Stuff I'm Up To

Technical Ramblings

Tunnelling RDP over SSH — February 4, 2020


After a day of battling with a very laggy and Windows-bound LogMeIn, we decided it was time to get to the customer's Windows machines via a conveniently placed Linux server.

It's a case of connecting to the remote server over SSH and then using port forwarding to direct traffic to the Windows RDP server. We can then run Remmina to access Windows using a much smoother-performing method.

SSH Tunnelling – autossh — January 31, 2020


Maintaining a secure connection to a remote host, using SSH to tunnel traffic for underlying services like MSQL or PostgreSQL or just for remote support, is made far easier by a tool designed to bring up the connection and then monitor and maintain it.

This is where autossh comes in.

Lsyncd and Docker — January 29, 2020
Filesystem Synchronisation — January 28, 2020
OpenSSH keys and known_hosts — January 24, 2020


As I've been working on Docker containers, I've been having to use local containerised versions of SSH key pairs and known_hosts files. I need to be able to carry out key creation etc. without upsetting my own personal keys under ~/.ssh.

This may be bread and butter stuff to many long time Linux admins, but it’s not something I’ve had to do on a daily basis until recently.

Creating a Key Pair

$ ssh-keygen -t rsa -b 4096 -f [key name]

Here I can specify the location and name of the key files to create, e.g.

$ ssh-keygen -t rsa -b 4096 -f folder/id_rsa

This gives me the id_rsa and id_rsa.pub files in the folder called folder.

Updating a known_host File

If I'm using two containers and need to get the remote container's host keys into my local container's known_hosts, I can use ssh-keyscan to grab them and append them to a file. Be careful, as the order of the parameters is important: the options (including -p) go before the host name, as in the usage line, which matters especially if you have SSH daemons on non-standard ports on the remote.

$ ssh-keyscan -H -p 22 [remote host] >> folder/known_hosts

You can change the port that the keyscan pulls host keys from by changing the -p 22 to the port you need.

This can even be scripted into your container's entrypoint so the connection is always ready, avoiding messages like:

ECDSA host key for IP address ‘192.168.122.99’ not in list of known hosts.

Host key verification failed.
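
Appending raw ssh-keyscan output to known_hosts at entrypoint time trusts whichever key answers on the network at that moment; a practitioner normally wants to compare the fetched key against a fingerprint obtained out of band (from the provider's console, the host's own `ssh-keygen -lf /etc/ssh/ssh_host_*_key.pub`, or a handover note) before pinning it. The following POSIX shell function is an added example, not code from the original post: `pin_host_key` is a hypothetical name, and it assumes `ssh-keygen` and `mktemp` are available in the container.

```shell
#!/bin/sh
# pin_host_key: append ssh-keyscan output to a known_hosts file only when the
# key's SHA256 fingerprint matches the one we expect (obtained out of band).
# Hypothetical helper, not part of the original post.
#
#   ssh-keyscan -H -p 22 remote.host | pin_host_key folder/known_hosts SHA256:<expected>
#
# Returns 0 if a matching key was found (and is now in known_hosts), 1 if not.
pin_host_key() {
    known_hosts="$1"
    expected_fp="$2"
    matched=1
    while IFS= read -r line; do
        case "$line" in
            '#'*|'') continue ;;              # ssh-keyscan comments, blank lines
        esac
        # ssh-keygen -lf wants a file; it prints "<bits> SHA256:<fp> <host> (<TYPE>)"
        tmp="$(mktemp)"
        printf '%s\n' "$line" > "$tmp"
        fp="$(ssh-keygen -lf "$tmp" | awk '{ print $2 }')"
        rm -f "$tmp"
        if [ "$fp" = "$expected_fp" ]; then
            # Append once; an identical line already present is left alone.
            grep -qxF -e "$line" "$known_hosts" 2>/dev/null \
                || printf '%s\n' "$line" >> "$known_hosts"
            matched=0
        else
            echo "pin_host_key: ignoring key with unexpected fingerprint $fp" >&2
        fi
    done
    return $matched
}

# Stand-alone use: pin_host_key.sh <host> <port> <expected SHA256 fingerprint> <known_hosts>
if [ "$#" -eq 4 ]; then
    ssh-keyscan -H -p "$2" "$1" 2>/dev/null | pin_host_key "$4" "$3"
fi
```

Because ssh-keyscan returns one line per host key type (RSA, ECDSA, Ed25519), only the line whose fingerprint matches is kept and the others are reported on stderr; a non-zero return from the entrypoint then stops the container from silently connecting with an unverified key.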

Using ssh-agent to Remember Your Password

After a while, relentlessly typing your key's passphrase gets wearing. Use ssh-agent in your current environment to provide it for you.

$ eval `ssh-agent`
$ ssh-add

You'll be asked for your passphrase once, and the agent will then answer all future requests for that key in the session.

VCSA root Locked Out! — June 7, 2019


This gave me cause for tears today. The VCSA (vCenter Server Appliance) management Web UI (https://vcsa:5480) decided not to let me in as root. I’m guessing I spannered the password a few too many times.

It's a very good job that at some point in the past I put my public key onto the system, so I could use my plain old no-password-required private key to log on to the system using SSH!

SSH Logon with Private Key

Now that I'm logged on to the console, how do I go about getting access back to the Web UI? I discovered that the VCSA system uses pam_tally2 to lock out accounts after repeated failed logins. What I needed to do was reset the root account's failure counter:

# pam_tally2 --user=root
 Login           Failures Latest failure     From
 root               10    06/07/19 14:12:11  unknown
# pam_tally2 --user=root --reset
 Login           Failures Latest failure     From
 root               10    06/07/19 14:12:11  unknown
# pam_tally2 --user=root
 Login           Failures Latest failure     From

Now I can logon to the Web UI!

The lesson to learn here is to install your public key onto your precious Linux boxes!

Public Key from Private Key — January 3, 2019


I fall over this every so often. I have the private key file but would either have to trawl servers for authorized_keys files to get the public key or remember how to obtain the public key from the private key.

Time to document it here so I don’t have to hunt for it with Google again.

For an RSA public key in PEM format:

$ openssl rsa -in private.key -pubout

-----BEGIN PUBLIC KEY-----
MIIBIDA ...
-----END PUBLIC KEY-----

For an SSH/PuTTY-friendly one-line version:

$ ssh-keygen -y -f private.key

ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQE ...
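
The `ssh-keygen -y` output also settles the "which servers is this key on" question without reading authorized_keys by eye: derive the public key, then compare by key type and base64 blob so that differing comments and any options prefix (`from="..."`, `command="..."`) do not matter. The following POSIX shell function is an added example, not code from the original post; `find_key_in_authorized_keys` is a hypothetical name and it assumes `ssh-keygen` and `awk` are available.

```shell
#!/bin/sh
# find_key_in_authorized_keys <private key> <authorized_keys>
# Derives the public key with "ssh-keygen -y" and looks for it in an
# authorized_keys file, matching on key type + base64 blob only so that
# comments and option prefixes (from="...", command="...") do not matter.
# Prints the 1-based line number of the match. Returns 0 found, 1 not found,
# 2 if the private key could not be read. Hypothetical helper, not from the post.
find_key_in_authorized_keys() {
    private_key="$1"
    authorized_keys="$2"
    # ssh-keygen -y prints "<type> <base64> [comment]"; a passphrase-protected
    # key prompts for the passphrase here.
    derived="$(ssh-keygen -y -f "$private_key")" || return 2
    want_type="${derived%% *}"           # first field: key type
    rest="${derived#* }"
    want_blob="${rest%% *}"              # second field: base64 key material
    awk -v t="$want_type" -v b="$want_blob" '
        /^[ \t]*(#|$)/ { next }          # comments and blank lines
        {
            # Walk the fields so a leading options list is skipped.
            for (i = 1; i < NF; i++)
                if ($i == t && $(i + 1) == b) { print NR; found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    ' "$authorized_keys"
}
```

Run it against a copy of each server's authorized_keys (or over `ssh host cat ~/.ssh/authorized_keys`) to build an inventory of where a given private key is trusted, which is the list you need when that key has to be rotated or revoked.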
SRX SSH Ciphers, Algorithms & Key Exchange — July 31, 2017


When doing a Nessus scan for the first time on the new SRX320 cluster, it highlighted some weaknesses in the SSH service. This was due to arcfour, CBC-mode ciphers and weak HMAC algorithms being enabled by default.

To remedy this we need to restrict the SSH service to an explicit list of acceptable ciphers, MACs and key-exchange algorithms.

Using the CLI, a simple change to the config for the SSH service is required, under system services ssh.

# edit system services ssh
# set ciphers [ aes256-ctr "aes256-gcm@openssh.com" "chacha20-poly1305@openssh.com" ]
# set macs [ hmac-sha2-256 "hmac-sha2-256-etm@openssh.com" hmac-sha2-512 "hmac-sha2-512-etm@openssh.com" ]
# set key-exchange [ curve25519-sha256 ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521 group-exchange-sha2 ]

Commit the changes and rescan, and all is good. Since the session you commit from is itself SSH, first check that your own client offers at least one algorithm from each list, or use commit confirmed so that Junos rolls the change back if you lose the session.
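
The scanner findings boil down to a few algorithm families: RC4 (arcfour), CBC-mode ciphers, MD5/SHA-1 and truncated MACs, and SHA-1 or 1024-bit-group key exchange. The following POSIX shell function is an added example, not code from the original post: `classify_ssh_algorithms` is a hypothetical name, and it takes algorithm names one per line, e.g. from `ssh -Q cipher`, `ssh -Q mac` and `ssh -Q kex` on a client or from a scanner's list of what a server offers, and flags the ones a scan will keep complaining about, so a proposed allow-list like the one above can be checked before it is committed.

```shell
#!/bin/sh
# classify_ssh_algorithms: read SSH algorithm names one per line and flag the
# families scanners report as weak: RC4 (arcfour), CBC-mode ciphers, MD5/SHA-1
# and truncated (-96 / umac-64) MACs, and SHA-1 or 1024-bit-group key exchange.
# Prints "WEAK <name>" or "ok <name>"; returns 1 if anything was weak, else 0.
# Hypothetical helper, not from the original post.
classify_ssh_algorithms() {
    weak=0
    while IFS= read -r name; do
        [ -n "$name" ] || continue
        case "$name" in
            arcfour*|*-cbc|*-cbc@*|blowfish*|cast128*)
                echo "WEAK $name"; weak=1 ;;            # RC4 and CBC-mode ciphers
            hmac-md5*|hmac-sha1*|*-96|*-96-etm@*|umac-64*)
                echo "WEAK $name"; weak=1 ;;            # MD5/SHA-1 and truncated MACs
            diffie-hellman-group1-*|*-sha1)
                echo "WEAK $name"; weak=1 ;;            # 1024-bit group or SHA-1 KEX
            *)
                echo "ok $name" ;;
        esac
    done
    return $weak
}

# Stand-alone: audit what the local client will offer, one category at a time,
# e.g. ./classify.sh cipher, ./classify.sh mac, ./classify.sh kex
if [ "$#" -eq 1 ] && command -v ssh >/dev/null 2>&1; then
    ssh -Q "$1" | classify_ssh_algorithms
fi
```

The patterns are deliberately broad (any `*-sha1` key exchange, any `*-96` MAC) because the point is to catch the whole family a scanner will flag, not to track individual plugin names; the return code makes it usable as a gate in a config-review script.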


SSH Logon with Private Key — March 1, 2017
SSH Weak MAC Algorithms Enabled — February 15, 2017
SSH Tunnelling — September 27, 2016
Debian Installation — September 20, 2016


When I set up a Debian server there are a few basic things I do to get it online.

First step: boot from the netinst CD and follow the installer.

Log on first over SSH as your regular user account, since root can't access the system remotely. So you'll have to log on unprivileged and then su to root.

$ su

Sudo

Then, before doing anything else, install sudo and give your user account access by making it a member of the sudo group.

# apt-get install sudo
# usermod -a -G sudo [user]

You'll have to log out and back in to pick up the sudo group change.
