From 56dda858c01feb03151d74c1082e424eb4f044c9 Mon Sep 17 00:00:00 2001 From: Felix Schueren Date: Tue, 11 Nov 2025 20:24:12 +0100 Subject: [PATCH] all the last-minute changes before the workshop --- config/keyuploader-identity | 7 + config/keyuploader-identity.pub | 1 + presentation/ssh-basics.html | 281 ----- presentation/ssh-basics.md | 127 ++- presentation/sshworkshop-draft.drawio | 1514 +++++++++++++------------ setups/gateway.sh | 8 +- setups/hypervisor.sh | 13 +- sshlab.clab.yml | 20 + 8 files changed, 930 insertions(+), 1041 deletions(-) create mode 100644 config/keyuploader-identity create mode 100644 config/keyuploader-identity.pub delete mode 100644 presentation/ssh-basics.html diff --git a/config/keyuploader-identity b/config/keyuploader-identity new file mode 100644 index 0000000..777dffa --- /dev/null +++ b/config/keyuploader-identity @@ -0,0 +1,7 @@ +-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW +QyNTUxOQAAACCqaH0JN+vx7SXE0h1ahWPX9IspYlZw0ViqT75Z0t7+RQAAAJhndf/tZ3X/ +7QAAAAtzc2gtZWQyNTUxOQAAACCqaH0JN+vx7SXE0h1ahWPX9IspYlZw0ViqT75Z0t7+RQ +AAAEB3y/J5XlDQDtBkXYfnCneIyUGrR1VahhXWkAA61nbBgKpofQk36/HtJcTSHVqFY9f0 +iyliVnDRWKpPvlnS3v5FAAAAEHJvb3RAc3Nod29ya3Nob3ABAgMEBQ== +-----END OPENSSH PRIVATE KEY----- diff --git a/config/keyuploader-identity.pub b/config/keyuploader-identity.pub new file mode 100644 index 0000000..e35748a --- /dev/null +++ b/config/keyuploader-identity.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKpofQk36/HtJcTSHVqFY9f0iyliVnDRWKpPvlnS3v5F root@sshworkshop diff --git a/presentation/ssh-basics.html b/presentation/ssh-basics.html deleted file mode 100644 index e8a2eea..0000000 --- a/presentation/ssh-basics.html +++ /dev/null @@ -1,281 +0,0 @@ -**SSH 101 with Felix**
-

SSH 101 with Felix

-

Things everybody assumes you already know about ssh
-(secure shell, though nobody calls it that)

-

Felix Schüren
-2025-11-09 DENOG17 Essen

-

Background illustration created with Artbreeder

-
SSH 101 - Felix
-
-
-

Intro

-
    -
  • Which of you... -
      -
    • use ssh already?
    • -
    • use port forwarding?
    • -
    • use ProxyJump?
    • -
    • use ssh certificates?
    • -
    • use Windows? MacOS? Linux? Something else?
    • -
    -
  • -
-
-
-

Timeline ideas

-
    -
  • passwordless login
  • -
  • port forwarding
  • -
  • jumphosts, agent forwarding, proxyjump
  • -
  • host_keys / mitm
  • -
  • ssh_config
  • -
-
-
-

ideas

-
    -
  • Im laufenden Lab auf einem jumphost die host_keys ändern, um Warnungen zu produzieren
  • -
  • agent_forwarding abgreifen und mich als einen der User einloggen
  • -
  • Hinterher aufzeigen (frei nach "I've been here the whole time!"), dass man cert-based logins benutzt hat
  • -
  • ggfs Stacy Fakename, Joanna Fakename als Easter eggs?
  • -
  • wie baue ich eine gute ssh_config
  • -
-
-
-
    -
  1. How?
  2. -
  3. Host Keys
  4. -
  5. Key-based auth
  6. -
  7. SSH Agent
  8. -
  9. Agent forwarding
  10. -
-

Illustration created with Artbreeder

-
-
-

how?

-

The essence behind SSH is asymmetric cryptography
-(public/private key cryptography)

-
    -
  1. you give others a "servant key" (public key) -
      -
    • can only be used to encrypt data
    • -
    -
  2. -
  3. you keep the master key (private key) -
      -
    • this decrypts the data that was encrypted with 1.
    • -
    • keep this very secure, never give it away.
    • -
    -
  4. -
-
-
-

host keys

-

Very similar concept to user/client keys, the host/server also has a private/public key pair

-
    -
  • live in /etc/ssh/, typically called ssh_host_$TYPE_key
  • -
  • be mindful of this when templating/cloning VMs or containers
  • -
-
-
-

known_hosts and you

-
The authenticity of host 'schmargonrog.example.com' can't be established.
-ED25519 key fingerprint is SHA256:H49twPDi0au3WObFIUmrbUSqc2j8uYzb2BCDigttvbw.
-This key is not known by any other names.
-Are you sure you want to continue connecting (yes/no/[fingerprint])?
-
-
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
-@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
-@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
-IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
-Someone could be eavesdropping on you right now (man-in-the-middle attack)!
-It is also possible that a host key has just been changed.
-The fingerprint for the ED25519 key sent by the remote host is
-SHA256:s7Z+oc2AUQUqNH91OPkqzL0VXbe2fAoF+p+robhrCv0.
-Add correct host key in /root/.ssh/known_hosts to get rid of this message.
-Offending ECDSA key in /root/.ssh/known_hosts:71
-  remove with:
-  ssh-keygen -f "/root/.ssh/known_hosts" -R "clab-f2-spine2"
-[...]
-Host key verification failed.
-
-
-
-

how does it keep track of known hosts?

- -

~/.ssh/known_hosts (personal) or /etc/ssh/ssh_known_hosts (global)

-
    -
  • lists hostname, ssh key type and public key for hosts you have previously connected to
    server1.example.com ssh-ed25519 AAAAC3NzaC1lZ...
    -server1.example.com ssh-rsa AAAAB3NzaC1yc2E...
    -server1.example.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLX...
    -
    -
  • -
  • some Linux distros default to HashKnownHosts yes, which replaces the hostname with a hashed version
    |1|32Q6...=|Ul+EoN...= ssh-ed25519 AAAAC3NzaC1l...
    -
    -
  • -
-
-
-

To recap:

-
    -
  • temp pub/priv keys used to establish connection & share the session secret -
      -
    • from this point on, all comms on the ssh session are protected by this session secret
    • -
    -
  • -
  • known_hosts important to prevent man-in-the-middle attacks
  • -
- -

Photo by Adam Winger on Unsplash

-
-
-

Part 2

-

The Two Pillars

- -
    -
  • Key based auth
  • -
  • ssh agent
  • -
- -

Photo by Cajeo Zhang on Unsplash

-
-
-

Key-based authentication

-
    -
  • A private (secret, only for you) key -
      -
    • never give this to anyone else
    • -
    • never copy this to another machine
    • -
    -
  • -
  • A public (everyone can have it) key -
      -
    • can be generated from the private key
    • -
    -
  • -
  • typically, id_rsa and id_rsa.pub -
      -
    • or id_ed25519, id_dsa, ...
    • -
    -
  • -
-
-
-

how to generate a key pair

-
    -
  • ssh-keygen -t rsa -b 4096 -
      -
    • will create ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub
    • -
    -
  • -
  • ssh-keygen -t ed25519 -
      -
    • id_ed25519, essentially, it's id_$TYPE
    • -
    -
  • -
  • please, do set a passphrase for the key. I will explain how to make it not annoying.
  • -
-
-
-

and now? aka authorized_keys

- -

You now put the public key into the ~/.ssh/authorized_keys file of the user/host combination you want to have access to.

-
# cat ~/.ssh/authorized_keys
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA6Gc/53b0ZBGL/ORF5hIa61hTPTAsrjnkxXl3wawsHT felix@home
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEx6jIZeHFxh1NDJOoHGQLg0ViqqFNKGd5ofTRvHb4Fh backuppc@backup
-
- -

(Remember, do not give your private key to anyone. Never.)

-
-
-

example login

-

having added the contents of my ~/.ssh/id_ed25519.pub file to the user root on my server db.example.com, I can now do

-
ssh -i ~/.ssh/id_ed25519 root@db.example.com
-
-

My local SSH client will ask me for my passphrase (to unlock the private key into memory), then use the private key to authenticate me, allowing me to log in.

-
-
-

SSH agent

-
    -
  • Stores unlocked private keys in memory
  • -
  • only enter your passphrase when adding the key to the in-memory store
  • -
  • configurable lifetime -
      -
    • I would recommend 8-10 hours, so that during normal working hours you enter your passphrase once per day.
    • -
    -
  • -
  • Painless passwordless logins!
  • -
  • can either manually add keys to it using ssh-add or set AddKeysToAgent yes in your ssh config
  • -
-
-
-

Agent forwarding

-
    -
  • Exposes your private key cache (the "agent") to the system you're connecting to -
      -
    • SSH_AUTH_SOCK environment variable
    • -
    -
  • -
-
# echo $SSH_AUTH_SOCK
-/tmp/ssh-XXXXiA23DL/agent.1337770
-
-
    -
  • allows you to access your private keys from an intermediary system -
      -
    • but everyone with root rights on the intermediary can use your SSH_AUTH_SOCK!
    • -
    -
  • -
-
-
-

Finished

- -
    -
  • keep your private key very private
  • -
  • be very careful with agent forwarding
  • -
  • be paranoid with known_hosts
  • -
  • check out the manpage of the ssh client config: man ssh_config
  • -
  • visit the advanced workshop
  • -
- -

Photo by Jonatan David on Unsplash

-
-
-

Teaser: Ich wollte eh auf der DENOG Workshop fuer ssh machen, gebe hier mal Teaser, Rest koennt ihr dann euch selber angucken, ...

-

Praxis-Fails einbauen - neue hostkeys, passwort eingeben muessen, passphrase, ... jetzt muss ich meinen private key auf den jumphost kopieren, nein doch nicht, .... teaser-problem fuer proxyjump

-

optional proxyjump, falls ich zu schnell durchgehe bzw generell mal fragen, ob weiteres Interesse besteht

-

fuer lab: ein ssh-container-labyrinth, proxyjumps aussenrum und dann zum Schluss mit einem einzelnen ssh-kommando dateien aus der Mitte nach aussen... oder so.

-
-
-

https://www.openssh.com/legacy.html
-KexAlgorithms: the key exchange methods that are used to generate per-connection keys
-HostkeyAlgorithms: the public key algorithms accepted for an SSH server to authenticate itself to an SSH client
-Ciphers: the ciphers to encrypt the connection
-MACs: the message authentication codes used to detect traffic modification
-ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 user@legacyhost
-ssh -oHostKeyAlgorithms=+ssh-dss user@legacyhost

-
-

This is aimed at people using SSH in their daily work - it does not deal with details of the SSH protocol itself.

pubkey can also check signatures, but that's less important in ssh use.

This enables one-way secure communication - others can now send data to you that -can not be read or changed on the way to you. That's great, but you want to communicate bi-directionally...

Now both parties (client and server) have a way to receive encrypted messages, and as mentionend use this to share a session secret (for efficiency and speed) for running sessions. -Under the hood, SSH will use temporary pub/priv keys to establish the connection, then switch to symmetric encryption where the shared secret is randomly generated between the -SSH parties and transmitted securely through the magic of pub/priv crypto.

you will have seen a message popping up when you connect to a new host for the first time, displaying some form of

Another message you might have seen is this one:

In both cases, you should think about what is going on. First case is pretty normal, you're connecting to a host that you have no previous information on. It's usually okay to say yes here. For the extra paranoid, verify the host key fingerprint through a secure side channel (phone? DNS? photo? etc...) before continuing the connection. - -Don't follow the second message blindly say yes, think about *why* the host key might have changed. Did you recently do a dist-upgrade, did someone reinstall the machine without backing up/restoring the host keys, or was there a major breaking change with ssh during a system upgrade run? In any case, be vigilant.

If you said "yes" on the prior page, how does your local ssh client actually save this information? There are two spaces, with the global one usually not being used.

(this is what happens when you answer "yes" on the first connection to a host and )

This makes some deleting entries a lot harder than before, and it might break some tab-completion magic that might use the known_hosts file

You might want to roll out the known_hosts centrally.

Right, that's the basic how. Let's get to some things that make your life so much easier, yet that are often misunderstood.

The most widely used yet often misunderstood features of SSH. This is why you are here.

One of the core failures of the whole SSH ecosystem is the default naming convention for private/public keys. Accidentally cat'ing your private key is way too easy. - -rsa, dsa, ed25519 are different variants/types of encryption. When in doubt, use RSA. - -(I would always go with ED25519 for modern deployments, though it might not work on systems that are older than 2020ish)

Securing your private key with a passphrase (which just means "long password") is a good precaution, it means somebody that gets access to your private key cannot immediately use it.

Okay, now you have your key, and you can give the public side of it to others. If others want to securely encrypt something that **only** you can decrypt, they use your **public** key to encrypt. You then use your **private** key to decrypt.

In order to use this for authentication instead of a password, the SSH server will essentially encrypt something with your public key and ask you to send the decrypted text back (to prove that you are indeed in posession of the private key part)

*READABLE* && pubkey → *CRYPTED* && privkey → *READABLE*

Yes, this feels identical to logging in with a password, except I was encouraged to make my passphrase longer and more annoying to type. Great job, you've made using ssh more annoying.

Should probably more accurately be called the SSH private key cache. It's well integrated into openssh, and normal ssh connection attempts will try to use your local ssh agent automatically.

On macos, you can use the system keychain to store the passphrase, where they will live together with all the other saved passwords, protected by a master password. It's ```UseKeychain yes -``` in your .ssh/config, and I would recommend to use that if you're on a mac.

On windows, putty has "pageant" to serve as private key cache, it works identically, though by default does not set a lifetime (you do need to re-enter passphrase after rebooting)

This is a must-have if you're serious about using key-based auth. You can get by with using keys without passphrase, but please don't, it carries a heavy price in terms of identity theft and potential damage to your reputation. As a sidenote, with more and more machines ending up in an MDM (mobile device management) "friendly rootkit" scenario, your private keys, passphrases and logins etc are essentially all compromised (to your MDM admins), making (digital) identity inside your company all but meaningless, but that is a topic for another talk... or hit me up later, I will talk at length about the problems I see with MDM :)

you have essentially compromised your keys to every admin of the intermediary system. Be very, very careful where you agent forward to. Come visit my advanced SSH workshop to learn a better way.

This covers what I consider the SSH 101

\ No newline at end of file diff --git a/presentation/ssh-basics.md b/presentation/ssh-basics.md index eb82973..c9728c3 100644 --- a/presentation/ssh-basics.md +++ b/presentation/ssh-basics.md @@ -25,7 +25,10 @@ backgroundImage: ![bg](./img/artbreeder-composer-2024-07-15T00_14_43.169Z.jpeg) --- # Intro ## about me -I've been doing networks for over 30 years by now. And DevOps stuff before we called it that. +I've been doing networks for over 30 years by now. And DevOps stuff before we called it that. I work for Plusnet GmbH as a Solution Architect these days, but I have been a sysadmin, developer, network engineer, network architect and systems architect among other things. + +--- +# Intro continued ## about you - Which of you... * use ssh already? 
@@ -36,11 +39,111 @@ I've been doing networks for over 30 years by now. And DevOps stuff before we ca --- # Clients -## OpenSSH - Linux, Mac, Windows - - just + - I would always prefer OpenSSH + - in a pinch, `git bash` portable is helpful. or `putty` portable, but be careful where you download it. ## but I need a GUI -- A well-maintained ssh_config is usually better. And if you have too many hosts, you want to use ansible etc anyway. +- Maybe. I believe that a well-maintained ssh_config is usually better. And if you have too many hosts, you want to use ansible etc anyway. +- useful shells will offer tab-completion for ssh_config etc. + + +--- +# access the lab + +- `ssh username@sshworkshop.telefrag.com -p4000+$last_octet` + +--- +# access our first system +## jumphost1 + * `ssh jumphost1` + * `uptime` + * `whoami` + * `fireworks` + * `CTRL-C` + +--- +# why is my terminal messed up? + * escape codes, binary garbage + * unix-like shells: `reset` + * powershell: `[Console]::ResetColor()` + +--- +# run commands remotely + * make sure you're still logged into your linux$N lab machine + * `ssh jumphost1 uptime` + * `ssh jumphost1 whoami` + * `ssh jumphost1 fireworks` + * `ssh jumphost1` + * `alias` + * `logout` or `CTRL-D` + * `ssh jumphost1 "fireworks.sh Fireworks"` + * `ssh -t jumphost1 "fireworks.sh Fireworks"` + * `CTRL-C` + * `reset` + +--- +# I hate typing passwords. + * copy-paste + * risky (who never pasted credentials into the wrong chat?) + * key-based auth! + * what are pub/privkeys + * `ssh-keygen` + * passphrase? what, why, how? + * ED25519, RSA, ... + +--- +# run commands remotely redux + * make sure you're still logged into your linux$N lab machine + * `ssh jumphost1 uptime` + * `ssh jumphost1 whoami` + * `ssh jumphost1 -t fireworks` + * Yay, we've made it worse. Now we have to remember/copy-paste a passphrase instead of a password. 
+ +--- +# ssh-agent + * make sure agent is running + * normally, your GUI should do this for you, but this is a crudely simulated personal machine :D + * `eval (ssh-agent -s)` + * SSH_AGENT_PID + * SSH_AUTH_SOCK + * nice helper: `keychain` + * cleverly finds out if there is already an agent running, updates ENV vars if so, otherwise, starts one + * stores your unlocked private keys + * `ssh-add /path/to/keyfile` - defaults to `~/.ssh/id_*` + * `ssh-add` + * asks for passphrase + * re-try the commands or logins + +--- +# milestone One +- password login vs key-based +- run commands remotely +- ssh-agent +- terminals, PTY and `-t` + + +--- +# jumphost2 + * shared user: dbadmin + * I need your public keys + * stupidly left my keycollector private key (NEVER DO THIS) in `/var/lib/misc/` + * seriously, never leave your private keys lying around. + * this is just for the sake of labs & stuff + * `scp -i /var/lib/misc/keyuploader-identity /v /etc/passwd keycollector@192.168.0.254:$USER.passwd` + * copy, chmod, try again. + +--- +# break - 10 mins + - give me time to copy keys to jumphost2 etc. + * this is why ssh key management is inherently difficult etc + + +--- +# running remote commands advanced + * `ssh jumphost1 'if [ -f "/etc/passwd" ]; then echo "Yes"; tail -1 /etc/passwd; else echo "No"; fi'` + * `ssh user@host 'bash -s' < local_script.sh` + * (instead of copying, running, deleting local_script.sh) + * you should really start looking into ansible if you've reached this state --- # Timeline ideas 
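Review bot: `eval (ssh-agent -s)` on the ssh-agent slide is fish syntax; in bash or sh it has to be `eval "$(ssh-agent -s)"`, otherwise the shell reports a syntax error and SSH_AGENT_PID / SSH_AUTH_SOCK never get set, which is exactly the "too many agents, stale environment" confusion the later Linux slide warns about. On the jumphost2 slide, `scp -i /var/lib/misc/keyuploader-identity /v /etc/passwd keycollector@192.168.0.254:$USER.passwd` has a stray `/v` (presumably a mistyped `-v`): scp will treat it as a second local source file and report it as missing, so attendees copying the line verbatim get an error before the intended "copy, chmod, try again" failure. Both are worth fixing before the slides go out, since the audience is expected to type these commands as written.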
@@ -61,10 +164,16 @@ I've been doing networks for over 30 years by now. And DevOps stuff before we ca --- # ideas - Im laufenden Lab auf einem jumphost die host_keys ändern, um Warnungen zu produzieren + - vorher jumphost2 den link zu jumphost1 auf 100% packet loss einstellen + - in containerlab-extension jumphost2 rechtsklicken, packetloss fuer eth0 einstellen + - ssh escape chars lernen um aus der session rauszukommen + - enter, ~. + - jumphost2: `rm /etc/ssh/ssh_host_*; dpkg-reconfigure openssh-server; killall -HUP sshd` + - link impairment: clear all - agent_forwarding abgreifen und mich als einen der User einloggen -- Hinterher aufzeigen (frei nach "I've been here the whole time!"), dass man cert-based logins benutzt hat -- ggfs Stacy Fakename, Joanna Fakename als Easter eggs? - wie baue ich eine gute ssh_config +- change my term local to C to avoid error messages: + - `LC_ALL=C LANG=C LC_CTYPE=C` --- ![bg right](./img/artbreeder-composer-2024-07-14T22_49_42.899Z.jpeg) @@ -83,11 +192,13 @@ I've been doing networks for over 30 years by now. And DevOps stuff before we ca Set-Service ssh-agent -StartupType Automatic Start-Service ssh-agent ``` -## Mac +## Mac only To add your ssh keys to MacOS Keychain, use `UseKeychain yes` in your ssh_config. ## Linux -Generally, ssh- agent "just works". If not, simply +Generally, ssh-agent "just works" nowadays, especially on Linux GUI environments. But pay attention, you can easily run too many agents and get confused which one has your keys. + * this is usually how tmux & co have problems with ssh-agent - due to stale environment vars. + --- # ssh_config diff --git a/presentation/sshworkshop-draft.drawio b/presentation/sshworkshop-draft.drawio index 66c8091..f4429e9 100644 --- a/presentation/sshworkshop-draft.drawio +++ b/presentation/sshworkshop-draft.drawio 
@@ -1,745 +1,769 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/setups/gateway.sh b/setups/gateway.sh index 5526a60..32037e7 100755 --- a/setups/gateway.sh +++ b/setups/gateway.sh @@ -13,6 +13,10 @@ ip addr replace dev eth3 172.16.202.32/31 echo "nameserver 192.168.0.254" > /etc/resolv.conf +useradd -m keycollector +mkdir -p /home/keycollector/.ssh/ +echo "restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKpofQk36/HtJcTSHVqFY9f0iyliVnDRWKpPvlnS3v5F keycollect-identity" > /home/keycollector/.ssh/authorized_keys +chown keycollector:keycollector /home/keycollector/.ssh/ -Rv # ---------------------------------------------------------------------- # Run the long pipeline in the background, but start it only after 60 s. 
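Review bot: the keycollector setup in setups/gateway.sh never sets permissions on `/home/keycollector/.ssh/` or `authorized_keys`; with `mkdir -p` and `echo >` they inherit the umask, so whether sshd accepts the key under `StrictModes` depends on the container's umask. Add `chmod 700 /home/keycollector/.ssh` and `chmod 600 /home/keycollector/.ssh/authorized_keys` before the `chown -Rv`, and guard `useradd -m keycollector` (e.g. `id keycollector >/dev/null 2>&1 || useradd -m keycollector`) so the script can be re-run. The trailing context comment "start it only after 60 s" also no longer matches the delay, which the next hunk raises from 90 s to 180 s; update the comment together with the sleep.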
@@ -20,8 +24,8 @@ echo "nameserver 192.168.0.254" > /etc/resolv.conf # ---------------------------------------------------------------------- ( - # wait 90 seconds first - sleep 90 + # wait 180 seconds first + sleep 180 /usr/local/bin/online-users.sh ) > /online-users.txt & # ← background the whole subshell diff --git a/setups/hypervisor.sh b/setups/hypervisor.sh index d3ffb81..07afb1b 100755 --- a/setups/hypervisor.sh +++ b/setups/hypervisor.sh @@ -1,12 +1,15 @@ #!/usr/bin/env bash UPLINK_INTERFACE="enp0s31f6" -for port in {4010..4200}; do - ip_octet=$((port - 4000)) # 4011 → 11, … 4200 → 200 +what="A" +if [ "$1" == "delete" ]; then + what="D" +fi +for port in {4001..4200}; do + ip_octet=$((port - 4000)) # 4001 → 1, … 4200 → 200 dst_ip="192.168.0.${ip_octet}" - - iptables -t nat -A PREROUTING \ + iptables -t nat -${what} PREROUTING \ -i "$UPLINK_INTERFACE" -p tcp -m tcp --dport "$port" \ -j DNAT --to-destination "${dst_ip}:22" done -iptables -t nat -A POSTROUTING -o br-ext -p tcp -d 192.168.0.0/24 --dport 22 -j MASQUERADE \ No newline at end of file +iptables -t nat -A POSTROUTING -o br-ext -p tcp -d 192.168.0.0/24 --dport 22 -j MASQUERADE diff --git a/sshlab.clab.yml b/sshlab.clab.yml index 3904c8e..70ac497 100644 --- a/sshlab.clab.yml +++ b/sshlab.clab.yml 
@@ -16,11 +16,31 @@ topology: - ./setups/linux.sh:/usr/local/bin/setup.sh:ro - ./helpers/fireworks.sh:/usr/local/bin/fireworks.sh:ro - ./helpers/ssh-agent-environment.sh:/usr/local/bin/ssh-agent-environment.sh:ro + - ./config/keyuploader-identity:/var/lib/misc/keyuploader-identity:ro memory: 256MB cpu-set: 4-7 nodes: a1: kind: arista_ceos + enforce-startup-config: true + startup-config: | + management telnet + no shutdown + ! + management ssh + ciphers 3des-cbc + key-exchange diffie-hellman-group1-sha1 diffie-hellman-group14-sha1 + ! + interface Ethernet3 + no switchport + ip address 169.254.45.1/30 + ! + management api http-commands + protocol http + no shutdown + ! + username admin privilege 15 secret horse123 + br-clab-intonly: kind: bridge br-ext:
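Review bot: config/keyuploader-identity checks an unencrypted ed25519 private key into the repository (git mode 100644, no passphrase); once the commit is pushed that key has to be considered public, regardless of the `restrict` option on the matching keycollector entry in setups/gateway.sh and of the slide's "NEVER DO THIS" disclaimer. Generate the pair at lab build time instead (for example `ssh-keygen -t ed25519 -N '' -f config/keyuploader-identity` in a setup step, with both files in .gitignore), so every workshop run gets a fresh key that never leaves the lab host, and the `.pub` committed here is not something a third party can already sign with.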
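Review bot: in setups/hypervisor.sh the new `delete` mode only reaches the PREROUTING DNAT rules through `-${what}`; the final `iptables -t nat -A POSTROUTING ... -j MASQUERADE` line is still hard-coded to `-A`, so `hypervisor.sh delete` removes the port forwards but leaves the MASQUERADE rule in place, and every invocation, add or delete, appends one more duplicate copy of it. Use `-${what}` on that line as well, or make it idempotent with `iptables -t nat -C POSTROUTING ... || iptables -t nat -A POSTROUTING ...`. Minor: `[ "$1" == "delete" ]` is a bash-ism, acceptable under the `#!/usr/bin/env bash` shebang, but `=` is the portable spelling.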
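Review bot: the cEOS `startup-config` in sshlab.clab.yml deliberately enables weak settings (`ciphers 3des-cbc`, `key-exchange diffie-hellman-group1-sha1 diffie-hellman-group14-sha1`, `management telnet`, the HTTP-only `management api http-commands`, and `username admin privilege 15 secret horse123` in clear text), presumably so the legacy-algorithm exercise has a target; add a YAML comment above the block stating that, because a reader lifting this topology file has no other hint that a1 is a deliberately weakened lab device. The new mount `./config/keyuploader-identity:/var/lib/misc/keyuploader-identity:ro` also deserves a one-line comment: because the file is committed as 0644 and mounted read-only, ssh will refuse it as an `-i` identity until it is copied and chmod'ed, which is the "copy, chmod, try again" step on the jumphost2 slide.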