SSH Stuff

Supported Ciphers, Key, MAC on OpenBSD 7.1. Not all of them are good for useage, here is my recommendation.

Recommended

for your sshd_config / ssh_config

Ciphers                aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes128-cbc

HostKeyAlgorithms      ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,
                       sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256

Kexalgorithms          curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,
                       diffie-hellman-group18-sha512,diffie-hellman-group14-sha256

MACs                   hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com

PubKeyAcceptedKeyTypes ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,
                       rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,
                       ssh-rsa-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-25

List of all available Types

Cipher

ssh -Q cipher

3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com

HostbasedAcceptedAlgorithms

ssh -Q HostbasedAcceptedAlgorithms

ssh-ed25519
ssh-ed25519-cert-v01@openssh.com
sk-ssh-ed25519@openssh.com
sk-ssh-ed25519-cert-v01@openssh.com
ssh-rsa
rsa-sha2-256
rsa-sha2-512
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
sk-ecdsa-sha2-nistp256@openssh.com
webauthn-sk-ecdsa-sha2-nistp256@openssh.com
ssh-rsa-cert-v01@openssh.com
rsa-sha2-256-cert-v01@openssh.com
rsa-sha2-512-cert-v01@openssh.com
ssh-dss-cert-v01@openssh.com
ecdsa-sha2-nistp256-cert-v01@openssh.com
ecdsa-sha2-nistp384-cert-v01@openssh.com
ecdsa-sha2-nistp521-cert-v01@openssh.com
sk-ecdsa-sha2-nistp256-cert-v01@openssh.com

HostKeyAlgorithms

ssh -Q HostKeyAlgorithms

ssh-ed25519
ssh-ed25519-cert-v01@openssh.com
sk-ssh-ed25519@openssh.com
sk-ssh-ed25519-cert-v01@openssh.com
ssh-rsa
rsa-sha2-256
rsa-sha2-512
ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521
sk-ecdsa-sha2-nistp256@openssh.com
webauthn-sk-ecdsa-sha2-nistp256@openssh.com
ssh-rsa-cert-v01@openssh.com
rsa-sha2-256-cert-v01@openssh.com
rsa-sha2-512-cert-v01@openssh.com
ssh-dss-cert-v01@openssh.com
ecdsa-sha2-nistp256-cert-v01@openssh.com
ecdsa-sha2-nistp384-cert-v01@openssh.com
ecdsa-sha2-nistp521-cert-v01@openssh.com

KexAlgorithms

ssh -Q KexAlgorithms

diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256
curve25519-sha256@libssh.org
sntrup761x25519-sha512@openssh.com
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256
curve25519-sha256@libssh.org
sntrup761x25519-sha512@openssh.com

MAC

Message Authentication Code

Let’s give a try with Alpine Linux, OpenSSH and 2FA with Google Authenticator.

add Packages

apk add openssh openssh-server-pam google-authenticator openssh-doc google-authenticator-doc libqrencode

Configure GoogleAuth

touch /etc/pam.d/sshd
ln /etc/pam.d/sshd /etc/pam.d/sshd.pam

cat << 'EOF' >> /etc/pam.d/sshd.pam
account   include     base-account

auth      required    pam_env.so
auth      required    pam_nologin.so  successok
auth      required    /lib/security/pam_google_authenticator.so   echo_verification_code grace_period=57600 nullok
auth      required    pam_unix.so   md5 sha512
EOF

update sshd_config

cat << 'EOF' >> /etc/ssh/sshd_config
PasswordAuthentication no
AuthenticationMethods any
UsePAM yes
EOF

Restart SSHD

service sshd restart

Setup User

su - USERNAME
google-authenticator

Response

Intro

I stumbled across an old Cisco box in the basement. I thought i might have some fun (or frust?) with the aging Device. The Hardware still works fine, right ? And what about the Software ? Let’s give a try !

Hardware

show version

Cisco 1841 (revision 7.0) with 352256K/40960K bytes of memory.
Processor board ID FCZ1234757Y
6 FastEthernet interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
125184K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102

Software

dir flash

Stumbled upon something that I’ve missed for a long time: encrypting files with the ssh public key :)

Source

• https://github.com/FiloSottile/age

Install Package

OpenBSD (and most others *nix systems) got a package for age. Just install it.

doas pkg_add age

Asymmetric Encryption

Asymmetric Encryption encrypts and decrypts the data using two separate yet mathematically connected cryptographic keys. These keys are known as a ‘Public Key’ and a ‘Private Key’. Together, they’re called a ‘Public and Private Key Pair’

Signing Files with SSH 8.0

unsigned file

$ cat hosts
127.0.0.1 localhost
::1   localhost

1.2.3.4         egal

sign

$ ssh-keygen -Y sign -f id_rsa -n file hosts
Signing file hosts
Write signature to hosts.sig

signed file

$ cat hosts.sig
-----BEGIN SSH SIGNATURE-----
U1NIU0lHAAAAAQAAAZcAAAAHc3NoLXJzYQAAAAMBAAEAAAGBALJB+O4WCOM7V56H1xigpd
uJem52Izwltl2cG9GQOO94HClebcr7C5aD24iI4wDcT9Ajv5/fu9cDVEXku83I/U0blUZe
oMd8qCIH+4O+RVYyCvKFyEkcZ6n+RRH1G5EgcP0UXtmo4J3p8Hyo/6jtPA/r28+idi84A6
7yW1cmC5GpIw24Vr5aqA3e3rCJdFBZThzsTrwu/DHzIueQstEQdldycUit4X9UPBaCVnov
+nhyijO9b8adzkTMxjcJAl65fdLUmwuJ5h3z0owdKOmrcNlbWxqTIuGU0in25ZDQVxLssc
WI8oW7vR5F7+cXSV7fYliTG/XPsCkD1KpWc/xSOr35bALRQpxD1+T48mrbKToZuzu4hage
cUSOvRI3R0hKIvcXYyf2SQoBfLNlpvl5CRcatlw2fMhFQPrVz0Bh543chEFsF4nxKQw8yq
riJbqkvhW8tzKCnMA7vyTRxey6uSDJrw0YchXIJdprNUlgM1t+z9J3AwC4ugpvhgVd6H0v
9QAAAAxob3N0cy5zaWduZWQAAAAAAAAABnNoYTUxMgAAAZQAAAAMcnNhLXNoYTItNTEyAA
ABgAB9zAZStPsSvPIBh66lAgGLE/JWPk0voZjTUz9pO5wl81aM6Kn1clY9n4jysEkiQ0xy
yy/tWgFzKi10mVfh/SJ34L2Mdo8t+vBnha1KNlkFwXZl+GXiCLlVl+ei6xpRfp9knheoIh
LyEHoxgkuI6lO0c8pi4ymNnrlfvkg9SvvZfSdXWUMfTWHDlHvFIGqMg3BWQu7ylTEgQVDF
obpqDInU3hkisfsywQRQh6KVVe8eSUc0qVH/FSSLoG8X/IX9Vh3g4tT/2FJPrE4k464yie
GdnLkp5edcnnE+jjoSQroMs52QWy2a3XXZC5KTaDL6w4mcry1RpavhXb5aJQ7o0852Pkc9
wDkwX/11JZhMmxNZbDlg+tHsWy12KUubKAxAjJ1HUFXMjTFI6HMu8WyU989e3dOTt/bL3W
l7sDo5P8SGv3/6+tJxugz9shz8WaN9Xz6Oh2AfCM6+IROXaeUgWMXtDmGS5bUZxUOSxHa1
ww7wzYR0NKXuOk3IeJMSQ2f97g==
-----END SSH SIGNATURE-----

verify file

allowed signers

$ cat /etc/allowed_signers
mail@world.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCyQfjuFgjjO1eeh9cYoKXbiXpudiM8JbZdnBvRkDjveBwpXm3K+wuWg9uIiOMA3E/QI7+f37vXA1RF5LvNyP1NG5VGXqDHfKgiB/uDvkVWMgryhchJHGep/kUR9RuRIHD9FF7ZqOCd6fB8qP+o7TwP69vPonYvOAOu8ltXJguRqSMNuFa+WqgN3t6wiXRQWU4c7E68Lvwx8yLnkLLREHZXcnFIreF/VDwWglZ6L/p4coozvW/Gnc5EzMY3CQJeuX3S1JsLieYd89KMHSjpq3DZW1sakyLhlNIp9uWQ0FcS7LHFiPKFu70eRe/nF0le32JYkxv1z7ApA9SqVnP8Ujq9+WwC0UKcQ9fk+PJq2yk6Gbs7uIWoHnFEjr0SN0dISiL3F2Mn9kkKAXyzZab5eQkXGrZcNnzIRUD61c9AYeeN3IRBbBeJ8SkMPMqq4iW6pL4VvLcygpzAO78k0cXsurkgya8NGHIVyCXaazVJYDNbfs/SdwMAuLoKb4YFXeh9L/U=

verify

Need a small and smart utility to manage you ssh keys under linux ? got some scripts and cronjobs which requires an local ssh key ? have a look at keychain !

Install Software

depending on your OS …

macos$ brew install keychain
debian$ sudo apt-get install keychain
openbsd$ pkg_add keychain
freebsd$ pkg install keychain

edit startup Scripts

$HOME/.bashrc $HOME/.bash_profile /etc/profile $HOME/.profile

cat << 'EOF' >> $HOME/.bashrc
# Keychain Startup
eval `keychain --eval id_ed25519`
EOF

check service

$ keychain
$ ssh-add -L

add to .profile

cat << 'EOF' >> .profile

# Keychain Loaded ? Load and show Key ...
eval $(keychain --eval id_ed25519)
echo -e "loaded keys: `ssh-add -L |cut -c 1-12,77-`\n"
EOF

List Keys

keychain --list

List Finterprints (Public Key ?)

$ keychain --list-fp

Set Timeout

Timeout for SSH Agent

got a Server behing NAT / Firewall ? Need Shell access to … ?

Server behind NAT/FW

user@server$ ssh -R 1234:localhost:22 my.public.jumpbox

Access Server

ssh my.public.jumpbox

user@jumpbox$ ssh -p 1234 localhost

user@server$

and you’re in :)

sha256: 81b4dc1d84f9f8bcbf5060f382853759fffa1e5824e2ae98ad5508a082db5dfd

stumpled upon a bug in openssh … did a small config change in sshd_config, deployed it with ansible … and lost connectifity to all these boxes immediately … and of course, i did a config check before reloading the sshd daemon, and the config check was fine.

i can’t belife that nobody else found this before, as it’s really simple to reproduce. and it’s working with openbsd, debian, centos and mostly on all system which have opensshd implemented (and that’s a lot of …)

Did you know that you can easily forward a variable (or secret) via SSH … ?

This Variable is just available if you’re logged in and never stored in any configfile or backup. This can be a real advantage …

Sending Host

/etc/ssh/ssh_conf

Host trustedhost.world
  SendEnv        _secret

Receiving Host

/etc/ssh/sshd_conf

AcceptEnv               _secret

restart sshd

Connect

user@myhost ~# export _secret=topsecret99
user@myhost ~# ssh trustedhost.world

user@trustedhost ~# set |grep _secret
_secret=topsecret99

here we are …

sha256: 2713843b09025791c3a22c831d592af5ed0a0d7a0e593e67175956f7ee8acfbe

ssh-audit is a tool for ssh server auditing.

Features

SSH1 and SSH2 protocol server support;

grab banner, recognize device or software and operating system, detect compression;

gather key-exchange, host-key, encryption and message authentication code algorithms;

output algorithm information (available since, removed/disabled, unsafe/weak/legacy, etc);

output algorithm recommendations (append or remove based on recognized software version);

output security information (related issues, assigned CVE list, etc);

analyze SSH version compatibility based on algorithm information;