The Dark Arts of SSH

Where are we?

[Image: blowfish.jpg, the OpenSSH logo]

Logo © OpenSSH project, used for promotion

Note

  • What is SSH?
  • How is SSH used?

We’re going to talk about

  • Keys + Agents
  • Config files
  • Port forwards and tunnelling
  • Libraries
  • (X Forwarding)++
  • Best practices

Keys

Note

  • Each is a unique identity
  • Consists of 2 parts: public and private key
  • Can have a passphrase or no passphrase

Creating Keys

$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/bkero/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/bkero/.ssh/id_rsa.
Your public key has been saved in /home/bkero/.ssh/id_rsa.pub.
...

Art!

The key fingerprint is:
SHA256:6Apo827Ag+KtsIU5zhCJPXeYfbrARJKH7rjdd5/Si0U bkero@localhost
The key's randomart image is:
+---[RSA 2048]----+
|                 |
|   o             |
|  + o            |
|.+ + + .         |
|* + = + S E      |
|o@ = o o .       |
|@oB o o  ..      |
|*Bo= o..oo..     |
|o+=oo....o+.     |
+----[SHA256]-----+
$ ssh-keygen -lvf .ssh/id_rsa.pub

Private Key

$ cat $HOME/.ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAppDzIOAZlm9EsOWiu/WJy7EPt8sGsFUxukSK2WCa/1+uGoqi
...
f5U2pE3Ek0txRfcw/bjjjlGDYNqDy4rUfC1FVaNaLLGgquTC/Sjpbe8=
-----END RSA PRIVATE KEY-----
$ cat $HOME/.ssh/key_with_passphrase
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,F76824221BDE3EBF2C3D8FAE3689EC94

TvWitQjoG2R9W3voiNIAd4/yhEs/XEnVDvVWDCqFbjxIT+KBccwSa9gYcuZBxSQZ
...
-----END RSA PRIVATE KEY-----

Public Key

# Defined in RFC 4253
# Format: $KEY_TYPE $KEY_MATERIAL $COMMENT
$ cat $HOME/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABA... bkero@localhost
$ echo AAAAB3NzaC1yc2EA | base64 -d
ssh-rsa

Keys (Usage)

$ cat $HOME/.ssh/id_rsa.pub >> $HOME/.ssh/authorized_keys
$ ssh-copy-id -i $HOME/.ssh/my_new_key.pub bkero@host.example.com
$ cat $HOME/.ssh/id_rsa.pub | nc termbin.com 9999
http://termbin.com/8wxn

Note

  • Placed in authorized_keys file
  • Shortcut script to do this called ssh-copy-id

Anatomy of an authorized_keys file

$ cat $HOME/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA0m7hau2... bkero@ponderosa
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA3PweBtP... bkero@mozilla
$ cat $HOME/.ssh/authorized_keys2
command="/usr/games/bin/nethack -u $USER",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB... bkero@localhost

Note

  • Point out the command/options/key-type/key/comment
  • Ask if anybody can figure out what this is doing
  • Point out that authorized_keys2 is deprecated, added for SSH v2

Options for authorized_keys entries

Option        Example                         Description
command       /usr/games/bin/nethack          forced command to run
environment   PS2='(╯°□°)╯︵ ┻━┻'             set environment variables
from          *.example.com                   source ACL
restrict      restrict                        no X11, no PTYs, no agent
user-rc       user-rc                         re-enables use of .ssh/rc
$ man 8 sshd # AUTHORIZED_KEYS FILE FORMAT

Note

  • These are some options that can be associated with each key in an authorized_keys file
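As an added example, not part of the slides: a Python script that decodes the RFC 4253 blob (the first length-prefixed string is the key type, which is why every RSA key begins AAAAB3NzaC1yc2E), splits an authorized_keys line into options, key type, blob and comment without breaking on the commas and spaces inside command="...", and reports keys that are neither restricted nor at least 2048-bit RSA. The sample file is constructed and its blobs are wire-format only (not usable keys); the 2048-bit threshold and treating the four no-* options as equivalent to restrict are my assumptions.

```python
import base64

def rsa_blob(e: int, n: int) -> str:
    """ssh-rsa wire form (RFC 4253): string "ssh-rsa", mpint e, mpint n; a string is a 4-byte length plus bytes."""
    s = lambda b: len(b).to_bytes(4, "big") + b
    mpint = lambda x: s(x.to_bytes(x.bit_length() // 8 + 1, "big"))     # leading 0x00 keeps the value positive
    return base64.b64encode(s(b"ssh-rsa") + mpint(e) + mpint(n)).decode()

def parse_blob(b64: str) -> dict:
    """Split the blob into its strings: [0] is the key type (hence the AAAAB3NzaC1yc2E prefix); RSA adds e, n."""
    blob, off, fields = base64.b64decode(b64), 0, []
    while off < len(blob):
        n = int.from_bytes(blob[off:off + 4], "big")
        fields.append(blob[off + 4:off + 4 + n])
        off += 4 + n
    info = {"type": fields[0].decode()}
    if fields[0] == b"ssh-rsa":
        info["bits"] = int.from_bytes(fields[2], "big").bit_length()
    return info

def _split_quoted(s: str, sep: str) -> list:     # split on sep outside double quotes (command="..." may hold both)
    out, cur, inq = [], "", False
    for ch in s:
        inq ^= ch == '"'
        if ch == sep and not inq:
            out, cur = out + [cur], ""
        else:
            cur += ch
    return out + [cur]

def parse_entry(line: str) -> dict:              # one authorized_keys line: [options] key-type blob [comment]
    toks = [t for t in _split_quoted(line.strip(), " ") if t]
    opts = [] if toks[0].startswith(("ssh-", "ecdsa-", "sk-")) else _split_quoted(toks.pop(0), ",")
    return {"options": opts, "type": toks[0], "bits": parse_blob(toks[1]).get("bits"), "comment": " ".join(toks[2:])}

def audit(text: str) -> list:
    """Flag keys that are neither 'restrict'ed nor carry all four no-* options, and RSA keys under 2048 bits."""
    findings, full = [], {"no-port-forwarding", "no-X11-forwarding", "no-agent-forwarding", "no-pty"}
    for e in (parse_entry(l) for l in text.splitlines() if l.strip() and not l.startswith("#")):
        names = {o.split("=", 1)[0] for o in e["options"]}
        if "restrict" not in names and not full <= names:
            findings.append((e["comment"], "unrestricted"))
        if e["bits"] is not None and e["bits"] < 2048:
            findings.append((e["comment"], "rsa-%d" % e["bits"]))
    return findings

# Constructed sample modelled on the slide; the blobs are wire-format only, not usable keys.
SAMPLE = "ssh-rsa %s bkero@ponderosa\n" % rsa_blob(65537, (1 << 1023) | 0x10001) + \
    'command="/usr/games/bin/nethack -u $USER",no-port-forwarding,no-X11-forwarding,' \
    'no-agent-forwarding,no-pty ssh-rsa %s bkero@localhost' % rsa_blob(65537, (1 << 2047) | 0x10001)
```

On a real host, feed audit() the contents of ~/.ssh/authorized_keys; the unrestricted bkero@ponderosa entry in the sample is the kind of key the nethack entry's options were written to avoid.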

Agents

[Image: agent2.jpg]

Note

  • Does anybody know who this is?
  • Agents are daemons that run on your computer, manage keys
  • Examples: ssh-agent, gpg-agent, gnome-keyring, Keychain.app
  • Keys with passphrases must be unlocked to be used (can set timeout)
  • Demo (eval ssh-agent, env|grep SSH, logging in)

Hacky Agent Usage

$ eval `ssh-agent`
Agent pid 6518
$ env | grep SSH
SSH_AGENT_PID=6518
SSH_AUTH_SOCK=/tmp/ssh-jKJJ4eWCtWjj/agent.6517

$ ssh-add $HOME/.ssh/id_rsa
Enter passphrase for /home/bkero/.ssh/id_rsa:
Identity added: /home/bkero/.ssh/ponderosa (/home/bkero/.ssh/ponderosa)

Configuration

  • man (1) ssh
  • man (5) ssh_config
$ cat $HOME/.ssh/config
Host irc
    HostName bke.ro
    User bkero
    Port 2228
    IdentityFile /home/bkero/.ssh/irc

Match host *.mozilla.com
    User bkero@mozilla.com
    ForwardAgent yes # (!)

Note

  • Most things can be specified from the command line
  • Options can be discovered in man pages: ssh(1), ssh_config(5)
  • CONFIG BLOCK containing hostname, port, user, identityfile
  • MATCH BLOCK CONTAINING *.mozilla.org
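As an added example, not from the slides: a Python resolver for the Host-block rules in ssh_config(5) that a config like the one above relies on. Patterns use * and ? (a pattern starting with ! excludes the host), and for each option the first obtained value wins, so block order matters; the last function lists wildcard blocks that forward the agent, which is what the (!) above is warning about. It models Host blocks only (Match is not handled), assumes the "Keyword value" spelling, and the config text is constructed, modelled on the slide's.

```python
import fnmatch

# Constructed ~/.ssh/config modelled on the slide (not a real file); the ForwardAgent default is last on purpose.
SAMPLE_CONFIG = """\
Host irc
    HostName bke.ro
    User bkero
    Port 2228

Host *.mozilla.com !build.mozilla.com
    User bkero@mozilla.com
    ForwardAgent yes

Host *
    ForwardAgent no
"""

def parse_config(text: str) -> list:
    """Return [(patterns, {option: value}), ...] in file order; options before any Host line apply everywhere."""
    blocks, patterns, opts = [], ["*"], {}
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        key, value = line.split(None, 1)              # assumes the "Keyword value" form, not "Keyword=value"
        if key.lower() == "host":
            blocks.append((patterns, opts))
            patterns, opts = value.split(), {}
        else:
            opts.setdefault(key.lower(), value)       # an option repeated inside one block: first wins too
    blocks.append((patterns, opts))
    return blocks

def host_matches(host: str, patterns: list) -> bool:
    """ssh_config(5): any pattern may match, but a matching '!' pattern excludes the host outright."""
    if any(fnmatch.fnmatchcase(host, p[1:]) for p in patterns if p.startswith("!")):
        return False
    return any(fnmatch.fnmatchcase(host, p) for p in patterns if not p.startswith("!"))

def effective(host: str, blocks: list) -> dict:
    """First obtained value wins: an earlier matching block beats a later one for the same option."""
    result = {}
    for patterns, opts in blocks:
        if host_matches(host, patterns):
            result = {**opts, **result}               # keys already present keep their earlier value
    return result

def agent_forwarding_wildcards(blocks: list) -> list:
    """Blocks that forward the agent to every host matching a wildcard; any one of them can use your keys."""
    return [" ".join(p) for p, o in blocks
            if o.get("forwardagent", "").lower() == "yes" and any(c in "".join(p) for c in "*?")]
```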

Keeping your session alive

  • man ssh_config(5): TCPKeepAlive
  • man ssh_config(5): ServerAliveInternal
  • man ssh_config(5): ServerAliveCountMax
$ ssh bke.ro -D1080 -N
^C
$ autossh bke.ro -D1080 -N

Note

  • TCPKeepAlive: sends TCP keepalives, so the session dies if the TCP connection hiccups. These are plain TCP packets, so they are spoofable
  • ServerAliveInterval: internal keepalive that SSH sends through the encrypted channel if no data has been received for this many seconds
  • ServerAliveCountMax: how many ServerAliveInterval probes can go unanswered before the connection is terminated
  • mosh demo: mosh bkero@localhost; ps aux | grep mosh; cat /proc/PID/environ | tr '\0' '\n'

Mosh - mosh.org

  • Alternative piece of software
  • Uses SSH for initial handshake, then custom UDP connection
localhost$ mosh host.example.com
host$
✈️️ ✈️️ ✈️️ ✈️️ ✈️️ ✈️️ ✈️️ ✈️️
host$
$ ps -ax | grep mosh
13939 pts/7    S+     0:00 mosh-client -# localhost | 127.0.0.1 60001
$ cat /proc/13939/environ | tr \\0 \\n | grep MOSH
MOSH_CLIENT_PID=13939
MOSH_KEY=OLNCLi3qhdJ+kbWNJR0YNg
MOSH_PREDICTION_DISPLAY=adaptive

SSH Commandline

  • Must be preceded by a newline
  • Default keycombo is ~.
$ ssh bke.ro
(~?)
Supported escape sequences:
 ~.   - terminate connection (and any multiplexed sessions)
 ~B   - send a BREAK to the remote system
 ~C   - open a command line
 ~R   - request rekey
 ~V/v - decrease/increase verbosity (LogLevel)
 ~^Z  - suspend ssh
 ~#   - list forwarded connections
 ~&   - background ssh (when waiting for connections to terminate)
 ~?   - this message
 ~~   - send the escape character by typing it twice
(Note that escapes are only recognized immediately after newline.)

Tunnelling

  • Forward forwards
$ ssh -L localhost:8080:intranet.mozilla.org:443 ssh.mozilla.com
$ ssh -L 8080:intranet.mozilla.org:443 ssh.mozilla.com
  • Reverse forwards
$ ssh -N -R 0.0.0.0:5000:localhost:8000 bke.ro
  • Dynamic forwards (SOCKS proxy)
$ ssh -N -D 1080 ssh.mozilla.com
  • Sshuttle (transparent proxy)
$ sshuttle -r ssh.mozilla.com --dns 0/0
Connected.

Example: Transparent proxying

  • Tsocks (and tsocks.conf)
  • SSH -D <port>
  • Firefox -> Preferences -> Network -> Connection Settings
$ curl http://icanhazip.com
216.151.13.66

$ ssh -D 1080 bke.ro

$ cat /etc/tsocks.conf
local = 192.168.0.0/255.255.255.0
server = 127.0.0.1
server_port = 1080

$ tsocks curl http://icanhazip.com

Note

  • Tsocks is a little shim library that intercepts network system calls and pushes them through the SOCKS proxy
  • Run SSH with the -D <port> flag to enable the proxy
  • icanhazip.com is just a small site that tells you your IP address, shoutout to Rackspace for hosting it

Example: Sneaky Tunneling Trick

  • You can call python modules from the command line
  • Some modules do cool things
  • python -m SimpleHTTPServer
$ python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...

Note

  • Explain it, fire up a terminal, cd into ~/code, do python -m SimpleHTTPServer, open new tab
  • Then open another terminal showing ssh -R0.0.0.0:5000:localhost:8000 bke.ro
  • Open another tab

X Forwarding

  • Super secure mode:
$ ssh -X bke.ro
  • Oh god it's slow! Can we make it faster? YES!
$ ssh -XY bke.ro
  • Xpra: It’s like GNU Screen for X
$ ssh bke.ro
bke.ro$ xpra start :10
bke.ro$ DISPLAY=:10 xterm

$ xpra attach ssh:bkero@bke.ro:10

Note

  • You're going to want -Y. -Y is trusted forwarding: it disables the X11 SECURITY extension restrictions. X is an old protocol and makes many round-trips.

Multiplexing Connections

  • man ssh_config(5) ControlMaster
  • man ssh_config(5) ControlPath
$ cat .ssh/config
Host irc
    HostName bke.ro
    Port 2228
    ControlMaster auto
    ControlPath /home/bkero/.ssh/%h.socket

$ time ssh irc echo
real 0m2.549s

$ time ssh irc &
$ time ssh irc
real 0m0.349s

Libraries

  • Paramiko (to embed SSH into your applications)
  • Twisted Conch (to construct own servers)
  • Demo (twisted app serving nyancat)

Best Practices (server)

  • PermitRootLogin no
  • GatewayPorts
  • Keys only (AuthenticationMethods)
  • AuthorizedKeysCommand

Note

  • Logging into a box as root with a password is bad practice. At least use keys.
  • GatewayPorts no stops users from binding remote forwards (-R) to non-loopback interfaces. You probably want that restriction enabled

In Review

  • SSH is powerful
  • -D1080, Sshuttle, and tsocks give great agility
  • python -mSimpleHTTPServer is a great access trick

That’s all!

  • Questions?