SSH

Cisco - SSH Key Auth

Intro do you wanna login into your cisco switches with ssh & public key. you can build your config easily and copy/paste it to your switch(es). Set & Check Variables pubkey: read from ~/.ssh/id_rsa.pub username: root password: will be generated. or set it by hand # get & convert public key pubkey=$(cat ~/.ssh/id_rsa.pub |cut -d' ' -f 2 |fold -b -w 72) # Username Switch username=root # Password for User password=$(openssl rand -hex 12) # Full Line echo "username $username privilege 15 password $password" SSH Pubkey Auth Config Snippet # Build Config cat << EOF ############################################ # Copy/Paste to your Cisco Devices - START # ############################################ conf t # Set Version ip ssh version 2 no aaa new-model # Set User username $username privilege 15 password $password # Set Key ip ssh pubkey-chain username $username key-string $pubkey exit exit exit # vty Stuff line vty 0 15 login local transport input ssh end write exit ############################################ # Copy/Paste to your Cisco Devices - END # ############################################ EOF you should test it in a lab environment before running on productiv switches ;)

SSH LogLevels

Log Levels for SSH In SSH, the LogLevel option allows you to control the level of logging information generated by the SSH client and server. There are several log levels you can use to adjust the verbosity of SSH logging. Here are the most commonly used log levels: QUIET: Suppresses all log messages, except for fatal errors. It provides the least amount of information. FATAL: Logs only fatal errors, indicating severe issues that may prevent the SSH session from being established.

IP over SSH

wanna tunnel IP over SSH ? give a try ? Tested for you with … OpenBSD :) Host1 do the following as root echo "net.inet.ip.forwarding=1" >> /etc/sysctl.conf sysctl net.inet.ip.forwarding=1 echo "inet 10.0.0.1 255.255.255.0 10.0.0.2" >> /etc/hostname.tun0 sh /etc/netstart tun0 sed -i '/PermitTunnel .*/PermitTunnel yes/' /etc/ssh/sshd_config rcctl restart sshd ssh-copy-id root@host2 Host2 do the following as root echo "net.inet.ip.forwarding=1" >> /etc/sysctl.conf sysctl net.inet.ip.forwarding=1 echo "inet 10.0.0.2 255.255.255.0 10.0.0.1" >> /etc/hostname.tun0 sh /etc/netstart tun0 sed -i '/PermitTunnel .

Slides - SSH Agent

made a few Slides about SSH Agent & Agent Forwarding with https://slides.com. Do you like it ? I do … Any Comments ? sha256: dd15fd6475246beedee7f6c61924134c76248cf5e28d7092283475c97e9f2f50

SSH Key Generator

If you need multiple SSH keys with passphrases for educational purposes, you can generate them as follows. The passphrase is set in the comments of the corresponding public key. SSH Key Generator Script cat << 'EOF' > /tmp/ssh-key-generator.sh #!/usr/bin/env bash # File f=/tmp/id_ed25519 # Cleanup test -f $f && rm $f $f.pub # Gen Key ssh-keygen -o -a 100 -t ed25519 -N "" -f ${f} # Extact Password (last 8 Char from PubKey) pw=$(cat ${f}.

Yubikey - on OpenBSD

Running YubiKey on OpenBSD buy a Key and give try … Source https://www.yubico.com/ Install Software pkg_add yubikey-manager-3.1.2p4 pkg_add yubikey-manager-3.1.2p4 quirks-6.42 signed on 2023-01-08T01:39:04Z yubikey-manager-3.1.2p4:py3-click-7.1.2: ok yubikey-manager-3.1.2p4:py3-pyusb-1.0.2p5: ok yubikey-manager-3.1.2p4:pcsc-lite-1.9.8: ok yubikey-manager-3.1.2p4:py3-cparser-2.19p2: ok yubikey-manager-3.1.2p4:py3-cffi-1.15.1: ok yubikey-manager-3.1.2p4:py3-cryptography-38.0.0p0: ok yubikey-manager-3.1.2p4:py3-pyscard-2.0.3: ok yubikey-manager-3.1.2p4:py3-openssl-22.0.0: ok yubikey-manager-3.1.2p4:libyubikey-1.13p4: ok yubikey-manager-3.1.2p4:json-c-0.16: ok yubikey-manager-3.1.2p4:ykpers-1.20.0p2: ok yubikey-manager-3.1.2p4: ok The following new rcscripts were installed: /etc/rc.d/pcscd See rcctl(8) for details. --- +yubikey-manager-3.1.2p4 ------------------- NOTE: yubikey-manager (ykman) is only partially functional on OpenBSD. Most of the "ykman fido xxx" commands (pin-setting and others) stall.

OpenBSD & OTP

i don’t like ssh & password authentication. but sometime, specially during setup or recovery, it’s need and make sense. thought i’ll protect some boxes with otp. here a few notes and instrucations Build login_otp git clone https://github.com/reyk/login_otp cd login_otp make obj make all doas make install Initialize OTP DB doas otp -i Generate Key for User otp -g Name: stoege Key: xxxx xxxx xxxx xxxx xxxx xxxx xx URL: otpauth://totp/stoege?secret=xxxxxxxxxxxxxxxxxxxxxxxxxx&issuer=&algorithm=SHA1&digits=6&period=30 Build QR Code echo "otpauth://totp/stoege?

SSH - Cipher, Key, MAC

SSH Stuff Supported Ciphers, Key, MAC on OpenBSD 7.1. Not all of them are good for useage, here is my recommendation. Recommended for your sshd_config / ssh_config Ciphers aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes128-cbc HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com, sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256 Kexalgorithms curve25519-sha256@libssh.org,diffie-hellman-group16-sha512, diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com PubKeyAcceptedKeyTypes ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com, ssh-rsa-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-25 List of all available Types Cipher ssh -Q cipher 3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr aes128-gcm@openssh.com aes256-gcm@openssh.com chacha20-poly1305@openssh.com HostbasedAcceptedAlgorithms ssh -Q HostbasedAcceptedAlgorithms ssh-ed25519 ssh-ed25519-cert-v01@openssh.com sk-ssh-ed25519@openssh.com sk-ssh-ed25519-cert-v01@openssh.com ssh-rsa rsa-sha2-256 rsa-sha2-512 ssh-dss ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 sk-ecdsa-sha2-nistp256@openssh.

OpenSSH 2FA Google Auth

Let’s give a try with Alpine Linux, OpenSSH and 2FA with Google Authenticator. add Packages apk add openssh openssh-server-pam google-authenticator openssh-doc google-authenticator-doc libqrencode Configure GoogleAuth touch /etc/pam.d/sshd ln /etc/pam.d/sshd /etc/pam.d/sshd.pam cat << 'EOF' >> /etc/pam.d/sshd.pam account include base-account auth required pam_env.so auth required pam_nologin.so successok auth required /lib/security/pam_google_authenticator.so echo_verification_code grace_period=57600 nullok auth required pam_unix.so md5 sha512 EOF update sshd_config cat << 'EOF' >> /etc/ssh/sshd_config PasswordAuthentication no AuthenticationMethods any UsePAM yes EOF Restart SSHD service sshd restart Setup User su - USERNAME google-authenticator Response