IT notes

GPG RemoteForward

To forward your SSH session when using a YubiKey and gpg-agent, for example to connect from macOS to a Linux VM, add this to ~/.ssh/config on the client:

Host foo
  Hostname X.X.X.X
  ForwardAgent yes
  RemoteForward /run/user/1000/gnupg/S.gpg-agent /Users/monkey/.gnupg/S.gpg-agent.extra
  RemoteForward /run/user/1000/gnupg/S.gpg-agent.ssh /Users/monkey/.gnupg/S.gpg-agent.extra.ssh

In each RemoteForward line the first path is the remote socket and the second the local socket. To find the local socket on your Mac (the client), run:

gpgconf --list-dirs agent-extra-socket

To find the remote socket, in the Linux VM, do:

ssh comment

Create a new pair of RSA ssh keys with a custom comment:

ssh-keygen -C "monkey" -t rsa -b 4096 -o -a 100 -f /tmp/monkey

ssh only password

When using ssh, if you only need to authenticate with a password (no keys):

ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no <host>

Bypass AllowTcpForwarding

To bypass AllowTcpForwarding no, try using socat and nc:

socat TCP-LISTEN:<local port>,reuseaddr,fork "EXEC:ssh <server> nc localhost <remote port>"

For example, from your desktop run:

socat TCP-LISTEN:8080,reuseaddr,fork "EXEC:ssh nc 3000"

This will listen on local port 8080, connect via ssh to the server and use nc there to reach the remote port.


When using ssh, if you then do something like sudo -i the SSH environment variables are gone. To preserve them, edit your sudoers (/usr/local/etc/sudoers or /usr/local/etc/sudoers.d/devops) and add something like:

Defaults env_keep += "SSH_TTY SSH_CONNECTION SSH_CLIENT"

In this case it will preserve your SSH environment variables.

ssh wireshark

To analyze traffic remotely over ssh:

ssh [email protected] sudo tcpdump -U -s0 -i pflog0 -w - | wireshark -k -i -

In case you need a specific port:

ssh [email protected] sudo tcpdump -U -s0 -i pflog0 -w - 'port 5984' | wireshark -k -i -

To ignore the traffic from ssh itself:

ssh [email protected] sudo tcpdump -U -s0 -i pflog0 -w - 'not port 22' | wireshark -k -i -

Or:

Block SSH on MacOS

To block incoming ssh connections, edit /etc/pf.conf and add the following line at the bottom:

block in log quick proto tcp from any to any port 22

You can use vim or something like this:

sudo sh -c "echo 'block in log quick proto tcp from any to any port 22' >> /etc/pf.conf"

Then reload the pf rules:

sudo pfctl -Fa -f /etc/pf.conf

For this to work the firewall must be enabled.


To create a git repository and access it via ssh:

$ ssh 
$ mkdir my-new-repo
$ cd my-new-repo
$ git --bare init

To access your repo (clone it):

$ git clone ssh://[email protected]:2222/~user/my-new-repo

ssh CanonicalDomains

SSH canonicalization:

CanonicalDomains
# CanonicalizeFallbackLocal no
CanonicalizeHostname yes

Host *
  IdentityFile ~/.ssh/exampleCOM
  User foo

Host *
  IdentityFile ~/.ssh/exampleNET
  User foo

Host *
  User foo
  IdentityFile ~/.ssh/exampleORG

more info:

ssh permissions are too open

To set mode 0400 on all your ssh private keys:

$ find ~/.ssh/* -type f -name "id*" -not -iname "*.pub" -exec chmod 0400 {} \+


To save SSH key passphrases in the macOS Sierra keychain, add this to ~/.ssh/config:

Host *
  AddKeysToAgent yes
  UseKeychain yes

Keychain changes

Prior to macOS Sierra, ssh would present a dialog asking for your passphrase and would offer the option to store it into the keychain. This UI was deprecated some time ago and has been removed. Instead, a new UseKeychain option was introduced in macOS Sierra allowing users to specify whether they would like for the passphrase to be stored in the keychain.

ssh update Host Keys

To create new ssh host keys on the server:

ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa
ssh-keygen -f /etc/ssh/ssh_host_ecdsa_key -N '' -t ecdsa -b 521

To check the fingerprint:

ssh-keygen -lf ssh_host_ecdsa_key

On the client side you will then see:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.

two factor authentication with ssh

Two-Factor Authentication (2FA) with SSH

Install google authenticator and libqrencode:

pkg install pam_google_authenticator
pkg install libqrencode

Edit /etc/pam.d/sshd and add the following line to the auth section:

# auth
auth sufficient no_warn no_fake_prompts
auth requisite no_warn allow_local
#auth sufficient no_warn try_first_pass
#auth sufficient no_warn try_first_pass
#auth required no_warn try_first_pass
auth required /usr/local/lib/

Add this to /etc/ssh/sshd_config:

ChallengeResponseAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive

This setup will do "publickey + verification code", without a password. In case you also require a password, edit the /etc/pam.


pdsh - issue commands to groups of hosts in parallel

Install:

brew install pdsh

Usage:

pdsh -R ssh -w ^servers.txt "<command>"

where servers.txt is something like:

One-liner:

pdsh -b -w ",," "<command>"

-b  Disable the ctrl-C status feature so that a single ctrl-C kills the parallel job (batch mode).

haproxy ssh

HTTPS and SSH on the same port

Using HAProxy to serve SSH and SSL on the same port:

global
  maxconn 1000000
  spread-checks 3
  log /var/run/log local0 notice
  daemon
  tune.ssl.default-dh-param 2048

defaults
  mode http
  balance roundrobin
  option http-server-close
  option abortonclose
  option dontlognull
  option redispatch
  timeout check 3s
  timeout client 30s  # Client and server timeout must match the longest
  timeout connect 5s
  timeout http-keep-alive 5s
  timeout http-request 10s  # A complete request may never take that long.

tmux ssh

Tmux multiple ssh connections with synchronized panes

If you need to debug/check multiple servers in real time via ssh, this can be used.

tmux script:

#!/bin/sh
# Open one pane per host read from a file (or stdin) and synchronize input.
TARGET="tmux-ssh"
SSH_USER="devops"
i=0
while read -r line
do
  if [ "$i" -eq 0 ]
  then
    # first host: create the window
    tmux new-window -a -n "${TARGET}" "ssh -l ${SSH_USER} ${line}"
  else
    # following hosts: split and re-tile the window
    tmux split-window -t "${TARGET}" "ssh -l ${SSH_USER} ${line}" && \
    tmux select-layout -t "${TARGET}" tiled
  fi
  i=$((i + 1))
done < "${1:-/dev/stdin}"
tmux set-window-option -t "${TARGET}" synchronize-panes on

hosts

If the input is JSON, jq can be used to extract the hosts, assuming your output is similar to:

bastion ssh

ProxyJump

This is the easiest (new) way:

Host 10.*
  ProxyJump [email protected]:2222

Using ProxyCommand

Replace your.bastion.tld with your bastion server and set your bastion username in the ProxyCommand:

Host bastion
  Hostname your.bastion.tld
  ForwardAgent yes

Host 10.10.*
  ProxyCommand ssh <your-username>@bastion -W %h:%p

Example

To log in with user devops to a server:

$ ssh -l devops

or

$ ssh [email protected]

SSH sockets

To speed things up further when using the bastion host, this can be added at the top of the ~/.
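As an added example (not part of these notes), a small Python model of how OpenSSH resolves ssh_config options, showing why the order of the Host blocks above matters: for each keyword the first value obtained wins, so a "Host *" block at the top of the file overrides more specific blocks below it, while one at the bottom only supplies defaults. The sample config is constructed; Match blocks, CanonicalDomains and %-token expansion are not modelled.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample config in the style of the bastion notes (not real hosts).
SAMPLE_CONFIG = """
Host bastion
  Hostname your.bastion.tld
  ForwardAgent yes
  User devops
Host 10.10.*
  ProxyCommand ssh devops@bastion -W %h:%p
Host *
  AddKeysToAgent yes
  User foo
"""

def parse_config(text):
    """(host_patterns, {keyword: value}) blocks in file order; options before
    the first Host line form a leading "Host *" block, as in OpenSSH."""
    blocks = [(["*"], {})]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = (re.split(r"[\s=]+", line, maxsplit=1) + [""])[:2]
        if key.lower() == "host":
            blocks.append((value.split(), {}))
        else:
            blocks[-1][1].setdefault(key.lower(), value)  # first value in a block wins
    return blocks

def host_matches(patterns, host):
    """A matching negated !pattern vetoes the block; else one positive pattern must match."""
    positive = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatchcase(host, pat[1:]):
                return False
        elif fnmatchcase(host, pat):
            positive = True
    return positive

def resolve(host, text=SAMPLE_CONFIG):
    """Effective options: the FIRST value obtained for a keyword wins, so a
    "Host *" block at the top overrides everything below it."""
    effective = {}
    for patterns, options in parse_config(text):
        if host_matches(patterns, host):
            for key, value in options.items():
                effective.setdefault(key, value)
    return effective
```

resolve("10.10.0.5") picks up the ProxyCommand and falls back to User foo, while resolve("bastion") keeps User devops because its block comes first.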

ssh ed25519

Generate your new ssh ed25519 key:

$ ssh-keygen -o -a 1000 -t ed25519

ssh proxy

SSH SOCKS5 proxy

Route web traffic securely without a VPN using a SOCKS tunnel with ssh:

$ ssh -D 8080 -f -C -q -N [email protected]

-D 8080  tells ssh to launch a SOCKS server on port 8080 locally.
-f       forks the process to the background.
-C       compresses the data before sending it.
-q       uses quiet mode.
-N       tells ssh that no command will be sent once the tunnel is up.

ssh escape sequences

While using ssh your connection may become idle or unresponsive; in that case, instead of waiting, you can simply terminate the connection by sending an escape sequence: ~. (the ~ must be the first character typed after a newline).

SSH escape sequences:

sequence  description
~.        terminate connection (and any multiplexed sessions)
~B        send a BREAK to the remote system
~C        open a command line
~R        request rekey
~V/v      decrease/increase verbosity (LogLevel)
~^Z       suspend ssh
~#        list forwarded connections
~&        background ssh (when waiting for connections to terminate)
~?