Security

pwgen

Little function for your .zprofile

Demo

# Secure Password Generation (zsh function, needs pwgen and column)
mypwgen() {
  # Complexity labels and the matching pwgen options
  # ("" = default, -y = include symbols, -s = completely random)
  local COMPLEXITY_NAMES=("basic" "with-specials" "secure")
  local COMPLEXITY_OPTS=("" "-y" "-s")

  # Length and count patterns: "<length> <count>"
  local PATTERNS=("8 8" "16 8" "32 8")
  local i name opts pattern len count

  echo
  # zsh arrays are 1-indexed, so iterate 1..N (starting at 0 prints an empty
  # label first and never reaches the last entry)
  for i in $(seq 1 ${#COMPLEXITY_NAMES[@]}); do
    name="${COMPLEXITY_NAMES[$i]}"
    opts="${COMPLEXITY_OPTS[$i]}"
    echo "### Complexity: $name ###"
    for pattern in "${PATTERNS[@]}"; do
      len=$(echo "$pattern" | cut -d' ' -f1)
      count=$(echo "$pattern" | cut -d' ' -f2)

      # ${=opts} word-splits the option string; an empty string expands to nothing
      pwgen ${=opts} "$len" "$count" | awk '{ printf "%-32s\n", $0 }' | column
      echo
    done
  done
}
root@yourhost % mypwgen 

### Complexity:  ###
euJuph5u                        	ohthuN2V                        	Xae0Ejoh                        	ViaF6aiw                        
ga0thooM                        	ohra7Koo                        	ouSh1ion                        	Kaif5gah                        

keechaidaipah2Qu                	gu5Eeshivaethi5e                	Shaehee8leeg7tee                	Eij3eyaiNgairooy                
goh2Giesheisuw9a                	Ohmohjook5suizei                	eequ0eeFau4aejie                	eezah3Ie9ai5Ahsh                

aomaegaf2moor3Yei7thaesh1tii0Ohp	aet3uu2oojiroohohPhoh3iJof9upohz	ohph5ooYo2shaeb1ahGh8sheekaek4vo	Aephu9oongee0zah2Phae1gaem7ae7Oo
ehemeinidahWei5ongaipah5eiHah0ae	BeiVae9iZu4iecijaim6OoG0ohheeyei	huThaiShie0pho6sai7dee8eizah6sho	yaeZepuoloaBohrui4iechaiyeiph7Lu

### Complexity: basic ###
El8ohF5x                        	ahgh2Ooc                        	MuoM4eet                        	OhXae1oj                        
joode9Wa                        	yoh4ooY9                        	Eili4ae1                        	kai3EiYo                        

faeViesoog3nouv3                	queifeiG4gatae1b                	aS3shub7Bies5wae                	Eshuameelahmuu0m                
eeth7Bee8Awuj9yi                	yiSoozang1veefoo                	iew2Anahjiwi0Een                	ahkae7gee9vuTeeF                

He1aiXeileo1eiYa0foe2Chophai4uar	uu2ahthi5shouque3Shaing9aejahghe	yireth8ne5mee4geexaiKough8Saepee	ahbie2aethah9ie5shahy3eezathohLa
iu3ohv6ahloo2ae9AotoLeiwahie3sa0	bies5Dahs6hei6sheiboh1ohje6Oot1o	zoh1aiTiethajae6Ire3iex8ci7oorai	Fei7Goh3phiegi9ohr4oonaiyeogh4ph

### Complexity: with-specials ###
Phai'l2j                        	Oobu(fi6                        	Izee"f1x                        	Vien?i7s                        
Ziez~ee0                        	Zei.C4aa                        	ie2Chai(                        	Eem0aik[                        

iG2oe|xeiNg1ophu                	Kop\eiJ3gui2Phoo                	aefah{Y2moh2hieg                	Aegie7phied(oomo                
Lei=thah1bieG]ah                	thaaLoohee_phah8                	saePej2Boo4ahZ@i                	Ugh2pho0oD8ahng)                

ud0ais/eexahqu0paece9am}ah&MoPh6	aingai!No2yoo7iu4eev1eighaiThegh	quoh{ghaeSohbiek_ee:K"ae4ooboiTh	eish]eiR-ev4Og4TuKohwu,a#s4ooGie
ShoomouReSh9oed}iekinuuluchae7Te	eiqua3hair4aeshioL"aLi9bafohx9ee	Ue6avu5quequ<ook{ee*z7iex8fah3ad	vu)Civiremeile6chahg~ehiqu;eihee

Any Comments ?


SSH - Legacy Devices

Intro

Sometimes you have to access old, legacy devices. They may not support the current ciphers and key exchange algorithms, so you have to modify the “.ssh/config” file or pass some additional command-line arguments.

If you have to do this regularly, you may want to extend the current parameters with the legacy ones like this:

Backup old config

you never know ;)

mv /etc/ssh/ssh_config /etc/ssh/ssh_config-$(date "+%s")

Install Updated Version

You have to copy/paste this as root.
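A scoped alternative to editing /etc/ssh/ssh_config, as an added example (it is not the post's own config, whose content is not shown here): the legacy algorithms are appended with the "+" syntax and only for one Host pattern, so every other connection keeps OpenSSH's defaults. The host name legacy-switch.example is a placeholder; the algorithm names are real OpenSSH keywords, and on clients older than OpenSSH 8.5 the keyword PubkeyAcceptedAlgorithms is spelled PubkeyAcceptedKeyTypes.

```shell
#!/bin/sh
# Added example, not part of the original post: emit a Host-scoped ssh_config
# fragment that appends legacy algorithms only for the named device, instead
# of loosening /etc/ssh/ssh_config globally. The host name is a placeholder.
legacy_ssh_fragment() {
  host="${1:?usage: legacy_ssh_fragment <hostname-or-pattern>}"
  cat <<EOF
Host $host
    # "+" appends to OpenSSH's default list, so modern algorithms stay preferred
    KexAlgorithms +diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    HostKeyAlgorithms +ssh-rsa
    PubkeyAcceptedAlgorithms +ssh-rsa
    Ciphers +aes128-cbc,3des-cbc
    MACs +hmac-sha1
EOF
}

# Refuse a pattern that would apply the legacy set to every host.
fragment_is_scoped() {
  case "$1" in
    ''|'*') return 1 ;;
    *) return 0 ;;
  esac
}

# Write the fragment next to ~/.ssh/config and include it from there.
# The Include line is prepended because an Include placed after a Host block
# would be scoped to that block (OpenSSH 7.3+ understands Include).
install_legacy_fragment() {
  host="$1"; dir="${2:-$HOME/.ssh}"; cfg="$dir/config"; frag="config.legacy-$host"
  fragment_is_scoped "$host" || { echo "refusing to apply legacy algorithms to '$host'" >&2; return 1; }
  mkdir -p "$dir" && chmod 700 "$dir"
  legacy_ssh_fragment "$host" > "$dir/$frag" && chmod 600 "$dir/$frag"
  if ! grep -q "^Include $frag\$" "$cfg" 2>/dev/null; then
    { printf 'Include %s\n' "$frag"; if [ -f "$cfg" ]; then cat "$cfg"; fi; } > "$cfg.tmp"
    mv "$cfg.tmp" "$cfg" && chmod 600 "$cfg"
  fi
}
```

After installing, `ssh -G legacy-switch.example | grep -i kexalgorithms` prints the effective list for that host, and the same command for any other host shows the defaults untouched. The equivalent one-off form is `ssh -o KexAlgorithms=+diffie-hellman-group1-sha1 -o HostKeyAlgorithms=+ssh-rsa user@host`.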

SSHChat

SSH Chat

how to run your own SSH Chat Server

Setup

# add go
pkg_add go

# add user 'sshchat'
adduser

# switch user
su - sshchat
ftp https://github.com/shazow/ssh-chat/archive/v1.10.tar.gz
tar zxf v1.10.tar.gz
cd ssh-chat-1.10/
make build

# back to root
exit
cp /home/sshchat/ssh-chat-1.10/ssh-chat /usr/local/bin/

sshchat - ipfile

Manage the whitelisted IPs in a dedicated file.

# create folder
mkdir -p /etc/pf.d

# sample file
echo "127.0.0.1" > /etc/pf.d/sshchat

# set permission
chmod 600 /etc/pf.d/sshchat

pf.conf

Update pf.conf accordingly.
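One way to wire the whitelist file into pf, as an added example (not the post's own pf.conf, which is not shown): the file is loaded into a persistent table, only sources in the table may reach the chat port, and a small helper appends addresses with a sanity check and reloads the live table. The listen port 2022 is an assumption (ssh-chat's default bind; confirm with `ssh-chat --help` on your build); the file path is the one from the post.

```shell
#!/bin/sh
# Added example, not part of the original post. Whitelist file path from the
# post; the chat port is assumed to be ssh-chat's default 2022.
IPFILE=/etc/pf.d/sshchat
CHAT_PORT=2022

# pf.conf fragment: load the file into a persistent table and only let those
# sources reach the chat port. pf uses last-match semantics (no "quick"), so
# the pass rule after the block rule wins for whitelisted sources.
pf_sshchat_rules() {
  cat <<EOF
table <sshchat> persist file "$IPFILE"
block in log on egress proto tcp to (egress) port $CHAT_PORT
pass in on egress proto tcp from <sshchat> to (egress) port $CHAT_PORT
EOF
}

# Coarse syntactic check so nothing but address-like tokens lands in the table
# file; pfctl does the real parsing when the table is loaded.
valid_addr() {
  case "$1" in
    '') return 1 ;;
    *[!0-9a-fA-F.:/]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Append an address (or CIDR) to the whitelist, keep the file root-only and
# reload the live table when pfctl is available.
add_chat_ip() {
  addr="$1"; file="${2:-$IPFILE}"
  valid_addr "$addr" || { echo "rejecting '$addr'" >&2; return 1; }
  if ! grep -qxF "$addr" "$file" 2>/dev/null; then
    printf '%s\n' "$addr" >> "$file"
  fi
  chmod 600 "$file"
  if command -v pfctl >/dev/null 2>&1; then
    pfctl -t sshchat -T replace -f "$file"
  fi
}
```

`pf_sshchat_rules >> /etc/pf.conf` followed by `pfctl -nf /etc/pf.conf` (syntax check) and `pfctl -f /etc/pf.conf` activates it; `pfctl -t sshchat -T show` lists what the table currently holds.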

XZ

MacOS

Even though macOS does not seem to be seriously affected, better safe than sorry!

# get Version
brew info xz

# Cleanup Cache
brew cleanup -v -s --prune=all

# Downgrade
brew reinstall xz

# Update
brew update

# Upgrade
brew upgrade

# reboot
reboot

# confirm, 5.4.6 should be fine
xz -V
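For checking more than one box, here is an added example (not from the post) that parses the output of `xz -V`, rejects the two compromised upstream releases 5.6.0 and 5.6.1, and otherwise accepts only the version you expect (5.4.6 by default, as in the post). The sample version strings in the test are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: parse `xz -V` output and fail
# if the installed version is a compromised 5.6.0/5.6.1 release or differs
# from the version you expect (default 5.4.6, as in the post).
BAD_XZ_VERSIONS="5.6.0 5.6.1"

# Extract the version from output such as "xz (XZ Utils) 5.4.6" (first line only).
xz_version_from() {
  printf '%s\n' "$1" | sed -n '1s/.*XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# 0 = acceptable, 1 = compromised release, 2 = unparseable or unexpected version
xz_version_ok() {
  ver=$(xz_version_from "$1"); expected="${2:-5.4.6}"
  [ -n "$ver" ] || return 2
  for bad in $BAD_XZ_VERSIONS; do
    [ "$ver" = "$bad" ] && return 1
  done
  [ "$ver" = "$expected" ] || return 2
  return 0
}

# Run against the installed binary; pass the version you expect as $1.
check_installed_xz() {
  command -v xz >/dev/null 2>&1 || { echo "xz not installed"; return 0; }
  out=$(xz -V)
  if xz_version_ok "$out" "${1:-5.4.6}"; then
    echo "xz OK: $(xz_version_from "$out")"
  else
    echo "xz NOT OK (rc=$?): $(xz_version_from "$out")" >&2
    return 1
  fi
}
```

`check_installed_xz 5.4.6` is the one-liner to run after the reboot; the non-zero exit code makes it usable from a fleet-wide script.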


sha256: d2d6b0518ee60fc80381a2fb44dee61d06c02a7d4182045ff25d59f4894d1a10

Cisco - SSH Key Auth

Intro

Do you want to log in to your Cisco switches with SSH and a public key? You can build your config easily and copy/paste it to your switch(es).

Set & Check Variables

  • pubkey: read from ~/.ssh/id_rsa.pub
  • username: root
  • password: will be generated, or set it by hand

# get & convert public key
pubkey=$(cat ~/.ssh/id_rsa.pub |cut -d' ' -f 2 |fold -b -w 72)

# Username Switch
username=root

# Password for User
password=$(openssl rand -hex 12)

# Full Line
echo "username $username privilege 15 password $password"

SSH Pubkey Auth Config Snippet

# Build Config ("!" is the IOS comment character, so the comments can be pasted too)
cat << EOF

!###########################################
! Copy/Paste to your Cisco Devices - START !
!###########################################

conf t

! Set Version
ip ssh version 2
no aaa new-model

! Set User
username $username privilege 15 password $password

! Set Key
ip ssh pubkey-chain
username $username
key-string
$pubkey
exit
exit
exit

! vty Stuff
line vty 0 15
 login local
 transport input ssh

end
write
exit

!###########################################
! Copy/Paste to your Cisco Devices - END   !
!###########################################

EOF

You should test it in a lab environment before running it on production switches ;)
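A hardened variant of the build script above, as an added example (not the post's own script): it refuses key types that IOS's pubkey-chain cannot store (only ssh-rsa), uses `secret` so the local user's credential is stored as a hash rather than the reversible type 7 `password` form, and keeps the folded key-string lines from the post. The sample key is constructed filler, not a real RSA key, and the user name and password in the test are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post. Hardened variant of the post's
# build script: checks the key type IOS can store, uses "secret" (hashed)
# instead of "password" (reversible type 7) and keeps key-string lines short.

# Cisco IOS pubkey-chain stores RSA keys; refuse anything else up front.
check_pubkey_type() {
  case "$1" in
    "ssh-rsa "*) return 0 ;;
    *) echo "pubkey-chain needs an ssh-rsa key, got: ${1%% *}" >&2; return 1 ;;
  esac
}

# Return the base64 key body folded to <=72 characters, as in the post.
key_string_lines() {
  printf '%s\n' "$1" | cut -d' ' -f2 | fold -b -w 72
}

# Build the pasteable config; "!" is the IOS comment character.
build_cisco_config() {
  pubkey="$1"; user="$2"; pass="$3"
  check_pubkey_type "$pubkey" || return 1
  cat <<EOF
conf t
!
ip ssh version 2
no aaa new-model
!
! "secret" stores a hash; "password" is reversible unless
! service password-encryption is on, and even then only obfuscated
username $user privilege 15 secret $pass
!
ip ssh pubkey-chain
 username $user
  key-string
$(key_string_lines "$pubkey")
  exit
 exit
exit
!
line vty 0 15
 login local
 transport input ssh
!
end
write
exit
EOF
}

# Constructed sample key: 200 filler characters in place of real base64
SAMPLE_PUBKEY="ssh-rsa $(printf 'A%.0s' $(seq 1 200)) demo@example"
```

Usage with the post's variables: `build_cisco_config "$(cat ~/.ssh/id_rsa.pub)" "$username" "$password"`. The `username` line is the only one that differs from the post's snippet, and `show running-config | include username` afterwards shows the hashed form.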

RSA - Weak Keys

Intro

Did you ever try to generate a small RSA key? Today you should go with 3072 or 4096 bits, or use ECC.

With current versions of OpenSSL, you can't generate keys smaller than 512 bits.

128 Bit Key

import rsa

pubkey,privkey = rsa.newkeys(128)
print(pubkey.save_pkcs1('PEM').decode('UTF-8'))
print(privkey.save_pkcs1('PEM').decode('UTF-8'))

32 Bit Key

import rsa

pubkey,privkey = rsa.newkeys(32)
print(pubkey.save_pkcs1('PEM').decode('UTF-8'))
print(privkey.save_pkcs1('PEM').decode('UTF-8'))

16 Bit Key

import rsa

pubkey,privkey = rsa.newkeys(16)
print(pubkey.save_pkcs1('PEM').decode('UTF-8'))
print(privkey.save_pkcs1('PEM').decode('UTF-8'))

Sample with a 16-bit RSA key

OpenBSD - gpg

gpg stuff

generate key

gpg --generate-key

change Passphrase

gpg --change-passphrase user-id

import key

gpg --import 92FFBB90C18B59AEF311F9C5D2E39FFEAC507F67.pub.gpg

list key

gpg -k 

sample

root@host # gpg -k 
[keyboxd]
---------
pub   ed25519 2024-01-02 [SC] [expires: 2027-01-01]
      F7118E072D426449DD9E4DE29674836DB8FECEDA
uid           [ultimate] root <root@host>
sub   cv25519 2024-01-02 [E] [expires: 2027-01-01]

encrypt

-r selects the recipient, -e encrypts

date > date
gpg -r F7118E072D426449DD9E4DE29674836DB8FECEDA -e date

sample

root@host # gpg -r F7118E072D426449DD9E4DE29674836DB8FECEDA -e date
root@host# ll date*
-rw-r--r--  1 root  wheel   29 Jan  2 15:14 date
-rw-r--r--  1 root  wheel  200 Jan  2 15:15 date.gpg

root@host# file date*
date:     ASCII text
date.gpg: data

decrypt

-d decrypts

macos - hdiutil

Intro

hdiutil is a command-line utility on macOS that allows users to create, manipulate, and convert disk images. Disk images are virtual disk files that can contain the entire file system structure, including files, folders, and metadata. hdiutil provides a variety of functions related to disk images, and it’s a powerful tool for managing disk-related tasks on a Mac.

Basic Usage

create

echo -n "geheim" |hdiutil create -encryption -stdinpass -size 10m -volname encdata test.dmg -fs HFS+J

mount ro

echo -n "geheim" |hdiutil mount -stdinpass -readonly test.dmg

mount rw

echo -n "geheim" |hdiutil mount -stdinpass test.dmg

create, strong, mount

echo -n "geheim" |hdiutil create -encryption AES-256 -stdinpass -attach -volname encdata -size 10m test.dmg -fs HFS+J

unmount

hdiutil unmount /Volumes/encdata

or
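The same create/attach/detach flow as above, as an added example (not the post's own commands): the passphrase is read from a file that only root can read instead of being echoed on the command line, where it ends up in shell history and, briefly, in `ps` output. All paths are placeholders; the hdiutil flags are the ones used in the post.

```shell
#!/bin/sh
# Added example, not part of the original post. Same hdiutil flow as above,
# but the passphrase comes from a mode 600/400 file instead of `echo`.

# Only accept a passphrase file that nobody else can read.
# GNU stat (-c) first, then BSD/macOS stat (-f) as fallback.
passfile_ok() {
  f="$1"
  [ -f "$f" ] || return 1
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%A' "$f")
  [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# Create an AES-256 encrypted image, attach it read-only, list it, detach it.
encrypted_image_roundtrip() {
  passfile="$1"; image="$2"; vol="${3:-encdata}"
  passfile_ok "$passfile" || { echo "refusing: $passfile must be mode 600 or 400" >&2; return 1; }
  # -stdinpass reads the passphrase from stdin; strip the trailing newline
  tr -d '\n' < "$passfile" | hdiutil create -encryption AES-256 -stdinpass \
      -size 10m -volname "$vol" -fs HFS+J "$image"
  tr -d '\n' < "$passfile" | hdiutil attach -stdinpass -readonly "$image"
  ls -la "/Volumes/$vol"
  hdiutil detach "/Volumes/$vol"
}
```

Usage: `umask 077; printf '%s' 'your passphrase' > ~/.dmg-pass` once, then `encrypted_image_roundtrip ~/.dmg-pass test.dmg encdata`. The `umask` makes the file 600 at creation, which is what `passfile_ok` insists on.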

Nginx - IP

Sometimes you want to restrict access to a web server based on IP addresses. Here is a little howto.

Update nginx Config for your vhost

and redirect (temporarily or permanently) to a sorry host.

--->8- snip -8<---

    location / {
      allow 192.0.2.0/24;
      allow 2001:db8::/32;
      deny all;
      error_page 403 =301 https://sorry.your.domain;
    }

or move the IPs to a dedicated file and include it here …

--->8- snip -8<---

    location / {
      include incl/admin_ip.txt;
      deny all;
      error_page 403 =301 https://sorry.your.domain;
    }

Admin IPs

cat ../incl/admin_ip.txt
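The contents of incl/admin_ip.txt are not shown in the post; here is an added example (not the post's own file) that generates it from a plain address list, validating every entry so a stray token cannot turn into a broken or over-broad allow rule. The address list is constructed from the documentation ranges (RFC 5737 / RFC 3849); the file name is the one used in the post's include line.

```shell
#!/bin/sh
# Added example, not part of the original post. Builds incl/admin_ip.txt from
# a plain "one address per line" list; the list below is constructed.

# Coarse syntactic check for IPv4/IPv6 with optional prefix length; nginx's
# parser is the final judge when the include is loaded.
valid_cidr() {
  case "$1" in
    '') return 1 ;;
    *[!0-9a-fA-F.:/]*) return 1 ;;
    *.*.*.*) return 0 ;;
    *:*) return 0 ;;
    *) return 1 ;;
  esac
}

# Read addresses from stdin, emit "allow <addr>;" lines.
# Blank lines and # comments are skipped; a bad entry aborts with status 1.
build_allow_include() {
  while IFS= read -r line || [ -n "$line" ]; do
    addr=${line%%#*}                                   # strip trailing comments
    addr=$(printf '%s' "$addr" | tr -d ' \t')
    [ -z "$addr" ] && continue
    valid_cidr "$addr" || { echo "invalid entry: $line" >&2; return 1; }
    printf 'allow %s;\n' "$addr"
  done
}

# Write the include atomically so nginx never reads a half-written file.
install_allow_include() {
  out="$1"
  build_allow_include > "$out.tmp" || { rm -f "$out.tmp"; return 1; }
  mv "$out.tmp" "$out"
}

# Constructed sample list (documentation address ranges)
ADMIN_LIST='# constructed sample list
192.0.2.0/24
2001:db8::/32      # office v6
198.51.100.7
'
```

Usage: `printf '%s' "$ADMIN_LIST" | install_allow_include /etc/nginx/incl/admin_ip.txt && nginx -t && nginx -s reload`; the `nginx -t` step catches anything the coarse check let through before the reload.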

Debian behind TLS Proxy

Behind Corp Proxy

Let’s assume you’re behind a corporate proxy which enforces TLS inspection, you don’t have the proxy’s certificate and you want to upgrade your boxes …

… and of course, you do this in the lab and for research only, not in your production environment!

TLS Inspection enabled

apt-get update
W: Failed to fetch https://packages.sury.org/php/dists/bookworm/InRelease  Certificate verification failed: The certificate is NOT trusted.
The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: xx.xx.xx.xx yyyy]

Disable TLS Check

touch /etc/apt/apt.conf.d/99verify-peer.conf
# apt.conf values need quotes and a terminating semicolon
echo 'Acquire::https::Verify-Peer "false";' >> /etc/apt/apt.conf.d/99verify-peer.conf

Update

apt-get update
apt-get upgrade
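The setting above switches verification off for every https source. As an added example (not the post's own snippet), the following limits the bypass to the one mirror that sits behind the inspecting proxy, using apt's per-host form `Acquire::https::<host>::Verify-Peer`, writes it to its own file under apt.conf.d so it is easy to spot, and provides the matching removal for when the upgrade is done. The host name packages.sury.org is taken from the error message in the post; the directory is a parameter so the functions can be exercised outside /etc.

```shell
#!/bin/sh
# Added example, not part of the original post. Per-host Verify-Peer bypass
# in its own apt.conf.d file, plus the matching cleanup.
APT_CONF_DIR=${APT_CONF_DIR:-/etc/apt/apt.conf.d}

# Emit a per-host snippet: Acquire::https::<host>::Verify-Peer "false";
scoped_verify_peer_off() {
  host="${1:?usage: scoped_verify_peer_off <mirror-host>}"
  case "$host" in
    *[!A-Za-z0-9.-]*) echo "bad host name: $host" >&2; return 1 ;;
  esac
  printf '// LAB ONLY: TLS inspection proxy without a trusted CA; remove after the upgrade\n'
  printf 'Acquire::https::%s::Verify-Peer "false";\n' "$host"
}

# Write the snippet and show the effective apt setting (apt-config ships with apt).
install_scoped_bypass() {
  host="$1"; dir="${2:-$APT_CONF_DIR}"
  scoped_verify_peer_off "$host" > "$dir/99lab-verify-peer-$host.conf" || return 1
  if command -v apt-config >/dev/null 2>&1; then
    apt-config dump | grep -i verify-peer || true
  fi
}

# Put things back once the upgrade is done.
remove_scoped_bypass() {
  host="$1"; dir="${2:-$APT_CONF_DIR}"
  rm -f "$dir/99lab-verify-peer-$host.conf"
}
```

Usage: `install_scoped_bypass packages.sury.org && apt-get update && apt-get upgrade && remove_scoped_bypass packages.sury.org`. Sources served by other hosts keep full certificate verification throughout.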


sha256: 40c39ed441b4690a8644cd63bfd2e6987f06a70c4f922eca14de5dcc27d4fb35