Enhance OpenSSH for Fun and Security (PowerPoint PPT presentation)
SLIDE 1

Enhance OpenSSH for Fun and Security

Julien Pivotto, LinuxCon Europe, October 5, 2015

SLIDE 2

Match User roidelapluie

Julien Pivotto

  • Sysadmin at inuits.eu
  • FLOSS user since 2004
  • DevOps believer
  • @roidelapluie on irc/twitter/github
SLIDE 3

inuits.eu

SLIDE 4

World, 2015

Licensed under a Creative Commons Attribution 2.0 License https://www.flickr.com/photos/80497449@N04/10012162166

SLIDE 5

Connected devices

  • Mainframes
  • Servers
  • Virtual machines
  • Containers
  • IoT

SLIDE 6

Entrance doors

  • Physical access
  • Telnet
  • RSH
  • SSH
  • HTTPS
  • …

SLIDE 7

SSH

  • Dozens of implementations
  • OpenSSH
  • Dropbear (embedded)
  • Closed-source
  • …

SLIDE 8

SSH

  • Dozens of use cases
  • Shell access and TCP tunnelling
  • Code (git)
  • File transfer (sftp)
  • X terminal (x2go)
  • Automation (ansible)
  • …

SLIDE 9

OpenSSH

Licensed under a Creative Commons Attribution 2.0 License https://www.flickr.com/photos/pennuja/5399766800

SLIDE 10

OpenSSH

  • Developed by the OpenBSD project
  • Descends from the original SSH released in 1995; the first OpenSSH release shipped with OpenBSD 2.6 in 1999
  • Server and client implementation
  • Included in BSD, Linux, Cygwin, Mac OS X, …
  • Available on many other platforms

SLIDE 11

Out of scope

  • Firewalling, OS, …
  • Basic tips: PermitRootLogin, public keys, …
  • Crypto/encryption/key exchange: https://stribika.github.io/2015/01/04/secure-secure-shell.html

SLIDE 12

Security

Licensed under a Creative Commons Attribution-ShareAlike 2.0 License https://www.flickr.com/photos/111692634@N04/11406986014

SLIDE 13

Common sense

  • Do you need SSH at all? (immutable infrastructure, containers, …)
  • KISS
  • Choose what gets a public IP, and therefore what is exposed: hypervisors or VMs?
  • Port 22 is not evil

SLIDE 14

Server-side

Licensed under a Creative Commons Attribution 2.0 License https://www.flickr.com/photos/56001405@N06/6187271613

SLIDE 15

"Server config"

  • /etc/ssh/sshd_config
  • Restarting the service does not kill current SSH sessions: each session lives in its own sshd child process. Run sshd -t first so a syntax error cannot leave you without a listener.

SLIDE 16

Allow/Deny rules

Licensed under a Creative Commons Attribution 2.0 License https://www.flickr.com/photos/84388958@N03/7729300102

SLIDE 17

AllowUsers

AllowUsers jenkins
AllowUsers jenkins nagios@172.31.29.5
AllowUsers jenkins nagios@172.31.29.0/12

AllowUsers is exclusive: once it is set, only the listed users may log in, and a user@host entry further restricts that user to the given source address or CIDR block.

SLIDE 18

AllowGroups

AllowGroups staff jenkins

AllowGroups is exclusive: once it is set, only members of the listed groups may log in.

SLIDE 19

Allow* ordering

sshd evaluates these directives in a fixed order, whatever their position in the file:

  • DenyUsers
  • AllowUsers
  • DenyGroups
  • AllowGroups

SLIDE 20

Match

  • Match + conditions (User, Group, Host, Address, LocalAddress, LocalPort)
  • Reads until the next Match or EOF; only the keywords listed under Match in sshd_config(5) may appear inside a block

SLIDE 21

Match

AllowGroups staff
Match Address 172.31.16.8
    AllowGroups staff jenkins

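Putting the Allow/Deny ordering and the Match semantics together, as an added example that is not from the talk (users, groups and addresses are made up):

```sshd_config
# Processing order is fixed no matter where the lines appear:
#   DenyUsers -> AllowUsers -> DenyGroups -> AllowGroups
# With no AllowUsers line, anyone not denied who is in an allowed group gets in.
# Adding AllowUsers would be a further filter: a user then has to pass all four.
DenyUsers   guest
DenyGroups  contractors
AllowGroups staff jenkins
PasswordAuthentication no

# A Match block runs to the next Match or end of file and overrides the
# global value of each keyword it sets, for matching connections only.
Match Address 172.31.16.8
    AllowGroups staff jenkins ci

# Deployment account: key auth only, from one network, no tunnels.
Match User ansible Address 10.20.0.0/16
    AuthenticationMethods publickey
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
```

Check it before reloading: sshd -t -f /etc/ssh/sshd_config validates the syntax, and sshd -T -C user=ansible,host=deploy.example.com,addr=10.20.0.7 prints the configuration sshd would actually apply to that connection, Match blocks included, which is the quickest way to prove a rule does what you think.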
SLIDE 22

Trust On First Use

Licensed under a Creative Commons Attribution 2.0 License https://www.flickr.com/photos/armandoh2o/7069748077

SLIDE 23

TOFU

The authenticity of host 'example.com (93.184.216.34)' can't be established.
ED25519 key fingerprint is SHA256:eIvxpj9aMSS/+Ed7NQZ9er/vyV17mabfiUxtgF2Q1X0.
Are you sure you want to continue connecting (yes/no)?

SLIDE 24

Trust on first use

  • Who checks the key on the server?
  • Who says no?
  • Security fatigue

SLIDE 25

Alternative to TOFU (1/2)

  • Automation
  • Export keys from hosts
  • Collect them from hosts
  • Apply them to /etc/ssh/known_hosts

SLIDE 26

# saz/puppet-ssh - ASL 2.0
# Export this host's RSA host key as a virtual resource so every other
# node can collect it; remove the entry if the host has no RSA key.
if $::sshrsakey {
  @@sshkey { "${::fqdn}_rsa":
    ensure       => present,
    host_aliases => $host_aliases,
    type         => rsa,
    key          => $::sshrsakey,
  }
} else {
  @@sshkey { "${::fqdn}_rsa":
    ensure => absent,
  }
}

SLIDE 27

# Collect every exported sshkey into this node's /etc/ssh/ssh_known_hosts
Sshkey <<| |>>

SLIDE 28

Alternative to TOFU (2/2)

  • DNS
  • Export keys in SSHFP DNS records
  • Can be secured by DNSSEC
  • https://github.com/jpmens/facts2sshfp

SLIDE 29

$ dig +short SSHFP example.com
1 1 F00A55CEA3B8E15528665A6781CA7C35190CF0
2 1 CC1F004DA60CF38E809FE58B10D0F22680D59D

The three fields are algorithm (1 = RSA, 2 = DSA, 3 = ECDSA, 4 = Ed25519), fingerprint type (1 = SHA-1, 2 = SHA-256) and the hex digest of the raw key blob.

SLIDE 30

ssh -o VerifyHostKeyDNS=yes example.com

SLIDE 31

The authenticity of host 'example.com (93.184.216.34)' can't be established.
ED25519 key fingerprint is SHA256:eIvxpj9aMSS/+Ed7NQZ9er/vyV17mabfiUxtgF2Q1X0.
Matching host key fingerprint found in DNS
Are you sure you want to continue connecting (yes/no)?

The prompt still appears here because the client only accepts a DNS match silently when the answer came back DNSSEC-validated (AD flag from a validating resolver). Without DNSSEC the SSHFP match is advisory and the user still has to answer.

SLIDE 32

Authorized keys

Licensed under a Creative Commons Attribution 2.0 License https://www.flickr.com/photos/brenda-starr/4498078166

SLIDE 33

ssh-rsa AAsafgrewgBzhfadgthgfpoDtGlUBIYhzf user@desktop

  • One key, one user
  • Always protect the private key with a passphrase
  • Distribute the public keys in an automated way

SLIDE 34

from="172.21.32.4" ssh-rsa AAspoDtGlUBIYhzf ansible
no-port-forwarding,no-x11-forwarding,no-agent-forwarding ssh-rsa AAspDjeFJwFRf jenkins

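A fuller authorized_keys, as an added example that is not from the talk (addresses, commands and key blobs are placeholders): the options in front of a key are the per-key equivalent of a Match block, and they are what makes an automation key safe to leave on a host.

```authorized_keys
# Format: [options] keytype base64-blob comment

# Monitoring: only from the monitoring subnet, only this command, no tty, no
# tunnels. Whatever the client asks to run, sshd executes check-disk instead
# (the requested command is still visible in $SSH_ORIGINAL_COMMAND).
from="172.21.32.0/24",command="/usr/local/bin/check-disk",no-pty,no-port-forwarding,no-x11-forwarding,no-agent-forwarding ssh-ed25519 AAAAplaceholder nagios@monitor

# Tunnel-only account: the client connects with -N -L and may only forward
# to the local PostgreSQL port; "permitopen" only constrains -L forwards.
# "restrict" (OpenSSH 7.2+) disables every feature first, then the listed
# options re-enable exactly what is needed.
restrict,port-forwarding,permitopen="127.0.0.1:5432" ssh-rsa AAAAplaceholder app@batch

# Plain interactive user: from= with a CIDR block rather than a hostname,
# because hostname patterns depend on reverse DNS of the client address.
from="10.20.0.0/16" ssh-ed25519 AAAAplaceholder roidelapluie@desktop
```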
SLIDE 35

ssh_authorized_key { 'jenkins':
  type => 'ssh-rsa',
  key  => 'AAAAKZ6TwZl3ikhY42clyY/De7J',
  user => 'jenkins',
}

SLIDE 36

ssh_authorized_key { 'jenkins':
  type    => 'ssh-rsa',
  key     => 'AAAAKZ6TwZl3ikhY42clyY/De7J',
  user    => 'jenkins',
  options => 'from="192.168.10.1"',
}

SLIDE 37

Purge undefined keys!

user { 'jenkins':
  purge_ssh_keys => true,
}

slide-38
SLIDE 38

AuthorizedKeysCommand AuthorizedKeysCommand AuthorizedKeysCommand AuthorizedKeysCommand AuthorizedKeysCommand AuthorizedKeysCommand AuthorizedKeysCommand AuthorizedKeysCommand AuthorizedKeysCommand AuthorizedKeysCommand AuthorizedKeysCommand AuthorizedKeysCommand AuthorizedKeysCommand AuthorizedKeysCommand AuthorizedKeysCommand AuthorizedKeysCommand AuthorizedKeysCommand

  • S

S S S S S S S S S S S S S S S Script that takes username as arguments and returns authorized_keys

  • E

E E E E E E E E E E E E E E E Exemple reference: openssh-ldap RPM

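A minimal AuthorizedKeysCommand, as an added shell example that is not from the talk or from the openssh-ldap package. It takes the username sshd passes as %u, looks it up in a flat file that stands in for the LDAP directory, and prints authorized_keys lines, options included. The sshd_config lines, the /usr/local/sbin/fetch-keys path, the key store format and the sample keys are all assumptions.

```shell
#!/bin/sh
# Added example: AuthorizedKeysCommand backed by a flat key store.
# sshd_config (assumed):
#   AuthorizedKeysCommand     /usr/local/sbin/fetch-keys %u
#   AuthorizedKeysCommandUser nobody
# sshd requires the script to be root-owned and not group/world writable,
# and refuses to start if AuthorizedKeysCommandUser is missing.
# Store format, one entry per line:  user:options:keyline
# (colon-separated, so key comments must not contain ':').

KEYDB=${KEYDB:-/etc/ssh/keydb}

# Constructed sample store; the blobs are shortened placeholders, not real keys.
write_sample_keydb() {
    cat > "$1" <<'EOF'
# user:options:public key line
jenkins:from="172.31.16.8",no-pty:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAEB jenkins@ci
jenkins::ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ jenkins@backup
ansible:restrict,from="10.20.0.0/16":ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAEB ansible@tower
EOF
}

# fetch_keys USERNAME -> zero or more authorized_keys lines on stdout.
fetch_keys() {
    user=$1
    # sshd hands us the login name, but stay strict anyway: only a sane
    # POSIX account name, so a crafted value can never act as a pattern.
    case "$user" in
        ''|*[!a-z0-9_.-]*|-*) return 0 ;;
    esac
    [ -r "$KEYDB" ] || return 0
    # Exact match on the user field; pass through only well-formed key lines
    # of a known type; prefix the per-key options when present.
    awk -F: -v u="$user" '
        /^#/ || NF < 3 { next }
        $1 != u        { next }
        $3 !~ "^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-[a-z0-9]+) [A-Za-z0-9+/=]+" { next }
        { if ($2 != "") print $2 " " $3; else print $3 }
    ' "$KEYDB"
}

if [ "${1-}" = "--demo" ]; then
    KEYDB=$(mktemp)
    write_sample_keydb "$KEYDB"
    fetch_keys jenkins
    rm -f "$KEYDB"
fi
```

Install it as /usr/local/sbin/fetch-keys with mode 0755 and owner root, then try it by hand as the AuthorizedKeysCommandUser before enabling it; sshd still consults AuthorizedKeysFile as well unless that is set to none, so a stray ~/.ssh/authorized_keys keeps working until you turn it off.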
SLIDE 39

Client side

Licensed under a Creative Commons Zero License @roidelapluie

SLIDE 40

Client configuration

  • $HOME/.ssh/config
  • /etc/ssh/ssh_config

SLIDE 41

Host web1
    Hostname web1.example.com
    User roidelapluie

SLIDE 42

SSH hops

Licensed under a Creative Commons Attribution-ShareAlike 2.0 License https://www.flickr.com/photos/sarahrosenau/269786597

SLIDE 43

Host web1
    ProxyCommand ssh proxy nc %h %p
Host proxy
    ProxyCommand ssh out nc %h %p

SLIDE 44

SSH hops

  • Access restricted areas
  • Keeps your private keys on your machine
  • No need for agent forwarding

SLIDE 45

Sockets

Licensed under a Creative Commons Attribution-ShareAlike 2.0 License https://www.flickr.com/photos/restlessglobetrotter/2661016046

SLIDE 46

Host git.example.com
    ControlMaster auto
    ControlPath /tmp/ssh-%r@%h:%p
    ControlPersist 5

SLIDE 47

SSH sockets

  • Speed up reconnection time
  • Do not renegotiate each time
  • Useful for git

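The hop and socket configurations from the previous slides, as an added ~/.ssh/config example that is not from the talk (hostnames and paths are made up): ssh -W replaces the netcat on the jump hosts, and the control socket moves out of /tmp.

```ssh_config
# Two hops to web1 without copying keys to the jump hosts and without
# agent forwarding: every hop authenticates from this machine.
Host web1
    Hostname web1.example.com
    User roidelapluie
    # -W (OpenSSH 5.4+) forwards stdio to %h:%p inside ssh itself,
    # so nc does not have to be installed on the jump host.
    ProxyCommand ssh -W %h:%p proxy
    # OpenSSH 7.3+ can express the whole chain in one line instead:
    # ProxyJump out,proxy

Host proxy
    ProxyCommand ssh -W %h:%p out

Host out
    Hostname bastion.example.com

# Connection sharing for repeated git/scp/ssh calls to the same host.
Host git.example.com
    ControlMaster auto
    # ssh_config(5) recommends a ControlPath that includes at least %h, %p
    # and %r (or %C, a hash of them plus the local host) in a directory not
    # writable by other users; a predictable name in world-writable /tmp is
    # not that. Create the directory first: mkdir -m 700 ~/.ssh/sockets
    ControlPath ~/.ssh/sockets/%C
    # Seconds the master connection stays open after the last session ends.
    ControlPersist 5
```

Anyone who can use the control socket can open new sessions over your already-authenticated connection, so treat it like a key: keep it in a 0700 directory and keep ControlPersist short on shared machines.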
SLIDE 48

Stopping OpenSSH

Licensed under a Creative Commons Attribution 2.0 License https://www.flickr.com/photos/horiavarlan/4747872021

SLIDE 49

Send to background

<enter> ~ &

SLIDE 50

Pause

<enter> ~ <ctrl+z>

SLIDE 51

Kill the session

<enter> ~ .

The ~ escape is only recognised directly after a newline; <enter> ~ ? lists all of them.

SLIDE 52

Tunnels

Licensed under a Creative Commons Attribution-ShareAlike 2.0 License https://www.flickr.com/photos/hanuska/5174842932

SLIDE 53

Tunnels

  • TCP tunnels
  • SOCKS proxy

SLIDE 54

Tunnels

  • Local TCP port forwarding (-L): a port on your machine is forwarded to an address the server can reach, so you get access to remote ports
  • Remote TCP port forwarding (-R): a port on the server is forwarded back to an address your machine can reach, so you give the remote side access to a local port

SLIDE 55 to 57

TCP port forwarding (three diagram slides building up to the example that follows)

Icons from http://www.opensecurityarchitecture.org/cms/library/icon-library and the Tango Icons project

SLIDE 58

Remote TCP tunnel example (-R)

  • User A is NATed behind a firewall
  • He wants to give User B access to his local SSH daemon

userA@hostA > ssh -NR 22222:localhost:22 userA@hostB
userB@hostB > ssh -p 22222 localhost

  • -N: no remote command or shell, just the forwarding
  • The listener on hostB binds to the loopback interface only, unless GatewayPorts is enabled in hostB's sshd_config
SLIDE 59 to 60

TCP port forwarding (two diagram slides building up to the example that follows)

Icons from http://www.opensecurityarchitecture.org/cms/library/icon-library and the Tango Icons project

SLIDE 61

Local port forwarding example (-L)

  • User A is behind a firewall that blocks the VNC port
  • He wants to reach User B's VNC daemon, which listens on hostB's loopback

userA@hostA > ssh -NL 5900:localhost:5900 userA@hostB
userA@hostA > vncviewer localhost

SLIDE 62

SOCKS proxy

  • "Dynamic" port forwarding
  • Any TCP destination, chosen by the client at connect time (OpenSSH speaks SOCKS4 and SOCKS5 but does not relay UDP)
  • Creates a SOCKS proxy on the local port

userA@hostA > ssh -ND 9500 userA@hostB
userA@hostA > proxychains wget http://example.com

SLIDE 63

Tools

Licensed under a Creative Commons Attribution 2.0 License https://www.flickr.com/photos/86639298@N02/8559728371

SLIDE 64

ssh-agent

  • Stores your decrypted private keys in memory and answers signing requests, so the passphrase is typed once
  • eval $(ssh-agent)
  • ssh-add; ssh-add -t 1h foo.key (the key is forgotten after one hour)
  • ssh-add -x (lock the agent with a password)
  • ssh-add -X (unlock)
  • Part of OpenSSH

SLIDE 65

screen

  • Keep a session across SSH connections
  • Have multiple shell 'windows'
  • Run long commands and keep them running
  • screen (launch a new session)
  • Ctrl+a d (detach)
  • screen -dr (detach elsewhere, then reattach)
  • ssh host -t screen -dr
  • Alternative: tmux

SLIDE 66

reptyr

  • Attach a long-running process to the current terminal
  • Idea: launch a screen and reattach another process inside it
  • Useful when you forgot to launch your screen before
  • reptyr -p PID
  • Works through ptrace: on Linux with kernel.yama.ptrace_scope=1 it needs root or a relaxed scope

SLIDE 67

vim

  • Edit files remotely over scp (netrw)
  • vim scp://web//etc/hosts (double slash for an absolute path; "web" can be a Host alias from ~/.ssh/config)

SLIDE 68

Conclusion

Licensed under a Creative Commons Attribution 2.0 License https://www.flickr.com/photos/freddyfromutah/4424199420

SLIDE 69

Conclusion

  • SSH is still part of modern infrastructures
  • It should be part of what you automate and control
  • Lots of other projects rely on it
  • You can harden it in a lot of ways
  • There are a lot of things to discover!

SLIDE 70

Homework

  • SSH certificate authority
  • command= and permitopen= in authorized_keys
  • Match blocks
  • sshfs
  • …

SLIDE 71

Any questions?

SLIDE 72

Contact

Julien Pivotto
julien@inuits.eu
@roidelapluie

inuits
https://inuits.eu
info@inuits.eu
+32 473 441 636