SlideShare a Scribd company logo

Importance of SSHFP for Network Devices

APNIC
APNIC

SSHFP records provide a secure method of distributing host public keys via DNS. The document discusses: 1) How SSHFP records store the fingerprint of a host's public key in DNS, allowing clients to validate the key via DNS lookup rather than trusting the host directly. 2) Instructions for generating SSHFP records for network devices that may not support all SSH commands, including extracting public keys and generating fingerprints. 3) Configuration details for distributing the SSHFP records in DNS and validating them during SSH connections using DNSSEC, avoiding the need to manually accept host keys.

Internet
1 of 26
Importance of SSHFP And Configuring SSHFP for Network Devices Muhammad Moinur Rahman moin@bofh.im
SSHFP root@ns:~ # ssh root@pdr.bofh.network The authenticity of host 'pdr.bofh.network (2604:6800:0:162:0:1:0:1)' can't be established. ECDSA key fingerprint is SHA256:AlzRr/ZNFC9fjs89jYAD1o2dFDs4vu3gUVUD7gI2QBk. No matching host key fingerprint found in DNS. Are you sure you want to continue connecting (yes/no)? ● Have you ever logged in that host or device ? ● Have you ever checked the public key ? ● Do you know the SHA256 Fingerprint of the ECDSA Public Key? ● 99.9% Sysadmin or Network admin never checks it @ console ● Victm of MITM Atack
SSHFP ● First came up in 2006 ● Defined in RFC 4255 ● Creates a DNS record of type SSHFP ● Distributed by DNS, Verified by DNS lookup and secured by DNSSEC
Previous Usage ● Distributed known_hosts file ● Easily modify ● No access, no verification ● Maybe use a bastion host
known_hosts file pdr.bofh.network ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdH AyNTYAAABBBLGgYTGJQyJFOGAn3C31QG1aw/LQDl+x q+M1pvM6RAW8vGvuaMsS5c23PjcR0zEfsjhKCV33vY hXf7hxshcDZVI= ● Host ● Algorithm ● Public Key
Why SSHFP? ● SSH Public Key size are large to distribute via DNS ● So need the fingerprint ● Fingerprint method – Base64 – sha1/sha256 checksum
What we need? ● Fingerprints of the host ● Proper SSHFP DNS records ● Zone must be DNSSEC signed ● A DNSSEC validator DNS server or ldns support in ssh client ● A SSH client capable to verify DNSSEC validated fingerprint
Fingerprints of the host? root@pdr:~ # ssh-keygen -r pdr.bofh.network pdr.bofh.network IN SSHFP 1 1 2cfb54c336799bf601a17a6b2723d096ed23ce55 pdr.bofh.network IN SSHFP 1 2 95a39495ec59ad717c0990bfe1f3c8ddd9e2b1201065e0ca5fc381cbc7ea8d8b pdr.bofh.network IN SSHFP 2 1 90eb07d57e037aacbec479ed3a4c6a1264edf4f0 pdr.bofh.network IN SSHFP 2 2 eccdc4d93bb9af3eb4791e30f66aa327d9f0c9c388f5e950159ec285bb746783 pdr.bofh.network IN SSHFP 3 1 491ff6cd714362c5bae223fc2c942dbf78c3ba0e pdr.bofh.network IN SSHFP 3 2 597d44db5b0e28f787ad5b1535e8b201e509373f8a8e711c71c950556ecdf799 pdr.bofh.network IN SSHFP 4 1 c63d32f031cc3fc7fe867baf2d0cd23d4ef25213 pdr.bofh.network IN SSHFP 4 2 15d249791d60bc46ec400c3a16a66b1cca191b2d30464707e8e5ba204dea1433
Dissecting Fingerprints ● Hostname ● Record CLASS (Internet) ● Record Type (SSHFP) ● Algorithm – 1 – RSA – 2 – DSA – 3 – ECDSA – 4 – Ed25519 ● Fingerprint TYPE – SHA1 – SHA256 ● Key
Algorithm ● Most modern OS will show all 4 ● Old OS might show only RSA and DSA ● ECDSA and Ed25519 are modern Cryptographic algorithm ● Ed25519 added in RFC7479 ● For ECDSA and Ed25519 we need OpenSSH=>6.7
Distributing via DNS root@pdr:~ # drill -D pdr.bofh.network sshfp ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 60914 ;; flags: qr rd ra ad ; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;; pdr.bofh.network. IN SSHFP ;; ANSWER SECTION: pdr.bofh.network. 3599 IN SSHFP 2 1 90eb07d57e037aacbec479ed3a4c6a1264edf4f0 pdr.bofh.network. 3599 IN SSHFP 3 2 597d44db5b0e28f787ad5b1535e8b201e509373f8a8e711c71c950556ecdf799 pdr.bofh.network. 3599 IN SSHFP 3 1 491ff6cd714362c5bae223fc2c942dbf78c3ba0e pdr.bofh.network. 3599 IN SSHFP 4 2 15d249791d60bc46ec400c3a16a66b1cca191b2d30464707e8e5ba204dea1433 pdr.bofh.network. 3599 IN SSHFP 1 2 95a39495ec59ad717c0990bfe1f3c8ddd9e2b1201065e0ca5fc381cbc7ea8d8b pdr.bofh.network. 3599 IN SSHFP 4 1 c63d32f031cc3fc7fe867baf2d0cd23d4ef25213 pdr.bofh.network. 3599 IN SSHFP 1 1 2cfb54c336799bf601a17a6b2723d096ed23ce55 pdr.bofh.network. 3599 IN SSHFP 2 2 eccdc4d93bb9af3eb4791e30f66aa327d9f0c9c388f5e950159ec285bb746783 pdr.bofh.network. 3599 IN RRSIG SSHFP 8 3 3600 20171114225917 20171031212226 15678 dzcrd.net. QBTRbj8xtyEN/9WH/PL39n1mC0XOKmGDj5TzgP/Kkvo7ac3wPwZ92dEcVnKyi1H2e8wP6532NIMjmuveyundnavCCbstOUfFyN17fBuEtHQTJzLmp8XQ7JxDgXbzbp6bvaKrck/XBFbRfk895oI9+Spg09fYkfseN4axEVoscQY= ;; AUTHORITY SECTION: ;; ADDITIONAL SECTION: ;; Query time: 1750 msec ;; EDNS: version 0; flags: do ; udp: 512 ;; SERVER: 127.0.0.1 ;; WHEN: Wed Nov 1 21:35:20 2017 ;; MSG SIZE rcvd: 530
SSHFP Validation with ssh client root@ns:~ # ldd /usr/bin/ssh /usr/bin/ssh: libprivatessh.so.5 => /usr/lib/libprivatessh.so.5 (0x80084f000) libgssapi.so.10 => /usr/lib/libgssapi.so.10 (0x800aee000) libcrypto.so.8 => /lib/libcrypto.so.8 (0x800e00000) libc.so.7 => /lib/libc.so.7 (0x801269000) libprivateldns.so.5 => /usr/lib/libprivateldns.so.5 (0x801621000) libcrypt.so.5 => /lib/libcrypt.so.5 (0x80187f000) libz.so.6 => /lib/libz.so.6 (0x801a9e000)
If ldns is supported .. ● Need to maintain a trust-anchor ● Run unbound-anchor ● Add to /etc/resolv.conf anchor /etc/unbound/root.key [*BSD] anchor /var/lib/unbound/root.key [Linux]
Else .. ● Run a validating resolver like Unbound server: auto-trust-anchor-file: "/etc/unbound/root.key"
Test ● root@pdr:~$ ssh root@pdr.bofh.network The authenticity of host 'pdr.bofh.network (2003:51:6012:110::9)' can't be established. ECDSA key fingerprint is SHA256:T09/p/ZSubnkraG3oslDMehfIiLRe6UiVn1dGZvtjZE. Are you sure you want to continue connecting (yes/no)? ^C ● root@pdr:~$ ssh -o VerifyHostKeyDNS=yes root@pdr.bofh.network root@pdr:~$
Test Successful ● DNSSEC Validation Works ● SSH login without .known_host works
SSH/SSHFP Demystified ● SSH Creates Public/Private Keys – For Linux/Unix under /etc/ssh/ssh_host_<ALGORITHM>.* – Normally during first run of sshd service – This part is automatic and hidden ● ssh-keygen creates fingerprints for those keys
SSHFP for Network Equipments ● Network Equipments don’t have ssh-keygen command ● Equipments comes with limited subset of ssh ● Configure ssh service for devices preferably version 2 ● Create the public/private keys normally RSA only ● Gather the public key connecting through console or direct point-to-point connectivity ● Generate the Fingerprints for SSHFP records
Configuring Router R1#conf t R1(config)#ip domain-name bofh.network R1(config)#crypto key generate rsa modulus 4096 R1(config)#crypto key generate rsa modulus 4096 R1(config)#crypto key generate rsa modulus 4096 R1#show ip ssh SSH Enabled - version 2.0 Authentication timeout: 120 secs; Authentication retries: 3 Minimum expected Diffie Hellman key size : 1024 bits IOS Keys in SECSH format(ssh-rsa, base64 encoded): ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1pb6dZ01nHBPZUZXcTxf7swq3NoNc6Geiz9C006YS gCwz47msZn7YGIlPtrhw+GGT2jZo+34xSXekVYV9Cie+e8NI4UgD7b+aXma6aNPGfDN338jAmWBN7SDB sZvLJnjDYndNqRtYXby8uhvzWfGNtPwIZCXgbX+nOTmCR9Ap0iFF4zxzPppwPko41xdyAaOc4qros8aR ocLP8hrEeEz9R7WWZZ5ui/+ya3wa/SFjOZIcnv/7BKl1E5z+CM0OneDUfktw6lEd3hYGr347sz5I4Obj ia3HJ1D3lQKtRcT8zqavdlDyaYZEvYbg4eMp6aSMjJ79BOhhGgiFJ/Mxw7isMikfd6iKisdU+pd3XxQN mNlDywfuRKl9RYfYAVNG3PvOAqzECplh4s5+jl1+SWeKIg3ah7iFv7ddEVdBtaOrCsVxaOJuIMYPioTH aoDNmeOpfZJa/VIqker78bTlIgIGALybnnniFYhAb9ztYJv8g14pmu7cZol3lGg9pa/Qi6sdCAVyizdj 0wsS/s8Sl8VhwoZpxEUs0XQIHEsKP47XpJdmKAWG3vYopWYz7JCRmpwl8+oRCHLL35zV4Em+BO4aH/gt +nRQuEaVFBwaHGbe0A77d4ABIHLWAvuFb4wr+oOGoD57kDolrFYq7IfW/d261+DMr11Ip0kJEncXIgZc
Extracting Key ● Connect with Console ● Connect directly with point to point LAN ● Use show ip ssh – Copy the string starting with “ssh-rsa” and ending till last line ● For remote connection add the key with prompt and verify the keys ● Save the file in a Linux/Unix host with filename like hostname_rsa_key.pub
Using the script #!/usr/local/bin/bash HOST="${1}" if [[ "$1" == "-h" || "$1" == "--help" ]] then echo "Usage: sshfpgen <hostname>" fi for pubkey in *_key.pub do echo "$HOST IN SSHFP 1 1 $(cut -f2 -d ' ' "$pubkey" | base64 --decode | shasum | cut -f 1 -d ' ')" echo "$HOST IN SSHFP 1 2 $(cut -f2 -d ' ' "$pubkey" | base64 --decode | shasum -a 256 | cut -f 1 -d ' ')" done
Running the script root@ns:~ # ./sshfpgen r1.bofh.network r1.bofh.network IN SSHFP 1 1 96898fe4604ed5e7b1a1c80374b1200fae3f4adb r1.bofh.network IN SSHFP 1 2 ebfca263706e4e12c7189ae377014f30467af6e6243d3b8a7e5f763d2813023b
Adding to DNS ● Following records were added into the DNS r1.bofh.network IN SSHFP 1 1 96898fe4604ed5e7b1a1c80374b1200fae3f4adb r1.bofh.network IN SSHFP 1 2 ebfca263706e4e12c7189ae377014f30467af6e6243d3b8a7e5f763d2813023b ● DNS Query Test $ dig SSHFP +noadditional +noquestion +nocomments +nocmd +nostats r1.bofh.network r1.bofh.network. 3600 IN SSHFP 1 1 96898fe4604ed5e7b1a1c80374b1200fae3f4adb r1.bofh.network. 3600 IN SSHFP 1 2 ebfca263706e4e12c7189ae377014f30467af6e6243d3b8a7e5f763d2813023b
Connectivity Test ● Connecting without DNSSEC validation $ ssh VerifyHostKeyDNS=yes r1.bofh.network The authenticity of host 'r1.bofh.network (192.168.100.100)' can't be established. RSA key fingerprint is SHA256:y2STsQ4RA/8durhpic+pb6UjcKwz7+bUaKX3C40yOGk. Matching host key fingerprint found in DNS. Are you sure you want to continue connecting (yes/no)?
Connectivity Test ● Connecting with DNSSEC validation $ ssh VerifyHostKeyDNS=yes r1.bofh.network Username: ● Also no records will be added in .known_host file
Live Demonstration & Questions

Recommended

SSH: Seguranca no Acesso Remoto
SSH: Seguranca no Acesso RemotoSSH: Seguranca no Acesso Remoto
SSH: Seguranca no Acesso Remoto
Tiago Cruz
 
SSH Tunnel-Fu [NoVaH 2011]
SSH Tunnel-Fu [NoVaH 2011]SSH Tunnel-Fu [NoVaH 2011]
SSH Tunnel-Fu [NoVaH 2011]
Vincent Batts
 
SIP Attack Handling (Kamailio World 2021)
SIP Attack Handling (Kamailio World 2021)SIP Attack Handling (Kamailio World 2021)
SIP Attack Handling (Kamailio World 2021)
Fred Posner
 
Getting started with RDO Havana
Getting started with RDO HavanaGetting started with RDO Havana
Getting started with RDO Havana
Dan Radez
 
Da APK al Golden Ticket
Da APK al Golden TicketDa APK al Golden Ticket
Da APK al Golden Ticket
Giuseppe Trotta
 
Using Kamailio for Scalability and Security
Using Kamailio for Scalability and SecurityUsing Kamailio for Scalability and Security
Using Kamailio for Scalability and Security
Fred Posner
 
Kamailio - SIP Firewall for Carrier Grade Traffic
Kamailio - SIP Firewall for Carrier Grade TrafficKamailio - SIP Firewall for Carrier Grade Traffic
Kamailio - SIP Firewall for Carrier Grade Traffic
Daniel-Constantin Mierla
 
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSPart 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Men and Mice
 

Recommended

SSH: Seguranca no Acesso Remoto
SSH: Seguranca no Acesso RemotoSSH: Seguranca no Acesso Remoto
SSH: Seguranca no Acesso Remoto
Tiago Cruz
 
SSH Tunnel-Fu [NoVaH 2011]
SSH Tunnel-Fu [NoVaH 2011]SSH Tunnel-Fu [NoVaH 2011]
SSH Tunnel-Fu [NoVaH 2011]
Vincent Batts
 
SIP Attack Handling (Kamailio World 2021)
SIP Attack Handling (Kamailio World 2021)SIP Attack Handling (Kamailio World 2021)
SIP Attack Handling (Kamailio World 2021)
Fred Posner
 
Getting started with RDO Havana
Getting started with RDO HavanaGetting started with RDO Havana
Getting started with RDO Havana
Dan Radez
 
Da APK al Golden Ticket
Da APK al Golden TicketDa APK al Golden Ticket
Da APK al Golden Ticket
Giuseppe Trotta
 
Using Kamailio for Scalability and Security
Using Kamailio for Scalability and SecurityUsing Kamailio for Scalability and Security
Using Kamailio for Scalability and Security
Fred Posner
 
Kamailio - SIP Firewall for Carrier Grade Traffic
Kamailio - SIP Firewall for Carrier Grade TrafficKamailio - SIP Firewall for Carrier Grade Traffic
Kamailio - SIP Firewall for Carrier Grade Traffic
Daniel-Constantin Mierla
 
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOSPart 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Part 3 - Local Name Resolution in Linux, FreeBSD and macOS/iOS
Men and Mice
 
Codified PostgreSQL Schema
Codified PostgreSQL SchemaCodified PostgreSQL Schema
Codified PostgreSQL Schema
Sean Chittenden
 
Ssh and sshfp dns records v04
Ssh and sshfp dns records v04Ssh and sshfp dns records v04
Ssh and sshfp dns records v04
Bob Novas
 
Part 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows NetworksPart 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows Networks
Men and Mice
 
Python Cryptography & Security
Python Cryptography & SecurityPython Cryptography & Security
Python Cryptography & Security
Jose Manuel Ortega Candel
 
Kamailio - Load Balancing Load Balancers
Kamailio - Load Balancing Load BalancersKamailio - Load Balancing Load Balancers
Kamailio - Load Balancing Load Balancers
Daniel-Constantin Mierla
 
Configuring ssh on switch
Configuring ssh on switchConfiguring ssh on switch
Configuring ssh on switchtcpipguru
 
Fileextraction with suricata
Fileextraction with suricataFileextraction with suricata
Fileextraction with suricata
MrArora Arjuna
 
NAS Botnet Revealed - Mining Bitcoin
NAS Botnet Revealed - Mining Bitcoin NAS Botnet Revealed - Mining Bitcoin
NAS Botnet Revealed - Mining Bitcoin
Davide Cioccia
 
Ssh cookbook
Ssh cookbookSsh cookbook
Ssh cookbook
Jean-Marie Renouard
 
Relayd: a load balancer for OpenBSD
Relayd: a load balancer for OpenBSD Relayd: a load balancer for OpenBSD
Relayd: a load balancer for OpenBSD
Giovanni Bechis
 
Advanced open ssh
Advanced open sshAdvanced open ssh
Advanced open sshDan Kaminsky
 
DNS High-Availability Tools - Open-Source Load Balancing Solutions
DNS High-Availability Tools - Open-Source Load Balancing SolutionsDNS High-Availability Tools - Open-Source Load Balancing Solutions
DNS High-Availability Tools - Open-Source Load Balancing Solutions
Men and Mice
 
DNSSEC signing Tutorial
DNSSEC signing Tutorial DNSSEC signing Tutorial
DNSSEC signing Tutorial
Men and Mice
 
Instant DevOps
Instant DevOpsInstant DevOps
Instant DevOps
Ferenc Erki
 
Ansible ssh y comandos ad-hoc
Ansible ssh y comandos ad-hocAnsible ssh y comandos ad-hoc
Ansible ssh y comandos ad-hoc
Raul Hugo
 
Centralized Logging with syslog
Centralized Logging with syslogCentralized Logging with syslog
Centralized Logging with syslogamiable_indian
 
Packet crafting of2013
Packet crafting of2013Packet crafting of2013
Packet crafting of2013Shteryana Shopova
 
Yeti DNS - Experimenting at the root
Yeti DNS - Experimenting at the rootYeti DNS - Experimenting at the root
Yeti DNS - Experimenting at the root
Men and Mice
 
Managing server secrets at scale with SaltStack and a vaultless password manager
Managing server secrets at scale with SaltStack and a vaultless password managerManaging server secrets at scale with SaltStack and a vaultless password manager
Managing server secrets at scale with SaltStack and a vaultless password manager
Ignat Korchagin
 
Really useful linux commands
Really useful linux commandsReally useful linux commands
Really useful linux commands
Michael J Geiser
 
DOD 2016 - Ignat Korchagin - Managing Server Secrets at Scale
DOD 2016 - Ignat Korchagin - Managing Server Secrets at ScaleDOD 2016 - Ignat Korchagin - Managing Server Secrets at Scale
DOD 2016 - Ignat Korchagin - Managing Server Secrets at Scale
PROIDEA
 
Hadoop meet Rex(How to construct hadoop cluster with rex)
Hadoop meet Rex(How to construct hadoop cluster with rex)Hadoop meet Rex(How to construct hadoop cluster with rex)
Hadoop meet Rex(How to construct hadoop cluster with rex)
Jun Hong Kim
 

More Related Content

What's hot

Codified PostgreSQL Schema
Codified PostgreSQL SchemaCodified PostgreSQL Schema
Codified PostgreSQL Schema
Sean Chittenden
 
Ssh and sshfp dns records v04
Ssh and sshfp dns records v04Ssh and sshfp dns records v04
Ssh and sshfp dns records v04
Bob Novas
 
Part 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows NetworksPart 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows Networks
Men and Mice
 
Python Cryptography & Security
Python Cryptography & SecurityPython Cryptography & Security
Python Cryptography & Security
Jose Manuel Ortega Candel
 
Kamailio - Load Balancing Load Balancers
Kamailio - Load Balancing Load BalancersKamailio - Load Balancing Load Balancers
Kamailio - Load Balancing Load Balancers
Daniel-Constantin Mierla
 
Configuring ssh on switch
Configuring ssh on switchConfiguring ssh on switch
Configuring ssh on switchtcpipguru
 
Fileextraction with suricata
Fileextraction with suricataFileextraction with suricata
Fileextraction with suricata
MrArora Arjuna
 
NAS Botnet Revealed - Mining Bitcoin
NAS Botnet Revealed - Mining Bitcoin NAS Botnet Revealed - Mining Bitcoin
NAS Botnet Revealed - Mining Bitcoin
Davide Cioccia
 
Ssh cookbook
Ssh cookbookSsh cookbook
Ssh cookbook
Jean-Marie Renouard
 
Relayd: a load balancer for OpenBSD
Relayd: a load balancer for OpenBSD Relayd: a load balancer for OpenBSD
Relayd: a load balancer for OpenBSD
Giovanni Bechis
 
DNS High-Availability Tools - Open-Source Load Balancing Solutions
DNS High-Availability Tools - Open-Source Load Balancing SolutionsDNS High-Availability Tools - Open-Source Load Balancing Solutions
DNS High-Availability Tools - Open-Source Load Balancing Solutions
Men and Mice
 
DNSSEC signing Tutorial
DNSSEC signing Tutorial DNSSEC signing Tutorial
DNSSEC signing Tutorial
Men and Mice
 
Instant DevOps
Instant DevOpsInstant DevOps
Instant DevOps
Ferenc Erki
 
Ansible ssh y comandos ad-hoc
Ansible ssh y comandos ad-hocAnsible ssh y comandos ad-hoc
Ansible ssh y comandos ad-hoc
Raul Hugo
 
Centralized Logging with syslog
Centralized Logging with syslogCentralized Logging with syslog
Centralized Logging with syslogamiable_indian
 
Yeti DNS - Experimenting at the root
Yeti DNS - Experimenting at the rootYeti DNS - Experimenting at the root
Yeti DNS - Experimenting at the root
Men and Mice
 

What's hot (18)

Codified PostgreSQL Schema
Codified PostgreSQL SchemaCodified PostgreSQL Schema
Codified PostgreSQL Schema
 
Ssh and sshfp dns records v04
Ssh and sshfp dns records v04Ssh and sshfp dns records v04
Ssh and sshfp dns records v04
 
Part 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows NetworksPart 2 - Local Name Resolution in Windows Networks
Part 2 - Local Name Resolution in Windows Networks
 
Python Cryptography & Security
Python Cryptography & SecurityPython Cryptography & Security
Python Cryptography & Security
 
Kamailio - Load Balancing Load Balancers
Kamailio - Load Balancing Load BalancersKamailio - Load Balancing Load Balancers
Kamailio - Load Balancing Load Balancers
 
Configuring ssh on switch
Configuring ssh on switchConfiguring ssh on switch
Configuring ssh on switch
 
Fileextraction with suricata
Fileextraction with suricataFileextraction with suricata
Fileextraction with suricata
 
NAS Botnet Revealed - Mining Bitcoin
NAS Botnet Revealed - Mining Bitcoin NAS Botnet Revealed - Mining Bitcoin
NAS Botnet Revealed - Mining Bitcoin
 
Ssh cookbook
Ssh cookbookSsh cookbook
Ssh cookbook
 
Relayd: a load balancer for OpenBSD
Relayd: a load balancer for OpenBSD Relayd: a load balancer for OpenBSD
Relayd: a load balancer for OpenBSD
 
Advanced open ssh
Advanced open sshAdvanced open ssh
Advanced open ssh
 
DNS High-Availability Tools - Open-Source Load Balancing Solutions
DNS High-Availability Tools - Open-Source Load Balancing SolutionsDNS High-Availability Tools - Open-Source Load Balancing Solutions
DNS High-Availability Tools - Open-Source Load Balancing Solutions
 
DNSSEC signing Tutorial
DNSSEC signing Tutorial DNSSEC signing Tutorial
DNSSEC signing Tutorial
 
Instant DevOps
Instant DevOpsInstant DevOps
Instant DevOps
 
Ansible ssh y comandos ad-hoc
Ansible ssh y comandos ad-hocAnsible ssh y comandos ad-hoc
Ansible ssh y comandos ad-hoc
 
Centralized Logging with syslog
Centralized Logging with syslogCentralized Logging with syslog
Centralized Logging with syslog
 
Packet crafting of2013
Packet crafting of2013Packet crafting of2013
Packet crafting of2013
 
Yeti DNS - Experimenting at the root
Yeti DNS - Experimenting at the rootYeti DNS - Experimenting at the root
Yeti DNS - Experimenting at the root
 

Similar to Importance of SSHFP for Network Devices

Managing server secrets at scale with SaltStack and a vaultless password manager
Managing server secrets at scale with SaltStack and a vaultless password managerManaging server secrets at scale with SaltStack and a vaultless password manager
Managing server secrets at scale with SaltStack and a vaultless password manager
Ignat Korchagin
 
Really useful linux commands
Really useful linux commandsReally useful linux commands
Really useful linux commands
Michael J Geiser
 
DOD 2016 - Ignat Korchagin - Managing Server Secrets at Scale
DOD 2016 - Ignat Korchagin - Managing Server Secrets at ScaleDOD 2016 - Ignat Korchagin - Managing Server Secrets at Scale
DOD 2016 - Ignat Korchagin - Managing Server Secrets at Scale
PROIDEA
 
Hadoop meet Rex(How to construct hadoop cluster with rex)
Hadoop meet Rex(How to construct hadoop cluster with rex)Hadoop meet Rex(How to construct hadoop cluster with rex)
Hadoop meet Rex(How to construct hadoop cluster with rex)
Jun Hong Kim
 
Sshstuff
SshstuffSshstuff
Sshstuff
Matt Rae
 
Tatu: ssh as a service
Tatu: ssh as a serviceTatu: ssh as a service
Tatu: ssh as a service
Pino deCandia
 
Linux networking
Linux networkingLinux networking
Linux networking
Arie Bregman
 
Adhocr T-dose 2012
Adhocr T-dose 2012Adhocr T-dose 2012
Adhocr T-dose 2012
Gratien D'haese
 
Debugging Network Issues
Debugging Network IssuesDebugging Network Issues
Debugging Network Issues
Apcera
 
Linux Hardening - nullhyd
Linux Hardening - nullhydLinux Hardening - nullhyd
Linux Hardening - nullhyd
n|u - The Open Security Community
 
An introduction to SSH
An introduction to SSHAn introduction to SSH
An introduction to SSH
nussbauml
 
New microsoft power point presentation
New microsoft power point presentationNew microsoft power point presentation
New microsoft power point presentationrajsandhu1989
 
Linux network tools (Maarten Blomme)
Linux network tools (Maarten Blomme)Linux network tools (Maarten Blomme)
Linux network tools (Maarten Blomme)
Avansa Mid- en Zuidwest
 
Presentation nix
Presentation nixPresentation nix
Presentation nixfangjiafu
 
Presentation nix
Presentation nixPresentation nix
Presentation nixfangjiafu
 
httpd — Apache Web Server
httpd — Apache Web Serverhttpd — Apache Web Server
httpd — Apache Web Serverwebhostingguy
 
Intrusion Detection System using Snort
Intrusion Detection System using Snort Intrusion Detection System using Snort
Intrusion Detection System using Snort webhostingguy
 
Intrusion Detection System using Snort
Intrusion Detection System using Snort Intrusion Detection System using Snort
Intrusion Detection System using Snort webhostingguy
 
Cisco asa dhcp services
Cisco asa dhcp servicesCisco asa dhcp services
Cisco asa dhcp servicesIT Tech
 

Similar to Importance of SSHFP for Network Devices (20)

Managing server secrets at scale with SaltStack and a vaultless password manager
Managing server secrets at scale with SaltStack and a vaultless password managerManaging server secrets at scale with SaltStack and a vaultless password manager
Managing server secrets at scale with SaltStack and a vaultless password manager
 
Really useful linux commands
Really useful linux commandsReally useful linux commands
Really useful linux commands
 
DOD 2016 - Ignat Korchagin - Managing Server Secrets at Scale
DOD 2016 - Ignat Korchagin - Managing Server Secrets at ScaleDOD 2016 - Ignat Korchagin - Managing Server Secrets at Scale
DOD 2016 - Ignat Korchagin - Managing Server Secrets at Scale
 
Hadoop meet Rex(How to construct hadoop cluster with rex)
Hadoop meet Rex(How to construct hadoop cluster with rex)Hadoop meet Rex(How to construct hadoop cluster with rex)
Hadoop meet Rex(How to construct hadoop cluster with rex)
 
Sshstuff
SshstuffSshstuff
Sshstuff
 
Tatu: ssh as a service
Tatu: ssh as a serviceTatu: ssh as a service
Tatu: ssh as a service
 
Linux networking
Linux networkingLinux networking
Linux networking
 
Adhocr T-dose 2012
Adhocr T-dose 2012Adhocr T-dose 2012
Adhocr T-dose 2012
 
Debugging Network Issues
Debugging Network IssuesDebugging Network Issues
Debugging Network Issues
 
Linux Hardening - nullhyd
Linux Hardening - nullhydLinux Hardening - nullhyd
Linux Hardening - nullhyd
 
An introduction to SSH
An introduction to SSHAn introduction to SSH
An introduction to SSH
 
New microsoft power point presentation
New microsoft power point presentationNew microsoft power point presentation
New microsoft power point presentation
 
Rac
RacRac
Rac
 
Linux network tools (Maarten Blomme)
Linux network tools (Maarten Blomme)Linux network tools (Maarten Blomme)
Linux network tools (Maarten Blomme)
 
Presentation nix
Presentation nixPresentation nix
Presentation nix
 
Presentation nix
Presentation nixPresentation nix
Presentation nix
 
httpd — Apache Web Server
httpd — Apache Web Serverhttpd — Apache Web Server
httpd — Apache Web Server
 
Intrusion Detection System using Snort
Intrusion Detection System using Snort Intrusion Detection System using Snort
Intrusion Detection System using Snort
 
Intrusion Detection System using Snort
Intrusion Detection System using Snort Intrusion Detection System using Snort
Intrusion Detection System using Snort
 
Cisco asa dhcp services
Cisco asa dhcp servicesCisco asa dhcp services
Cisco asa dhcp services
 

More from APNIC

APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC
 
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
APNIC
 
APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC
 
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
APNIC
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
APNIC
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
APNIC
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
APNIC
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
APNIC
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
APNIC
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
APNIC
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
APNIC
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
APNIC
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
APNIC
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff Huston
APNIC
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
APNIC
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APNIC
 

More from APNIC (20)

APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
 
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
Registry Data Accuracy Improvements, presented by Chimi Dorji at SANOG 41 / I...
 
APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27
 
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff Huston
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
 

Recently uploaded

Living-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptx
Living-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptxLiving-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptx
Living-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptx
TristanJasperRamos
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
Gal Baras
 
Output determination SAP S4 HANA SAP SD CC
Output determination SAP S4 HANA SAP SD CCOutput determination SAP S4 HANA SAP SD CC
Output determination SAP S4 HANA SAP SD CC
ShahulHameed54211
 
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
3ipehhoa
 
This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!
nirahealhty
 
test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...
Arif0071
 
Latest trends in computer networking.pptx
Latest trends in computer networking.pptxLatest trends in computer networking.pptx
Latest trends in computer networking.pptx
JungkooksNonexistent
 
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
3ipehhoa
 
BASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptxBASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptx
natyesu
 
The+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptxThe+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptx
laozhuseo02
 
guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
Rogerio Filho
 
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shopHistory+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
laozhuseo02
 
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesMulti-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Sanjeev Rampal
 
ER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAEER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAE
Himani415946
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
3ipehhoa
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
JeyaPerumal1
 

Recently uploaded (16)

Living-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptx
Living-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptxLiving-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptx
Living-in-IT-era-Module-7-Imaging-and-Design-for-Social-Impact.pptx
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
 
Output determination SAP S4 HANA SAP SD CC
Output determination SAP S4 HANA SAP SD CCOutput determination SAP S4 HANA SAP SD CC
Output determination SAP S4 HANA SAP SD CC
 
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
 
This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!
 
test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...
 
Latest trends in computer networking.pptx
Latest trends in computer networking.pptxLatest trends in computer networking.pptx
Latest trends in computer networking.pptx
 
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
 
BASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptxBASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptx
 
The+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptxThe+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptx
 
guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
 
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shopHistory+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
 
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesMulti-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
 
ER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAEER(Entity Relationship) Diagram for online shopping - TAE
ER(Entity Relationship) Diagram for online shopping - TAE
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
 

Importance of SSHFP for Network Devices

  • 1. Importance of SSHFP And Configuring SSHFP for Network Devices Muhammad Moinur Rahman moin@bofh.im
  • 2. SSHFP root@ns:~ # ssh root@pdr.bofh.network The authenticity of host 'pdr.bofh.network (2604:6800:0:162:0:1:0:1)' can't be established. ECDSA key fingerprint is SHA256:AlzRr/ZNFC9fjs89jYAD1o2dFDs4vu3gUVUD7gI2QBk. No matching host key fingerprint found in DNS. Are you sure you want to continue connecting (yes/no)? ● Have you ever logged in that host or device ? ● Have you ever checked the public key ? ● Do you know the SHA256 Fingerprint of the ECDSA Public Key? ● 99.9% Sysadmin or Network admin never checks it @ console ● Victm of MITM Atack
  • 3. SSHFP ● First came up in 2006 ● Defined in RFC 4255 ● Creates a DNS record of type SSHFP ● Distributed by DNS, Verified by DNS lookup and secured by DNSSEC
  • 4. Previous Usage ● Distributed known_hosts file ● Easily modify ● No access, no verification ● Maybe use a bastion host
  • 6. Why SSHFP? ● SSH Public Key size are large to distribute via DNS ● So need the fingerprint ● Fingerprint method – Base64 – sha1/sha256 checksum
  • 7. What we need? ● Fingerprints of the host ● Proper SSHFP DNS records ● Zone must be DNSSEC signed ● A DNSSEC validator DNS server or ldns support in ssh client ● A SSH client capable to verify DNSSEC validated fingerprint
  • 8. Fingerprints of the host? root@pdr:~ # ssh-keygen -r pdr.bofh.network pdr.bofh.network IN SSHFP 1 1 2cfb54c336799bf601a17a6b2723d096ed23ce55 pdr.bofh.network IN SSHFP 1 2 95a39495ec59ad717c0990bfe1f3c8ddd9e2b1201065e0ca5fc381cbc7ea8d8b pdr.bofh.network IN SSHFP 2 1 90eb07d57e037aacbec479ed3a4c6a1264edf4f0 pdr.bofh.network IN SSHFP 2 2 eccdc4d93bb9af3eb4791e30f66aa327d9f0c9c388f5e950159ec285bb746783 pdr.bofh.network IN SSHFP 3 1 491ff6cd714362c5bae223fc2c942dbf78c3ba0e pdr.bofh.network IN SSHFP 3 2 597d44db5b0e28f787ad5b1535e8b201e509373f8a8e711c71c950556ecdf799 pdr.bofh.network IN SSHFP 4 1 c63d32f031cc3fc7fe867baf2d0cd23d4ef25213 pdr.bofh.network IN SSHFP 4 2 15d249791d60bc46ec400c3a16a66b1cca191b2d30464707e8e5ba204dea1433
  • 9. Dissecting Fingerprints ● Hostname ● Record CLASS (Internet) ● Record Type (SSHFP) ● Algorithm – 1 – RSA – 2 – DSA – 3 – ECDSA – 4 – Ed25519 ● Fingerprint TYPE – SHA1 – SHA256 ● Key
  • 10. Algorithm ● Most modern OS will show all 4 ● Old OS might show only RSA and DSA ● ECDSA and Ed25519 are modern Cryptographic algorithm ● Ed25519 added in RFC7479 ● For ECDSA and Ed25519 we need OpenSSH=>6.7
  • 11. Distributing via DNS root@pdr:~ # drill -D pdr.bofh.network sshfp ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 60914 ;; flags: qr rd ra ad ; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;; pdr.bofh.network. IN SSHFP ;; ANSWER SECTION: pdr.bofh.network. 3599 IN SSHFP 2 1 90eb07d57e037aacbec479ed3a4c6a1264edf4f0 pdr.bofh.network. 3599 IN SSHFP 3 2 597d44db5b0e28f787ad5b1535e8b201e509373f8a8e711c71c950556ecdf799 pdr.bofh.network. 3599 IN SSHFP 3 1 491ff6cd714362c5bae223fc2c942dbf78c3ba0e pdr.bofh.network. 3599 IN SSHFP 4 2 15d249791d60bc46ec400c3a16a66b1cca191b2d30464707e8e5ba204dea1433 pdr.bofh.network. 3599 IN SSHFP 1 2 95a39495ec59ad717c0990bfe1f3c8ddd9e2b1201065e0ca5fc381cbc7ea8d8b pdr.bofh.network. 3599 IN SSHFP 4 1 c63d32f031cc3fc7fe867baf2d0cd23d4ef25213 pdr.bofh.network. 3599 IN SSHFP 1 1 2cfb54c336799bf601a17a6b2723d096ed23ce55 pdr.bofh.network. 3599 IN SSHFP 2 2 eccdc4d93bb9af3eb4791e30f66aa327d9f0c9c388f5e950159ec285bb746783 pdr.bofh.network. 3599 IN RRSIG SSHFP 8 3 3600 20171114225917 20171031212226 15678 dzcrd.net. QBTRbj8xtyEN/9WH/PL39n1mC0XOKmGDj5TzgP/Kkvo7ac3wPwZ92dEcVnKyi1H2e8wP6532NIMjmuveyundnavCCbstOUfFyN17fBuEtHQTJzLmp8XQ7JxDgXbzbp6bvaKrck/XBFbRfk895oI9+Spg09fYkfseN4axEVoscQY= ;; AUTHORITY SECTION: ;; ADDITIONAL SECTION: ;; Query time: 1750 msec ;; EDNS: version 0; flags: do ; udp: 512 ;; SERVER: 127.0.0.1 ;; WHEN: Wed Nov 1 21:35:20 2017 ;; MSG SIZE rcvd: 530
  • 12. SSHFP Validation with ssh client root@ns:~ # ldd /usr/bin/ssh /usr/bin/ssh: libprivatessh.so.5 => /usr/lib/libprivatessh.so.5 (0x80084f000) libgssapi.so.10 => /usr/lib/libgssapi.so.10 (0x800aee000) libcrypto.so.8 => /lib/libcrypto.so.8 (0x800e00000) libc.so.7 => /lib/libc.so.7 (0x801269000) libprivateldns.so.5 => /usr/lib/libprivateldns.so.5 (0x801621000) libcrypt.so.5 => /lib/libcrypt.so.5 (0x80187f000) libz.so.6 => /lib/libz.so.6 (0x801a9e000)
  • 13. If ldns is supported .. ● Need to maintain a trust-anchor ● Run unbound-anchor ● Add to /etc/resolv.conf anchor /etc/unbound/root.key [*BSD] anchor /var/lib/unbound/root.key [Linux]
  • 14. Else .. ● Run a validating resolver like Unbound server: auto-trust-anchor-file: "/etc/unbound/root.key"
  • 15. Test ● root@pdr:~$ ssh root@pdr.bofh.network The authenticity of host 'pdr.bofh.network (2003:51:6012:110::9)' can't be established. ECDSA key fingerprint is SHA256:T09/p/ZSubnkraG3oslDMehfIiLRe6UiVn1dGZvtjZE. Are you sure you want to continue connecting (yes/no)? ^C ● root@pdr:~$ ssh -o VerifyHostKeyDNS=yes root@pdr.bofh.network root@pdr:~$
  • 16. Test Successful ● DNSSEC Validation Works ● SSH login without .known_host works
  • 17. SSH/SSHFP Demystified ● SSH Creates Public/Private Keys – For Linux/Unix under /etc/ssh/ssh_host_<ALGORITHM>.* – Normally during first run of sshd service – This part is automatic and hidden ● ssh-keygen creates fingerprints for those keys
  • 18. SSHFP for Network Equipments ● Network Equipments don’t have ssh-keygen command ● Equipments comes with limited subset of ssh ● Configure ssh service for devices preferably version 2 ● Create the public/private keys normally RSA only ● Gather the public key connecting through console or direct point-to-point connectivity ● Generate the Fingerprints for SSHFP records
  • 19. Configuring Router R1#conf t R1(config)#ip domain-name bofh.network R1(config)#crypto key generate rsa modulus 4096 R1(config)#crypto key generate rsa modulus 4096 R1(config)#crypto key generate rsa modulus 4096 R1#show ip ssh SSH Enabled - version 2.0 Authentication timeout: 120 secs; Authentication retries: 3 Minimum expected Diffie Hellman key size : 1024 bits IOS Keys in SECSH format(ssh-rsa, base64 encoded): ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1pb6dZ01nHBPZUZXcTxf7swq3NoNc6Geiz9C006YS gCwz47msZn7YGIlPtrhw+GGT2jZo+34xSXekVYV9Cie+e8NI4UgD7b+aXma6aNPGfDN338jAmWBN7SDB sZvLJnjDYndNqRtYXby8uhvzWfGNtPwIZCXgbX+nOTmCR9Ap0iFF4zxzPppwPko41xdyAaOc4qros8aR ocLP8hrEeEz9R7WWZZ5ui/+ya3wa/SFjOZIcnv/7BKl1E5z+CM0OneDUfktw6lEd3hYGr347sz5I4Obj ia3HJ1D3lQKtRcT8zqavdlDyaYZEvYbg4eMp6aSMjJ79BOhhGgiFJ/Mxw7isMikfd6iKisdU+pd3XxQN mNlDywfuRKl9RYfYAVNG3PvOAqzECplh4s5+jl1+SWeKIg3ah7iFv7ddEVdBtaOrCsVxaOJuIMYPioTH aoDNmeOpfZJa/VIqker78bTlIgIGALybnnniFYhAb9ztYJv8g14pmu7cZol3lGg9pa/Qi6sdCAVyizdj 0wsS/s8Sl8VhwoZpxEUs0XQIHEsKP47XpJdmKAWG3vYopWYz7JCRmpwl8+oRCHLL35zV4Em+BO4aH/gt +nRQuEaVFBwaHGbe0A77d4ABIHLWAvuFb4wr+oOGoD57kDolrFYq7IfW/d261+DMr11Ip0kJEncXIgZc
  • 20. Extracting Key ● Connect with Console ● Connect directly with point to point LAN ● Use show ip ssh – Copy the string starting with “ssh-rsa” and ending till last line ● For remote connection add the key with prompt and verify the keys ● Save the file in a Linux/Unix host with filename like hostname_rsa_key.pub
  • 21. Using the script #!/usr/local/bin/bash HOST="${1}" if [[ "$1" == "-h" || "$1" == "--help" ]] then echo "Usage: sshfpgen <hostname>" fi for pubkey in *_key.pub do echo "$HOST IN SSHFP 1 1 $(cut -f2 -d ' ' "$pubkey" | base64 --decode | shasum | cut -f 1 -d ' ')" echo "$HOST IN SSHFP 1 2 $(cut -f2 -d ' ' "$pubkey" | base64 --decode | shasum -a 256 | cut -f 1 -d ' ')" done
  • 22. Running the script root@ns:~ # ./sshfpgen r1.bofh.network r1.bofh.network IN SSHFP 1 1 96898fe4604ed5e7b1a1c80374b1200fae3f4adb r1.bofh.network IN SSHFP 1 2 ebfca263706e4e12c7189ae377014f30467af6e6243d3b8a7e5f763d2813023b
  • 23. Adding to DNS ● Following records were added into the DNS r1.bofh.network IN SSHFP 1 1 96898fe4604ed5e7b1a1c80374b1200fae3f4adb r1.bofh.network IN SSHFP 1 2 ebfca263706e4e12c7189ae377014f30467af6e6243d3b8a7e5f763d2813023b ● DNS Query Test $ dig SSHFP +noadditional +noquestion +nocomments +nocmd +nostats r1.bofh.network r1.bofh.network. 3600 IN SSHFP 1 1 96898fe4604ed5e7b1a1c80374b1200fae3f4adb r1.bofh.network. 3600 IN SSHFP 1 2 ebfca263706e4e12c7189ae377014f30467af6e6243d3b8a7e5f763d2813023b
  • 24. Connectivity Test ● Connecting without DNSSEC validation $ ssh VerifyHostKeyDNS=yes r1.bofh.network The authenticity of host 'r1.bofh.network (192.168.100.100)' can't be established. RSA key fingerprint is SHA256:y2STsQ4RA/8durhpic+pb6UjcKwz7+bUaKX3C40yOGk. Matching host key fingerprint found in DNS. Are you sure you want to continue connecting (yes/no)?
  • 25. Connectivity Test ● Connecting with DNSSEC validation $ ssh VerifyHostKeyDNS=yes r1.bofh.network Username: ● Also no records will be added in .known_host file
  • 26. Live Demonstration & Questions