Enhance OpenSSH for fun and security

1,069 views

Published on

A talk about OpenSSH tips and tricks for advanced users, given at LinuxCon Europe 2015 in Dublin.

Published in: Technology

Enhance OpenSSH for fun and security

  1. 1. Enhance OpenSSH for Fun and SecurityEnhance OpenSSH for Fun and SecurityEnhance OpenSSH for Fun and SecurityEnhance OpenSSH for Fun and SecurityEnhance OpenSSH for Fun and SecurityEnhance OpenSSH for Fun and SecurityEnhance OpenSSH for Fun and SecurityEnhance OpenSSH for Fun and SecurityEnhance OpenSSH for Fun and SecurityEnhance OpenSSH for Fun and SecurityEnhance OpenSSH for Fun and SecurityEnhance OpenSSH for Fun and SecurityEnhance OpenSSH for Fun and SecurityEnhance OpenSSH for Fun and SecurityEnhance OpenSSH for Fun and SecurityEnhance OpenSSH for Fun and SecurityEnhance OpenSSH for Fun and Security Julien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien Pivotto LinuxCon EuropeLinuxCon EuropeLinuxCon EuropeLinuxCon EuropeLinuxCon EuropeLinuxCon EuropeLinuxCon EuropeLinuxCon EuropeLinuxCon EuropeLinuxCon EuropeLinuxCon EuropeLinuxCon EuropeLinuxCon EuropeLinuxCon EuropeLinuxCon EuropeLinuxCon EuropeLinuxCon Europe October 5, 2015October 5, 2015October 5, 2015October 5, 2015October 5, 2015October 5, 2015October 5, 2015October 5, 2015October 5, 2015October 5, 2015October 5, 2015October 5, 2015October 5, 2015October 5, 2015October 5, 2015October 5, 2015October 5, 2015
  2. 2. Match User roidelapluieMatch User roidelapluieMatch User roidelapluieMatch User roidelapluieMatch User roidelapluieMatch User roidelapluieMatch User roidelapluieMatch User roidelapluieMatch User roidelapluieMatch User roidelapluieMatch User roidelapluieMatch User roidelapluieMatch User roidelapluieMatch User roidelapluieMatch User roidelapluieMatch User roidelapluieMatch User roidelapluie Julien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien Pivotto • Sysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.euSysadmin at inuits.eu • FLOSS user since 2004FLOSS user since 2004FLOSS user since 2004FLOSS user since 2004FLOSS user since 2004FLOSS user since 2004FLOSS user since 2004FLOSS user since 2004FLOSS user since 2004FLOSS user since 2004FLOSS user since 2004FLOSS user since 2004FLOSS user since 2004FLOSS user since 2004FLOSS user since 2004FLOSS user since 2004FLOSS user since 2004 • DevOps believerDevOps believerDevOps believerDevOps believerDevOps believerDevOps believerDevOps believerDevOps believerDevOps believerDevOps believerDevOps believerDevOps believerDevOps believerDevOps believerDevOps believerDevOps believerDevOps believer • @roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie on irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/githubon irc/twitter/github
  3. 3. inuits.eu
  4. 4. World, 2015World, 2015World, 2015World, 2015World, 2015World, 2015World, 2015World, 2015World, 2015World, 2015World, 2015World, 2015World, 2015World, 2015World, 2015World, 2015World, 2015 Licensed under a Creative Commons Attribution 2.0 License https://www.flickr.com/photos/80497449@N04/10012162166
  5. 5. Connected devicesConnected devicesConnected devicesConnected devicesConnected devicesConnected devicesConnected devicesConnected devicesConnected devicesConnected devicesConnected devicesConnected devicesConnected devicesConnected devicesConnected devicesConnected devicesConnected devices • MMMMMMMMMMMMMMMMMainframes • SSSSSSSSSSSSSSSSServers • VVVVVVVVVVVVVVVVVirtual machines • CCCCCCCCCCCCCCCCContainers • IIIIIIIIIIIIIIIIIoT
  6. 6. Entrance DoorsEntrance DoorsEntrance DoorsEntrance DoorsEntrance DoorsEntrance DoorsEntrance DoorsEntrance DoorsEntrance DoorsEntrance DoorsEntrance DoorsEntrance DoorsEntrance DoorsEntrance DoorsEntrance DoorsEntrance DoorsEntrance Doors • PPPPPPPPPPPPPPPPPhysical Access • TTTTTTTTTTTTTTTTTelnet • RRRRRRRRRRRRRRRRRSH • SSSSSSSSSSSSSSSSSSH • HHHHHHHHHHHHHHHHHTTPS • ……………………………………………
  7. 7. SSHSSHSSHSSHSSHSSHSSHSSHSSHSSHSSHSSHSSHSSHSSHSSHSSH • DDDDDDDDDDDDDDDDDozens of implementations • OOOOOOOOOOOOOOOOOpenSSH • DDDDDDDDDDDDDDDDDropbear (embedded) • CCCCCCCCCCCCCCCCClosed-source • ……………………………………………
  8. 8. SSHSSHSSHSSHSSHSSHSSHSSHSSHSSHSSHSSHSSHSSHSSHSSHSSH • DDDDDDDDDDDDDDDDDozens of usecases • SSSSSSSSSSSSSSSSShell access and TCP Tunelling • CCCCCCCCCCCCCCCCCode (git) • FFFFFFFFFFFFFFFFFile transfert (sftp) • XXXXXXXXXXXXXXXXX terminal (x2go) • AAAAAAAAAAAAAAAAAutomation (ansible) • ……………………………………………
  9. 9. OpenSSHOpenSSHOpenSSHOpenSSHOpenSSHOpenSSHOpenSSHOpenSSHOpenSSHOpenSSHOpenSSHOpenSSHOpenSSHOpenSSHOpenSSHOpenSSHOpenSSH Licensed under a Creative Commons Attribution 2.0 License https://www.flickr.com/photos/pennuja/5399766800
  10. 10. OpenSSHOpenSSHOpenSSHOpenSSHOpenSSHOpenSSHOpenSSHOpenSSHOpenSSHOpenSSHOpenSSHOpenSSHOpenSSHOpenSSHOpenSSHOpenSSHOpenSSH • DDDDDDDDDDDDDDDDDeveloped by the OpenBSD project • RRRRRRRRRRRRRRRRReleased first in 1995 • SSSSSSSSSSSSSSSSServer/Client implementation • IIIIIIIIIIIIIIIIIncluded in BSD, Linux, Cygwin, Mac OS X, … • AAAAAAAAAAAAAAAAAvailable in many other platforms
  11. 11. Out of scopeOut of scopeOut of scopeOut of scopeOut of scopeOut of scopeOut of scopeOut of scopeOut of scopeOut of scopeOut of scopeOut of scopeOut of scopeOut of scopeOut of scopeOut of scopeOut of scope • FFFFFFFFFFFFFFFFFirewalling, OS, … • BBBBBBBBBBBBBBBBBasic tips: RootLogin, Pubkeys, … • CCCCCCCCCCCCCCCCCrypto/Encryption/Key Exchanges https://stribika.github.io/2015/01/04/secure- secure-shell.html
  12. 12. SecuritySecuritySecuritySecuritySecuritySecuritySecuritySecuritySecuritySecuritySecuritySecuritySecuritySecuritySecuritySecuritySecurity Licensed under a Creative Commons Asstribution-ShareAlike 2.0 License https://www.flickr.com/photos/111692634@N04/11406986014
  13. 13. Common senseCommon senseCommon senseCommon senseCommon senseCommon senseCommon senseCommon senseCommon senseCommon senseCommon senseCommon senseCommon senseCommon senseCommon senseCommon senseCommon sense • DDDDDDDDDDDDDDDDDo you need SSH? (immutable infra, containers…) • KKKKKKKKKKKKKKKKKISS • CCCCCCCCCCCCCCCCChose what will get public IP and then exposition.. hypervisors vs vms? • PPPPPPPPPPPPPPPPPort 22 is not Evil
  14. 14. Server-sideServer-sideServer-sideServer-sideServer-sideServer-sideServer-sideServer-sideServer-sideServer-sideServer-sideServer-sideServer-sideServer-sideServer-sideServer-sideServer-side Licensed under a Creative Commons Attribution 2.0 License https://www.flickr.com/photos/56001405@N06/6187271613
  15. 15. "Server config""Server config""Server config""Server config""Server config""Server config""Server config""Server config""Server config""Server config""Server config""Server config""Server config""Server config""Server config""Server config""Server config" • /////////////////etc/ssh/sshd_config • RRRRRRRRRRRRRRRRRestart of the service does not kill current ssh sessions
  16. 16. Allow/Deny rulesAllow/Deny rulesAllow/Deny rulesAllow/Deny rulesAllow/Deny rulesAllow/Deny rulesAllow/Deny rulesAllow/Deny rulesAllow/Deny rulesAllow/Deny rulesAllow/Deny rulesAllow/Deny rulesAllow/Deny rulesAllow/Deny rulesAllow/Deny rulesAllow/Deny rulesAllow/Deny rules Licensed under a Creative Commons Attribution 2.0 License https://www.flickr.com/photos/84388958@N03/7729300102
  17. 17. AllowUsersAllowUsersAllowUsersAllowUsersAllowUsersAllowUsersAllowUsersAllowUsersAllowUsersAllowUsersAllowUsersAllowUsersAllowUsersAllowUsersAllowUsersAllowUsersAllowUsers AllowUsers jenkins AllowUsers jenkins nagios@172.31.29.5 AllowUsers jenkins nagios@172 .31.29.0/12 AllowUsers is exclusive
  18. 18. AllowGroupsAllowGroupsAllowGroupsAllowGroupsAllowGroupsAllowGroupsAllowGroupsAllowGroupsAllowGroupsAllowGroupsAllowGroupsAllowGroupsAllowGroupsAllowGroupsAllowGroupsAllowGroupsAllowGroups AllowGroups staff jenkins AllowGroups is exclusive
  19. 19. Allow* orderingAllow* orderingAllow* orderingAllow* orderingAllow* orderingAllow* orderingAllow* orderingAllow* orderingAllow* orderingAllow* orderingAllow* orderingAllow* orderingAllow* orderingAllow* orderingAllow* orderingAllow* orderingAllow* ordering • DDDDDDDDDDDDDDDDDenyUsers • AAAAAAAAAAAAAAAAAllowUsers • DDDDDDDDDDDDDDDDDenyGroups • AAAAAAAAAAAAAAAAAllowGroups
  20. 20. MatchMatchMatchMatchMatchMatchMatchMatchMatchMatchMatchMatchMatchMatchMatchMatchMatch • MMMMMMMMMMMMMMMMMatch + conditions • rrrrrrrrrrrrrrrrreads until next Match or EOF
  21. 21. MatchMatchMatchMatchMatchMatchMatchMatchMatchMatchMatchMatchMatchMatchMatchMatchMatch AllowGroups staff Match Address 172.31.16.8 AllowGroups staff jenkins
  22. 22. Trust On First UseTrust On First UseTrust On First UseTrust On First UseTrust On First UseTrust On First UseTrust On First UseTrust On First UseTrust On First UseTrust On First UseTrust On First UseTrust On First UseTrust On First UseTrust On First UseTrust On First UseTrust On First UseTrust On First Use Licensed under a Creative Commons Attribution 2.0 License https://www.flickr.com/photos/armandoh2o/7069748077
  23. 23. TOFUTOFUTOFUTOFUTOFUTOFUTOFUTOFUTOFUTOFUTOFUTOFUTOFUTOFUTOFUTOFUTOFU The authenticity of host 'example.com (93.184.216.34)' can't be established. ED25519 key fingerprint is SHA256: eIvxpj9aMSS/+Ed7NQZ9er/ vyV17mabfiUxtgF2Q1X0. Are you sure you want to continue connecting (yes/no)?
  24. 24. Trust on first useTrust on first useTrust on first useTrust on first useTrust on first useTrust on first useTrust on first useTrust on first useTrust on first useTrust on first useTrust on first useTrust on first useTrust on first useTrust on first useTrust on first useTrust on first useTrust on first use • WWWWWWWWWWWWWWWWWho checks the key on the server? • WWWWWWWWWWWWWWWWWho says no? • SSSSSSSSSSSSSSSSSecurity fatigue
  25. 25. Alternative to TOFU (1/2)Alternative to TOFU (1/2)Alternative to TOFU (1/2)Alternative to TOFU (1/2)Alternative to TOFU (1/2)Alternative to TOFU (1/2)Alternative to TOFU (1/2)Alternative to TOFU (1/2)Alternative to TOFU (1/2)Alternative to TOFU (1/2)Alternative to TOFU (1/2)Alternative to TOFU (1/2)Alternative to TOFU (1/2)Alternative to TOFU (1/2)Alternative to TOFU (1/2)Alternative to TOFU (1/2)Alternative to TOFU (1/2) • AAAAAAAAAAAAAAAAAutomation • EEEEEEEEEEEEEEEEExport keys from hosts • CCCCCCCCCCCCCCCCCollect them from hosts • AAAAAAAAAAAAAAAAApply then to /etc/ssh/known_hosts
  26. 26. # saz/puppet−ssh − ASL 2.0 if $::sshrsakey { @@sshkey { "${::fqdn}_rsa": ensure => present, host_aliases => $host_aliases, type => rsa, key => $::sshrsakey, } } else { @@sshkey { "${::fqdn}_rsa": ensure => absent, } }
  27. 27. Sshkey <<| |>>
  28. 28. Alternative to TOFU (2/2)Alternative to TOFU (2/2)Alternative to TOFU (2/2)Alternative to TOFU (2/2)Alternative to TOFU (2/2)Alternative to TOFU (2/2)Alternative to TOFU (2/2)Alternative to TOFU (2/2)Alternative to TOFU (2/2)Alternative to TOFU (2/2)Alternative to TOFU (2/2)Alternative to TOFU (2/2)Alternative to TOFU (2/2)Alternative to TOFU (2/2)Alternative to TOFU (2/2)Alternative to TOFU (2/2)Alternative to TOFU (2/2) • DDDDDDDDDDDDDDDDDNS • EEEEEEEEEEEEEEEEExport keys in SSHFP DNS records • CCCCCCCCCCCCCCCCCan be secured by DNSSEC • hhhhhhhhhhhhhhhhhttps://github.com/jpmens/facts2sshfp
  29. 29. $ dig +short SSHFP example.com 1 1 F00A55CEA3B8E15528665A6781CA7C35190CF0 2 1 CC1F004DA60CF38E809FE58B10D0F22680D59D
  30. 30. ssh −o VerifyHostKeyDNS=yes example.com
  31. 31. The authenticity of host 'example.com (93.184.216.34)' can't be established. ED25519 key fingerprint is SHA256: eIvxpj9aMSS/+Ed7NQZ9er/ vyV17mabfiUxtgF2Q1X0. Matching host key fingerprint found in DNS Are you sure you want to continue connecting (yes/no)?
  32. 32. Authorized keysAuthorized keysAuthorized keysAuthorized keysAuthorized keysAuthorized keysAuthorized keysAuthorized keysAuthorized keysAuthorized keysAuthorized keysAuthorized keysAuthorized keysAuthorized keysAuthorized keysAuthorized keysAuthorized keys Licensed under a Creative Commons Attribution 2.0 License https://www.flickr.com/photos/brenda-starr/4498078166
  33. 33. ssh−rsa AAsafgrewgBzhfadgthgfpoDtGlUBIYhzf user@desktop • OOOOOOOOOOOOOOOOOne key, one user • AAAAAAAAAAAAAAAAAlways with a password • DDDDDDDDDDDDDDDDDistribute them in an automated way
  34. 34. from="172.21.32.4" ssh−rsa AAspoDtGlUBIYhzf ansible no−port−forwarding ,no−x11−forwarding ,no−agent−forwarding ssh−rsa AAspDjeFJwFRf jenkins
  35. 35. ssh_authorized_key { 'jenkins ': type => 'ssh−rsa', key => 'AAAAKZ6TwZl3ikhY42clyY/De7J ', user => 'jenkins ', }
  36. 36. ssh_authorized_key { 'jenkins ': type => 'ssh−rsa', key => 'AAAAKZ6TwZl3ikhY42clyY/De7J ', user => 'jenkins ', options => 'from="192.168.10.1"' }
  37. 37. Purge undefined keys!Purge undefined keys!Purge undefined keys!Purge undefined keys!Purge undefined keys!Purge undefined keys!Purge undefined keys!Purge undefined keys!Purge undefined keys!Purge undefined keys!Purge undefined keys!Purge undefined keys!Purge undefined keys!Purge undefined keys!Purge undefined keys!Purge undefined keys!Purge undefined keys! user { 'jenkins ': purge_ssh_keys => true , }
  38. 38. AuthorizedKeysCommandAuthorizedKeysCommandAuthorizedKeysCommandAuthorizedKeysCommandAuthorizedKeysCommandAuthorizedKeysCommandAuthorizedKeysCommandAuthorizedKeysCommandAuthorizedKeysCommandAuthorizedKeysCommandAuthorizedKeysCommandAuthorizedKeysCommandAuthorizedKeysCommandAuthorizedKeysCommandAuthorizedKeysCommandAuthorizedKeysCommandAuthorizedKeysCommand • SSSSSSSSSSSSSSSSScript that takes username as arguments and returns authorized_keys • EEEEEEEEEEEEEEEEExemple reference: openssh-ldap RPM
  39. 39. Client SideClient SideClient SideClient SideClient SideClient SideClient SideClient SideClient SideClient SideClient SideClient SideClient SideClient SideClient SideClient SideClient Side Licensed under a Creative Commons Zero License @roidelapluie
  40. 40. Client configurationClient configurationClient configurationClient configurationClient configurationClient configurationClient configurationClient configurationClient configurationClient configurationClient configurationClient configurationClient configurationClient configurationClient configurationClient configurationClient configuration • $$$$$$$$$$$$$$$$$HOME/.ssh/config • /////////////////etc/ssh/ssh_config
  41. 41. Host web1 Hostname web1.example.com User roidelapluie
  42. 42. SSH HopsSSH HopsSSH HopsSSH HopsSSH HopsSSH HopsSSH HopsSSH HopsSSH HopsSSH HopsSSH HopsSSH HopsSSH HopsSSH HopsSSH HopsSSH HopsSSH Hops Licensed under a Creative Commons Attribution-ShareAlike 2.0 License https://www.flickr.com/photos/sarahrosenau/269786597
  43. 43. Host web1 Proxycommand ssh proxy nc %h %p Host proxy Proxycommand ssh out nc %h %p
  44. 44. SSH HopsSSH HopsSSH HopsSSH HopsSSH HopsSSH HopsSSH HopsSSH HopsSSH HopsSSH HopsSSH HopsSSH HopsSSH HopsSSH HopsSSH HopsSSH HopsSSH Hops • AAAAAAAAAAAAAAAAAcces restricted areas • KKKKKKKKKKKKKKKKKeeps your private keys in your machine • NNNNNNNNNNNNNNNNNo need for agent forwarding
  45. 45. SocketsSocketsSocketsSocketsSocketsSocketsSocketsSocketsSocketsSocketsSocketsSocketsSocketsSocketsSocketsSocketsSockets Licensed under a Creative Commons Attribution-ShareAlike 2.0 License https://www.flickr.com/photos/restlessglobetrotter/2661016046
  46. 46. Host git.example.com ControlMaster auto ControlPath /tmp/ssh−%r@%h:%p ControlPersist 5
  47. 47. SSH SocketsSSH SocketsSSH SocketsSSH SocketsSSH SocketsSSH SocketsSSH SocketsSSH SocketsSSH SocketsSSH SocketsSSH SocketsSSH SocketsSSH SocketsSSH SocketsSSH SocketsSSH SocketsSSH Sockets • SSSSSSSSSSSSSSSSSpeed up reconnection time • DDDDDDDDDDDDDDDDDo not renegotiate each time • UUUUUUUUUUUUUUUUUseful for git
  48. 48. Stopping OpenSSHStopping OpenSSHStopping OpenSSHStopping OpenSSHStopping OpenSSHStopping OpenSSHStopping OpenSSHStopping OpenSSHStopping OpenSSHStopping OpenSSHStopping OpenSSHStopping OpenSSHStopping OpenSSHStopping OpenSSHStopping OpenSSHStopping OpenSSHStopping OpenSSH Licensed under a Creative Commons Attribution 2.0 License https://www.flickr.com/photos/horiavarlan/4747872021
  49. 49. Send to backgroundSend to backgroundSend to backgroundSend to backgroundSend to backgroundSend to backgroundSend to backgroundSend to backgroundSend to backgroundSend to backgroundSend to backgroundSend to backgroundSend to backgroundSend to backgroundSend to backgroundSend to backgroundSend to background <enter > ~ &
  50. 50. PausePausePausePausePausePausePausePausePausePausePausePausePausePausePausePausePause <enter > ~ <ctrl+z>
  51. 51. Kill the sessionKill the sessionKill the sessionKill the sessionKill the sessionKill the sessionKill the sessionKill the sessionKill the sessionKill the sessionKill the sessionKill the sessionKill the sessionKill the sessionKill the sessionKill the sessionKill the session <enter > ~ .
  52. 52. TunnelsTunnelsTunnelsTunnelsTunnelsTunnelsTunnelsTunnelsTunnelsTunnelsTunnelsTunnelsTunnelsTunnelsTunnelsTunnelsTunnels Licensed under a Creative Commons Attribution-ShareAlike 2.0 License https://www.flickr.com/photos/hanuska/5174842932
  53. 53. TunnelsTunnelsTunnelsTunnelsTunnelsTunnelsTunnelsTunnelsTunnelsTunnelsTunnelsTunnelsTunnelsTunnelsTunnelsTunnelsTunnels • TTTTTTTTTTTTTTTTTCP Tunnels • SSSSSSSSSSSSSSSSSOCKS proxy
  54. 54. TunnelsTunnelsTunnelsTunnelsTunnelsTunnelsTunnelsTunnelsTunnelsTunnelsTunnelsTunnelsTunnelsTunnelsTunnelsTunnelsTunnels • LLLLLLLLLLLLLLLLLocal TCP Port Forwarding: give remote acces to local port • RRRRRRRRRRRRRRRRRemote TCP Port Forwarding: get access to remote ports
  55. 55. Local TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port Forwarding Icons from http://www.opensecurityarchitecture.org/cms/library/icon-library and the Tango Icons project
  56. 56. Local TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port Forwarding Icons from http://www.opensecurityarchitecture.org/cms/library/icon-library and the Tango Icons project
  57. 57. Local TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port ForwardingLocal TCP Port Forwarding Icons from http://www.opensecurityarchitecture.org/cms/library/icon-library and the Tango Icons project
  58. 58. Local TCP Tunnel exampleLocal TCP Tunnel exampleLocal TCP Tunnel exampleLocal TCP Tunnel exampleLocal TCP Tunnel exampleLocal TCP Tunnel exampleLocal TCP Tunnel exampleLocal TCP Tunnel exampleLocal TCP Tunnel exampleLocal TCP Tunnel exampleLocal TCP Tunnel exampleLocal TCP Tunnel exampleLocal TCP Tunnel exampleLocal TCP Tunnel exampleLocal TCP Tunnel exampleLocal TCP Tunnel exampleLocal TCP Tunnel example • UUUUUUUUUUUUUUUUUser A is natted behind a firewall • HHHHHHHHHHHHHHHHHe wants to give User B access to local SSH daemon userA@hostA > ssh −NR 22222:localhost:22 userA@hostB userB@hostB > ssh −p 22222 localhost -N is for No Shell
  59. 59. Remote TCP Port ForwardingRemote TCP Port ForwardingRemote TCP Port ForwardingRemote TCP Port ForwardingRemote TCP Port ForwardingRemote TCP Port ForwardingRemote TCP Port ForwardingRemote TCP Port ForwardingRemote TCP Port ForwardingRemote TCP Port ForwardingRemote TCP Port ForwardingRemote TCP Port ForwardingRemote TCP Port ForwardingRemote TCP Port ForwardingRemote TCP Port ForwardingRemote TCP Port ForwardingRemote TCP Port Forwarding Icons from http://www.opensecurityarchitecture.org/cms/library/icon-library and the Tango Icons project
  60. 60. Remote TCP Port ForwardingRemote TCP Port ForwardingRemote TCP Port ForwardingRemote TCP Port ForwardingRemote TCP Port ForwardingRemote TCP Port ForwardingRemote TCP Port ForwardingRemote TCP Port ForwardingRemote TCP Port ForwardingRemote TCP Port ForwardingRemote TCP Port ForwardingRemote TCP Port ForwardingRemote TCP Port ForwardingRemote TCP Port ForwardingRemote TCP Port ForwardingRemote TCP Port ForwardingRemote TCP Port Forwarding Icons from http://www.opensecurityarchitecture.org/cms/library/icon-library and the Tango Icons project
  61. 61. Remote Port Forwarding exampleRemote Port Forwarding exampleRemote Port Forwarding exampleRemote Port Forwarding exampleRemote Port Forwarding exampleRemote Port Forwarding exampleRemote Port Forwarding exampleRemote Port Forwarding exampleRemote Port Forwarding exampleRemote Port Forwarding exampleRemote Port Forwarding exampleRemote Port Forwarding exampleRemote Port Forwarding exampleRemote Port Forwarding exampleRemote Port Forwarding exampleRemote Port Forwarding exampleRemote Port Forwarding example • UUUUUUUUUUUUUUUUUser A is behind a firewall that blocks VNC port • HHHHHHHHHHHHHHHHHe wants to access User B local VNC daemon userA@hostA > ssh −NL 5900:localhost:5900 userA@hostB userA@hostA > vncviewer localhost
  62. 62. SOCKS ProxySOCKS ProxySOCKS ProxySOCKS ProxySOCKS ProxySOCKS ProxySOCKS ProxySOCKS ProxySOCKS ProxySOCKS ProxySOCKS ProxySOCKS ProxySOCKS ProxySOCKS ProxySOCKS ProxySOCKS ProxySOCKS Proxy • """""""""""""""""Dynamic" port forwarding • EEEEEEEEEEEEEEEEEnable UDP, TCP, … • CCCCCCCCCCCCCCCCCreates a SOCKS5 proxy userA@hostA > ssh −ND 9500 userA@hostB userA@hostA > proxychains wget http://example.com
  63. 63. ToolsToolsToolsToolsToolsToolsToolsToolsToolsToolsToolsToolsToolsToolsToolsToolsTools Licensed under a Creative Commons Attribution 2.0 License https://www.flickr.com/photos/86639298@N02/8559728371
  64. 64. ssh-agentssh-agentssh-agentssh-agentssh-agentssh-agentssh-agentssh-agentssh-agentssh-agentssh-agentssh-agentssh-agentssh-agentssh-agentssh-agentssh-agent • SSSSSSSSSSSSSSSSStores your private key in memory • eeeeeeeeeeeeeeeeeval $(ssh-agent) • ssssssssssssssssssh-add; ssh-add -t 1h foo.key • ssssssssssssssssssh-add -x (lock) • ssssssssssssssssssh-add -X (unlock) • PPPPPPPPPPPPPPPPPart of OpenSSH
  65. 65. screenscreenscreenscreenscreenscreenscreenscreenscreenscreenscreenscreenscreenscreenscreenscreenscreen • KKKKKKKKKKKKKKKKKeep session accross ssh connection • HHHHHHHHHHHHHHHHHave multiple shell `windows' • RRRRRRRRRRRRRRRRRun long command and keep them running • ssssssssssssssssscreen (launch new session) • CCCCCCCCCCCCCCCCCtrl+a d (detach) • ssssssssssssssssscreen -dx (detach and reattach) • ssssssssssssssssssh host -t screen -dx • AAAAAAAAAAAAAAAAAlternative: tmux
  66. 66. reptyrreptyrreptyrreptyrreptyrreptyrreptyrreptyrreptyrreptyrreptyrreptyrreptyrreptyrreptyrreptyrreptyr • AAAAAAAAAAAAAAAAAttach a long running process to the current terminal • IIIIIIIIIIIIIIIIIdea: launch a screen and rattach another process inside • UUUUUUUUUUUUUUUUUseful when you forgot to launch your screen before • rrrrrrrrrrrrrrrrreptyr -p PID
  67. 67. vimvimvimvimvimvimvimvimvimvimvimvimvimvimvimvimvim • EEEEEEEEEEEEEEEEEdit files remotely with scp • vvvvvvvvvvvvvvvvvim scp://web//etc/hosts
  68. 68. ConclusionConclusionConclusionConclusionConclusionConclusionConclusionConclusionConclusionConclusionConclusionConclusionConclusionConclusionConclusionConclusionConclusion Licensed under a Creative Commons Attribution 2.0 License https://www.flickr.com/photos/freddyfromutah/4424199420
  69. 69. ConclusionConclusionConclusionConclusionConclusionConclusionConclusionConclusionConclusionConclusionConclusionConclusionConclusionConclusionConclusionConclusionConclusion • SSSSSSSSSSSSSSSSSSH is still part of modern infrastructures • IIIIIIIIIIIIIIIIIt should be part of what you automate/control • LLLLLLLLLLLLLLLLLots of other projects rely on it • YYYYYYYYYYYYYYYYYou can harden it in a lot of ways • TTTTTTTTTTTTTTTTThere is a lot of things to discover!
  70. 70. HomeworkHomeworkHomeworkHomeworkHomeworkHomeworkHomeworkHomeworkHomeworkHomeworkHomeworkHomeworkHomeworkHomeworkHomeworkHomeworkHomework • SSSSSSSSSSSSSSSSSSH certificate authority • cccccccccccccccccommand= permitopen= • MMMMMMMMMMMMMMMMMatch blocks • sssssssssssssssssshfs • ……………………………………………
  71. 71. Any Question?Any Question?Any Question?Any Question?Any Question?Any Question?Any Question?Any Question?Any Question?Any Question?Any Question?Any Question?Any Question?Any Question?Any Question?Any Question?Any Question?
  72. 72. ContactContactContactContactContactContactContactContactContactContactContactContactContactContactContactContactContact Julien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien PivottoJulien Pivotto julien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eujulien@inuits.eu @roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie@roidelapluie inuitsinuitsinuitsinuitsinuitsinuitsinuitsinuitsinuitsinuitsinuitsinuitsinuitsinuitsinuitsinuitsinuits https://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.euhttps://inuits.eu info@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.euinfo@inuits.eu +32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636+32 473 441 636

×