1. 2016-12-05 - Resolve ssh host key violations

    Resolve ssh host key violations

    Running multiple virtual machines for testing and proofs of concept (POCs), you install an OpenSSH server in each of them for “remote” access. Every time you log in to a new machine, you might run into this legitimate warning:

    tan@omega:~$ ssh tan@localhost -p 222
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
    Someone could be eavesdropping on you right now (man-in-the-middle attack)!
    It is also possible that a host key has just been changed.
    The fingerprint for the ECDSA key sent by the remote host is
    SHA256:MggEJZSCbAmRQXebLxzdtEt7qjJVdUcr+cv1CBl5OgY.
    Please contact your system administrator.
    Add correct host key in /home/tan/.ssh/known_hosts to get rid of this message.
    Offending ECDSA key in /home/tan/.ssh/known_hosts:17
      remove with:
      ssh-keygen -f "/home/tan/.ssh/known_hosts" -R [localhost]:222
    ECDSA host key for [localhost]:222 has changed and you have requested strict checking.
    Host key verification failed.
    

    Since known_hosts already holds a host key for [localhost]:222 from another virtual machine, you can turn off host key checking for localhost (and only for localhost) in the client config:

    cat /home/tan/.ssh/config
    Host localhost
        NoHostAuthenticationForLocalhost yes
    

    Otherwise you end up removing the offending host key from known_hosts on every occasion.
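    To decide whether the warning is the VM you just rebuilt or something nastier, compare the fingerprint in the message with one obtained out of band (on the VM console: ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub). The following added Python example, not part of the original post, does the known_hosts side of that check: it looks up the [host]:port entry (plain or hashed) and computes the SHA256 fingerprint the way ssh prints it; the keys and the known_hosts content are constructed dummies, not real host keys.

```python
import base64
import hashlib
import hmac

def fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint as ssh prints it: base64 of the digest over the raw key blob, without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_matches(pattern: str, host: str) -> bool:
    """Match one known_hosts host field: a comma list such as 'omega,192.0.2.10', or the hashed
    form |1|salt|HMAC-SHA1(host) written when HashKnownHosts is on."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return host in pattern.split(",")

def find_entries(known_hosts: str, host: str):
    """Yield (line_no, key_type, fingerprint) for every entry naming host, e.g. '[localhost]:222'."""
    for line_no, line in enumerate(known_hosts.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):          # @cert-authority / @revoked markers shift the fields
            fields = fields[1:]
        if len(fields) >= 3 and host_matches(fields[0], host):
            yield line_no, fields[1], fingerprint(fields[2])

def check_host(known_hosts: str, host: str, expected_fp: str) -> str:
    """'match' if a cached key has the fingerprint you verified out of band, 'changed' if the cache
    only holds other keys for that host, 'unknown' if there is no entry at all."""
    entries = list(find_entries(known_hosts, host))
    if not entries:
        return "unknown"
    return "match" if any(fp == expected_fp for _, _, fp in entries) else "changed"

def _blob(key_type: str, raw: bytes) -> str:
    """Base64 wire blob: length-prefixed key type, then the length-prefixed key bytes."""
    body = b"".join(len(x).to_bytes(4, "big") + x for x in (key_type.encode(), raw))
    return base64.b64encode(body).decode()

# Constructed sample data: two dummy ed25519 keys standing in for the old VM and the rebuilt one.
OLD_VM = _blob("ssh-ed25519", b"\x01" * 32)
NEW_VM = _blob("ssh-ed25519", b"\x02" * 32)
KNOWN_HOSTS = f"omega,192.0.2.10 ssh-ed25519 {OLD_VM}\n[localhost]:222 ssh-ed25519 {OLD_VM}\n"
```

Only when check_host reports "match" for the fingerprint you read off the console is removing the old line with ssh-keygen -R the right fix; "changed" with a fingerprint you cannot account for is the case the warning exists for.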

  2. 2016-03-21 - Check supported algorithms in OpenSSH

    Check supported algorithms in OpenSSH

    I have to prepare some file transfers within the company. The administrator was talking about the mandatory cipher suites aes128-cbc and aes256-cbc. Basically I rely on OpenSSH and don’t dig so deep into the details, but it never hurts to check whether my running systems comply with the above requirements.

    The ssh man page documents the following option:

     -Q cipher | cipher-auth | mac | kex | key
                 Queries ssh for the algorithms supported for the specified version 2.  The available features are: cipher (supported
                 symmetric ciphers), cipher-auth (supported symmetric ciphers that support authenticated encryption), mac (supported message
                 integrity codes), kex (key exchange algorithms), key (key types).
    

    Supported ciphers; both required ones are present :-).

    vinh@omega:~> ssh -Q cipher
    3des-cbc
    blowfish-cbc
    cast128-cbc
    arcfour
    arcfour128
    arcfour256
    aes128-cbc
    aes192-cbc
    aes256-cbc
    rijndael-cbc@lysator.liu.se
    aes128-ctr
    aes192-ctr
    aes256-ctr
    aes128-gcm@openssh.com
    aes256-gcm@openssh.com
    chacha20-poly1305@openssh.com
    

    Supported message integrity codes

    vinh@omega:~> ssh -Q mac
    hmac-sha1
    hmac-sha1-96
    hmac-sha2-256
    hmac-sha2-512
    hmac-md5
    hmac-md5-96
    hmac-ripemd160
    hmac-ripemd160@openssh.com
    umac-64@openssh.com
    umac-128@openssh.com
    hmac-sha1-etm@openssh.com
    hmac-sha1-96-etm@openssh.com
    hmac-sha2-256-etm@openssh.com
    hmac-sha2-512-etm@openssh.com
    hmac-md5-etm@openssh.com
    hmac-md5-96-etm@openssh.com
    hmac-ripemd160-etm@openssh.com
    umac-64-etm@openssh.com
    umac-128-etm@openssh.com
    

    Supported key exchange algorithms

    vinh@omega:~> ssh -Q kex
    diffie-hellman-group1-sha1
    diffie-hellman-group14-sha1
    diffie-hellman-group-exchange-sha1
    diffie-hellman-group-exchange-sha256
    ecdh-sha2-nistp256
    ecdh-sha2-nistp384
    ecdh-sha2-nistp521
    diffie-hellman-group1-sha1
    curve25519-sha256@libssh.org
    gss-gex-sha1-
    gss-group1-sha1-
    gss-group14-sha1-
    

    Supported key types

    vinh@omega:~> ssh -Q key
    ssh-rsa
    ssh-dss
    ssh-ed25519
    ecdsa-sha2-nistp256
    ecdsa-sha2-nistp384
    ecdsa-sha2-nistp521
    ssh-rsa-cert-v01@openssh.com
    ssh-dss-cert-v01@openssh.com
    ecdsa-sha2-nistp256-cert-v01@openssh.com
    ecdsa-sha2-nistp384-cert-v01@openssh.com
    ecdsa-sha2-nistp521-cert-v01@openssh.com
    ssh-rsa-cert-v00@openssh.com
    ssh-dss-cert-v00@openssh.com
    ssh-ed25519-cert-v01@openssh.com
    null
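    Note that ssh -Q lists what the binary was compiled with, not what the Ciphers, MACs and KexAlgorithms directives in ssh_config or sshd_config actually enable (ssh -G host prints the effective client settings). The following added Python example, not part of the original post, turns captured -Q output into a compliance report: required algorithms that are missing, legacy ones still offered, and duplicate lines such as the diffie-hellman-group1-sha1 that appears twice in the kex list above; the lists are constructed excerpts of the page's output and the "legacy" patterns are the author's own choice.

```python
import re

# What the administrator asked for on the page: both CBC suites must be supported.
REQUIRED_CIPHERS = {"aes128-cbc", "aes256-cbc"}

# Algorithms a reviewer would flag as legacy even if the binary still offers them:
# CBC modes and RC4/Blowfish/3DES/CAST ciphers, MD5/SHA-1/RIPEMD MACs, group1 and SHA-1 key exchange.
LEGACY = {
    "cipher": re.compile(r"-cbc$|^arcfour|^blowfish|^3des|^cast128"),
    "mac": re.compile(r"md5|sha1|ripemd160"),
    "kex": re.compile(r"group1-|gex-sha1|exchange-sha1|group14-sha1"),
}

def parse_q(output: str):
    """Turn captured `ssh -Q <type>` output into a list, dropping blanks and the prompt/command line."""
    return [ln.strip() for ln in output.splitlines() if ln.strip() and "ssh -Q" not in ln]

def audit(kind: str, output: str, required=()):
    """Report required algorithms that are absent, legacy ones that are present, and duplicate lines."""
    supported = parse_q(output)
    return {
        "missing": sorted(set(required) - set(supported)),
        "legacy": [a for a in supported if LEGACY[kind].search(a)],
        "duplicates": sorted({a for a in supported if supported.count(a) > 1}),
    }

# Constructed excerpts of the `ssh -Q` listings shown on the page (prompt line included on purpose).
CIPHER_OUT = """vinh@omega:~> ssh -Q cipher
3des-cbc
arcfour
aes128-cbc
aes256-cbc
aes256-ctr
chacha20-poly1305@openssh.com
"""
KEX_OUT = """vinh@omega:~> ssh -Q kex
diffie-hellman-group1-sha1
diffie-hellman-group-exchange-sha256
curve25519-sha256@libssh.org
diffie-hellman-group1-sha1
"""

if __name__ == "__main__":
    print(audit("cipher", CIPHER_OUT, REQUIRED_CIPHERS))
    print(audit("kex", KEX_OUT))
```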
    
  3. 2016-02-03 - Use ssh-keys for authentication with MobaXterm

    Use ssh-keys for authentication with MobaXterm

    MobaXterm is an ssh client like PuTTY, but more convenient; session management in the professional version is very handy. Since MobaXterm ships with Cygwin, ssh is also available in its local terminal. To avoid the hassle of entering the password (especially when security compliance requires you to change it every month), ssh keys are a more secure and convenient method of authenticating to servers. This post shows how to set them up with MobaXterm.

    Before using ssh, MobaXterm requires a persistent home directory. Go to Settings and set the persistent home directory.

    Persistent Home Directory

    The first step is to generate the ssh key: open a local terminal and generate an RSA key with this command:

    ssh-keygen -t rsa
    

    The output

    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/mobaxterm/.ssh/id_rsa):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /home/mobaxterm/.ssh/id_rsa.
    Your public key has been saved in /home/mobaxterm/.ssh/id_rsa.pub.
    The key fingerprint is:
    a8:68:33:c4:61:32:d0:08:93:f1:36:a9:6a:76:b2:c8 vinh@cinhtau
    The key's randomart image is:
    +---[RSA 2048]----+
    |*=               |
    |+o..             |
    |o B              |
    | B o   .         |
    |. o   . S        |
    |.. . .           |
    |.+=..            |
    |=.+o             |
    |.E               |
    +-----------------+
    

    The second step is to append the public key to the authorized_keys file on each server, logging in with the respective user. Replace user@host as needed.

    cat ~/.ssh/id_rsa.pub | ssh vinh@omega "cat - >> ~/.ssh/authorized_keys"
    

    You may need to create the .ssh folder in your home directory on the remote machine first.

    mkdir ~/.ssh
    

    or combine it within the ssh command

    cat ~/.ssh/id_rsa.pub | ssh vinh@omega "mkdir -p ~/.ssh && cat - >> ~/.ssh/authorized_keys"
    

    Edit: After some instruction from my co-worker: you also have to change the session settings to use the ssh key (see picture below).

    Private SSH Key
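    The remote cat - >> ~/.ssh/authorized_keys step has two failure modes in practice: running it twice appends the same key twice, and sshd silently ignores the file when .ssh or authorized_keys is too permissive. The following added Python example, not part of the original post, is a local-side equivalent that checks the key line, appends it only if the key is not there yet and sets the modes sshd expects; the key bytes are constructed dummies, only the vinh@cinhtau comment is taken from the page, and demo() runs it against a throw-away home directory.

```python
import base64
from pathlib import Path

def parse_pubkey(line: str):
    """Split an OpenSSH public key line into (type, blob, comment) and sanity-check the blob."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, blob = parts[0], parts[1]
    raw = base64.b64decode(blob, validate=True)
    # The wire blob begins with a length-prefixed copy of the key type; it must agree with the text.
    n = int.from_bytes(raw[:4], "big")
    if raw[4:4 + n] != key_type.encode():
        raise ValueError("key type does not match blob")
    return key_type, blob, parts[2] if len(parts) == 3 else ""

def add_authorized_key(home: Path, pubkey_line: str) -> bool:
    """Append the key to home/.ssh/authorized_keys unless that blob is already there.
    Returns True if the file changed. Sets the modes sshd's StrictModes expects."""
    key_type, blob, comment = parse_pubkey(pubkey_line)
    ssh_dir = home / ".ssh"
    ssh_dir.mkdir(mode=0o700, exist_ok=True)   # a plain `mkdir .ssh` fails when the directory exists
    ssh_dir.chmod(0o700)
    auth = ssh_dir / "authorized_keys"
    existing = auth.read_text().splitlines() if auth.exists() else []
    if any(blob in entry.split() for entry in existing):   # same key, maybe different comment/options
        return False
    with auth.open("a") as fh:
        fh.write(f"{key_type} {blob} {comment}".rstrip() + "\n")
    auth.chmod(0o600)
    return True

def _key_line(key_type: str, raw: bytes, comment: str) -> str:
    """Build a syntactically valid public key line around dummy key bytes (constructed, not a real key)."""
    body = len(key_type).to_bytes(4, "big") + key_type.encode() + len(raw).to_bytes(4, "big") + raw
    return f"{key_type} {base64.b64encode(body).decode()} {comment}"

SAMPLE_KEY = _key_line("ssh-ed25519", b"\x07" * 32, "vinh@cinhtau")

def demo():
    """Run the append twice against a throw-away home; returns (changed1, changed2, lines, file mode, dir mode)."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        first, second = add_authorized_key(home, SAMPLE_KEY), add_authorized_key(home, SAMPLE_KEY)
        auth = home / ".ssh" / "authorized_keys"
        return (first, second, len(auth.read_text().splitlines()),
                oct(auth.stat().st_mode & 0o777), oct((home / ".ssh").stat().st_mode & 0o777))
```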

  4. 2015-08-06 - Change password of ssh key

    Change password of ssh key

    Existing private ssh keys may be protected by a passphrase. If you want to change it, ssh-keygen -p assigns a new passphrase to the existing private key; the key itself stays the same.

    # RSA algorithm
    ssh-keygen -p -f ~/.ssh/id_rsa
    
    # DSA algorithm
    ssh-keygen -p -f ~/.ssh/id_dsa
    
  5. 2015-07-03 - Using git under Windows with SSH

    Using git under Windows with SSH

    Git for Windows provides, with Git Bash and the GUI, a sufficient way to manage git repositories. Using git over SSH, however, produced an error: somehow git did not pick up PuTTY’s plink. The culprit was a previously installed program, TortoiseGit. This article about Git on Windows fixed my problem with TortoiseGit: just set the GIT_SSH environment variable to plink.

  6. 2015-07-03 - Switching remote URLs from HTTPS to SSH

    Switching remote URLs from HTTPS to SSH

    If you access a git repository via HTTPS, you have to provide credentials every time. Switching to SSH is more convenient and more secure. After adding your public SSH key to the repository host (GitHub or any other), you can access the repository over SSH. To switch your local git repository:

    # show current remote urls
    git remote -v
    # switch remote
    git remote set-url origin git@github.com:user/repository.git
    # check again
    git remote -v
    

    Replace user and repository and you are done. Note that other providers such as Atlassian Stash or Bitbucket use a different syntax.

    # Bitbucket example with user
    git remote set-url origin git@bitbucket.org:user/repository.git
    # Atlassian Stash example with default ssh port
    git remote set-url origin ssh://git@stashhost:7999/repository.git
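    The two spellings differ in what the colon means: in the scp-like form user@host:path it separates host and path, in an ssh:// URL it introduces a port, so the path must start with a slash. The following added Python example, not part of the original post, rewrites an HTTPS clone URL into the right SSH form for each case and flags the two easy-to-make mistakes; stashhost, user and repository are the page's placeholders, and the /scm/ prefix handling assumes Stash's usual HTTPS clone URL layout.

```python
import re
from urllib.parse import urlparse

# The two SSH spellings git accepts, and what goes wrong in each:
#   scp-like  user@host:path                  a '/' instead of ':' after the host breaks it
#   URL       ssh://user@host[:port]/path     here ':' must introduce a port and the path needs a leading '/'
SCP_LIKE = re.compile(r"^[\w.-]+@[\w.-]+:[^/].*$")
SSH_URL = re.compile(r"^ssh://[\w.-]+@[\w.-]+(:\d+)?/.+$")

def ssh_url_ok(url: str) -> bool:
    """True if the remote URL is one of the two well-formed SSH spellings."""
    return bool(SCP_LIKE.match(url) or SSH_URL.match(url))

def https_to_ssh(url: str, user: str = "git", port: int = None) -> str:
    """Rewrite an HTTPS clone URL to the SSH form the hosting provider expects.

    Without a port (GitHub, Bitbucket Cloud) the scp-like form is used; with a port
    (Atlassian Stash on 7999) the ssh:// form is required because of the colon.
    """
    u = urlparse(url)
    if u.scheme != "https" or not u.hostname:
        raise ValueError(f"not an HTTPS URL: {url}")
    path = u.path.strip("/")
    if path.startswith("scm/"):        # Stash HTTPS clone URLs carry /scm/, its SSH URLs do not
        path = path[len("scm/"):]
    if not path.endswith(".git"):
        path += ".git"
    ssh = f"{user}@{u.hostname}:{path}" if port is None else f"ssh://{user}@{u.hostname}:{port}/{path}"
    assert ssh_url_ok(ssh), ssh
    return ssh

if __name__ == "__main__":
    for bad in ("git@github.com/user/repository.git", "ssh://git@bitbucket.org:user/repository.git"):
        print(bad, "->", "ok" if ssh_url_ok(bad) else "malformed")
    print(https_to_ssh("https://github.com/user/repository.git"))
    print(https_to_ssh("https://stashhost/scm/project/repository.git", port=7999))
```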
    
  7. 2015-07-03 - Unknown host accessing Atlassian Stash

    Unknown host accessing Atlassian Stash

    Atlassian Stash serves SSH on port 7999 by default. If you switch a git repository to SSH access, your client may reject the SSH connection because the server’s host key is not yet known.

    To resolve this, log in to the host with ssh once and accept the host key after checking its fingerprint.

    Linux

    ssh -p 7999 gitstash
    

    On Windows with plink (Putty Link)

    $ "C:\Program Files (x86)\PuTTY\plink.exe" gitstash -P 7999
    The server's host key is not cached in the registry. You
    have no guarantee that the server is the computer you
    think it is.
    The server's rsa2 key fingerprint is:
    ssh-rsa 2048 ..
    If you trust this host, enter "y" to add the key to
    PuTTY's cache and carry on connecting.
    If you want to carry on connecting just once, without
    adding the key to the cache, enter "n".
    If you do not trust this host, press Return to abandon the
    connection.
    Store key in cache? (y/n) y
    
  8. 2015-07-03 - Create SSH keys with PuTTYgen

    Create SSH keys with PuTTYgen

    If you are “forced” to use Windows, PuTTY’s PuTTYgen lets you create SSH keys. It can also convert existing OpenSSH keys. The keys are then available to PuTTY’s ssh agent, Pageant.

    For maximum security you can also use the GPG authentication key on your smartcard over SSH. You will need the patched Pageant from Dr. Peter Koch.

  9. 2013-02-09 - GPF Crypto Stick OpenSSH Authentication

    GPF Crypto Stick OpenSSH Authentication

    For SSH authentication the gpgsm package is needed, because it provides scdaemon (the smartcard daemon):

    sudo apt-get install gpgsm
    

    gpg-agent is needed because it is the only way to use an authentication subkey directly from the smartcard:

    sudo apt-get install gnupg-agent
    

    Deactivate the ssh-agent drop-in replacement of gnome-keyring-daemon; we want only gpg-agent:

    gconftool-2 --type bool --set /apps/gnome-keyring/daemon-components/ssh false
    

    Configure gpg to use the agent (only needed for the smartcard):

    echo "use-agent" >> ~/.gnupg/gpg.conf
    

    Enable the ssh-agent drop-in replacement support of gpg-agent:

    echo "enable-ssh-support" >> ~/.gnupg/gpg-agent.conf
    

    Secure the GnuPG home directory:

    chmod -R go-rwx ~/.gnupg
    

    Update the authorized_keys file on the remote host: replace “766C78D0” with the id of your authentication subkey from the earlier step (it is the first key listed under the public key, or the other public key) and add the key to the remote host:

    gpgkey2ssh 766C78D0 | ssh root@krios "cat - >> ~/.ssh/authorized_keys"
    

    My authentication key from the GnuPG smartcard:

    gpgkey2ssh F981E710 | ssh root@persephone "cat - >> ~/.ssh/authorized_keys"
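    Two of the steps above are not safe to repeat: each echo >> appends another copy of the option, and chmod -R go-rwx is easy to forget after new files appear under ~/.gnupg. The following added Python example, not part of the original post, adds the config options only once and audits the directory for group/other bits the way the chmod step is meant to leave it; demo() runs both against a throw-away directory that deliberately starts out too permissive.

```python
import stat
from pathlib import Path

def ensure_option(conf: Path, option: str) -> bool:
    """Add a gpg.conf / gpg-agent.conf option only if it is not already present.
    The page's `echo option >> file` appends another copy every time it is re-run."""
    lines = conf.read_text().splitlines() if conf.exists() else []
    if any(ln.strip() == option for ln in lines):
        return False
    conf.parent.mkdir(mode=0o700, exist_ok=True)
    with conf.open("a") as fh:
        fh.write(option + "\n")
    return True

def group_or_world_accessible(gnupg_home: Path):
    """List entries under the GnuPG home that still carry group/other bits, i.e. what
    `chmod -R go-rwx ~/.gnupg` is meant to remove."""
    found = []
    for p in [gnupg_home, *gnupg_home.rglob("*")]:
        mode = stat.S_IMODE(p.stat().st_mode)
        if mode & 0o077:
            found.append((p.name, oct(mode)))
    return found

def lock_down(gnupg_home: Path) -> None:
    """Python equivalent of `chmod -R go-rwx`: clear group and other bits on everything."""
    for p in [gnupg_home, *gnupg_home.rglob("*")]:
        p.chmod(stat.S_IMODE(p.stat().st_mode) & ~0o077)

def demo():
    """Run the steps against a throw-away home; returns (added1, added2, option count, open before, open after)."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp) / ".gnupg"
        home.mkdir()
        home.chmod(0o755)                        # deliberately open, as freshly created dirs often are
        agent_conf = home / "gpg-agent.conf"
        first = ensure_option(agent_conf, "enable-ssh-support")
        second = ensure_option(agent_conf, "enable-ssh-support")   # re-running must not duplicate the line
        agent_conf.chmod(0o644)
        before = len(group_or_world_accessible(home))
        lock_down(home)
        after = len(group_or_world_accessible(home))
        return first, second, agent_conf.read_text().count("enable-ssh-support"), before, after
```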