SSH

SSH - Legacy Devices

Intro

sometime, one have to access to old and legacy devices. they may do not support the current ciphers and key algorithms, so, we have to modify the “.ssh/config” File or provide some additional cli arguments.

If you have todo this regualary, you may wanna extend the current parameters with the legacy ones like this:

Backup old config

you never know ;)

mv /etc/ssh/ssh_config /etc/ssh/ssh_config-$(date "+%s")

Install Updated Version

you have to copy/paste as root

SSHChat

SSH Chat

how to run your own SSH Chat Server

Setup

# add go
pkg_add go

# add user 'sshchat'
adduser

# switch user
su - sshchat
ftp https://github.com/shazow/ssh-chat/archive/v1.10.tar.gz
tar zxf v1.10.tar.gz
cd ssh-chat-1.10/
make build

# back to root
exit
cp /home/sshchat/ssh-chat-1.10/ssh-chat /usr/local/bin/

sshchat - ipfile

manage whiteliste ip in dedicated file

# create folder
mkdir -p /etc/pf.d

# sample file
echo "127.0.0.1" > /etc/pf.d/sshchat

# set permission
chmod 600 /etc/pf.d/sshchat

pf.conf

update pf.conf appropriate

XZ

MacOS

even MacOS seems not hardly affected, better safe than sorry !

# get Version
brew info xz

# Cleanup Cache
brew cleanup -v -s --prune=all

# Downgrade
brew reinstall xz

# Update
brew update

# Upgrade
brew upgrade

# reboot
reboot

# confirm, 5.4.6 should be fine
xz -V

Any Comments ?

sha256: d2d6b0518ee60fc80381a2fb44dee61d06c02a7d4182045ff25d59f4894d1a10

Cisco - SSH Key Auth

Intro

do you wanna login into your cisco switches with ssh & public key. you can build your config easily and copy/paste it to your switch(es).

Set & Check Variables

  • pubkey: read from ~/.ssh/id_rsa.pub
  • username: root
  • password: will be generated. or set it by hand
# get & convert public key
pubkey=$(cat ~/.ssh/id_rsa.pub |cut -d' ' -f 2 |fold -b -w 72)

# Username Switch
username=root

# Password for User
password=$(openssl rand -hex 12)

# Full Line
echo "username $username privilege 15 password $password"

SSH Pubkey Auth Config Snippet

# Build Config
cat  << EOF


############################################
# Copy/Paste to your Cisco Devices - START #
############################################

conf t

# Set Version
ip ssh version 2
no aaa new-model

# Set User
username $username privilege 15 password $password

# Set Key
ip ssh pubkey-chain 
username $username 
key-string
$pubkey
exit
exit
exit

# vty Stuff
line vty 0 15
 login local
 transport input ssh

end
write
exit

############################################
# Copy/Paste to your Cisco Devices - END   #
############################################


EOF

you should test it in a lab environment before running on productiv switches ;)

SSH LogLevels

Log Levels for SSH

In SSH, the LogLevel option allows you to control the level of logging information generated by the SSH client and server.
There are several log levels you can use to adjust the verbosity of SSH logging. Here are the most commonly used log levels:

QUIET:
Suppresses all log messages, except for fatal errors. It provides the least amount of information.
FATAL:
Logs only fatal errors, indicating severe issues that may prevent the SSH session from being established.
ERROR:
Logs error messages, which are issues that might cause problems but don't necessarily prevent the session from being established.
INFO:
Logs informational messages, such as connection status and key exchange details. This is the default log level.
VERBOSE:
Provides more detailed logging than INFO, including additional debugging information.
DEBUG:
Generates detailed debugging messages. This level is useful when diagnosing connection and authentication issues.
DEBUG1, DEBUG2, DEBUG3:
Provides even more verbose debugging output, with DEBUG3 being the most detailed.

Settings per User

cat ~/.ssh/config
  Host *
    LogLevel QUIET
    LogLevel FATAL
    LogLevel ERROR
    LogLevel INFO
    LogLevel VERBOSE
    LogLevel DEBUG
    LogLevel DEBUG1
    LogLevel DEBUG2
    LogLevel DEBUG3
    ...

Any Comments ?

sha256: b62b3c4dc3fb31bf4d2cadbd8d3a632de0a9374ae4a2a6026d0b6d9d0bace367

IP over SSH

wanna tunnel IP over SSH ? give a try ? Tested for you with … OpenBSD :)

Host1

do the following as root

echo "net.inet.ip.forwarding=1" >> /etc/sysctl.conf
sysctl net.inet.ip.forwarding=1

echo "inet 10.0.0.1 255.255.255.0 10.0.0.2" >> /etc/hostname.tun0
sh /etc/netstart tun0

sed -i '/PermitTunnel .*/PermitTunnel                      yes/' /etc/ssh/sshd_config
rcctl restart sshd

ssh-copy-id root@host2

Host2

do the following as root

echo "net.inet.ip.forwarding=1" >> /etc/sysctl.conf
sysctl net.inet.ip.forwarding=1

echo "inet 10.0.0.2 255.255.255.0 10.0.0.1" >> /etc/hostname.tun0
sh /etc/netstart tun0

sed -i '/PermitTunnel .*/PermitTunnel                      yes/' /etc/ssh/sshd_config
rcctl restart sshd

ssh-copy-id root@host1

now do ifconfig tun0 on Host1 and Host2 -> tunnel should be down

SSH Key Generator

If you need multiple SSH keys with passphrases for educational purposes, you can generate them as follows. The passphrase is set in the comments of the corresponding public key.

SSH Key Generator Script

cat << 'EOF' > /tmp/ssh-key-generator.sh
#!/usr/bin/env bash

# File
f=/tmp/id_ed25519

# Cleanup
test -f $f && rm $f $f.pub

# Gen Key
ssh-keygen -o -a 100 -t ed25519 -N "" -f ${f}

# Extact Password (last 8 Char from PubKey)
pw=$(cat ${f}.pub |cut -d" " -f 2 |gsed -E 's/^.{60}//')
pw2=$(echo $pw |gsed -E 's/\//x/g')
id=$(echo $pw2 |gsed -E 's/^....//')

# Rename
mv ${f}     ${f}-${id}
mv ${f}.pub ${f}-${id}.pub

# Set Var
x="${f}-${id}"
f="$x"

# Prepare Password
cat << EOF2 > ${f}.x
#!/bin/sh
echo $pw2
EOF2
chmod +x ${f}.x

# Set Comment
ssh-keygen -c -C "Password: $pw2" -f ${f}

# Set Password
ssh-keygen -p -N "$pw2" -f ${f}

# Show Key
cat ${f}.pub

# Add to Agent
DISPLAY=1 SSH_ASKPASS="${f}.x" ssh-add ${f} < /dev/null

# Cleanup
rm ${f}.x

exit 0
EOF

set Permission and run it

cd /tmp
chmod +x /tmp/ssh-key-generator.sh
./ssh-key-generator.sh; ls -la /tmp/id*

a few test runs

user@host /tmp$ ./ssh-key-generator.sh; ls -la id_ed25519-* 
Generating public/private ed25519 key pair.
Your identification has been saved in /tmp/id_ed25519
Your public key has been saved in /tmp/id_ed25519.pub
The key fingerprint is:
SHA256:IdJGeVPDOMrk9BidtIKrIzFBn8vNgjHVT8/sdSA9hik user@host
The key's randomart image is:
+--[ED25519 256]--+
| . .. .+.=*      |
|. o .==EB=.*     |
|.o oo=B*Boo o    |
| .= ++=+.= . .   |
|o. +.o  S . .    |
| o ..    .       |
|. o              |
| . .             |
|                 |
+----[SHA256]-----+
Old comment: user@host
Comment 'Password: S4seK144' applied
Key has comment 'Password: S4seK144'
Your identification has been saved with the new passphrase.
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMKxvcjpd8DvAfdO0nZ34uCxalQHgN0XUSRxS4seK144 Password: S4seK144
Identity added: /tmp/id_ed25519-K144 (Password: S4seK144)
-rw-------  1 user  wheel  464 Jan 25 22:36 id_ed25519-Bhxt
-rw-r--r--  1 user  wheel  100 Jan 25 22:36 id_ed25519-Bhxt.pub
-rw-------  1 user  wheel  464 Jan 25 22:30 id_ed25519-GCow
-rw-r--r--  1 user  wheel  100 Jan 25 22:30 id_ed25519-GCow.pub
-rw-------  1 user  wheel  464 Jan 25 22:36 id_ed25519-K144
-rw-r--r--  1 user  wheel  100 Jan 25 22:36 id_ed25519-K144.pub

Any Comments ?

sha256: 541867de7da5d482614e872eaf47c51578347c8ff3c2df980914795eb4515f61

Yubikey - on OpenBSD

Running YubiKey on OpenBSD

buy a Key and give try …

Source

https://www.yubico.com/

Install Software

pkg_add yubikey-manager-3.1.2p4
pkg_add yubikey-manager-3.1.2p4
quirks-6.42 signed on 2023-01-08T01:39:04Z
yubikey-manager-3.1.2p4:py3-click-7.1.2: ok
yubikey-manager-3.1.2p4:py3-pyusb-1.0.2p5: ok
yubikey-manager-3.1.2p4:pcsc-lite-1.9.8: ok
yubikey-manager-3.1.2p4:py3-cparser-2.19p2: ok
yubikey-manager-3.1.2p4:py3-cffi-1.15.1: ok
yubikey-manager-3.1.2p4:py3-cryptography-38.0.0p0: ok
yubikey-manager-3.1.2p4:py3-pyscard-2.0.3: ok
yubikey-manager-3.1.2p4:py3-openssl-22.0.0: ok
yubikey-manager-3.1.2p4:libyubikey-1.13p4: ok
yubikey-manager-3.1.2p4:json-c-0.16: ok
yubikey-manager-3.1.2p4:ykpers-1.20.0p2: ok
yubikey-manager-3.1.2p4: ok
The following new rcscripts were installed: /etc/rc.d/pcscd
See rcctl(8) for details.
--- +yubikey-manager-3.1.2p4 -------------------
NOTE: yubikey-manager (ykman) is only partially functional on OpenBSD.
Most of the "ykman fido xxx" commands (pin-setting and others) stall.

PC/SC Smart Card Daemon

rcctl enable pcscd
rcctl start pcscd

Attack Key

you have to Attack your Yubikey via USB Port … … and ask dmesg about the latest news ;)