
SSH Deep Dive

Andri Steiner
August 08, 2025

Most of us use SSH to connect or deploy code to remote machines in one way or another. But did you know that there are countless features to simplify daily tasks? In this session, we'll talk about different options such as public key authentication and forwarding, intermediate jumpservers to reach internal hosts, things to consider regarding security, and how to configure all those options globally, per group or per individual host without having to remember each and every command-line option.


Transcript

  1. SCHEDULE
     - overview & features
     - user authentication & key forwarding
     - client & server configuration
     - security considerations
     - some examples
     - algorithms, ciphers & encryption details
  2. WHAT IS IT?
     - Secure SHell protocol
     - remote login and command execution
     - encrypted transport and authentication
     - open architecture
     - cross-platform
  3. AUTHENTICATION METHODS
     - password(s): as secure as the passwords of each account
     - publickey: different algorithms, many features
     - keyboard-interactive: TOTP, YubiKey, SecurID
     - GSSAPI: Kerberos, NTLM
  4. PUBLIC KEY AUTHENTICATION
     - no need to remember individual passwords
     - private key: generate with password, store securely
     - public key: add/send to remote server
     - different algorithms; modern: ed25519, compatibility: RSA-4096, deprecated: DSA
     - key pair shown on the slide:
       -----BEGIN OPENSSH PRIVATE KEY-----
       b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
       QyNTUxOQAAACDnXZC/cbTLylCGTd5BYja/LndYhwoLqiuVs3UfTMFwqwAAAKhk9jK9ZPYy
       vQAAAAtzc2gtZWQyNTUxOQAAACDnXZC/cbTLylCGTd5BYja/LndYhwoLqiuVs3UfTMFwqw
       AAAECtr2VWK5EWewhVdZzkKyj54SVigsAaCQDh1jZVzFh3DeddkL9xtMvKUIZN3kFiNr8u
       d1iHCguqK5WzdR9MwXCrAAAAHnRlYW0rcHVwcGV0MTAtZGVwbG95QG9wc29uZS5jaAECAw
       QFBgc=
       -----END OPENSSH PRIVATE KEY-----
       ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOddkL9xtMvKUIZN3kFiNr8ud1iHCguqK5W
  5. PUBLIC KEY AUTHENTICATION
     - generate on client: ssh-keygen -t ed25519 -C '[email protected]'
     - protect private key with passphrase
     - automation keys: restrict access, single usage only
     - confidential: save only locally, never copy a private key to remote systems
     - public key: allowed and required to copy to remote systems
     - really public: https://github.com/andristeiner.keys
  6. PUBLIC KEY AUTHENTICATION
     - add to ~/.ssh/authorized_keys on server
     - configuration: restrict access: from="10.0.0.1",command="/my/deployment"
     - configuration: set environment: environment="NAME=value"
     - configuration: disable features: no-port-forwarding,no-agent-forwarding
     - more: man 5 authorized_keys
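The restrictions on slides 5 and 6 are only useful if they are actually present on every automation key. The following audit helper is an added example, not code from the talk: it reads an authorized_keys file and flags entries that use the deprecated DSA algorithm, lack a from= source restriction, or force a command without also dropping forwarding (either via the explicit no-* options from the slide or sshd's combined restrict option). The sample file is constructed; the key blobs in it are placeholders.

```shell
#!/bin/sh
# Added audit helper (hypothetical, not from the talk). Reads an
# authorized_keys file on stdin and prints one "<line>: <finding>" per weak
# entry; prints nothing when every entry carries the recommended restrictions.
audit_authorized_keys() {
    awk '
    /^[ \t]*(#|$)/ { next }                     # comments and blank lines
    {
        # The key-type token separates the optional options field (before it)
        # from the key material; match() gives us its position.
        if (!match($0, /(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com) /)) {
            printf "%d: unparseable entry\n", NR
            next
        }
        opts    = substr($0, 1, RSTART - 1)
        keytype = substr($0, RSTART, RLENGTH - 1)
        if (keytype == "ssh-dss")
            printf "%d: deprecated algorithm %s\n", NR, keytype
        if (opts !~ /from=/)
            printf "%d: no from= source restriction\n", NR
        # A forced command alone still leaves port/agent forwarding open;
        # slide 6 pairs it with no-port-forwarding,no-agent-forwarding.
        if (opts ~ /command=/ && opts !~ /(^|,)restrict(,|$)/ && opts !~ /no-port-forwarding/)
            printf "%d: command= without restrict/no-port-forwarding\n", NR
    }'
}

# Constructed sample file; the AAAA... blobs are placeholders, not real keys.
SAMPLE_KEYS='# constructed sample, not a real authorized_keys file
from="10.0.0.1",command="/my/deployment",no-port-forwarding,no-agent-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER deploy
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER laptop
command="/usr/local/bin/backup" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABPLACEHOLDER backup
ssh-dss AAAAB3NzaC1kc3MAAAPLACEHOLDER legacy'

# Demo run: line 2 (the fully restricted deploy key) produces no finding.
printf '%s\n' "$SAMPLE_KEYS" | audit_authorized_keys
```

On a real server run it as `audit_authorized_keys < ~/.ssh/authorized_keys` for each account that accepts key logins; a clean file produces no output, which makes the check easy to wire into a cron job or CI step.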
  7. KEY FORWARDING
     - SSH agent loads key into RAM, later usage without passphrase
     - -A will forward agent socket to remote server
     - remote server/user(s) can use keys loaded in your local agent (!)
  8. SERVER
     - authentication settings: 2FA, auth, logs
     - per user settings: require certain auth/user/groups
     - encryption settings: Mozilla recommendations for key algorithms, ciphers, MACs
     - more: https://infosec.mozilla.org/guidelines/openssh, man 5 sshd_config
  9. CLIENT
     - CLI options (-o OptionName=value)
     - configuration file ~/.ssh/config:
       Host review.typo3.org
         User steiner
         Port 29418
       Host *
         User devop
         ProxyJump jump.example.net
     - more: man ssh
  10. SERVER
     - restrict SSH access to trusted sources
     - restrict authorized_keys as much as possible
     - install patches as soon as available
     - frequently update configuration recommendations
     - frequently update moduli (Diffie-Hellman params)
     - add SSHFP DNS records for host key verification
     - https://infosec.mozilla.org/guidelines/openssh
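Slides 8 and 10 recommend following the Mozilla guidelines and re-checking the configuration regularly. What matters is the effective configuration sshd is running with, which `sshd -T` prints as lowercase "keyword value" lines. The checker below is an added example, not part of the talk: it reads that output and warns about password or root logins, a log level too low to record key fingerprints, and a few well-known weak cipher, MAC and key-exchange names. The weak-algorithm patterns are illustrative rather than the complete Mozilla list, and the two sample inputs are constructed.

```shell
#!/bin/sh
# Added checker (hypothetical, not from the talk) for "sshd -T" output.
# Reads "keyword value" lines on stdin, prints "WARN <keyword>: <reason>"
# per weak setting and nothing when the dump looks hardened.
check_sshd_effective() {
    awk '
    $1 == "passwordauthentication" && $2 == "yes" {
        print "WARN passwordauthentication: password logins allowed, prefer publickey only" }
    $1 == "permitrootlogin" && $2 == "yes" {
        print "WARN permitrootlogin: interactive root login allowed" }
    $1 == "loglevel" && toupper($2) != "VERBOSE" {
        print "WARN loglevel: VERBOSE logs the key fingerprint of every login" }
    $1 == "ciphers" || $1 == "macs" || $1 == "kexalgorithms" {
        # algorithm lists are comma separated; inspect each name on its own
        n = split($2, alg, ",")
        for (i = 1; i <= n; i++) {
            a = alg[i]
            if ($1 == "ciphers" && (a ~ /-cbc$/ || a ~ /^arcfour/ || a ~ /^3des/))
                print "WARN ciphers: weak cipher " a
            else if ($1 == "macs" && (a ~ /md5/ || a ~ /^hmac-sha1$/ || a ~ /-96/))
                print "WARN macs: weak MAC " a
            else if ($1 == "kexalgorithms" && (a ~ /sha1$/ || a ~ /group1-/))
                print "WARN kexalgorithms: weak key exchange " a
        }
    }'
}

# Constructed sample in sshd -T format: a default-ish server with weak leftovers.
SAMPLE_SSHD_T='port 22
permitrootlogin yes
passwordauthentication yes
loglevel INFO
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-cbc
macs hmac-sha2-512-etm@openssh.com,hmac-sha1
kexalgorithms curve25519-sha256@libssh.org,diffie-hellman-group14-sha1'

# Constructed sample of the same server after hardening: no warnings expected.
HARDENED_SSHD_T='port 22
permitrootlogin no
passwordauthentication no
loglevel VERBOSE
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
kexalgorithms curve25519-sha256@libssh.org,diffie-hellman-group16-sha512'

printf '%s\n' "$SAMPLE_SSHD_T" | check_sshd_effective
```

On the server itself the input comes from `sshd -T | check_sshd_effective` (run as root, since sshd needs to read its host keys to produce the dump); running it after every package update catches defaults that a new OpenSSH release re-enables.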
  11. CLIENT
     - use SSH agent & load your keys with confirmation (depends on agent, look for ssh-askpass on your platform)
     - use SSH agent forwarding only when required
     - jumpserver without agent forwarding
  12. SHELL PIPELINES
     - SSH is just another command
     - export database from one remote system and import it to another:
       ssh [email protected] mysqldump exampledb | ssh [email protected]
     - export database from one remote system and directly import it to another:
       ssh [email protected] "mysqldump exampledb | ssh [email protected]"
  13. PORT FORWARDING
     - map local TCP port to remote host TCP port: ssh -L 3306:127.0.0.1:3306 server1.example.net
     - map remote host TCP port to local TCP port: ssh -R 9003:127.0.0.1:9003 server1.example.net
  14. MULTIPLEXING/MASTER MODE
     - multiple SSH connections through the same TCP connection
     - subsequent connections use the already established connection
     - especially useful for multiple connections to the same destination: central jumpserver, scripts, CI
     - ssh -M -S ~/.ssh/master.sock server1.example.net
  15. KEEPALIVE
     - if you encounter sudden session drops: unreliable connection or pseudo security measures
     - enable ServerAliveInterval: client sends a small ping every 60 seconds
     - ssh -o ServerAliveInterval=60 server1.example.net
  16. SOCKS PROXY
     - poor man's VPN to tunnel certain requests
     - connect to remote server, configure your application/request with proxy
     - useful to access a single endpoint: restricted TYPO3 backend, API endpoints, (mail) debugging
     - ssh -D 9090 server.example.net
     - curl --socks5 localhost:9090 https://example.net/
  17. VPN
     - full-fledged, routing-based VPN: all outgoing connections will go through SSH
     - virtual network interface and routing table adjustments required
     - Linux & MacOS: sshuttle https://github.com/sshuttle/sshuttle
  18. LONG RUNNING TASKS
     - use a multiplexer (not an SSH feature): screen or tmux
     - detach/attach to existing shell
     - share a shell between users
  19. FILE TRANSFER
     - scp (SFTP) to copy full files/directories
     - rsync to copy changes only
     - FTPS ≠ SFTP
     - FTPS: good old FTP through TLS (like HTTPS for HTTP)
     - SFTP: Secure File Transfer Protocol, uses SSH
  20. CLIENT CONFIGURATION
     - no need to remember all required options
     - text file and includes
     - relevant part can be versioned and shared with others
     - example:
       Host ancient.example.net
         HostkeyAlgorithms +ssh-rsa
         PubkeyAcceptedAlgorithms +ssh-rsa
       Host intranet.customer.local
         HostName 10.0.0.1
         User intranet
         ProxyJump [email protected]
         ForwardAgent yes
       Host review.typo3.org
         User steiner
         Port 29418
       Host *.typo3.org
         User asteiner
       Host *
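The config on slide 20 only behaves as intended because of the rule ssh(1) applies to ~/.ssh/config: for each keyword the first obtained value wins, so specific Host blocks must come before the catch-all Host *, and a ForwardAgent yes placed in a broad block would silently apply to every host matched by it. The script below is an added example (not from the talk) that emulates that first-match rule over a constructed config modelled on slides 9, 14, 15 and 20, so you can see which block supplies an option for a given host. It understands the "Keyword value" line form and plain Host globs only; Match blocks, "!pattern" negation and Include are deliberately left out. The jump host name, the ServerAliveInterval and ControlMaster lines under Host *, and the Host jump.example.net block with ProxyJump none are my additions.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the talk): emulate the
# "first obtained value wins" evaluation of ssh_config for one host.
# Assumptions: "Keyword value" lines, plain Host globs, no Match/Include/!pattern.

resolve_option() (   # resolve_option <config-file> <hostname> <keyword>
    set -f            # subshell: stop Host globs from expanding against local files
    host=$2
    want=$(printf '%s' "$3" | tr 'A-Z' 'a-z')     # keywords are case-insensitive
    active=1          # lines before the first Host block apply to every host
    while read -r key rest; do
        case "$key" in ''|'#'*) continue ;; esac
        lkey=$(printf '%s' "$key" | tr 'A-Z' 'a-z')
        if [ "$lkey" = host ]; then
            active=0
            for pat in $rest; do
                case "$host" in $pat) active=1 ;; esac   # shell glob == ssh_config glob
            done
        elif [ "$active" -eq 1 ] && [ "$lkey" = "$want" ]; then
            printf '%s\n' "$rest"   # first match wins; later blocks cannot override it
            exit 0
        fi
    done < "$1"
    exit 1                          # keyword not set for this host
)

# Constructed config modelled on the slides; jump.example.net is a placeholder.
SSH_CFG=$(mktemp)
trap 'rm -f "$SSH_CFG"' EXIT
cat > "$SSH_CFG" <<'EOF'
# constructed sample modelled on slides 9, 14, 15 and 20
Host ancient.example.net
  HostKeyAlgorithms +ssh-rsa
  PubkeyAcceptedAlgorithms +ssh-rsa
Host intranet.customer.local
  HostName 10.0.0.1
  User intranet
  ProxyJump jump.example.net
  ForwardAgent yes
Host review.typo3.org
  User steiner
  Port 29418
Host *.typo3.org
  User asteiner
Host jump.example.net
  ProxyJump none
Host *
  User devop
  ProxyJump jump.example.net
  ForwardAgent no
  ServerAliveInterval 60
  ControlMaster auto
  ControlPath ~/.ssh/cm-%r@%h:%p
  ControlPersist 10m
EOF

demo() {
    for h in review.typo3.org docs.typo3.org intranet.customer.local jump.example.net other.example.net; do
        printf '%-24s User=%-9s ForwardAgent=%-4s ProxyJump=%s\n' "$h" \
            "$(resolve_option "$SSH_CFG" "$h" User)" \
            "$(resolve_option "$SSH_CFG" "$h" ForwardAgent)" \
            "$(resolve_option "$SSH_CFG" "$h" ProxyJump)"
    done
}
demo
```

Two things the run makes visible: review.typo3.org keeps User steiner even though the later *.typo3.org block says asteiner, and agent forwarding resolves to yes for the intranet host only, because every other host falls through to ForwardAgent no in Host *. The Host jump.example.net block with ProxyJump none is needed because a ProxyJump in Host * would otherwise tell ssh to reach the jump host through itself. The real client reports the same resolution with `ssh -G hostname`, which is the quickest way to verify a shared config before relying on it.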