SSH (Secure SHell) is a protocol and program used to securely access remote systems. It allows establishing secure communication channels and relies on cryptography. Basic usage provides shell access or executes commands on remote servers, while advanced uses include transferring data, connecting to services, and creating secure tunnels through the public internet. Authentication can be done with passwords or public-key cryptography for increased security.
Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. This presentation is made as an assignment during our university course.
Overview of the SSH protocol.
SSH (Secure SHell) is a secure replacement for TELNET, rcp, rlogin, rsh (for login, remote execution of
commands, file transfer).
Security-wise SSH provides confidentiality (nobody can read the message content), integrity (guarantee that data is unaltered in transit) and authentication (of client and server). This provides protection against many of the possible attack vectors like IP spoofing, DNS spoofing, Password interception and eavesdropping.
SSH exists in 2 versions. SSH-2 fixes some of the shortcomings of SSH-1 so it should be used in place of SSH-1.
SSH also comes with features that in itself raise security concerns like tunneling and port forwarding.
Slides from a presentation I gave on SSH. Covers basics of ssh, password|keys|host-based authentication, agent/key forwarding, configuration files (global and user-specific), local/remote port forwarding, scp, rsync, and briefly mentions git's support.
Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. This presentation is made as an assignment during our university course.
Overview of the SSH protocol.
SSH (Secure SHell) is a secure replacement for TELNET, rcp, rlogin, rsh (for login, remote execution of
commands, file transfer).
Security-wise SSH provides confidentiality (nobody can read the message content), integrity (guarantee that data is unaltered in transit) and authentication (of client and server). This provides protection against many of the possible attack vectors like IP spoofing, DNS spoofing, Password interception and eavesdropping.
SSH exists in 2 versions. SSH-2 fixes some of the shortcomings of SSH-1 so it should be used in place of SSH-1.
SSH also comes with features that in itself raise security concerns like tunneling and port forwarding.
Slides from a presentation I gave on SSH. Covers basics of ssh, password|keys|host-based authentication, agent/key forwarding, configuration files (global and user-specific), local/remote port forwarding, scp, rsync, and briefly mentions git's support.
FreeIPA is the open source answer to Active Directory, bringing the functionality of Kerberos and centralized management to the unix world. This talk will dive into the background of FreeIPA, how to attack it, and its parallels to traditional Active Directory. We will cover the FreeIPA equivalents of credential abuse, discovery, and lateral movement, highlighting the similarities and differences from traditional Active Directory tradecraft. This will culminate in multiple real-world demos showing how chains of abuse, previously accessible only in Windows environments, are now possible in the unix realm, providing a new medium for offensive research into Kerberos and LDAP environments.
Get an overview of HashiCorp's Vault concepts.
Learn how to start a Vault server.
Learn how to use the Vault's postgresql backend.
See an overview of the Vault's SSH backend integration.
This presentation was held on the DigitalOcean Meetup in Berlin. Find more details here: https://www.meetup.com/DigitalOceanBerlin/events/237123195/
Service Function Chaining in Openstack NeutronMichelle Holley
Service Function Chaining (SFC) uses software-defined networking (SDN) capabilities to create a service chain of connected network services (such as L4-7 like firewalls,
network address translation [NAT], intrusion protection) and connect them in a virtual chain. This capability can be used by network operators to set up suites or catalogs
of connected services that enable the use of a single network connection for many services, with different characteristics.
networking-sfc is a service plugin of Openstack neutron. The talk will go over the architecture, implementation, use-cases and latest enhancements to networking-sfc (the APIs and implementation to support service function chaining in neutron).
About the speaker: Farhad Sunavala is currently a principal architect/engineer working on Network Virtualization, Cloud service, and SDN technologies at Huawei Technology USA. He has led several wireless projects in Huawei including virtual EPC, service function chaining, etc. Prior to Huawei, he worked 17 years at Cisco. Farhad received his MS in Electrical and Computer Engineering from University of New Hampshire. His expertise includes L2/L3/L4 networking, Network Virtualization, SDN, Cloud Computing, and
mobile wireless networks. He holds several patents in platforms, virtualization, wireless, service-chaining and cloud computing. Farhad was a core member of networking-sfc.
I have tried my best to describe Samba Server through this PPT. I hope you guys will love this and this ppt will be helpful for you all.
Thanks,
Veeral Arora
The Network File System (NFS) is the most widely used network-based file system. NFS’s initial simple design and Sun Microsystems’ willingness to publicize the protocol and code samples to the community contributed to making NFS the most successful remote access file system. NFS implementations are available for numerous Unix systems, several Windows-based systems, and others.
SSH is a protocol for secure remote access to a machine over untrusted networks.
SSH is a replacement for telnet, rsh, rlogin and can replace ftp.
Uses Encryption.
SSH is not a shell like Unix Bourne shell and C shell (wildcard expansion and command interpreter)
Shell is a protocol that provides authentication, encryption and data integrity to secure network communications. Implementations of Secure Shell offer the following capabilities: a secure command-shell, secure file transfer, and remote access to a variety of TCP/IP applications via a secure tunnel. Secure Shell client and server applications are widely available for most popular operating systems.
Linux offers an extensive selection of programmable and configurable networking components from traditional bridges, encryption, to container optimized layer 2/3 devices, link aggregation, tunneling, several classification and filtering languages all the way up to full SDN components. This talk will provide an overview of many Linux networking components covering the Linux bridge, IPVLAN, MACVLAN, MACVTAP, Bonding/Team, OVS, classification & queueing, tunnel types, hidden routing tricks, IPSec, VTI, VRF and many others.
OSDC 2018 | OPNsense: the “open” firewall for your datacenter by Thomas Niede...NETWAYS
OPNsense is an open source and easy-to-use FreeBSD based firewall and routing platform. 2018 – three years after OPNsense started as a fork of pfSense® and m0n0wall – OPNsense brings the rich feature set of commercial offerings with the benefits of open and verifiable sources. A strong focus on security and code quality drives the development of the project. The modern and intuitive web interface makes configuring firewall rules funny
In this talk, Thomas will outline OPNsense’s FreeBSD-based architecture and how you can take advantage of additional features using OPNsense plugins. He will also show how to initially setup an OPNsense firewall, and how you use datacenter-features like High Availability & Hardware Failover or Dual Uplinks.
Open (source) makes sense – also for your firewall
SOSCON 2019.10.17
What are the methods for packet processing on Linux? And how fast are each packet processing methods? In this presentation, we will learn how to handle packets on Linux (User space, socket filter, netfilter, tc), and compare performance with analysis of where each packet processing is done in the network stack (hook point). Also, we will discuss packet processing using XDP, an in-kernel fast-path recently added to the Linux kernel. eXpress Data Path (XDP) is a high-performance programmable network data-path within the Linux kernel. The XDP is located at the lowest level of access through SW in the network stack, the point at which driver receives the packet. By using the eBPF infrastructure at this hook point, the network stack can be expanded without modifying the kernel.
Daniel T. Lee (Hoyeon Lee)
@danieltimlee
Daniel T. Lee currently works as Software Engineer at Kosslab and contributing to Linux kernel BPF project. He has interest in cloud, Linux networking, and tracing technologies, and likes to analyze the kernel's internal using BPF technology.
Docker Networking with New Ipvlan and Macvlan DriversBrent Salisbury
Docker Networking presentation at ONS2016.
Docker Macvlan and Ipvlan Networking Drivers Experimental Readme:
github.com/docker/docker/blob/master/experimental/vlan-networks.md
Kernel requirements for Ipvlan mode is v4.2+, Macvlan mode is v3.19.
If using Virtualbox to test with, use NAT mode interfaces unless you have multiple MAC addresses working in your setup. Use the 172.x.x.x subnet and gateway used by the VBox NAT network. Vmware Fusion works out of the box.
Here is a screenshot of a VirtualBox NAT interface:
https://www.dropbox.com/s/w1rf61n18y7q4f1/Screenshot%202016-03-20%2001.55.13.png?dl=0
Unifying Network Filtering Rules for the Linux Kernel with eBPFNetronome
At the core of fast network packet processing lies the ability to filter packets, or in other words, to apply a set of rules on packets, usually consisting of a pattern to match (L2 to L4 source and destination addresses and ports, protocols, etc.) and corresponding actions (redirect to a given queue, or drop the packet, etc.). Over the years, several filtering frameworks have been added to Linux. While at the lower level, ethtool can be used to configure N-tuple rules on the receive side for the hardware, the upper layers of the stack got equipped with rules for firewalling (Netfilter), traffic shaping (TC), or packet switching (Open vSwitch for example).
In this presentation, Quentin Monnet reviewed the needs for those filtering frameworks and the particularities of each one. Then focuses on the changes brought by eBPF and XDP in this landscape: as BPF programs allow for very flexible processing and can be attached very low in the stack—at the driver level, or even run on the NIC itself—they offer filtering capabilities with no precedent in terms of performance and versatility in the kernel. Lastly, the third part explores potential leads in order to create bridges between the different rule formats and to make it easier for users to build their filtering eBPF programs.
FreeIPA is the open source answer to Active Directory, bringing the functionality of Kerberos and centralized management to the unix world. This talk will dive into the background of FreeIPA, how to attack it, and its parallels to traditional Active Directory. We will cover the FreeIPA equivalents of credential abuse, discovery, and lateral movement, highlighting the similarities and differences from traditional Active Directory tradecraft. This will culminate in multiple real-world demos showing how chains of abuse, previously accessible only in Windows environments, are now possible in the unix realm, providing a new medium for offensive research into Kerberos and LDAP environments.
Get an overview of HashiCorp's Vault concepts.
Learn how to start a Vault server.
Learn how to use the Vault's postgresql backend.
See an overview of the Vault's SSH backend integration.
This presentation was held on the DigitalOcean Meetup in Berlin. Find more details here: https://www.meetup.com/DigitalOceanBerlin/events/237123195/
Service Function Chaining in Openstack NeutronMichelle Holley
Service Function Chaining (SFC) uses software-defined networking (SDN) capabilities to create a service chain of connected network services (such as L4-7 like firewalls,
network address translation [NAT], intrusion protection) and connect them in a virtual chain. This capability can be used by network operators to set up suites or catalogs
of connected services that enable the use of a single network connection for many services, with different characteristics.
networking-sfc is a service plugin of Openstack neutron. The talk will go over the architecture, implementation, use-cases and latest enhancements to networking-sfc (the APIs and implementation to support service function chaining in neutron).
About the speaker: Farhad Sunavala is currently a principal architect/engineer working on Network Virtualization, Cloud service, and SDN technologies at Huawei Technology USA. He has led several wireless projects in Huawei including virtual EPC, service function chaining, etc. Prior to Huawei, he worked 17 years at Cisco. Farhad received his MS in Electrical and Computer Engineering from University of New Hampshire. His expertise includes L2/L3/L4 networking, Network Virtualization, SDN, Cloud Computing, and
mobile wireless networks. He holds several patents in platforms, virtualization, wireless, service-chaining and cloud computing. Farhad was a core member of networking-sfc.
I have tried my best to describe Samba Server through this PPT. I hope you guys will love this and this ppt will be helpful for you all.
Thanks,
Veeral Arora
The Network File System (NFS) is the most widely used network-based file system. NFS’s initial simple design and Sun Microsystems’ willingness to publicize the protocol and code samples to the community contributed to making NFS the most successful remote access file system. NFS implementations are available for numerous Unix systems, several Windows-based systems, and others.
SSH is a protocol for secure remote access to a machine over untrusted networks.
SSH is a replacement for telnet, rsh, rlogin and can replace ftp.
Uses Encryption.
SSH is not a shell like Unix Bourne shell and C shell (wildcard expansion and command interpreter)
Shell is a protocol that provides authentication, encryption and data integrity to secure network communications. Implementations of Secure Shell offer the following capabilities: a secure command-shell, secure file transfer, and remote access to a variety of TCP/IP applications via a secure tunnel. Secure Shell client and server applications are widely available for most popular operating systems.
Linux offers an extensive selection of programmable and configurable networking components from traditional bridges, encryption, to container optimized layer 2/3 devices, link aggregation, tunneling, several classification and filtering languages all the way up to full SDN components. This talk will provide an overview of many Linux networking components covering the Linux bridge, IPVLAN, MACVLAN, MACVTAP, Bonding/Team, OVS, classification & queueing, tunnel types, hidden routing tricks, IPSec, VTI, VRF and many others.
OSDC 2018 | OPNsense: the “open” firewall for your datacenter by Thomas Niede...NETWAYS
OPNsense is an open source and easy-to-use FreeBSD based firewall and routing platform. 2018 – three years after OPNsense started as a fork of pfSense® and m0n0wall – OPNsense brings the rich feature set of commercial offerings with the benefits of open and verifiable sources. A strong focus on security and code quality drives the development of the project. The modern and intuitive web interface makes configuring firewall rules funny
In this talk, Thomas will outline OPNsense’s FreeBSD-based architecture and how you can take advantage of additional features using OPNsense plugins. He will also show how to initially setup an OPNsense firewall, and how you use datacenter-features like High Availability & Hardware Failover or Dual Uplinks.
Open (source) makes sense – also for your firewall
SOSCON 2019.10.17
What are the methods for packet processing on Linux? And how fast are each packet processing methods? In this presentation, we will learn how to handle packets on Linux (User space, socket filter, netfilter, tc), and compare performance with analysis of where each packet processing is done in the network stack (hook point). Also, we will discuss packet processing using XDP, an in-kernel fast-path recently added to the Linux kernel. eXpress Data Path (XDP) is a high-performance programmable network data-path within the Linux kernel. The XDP is located at the lowest level of access through SW in the network stack, the point at which driver receives the packet. By using the eBPF infrastructure at this hook point, the network stack can be expanded without modifying the kernel.
Daniel T. Lee (Hoyeon Lee)
@danieltimlee
Daniel T. Lee currently works as Software Engineer at Kosslab and contributing to Linux kernel BPF project. He has interest in cloud, Linux networking, and tracing technologies, and likes to analyze the kernel's internal using BPF technology.
Docker Networking with New Ipvlan and Macvlan DriversBrent Salisbury
Docker Networking presentation at ONS2016.
Docker Macvlan and Ipvlan Networking Drivers Experimental Readme:
github.com/docker/docker/blob/master/experimental/vlan-networks.md
Kernel requirements for Ipvlan mode is v4.2+, Macvlan mode is v3.19.
If using Virtualbox to test with, use NAT mode interfaces unless you have multiple MAC addresses working in your setup. Use the 172.x.x.x subnet and gateway used by the VBox NAT network. Vmware Fusion works out of the box.
Here is a screenshot of a VirtualBox NAT interface:
https://www.dropbox.com/s/w1rf61n18y7q4f1/Screenshot%202016-03-20%2001.55.13.png?dl=0
Unifying Network Filtering Rules for the Linux Kernel with eBPFNetronome
At the core of fast network packet processing lies the ability to filter packets, or in other words, to apply a set of rules on packets, usually consisting of a pattern to match (L2 to L4 source and destination addresses and ports, protocols, etc.) and corresponding actions (redirect to a given queue, or drop the packet, etc.). Over the years, several filtering frameworks have been added to Linux. While at the lower level, ethtool can be used to configure N-tuple rules on the receive side for the hardware, the upper layers of the stack got equipped with rules for firewalling (Netfilter), traffic shaping (TC), or packet switching (Open vSwitch for example).
In this presentation, Quentin Monnet reviewed the needs for those filtering frameworks and the particularities of each one. Then focuses on the changes brought by eBPF and XDP in this landscape: as BPF programs allow for very flexible processing and can be attached very low in the stack—at the driver level, or even run on the NIC itself—they offer filtering capabilities with no precedent in terms of performance and versatility in the kernel. Lastly, the third part explores potential leads in order to create bridges between the different rule formats and to make it easier for users to build their filtering eBPF programs.
Telnet é um protocolo de rede utilizado na Internet ou redes locais para proporcionar uma facilidade de comunicação baseada em texto interativo bidirecional usando uma conexão de terminal virtual.
This presentation outlines the core functions of TCP - Transmission Control Protocol.
These comprise TCP Connection Control, TCP Flow Control, TCP Error Control, TCP Congestion Control, TCP Options and TCP Timers.
TCP/IP is the Internet core protocol that provides reliable, connection-oriented and stream-based communication service. Most of Internet traffic is carried in TCP connections, so scalability and reliability are crucial for a stable network on a global scale.
Nagios Conference 2013 - Leland Lammert - Nagios in a Multi-Platform EnviornmentNagios
Leland Lammert's presentation on Nagios in a Multi-Platform Enviornment.
The presentation was given during the Nagios World Conference North America held Sept 20-Oct 2nd, 2013 in Saint Paul, MN. For more information on the conference (including photos and videos), visit: http://go.nagios.com/nwcna
OpenSSH is a FREE version of the SSH connectivity tools that technical users of the Internet rely on.
This talk will explain the most interesting features of ssh and some info about future developments.
install hadoop in windows using maven and windows sdk and visual c++ compiler.
To install hadoop on windows see below link step by step guidance.
From version 2.3 hadoop suppot windows also but by default it supports linux and other version. to install in windows need to compile the hadoop source in native windows sdk and then that hadoop distribution generated can be used to run hadoop in windows.
hadoop installation on windows
Internal knowledge share on SSH setup and usage. Includes some helpful config file options to save time and how to create and use SSH keys for better security and productivity.
Using Secure Shell on Linux: What Everyone Should KnowNovell
Secure Shell, or SSH, is a network protocol that allows data to be exchanged over a secure channel. SSH is much more than just data being passed over the wire. SSH can be used to tunnel traffic and specific ports or applications across multiple servers. SSH is a must for anyone using Linux. If you haven't used SSH, then you have not used Linux!
This session is designed for all technical staff or decision makers curious about great Linux tools and making access to Windows services, remote desktops and remote servers easier and less complicated. During this session, we will demonstrate techniques to tunnel RDP sessions, SOAP sessions and HTTP sessions between remote systems.
Apresentação na Pós-Graduação em Segurança da Informação:
- Sniffer de senhas em plain text;
- Ataque de brute-force no SSH;
- Proteção: Firewall, IPS e/ou TCP Wrappers;
- Segurança básica no sshd_config;
- Chaves RSA/DSA para acesso remoto;
- SSH buscando chaves no LDAP;
- Porque previnir o acesso: Fork Bomb
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
1. An introduction to SSH
Lucas Nussbaum
lucas.nussbaum@univ-lorraine.fr
Licence professionnelle ASRALL
Administration de systèmes, réseaux et applications à base de logiciels libres
Lucas Nussbaum An introduction to SSH 1 / 26
2. Plan
1 SSH basics
SSH 101
Public-key authentication
Checking the server’s identity
Configuring SSH
2 Advanced usage
SSH as a communication layer for applications
Access remote filesystems over SSH: sshfs
SSH tunnels, X11 forwarding, and SOCKS proxy
Jumping through hosts with ProxyCommand
Triggering remote command execution securely
Escape sequences
3 Conclusions
Lucas Nussbaum An introduction to SSH 2 / 26
3. Introduction
SSH = Secure SHell
Standard network protocol and service (TCP port 22)
Many implementations, including:
OpenSSH: Linux/Unix, Mac OS X ← this talk, mostly
Putty: Windows, client only
Dropbear: small systems (routers, embedded)
Unix command (ssh); server-side: sshd
Establish a secure communication channel between two machines
Relies on cryptography
Most basic usage: get shell access on a remote machine
Many advanced usages:
Data transfer (scp, sftp, rsync)
Connect to specific services (such as Git or SVN servers)
Dig secure tunnels through the public Internet
Several authentication schemes: password, public key
Lucas Nussbaum An introduction to SSH 3 / 26
4. Basic usage
Connecting to a remote server:
$ ssh login@remote-server
Provides a shell on remote-server
Executing a command on a remote server:
$ ssh login@remote-server ls /etc
Copying data (with scp, similar to cp):
$ scp local-file login@remote-serv:remote-directory/
$ scp login@remote-serv:remote-dir/file local-dir/
Usual cp options work, e.g. -r (recursive)
Copying data (with rsync, more efficient than scp with many files):
$ rsync -avzP localdir login@server:path-to-rem-dir/
Note: trailing slash on source matters with rsync (not with cp)
rsync -a dir1 u@h:dir2 dir1 copied inside dir2
rsync -a dir1/ u@h:dir2 content of dir1 copied to dir2
Lucas Nussbaum An introduction to SSH 4 / 26
5. Public-key authentication
General idea:
Asymmetric cryptography (or public-key cryptography):
The public key is used to encrypt something
Only the private key can decrypt it
User owns a private (secret) key, stored on the local machine
The server has the public key corresponding to the private key
Authentication = <server> prove that you own that private key!
Implementation (challenge-response authentication):
1 Server generates a nonce (random value)
2 Server encrypts the nonce with the Client’s public key
3 Server sends the encrypted nonce (= the challenge) to client
4 Client uses the private key to decrypt the challenge
5 Client sends the nonce (= the response) to the Server
6 Server compares the nonce with the response
Lucas Nussbaum An introduction to SSH 5 / 26
6. Public-key authentication (2)
Advantages:
The password does not need to be sent over the network
The private key never leaves the client
The process can be automated
However, the private key should be protected (what if your laptop
gets stolen?)
Usually with a passphrase
Lucas Nussbaum An introduction to SSH 6 / 26
7. Key-pair generation
$ ssh -keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa ): [ENTER]
Enter passphrase (empty for no passphrase ): passphrase
Enter same passphrase again: passphrase
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
f6 :35:53:71:2f:ff :00:73:59:78: ca:2c:7c:ff:89:7b user@my.hostname.net
The key ’s randomart image is:
+--[ RSA 2048]----+
..o
(...)
.o
+-----------------+
$
Creates the key-pair:
~/.ssh/id_rsa (private key)
~/.ssh/id_rsa.pub (public key)
Lucas Nussbaum An introduction to SSH 7 / 26
8. Copying the public key to the server
Example public key:
ssh-rsa AAAAB3NX[. . . ]hpoR3/PLlXgGcZS4oR user@my.hostname.net
On the server, ~user/.ssh/authorized_keys contains the list of
public keys authorized to connect to the user account
The key can be copied manually there
Or use ssh-copy-id to automatically copy the key:
client$ ssh-copy-id user@server
Sometimes the public key needs to be provided using a web
interface (e.g. on GitHub, FusionForge, Redmine, etc.)
Lucas Nussbaum An introduction to SSH 8 / 26
9. Remembering the passphrase
If the private key is not protected with a passphrase, the
connection is established immediately:
*** login@laptop:~$ ssh rlogin@rhost [ENTER]
*** rlogin@rhost:~$
Otherwise, ssh asks for the passphrase:
*** login@laptop:~$ ssh rlogin@rhost [ENTER]
Enter passphrase for key ’/home/login/id_rsa’: [passphrase+ENTER]
*** rlogin@rhost:~$
An SSH agent can be used to remember the passphrase
Most desktop environments act as SSH agents automatically
One can be started with ssh-agent if needed
Add keys manually with ssh-add
Lucas Nussbaum An introduction to SSH 9 / 26
10. Checking the server identity: known_hosts
Goal: detect hijacked servers
What if someone replaced the server to steal passwords?
When you connect to a server for the first time, ssh stores the
server’s public key in ~/.ssh/known_hosts
*** login@laptop:~$ ssh rlogin@server [ENTER]
The authenticity of host ’server (10.1.6.2)’ can’t be established.
RSA key fingerprint is
94:48:62:18:4b:37:d2:96:67:c9:7f:2f:af:2e:54:a5.
Are you sure you want to continue connecting (yes/no)? yes [ENTER]
Warning: Permanently added ’server,10.1.6.2’(RSA) to the list of
known hosts.
rlogin@server’s password:
Lucas Nussbaum An introduction to SSH 10 / 26
11. Checking the server identity: known_hosts (2)
During each following connection, ssh ensures that the key still
matches, and warns the user otherwise
*** login@laptop :~$ ssh rlogin@server [ENTER]
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man -in-the -middle attack )!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
e3 :94:03:90:5d:81:ed:bb:d5:d2:f2:de:ba :31:18: d8.
Please contact your system administrator.
Add correct host key in /home/login/.ssh/known_hosts to get rid of this message.
Offending RSA key in /home/login/.ssh/known_hosts :12
RSA host key for server has changed and you have requested strict checking.
Host key verification failed.
*** login@laptop :~$
Remove a truly outdated key can be removed with
ssh-keygen -R server
Lucas Nussbaum An introduction to SSH 11 / 26
12. Configuring SSH
SSH gets configuration data from:
1 command-line options (-o ...)
2 the user’s configuration file: ~/.ssh/config
3 the system-wide configuration file: /etc/ssh/ssh_config
Options are documented in the ssh_config(5) man page
~/.ssh/config contains a list of hosts (with wildcards)
For each parameter, the first obtained value is used
Host-specific declarations are given near the beginning
General defaults at the end
Lucas Nussbaum An introduction to SSH 12 / 26
13. Example: ~/.ssh/config
Host mail.acme.com
User root
Host foo # alias/shortcut. ’ssh foo ’ works
Hostname very -long -hostname.acme.net
Port 2222
Host *.acme.com
User jdoe
Compression yes # default is no
PasswordAuthentication no # only use public key
ServerAliveInternal 60 # keep -alives for bad firewall
Host *
User john
Note: bash-completion can auto-complete using ssh_config hosts
Lucas Nussbaum An introduction to SSH 13 / 26
14. Plan
1 SSH basics
SSH 101
Public-key authentication
Checking the server’s identity
Configuring SSH
2 Advanced usage
SSH as a communication layer for applications
Access remote filesystems over SSH: sshfs
SSH tunnels, X11 forwarding, and SOCKS proxy
Jumping through hosts with ProxyCommand
Triggering remote command execution securely
Escape sequences
3 Conclusions
Lucas Nussbaum An introduction to SSH 14 / 26
15. SSH as a communication layer for applications
Several applications use SSH as their communication layer
Sometimes also authentication layer
scp, sftp, rsync (data transfer)
unison (synchronization)
Subversion: svn checkout svn+ssh://user@rhost/path/to/repo
Git: git clone ssh://git@github.com/path-to/repository.git
Or: git clone git@github.com:path-to/repository.git
Lucas Nussbaum An introduction to SSH 15 / 26
16. Access remote filesystems over SSH: sshfs
sshfs: FUSE-based solution to access remote machines
Ideal for remote file editing with a GUI, copying small amounts of
data, etc.
Mount a remote directory:
sshfs root@server:/etc /tmp/local-mountpoint
Unmount: fusermount -u /tmp/local-mountpoint
Combine with afuse to auto-mount any machine:
afuse -o mount_template="sshfs %r:/ %m" -o
unmount_template="fusermount -u -z %m" ~/.sshfs/
cd ~/.sshfs/rhost/etc/ssh
Lucas Nussbaum An introduction to SSH 16 / 26
17. SSH tunnels with -L and -R
Goal: transport traffic through a secure connection
Work-around network filtering (firewalls)
Avoid sending unencrypted data on the Internet
But only works for TCP connections
-L: access a remote service behind a firewall (Intranet server)
ssh -L 12345:service:1234 server
Still on Client: telnet localhost 12345
Server establishes a TCP connection to Service, port 1234
The traffic is tunnelled inside the SSH connection to Server
Client Server
TCP Service
on port 1234
Internet Private network
Lucas Nussbaum An introduction to SSH 17 / 26
18. SSH tunnels with -L and -R
Goal: transport traffic through a secure connection
Work-around network filtering (firewalls)
Avoid sending unencrypted data on the Internet
But only works for TCP connections
-L: access a remote service behind a firewall (Intranet server)
ssh -L 12345:service:1234 server
Still on Client: telnet localhost 12345
Server establishes a TCP connection to Service, port 1234
The traffic is tunnelled inside the SSH connection to Server
Client Server
TCP Service
on port 1234
Internet Private network
Lucas Nussbaum An introduction to SSH 17 / 26
19. SSH tunnels with -L and -R
-R: provide remote access to a local private service
ssh -R 12345:service:1234 server
On Server: telnet localhost 12345
Client establishes a TCP connection to Service, port 1234
The traffic is tunnelled inside the SSH connection to Client
Client Server
TCP Service
on port 1234
Private network Internet
Note: SSH tunnels don’t work very well for HTTP, because IP+port
are not enough to identify a website (Host: HTTP header)
Lucas Nussbaum An introduction to SSH 18 / 26
20. SSH tunnels with -L and -R
-R: provide remote access to a local private service
ssh -R 12345:service:1234 server
On Server: telnet localhost 12345
Client establishes a TCP connection to Service, port 1234
The traffic is tunnelled inside the SSH connection to Client
Client Server
TCP Service
on port 1234
Private network Internet
Note: SSH tunnels don’t work very well for HTTP, because IP+port
are not enough to identify a website (Host: HTTP header)
Lucas Nussbaum An introduction to SSH 18 / 26
21. X11 forwarding with -X: GUI apps over SSH
Run a graphical application on a remote machine, display locally
Similar to VNC, but on a per-application basis
ssh -X server
$DISPLAY will be set by SSH on the server:
$ echo $DISPLAY
localhost:10.0
Then start GUI applications on server (e.g. xeyes)
Troubleshooting:
xauth must be installed on the remote machine
The local Xorg server must allow TCP connections
pgrep -a Xorg -nolisten must not be included
Can be configured in your login manager
Does not work very well over slow or high-latency connections
Lucas Nussbaum An introduction to SSH 19 / 26
22. SOCKS proxy with -D
SOCKS: protocol to proxy TCP connections via a remote machine
SSH can act as a SOCKS server: ssh -D 1080 server
Use case similar to tunnelling with -L, but more flexible
Set up the proxy once, use for multiple connections
Usage:
Manual: configure applications to use the SOCKS proxy
Transparent: use tsocks to re-route connections via SOCKS
$ cat /etc/tsocks.conf
server = 127.0.0.1
server_type = 5
server_port = 1080 # then start ssh with -D 1080
$ tsocks pidgin # tunnel application through socks
Lucas Nussbaum An introduction to SSH 20 / 26
23. Jumping through hosts with ProxyCommand
Client Server
Server2 on
private network
Private networkInternet
Problem: to connect to Server2, you need to connect to Server
Can you do that in a single step? (required for data transfer,
tunnels, X11 forwarding)
Combines two SSH features:
ProxyCommand option: command used to connect to host;
connection available on standard input & output
ssh -W host:port establish a TCP connection, provide it
on standard input & output (suitable for ProxyCommand)
Lucas Nussbaum An introduction to SSH 21 / 26
24. Jumping through hosts with ProxyCommand (2)
Example configuration:
Host server2 # ssh server2 works
ProxyCommand ssh -W server2 :22 server
Also works with wildcards
Host *.priv # ssh host1.priv works
ProxyCommand ssh -W $(basename %h .priv ):%p server
-W only available since OpenSSH 5.4 (circa 2010), but the same
can be achieved with netcat:
Host *.priv
ProxyCommand ssh serv nc -q 0 $(basename %h .priv) %p
Similar solution to connect via a proxy:
SOCKS: connect-proxy -4 -S myproxy:1080 rhost 22
HTTP (with CONNECT): corkscrew myproxy 1080 rhost 22
When CONNECT requests are forbidden, set up httptunnel
on a remote server, and use htc and hts
Lucas Nussbaum An introduction to SSH 22 / 26
25. Triggering remote command execution securely
Goal: notify Server2 that something finished on Server1
But Server1 must not have full shell access on Server2
Method: limit to a single command in authorized_keys
Also known as SSH triggers
Example authorized_keys on Server2:
from=" server1.acme.com",command ="tar czf - /home",no-pty ,
no-port -forwarding ssh -rsa AAAA [...]oR user@my.host.net
Lucas Nussbaum An introduction to SSH 23 / 26
26. Escape sequences
Goal: interact with an already established SSH connection
Add tunnels or SOCKS proxy, kill unresponsive connection
Escape sequences start with ’~’, at the beginning of a line
So press [enter], then ~, then e.g. ’?’
Main sequences (others documented in ssh(1)):
~. – disconnect (for unresponsive connections)
~? – show the list of escape sequences
~C – open SSH command-line. e.g. ~C -D 1080
~& – logout and background SSH while waiting for forwarded
connections or X11 sessions to terminate
Lucas Nussbaum An introduction to SSH 24 / 26
27. Plan
1 SSH basics
SSH 101
Public-key authentication
Checking the server’s identity
Configuring SSH
2 Advanced usage
SSH as a communication layer for applications
Access remote filesystems over SSH: sshfs
SSH tunnels, X11 forwarding, and SOCKS proxy
Jumping through hosts with ProxyCommand
Triggering remote command execution securely
Escape sequences
3 Conclusions
Lucas Nussbaum An introduction to SSH 25 / 26
28. Conclusions
The Swiss-army knife of remote administration
Very powerful tool, many useful features
Practical session: test everything mentioned in this presentation
Other topics not covered in this presentation:
Built-in support for VPN
Other authentication methods (certificates)
Managing long executions on a remote machine with screen
or tmux
Mosh, an SSH alternative suited for Wi-Fi, cellular and long
distance links
Lucas Nussbaum An introduction to SSH 26 / 26