17 KiB
theme, _class, size, paginate, _footer, marp, transition, lang, backgroundColor, xbackgroundImage, backgroundImage
| theme | _class | size | paginate | _footer | marp | transition | lang | backgroundColor | xbackgroundImage | backgroundImage |
|---|---|---|---|---|---|---|---|---|---|---|
| sparta | lead | 16:9 | true | SSH 101 - Felix | true | fade | en | url('https://marp.app/assets/hero-background.svg') |
Intro
about me
I've been doing networks for over 30 years by now. And DevOps stuff before we called it that.
about you
- Which of you...
- use ssh already?
- use port forwarding?
- use ProxyJump?
- use ssh certificates?
- use Windows? MacOS? Linux? Something else?
Clients
OpenSSH
- Linux, Mac, Windows
- just
but I need a GUI
- A well-maintained ssh_config is usually better. And if you have too many hosts, you want to use ansible etc anyway.
Timeline ideas
- clients
- passwordless login
- port forwarding
- jumphosts, agent forwarding, proxyjump
- host_keys / mitm
- ssh_config
- vs code
- identity files (multiple identities)
~/.ssh permissions etc
ideas
- Im laufenden Lab auf einem jumphost die host_keys ändern, um Warnungen zu produzieren
- agent_forwarding abgreifen und mich als einen der User einloggen
- Hinterher aufzeigen (frei nach "I've been here the whole time!"), dass man cert-based logins benutzt hat
- ggfs Stacy Fakename, Joanna Fakename als Easter eggs?
- wie baue ich eine gute ssh_config
Illustration created with Artbreeder
SSH Agent
Windows
Set-Service ssh-agent -StartupType Automatic
Start-Service ssh-agent
Mac
To add your ssh keys to MacOS Keychain, use UseKeychain yes in your ssh_config.
Linux
Generally, ssh- agent "just works". If not, simply
ssh_config
- on Windows:
%USERPROFILE%\.ssh\configPS C:\Users\felix>notepad.exe .\.ssh\config
- on Mac/Linux:
~/.ssh/config
SSH Agent cont'd
root@clab:~/labs/ssh-workshop# ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-TzLLcOVtmlcY/agent.342525; export SSH_AUTH_SOCK;
SSH_AGENT_PID=342526; export SSH_AGENT_PID;
echo Agent pid 342526;
-> eval $(ssh-agent -s)
Never use ForwardAgent yes.
ANYONE with access to the SSH_AUTH_SOCK file can use the socket. (Generally, root. The directory is locked down as far as it will go, but root...)
ssh identities
- ssh_config:
IdentityFile ~/.ssh/my-special-key
IdentitiesOnly yes
how?
The essence behind SSH is asymmetric cryptography (public/private key cryptography)
- you give others a "servant key" (public key)
- can only be used to encrypt data
- you keep the master key (private key)
- this decrypts the data that was encrypted with 1.
- keep this very secure, never give it away.
host keys
Very similar concept to user/client keys, the host/server also has a private/public key pair
- server (
sshd) keys live in/etc/ssh/, typically calledssh_host_$TYPE_key - they are the "identity" of this particular ssh instance, they should be different on different machines
- be mindful of this when templating/cloning VMs or containers
known_hosts and you
The authenticity of host 'schmargonrog.example.com' can't be established.
ED25519 key fingerprint is SHA256:H49twPDi0au3WObFIUmrbUSqc2j8uYzb2BCDigttvbw.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ED25519 key sent by the remote host is
SHA256:s7Z+oc2AUQUqNH91OPkqzL0VXbe2fAoF+p+robhrCv0.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /root/.ssh/known_hosts:71
remove with:
ssh-keygen -f "/root/.ssh/known_hosts" -R "clab-f2-spine2"
[...]
Host key verification failed.
how does it keep track of known hosts?
~/.ssh/known_hosts (personal) or /etc/ssh/ssh_known_hosts (global)
- lists hostname, ssh key type and public key for hosts you have previously connected to
server1.example.com ssh-ed25519 AAAAC3NzaC1lZ... server1.example.com ssh-rsa AAAAB3NzaC1yc2E... server1.example.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLX... - some Linux distros default to
HashKnownHosts yes, which replaces the hostname with a hashed version|1|32Q6...=|Ul+EoN...= ssh-ed25519 AAAAC3NzaC1l...
To recap:
- temp pub/priv keys used to establish connection & share the session secret
- from this point on, all comms on the ssh session are protected by this session secret
known_hostsimportant to prevent man-in-the-middle attacks
Photo by Adam Winger on Unsplash
Part 2
The Two Pillars
- Key based auth
- ssh agent
Photo by Cajeo Zhang on Unsplash
Key-based authentication
- A private (secret, only for you) key
- never give this to anyone else
- never copy this to another machine
- A public (everyone can have it) key
- can be generated from the private key
- typically,
id_rsaandid_rsa.pub- or
id_ed25519,id_dsa, ...
- or
how to generate a key pair
ssh-keygen -t rsa -b 4096- will create
~/.ssh/id_rsaand~/.ssh/id_rsa.pub
- will create
ssh-keygen -t ed25519- →
id_ed25519, essentially, it'sid_$TYPE
- →
- please, do set a passphrase for the key. I will explain how to make it not annoying.
and now? aka authorized_keys
You now put the public key into the ~/.ssh/authorized_keys file of the user/host combination you want to have access to.
# cat ~/.ssh/authorized_keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA6Gc/53b0ZBGL/ORF5hIa61hTPTAsrjnkxXl3wawsHT felix@home
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEx6jIZeHFxh1NDJOoHGQLg0ViqqFNKGd5ofTRvHb4Fh backuppc@backup
(Remember, do not give your private key to anyone. Never.)
example login
having added the contents of my ~/.ssh/id_ed25519.pub file to the user root on my server db.example.com, I can now do
ssh -i ~/.ssh/id_ed25519 root@db.example.com
My local SSH client will ask me for my passphrase (to unlock the private key into memory), then use the private key to authenticate me, allowing me to log in.
SSH agent
- Stores unlocked private keys in memory
- only enter your passphrase when adding the key to the in-memory store
- configurable lifetime
- I would recommend 8-10 hours, so that during normal working hours you enter your passphrase once per day.
- Painless passwordless logins!
- can either manually add keys to it using
ssh-addor setAddKeysToAgent yesin your ssh config
Agent forwarding
- Exposes your private key cache (the "agent") to the system you're connecting to
SSH_AUTH_SOCKenvironment variable
# echo $SSH_AUTH_SOCK
/tmp/ssh-XXXXiA23DL/agent.1337770
- allows you to access your private keys from an intermediary system
- but everyone with root rights on the intermediary can use your SSH_AUTH_SOCK!
Finished
<style scoped> ul { font-size: smaller; } </style>- keep your private key very private
- be very careful with agent forwarding
- be paranoid with
known_hosts - check out the manpage of the ssh client config:
man ssh_config - visit the advanced workshop
Photo by Jonatan David on Unsplash
Teaser: Ich wollte eh auf der DENOG Workshop fuer ssh machen, gebe hier mal Teaser, Rest koennt ihr dann euch selber angucken, ...
Praxis-Fails einbauen - neue hostkeys, passwort eingeben muessen, passphrase, ... jetzt muss ich meinen private key auf den jumphost kopieren, nein doch nicht, .... teaser-problem fuer proxyjump
optional proxyjump, falls ich zu schnell durchgehe bzw generell mal fragen, ob weiteres Interesse besteht
fuer lab: ein ssh-container-labyrinth, proxyjumps aussenrum und dann zum Schluss mit einem einzelnen ssh-kommando dateien aus der Mitte nach aussen... oder so.
https://www.openssh.com/legacy.html
KexAlgorithms: the key exchange methods that are used to generate per-connection keys
HostkeyAlgorithms: the public key algorithms accepted for an SSH server to authenticate itself to an SSH client
Ciphers: the ciphers to encrypt the connection
MACs: the message authentication codes used to detect traffic modification
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 user@legacyhost
ssh -oHostKeyAlgorithms=+ssh-dss user@legacyhost