Enhance OpenSSH for fun and security
•
7 likes•1,833 views
A talk about OpenSSH tips and tricks for advanced users, given at LinuxCon Europe 2015 in Dublin.
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Enhance OpenSSH for fun and security
Similar to Enhance OpenSSH for fun and security (20)
More from Julien Pivotto
More from Julien Pivotto (20)
Recently uploaded
Recently uploaded (20)
Enhance OpenSSH for fun and security
- 1. Enhance OpenSSH for Fun and SecurityEnhance OpenSSH for Fun and SecurityEnhance OpenSSH for Fun and SecurityEnhance OpenSSH for Fun and SecurityEnhance OpenSSH for Fun and SecurityEnhance OpenSSH for Fun and SecurityEnhance OpenSSH for Fun and SecurityEnhance OpenSSH for Fun and SecurityEnhance OpenSSH for Fun and SecurityEnhance OpenSSH for Fun and SecurityEnhance OpenSSH for Fun and SecurityEnhance OpenSSH for Fun and SecurityEnhance OpenSSH for Fun and SecurityEnhance OpenSSH for Fun and SecurityEnhance OpenSSH for Fun and SecurityEnhance OpenSSH for Fun and SecurityEnhance OpenSSH for Fun and Security Julien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien Pivotto LinuxCon EuropeLinuxCon EuropeLinuxCon EuropeLinuxCon EuropeLinuxCon EuropeLinuxCon EuropeLinuxCon EuropeLinuxCon EuropeLinuxCon EuropeLinuxCon EuropeLinuxCon EuropeLinuxCon EuropeLinuxCon EuropeLinuxCon EuropeLinuxCon EuropeLinuxCon EuropeLinuxCon Europe October 5, 2015October 5, 2015October 5, 2015October 5, 2015October 5, 2015October 5, 2015October 5, 2015October 5, 2015October 5, 2015October 5, 2015October 5, 2015October 5, 2015October 5, 2015October 5, 2015October 5, 2015October 5, 2015October 5, 2015
- 2. Match User roidelapluieMatch User roidelapluieMatch User roidelapluieMatch User roidelapluieMatch User roidelapluieMatch User roidelapluieMatch User roidelapluieMatch User roidelapluieMatch User roidelapluieMatch User roidelapluieMatch User roidelapluieMatch User roidelapluieMatch User roidelapluieMatch User roidelapluieMatch User roidelapluieMatch User roidelapluieMatch User roidelapluie Julien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien Pivotto • Sysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.eu • FLOSS user since 2004FLOSS user since 2004FLOSS user since 2004FLOSS user since 2004FLOSS user since 2004FLOSS user since 2004FLOSS user since 2004FLOSS user since 2004FLOSS user since 2004FLOSS user since 2004FLOSS user since 2004FLOSS user since 2004FLOSS user since 2004FLOSS user since 2004FLOSS user since 2004FLOSS user since 2004FLOSS user since 2004 • DevOps believerDevOps believerDevOps believerDevOps believerDevOps believerDevOps believerDevOps believerDevOps believerDevOps believerDevOps believerDevOps believerDevOps believerDevOps believerDevOps believerDevOps believerDevOps believerDevOps believer • @roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie on irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/github
- 3. inuits.eu
- 4. World, 2015World, 2015World, 2015World, 2015World, 2015World, 2015World, 2015World, 2015World, 2015World, 2015World, 2015World, 2015World, 2015World, 2015World, 2015World, 2015World, 2015 Licensed under a Creative Commons Attribution 2.0 License https://www.flickr.com/photos/80497449@N04/10012162166
- 5. Connected devicesConnected devicesConnected devicesConnected devicesConnected devicesConnected devicesConnected devicesConnected devicesConnected devicesConnected devicesConnected devicesConnected devicesConnected devicesConnected devicesConnected devicesConnected devicesConnected devices • MMMMMMMMMMMMMMMMMainframes • SSSSSSSSSSSSSSSSServers • VVVVVVVVVVVVVVVVVirtual machines • CCCCCCCCCCCCCCCCContainers • IIIIIIIIIIIIIIIIIoT
- 6. Entrance DoorsEntrance DoorsEntrance DoorsEntrance DoorsEntrance DoorsEntrance DoorsEntrance DoorsEntrance DoorsEntrance DoorsEntrance DoorsEntrance DoorsEntrance DoorsEntrance DoorsEntrance DoorsEntrance DoorsEntrance DoorsEntrance Doors • PPPPPPPPPPPPPPPPPhysical Access • TTTTTTTTTTTTTTTTTelnet • RRRRRRRRRRRRRRRRRSH • SSSSSSSSSSSSSSSSSSH • HHHHHHHHHHHHHHHHHTTPS • ……………………………………………
- 7. SSHSSHSSHSSHSSHSSHSSHSSHSSHSSHSSHSSHSSHSSHSSHSSHSSH • DDDDDDDDDDDDDDDDDozens of implementations • OOOOOOOOOOOOOOOOOpenSSH • DDDDDDDDDDDDDDDDDropbear (embedded) • CCCCCCCCCCCCCCCCClosed-source • ……………………………………………
- 8. SSHSSHSSHSSHSSHSSHSSHSSHSSHSSHSSHSSHSSHSSHSSHSSHSSH • DDDDDDDDDDDDDDDDDozens of usecases • SSSSSSSSSSSSSSSSShell access and TCP Tunelling • CCCCCCCCCCCCCCCCCode (git) • FFFFFFFFFFFFFFFFFile transfert (sftp) • XXXXXXXXXXXXXXXXX terminal (x2go) • AAAAAAAAAAAAAAAAAutomation (ansible) • ……………………………………………
- 9. OpenSSHOpenSSHOpenSSHOpenSSHOpenSSHOpenSSHOpenSSHOpenSSHOpenSSHOpenSSHOpenSSHOpenSSHOpenSSHOpenSSHOpenSSHOpenSSHOpenSSH Licensed under a Creative Commons Attribution 2.0 License https://www.flickr.com/photos/pennuja/5399766800
- 10. OpenSSHOpenSSHOpenSSHOpenSSHOpenSSHOpenSSHOpenSSHOpenSSHOpenSSHOpenSSHOpenSSHOpenSSHOpenSSHOpenSSHOpenSSHOpenSSHOpenSSH • DDDDDDDDDDDDDDDDDeveloped by the OpenBSD project • RRRRRRRRRRRRRRRRReleased first in 1995 • SSSSSSSSSSSSSSSSServer/Client implementation • IIIIIIIIIIIIIIIIIncluded in BSD, Linux, Cygwin, Mac OS X, … • AAAAAAAAAAAAAAAAAvailable in many other platforms
- 11. Out of scopeOut of scopeOut of scopeOut of scopeOut of scopeOut of scopeOut of scopeOut of scopeOut of scopeOut of scopeOut of scopeOut of scopeOut of scopeOut of scopeOut of scopeOut of scopeOut of scope • FFFFFFFFFFFFFFFFFirewalling, OS, … • BBBBBBBBBBBBBBBBBasic tips: RootLogin, Pubkeys, … • CCCCCCCCCCCCCCCCCrypto/Encryption/Key Exchanges https://stribika.github.io/2015/01/04/secure- secure-shell.html
- 12. SecuritySecuritySecuritySecuritySecuritySecuritySecuritySecuritySecuritySecuritySecuritySecuritySecuritySecuritySecuritySecuritySecurity Licensed under a Creative Commons Asstribution-ShareAlike 2.0 License https://www.flickr.com/photos/111692634@N04/11406986014
- 13. Common senseCommon senseCommon senseCommon senseCommon senseCommon senseCommon senseCommon senseCommon senseCommon senseCommon senseCommon senseCommon senseCommon senseCommon senseCommon senseCommon sense • DDDDDDDDDDDDDDDDDo you need SSH? (immutable infra, containers…) • KKKKKKKKKKKKKKKKKISS • CCCCCCCCCCCCCCCCChose what will get public IP and then exposition.. hypervisors vs vms? • PPPPPPPPPPPPPPPPPort 22 is not Evil
- 14. Server-sideServer-sideServer-sideServer-sideServer-sideServer-sideServer-sideServer-sideServer-sideServer-sideServer-sideServer-sideServer-sideServer-sideServer-sideServer-sideServer-side Licensed under a Creative Commons Attribution 2.0 License https://www.flickr.com/photos/56001405@N06/6187271613
- 15. "Server config""Server config""Server config""Server config""Server config""Server config""Server config""Server config""Server config""Server config""Server config""Server config""Server config""Server config""Server config""Server config""Server config" • /////////////////etc/ssh/sshd_config • RRRRRRRRRRRRRRRRRestart of the service does not kill current ssh sessions
- 16. Allow/Deny rulesAllow/Deny rulesAllow/Deny rulesAllow/Deny rulesAllow/Deny rulesAllow/Deny rulesAllow/Deny rulesAllow/Deny rulesAllow/Deny rulesAllow/Deny rulesAllow/Deny rulesAllow/Deny rulesAllow/Deny rulesAllow/Deny rulesAllow/Deny rulesAllow/Deny rulesAllow/Deny rules Licensed under a Creative Commons Attribution 2.0 License https://www.flickr.com/photos/84388958@N03/7729300102
- 17. AllowUsersAllowUsersAllowUsersAllowUsersAllowUsersAllowUsersAllowUsersAllowUsersAllowUsersAllowUsersAllowUsersAllowUsersAllowUsersAllowUsersAllowUsersAllowUsersAllowUsers AllowUsers jenkins AllowUsers jenkins nagios@172.31.29.5 AllowUsers jenkins nagios@172 .31.29.0/12 AllowUsers is exclusive
- 19. Allow* orderingAllow* orderingAllow* orderingAllow* orderingAllow* orderingAllow* orderingAllow* orderingAllow* orderingAllow* orderingAllow* orderingAllow* orderingAllow* orderingAllow* orderingAllow* orderingAllow* orderingAllow* orderingAllow* ordering • DDDDDDDDDDDDDDDDDenyUsers • AAAAAAAAAAAAAAAAAllowUsers • DDDDDDDDDDDDDDDDDenyGroups • AAAAAAAAAAAAAAAAAllowGroups
- 20. MatchMatchMatchMatchMatchMatchMatchMatchMatchMatchMatchMatchMatchMatchMatchMatchMatch • MMMMMMMMMMMMMMMMMatch + conditions • rrrrrrrrrrrrrrrrreads until next Match or EOF
- 21. MatchMatchMatchMatchMatchMatchMatchMatchMatchMatchMatchMatchMatchMatchMatchMatchMatch AllowGroups staff Match Address 172.31.16.8 AllowGroups staff jenkins
- 22. Trust On First UseTrust On First UseTrust On First UseTrust On First UseTrust On First UseTrust On First UseTrust On First UseTrust On First UseTrust On First UseTrust On First UseTrust On First UseTrust On First UseTrust On First UseTrust On First UseTrust On First UseTrust On First UseTrust On First Use Licensed under a Creative Commons Attribution 2.0 License https://www.flickr.com/photos/armandoh2o/7069748077
- 23. TOFUTOFUTOFUTOFUTOFUTOFUTOFUTOFUTOFUTOFUTOFUTOFUTOFUTOFUTOFUTOFUTOFU The authenticity of host 'example.com (93.184.216.34)' can't be established. ED25519 key fingerprint is SHA256: eIvxpj9aMSS/+Ed7NQZ9er/ vyV17mabfiUxtgF2Q1X0. Are you sure you want to continue connecting (yes/no)?
- 24. Trust on first useTrust on first useTrust on first useTrust on first useTrust on first useTrust on first useTrust on first useTrust on first useTrust on first useTrust on first useTrust on first useTrust on first useTrust on first useTrust on first useTrust on first useTrust on first useTrust on first use • WWWWWWWWWWWWWWWWWho checks the key on the server? • WWWWWWWWWWWWWWWWWho says no? • SSSSSSSSSSSSSSSSSecurity fatigue
- 25. Alternative to TOFU (1/2)Alternative to TOFU (1/2)Alternative to TOFU (1/2)Alternative to TOFU (1/2)Alternative to TOFU (1/2)Alternative to TOFU (1/2)Alternative to TOFU (1/2)Alternative to TOFU (1/2)Alternative to TOFU (1/2)Alternative to TOFU (1/2)Alternative to TOFU (1/2)Alternative to TOFU (1/2)Alternative to TOFU (1/2)Alternative to TOFU (1/2)Alternative to TOFU (1/2)Alternative to TOFU (1/2)Alternative to TOFU (1/2) • AAAAAAAAAAAAAAAAAutomation • EEEEEEEEEEEEEEEEExport keys from hosts • CCCCCCCCCCCCCCCCCollect them from hosts • AAAAAAAAAAAAAAAAApply then to /etc/ssh/known_hosts
- 26. # saz/puppet−ssh − ASL 2.0 if $::sshrsakey { @@sshkey { "${::fqdn}_rsa": ensure => present, host_aliases => $host_aliases, type => rsa, key => $::sshrsakey, } } else { @@sshkey { "${::fqdn}_rsa": ensure => absent, } }
- 27. Sshkey <<| |>>
- 28. Alternative to TOFU (2/2)Alternative to TOFU (2/2)Alternative to TOFU (2/2)Alternative to TOFU (2/2)Alternative to TOFU (2/2)Alternative to TOFU (2/2)Alternative to TOFU (2/2)Alternative to TOFU (2/2)Alternative to TOFU (2/2)Alternative to TOFU (2/2)Alternative to TOFU (2/2)Alternative to TOFU (2/2)Alternative to TOFU (2/2)Alternative to TOFU (2/2)Alternative to TOFU (2/2)Alternative to TOFU (2/2)Alternative to TOFU (2/2) • DDDDDDDDDDDDDDDDDNS • EEEEEEEEEEEEEEEEExport keys in SSHFP DNS records • CCCCCCCCCCCCCCCCCan be secured by DNSSEC • hhhhhhhhhhhhhhhhhttps://github.com/jpmens/facts2sshfp
- 29. $ dig +short SSHFP example.com 1 1 F00A55CEA3B8E15528665A6781CA7C35190CF0 2 1 CC1F004DA60CF38E809FE58B10D0F22680D59D
- 30. ssh −o VerifyHostKeyDNS=yes example.com
- 31. The authenticity of host 'example.com (93.184.216.34)' can't be established. ED25519 key fingerprint is SHA256: eIvxpj9aMSS/+Ed7NQZ9er/ vyV17mabfiUxtgF2Q1X0. Matching host key fingerprint found in DNS Are you sure you want to continue connecting (yes/no)?
- 32. Authorized keysAuthorized keysAuthorized keysAuthorized keysAuthorized keysAuthorized keysAuthorized keysAuthorized keysAuthorized keysAuthorized keysAuthorized keysAuthorized keysAuthorized keysAuthorized keysAuthorized keysAuthorized keysAuthorized keys Licensed under a Creative Commons Attribution 2.0 License https://www.flickr.com/photos/brenda-starr/4498078166
- 33. ssh−rsa AAsafgrewgBzhfadgthgfpoDtGlUBIYhzf user@desktop • OOOOOOOOOOOOOOOOOne key, one user • AAAAAAAAAAAAAAAAAlways with a password • DDDDDDDDDDDDDDDDDistribute them in an automated way
- 34. from="172.21.32.4" ssh−rsa AAspoDtGlUBIYhzf ansible no−port−forwarding ,no−x11−forwarding ,no−agent−forwarding ssh−rsa AAspDjeFJwFRf jenkins
- 35. ssh_authorized_key { 'jenkins ': type => 'ssh−rsa', key => 'AAAAKZ6TwZl3ikhY42clyY/De7J ', user => 'jenkins ', }
- 36. ssh_authorized_key { 'jenkins ': type => 'ssh−rsa', key => 'AAAAKZ6TwZl3ikhY42clyY/De7J ', user => 'jenkins ', options => 'from="192.168.10.1"' }
- 37. Purge undefined keys!Purge undefined keys!Purge undefined keys!Purge undefined keys!Purge undefined keys!Purge undefined keys!Purge undefined keys!Purge undefined keys!Purge undefined keys!Purge undefined keys!Purge undefined keys!Purge undefined keys!Purge undefined keys!Purge undefined keys!Purge undefined keys!Purge undefined keys!Purge undefined keys! user { 'jenkins ': purge_ssh_keys => true , }
- 38. AuthorizedKeysCommandAuthorizedKeysCommandAuthorizedKeysCommandAuthorizedKeysCommandAuthorizedKeysCommandAuthorizedKeysCommandAuthorizedKeysCommandAuthorizedKeysCommandAuthorizedKeysCommandAuthorizedKeysCommandAuthorizedKeysCommandAuthorizedKeysCommandAuthorizedKeysCommandAuthorizedKeysCommandAuthorizedKeysCommandAuthorizedKeysCommandAuthorizedKeysCommand • SSSSSSSSSSSSSSSSScript that takes username as arguments and returns authorized_keys • EEEEEEEEEEEEEEEEExemple reference: openssh-ldap RPM
- 39. Client SideClient SideClient SideClient SideClient SideClient SideClient SideClient SideClient SideClient SideClient SideClient SideClient SideClient SideClient SideClient SideClient Side Licensed under a Creative Commons Zero License @roidelapluie
- 40. Client configurationClient configurationClient configurationClient configurationClient configurationClient configurationClient configurationClient configurationClient configurationClient configurationClient configurationClient configurationClient configurationClient configurationClient configurationClient configurationClient configuration • $$$$$$$$$$$$$$$$$HOME/.ssh/config • /////////////////etc/ssh/ssh_config
- 41. Host web1 Hostname web1.example.com User roidelapluie
- 42. SSH HopsSSH HopsSSH HopsSSH HopsSSH HopsSSH HopsSSH HopsSSH HopsSSH HopsSSH HopsSSH HopsSSH HopsSSH HopsSSH HopsSSH HopsSSH HopsSSH Hops Licensed under a Creative Commons Attribution-ShareAlike 2.0 License https://www.flickr.com/photos/sarahrosenau/269786597
- 43. Host web1 Proxycommand ssh proxy nc %h %p Host proxy Proxycommand ssh out nc %h %p
- 44. SSH HopsSSH HopsSSH HopsSSH HopsSSH HopsSSH HopsSSH HopsSSH HopsSSH HopsSSH HopsSSH HopsSSH HopsSSH HopsSSH HopsSSH HopsSSH HopsSSH Hops • AAAAAAAAAAAAAAAAAcces restricted areas • KKKKKKKKKKKKKKKKKeeps your private keys in your machine • NNNNNNNNNNNNNNNNNo need for agent forwarding
- 45. SocketsSocketsSocketsSocketsSocketsSocketsSocketsSocketsSocketsSocketsSocketsSocketsSocketsSocketsSocketsSocketsSockets Licensed under a Creative Commons Attribution-ShareAlike 2.0 License https://www.flickr.com/photos/restlessglobetrotter/2661016046
- 46. Host git.example.com ControlMaster auto ControlPath /tmp/ssh−%r@%h:%p ControlPersist 5
- 47. SSH SocketsSSH SocketsSSH SocketsSSH SocketsSSH SocketsSSH SocketsSSH SocketsSSH SocketsSSH SocketsSSH SocketsSSH SocketsSSH SocketsSSH SocketsSSH SocketsSSH SocketsSSH SocketsSSH Sockets • SSSSSSSSSSSSSSSSSpeed up reconnection time • DDDDDDDDDDDDDDDDDo not renegotiate each time • UUUUUUUUUUUUUUUUUseful for git
- 48. Stopping OpenSSHStopping OpenSSHStopping OpenSSHStopping OpenSSHStopping OpenSSHStopping OpenSSHStopping OpenSSHStopping OpenSSHStopping OpenSSHStopping OpenSSHStopping OpenSSHStopping OpenSSHStopping OpenSSHStopping OpenSSHStopping OpenSSHStopping OpenSSHStopping OpenSSH Licensed under a Creative Commons Attribution 2.0 License https://www.flickr.com/photos/horiavarlan/4747872021
- 49. Send to backgroundSend to backgroundSend to backgroundSend to backgroundSend to backgroundSend to backgroundSend to backgroundSend to backgroundSend to backgroundSend to backgroundSend to backgroundSend to backgroundSend to backgroundSend to backgroundSend to backgroundSend to backgroundSend to background <enter > ~ &
- 50. PausePausePausePausePausePausePausePausePausePausePausePausePausePausePausePausePause <enter > ~ <ctrl+z>
- 51. Kill the sessionKill the sessionKill the sessionKill the sessionKill the sessionKill the sessionKill the sessionKill the sessionKill the sessionKill the sessionKill the sessionKill the sessionKill the sessionKill the sessionKill the sessionKill the sessionKill the session <enter > ~ .
- 52. TunnelsTunnelsTunnelsTunnelsTunnelsTunnelsTunnelsTunnelsTunnelsTunnelsTunnelsTunnelsTunnelsTunnelsTunnelsTunnelsTunnels Licensed under a Creative Commons Attribution-ShareAlike 2.0 License https://www.flickr.com/photos/hanuska/5174842932
- 53. TunnelsTunnelsTunnelsTunnelsTunnelsTunnelsTunnelsTunnelsTunnelsTunnelsTunnelsTunnelsTunnelsTunnelsTunnelsTunnelsTunnels • TTTTTTTTTTTTTTTTTCP Tunnels • SSSSSSSSSSSSSSSSSOCKS proxy
- 54. TunnelsTunnelsTunnelsTunnelsTunnelsTunnelsTunnelsTunnelsTunnelsTunnelsTunnelsTunnelsTunnelsTunnelsTunnelsTunnelsTunnels • LLLLLLLLLLLLLLLLLocal TCP Port Forwarding: give remote acces to local port • RRRRRRRRRRRRRRRRRemote TCP Port Forwarding: get access to remote ports
- 55. Local TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port Forwarding Icons from http://www.opensecurityarchitecture.org/cms/library/icon-library and the Tango Icons project
- 56. Local TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port Forwarding Icons from http://www.opensecurityarchitecture.org/cms/library/icon-library and the Tango Icons project
- 57. Local TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port Forwarding Icons from http://www.opensecurityarchitecture.org/cms/library/icon-library and the Tango Icons project
- 58. Local TCP Tunnel exampleLocal TCP Tunnel exampleLocal TCP Tunnel exampleLocal TCP Tunnel exampleLocal TCP Tunnel exampleLocal TCP Tunnel exampleLocal TCP Tunnel exampleLocal TCP Tunnel exampleLocal TCP Tunnel exampleLocal TCP Tunnel exampleLocal TCP Tunnel exampleLocal TCP Tunnel exampleLocal TCP Tunnel exampleLocal TCP Tunnel exampleLocal TCP Tunnel exampleLocal TCP Tunnel exampleLocal TCP Tunnel example • UUUUUUUUUUUUUUUUUser A is natted behind a firewall • HHHHHHHHHHHHHHHHHe wants to give User B access to local SSH daemon userA@hostA > ssh −NR 22222:localhost:22 userA@hostB userB@hostB > ssh −p 22222 localhost -N is for No Shell
- 59. Remote TCP Port ForwardingRemote TCP Port ForwardingRemote TCP Port ForwardingRemote TCP Port ForwardingRemote TCP Port ForwardingRemote TCP Port ForwardingRemote TCP Port ForwardingRemote TCP Port ForwardingRemote TCP Port ForwardingRemote TCP Port ForwardingRemote TCP Port ForwardingRemote TCP Port ForwardingRemote TCP Port ForwardingRemote TCP Port ForwardingRemote TCP Port ForwardingRemote TCP Port ForwardingRemote TCP Port Forwarding Icons from http://www.opensecurityarchitecture.org/cms/library/icon-library and the Tango Icons project
- 60. Remote TCP Port ForwardingRemote TCP Port ForwardingRemote TCP Port ForwardingRemote TCP Port ForwardingRemote TCP Port ForwardingRemote TCP Port ForwardingRemote TCP Port ForwardingRemote TCP Port ForwardingRemote TCP Port ForwardingRemote TCP Port ForwardingRemote TCP Port ForwardingRemote TCP Port ForwardingRemote TCP Port ForwardingRemote TCP Port ForwardingRemote TCP Port ForwardingRemote TCP Port ForwardingRemote TCP Port Forwarding Icons from http://www.opensecurityarchitecture.org/cms/library/icon-library and the Tango Icons project
- 61. Remote Port Forwarding exampleRemote Port Forwarding exampleRemote Port Forwarding exampleRemote Port Forwarding exampleRemote Port Forwarding exampleRemote Port Forwarding exampleRemote Port Forwarding exampleRemote Port Forwarding exampleRemote Port Forwarding exampleRemote Port Forwarding exampleRemote Port Forwarding exampleRemote Port Forwarding exampleRemote Port Forwarding exampleRemote Port Forwarding exampleRemote Port Forwarding exampleRemote Port Forwarding exampleRemote Port Forwarding example • UUUUUUUUUUUUUUUUUser A is behind a firewall that blocks VNC port • HHHHHHHHHHHHHHHHHe wants to access User B local VNC daemon userA@hostA > ssh −NL 5900:localhost:5900 userA@hostB userA@hostA > vncviewer localhost
- 62. SOCKS ProxySOCKS ProxySOCKS ProxySOCKS ProxySOCKS ProxySOCKS ProxySOCKS ProxySOCKS ProxySOCKS ProxySOCKS ProxySOCKS ProxySOCKS ProxySOCKS ProxySOCKS ProxySOCKS ProxySOCKS ProxySOCKS Proxy • """""""""""""""""Dynamic" port forwarding • EEEEEEEEEEEEEEEEEnable UDP, TCP, … • CCCCCCCCCCCCCCCCCreates a SOCKS5 proxy userA@hostA > ssh −ND 9500 userA@hostB userA@hostA > proxychains wget http://example.com
- 63. ToolsToolsToolsToolsToolsToolsToolsToolsToolsToolsToolsToolsToolsToolsToolsToolsTools Licensed under a Creative Commons Attribution 2.0 License https://www.flickr.com/photos/86639298@N02/8559728371
- 64. ssh-agentssh-agentssh-agentssh-agentssh-agentssh-agentssh-agentssh-agentssh-agentssh-agentssh-agentssh-agentssh-agentssh-agentssh-agentssh-agentssh-agent • SSSSSSSSSSSSSSSSStores your private key in memory • eeeeeeeeeeeeeeeeeval $(ssh-agent) • ssssssssssssssssssh-add; ssh-add -t 1h foo.key • ssssssssssssssssssh-add -x (lock) • ssssssssssssssssssh-add -X (unlock) • PPPPPPPPPPPPPPPPPart of OpenSSH
- 65. screenscreenscreenscreenscreenscreenscreenscreenscreenscreenscreenscreenscreenscreenscreenscreenscreen • KKKKKKKKKKKKKKKKKeep session accross ssh connection • HHHHHHHHHHHHHHHHHave multiple shell `windows' • RRRRRRRRRRRRRRRRRun long command and keep them running • ssssssssssssssssscreen (launch new session) • CCCCCCCCCCCCCCCCCtrl+a d (detach) • ssssssssssssssssscreen -dx (detach and reattach) • ssssssssssssssssssh host -t screen -dx • AAAAAAAAAAAAAAAAAlternative: tmux
- 66. reptyrreptyrreptyrreptyrreptyrreptyrreptyrreptyrreptyrreptyrreptyrreptyrreptyrreptyrreptyrreptyrreptyr • AAAAAAAAAAAAAAAAAttach a long running process to the current terminal • IIIIIIIIIIIIIIIIIdea: launch a screen and rattach another process inside • UUUUUUUUUUUUUUUUUseful when you forgot to launch your screen before • rrrrrrrrrrrrrrrrreptyr -p PID
- 67. vimvimvimvimvimvimvimvimvimvimvimvimvimvimvimvimvim • EEEEEEEEEEEEEEEEEdit files remotely with scp • vvvvvvvvvvvvvvvvvim scp://web//etc/hosts
- 68. ConclusionConclusionConclusionConclusionConclusionConclusionConclusionConclusionConclusionConclusionConclusionConclusionConclusionConclusionConclusionConclusionConclusion Licensed under a Creative Commons Attribution 2.0 License https://www.flickr.com/photos/freddyfromutah/4424199420
- 69. ConclusionConclusionConclusionConclusionConclusionConclusionConclusionConclusionConclusionConclusionConclusionConclusionConclusionConclusionConclusionConclusionConclusion • SSSSSSSSSSSSSSSSSSH is still part of modern infrastructures • IIIIIIIIIIIIIIIIIt should be part of what you automate/control • LLLLLLLLLLLLLLLLLots of other projects rely on it • YYYYYYYYYYYYYYYYYou can harden it in a lot of ways • TTTTTTTTTTTTTTTTThere is a lot of things to discover!
- 70. HomeworkHomeworkHomeworkHomeworkHomeworkHomeworkHomeworkHomeworkHomeworkHomeworkHomeworkHomeworkHomeworkHomeworkHomeworkHomeworkHomework • SSSSSSSSSSSSSSSSSSH certificate authority • cccccccccccccccccommand= permitopen= • MMMMMMMMMMMMMMMMMatch blocks • sssssssssssssssssshfs • ……………………………………………
- 71. Any Question?Any Question?Any Question?Any Question?Any Question?Any Question?Any Question?Any Question?Any Question?Any Question?Any Question?Any Question?Any Question?Any Question?Any Question?Any Question?Any Question?
- 72. ContactContactContactContactContactContactContactContactContactContactContactContactContactContactContactContactContact Julien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien Pivotto julien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eu @roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie inuitsinuitsinuitsinuitsinuitsinuitsinuitsinuitsinuitsinuitsinuitsinuitsinuitsinuitsinuitsinuitsinuits https://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.eu info@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.eu +32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636