SSH
General
- https://en.wikipedia.org/wiki/Secure_Shell - a cryptographic network protocol for operating network services securely over an unsecured network. Typical applications include remote command-line login and remote command execution, but any network service can be secured with SSH. SSH provides a secure channel over an unsecured network by using a client–server architecture, connecting an SSH client application with an SSH server. The protocol specification distinguishes between two major versions, referred to as SSH-1 and SSH-2. The standard TCP port for SSH is 22. SSH is generally used to access Unix-like operating systems, but it can also be used on Microsoft Windows. Windows 10 uses OpenSSH as its default SSH client.
SSH was designed as a replacement for Telnet and for unsecured remote shell protocols such as the Berkeley rsh and the related rlogin and rexec protocols. Those protocols send information, notably passwords, in plaintext, rendering them susceptible to interception and disclosure using packet analysis. The encryption used by SSH is intended to provide confidentiality and integrity of data over an unsecured network, such as the Internet, although files leaked by Edward Snowden indicate that the National Security Agency can sometimes decrypt SSH, allowing them to read the contents of SSH sessions.
- The SSH Protocol - The SSH-2 protocol is described in five main documents. Architecture describes the overall design of SSH-2. Transport provides a single, full-duplex, byte-oriented connection between client and server, with privacy, integrity, server authentication, and man-in-the-middle protection. Authentication identifies the client to the server. Connection provides richer, application-support services over the transport pipe, such as channel multiplexing, flow control, remote program execution, signal propagation, connection forwarding, etc. Finally, the Assigned Numbers document gathers together and lists various constant assignments made in the other documents.
ssh user@host
ssh user@host -p 123  # specify alternate port
- http://unix.stackexchange.com/questions/309938/is-your-ssh-password-revealed-when-you-attempt-to-connect-to-the-wrong-server [1]
"Make sure you use full disk encryption and never stand up from your machine without locking it, and make sure you keep your local machine patched. If I get code execution on your machine, I am going to use whatever keys are loaded in your ssh-agent to pivot, hijack your existing open sessions, or modify your ssh client to dump the keys I need. ... Key length is a protection against the future, and against state level actors. Right now, key length doesn't matter much to me because I'm more focused on just stealing your keys from you regardless of length."
Forwarding
- Bogdan Popa: The Problem with SSH Agent Forwarding - [6]
- https://github.com/StanfordSNR/guardian-agent - secure agent forwarding for Mosh or SSH
Networking
ssh -L 9384:127.0.0.1:8384 remote-server  # local port 9384 is carried through the SSH connection to port 8384 on remote-server's loopback
- https://github.com/sshuttle/sshuttle - Transparent proxy server that works as a poor man's VPN. Forwards over ssh. Doesn't require admin. Works with Linux and MacOS. Supports DNS tunneling.
- quicssh - a QUIC proxy that allows you to use QUIC to connect to an SSH server without needing to patch the client or the server.
X11
See GUI#X Forwarding
Keys
Default file name format:
~/.ssh/id_rsa and ~/.ssh/id_rsa.pub RSA key
~/.ssh/identity and ~/.ssh/identity.pub DSA key (old)
Creating
ssh-keygen  # generate a key. rsa is default.
ssh-keygen -t ed25519 -f ~/.ssh/KEYNAME  # elliptic curve key, specify the key filename(s)
- Gist: default-ssh-keygen-check.sh - This gist will track the websites that suggest unnecessarily-insecure default ssh-keygen arguments, in an attempt to have their authors update their arguments to safer defaults.
Distributing
ssh-copy-id [-i [identity_file]] [user@]remote
ssh-copy-id username@remote-server.org
ssh-copy-id 'user@remote-server.org -p 8129'
ssh-copy-id -i ~/.ssh/id_ecdsa.pub '-p 221 username@remote-server.org'
Multiple keys
ssh -i ~/.ssh/id_rsa_example.org  # pick the private key to offer for this connection
Config
~/.ssh/config
Host example.org
    IdentityFile ~/.ssh/id_rsa_example.org
- sshit - A quick way to manage .ssh/config
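How ssh works out which of those Host stanzas apply, modelled in Python. Added example, not code from the page or from OpenSSH: it handles only Host stanzas (glob patterns, ! negation) and the ssh_config rule that the first obtained value wins (IdentityFile being the exception that accumulates); Match blocks and the other keywords are left out. The config text and host names are constructed.

```python
# Added example, not OpenSSH code: a minimal model of ~/.ssh/config resolution.
# Only Host stanzas (with fnmatch-style patterns and "!" negation) are handled,
# not Match blocks or the many other keywords.
import fnmatch
import re

# Keywords whose values add up across stanzas; everything else is first-wins.
ACCUMULATING = {"identityfile"}

# Constructed sample config.  "Host *" comes first on purpose: its User wins
# over the later, more specific example.org stanza, a classic ordering mistake.
SAMPLE_CONFIG = """
Host *
    User generic
    IdentitiesOnly yes

Host example.org
    User deploy
    IdentityFile ~/.ssh/id_rsa_example.org

# Negation keeps the jump host from being told to jump through itself.
Host *.internal !bastion.internal
    ProxyJump bastion.internal
    IdentityFile ~/.ssh/id_ed25519_internal
"""


def parse_config(text):
    """Return stanzas as (patterns, {keyword: [values]}) in file order."""
    stanzas = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        if len(parts) != 2:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = parts[0].lower(), parts[1]
        if key == "host":
            current = (value.split(), {})
            stanzas.append(current)
            continue
        if current is None:  # options before any Host line apply to every host
            current = (["*"], {})
            stanzas.append(current)
        current[1].setdefault(key, []).append(value)
    return stanzas


def host_matches(patterns, hostname):
    """A negated pattern that matches vetoes the stanza; otherwise some
    positive pattern must match (ssh_config(5) PATTERNS semantics)."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(hostname, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(hostname, pat):
            matched = True
    return matched


def resolve(text, hostname):
    """Effective options for hostname: first value wins, except ACCUMULATING."""
    effective = {}
    for patterns, options in parse_config(text):
        if not host_matches(patterns, hostname):
            continue
        for key, values in options.items():
            if key in ACCUMULATING:
                effective.setdefault(key, []).extend(values)
            else:
                effective.setdefault(key, values[0])
    return effective


if __name__ == "__main__":
    for host in ("example.org", "db1.internal", "bastion.internal"):
        print(host, resolve(SAMPLE_CONFIG, host))
```

Running it shows example.org connecting as generic rather than deploy: the catch-all stanza should go last, since later stanzas cannot override a value an earlier one already set. The same first-wins rule is why a stray Host * with ForwardAgent yes at the top of the file silently applies everywhere.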
to sort
- SSH Can Do That? Productivity Tips for Working with Remote Servers
- Tips for Remote Unix Work (SSH, screen, and VNC) [8]
- http://blog.hypergeometric.com/2012/02/22/ssh-dos-and-donts/
- http://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html
- http://opensourcehacker.com/2012/10/24/ssh-key-and-passwordless-login-basics-for-developers/
- http://vimeo.com/54505525
- HOWTO: set up ssh keys
- Using Rsync and SSH - Keys, Validating, and Automation
- http://www.karan.org/blog/index.php/2009/08/25/multiple-ssh-private-keys
randomart
VisualHostKey=yes
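What the fingerprint and the randomart are computed from, as an added example in Python (not code from the page or from OpenSSH): it parses an OpenSSH public-key line, produces the SHA256:... fingerprint that ssh-keygen -l prints, and re-implements the "drunken bishop" walk that draws the randomart shown with VisualHostKey=yes. The key line is constructed from placeholder bytes, not a real key.

```python
# Added example, not OpenSSH code: parse an OpenSSH public-key line, compute the
# SHA256 fingerprint `ssh-keygen -l` prints, and draw the randomart that
# VisualHostKey=yes shows on login (OpenSSH's "drunken bishop" walk, re-implemented).
import base64
import hashlib
import struct


def ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


# Constructed sample key: an ed25519 public blob whose 32 key bytes are 0..31.
# They are not from a real key pair; only the encoding matters here.
SAMPLE_KEY_LINE = "ssh-ed25519 " + base64.b64encode(
    ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
).decode() + " demo@constructed"


def parse_pubkey(line):
    """Split an id_*.pub / known_hosts style line into (type, blob, comment),
    checking that the type inside the blob agrees with the text prefix."""
    fields = line.split(None, 2)
    keytype, blob = fields[0], base64.b64decode(fields[1])
    comment = fields[2] if len(fields) > 2 else ""
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type in blob does not match prefix")
    return keytype, blob, comment


def sha256_fingerprint(blob):
    """The SHA256:<unpadded base64> form that ssh-keygen -l and ssh print."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# OpenSSH's augmentation string; the last two characters mark start and end.
SYMBOLS = " .o+=*BOX@%&#/^SE"
WIDTH, HEIGHT = 17, 9


def randomart(digest, title, hash_name="SHA256"):
    """Drunken-bishop walk: every digest byte gives four moves, two bits each,
    least-significant pair first; bit 0 picks left/right, bit 1 picks up/down.
    Visits per cell are counted and rendered with SYMBOLS."""
    field = [[0] * WIDTH for _ in range(HEIGHT)]
    x, y = WIDTH // 2, HEIGHT // 2
    for byte in digest:
        for _ in range(4):
            x += 1 if byte & 1 else -1
            y += 1 if byte & 2 else -1
            x = min(max(x, 0), WIDTH - 1)  # the bishop stops at the walls
            y = min(max(y, 0), HEIGHT - 1)
            if field[y][x] < len(SYMBOLS) - 3:  # cap below the S/E markers
                field[y][x] += 1
            byte >>= 2
    field[HEIGHT // 2][WIDTH // 2] = len(SYMBOLS) - 2  # S: start
    field[y][x] = len(SYMBOLS) - 1                      # E: end

    def border(text):
        left = (WIDTH - len(text)) // 2
        return "+" + "-" * left + text + "-" * (WIDTH - left - len(text)) + "+"

    rows = ["|" + "".join(SYMBOLS[c] for c in row) + "|" for row in field]
    return "\n".join([border(f"[{title}]")] + rows + [border(f"[{hash_name}]")])


if __name__ == "__main__":
    keytype, blob, comment = parse_pubkey(SAMPLE_KEY_LINE)
    print(sha256_fingerprint(blob), comment)
    print(randomart(hashlib.sha256(blob).digest(), "ED25519 256"))
```

Both outputs are functions of the raw key blob only, which is why the same key gives the same fingerprint and picture on every machine, and why a changed picture at login is worth stopping for.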
Signing
SSH agent
- Envoy helps you to manage ssh keys in similar fashion to keychain, but done in c, takes advantage of cgroups and systemd.
Management
storm
- https://github.com/emre/storm - a command line tool to manage your ssh connections. features: adding, editing, deleting, listing, searching across your SSHConfig. command alias support for your CLI preferences. support for custom SSH directives. scriptable as a python library. user interfaces besides cli. (web ui, wxpython, unity(ubuntu) indicator.) [11]
multissh
- multissh - A really short but useful shellscript for connecting to all nodes of a cluster using ssh (also thru gateways and trapdoors) and sending commands to all nodes in parallel. It's using DCOP to remote-control a konsole process with the ssh connections in separate tabs.
Teleport
- Teleport - Privileged access management for elastic infrastructure.
- https://github.com/gravitational/teleport
- Teleport 1.0 Released - "For the uninitiated, Teleport is modern SSH server designed for clusters of servers and the teams working on them. The notion of “cluster” and cluster membership is central to Teleport: users can explore the nodes in a cluster, their user permissions are governed on a cluster level, etc. You can think of Teleport as a set of enhancements to SSH, while still being backward compatible with OpenSSH."
Server and client
OpenSSH
The OpenSSH suite consists of the following tools:
- Remote operations are done using ssh, scp, and sftp.
- Key management with ssh-add, ssh-keysign, ssh-keyscan, and ssh-keygen.
- The service side consists of sshd, sftp-server, and ssh-agent.
Dropbear
- Dropbear is a relatively small SSH server and client. It runs on a variety of POSIX-based platforms. Dropbear is open source software, distributed under an MIT-style license. Dropbear is particularly useful for "embedded"-type Linux (or other Unix) systems, such as wireless routers.
Client
PuTTY
- PuTTY - a free implementation of SSH and Telnet for Windows and Unix platforms, along with an xterm terminal emulator.
- https://sourceforge.net/projects/rutty - adds scripting to PuTTY, scripting the easy way, record and replay.
- KiTTY - a fork from version 0.70 of PuTTY, the best telnet / SSH client in the world. KiTTY is only designed for the Microsoft® Windows® platform.
Server
tinyssh
- tinyssh - a minimalistic SSH server which implements only a subset of SSHv2 features.
Security
- https://en.wikipedia.org/wiki/SSHFP_record - a Secure Shell fingerprint record is a type of resource record in the Domain Name System (DNS) which identifies SSH keys that are associated with a host name. The acquisition of an SSHFP record needs to be secured with a mechanism such as DNSSEC for a chain of trust to be established.
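Building the record and checking a presented host key against it, as an added Python example (not the page's code): the operator side produces the zone-file line (what ssh-keygen -r prints), the client side compares the key it just received with the published rdata. Algorithm and hash numbers are the registered ones (RSA 1, DSA 2, ECDSA 3, Ed25519 4; SHA-1 1, SHA-256 2); the host key is constructed from placeholder bytes and the host name is made up.

```python
# Added example, not the page's code: build and check an SSHFP record for a host
# key.  Code points from RFC 4255 (RSA=1, DSA=2, SHA-1=1), RFC 6594 (ECDSA=3,
# SHA-256=2) and RFC 7479 (Ed25519=4).
import base64
import hashlib
import struct

SSHFP_ALGORITHM = {
    "ssh-rsa": 1, "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3, "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


# Constructed sample host key (same encoding as a known_hosts entry); the key
# bytes 0..31 are a placeholder, not a real key.
SAMPLE_HOST_KEY = "ssh-ed25519 " + base64.b64encode(
    ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
).decode()


def sshfp_rdata(keyline, fptype=2):
    """(algorithm, fptype, hex fingerprint) for a public-key line.  The hash is
    taken over the raw key blob, i.e. exactly the bytes base64-encoded in the line."""
    keytype, b64 = keyline.split()[:2]
    blob = base64.b64decode(b64)
    return SSHFP_ALGORITHM[keytype], fptype, SSHFP_HASH[fptype](blob).hexdigest()


def sshfp_record(hostname, keyline, fptype=2):
    """Zone-file line the host operator publishes (what `ssh-keygen -r` prints)."""
    alg, fp, hexfp = sshfp_rdata(keyline, fptype)
    return f"{hostname}. IN SSHFP {alg} {fp} {hexfp}"


def host_key_matches(keyline, rdata_text):
    """Client side: does the key the server just presented match the published
    '<alg> <fptype> <hex>' rdata?  Unknown algorithms or hash types cannot be
    validated and count as a mismatch."""
    alg, fptype, hexfp = rdata_text.split()
    try:
        got_alg, _, got_hex = sshfp_rdata(keyline, int(fptype))
    except KeyError:
        return False
    return got_alg == int(alg) and got_hex == hexfp.lower()


if __name__ == "__main__":
    record = sshfp_record("host.example", SAMPLE_HOST_KEY)
    print(record)
    print(host_key_matches(SAMPLE_HOST_KEY, record.split("SSHFP ", 1)[1]))
```

The comparison is the easy part; the record only helps when the resolver hands it back DNSSEC-validated, which is the page's point above. A client that accepts an unsigned SSHFP answer has merely moved the trust-on-first-use decision to whoever can answer its DNS queries.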
fail2ban
sshguard
Honeypot
- https://github.com/skeeto/endlessh - an SSH tarpit that very slowly sends an endless, random SSH banner. It keeps SSH clients locked up for hours or even days at a time. The purpose is to put your real SSH server on another port and then let the script kiddies get stuck in this tarpit instead of bothering a real server. [12]
TOTP port fluxing
SSHFS
sshfs user@address:/home/user/dir dirtomountto -p [port]  # mount
fusermount -u dirtomountto  # unmount
if
fuse: failed to open /dev/fuse: Permission denied
do
usermod -aG fuse [username]  # -a appends to the user's supplementary groups; plain -G would replace them all
and relogin
Tools
- https://github.com/turicas/sbc - stands for Secure Back Channel and is a little tool to help you use SSH sessions. It looks like bcvi but is more secure in the command execution process (it uses SSH and not a new non-encrypted, non-authenticated protocol) and is very flexible for plugin creation (you can create your plugin easily, using your preferred programming language). It is tested on GNU/Linux and Mac OS X as client machines and any UNIX-like server, with any shell. Example use case: sometimes when you are on a local machine and connect via SSH to a remote machine you need to copy some files between the two machines, run some time-consuming commands and other things. sbc helps you with these tasks so you don't need to open other terminal windows/SSH sessions to do them, or you can be notified when some tasks are done, for example.
Signing
- sshign - uses your private SSH key to sign arbitrary chunks of data. The resulting signature can then be verified using your public SSH key.
Alternatives
- https://github.com/oxy-secure/oxy - An SSH-alike. In development. Uses Noise (noiseprotocol.org).
SSHv3
- https://github.com/francoismichel/ssh3 - a complete revisit of the SSH protocol, mapping its semantics on top of the HTTP mechanisms. In a nutshell, SSH3 uses QUIC+TLS1.3 for secure channel establishment and the HTTP Authorization mechanisms for user authentication. [14]
To sort
- https://wiki.archlinux.org/index.php/shfs - older Linux kernel module which allows you to mount remote filesystems using a plain shell (ssh) connection