SSH COOKBOOK V2 
AN SSH TOOLS SUITE PRESENTATION 
ENHANCED VERSION 
Created by Jean-Marie Renouard / @jmrenouard 
http://www.jmrenouard.fr/
WHAT'S SSH ? 
SSH is a secure communication protocol carried over TCP (port 22 by default). 
SSH v2 is the base standard in all distributions (v1 is obsolete and disabled). 
SSH allows you to connect securely to a server. 
SSH defends against attacks such as man in the middle, provided you verify the server's host key the first time you connect: the fingerprint prompt is recorded in ~/.ssh/known_hosts and any later change is reported.
SSH BASIC USAGE 
Connect to server REF01.mynetwork as osuser 
$ ssh osuser@REF01.mynetwork
WHAT'S NEXT ? 
A password is asked for: 
osuser@REF01.mynetwork's password : 
The password is checked by the system (PAM on Linux). 
The input password is hashed with the salt and algorithm stored in /etc/shadow. 
The result is compared with the hash stored in /etc/shadow. 
Comparison failed: the command fails, simple !
AND WHEN IT IS OK ... 
Comparison succeeded. 
SSH asks the system for a new shell session. 
The shell session is based on /etc/passwd info: 
the 7th and last field of /etc/passwd is the shell path. 
Default welcome message: 
Last login: Thu Mar 20 23:26:46 2014 from 192.168.X.X 
(Check that this "Last login" line matches your own previous connection; it is a cheap way to notice someone else using your account.) 
Then you've got a shell (Bash for instance), 
a shell just like a local shell, remotely and securely !
SHELL IS GREAT 
Ctrl-d : sends end-of-file to the shell, which exits and closes the connection. 
Ctrl-l : clears your screen 
Ctrl-r : searches the bash history on the server 
Readline powered 
.bash_history : command history (on the server, so it holds whatever you typed there, including passwords pasted by mistake) 
.bash_profile and .bashrc for personal shell customisation 
(aliases, functions, ...)
BORING ASPECT OF SSH 
ONE CONNECTION MEANS ONE PASSWORD CHECK. 
Password typing, with no tolerance for human error. 
Ctrl-d, exit, kill -9 0, killall bash, ... 
Killing or terminating the shell session means: 
all processes launched from the shell session lose their terminal, receive SIGHUP and die with it (unless started with nohup, setsid or inside screen/tmux). 
You JUST have to REconnect and REtype your password, 
and REtype your command, even if it had already been running for a long time.
AVOIDING PASSWORD TYPING 
Thankfully, it is possible to connect without typing a password: public-key authentication. 
It is at least as secure as password typing, as long as the private key stays private. 
Maybe more secure: 
No password Excel file on the network 
No access info on a Post-it on the Scrum board :)
SSH KEY GENERATION 
2 FILES MUST BE GENERATED 
1. Red key : .ssh/id_rsa is your private SSH key. 
Keep it secret (mode 0600; ssh refuses to use a private key readable by others). 
2. Blue key: .ssh/id_rsa.pub is your public SSH key. It can be handed out freely; it is what gets installed on servers.
SSH KEY GENERATION COMMAND 
Key generation command: 
ssh-keygen -t rsa 
Hey, it is asking me for a F*** passphrase !!! 
Leave it empty :) 
(An empty passphrase means anyone who copies id_rsa can use it. That is acceptable for a dedicated automation key kept on one locked-down host; for your personal key, set a passphrase and let ssh-agent cache it, so you still type it only once per session.)
SSH KEY DEPLOYMENT 
Public key deployment command: 
ssh-copy-id -i .ssh/id_rsa.pub osuser@REF01.mynetwork 
It is asking for a password for the last time .... 
ssh-copy-id appends the public key to ~/.ssh/authorized_keys on the server and fixes the directory and file permissions.
AND ALL IS OK ? 
On the server, .ssh/authorized_keys contains the content of 
your public key. 
Try to connect once again. 
ssh osuser@REF01.mynetwork 
NO MORE PASSWORD .... 
Magic. Simple, easy and secure .... 
If you are still asked for a password, check the permissions on the server: ~/.ssh must be 0700 and authorized_keys 0600, or sshd silently ignores the file (StrictModes).
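The key deployment above, taken one step further as an added example (not code from the original deck): a passphrase-less key is only as safe as the things it is allowed to do, so on the server side an automation key should be limited to one forced command, with forwarding and pty disabled, and installed with the file modes sshd insists on. The key blob, host names and paths in the script are constructed placeholders; ed25519 is used instead of the deck's rsa.

```shell
#!/bin/sh
# Added example, not from the original slides: install a public key on the
# server side the way an unattended (passphrase-less) automation key should be
# installed: limited to one command, forwarding and pty disabled, into a
# directory and file with the modes sshd requires, without duplicate entries.
# The key blob, host names and paths below are constructed placeholders.

# gen_automation_key PATH COMMENT
# A passphrase-less key for one job (ed25519 here instead of the slides' rsa).
# No passphrase, so keep PATH at mode 0600 on a single host. Not run by the demo.
gen_automation_key() {
  ssh-keygen -t ed25519 -N '' -C "$2" -f "$1"
}

# key_id LINE : print "<type> <base64>" of a pubkey or authorized_keys line,
# skipping any leading options and the trailing comment
key_id() {
  printf '%s\n' "$1" | awk '{
    for (i = 1; i < NF; i++)
      if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $i, $(i + 1); exit }
  }'
}

# restrict_key PUBKEY_LINE FORCED_COMMAND [FROM_PATTERN]
# Print an authorized_keys line that only lets the key run FORCED_COMMAND.
# "restrict" (OpenSSH 7.2+) disables port/agent/X11 forwarding and pty
# allocation; "from=" additionally pins the client address or CIDR.
restrict_key() {
  opts="restrict,command=\"$2\""
  [ -n "${3:-}" ] && opts="$opts,from=\"$3\""
  printf '%s %s\n' "$opts" "$1"
}

# install_key AUTHORIZED_KEYS_FILE LINE
# Create the .ssh directory (0700) and the file (0600) as sshd's StrictModes
# expects, then append LINE unless the same key is already present.
install_key() {
  file=$1 line=$2
  dir=$(dirname "$file")
  mkdir -p "$dir" && chmod 700 "$dir"
  [ -f "$file" ] || : >"$file"
  chmod 600 "$file"
  id=$(key_id "$line")
  if grep -qF -- "$id" "$file"; then
    echo "already installed: $id" >&2
    return 0
  fi
  printf '%s\n' "$line" >>"$file"
}

# Usage on the server, after copying backup.pub over (constructed names):
#   install_key ~/.ssh/authorized_keys \
#     "$(restrict_key "$(cat backup.pub)" "/usr/local/bin/backup.sh" "192.168.1.0/24")"
```

With such a line in place, the client holding that key can only ever trigger backup.sh, whatever command it passes on the ssh command line (the requested command is exposed to the forced command in SSH_ORIGINAL_COMMAND, which is how one key can serve a small menu of allowed actions).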
IS IT ALL ? 
How to automate the password dialog itself ? 
Library Expect : 
a library that interacts with an interactive program programmatically. 
You can script an interactive scenario (wait for a prompt, send an answer) 
and execute it automatically. 
(Keys are the better answer for unattended jobs; Expect is for the cases where you cannot install a key.)
BETTER THAN A SHELL 
YOU CAN ALSO EXECUTE A COMMAND REMOTELY. 
Shut down the server: 
ssh root@REF01.mynetwork shutdown -h now 
Execute a Python script that is on the remote host: 
ssh osuser@REF01.mynetwork "python remoteScript.py" 
Get the load average of the REF01 server: 
ssh osuser@REF01.mynetwork uptime 
The command is run by the remote user's login shell, so quote it as you would locally; without a command, ssh starts an interactive shell instead.
PERL EXPECT 
#!/usr/bin/perl 
# Drive an interactive ssh login with Expect: answer the host-key question, 
# the login prompt and the password prompt, then let the command run. 
# Usage: ssh-expect.pl user@host password command 
# Caveat: the password is passed on the command line, so every local user 
# can read it in the process list; prefer SSH keys for automation. 
use strict; 
use warnings; 
use Expect; 
my ($target, $password, $remote_cmd) = @ARGV; 
die "usage: $0 user\@host password command\n" unless defined $remote_cmd; 
my $timeout = 10;    # seconds to wait for each prompt 
my $command = "ssh $target $remote_cmd"; 
my $exp = Expect->spawn($command) or die "Cannot spawn $command: $!\n"; 
$exp->raw_pty(1); 
LOGIN: 
$exp->expect($timeout, 
    # some servers still ask for a login name 
    [ qr/ogin: $/ => sub { $exp->send("luser\n"); exp_continue; } ], 
    # first connection: unknown host key ("(yes/no)?" or "(yes/no/[fingerprint])?"), 
    # accept it and go back to waiting for the next prompt 
    [ qr/\(yes\/no[^)]*\)\?\s*$/ => sub { $exp->send("yes\n"); goto LOGIN; } ], 
    [ qr/assword:\s*$/ => sub { $exp->send("$password\n"); exp_continue; } ], 
    # stop waiting once a shell prompt is reached 
    '-re', qr'[#>:] $' 
); 
$exp->soft_close();
REMOTE EXECUTE A LOCAL SCRIPT 
PYTHON, BASH, PHP, RUBY, JAVA, ALL INTERPRETERS 
The interpreter must be present on the remote server 
Simple Python script: hello.py 
#!/usr/bin/python 
print("Hello World !") 
Remote execution script: ssh-exec 
#!/bin/sh 
# ssh-exec: run a local script on a remote host through the interpreter 
# named in its shebang line (which must exist on the remote side) 
[ $# -eq 2 ] || { echo "usage: $0 user@host script" >&2; exit 1; } 
INTERPRETER=$(head -n 1 "$2" | sed -e 's/^#!//') 
# Send the script body, minus the shebang, on the remote interpreter's stdin. 
# (Filtering with grep -v "#" would also drop code lines that merely contain a '#'; 
# no -t either: with a pipe on stdin ssh cannot allocate a pty anyway.) 
tail -n +2 "$2" | ssh "$1" "$INTERPRETER" 
Usage 
ssh-exec osuser@REF01.mynetwork hello.py
FILE TRANSFER OVER SSH 
Using input/output redirection: the remote side is just a command reading its stdin. 
cat myLocalFile | ssh osuser@REF01.mynetwork "cat > myRemoteFile" 
Compressing on the fly (the remote side must decompress, otherwise myRemoteFile is left gzipped): 
cat myLocalFile | gzip | ssh osuser@REF01.mynetwork "gzip -d > myRemoteFile" 
Compression by SSH itself (-C compresses the whole session, the piped stream included): 
cat myLocalFile | ssh -C osuser@REF01.mynetwork "cat > myRemoteFile"
DIRECTORIES OVER SSH 
Commands using stdin/stdout for a whole directory 
tar, the UNIX archiver, reads and writes stdin and stdout 
tar -czf - myDir | ssh osuser@ref01.mynetwork "tar -xzf -" 
(The archive already contains the myDir top level, so do not mkdir/cd into myDir first, or you end up with myDir/myDir; the stream is already gzipped, so ssh -C adds nothing here.) 
Better solution 
A kind of cp based on the SSHv2 protocol 
scp -rp myDir osuser@ref01.mynetwork:myDir 
Best solution 
Incremental copy: only files that changed since the last run are transferred 
rsync -avz myDir/ osuser@ref01.mynetwork:myDir/ 
(With rsync the trailing slash matters: "myDir/" syncs the contents of myDir into the remote myDir, "myDir" would create myDir/myDir.)
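The tar-over-ssh idea from this slide, as an added example that is not part of the original deck: the sending and receiving sides are written as plain shell functions joined by a pipe, which is exactly what ssh turns into a network pipe, and the copy is checked with a checksum manifest. The archive is built relative to the parent directory, so the receiver only extracts (no mkdir/cd, no myDir/myDir). Directory and file names are constructed.

```shell
#!/bin/sh
# Added example, not from the original slides: the tar-over-ssh copy with its
# two sides as functions, exercised locally with a plain pipe, plus a checksum
# manifest to verify the copy. Names below are constructed.

# manifest DIR : one "crc size ./path" line per regular file, sorted, so that
# two trees can be compared textually (cksum is POSIX; prefer sha256sum where
# it exists)
manifest() {
  ( cd "$1" && find . -type f | sort | while read -r f; do cksum "$f"; done )
}

# pack_dir DIR : gzip'd tar of DIR, rooted at its basename, on stdout
pack_dir() {
  tar -czf - -C "$(dirname "$1")" "$(basename "$1")"
}

# unpack_dir DEST : extract the stream on stdin under DEST
unpack_dir() {
  mkdir -p "$1" && tar -xzf - -C "$1"
}

# copy_dir_verified SRC DEST : copy SRC under DEST and compare the manifests.
# Over SSH the right-hand side of the pipe becomes
#   ssh osuser@ref01.mynetwork 'mkdir -p dest && tar -xzf - -C dest'
# and the remote manifest is fetched the same way:
#   ssh osuser@ref01.mynetwork 'cd dest/myDir && find . -type f | sort | xargs cksum'
copy_dir_verified() {
  pack_dir "$1" | unpack_dir "$2" || return 1
  [ "$(manifest "$1")" = "$(manifest "$2/$(basename "$1")")" ]
}
```

Usage: copy_dir_verified myDir /backup returns 0 only if every file arrived with the same size and checksum; a non-zero status from the pipe (disk full on the receiving side, interrupted session) is also reported rather than silently leaving a partial tree.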
MULTIPLE HOST COMMANDS 
SIMPLE SHELL LOOP ON 3 SERVERS 
for host in server1 server2 server3; do 
  echo "* Updating $host" 
  ssh -C root@${host}.mynetwork "yum -y update" 
done 
SIMPLE SHELL LOOP ON SERVER1 TO SERVER100 
for i in $(seq 1 100); do 
  host=server${i}.mynetwork 
  echo "* Updating $host" 
  ssh -C root@${host} "yum -y update" 
done 
Sequential: each host is updated only after the previous one has finished, so one hung host blocks all the others.
MULTIPLE HOST COMMANDS IN PARALLEL 
FORKING SUBSHELLS IN LOOP ON SERVER1 TO SERVER100 
for i in $(seq 1 100); do 
  ( 
    host=server${i}.mynetwork 
    echo "* Updating $host" 
    ssh -C root@${host} "yum -y update" >> ${host}.update.log 2>&1 
    echo "* Updating $host ..DONE" 
  )& 
done 
wait 
Output and errors are stored in an individual log file per host. 
The redirection order matters: ">> file 2>&1" sends both streams to the file, whereas "2>&1 >> file" (a common mistake) sends stderr to the terminal and only stdout to the file. 
"wait" keeps the script from exiting before the 100 background sessions have finished.
MULTIPLE HOST COMMANDS IN PARALLEL 
FORKING SUBSHELLS IN LOOP FROM A FILE 
while read -r host; do 
  ( 
    echo "* Updating $host" 
    ssh -n -C root@${host} "yum -y update" >> ${host}.update.log 2>&1 
    echo "* Updating $host ..DONE" 
  )& 
done < "${1:-/dev/stdin}" 
wait 
Server names are read from the file given as first argument, or from stdin: one server name per line. 
Output and errors are stored in an individual log file per host. 
"-n" is required here: without it ssh reads its own stdin, which is the host list, and the loop stops after the first host.
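The parallel loops above, as an added example that is not from the original deck: a runner with a concurrency cap, so 100 hosts do not mean 100 simultaneous sessions, with ssh options that make a batch fail fast instead of hanging (BatchMode so no host can sit waiting for a password, ConnectTimeout so a dead host gives up), per-host log and exit status files, and a failure summary. Host names, the command and the paths are constructed; the ssh command line is read from $SSH so it can be swapped for "echo ssh" in a dry run.

```shell
#!/bin/sh
# Added example, not from the original slides: the parallel update loop as a
# bounded-concurrency runner. What it adds over the loop:
#  - at most MAXPAR ssh sessions at once (xargs -P) instead of 100 forks;
#  - BatchMode=yes, so a host that would prompt for a password fails at once
#    instead of hanging the batch, and ConnectTimeout, so a dead host does too;
#  - ssh -n, so ssh never swallows the rest of the host list from stdin;
#  - per host: stdout+stderr in LOGDIR/<host>.log, exit status in LOGDIR/<host>.rc;
#  - a failure summary and a non-zero return if any host failed.
# Host names, command and paths are constructed. The ssh command line comes
# from $SSH so it can be replaced for a dry run ("echo ssh") or a test double.

: "${SSH_USER:=root}"
: "${SSH:=ssh -n -o BatchMode=yes -o ConnectTimeout=10 -o StrictHostKeyChecking=yes}"
export SSH SSH_USER

# run_on_hosts HOSTFILE LOGDIR MAXPAR COMMAND
# HOSTFILE: one host per line; blank lines and '#' comments are ignored.
# Returns 0 only if every host exited 0.
run_on_hosts() {
  hosts=$1 logdir=$2 maxpar=$3 cmd=$4
  mkdir -p "$logdir"
  # strip comments and blanks, then hand each host to a small worker shell
  sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$hosts" |
    xargs -P "$maxpar" -I{} sh -c '
      host=$1 logdir=$2 cmd=$3
      $SSH "$SSH_USER@$host" "$cmd" >"$logdir/$host.log" 2>&1
      echo $? >"$logdir/$host.rc"
    ' _ {} "$logdir" "$cmd"
  [ -z "$(failed_hosts "$logdir")" ]
}

# failed_hosts LOGDIR : print the hosts whose recorded exit status is not 0
failed_hosts() {
  for rc in "$1"/*.rc; do
    [ -f "$rc" ] || continue
    [ "$(cat "$rc")" = 0 ] || basename "$rc" .rc
  done
}

# Command-line use: run_on_hosts.sh hosts.txt ./logs 10 "yum -y update"
if [ $# -eq 4 ]; then
  if run_on_hosts "$@"; then
    echo "all hosts done"
  else
    echo "failed hosts:"
    failed_hosts "$2"
    exit 1
  fi
fi
```

Because every host's exit status is kept in its own .rc file, a second run can be limited to the failures (failed_hosts ./logs > retry.txt), and a host that needs a password, or that presents an unknown host key, shows up as a failure in its log rather than as a batch that never ends.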
PORT FORWARDING 
OPEN A LOCAL PORT AND REDIRECT IT THROUGH SSH 
ssh -L 2000:localhost:80 user@host1 
Opens local port 2000 and forwards its I/O to port 80 on host1 
("localhost" is resolved by host1, so it means host1 itself) 
ssh -L 8080:host2:80 user@host1 
Opens local port 8080 and forwards its I/O to port 80 on host2, 
using the SSH session to host1 to reach host2 
Only the client-to-host1 leg is encrypted; host1 talks to host2:80 in plain TCP. 
The local port is bound to 127.0.0.1 by default, so other machines cannot use the tunnel unless you bind it explicitly (-L 0.0.0.0:8080:host2:80 or -g).
REVERSE PORT FORWARDING 
OPEN A REMOTE PORT ON THE SERVER AND REDIRECT IT 
THROUGH SSH TO THE CLIENT 
ssh -R 2000:localhost:80 user@host1 
Opens port 2000 on host1 
and sends connections made to it back through the tunnel to port 80 on the SSH client host 
ssh -R 8080:host2:80 user@host1 
Opens port 8080 on host1 
and sends connections made to it back to the client host, which then connects to host2 on port 80 (host2 is resolved on the client side) 
Using the SSH session to host1 to expose host2 to host1 
By default host1 binds the port on its loopback interface only; exposing it to other machines requires GatewayPorts yes in host1's sshd_config, which also means anyone reaching host1 reaches the service behind the tunnel.
USEFUL SCRIPTS 
ssh-installkeys, SSH key installer 
ssh-copy-id, included in openssh-clients in all distributions 
sshfs, FUSE filesystem over SSH 
MUSSH, multihost SSH 
perl-Net-SSH-Expect, automate a password login when you cannot use SSH keys 
scanssh, scan a network for SSH servers and their versions 
sshpass, feed a password to ssh non-interactively (not a password cracker; the password then lives in a file, an environment variable or the command line, so prefer keys)
PROJECTS FOR MASSIVE REMOTE EXECUTION 
Ansible in Python 
Chef in Ruby 
Rex in Perl 
Rundeck in Java 
Envoy in PHP 
Shunt in PHP 
SSHKit 
DO It in Ruby
PROJECTS FOR SSH MANAGEMENT 
GateOne, web SSH client 
Storm in Python, manage your SSH hosts (~/.ssh/config) 
sshrc, transport your shell config everywhere 
git deliver, deliver files from git over SSH 
sshuttle, the poor man's VPN
STELLAR LINKS 
Code samples in Bash and Perl 
http://www.jmrenouard.fr 
Follow me on Twitter
THE END 
BY JEAN-MARIE RENOUARD / JMRENOUARD.FR
