisfsywQRQh6KVVe8eSUc0qVH/FSSLoG8X/IX9Vh3g4tT/2FJPrE4k464yie GdnLkp5edcnnE+jjoSQroMs52QWy2a3XXZC5KTaDL6w4mcry1RpavhXb5aJQ7o0852Pkc9 wDkwX/11JZhMmxNZbDlg+tHsWy12KUubKAxAjJ1HUFXMjTFI6HMu8WyU989e3dOTt/bL3W l7sDo5P8SGv3/6+tJxugz9shz8WaN9Xz6Oh2AfCM6+IROXaeUgWMXtDmGS5bUZxUOSxHa1 ww7wzYR0NKXuOk3IeJMSQ2f97g== -----END SSH SIGNATURE----- verify file allowed signers $ cat /etc/allowed_signers mail@world.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCyQfjuFgjjO1eeh9cYoKXbiXpudiM8JbZdnBvRkDjveBwpXm3K+wuWg9uIiOMA3E/QI7+f37vXA1RF5LvNyP1NG5VGXqDHfKgiB/uDvkVWMgryhchJHGep/kUR9RuRIHD9FF7ZqOCd6fB8qP+o7TwP69vPonYvOAOu8ltXJguRqSMNuFa+WqgN3t6wiXRQWU4c7E68Lvwx8yLnkLLREHZXcnFIreF/VDwWglZ6L/p4coozvW/Gnc5EzMY3CQJeuX3S1JsLieYd89KMHSjpq3DZW1sakyLhlNIp9uWQ0FcS7LHFiPKFu70eRe/nF0le32JYkxv1z7ApA9SqVnP8Ujq9+WwC0UKcQ9fk+PJq2yk6Gbs7uIWoHnFEjr0SN0dISiL3F2Mn9kkKAXyzZab5eQkXGrZcNnzIRUD61c9AYeeN3IRBbBeJ8SkMPMqq4iW6pL4VvLcygpzAO78k0cXsurkgya8NGHIVyCXaazVJYDNbfs/SdwMAuLoKb4YFXeh9L/U= verify

Honeypot

i like to run honeypots … ok, to be honest, it’s not a honeypot. It’s a productive maschine for me, but all the bots trying to get in get’s redirected to a Honeypot, the credentials were captured and last but not least, you can watch them live in your browser :) http://honeypot.nolink.ch btw. 100k failed login attempts in 10 Day … have fun ! sha256: 8ae49e2283f894d5ab59ec16309f4f1d4aa547c0fd90705f969bae0d20d3b6f2

SSH Server behind Firewall

got a Server behing NAT / Firewall ? Need Shell access to … ? Server behind NAT/FW user@server$ ssh -R 1234:localhost:22 my.public.jumpbox Access Server ssh my.public.jumpbox user@jumpbox$ ssh -p 1234 localhost user@server$ and you’re in :) sha256: 81b4dc1d84f9f8bcbf5060f382853759fffa1e5824e2ae98ad5508a082db5dfd

Ed25519

like ssh and secure keys ? Generate Secure Key ssh-keygen -o -a 100 -t ed25519 -C "MyFamousComment" ssh-keygen -o -a 100 -t ed25519 -C "$(whoami)@$(hostname)" ssh-keygen -o -a 100 -t ed25519 -C "$(whoami)@$(hostname) at $(date \"+%Y-%m-%d\")" ssh-keygen -o -a 100 -t ed25519 -C "$(whoami)@$(hostname) at $(date \"+%Y-%m-%d %H:%M\")" What’s ed25519 ? Wikipedia about Curve25519 Distribute Key ssh-copy-id user@remotehost Connect to Remote Connect to Remove without Agent Forwarding (use this unless you know what you’re dooing …)