all the last-minute changes before the workshop

2025-11-11 20:24:12 +01:00
parent 92e9b0f918
commit 56dda858c0
8 changed files with 930 additions and 1041 deletions
--- a/config/keyuploader-identity
+++ b/config/keyuploader-identity
@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACCqaH0JN+vx7SXE0h1ahWPX9IspYlZw0ViqT75Z0t7+RQAAAJhndf/tZ3X/
+7QAAAAtzc2gtZWQyNTUxOQAAACCqaH0JN+vx7SXE0h1ahWPX9IspYlZw0ViqT75Z0t7+RQ
+AAAEB3y/J5XlDQDtBkXYfnCneIyUGrR1VahhXWkAA61nbBgKpofQk36/HtJcTSHVqFY9f0
+iyliVnDRWKpPvlnS3v5FAAAAEHJvb3RAc3Nod29ya3Nob3ABAgMEBQ==
+-----END OPENSSH PRIVATE KEY-----
--- a/config/keyuploader-identity.pub
+++ b/config/keyuploader-identity.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKpofQk36/HtJcTSHVqFY9f0iyliVnDRWKpPvlnS3v5F root@sshworkshop
--- a/presentation/ssh-basics.html
+++ b/presentation/ssh-basics.html
--- a/presentation/ssh-basics.md
+++ b/presentation/ssh-basics.md
@@ -25,7 +25,10 @@ backgroundImage: ![bg](./img/artbreeder-composer-2024-07-15T00_14_43.169Z.jpeg)
 ---
 # Intro
 ## about me
-I've been doing networks for over 30 years by now. And DevOps stuff before we called it that. 
+I've been doing networks for over 30 years by now. And DevOps stuff before we called it that. I work for Plusnet GmbH as a Solution Architect these days, but I have been a sysadmin, developer, network engineer, network architect and systems architect among other things. 
+
+---
+# Intro continued
 ## about you
 - Which of you...
  * use ssh already?
@@ -36,11 +39,111 @@ I've been doing networks for over 30 years by now. And DevOps stuff before we ca

 ---
 # Clients
-## OpenSSH
 - Linux, Mac, Windows
-  - just 
+  - I would always prefer OpenSSH
+  - in a pinch, `git bash` portable is helpful. or `putty` portable, but be careful where you download it.
 ## but I need a GUI
- A well-maintained ssh_config is usually better. And if you have too many hosts, you want to use ansible etc anyway.
+- Maybe. I believe that a well-maintained ssh_config is usually better. And if you have too many hosts, you want to use ansible etc anyway.
+- useful shells will offer tab-completion for ssh_config etc.
+
+
+---
+# access the lab
+<!-- for the first steps, this will be the standin for your personal machine - we will integrate your actual machine later after covering some of the fundamentals. -->
+- `ssh username@sshworkshop.telefrag.com -p4000+$last_octet`
+
+---
+# access our first system
+## jumphost1
+  * `ssh jumphost1`
+    * `uptime`
+    * `whoami`
+    * `fireworks`
+      * `CTRL-C`
+
+---
+# why is my terminal messed up?
+  * escape codes, binary garbage
+  * unix-like shells: `reset`
+  * powershell: `[Console]::ResetColor()`
+
+--- 
+# run commands remotely
+  * make sure you're still logged into your linux$N lab machine
+  * `ssh jumphost1 uptime`
+  * `ssh jumphost1 whoami`
+  * `ssh jumphost1 fireworks`
+    * `ssh jumphost1`
+      * `alias`
+      * `logout` or `CTRL-D`
+  * `ssh jumphost1 "fireworks.sh Fireworks"`
+  * `ssh -t jumphost1 "fireworks.sh Fireworks"`
+    * `CTRL-C`
+      * `reset`
+
+---
+# I hate typing passwords. 
+  * copy-paste
+    * risky (who never pasted credentials into the wrong chat?)
+  * key-based auth!
+    * what are pub/privkeys
+  * `ssh-keygen`
+    * passphrase? what, why, how?
+    * ED25519, RSA, ...
+
+--- 
+# run commands remotely redux
+  * make sure you're still logged into your linux$N lab machine
+  * `ssh jumphost1 uptime`
+  * `ssh jumphost1 whoami`
+  * `ssh jumphost1 -t fireworks`
+  * Yay, we've made it worse. Now we have to remember/copy-paste a passphrase instead of a password.
+
+---
+# ssh-agent
+  * make sure agent is running
+    * normally, your GUI should do this for you, but this is a crudely simulated personal machine :D
+    * `eval (ssh-agent -s)`
+      * SSH_AGENT_PID
+      * SSH_AUTH_SOCK
+      * nice helper: `keychain`
+        * cleverly finds out if there is already an agent running, updates ENV vars if so, otherwise, starts one
+  * stores your unlocked private keys
+  * `ssh-add /path/to/keyfile` - defaults to `~/.ssh/id_*`
+    * `ssh-add`
+    * asks for passphrase
+  * re-try the commands or logins
+
+---
+# milestone One
+- password login vs key-based
+- run commands remotely
+- ssh-agent
+- terminals, PTY and `-t`
+
+
+---
+# jumphost2
+  * shared user: dbadmin
+  * I need your public keys
+  * stupidly left my keycollector private key (NEVER DO THIS) in `/var/lib/misc/`
+    * seriously, never leave your private keys lying around.
+    * this is just for the sake of labs & stuff
+  * `scp  -i /var/lib/misc/keyuploader-identity /v /etc/passwd keycollector@192.168.0.254:$USER.passwd`
+  * copy, chmod, try again.
+
+---
+# break - 10 mins
+  - give me time to copy keys to jumphost2 etc. 
+  * this is why ssh key management is inherently difficult etc
+
+
+--- 
+# running remote commands advanced
+  * `ssh jumphost1 'if [ -f "/etc/passwd" ]; then echo "Yes"; tail -1 /etc/passwd; else echo "No"; fi'`
+  * `ssh user@host 'bash -s' < local_script.sh`
+  * (instead of copying, running, deleting local_script.sh)
+  * you should really start looking into ansible if you've reached this state

 ---
 # Timeline ideas
@@ -61,10 +164,16 @@ I've been doing networks for over 30 years by now. And DevOps stuff before we ca
 ---
 # ideas
 - Im laufenden Lab auf einem jumphost die host_keys ändern, um Warnungen zu produzieren
+  - vorher jumphost2 den link zu jumphost1 auf 100% packet loss einstellen
+    - in containerlab-extension jumphost2 rechtsklicken, packetloss fuer eth0 einstellen
+      - ssh escape chars lernen um aus der session rauszukommen
+        - enter, ~.
+  - jumphost2: `rm /etc/ssh/ssh_host_*; dpkg-reconfigure openssh-server; killall -HUP sshd`
+  - link impairment: clear all
 - agent_forwarding abgreifen und mich als einen der User einloggen
- Hinterher aufzeigen (frei nach "I've been here the whole time!"), dass man cert-based logins benutzt hat
- ggfs Stacy Fakename, Joanna Fakename als Easter eggs?
 - wie baue ich eine gute ssh_config
+- change my term local to C to avoid error messages:
+  - `LC_ALL=C LANG=C LC_CTYPE=C`
 ---
 ![bg right](./img/artbreeder-composer-2024-07-14T22_49_42.899Z.jpeg)

@@ -83,11 +192,13 @@ I've been doing networks for over 30 years by now. And DevOps stuff before we ca
 Set-Service   ssh-agent -StartupType Automatic
 Start-Service ssh-agent
 ```
-## Mac
+## Mac only
 To add your ssh keys to MacOS Keychain, use `UseKeychain yes` in your ssh_config.

 ## Linux
-Generally, ssh- agent "just works". If not, simply 
+Generally, ssh-agent "just works" nowadays, especially on Linux GUI environments. But pay attention, you can easily run too many agents and get confused which one has your keys.
+  * this is usually how tmux & co have problems with ssh-agent - due to stale environment vars.
+

 ---
 # ssh_config
--- a/presentation/sshworkshop-draft.drawio
+++ b/presentation/sshworkshop-draft.drawio
--- a/setups/gateway.sh
+++ b/setups/gateway.sh
@@ -13,6 +13,10 @@ ip addr replace dev eth3 172.16.202.32/31

 echo "nameserver 192.168.0.254" > /etc/resolv.conf

+useradd -m keycollector
+mkdir -p /home/keycollector/.ssh/
+echo "restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKpofQk36/HtJcTSHVqFY9f0iyliVnDRWKpPvlnS3v5F keycollect-identity" > /home/keycollector/.ssh/authorized_keys
+chown keycollector:keycollector /home/keycollector/.ssh/ -Rv

 # ----------------------------------------------------------------------
 # Run the long pipeline in the background, but start it only after 60 s.
@@ -20,8 +24,8 @@ echo "nameserver 192.168.0.254" > /etc/resolv.conf
 # ----------------------------------------------------------------------

 (
-    # wait 90 seconds first
-    sleep 90
+    # wait 180 seconds first
+    sleep 180
    /usr/local/bin/online-users.sh
 ) > /online-users.txt &   # ← background the whole subshell

--- a/setups/hypervisor.sh
+++ b/setups/hypervisor.sh
@@ -1,12 +1,15 @@
 #!/usr/bin/env bash
 UPLINK_INTERFACE="enp0s31f6"

-for port in {4010..4200}; do
-    ip_octet=$((port - 4000))               # 4011 → 11, … 4200 → 200
+what="A"
+if [ "$1" == "delete" ]; then
+    what="D"
+fi
+for port in {4001..4200}; do
+    ip_octet=$((port - 4000))               # 4001 → 1, … 4200 → 200
    dst_ip="192.168.0.${ip_octet}"
-
-    iptables -t nat -A PREROUTING \
+    iptables -t nat -${what} PREROUTING \
        -i "$UPLINK_INTERFACE" -p tcp -m tcp --dport "$port" \
        -j DNAT --to-destination "${dst_ip}:22"
 done
-iptables -t nat -A POSTROUTING     -o br-ext -p tcp -d 192.168.0.0/24 --dport 22     -j MASQUERADE
+iptables -t nat -A POSTROUTING     -o br-ext -p tcp -d 192.168.0.0/24 --dport 22     -j MASQUERADE
--- a/sshlab.clab.yml
+++ b/sshlab.clab.yml
@@ -16,11 +16,31 @@ topology:
        - ./setups/linux.sh:/usr/local/bin/setup.sh:ro
        - ./helpers/fireworks.sh:/usr/local/bin/fireworks.sh:ro
        - ./helpers/ssh-agent-environment.sh:/usr/local/bin/ssh-agent-environment.sh:ro
+        - ./config/keyuploader-identity:/var/lib/misc/keyuploader-identity:ro
      memory: 256MB
      cpu-set: 4-7
  nodes:
    a1:
      kind: arista_ceos
+      enforce-startup-config: true
+      startup-config: |
+        management telnet
+          no shutdown
+        !
+        management ssh
+          ciphers 3des-cbc
+          key-exchange diffie-hellman-group1-sha1 diffie-hellman-group14-sha1
+        !
+        interface Ethernet3
+          no switchport
+          ip address 169.254.45.1/30
+        !
+        management api http-commands
+          protocol http
+          no shutdown
+        !
+        username admin privilege 15 secret horse123
+
    br-clab-intonly:
      kind: bridge
    br-ext:
				`@@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKpofQk36/HtJcTSHVqFY9f0iyliVnDRWKpPvlnS3v5F root@sshworkshop`