sometime, one have to access to old and legacy devices. they may do not support the current ciphers and key algorithms, so, we have to modify the “.ssh/config” File or provide some additional cli arguments.
If you have todo this regualary, you may wanna extend the current parameters with the legacy ones like this:
you never know ;)
mv /etc/ssh/ssh_config /etc/ssh/ssh_config-$(date "+%s")
you have to copy/paste as root
how to run your own SSH Chat Server
# add go
pkg_add go
# add user 'sshchat'
adduser
# switch user
su - sshchat
ftp https://github.com/shazow/ssh-chat/archive/v1.10.tar.gz
tar zxf v1.10.tar.gz
cd ssh-chat-1.10/
make build
# back to root
exit
cp /home/sshchat/ssh-chat-1.10/ssh-chat /usr/local/bin/
manage whiteliste ip in dedicated file
# create folder
mkdir -p /etc/pf.d
# sample file
echo "127.0.0.1" > /etc/pf.d/sshchat
# set permission
chmod 600 /etc/pf.d/sshchat
update pf.conf appropriate
even MacOS seems not hardly affected, better safe than sorry !
# get Version
brew info xz
# Cleanup Cache
brew cleanup -v -s --prune=all
# Downgrade
brew reinstall xz
# Update
brew update
# Upgrade
brew upgrade
# reboot
reboot
# confirm, 5.4.6 should be fine
xz -V
sha256: d2d6b0518ee60fc80381a2fb44dee61d06c02a7d4182045ff25d59f4894d1a10
do you wanna login into your cisco switches with ssh & public key. you can build your config easily and copy/paste it to your switch(es).
# get & convert public key
pubkey=$(cat ~/.ssh/id_rsa.pub |cut -d' ' -f 2 |fold -b -w 72)
# Username Switch
username=root
# Password for User
password=$(openssl rand -hex 12)
# Full Line
echo "username $username privilege 15 password $password"
# Build Config
cat << EOF
############################################
# Copy/Paste to your Cisco Devices - START #
############################################
conf t
# Set Version
ip ssh version 2
no aaa new-model
# Set User
username $username privilege 15 password $password
# Set Key
ip ssh pubkey-chain
username $username
key-string
$pubkey
exit
exit
exit
# vty Stuff
line vty 0 15
login local
transport input ssh
end
write
exit
############################################
# Copy/Paste to your Cisco Devices - END #
############################################
EOF
you should test it in a lab environment before running on productiv switches ;)
In SSH, the LogLevel option allows you to control the level of logging information generated by the SSH client and server.
There are several log levels you can use to adjust the verbosity of SSH logging. Here are the most commonly used log levels:
QUIET:
Suppresses all log messages, except for fatal errors. It provides the least amount of information.
FATAL:
Logs only fatal errors, indicating severe issues that may prevent the SSH session from being established.
ERROR:
Logs error messages, which are issues that might cause problems but don't necessarily prevent the session from being established.
INFO:
Logs informational messages, such as connection status and key exchange details. This is the default log level.
VERBOSE:
Provides more detailed logging than INFO, including additional debugging information.
DEBUG:
Generates detailed debugging messages. This level is useful when diagnosing connection and authentication issues.
DEBUG1, DEBUG2, DEBUG3:
Provides even more verbose debugging output, with DEBUG3 being the most detailed.
cat ~/.ssh/config
Host *
LogLevel QUIET
LogLevel FATAL
LogLevel ERROR
LogLevel INFO
LogLevel VERBOSE
LogLevel DEBUG
LogLevel DEBUG1
LogLevel DEBUG2
LogLevel DEBUG3
...
sha256: b62b3c4dc3fb31bf4d2cadbd8d3a632de0a9374ae4a2a6026d0b6d9d0bace367
wanna tunnel IP over SSH ? give a try ? Tested for you with … OpenBSD :)
do the following as root
echo "net.inet.ip.forwarding=1" >> /etc/sysctl.conf
sysctl net.inet.ip.forwarding=1
echo "inet 10.0.0.1 255.255.255.0 10.0.0.2" >> /etc/hostname.tun0
sh /etc/netstart tun0
sed -i '/PermitTunnel .*/PermitTunnel yes/' /etc/ssh/sshd_config
rcctl restart sshd
ssh-copy-id root@host2
do the following as root
echo "net.inet.ip.forwarding=1" >> /etc/sysctl.conf
sysctl net.inet.ip.forwarding=1
echo "inet 10.0.0.2 255.255.255.0 10.0.0.1" >> /etc/hostname.tun0
sh /etc/netstart tun0
sed -i '/PermitTunnel .*/PermitTunnel yes/' /etc/ssh/sshd_config
rcctl restart sshd
ssh-copy-id root@host1
now do ifconfig tun0 on Host1 and Host2 -> tunnel should be down
do you know that you can forward Variables through SSH ?
sha256: a09f31ecd22a35832bb0a2d937c44853f1a7d754d60c6a41f38153d5e56ce84f
made a few Slides about SSH Agent & Agent Forwarding with https://slides.com. Do you like it ? I do …
sha256: dd15fd6475246beedee7f6c61924134c76248cf5e28d7092283475c97e9f2f50
If you need multiple SSH keys with passphrases for educational purposes, you can generate them as follows. The passphrase is set in the comments of the corresponding public key.
cat << 'EOF' > /tmp/ssh-key-generator.sh
#!/usr/bin/env bash
# File
f=/tmp/id_ed25519
# Cleanup
test -f $f && rm $f $f.pub
# Gen Key
ssh-keygen -o -a 100 -t ed25519 -N "" -f ${f}
# Extact Password (last 8 Char from PubKey)
pw=$(cat ${f}.pub |cut -d" " -f 2 |gsed -E 's/^.{60}//')
pw2=$(echo $pw |gsed -E 's/\//x/g')
id=$(echo $pw2 |gsed -E 's/^....//')
# Rename
mv ${f} ${f}-${id}
mv ${f}.pub ${f}-${id}.pub
# Set Var
x="${f}-${id}"
f="$x"
# Prepare Password
cat << EOF2 > ${f}.x
#!/bin/sh
echo $pw2
EOF2
chmod +x ${f}.x
# Set Comment
ssh-keygen -c -C "Password: $pw2" -f ${f}
# Set Password
ssh-keygen -p -N "$pw2" -f ${f}
# Show Key
cat ${f}.pub
# Add to Agent
DISPLAY=1 SSH_ASKPASS="${f}.x" ssh-add ${f} < /dev/null
# Cleanup
rm ${f}.x
exit 0
EOF
cd /tmp
chmod +x /tmp/ssh-key-generator.sh
./ssh-key-generator.sh; ls -la /tmp/id*
user@host /tmp$ ./ssh-key-generator.sh; ls -la id_ed25519-*
Generating public/private ed25519 key pair.
Your identification has been saved in /tmp/id_ed25519
Your public key has been saved in /tmp/id_ed25519.pub
The key fingerprint is:
SHA256:IdJGeVPDOMrk9BidtIKrIzFBn8vNgjHVT8/sdSA9hik user@host
The key's randomart image is:
+--[ED25519 256]--+
| . .. .+.=* |
|. o .==EB=.* |
|.o oo=B*Boo o |
| .= ++=+.= . . |
|o. +.o S . . |
| o .. . |
|. o |
| . . |
| |
+----[SHA256]-----+
Old comment: user@host
Comment 'Password: S4seK144' applied
Key has comment 'Password: S4seK144'
Your identification has been saved with the new passphrase.
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMKxvcjpd8DvAfdO0nZ34uCxalQHgN0XUSRxS4seK144 Password: S4seK144
Identity added: /tmp/id_ed25519-K144 (Password: S4seK144)
-rw------- 1 user wheel 464 Jan 25 22:36 id_ed25519-Bhxt
-rw-r--r-- 1 user wheel 100 Jan 25 22:36 id_ed25519-Bhxt.pub
-rw------- 1 user wheel 464 Jan 25 22:30 id_ed25519-GCow
-rw-r--r-- 1 user wheel 100 Jan 25 22:30 id_ed25519-GCow.pub
-rw------- 1 user wheel 464 Jan 25 22:36 id_ed25519-K144
-rw-r--r-- 1 user wheel 100 Jan 25 22:36 id_ed25519-K144.pub
sha256: 541867de7da5d482614e872eaf47c51578347c8ff3c2df980914795eb4515f61
buy a Key and give try …
pkg_add yubikey-manager-3.1.2p4
pkg_add yubikey-manager-3.1.2p4
quirks-6.42 signed on 2023-01-08T01:39:04Z
yubikey-manager-3.1.2p4:py3-click-7.1.2: ok
yubikey-manager-3.1.2p4:py3-pyusb-1.0.2p5: ok
yubikey-manager-3.1.2p4:pcsc-lite-1.9.8: ok
yubikey-manager-3.1.2p4:py3-cparser-2.19p2: ok
yubikey-manager-3.1.2p4:py3-cffi-1.15.1: ok
yubikey-manager-3.1.2p4:py3-cryptography-38.0.0p0: ok
yubikey-manager-3.1.2p4:py3-pyscard-2.0.3: ok
yubikey-manager-3.1.2p4:py3-openssl-22.0.0: ok
yubikey-manager-3.1.2p4:libyubikey-1.13p4: ok
yubikey-manager-3.1.2p4:json-c-0.16: ok
yubikey-manager-3.1.2p4:ykpers-1.20.0p2: ok
yubikey-manager-3.1.2p4: ok
The following new rcscripts were installed: /etc/rc.d/pcscd
See rcctl(8) for details.
--- +yubikey-manager-3.1.2p4 -------------------
NOTE: yubikey-manager (ykman) is only partially functional on OpenBSD.
Most of the "ykman fido xxx" commands (pin-setting and others) stall.
rcctl enable pcscd
rcctl start pcscd
you have to Attack your Yubikey via USB Port … … and ask dmesg about the latest news ;)