IT notes

sudo SSH_CONNECTION

When using ssh and then doing something like sudo -i, the SSH environment variables are gone. To preserve them, modify your sudoers file (/usr/local/etc/sudoers or /usr/local/etc/sudoers.d/devops) and add something like:

    Defaults env_keep += "SSH_TTY SSH_CONNECTION SSH_CLIENT"

With this in place, sudo will preserve your SSH environment variables.

ssh wireshark

To analyze traffic remotely over ssh:

    ssh [email protected] sudo tcpdump -U -s0 -i pflog0 -w - | wireshark -k -i -

If you need a specific port:

    ssh [email protected] sudo tcpdump -U -s0 -i pflog0 -w - 'port 5984' | wireshark -k -i -

To ignore the traffic of the ssh session itself:

    ssh [email protected] sudo tcpdump -U -s0 -i pflog0 -w - 'not port 22' | wireshark -k -i -

Block SSH on MacOS

To block incoming ssh connections, edit /etc/pf.conf and add the following line at the bottom:

    block in log quick proto tcp from any to any port 22

You can use vim, or something like this:

    sudo sh -c "echo 'block in log quick proto tcp from any to any port 22' >> /etc/pf.conf"

Then reload the pf rules:

    sudo pfctl -Fa -f /etc/pf.conf

For this to work the firewall (pf) must be enabled.

Git SSH

To create a git repository and access it via ssh:

    $ ssh your.host
    $ mkdir my-new-repo
    $ cd my-new-repo
    $ git --bare init

To access your repo (clone it):

    $ git clone ssh://[email protected]:2222/~user/my-new-repo

ssh CanonicalDomains

SSH Canonicalization

    CanonicalDomains example.com example.net example.org
    # CanonicalizeFallbackLocal no
    CanonicalizeHostname yes

    Host *.example.com
        IdentityFile ~/.ssh/exampleCOM
        User foo

    Host *.example.net
        IdentityFile ~/.ssh/exampleNET
        User foo

    Host *.example.org
        User foo
        IdentityFile ~/.ssh/exampleORG

more info: https://dotfiles.tnetconsulting.net/articles/2016/0109/ssh-canonicalization.html

ssh permissions are too open

To set mode 0400 on all your ssh private keys:

    $ find ~/.ssh/* -type f -name "id*" -not -iname "*.pub" -exec chmod 0400 {} \+

UseKeychain

To save SSH keys in the macOS Sierra keychain, add this to ~/.ssh/config:

    Host *
        AddKeysToAgent yes
        UseKeychain yes

Keychain changes

Prior to macOS Sierra, ssh would present a dialog asking for your passphrase and would offer the option to store it into the keychain. This UI was deprecated some time ago and has been removed. Instead, a new UseKeychain option was introduced in macOS Sierra allowing users to specify whether they would like the passphrase to be stored in the keychain.

ssh update Host Keys

To create new ssh host keys on the server:

    ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa
    ssh-keygen -f /etc/ssh/ssh_host_ecdsa_key -N '' -t ecdsa -b 521

To check the fingerprint:

    ssh-keygen -lf ssh_host_ecdsa_key

On the client side you will then see:

    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
    Someone could be eavesdropping on you right now (man-in-the-middle attack)!
    It is also possible that a host key has just been changed.

two factor authentication with ssh

Two-Factor-Authentication “2FA” with SSH

Install google authenticator and libqrencode:

    pkg install pam_google_authenticator
    pkg install libqrencode

Edit /etc/pam.d/sshd and add the following line to the auth section:

    # auth
    auth            sufficient      pam_opie.so             no_warn no_fake_prompts
    auth            requisite       pam_opieaccess.so       no_warn allow_local
    #auth           sufficient      pam_krb5.so             no_warn try_first_pass
    #auth           sufficient      pam_ssh.so              no_warn try_first_pass
    #auth           required        pam_unix.so             no_warn try_first_pass
    auth            required        /usr/local/lib/pam_google_authenticator.so

Add this to /etc/ssh/sshd_config:

    ChallengeResponseAuthentication yes
    UsePAM yes
    AuthenticationMethods publickey,keyboard-interactive

This setup will do “publickey + verification code” without a password; in case you require a password, edit the /etc/pam.

pdsh

pdsh - issue commands to groups of hosts in parallel

Install:

    brew install pdsh

Usage:

    pdsh -R ssh -w ^servers.txt "<command>"

where servers.txt is something like:

    10.8.4.2
    10.8.4.3
    10.8.4.4

one-liner:

    pdsh -b -w "10.8.4.2, 10.8.4.3, 10.8.4.4" "<command>"

-b  Disable the ctrl-C status feature so that a single ctrl-C kills the parallel job. (Batch Mode)

haproxy ssh

HTTPS and SSH on the same port

Using HAProxy to serve SSH and SSL on the same port:

    global
        maxconn 1000000
        spread-checks 3
        log /var/run/log local0 notice
        daemon
        tune.ssl.default-dh-param 2048

    defaults
        mode http
        balance roundrobin
        option http-server-close
        option abortonclose
        option dontlognull
        option redispatch
        timeout check 3s
        timeout client 30s          # Client and server timeout must match the longest
        timeout connect 5s
        timeout http-keep-alive 5s
        timeout http-request 10s    # A complete request may never take that long.

tmux ssh

Tmux multiple ssh connections with synchronized panes

If you need to debug/check multiple servers in real time via ssh, this can be used.

tmux script

    #!/bin/sh
    # usage: ./tmux-ssh.sh hosts.txt   (or pipe one host per line on stdin)
    TARGET="tmux-ssh"
    SSH_USER="devops"
    i=0
    while read line
    do
        if [ "$i" -eq 0 ]
        then
            # the first host creates the window
            tmux new-window -a -n ${TARGET} "ssh -l ${SSH_USER} ${line}"
        else
            # every further host gets its own pane in a tiled layout
            tmux split-window -t "${TARGET}" "ssh -l ${SSH_USER} ${line}" && \
            tmux select-layout -t "${TARGET}" tiled
        fi
        i=$((i + 1))
    done < "${1:-/dev/stdin}"
    # keystrokes are now sent to every pane at once
    tmux set-window-option -t ${TARGET} synchronize-panes on

hosts

If the input is json, jq can be used to extract hosts, assuming your output is similar to:

bastion ssh

ProxyJump

This is the easiest (new) way:

    Host 10.*
        ProxyJump [email protected]:2222

Using ProxyCommand

Replace your.bastion.tld with your bastion server and set your bastion username in the ProxyCommand:

    Host bastion
        Hostname your.bastion.tld
        ForwardAgent yes

    Host 10.10.*
        ProxyCommand ssh <your-username>@bastion -W %h:%p

example

To log in with user devops to server 10.10.3.4:

    $ ssh -l devops 10.10.3.4

or

    $ ssh [email protected]

SSH sockets

To speed things up further when using the bastion host, this can be added at the top of the ~/.

ssh ed25519

Generate your new ssh ed25519 key:

    $ ssh-keygen -o -a 1000 -t ed25519

ssh proxy

SSH SOCKS5 proxy

Route web traffic securely without a VPN using a SOCKS tunnel with ssh:

    $ ssh -D 8080 -f -C -q -N [email protected]

-D 8080  tells ssh to launch a SOCKS server on port 8080 locally.
-f       forks the process to the background.
-C       compresses the data before sending it.
-q       uses quiet mode.
-N       tells SSH that no command will be sent once the tunnel is up.

ssh escape sequences

While using ssh your connection may become idle or unresponsive; in that case, instead of waiting, you can simply terminate the connection by sending an escape sequence: ~.

SSH escape sequences

    sequence    description
    ~.          terminate connection (and any multiplexed sessions)
    ~B          send a BREAK to the remote system
    ~C          open a command line
    ~R          request rekey
    ~V/v        decrease/increase verbosity (LogLevel)
    ~^Z         suspend ssh
    ~#          list forwarded connections
    ~&          background ssh (when waiting for connections to terminate)
    ~?

ssh rsa public key encryption

Encrypt a file using ssh public keys.

Create the ssh public key in PEM format:

    ssh-keygen -f id_rsa.pub -e -m PKCS8 > id_rsa.pem.pub

Use openssl to encrypt/decrypt.

Encrypt:

    openssl rsautl -encrypt -pubin -inkey ~/.ssh/id_rsa.pem.pub -ssl -in test.txt -out test.txt.enc

Decrypt:

    openssl rsautl -decrypt -inkey ~/.ssh/id_rsa -in test.txt.enc -out test.txt.enc.txt

mosh

mosh (mobile shell)

Remote terminal application that allows roaming, supports intermittent connectivity, and provides intelligent local echo and line editing of user keystrokes. Mosh is a replacement for SSH. It’s more robust and responsive, especially over Wi-Fi, cellular, and long-distance links.

How to install the server on FreeBSD:

    $ pkg install net/mosh

Edit /etc/login.conf and add this to the default class:

    :charset=UTF-8:\
    :lang=en_US.UTF-8:\
    :setenv=LC_COLLATE=C:

After editing /etc/login.conf run:

Port knocking

In computer networking, port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports. Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specific port(s). For example, using PF on FreeBSD to only open port 22 after X number of attempts to connect on port 1234: