SSH

SSH - Cipher, Key, MAC

SSH

SSH Stuff

Supported Ciphers, Key, MAC on OpenBSD 7.1. Not all of them are good for useage, here is my recommendation.

for your sshd_config / ssh_config

Ciphers                aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes128-cbc

HostKeyAlgorithms      ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,
                       sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256

Kexalgorithms          curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,
                       diffie-hellman-group18-sha512,diffie-hellman-group14-sha256

MACs                   hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com

PubKeyAcceptedKeyTypes ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,
                       rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,
                       ssh-rsa-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-25

List of all available Types

Cipher

ssh -Q cipher

3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com

HostbasedAcceptedAlgorithms

ssh -Q HostbasedAcceptedAlgorithms

ssh-ed25519
ssh-ed25519-cert-v01@openssh.com
sk-ssh-ed25519@openssh.com
sk-ssh-ed25519-cert-v01@openssh.com
ssh-rsa
rsa-sha2-256
rsa-sha2-512
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
sk-ecdsa-sha2-nistp256@openssh.com
webauthn-sk-ecdsa-sha2-nistp256@openssh.com
ssh-rsa-cert-v01@openssh.com
rsa-sha2-256-cert-v01@openssh.com
rsa-sha2-512-cert-v01@openssh.com
ssh-dss-cert-v01@openssh.com
ecdsa-sha2-nistp256-cert-v01@openssh.com
ecdsa-sha2-nistp384-cert-v01@openssh.com
ecdsa-sha2-nistp521-cert-v01@openssh.com
sk-ecdsa-sha2-nistp256-cert-v01@openssh.com

HostKeyAlgorithms

ssh -Q HostKeyAlgorithms

ssh-ed25519
ssh-ed25519-cert-v01@openssh.com
sk-ssh-ed25519@openssh.com
sk-ssh-ed25519-cert-v01@openssh.com
ssh-rsa
rsa-sha2-256
rsa-sha2-512
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
sk-ecdsa-sha2-nistp256@openssh.com
webauthn-sk-ecdsa-sha2-nistp256@openssh.com
ssh-rsa-cert-v01@openssh.com
rsa-sha2-256-cert-v01@openssh.com
rsa-sha2-512-cert-v01@openssh.com
ssh-dss-cert-v01@openssh.com
ecdsa-sha2-nistp256-cert-v01@openssh.com
ecdsa-sha2-nistp384-cert-v01@openssh.com
ecdsa-sha2-nistp521-cert-v01@openssh.com

KexAlgorithms

ssh -Q KexAlgorithms

diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256
curve25519-sha256@libssh.org
sntrup761x25519-sha512@openssh.com
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256
curve25519-sha256@libssh.org
sntrup761x25519-sha512@openssh.com

MAC

Message Authentication Code

OpenSSH 2FA Google Auth

Alpine, Linux, Security, SSH

Let’s give a try with Alpine Linux, OpenSSH and 2FA with Google Authenticator.

add Packages

apk add openssh openssh-server-pam google-authenticator openssh-doc google-authenticator-doc libqrencode

Configure GoogleAuth

touch /etc/pam.d/sshd
ln /etc/pam.d/sshd /etc/pam.d/sshd.pam

cat << 'EOF' >> /etc/pam.d/sshd.pam
account   include     base-account

auth      required    pam_env.so
auth      required    pam_nologin.so  successok
auth      required    /lib/security/pam_google_authenticator.so   echo_verification_code grace_period=57600 nullok
auth      required    pam_unix.so   md5 sha512
EOF

update sshd_config

cat << 'EOF' >> /etc/ssh/sshd_config
PasswordAuthentication no
AuthenticationMethods any
UsePAM yes
EOF

Restart SSHD

service sshd restart

Setup User

su - USERNAME
google-authenticator

Response

SSH - Signing Files

SSH, System

Signing Files with SSH 8.0

unsigned file

$ cat hosts
127.0.0.1 localhost
::1   localhost

1.2.3.4         egal

sign

$ ssh-keygen -Y sign -f id_rsa -n file hosts
Signing file hosts
Write signature to hosts.sig

signed file

$ cat hosts.sig
-----BEGIN SSH SIGNATURE-----
U1NIU0lHAAAAAQAAAZcAAAAHc3NoLXJzYQAAAAMBAAEAAAGBALJB+O4WCOM7V56H1xigpd
uJem52Izwltl2cG9GQOO94HClebcr7C5aD24iI4wDcT9Ajv5/fu9cDVEXku83I/U0blUZe
oMd8qCIH+4O+RVYyCvKFyEkcZ6n+RRH1G5EgcP0UXtmo4J3p8Hyo/6jtPA/r28+idi84A6
7yW1cmC5GpIw24Vr5aqA3e3rCJdFBZThzsTrwu/DHzIueQstEQdldycUit4X9UPBaCVnov
+nhyijO9b8adzkTMxjcJAl65fdLUmwuJ5h3z0owdKOmrcNlbWxqTIuGU0in25ZDQVxLssc
WI8oW7vR5F7+cXSV7fYliTG/XPsCkD1KpWc/xSOr35bALRQpxD1+T48mrbKToZuzu4hage
cUSOvRI3R0hKIvcXYyf2SQoBfLNlpvl5CRcatlw2fMhFQPrVz0Bh543chEFsF4nxKQw8yq
riJbqkvhW8tzKCnMA7vyTRxey6uSDJrw0YchXIJdprNUlgM1t+z9J3AwC4ugpvhgVd6H0v
9QAAAAxob3N0cy5zaWduZWQAAAAAAAAABnNoYTUxMgAAAZQAAAAMcnNhLXNoYTItNTEyAA
ABgAB9zAZStPsSvPIBh66lAgGLE/JWPk0voZjTUz9pO5wl81aM6Kn1clY9n4jysEkiQ0xy
yy/tWgFzKi10mVfh/SJ34L2Mdo8t+vBnha1KNlkFwXZl+GXiCLlVl+ei6xpRfp9knheoIh
LyEHoxgkuI6lO0c8pi4ymNnrlfvkg9SvvZfSdXWUMfTWHDlHvFIGqMg3BWQu7ylTEgQVDF
obpqDInU3hkisfsywQRQh6KVVe8eSUc0qVH/FSSLoG8X/IX9Vh3g4tT/2FJPrE4k464yie
GdnLkp5edcnnE+jjoSQroMs52QWy2a3XXZC5KTaDL6w4mcry1RpavhXb5aJQ7o0852Pkc9
wDkwX/11JZhMmxNZbDlg+tHsWy12KUubKAxAjJ1HUFXMjTFI6HMu8WyU989e3dOTt/bL3W
l7sDo5P8SGv3/6+tJxugz9shz8WaN9Xz6Oh2AfCM6+IROXaeUgWMXtDmGS5bUZxUOSxHa1
ww7wzYR0NKXuOk3IeJMSQ2f97g==
-----END SSH SIGNATURE-----

verify file

allowed signers

$ cat /etc/allowed_signers
mail@world.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCyQfjuFgjjO1eeh9cYoKXbiXpudiM8JbZdnBvRkDjveBwpXm3K+wuWg9uIiOMA3E/QI7+f37vXA1RF5LvNyP1NG5VGXqDHfKgiB/uDvkVWMgryhchJHGep/kUR9RuRIHD9FF7ZqOCd6fB8qP+o7TwP69vPonYvOAOu8ltXJguRqSMNuFa+WqgN3t6wiXRQWU4c7E68Lvwx8yLnkLLREHZXcnFIreF/VDwWglZ6L/p4coozvW/Gnc5EzMY3CQJeuX3S1JsLieYd89KMHSjpq3DZW1sakyLhlNIp9uWQ0FcS7LHFiPKFu70eRe/nF0le32JYkxv1z7ApA9SqVnP8Ujq9+WwC0UKcQ9fk+PJq2yk6Gbs7uIWoHnFEjr0SN0dISiL3F2Mn9kkKAXyzZab5eQkXGrZcNnzIRUD61c9AYeeN3IRBbBeJ8SkMPMqq4iW6pL4VvLcygpzAO78k0cXsurkgya8NGHIVyCXaazVJYDNbfs/SdwMAuLoKb4YFXeh9L/U=

verify

Honeypot

OpenBSD, Security, SSH

i like to run honeypots … ok, to be honest, it’s not a honeypot. It’s a productive maschine for me, but all the bots trying to get in get’s redirected to a Honeypot, the credentials were captured and last but not least, you can watch them live in your browser :)

http://honeypot.nolink.ch

btw. 100k failed login attempts in 10 Day …

have fun !

Any Comments ?

sha256: 8ae49e2283f894d5ab59ec16309f4f1d4aa547c0fd90705f969bae0d20d3b6f2

SSH Server behind Firewall

OpenBSD, SSH

got a Server behing NAT / Firewall ? Need Shell access to … ?

Server behind NAT/FW

user@server$ ssh -R 1234:localhost:22 my.public.jumpbox

Access Server

ssh my.public.jumpbox

user@jumpbox$ ssh -p 1234 localhost

user@server$

and you’re in :)

Any Comments ?

sha256: 81b4dc1d84f9f8bcbf5060f382853759fffa1e5824e2ae98ad5508a082db5dfd

Ed25519

SSH

like ssh and secure keys ?

Generate Secure Key

ssh-keygen -o -a 100 -t ed25519 -C "MyFamousComment"
ssh-keygen -o -a 100 -t ed25519 -C "$(whoami)@$(hostname)"
ssh-keygen -o -a 100 -t ed25519 -C "$(whoami)@$(hostname) at $(date \"+%Y-%m-%d\")"
ssh-keygen -o -a 100 -t ed25519 -C "$(whoami)@$(hostname) at $(date \"+%Y-%m-%d %H:%M\")"

What’s ed25519 ?

Wikipedia about Curve25519

2^{{255}}-19

Distribute Key

ssh-copy-id user@remotehost

Connect to Remote

Connect to Remove without Agent Forwarding (use this unless you know what you’re dooing …)

ssh -a remotehost

Connect with Agent Forwarding

or if you need Agent Forwarding