After faffing around for the last couple of days, I finally managed to get Android #Termux to connect to one of my Linux PCs using #tailscale. Needed to create an id_rsa file with a #SSH key. Using #ChatGPT to point me in the right direction. Will never really need it. Just wanted to see if I could do it 😁
With the constant rise of online threats, it becomes more crucial to ensure that your server is secure. Review these basic measures, and make your server safer. The steps in this guide are primarily geared towards Ubuntu and Debian, but the fundamental principles are the same.
To protect my data, I have disabled the DynDNS function on my Fritzbox and don't use web access on the Raspi. Is my data safe?
Just released: AWS Y SSH Cheat Sheet by jaotalvaro
Here's their description of it: Information on how to access a server created in AWS via an SSH connection
A dumb #SSH question, maybe someone happens to know a simple solution:
I'm behind a restrictive firewall that only has ports 443 and 80 open to the outside. In other words: http(s) works, ssh doesn't.
Of course, in theory I could also run an SSH connection over ports 80 and 443.
But the server (Debian, also mine, publicly reachable) already has nginx running on those ports, i.e. the ports are already taken.
Does anyone know a way, e.g. a special subdomain or a (secret?) path, to set things up so that I end up at port 22 on my server in the end?
The goal is then to set up a protected entry point to a reverse SSH tunnel to the shielded server.
Synology: updating Tailscale outside the Package Center
if you've tried `ssh-copy-id` with a 1Password-managed ssh key, you can't, because ssh-copy-id won't copy it without the private key also there; I think it's like a "save the stupid user" thing. Run your command first with `-f -n` for a quick dry run, then remove the `-n`. It works, you just have to force it.
ssh-copy-id -f -i .ssh/1password.booger.id_ed25519.pub email@example.com
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/1password.booger.id_ed25519.pub"
@polpo @jcs In my mind, it’s futile to connect most #retro computers directly to the internet, barely a chance for up-to-date TCP stacks esp. considering #QUIC and the occasionally fast moving cipher changes. Perhaps all they would need is a pseudo-serial port that transparently corresponds to a data stream on today's internet, be it telnet, TLS, #SSH or QUIC. Possibly providing free getty functionality for ssh access, and reviving #zmodem for reliable file transfer.
A testing database I had on a VPS got hit with ransomware :blobfoxannoyed: It was testing and had nothing on it, so nothing was lost. But I don't get how it got pwned.
I hadn't bothered to change the default password on the database since it was an empty testing database, so yeah that makes it easy. But I had it behind #UFW firewall, access only allowed through #Tailscale. Password logins are disabled in #SSH and only key logins enabled, also only allowed through Tailscale.
1.Install PAM module
$ apt install libpam-google-authenticator
2. Generate QR Code and add token to your TOTP App
3. Set these configuration in your /etc/ssh/sshd_config:
4. Edit /etc/pam.d/sshd and add below common-auth:
auth required pam_google_authenticator.so
5. Restart sshd
~ ❯ ssh firstname.lastname@example.org
email@example.com ~ #
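The post leaves out the sshd_config directives that make step 3 work. The following is an added example, not from the post: a small checker that parses an sshd_config the way sshd does (first value wins, global section only) and reports whether it actually enforces key plus TOTP. The two embedded configs are constructed samples: a stock-looking Debian default and the hardened version this procedure needs.

```python
"""Check an sshd_config for the settings the publickey + TOTP procedure above
needs. Added example; the sample configs are constructed, not from the post."""
import re

# Constructed: roughly what a stock Debian/Ubuntu sshd_config provides before the change.
WEAK_CONFIG = """\
Include /etc/ssh/sshd_config.d/*.conf
PasswordAuthentication yes
KbdInteractiveAuthentication no
UsePAM yes
"""

# Constructed: the global settings that make every login require key AND TOTP.
HARDENED_CONFIG = """\
PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
KbdInteractiveAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
"""


def parse_sshd_config(text):
    """Return {keyword_lower: value} for the global section of an sshd_config.

    sshd keeps the first value it reads for a keyword (so a drop-in pulled in
    by an Include at the top wins over later lines); this parser mirrors that
    by ignoring duplicates. Parsing stops at the first Match block, whose
    settings apply only conditionally (a simplification for this example).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings


def check_mfa_config(text):
    """Return findings for a config; [] means key + PAM/TOTP is enforced for all users."""
    s = parse_sshd_config(text)
    findings = []
    if s.get("usepam", "").lower() != "yes":
        findings.append("UsePAM must be yes, otherwise pam_google_authenticator never runs")
    kbd = s.get("kbdinteractiveauthentication") or s.get("challengeresponseauthentication", "")
    if kbd.lower() != "yes":
        findings.append("KbdInteractiveAuthentication must be yes "
                        "(ChallengeResponseAuthentication on OpenSSH before 8.7)")
    # AuthenticationMethods lists alternatives separated by spaces; each alternative
    # is a comma-separated chain that must be completed in order.
    chains = [alt.split(",") for alt in s.get("authenticationmethods", "").split()]
    if not chains or not all({"publickey", "keyboard-interactive"} <= set(c) for c in chains):
        findings.append("AuthenticationMethods should be 'publickey,keyboard-interactive' "
                        "so a key alone or a TOTP alone is never enough")
    if s.get("passwordauthentication", "yes").lower() != "no":   # sshd default is yes
        findings.append("PasswordAuthentication should be no; TOTP adds a factor, "
                        "it does not replace the key")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, check_mfa_config(cfg) or "OK")
```

One caveat the checker cannot see: with `@include common-auth` still active in /etc/pam.d/sshd, the keyboard-interactive step asks for the Unix password as well as the TOTP code. If the intent is key plus TOTP only, comment out that include, and run `sshd -t` before restarting so a typo does not lock you out of the box you are hardening.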
It's funny that sometimes #cryptography toots appear in my #tofu feed. There's a thing called Trust On First Use, which basically means that you trust a (public) key whenever it's used for the first time. For example, in #Matrix, you can begin chatting with a person right away after the chat is created (and keys exchanged in the background), even if you haven't verified the keys; your Matrix client will only warn you when the key is changed (which could be a sign of the account being compromised). #SSH has a similar feature (I think it's the program that made T.O.F.U. popular).
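The decision ssh makes on connect, as an added example that is not part of the post above: look the host up in known_hosts (including entries hashed under HashKnownHosts, which use HMAC-SHA1 keyed with the stored salt) and classify the presented key as new, matching, changed or revoked. Hosts, keys and the salt are constructed for the demo.

```python
"""Trust On First Use against an OpenSSH known_hosts file.

Added example, not part of the post: this is the decision ssh makes on connect,
including entries hashed under HashKnownHosts and @revoked markers. Keys,
hosts and salt below are constructed for the demo."""
import base64
import fnmatch
import hashlib
import hmac


def ssh_string(b):
    return len(b).to_bytes(4, "big") + b


def ed25519_blob(raw32):
    """Base64 public-key blob as written in known_hosts: string(type) + string(key)."""
    return base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(raw32)).decode()


def hash_hostname(hostname, salt):
    """HashKnownHosts form: |1|b64(salt)|b64(HMAC-SHA1(key=salt, msg=hostname))."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


GOOD_KEY = ed25519_blob(bytes(range(32)))       # constructed; the key we saw first
OTHER_KEY = ed25519_blob(bytes(range(32, 64)))  # what a rebuilt or impersonated host presents
REVOKED_KEY = ed25519_blob(b"\x7f" * 32)
SALT = b"\x01" * 20                             # OpenSSH uses 20 random bytes

KNOWN_HOSTS = "\n".join([
    "# constructed sample ~/.ssh/known_hosts",
    "git.example.com,203.0.113.10 ssh-ed25519 " + GOOD_KEY,
    hash_hostname("hashed.example.net", SALT) + " ssh-ed25519 " + GOOD_KEY,
    "@revoked old.example.com ssh-ed25519 " + REVOKED_KEY,
    "*.internal.example ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0",  # other key type, wildcard
])


def host_matches(pattern, hostname):
    """Match a known_hosts host field: hashed entry, or comma-separated patterns
    with * and ? wildcards (negated '!' patterns are skipped in this example)."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, _ = pattern.split("|")
        return hash_hostname(hostname, base64.b64decode(salt_b64)) == pattern
    return any(fnmatch.fnmatchcase(hostname, p)
               for p in pattern.split(",") if not p.startswith("!"))


def tofu_check(known_hosts, hostname, keytype, key_b64):
    """Classify the key a server presents as 'new', 'match', 'CHANGED' or 'REVOKED'.

    For non-default ports pass hostname as '[host]:port', as ssh stores it.
    """
    seen = []  # (marker, blob) entries for this host and key type
    for raw in known_hosts.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        marker = None
        if fields[0].startswith("@"):
            marker, fields = fields[0], fields[1:]
        if marker == "@cert-authority" or len(fields) < 3:
            continue  # CA-signed host keys need a signature check; out of scope here
        pattern, ktype, blob = fields[:3]
        if ktype == keytype and host_matches(pattern, hostname):
            seen.append((marker, blob))
    if any(m == "@revoked" and b == key_b64 for m, b in seen):
        return "REVOKED"
    trusted = [b for m, b in seen if m is None]
    if not trusted:
        return "new"      # first use: ssh asks, then appends the key and trusts it from now on
    return "match" if key_b64 in trusted else "CHANGED"   # CHANGED is the loud warning
```

The weak point of TOFU is visible in the code: "new" is accepted on the user's say-so, so the first connection is where an interposed host wins. Pre-seeding known_hosts (ssh-keyscan run from a trusted vantage point, or host certificates with an @cert-authority line) turns that first connection into a "match" check too.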
If the #iPhone15Pro action button allows #Shortcuts, does that mean, I can create a shortcut with a series of #SSH commands to destroy all of my server infrastructure by accidentally pushing it inside my pocket?
Count me in.
From the makers of pocket-called™️ comes out:
last but not least
#SSH is a standard tool, but it can be tricky to explain setup to people across different operating systems. Our updated SSH reference is designed to help people on all the standard platforms. If you ever needed a place to point people, this might work: https://scicomp.aalto.fi/scicomp/ssh/
a better proactive approach for public-facing #debian systems is to safelist a trusted IP (or at least a subnet from one or more ISPs)
$ sudo ufw allow from 126.96.36.199
$ sudo ufw allow from 188.8.131.52/24
setup a cheap long-term VPS somewhere and setup pi-vpn, or use @tailscale for a trusted source IP for a personal linux admin bastion
September 20, 2023 THN Kubernetes / Supply chain attack
Cybersecurity researchers have discovered a new batch of malicious packages in the npm package registry designed to exfiltrate Kubernetes configurations and SSH keys from compromised machines to a remote server.
Sonatype said it has discovered 14 different npm packages so far."
That is, the underlying connection will break after a short while and open files will be closed. But the remote filesystem stays mounted and gets reconnected upon the next access to it with a little delay.
very nice …
Statement by Dietmar Wyhs, #SSH
#itsa #HomeofITSecurity #ITSecurity #RemoteAccess #OTSecurity #SSH Communications Security #passwordless #keyless #Quantumcomputing #Kryptografie #Verschlüsselung #Security #Cybersecurity #Sicherheitsmesse #Nürnberg #Cybersicherheit #ITSicherheit
Install and configure SSH on Debian 12 Bookworm
"The following configuration makes root logins on the remote machine impossible. Only users belonging to the group ssh-users may establish a connection. Access to the remote machine is tied to the local user’s private key."
ICAO code: #407642
Operator: Tui Airways Limited
Type: BOEING 737MAX 8
From: #SSH to #MAN
Speed: 812 kmh
Altitude: 11582 m
Distance: 2.9 km
Angle ∆: 76.0°
Direction ->: WNW
ICAO code: #44A838
Operator: Tui Airlines Belgium
Type: BOEING 737-8K5
From: #SSH to #BRU
Speed: 310 kmh
Altitude: 709 m
Distance: 4.7 km
Angle ∆: 8.6°
Direction ->: SSW
#Landing #BrusselsAirport #Belgium
#ssh-agent is a little program that exposes a standard API to your SSH clients that lets your SSH client create keys and sign stuff without actually having direct access to key material. Your SSH client typically talks to your agent over a Unix domain socket. The path to the domain socket is read from the SSH_AUTH_SOCK environment variable. OpenSSH comes with a default ssh-agent that holds key material in memory. The advantage is that key material never has to touch disk.
You can replace the default ssh-agent with a different one that manages key material some other way (e.g., by using the secure enclave on a Mac, or by using a #yubikey
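The standard API the post refers to is a small length-prefixed message protocol over the Unix socket named in SSH_AUTH_SOCK. The following added example (not from the post) builds and parses the two messages a client cares about, list keys and sign this blob, and shows that the private key never appears in either direction. Message numbers follow the OpenSSH agent protocol; the sample key and comment are constructed.

```python
"""SSH agent protocol over $SSH_AUTH_SOCK: the request/response framing a client
uses to list keys and ask for a signature without ever seeing private key bytes.
Added example, not from the post; message numbers are from the OpenSSH agent
protocol draft, the sample key and comment are constructed."""
import base64
import os
import socket
import struct

SSH_AGENT_FAILURE = 5
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_SIGN_REQUEST = 13
SSH_AGENT_SIGN_RESPONSE = 14
SSH_AGENT_RSA_SHA2_256 = 2   # flags for sign requests against RSA keys
SSH_AGENT_RSA_SHA2_512 = 4


def ssh_string(b):
    return struct.pack(">I", len(b)) + b


def read_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def frame(msg_type, payload=b""):
    """Every agent message is uint32 length, then one type byte, then the payload."""
    return ssh_string(bytes([msg_type]) + payload)


def build_sign_request(key_blob, data, flags=0):
    """Ask the agent to sign `data` with the key identified by its PUBLIC blob.
    The client never holds the private key; it only names which one to use."""
    return frame(SSH_AGENTC_SIGN_REQUEST,
                 ssh_string(key_blob) + ssh_string(data) + struct.pack(">I", flags))


def parse_identities_answer(msg):
    """Return [(key_type, base64_blob, comment)] from an IDENTITIES_ANSWER frame."""
    (length,) = struct.unpack_from(">I", msg, 0)
    body = msg[4:4 + length]
    if body[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("unexpected message type %d" % body[0])
    (count,) = struct.unpack_from(">I", body, 1)
    off, keys = 5, []
    for _ in range(count):
        blob, off = read_string(body, off)
        comment, off = read_string(body, off)
        key_type, _ = read_string(blob, 0)   # a public blob starts with its own type string
        keys.append((key_type.decode(), base64.b64encode(blob).decode(), comment.decode()))
    return keys


def parse_sign_response(msg):
    """Return (sig_format, raw_signature), or raise if the agent refused."""
    (length,) = struct.unpack_from(">I", msg, 0)
    body = msg[4:4 + length]
    if body[0] == SSH_AGENT_FAILURE:
        raise PermissionError("agent refused to sign (key not loaded or confirmation denied)")
    sig, _ = read_string(body, 1)
    fmt, off = read_string(sig, 0)
    raw, _ = read_string(sig, off)
    return fmt.decode(), raw


def recv_frame(sock):
    hdr = sock.recv(4, socket.MSG_WAITALL)
    (n,) = struct.unpack(">I", hdr)
    return hdr + sock.recv(n, socket.MSG_WAITALL)


def list_agent_keys(sock_path=None):
    """Live use: talk to whatever agent owns the socket (ssh-agent, 1Password, a TPM agent)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path or os.environ["SSH_AUTH_SOCK"])
        s.sendall(frame(SSH_AGENTC_REQUEST_IDENTITIES))
        return parse_identities_answer(recv_frame(s))


# Constructed answer, as an agent holding one Ed25519 key would return it.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_ANSWER = frame(SSH_AGENT_IDENTITIES_ANSWER,
                      struct.pack(">I", 1) + ssh_string(SAMPLE_BLOB) + ssh_string(b"phessler@hostname"))

if __name__ == "__main__":
    print(parse_identities_answer(SAMPLE_ANSWER))
    if "SSH_AUTH_SOCK" in os.environ:
        print(list_agent_keys())
```

Because the socket is the whole API, anything that can reach SSH_AUTH_SOCK can request signatures: this is why agent forwarding to a host you do not fully trust is risky, and why agents that confirm each signature (ssh-add -c, or a hardware-backed agent that requires a touch) exist.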
I am leaning heavy into #termux for command line options and have gcc, rust, go, python, and java already installed.
TIme for some X11. While non-termux options exist, I didn't really look hard at them at this time since my first pass at this is definitely termux-centric.
So here is the #xfce desktop via termux to provide more GUI options in the coming days.
Editing the first lessons of JuncoTIC.com's TCP/IP Networking course!!
Additional content in the GNU/Linux Admin courses for LPIC-1, iptables and SSH, so students of those courses, stay tuned: you'll soon receive a message announcing new educational content 😀
This is another reason you should not use #SSH keys anywhere.
Git. Alternative Entra ID (any IDP) service account via OIDC or SAML. AWS IAM anywhere..
Linux/Unix server login - use code, redeploy never login to a server. Emergency use tools like AWS systems manager. Also works in your datacenters
Manage everything via code: https://rakkhi.substack.com/p/why-you-should-manage-your-cyber
So, I know this might be a bit odd and I already tried searching but didn't find anything really useful.
I need to be able to authenticate users using multiple 2FA providers (users in group1 should use provider1, users in group2 should use provider2, etc.) on the same #linux #ssh server.
Any clue, hint, pointer, ideas?
I recently started experimenting with #gensio, which can do some really cool things with #serial ports, TCP ports, etc. It can make a serial line a framed, reliable communications medium. It can act like netcat, socat, and so forth. You can use it to run #ssh or #NNCP over a serial line, or provide an encryption layer itself. I wrote up some ideas here: https://www.complete.org/using-gensio-and-ser2net/
It was a brief suggestion, cited as FreeNX, in a video by Vagner Fonseca on another subject.
I shall post more about it soon. I can already say that it should receive much more attention and development in order to be better supported. It's incredible!
The master connection needs to be open for another connection to be able to use the master connection.
The socket file is only available while the master connection is open. If you close the master connection then the socket file is removed. Any open "slave" connection will be closed if the master connection is closed.
Tho that'll still be more than #Floppinux did...but that's just me being pedantic.
Few things infuriate me as much as brand new devices being sold with completely outdated components in their firmware.
Trying since far too long now to get my #Brother ADS-4300N scanner to talk to my #SSH server for pushing scanned documents to my #PaperlessNGX via SFTP.
One could ignore that it doesn't support #ed25519 for PubKey auth, but it can't even negotiate a connection since the provided MACs are apparently so outdated that a recent #OpenSSH doesn't even allow enabling them anymore.
LSM provides hooks only for access control
Systems like #grsecurity and RSBAC 1 need more than just access control. In implementations like #AppArmor, LIDS 2, #POSIX capabilities, Smack 3, TOMOYO 4, #SELinux, stacking multiple security modules is problematic; LSM hooks expose kernel-internal data structures as parameters. #Ethos runs inside the Xen Virtual Machine Monitor (#VMM).
The #Xen Dom0 OS is typically Linux. #Virtualization allows running Ethos alongside Linux. 4
when Dom0 receives a packet destined to an Ethos host, its routing/ARP tables allow it to deliver packet correctly.
(1) the request was received on interface n's partition,
(2) the target address belongs to a host that exists on an interface other than n,
(3) ensure Dom0 has ARP table entries for each Ethos host.
#Ethos immediately sends a packet to shadowdæmon upon booting, and shadowdæmon uses this packet to update Dom0's static ARP table.
The fileInformation system call is interesting in that Ethos supports file metadata typically not present on Linux. Here shadowdæmon makes use of Linux's getxattr/setxattr system calls to store Ethos metadata along with the files it describes. Shadowdæmon is also responsible for providing Ethos with random data using a Random RPC.
Ethos offers distributed types in the Etypes subsystem:
A notation, ETN, for specifying types; a machine-readable type description ("type graph"); a single wire format (ETE); tools (userspace and kernelspace) to transform ETN into code that will encode, decode, and recognize types; extensions to the read and write system calls to check input and output; programs specify what input types they allow; validity of inputs (and outputs) is enforced by the OS.
#Kerberos was motivated by the transition from single, time-sharing systems to distributed networks of workstations.
a Kerberos installation is made up of two services: an authentication service and a Ticket Granting Service(TGS).
X.509 added a graph-based trust model to its traditional hierarchical model, but its design imposes a high performance overhead. SDSI also provides a strong trust model, but likewise does not perform well at Internet scale. Another alternative is the web of trust used by #PGP.
#SSH attempts to isolate private keys by protecting them
#Multics provides a hierarchical filesystem that is governed by access control lists. Processes serve as subjects and can access objects in the storage system. Each subject has associated with it a value called a principal identifier, which corresponds to the user on whose behalf the process runs. Each object in the storage system has associated with it three modes: read, write, and execute. For each mode, there exists a list of principal identifiers that may access the object using the mode.
likewise #Unix authorization traditionally has been discretionary.
#Factotum acts as an authentication proxy.
Consider a POP email server that must implement the APOP authentication protocol. On Plan 9, such an email server would receive requests from the network and process them. In the case of authentication requests, the email server forwards the request to factotum. Factotum then provides the email server with the response it should pass to the client. Never in this process are keys shared with the email server.
#HiStar’s flow controls contain the effect of a compromised app, serving as a countermeasure to one of the facets of application-based subversion. Even if an app is compromised, it cannot bypass the flow controls that HiStar imposes on it. But an app that operates within its information-flow constraints could easily be programmed or misconfigured so that protections are missing.
on traditional Unix systems, still remain with HiStar’s Unix layer
"Keystroke timing obfuscation" has been added to ssh(1) client in #OpenBSD -current.
This uses the recently added "firstname.lastname@example.org" vendor extension described in the PROTOCOL file.
djm@ modified src/usr.bin/ssh/*: Add keystroke timing obfuscation to the client.
This attempts to hide inter-keystroke timings by sending interactive traffic at fixed intervals (default: every 20ms) when there is only a small amount of data being sent. It also sends fake "chaff" keystrokes for a random interval after the last real keystroke. These are controlled by a new ssh_config ObscureKeystrokeTiming keyword.
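A model of what the feature does to the traffic an on-path observer records, as an added example that is not OpenSSH's code: real keystrokes are released only on a fixed tick, every tick carries a packet, and a random run of chaff follows the last real keystroke. The tick and chaff constants and the sample keystroke times are assumptions made for the demo, not OpenSSH's exact policy.

```python
"""Model of the keystroke-timing obfuscation described above. Added example,
not OpenSSH's code: it keeps the described behaviour (a fixed 20 ms send tick
plus a random run of chaff after the last real keystroke) but the chaff policy
and the sample keystroke times are assumptions made for the demo."""
import random


def obfuscate(keystroke_ms, interval_ms=20, chaff_ticks=(1, 8), seed=1):
    """Return the packets an on-path observer sees as (send_time_ms, is_real).

    Real keystrokes are held until the next tick; every tick carries a packet,
    so inter-packet gaps never reveal typing rhythm. After each real keystroke a
    random number of chaff ticks is armed, so the stream also hides when typing
    stopped. Keystrokes landing in the same tick coalesce into one packet.
    """
    rng = random.Random(seed)
    pending = sorted(keystroke_ms)
    packets, t, chaff_left = [], 0, 0
    while pending or chaff_left > 0:
        t += interval_ms
        arrived = [k for k in pending if k <= t]
        pending = pending[len(arrived):]
        if arrived:
            packets.append((t, True))
            chaff_left = rng.randint(*chaff_ticks)
        else:
            packets.append((t, False))   # fake keystroke, same size on the wire
            chaff_left -= 1
    return packets


def observed_gaps(packets):
    """Inter-packet gaps as a passive observer would measure them."""
    return [b - a for (a, _), (b, _) in zip(packets, packets[1:])]


def leaked_gaps(keystroke_ms):
    """Without obfuscation: one packet per keystroke, so gaps equal typing latencies."""
    ks = sorted(keystroke_ms)
    return [b - a for a, b in zip(ks, ks[1:])]


# Constructed typing sample (ms): digraph latencies vary, which is the signal
# keystroke-timing attacks model to recover what was typed.
SAMPLE_KEYSTROKES = [5, 93, 131, 302, 340, 611]

if __name__ == "__main__":
    print("leaked:  ", leaked_gaps(SAMPLE_KEYSTROKES))
    print("obscured:", observed_gaps(obfuscate(SAMPLE_KEYSTROKES)))
```

The cost is visible in the model too: chaff packets consume bandwidth and the held keystrokes add up to one tick of latency, which is why the option is scoped to interactive sessions with small amounts of data.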
🆕 blog! “Mosh supports .ssh/config”
I've recently started using Mosh. It's a clever bit of software that keeps your SSH sessions running, even if your client goes offline or changes IP address.
But I find the syntax used to launch it a bit verbose and easy to forget. A typical command is something like:
mosh --ssh="ssh -p 1234" firstname.lastname@example.org
Within the FAQ is a fleeting mention of how to configure Mosh. It says:
Q: How do I use a different SSH port (not 22)?
As of Mosh 1.2, you can pass arguments to ssh like so:
mosh remotehost --ssh="ssh -p 2222"
Or configure a host alias in ~/.ssh/config with a Port directive. Mosh will respect that too.
What it doesn't say is that Mosh will use all the directives in ~/.ssh/config. So you can have something like:
Host home
    HostName example.com
    User myname
    Port 1234
Then you can run mosh home to connect. If you don't want to use passwords, you can add IdentityFile ~/.ssh/example.key or similar.
Perhaps you already knew that - but I didn't.
Being a bit overzealous, I did a 1.0.0 release candidate for `ssh-tpm-agent` :)
Now with RSA key support, import support, an `ssh-tpm-add` utility and proxy support for other agents.
This is extremely frustrating.
I host a piece of software on my server for my father. He connects to it via #SSH (using #PuTTY ). He just got a new computer, and wanted me to set it up so that he could connect, just like I did with his previous computer. No problem right?
I show up, generate the key, and authorize it on the server, but for whatever reason PuTTY refuses to acknowledge the existence of this key. I know it's not even trying, because it doesn't even ask for the passphrase to decrypt it.
Has something changed in the latest version of PuTTY that I just don't know about? Do I need to do something the enable public key authentication beyond simply specifying the path to the key?
SSH aliases are so awesome! I learned about this very recently. I have something like the following in my .ssh/config file for every server I SSH into:
, and it lets me just go like, ssh servername, enter my passphrase, and be logged in. #Linux #ssh
Did an initial v0.1.0 release of `ssh-tpm-agent`.
Should be in some state suitable for testing by users for feedback.
The project was also renamed from `tpm-ssh-agent` to `ssh-tpm-agent`. Someone thought it would make more sense :)
I forget who it was who suggested an #SSH socks proxy, but thanks! It worked like a charm when I needed to access some sites from my computer in the USA, while I was in Japan.
I used the directions from this page: https://ma.ttias.be/socks-proxy-linux-ssh-bypass-content-filters/
@Lili Up to #SSH the Platinum area still applies ☝️ ... With the Velaros it's easier, at least there are the stickers; in the Baguette I once had to show the conductor an excerpt from their vehicle register before they believed me that there really are Platinum / TGV MAX seats in 1st class on the 2N2 3UA.
* by the way, when you show both Platinum and TGV PRO MAX, they usually look a bit puzzled and just shake their heads ...
Not surprisingly, logs can be really helpful 🙂 I could not get password-less ssh to work to one of my hosts. I looked at /var/log/auth.log and the message was very specific - "Authentication refused: bad ownership or modes for directory /home/dennis" Yep. /home/dennis had drifted from 750 which #ssh wants. Easy fix.
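The two failure modes from the posts above, ssh-copy-id refusing a public-only key and sshd refusing a home directory with bad modes, come down to a few lines of file handling. The following added example (not from either post) installs a public key the way ssh-copy-id does on the remote side, idempotently and without any private key present, and then checks the ownership and mode rules behind the "bad ownership or modes" message. The key line is constructed and the demo runs in a scratch directory; it assumes a POSIX host.

```python
"""What ssh-copy-id does on the remote side, plus the check behind sshd's
"bad ownership or modes" refusal. Added example, not from either post; the
key line is constructed and the run happens in a scratch directory."""
import os
import stat
import tempfile

# Constructed public key line (not a real key); the comment is where a 1Password
# or event-specific label would appear.
SAMPLE_PUBKEY = ("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8g "
                 "1password.booger")


def install_authorized_key(home, pubkey_line):
    """Append a public key to ~/.ssh/authorized_keys unless that key is already there.

    Only the public half is needed, which is why ssh-copy-id -f works without a
    private key on disk. Duplicate detection compares type and blob, ignoring the
    comment; lines with leading options (from=, command=...) are not handled here.
    Returns True if a line was added.
    """
    ssh_dir = os.path.join(home, ".ssh")
    os.makedirs(ssh_dir, exist_ok=True)
    os.chmod(ssh_dir, 0o700)
    path = os.path.join(ssh_dir, "authorized_keys")
    new_id = tuple(pubkey_line.split()[:2])
    present = set()
    if os.path.exists(path):
        with open(path) as f:
            present = {tuple(l.split()[:2]) for l in f if l.strip() and not l.startswith("#")}
    if new_id in present:
        return False
    with open(path, "a") as f:
        f.write(pubkey_line.rstrip("\n") + "\n")
    os.chmod(path, 0o600)
    return True


def strict_modes_problems(home, uid=None):
    """Paths sshd (StrictModes yes, the default) would reject: the home directory,
    ~/.ssh and authorized_keys must be owned by the user or root and must not be
    group- or world-writable. Returns the offending paths; [] means login can proceed."""
    uid = os.getuid() if uid is None else uid
    problems = []
    for p in (home, os.path.join(home, ".ssh"), os.path.join(home, ".ssh", "authorized_keys")):
        try:
            st = os.stat(p)
        except FileNotFoundError:
            continue
        if st.st_uid not in (uid, 0) or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(p)
    return problems


def demo():
    """Recreate the post's failure in a scratch tree and fix it."""
    scratch = tempfile.mkdtemp()
    home = os.path.join(scratch, "dennis")
    os.makedirs(home)
    os.chmod(home, 0o775)        # group-writable home: the drift from 750 that sshd refuses
    first = install_authorized_key(home, SAMPLE_PUBKEY)
    second = install_authorized_key(home, SAMPLE_PUBKEY)   # rerun is idempotent, no duplicate line
    before = [os.path.relpath(p, scratch) for p in strict_modes_problems(home)]
    os.chmod(home, 0o750)
    after = strict_modes_problems(home)
    return {"added_first": first, "added_second": second,
            "problems_before": before, "problems_after": after}


if __name__ == "__main__":
    print(demo())
```

The group-write bit is the usual culprit: 750 and 755 both pass, 770 and 775 both fail, and the refusal is logged only on the server side, which is why /var/log/auth.log (or journalctl -u ssh) is the first place to look when key login silently falls back to a password prompt.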
Why do nerds always do this; overcomplicate everything?
Nerds were like; "I know let's encode the private key in a series of words so people can memorize them" and now you've got two private keys!
Before executing important commands and scripts over #SSH, use #screen in case of disconnect. If your connection drops or you close the terminal, you can SSH back in and enter `screen -r` to recover from where you left off. Being reunited with that hanging command prompt will be a relief! #tuesdaytip #gnu #linux #cli #admin
Sharing open, pbcopy and pbpaste over #SSH
Also weedwhacked the absolute shit out of a lawnfull of dandelions this afternoon.
* For those interested in Protocol Bullshit and/or Software Architecture Bullshit, see https://github.com/paramiko/paramiko/issues/23#issuecomment-1516536336 and subsequent comment(s).
@jaredwhite @cappiello @vanilla @bridgetown Oh, I know. I'd prefer to stick with back-end development (.NET, C#, ASP.NET, SQL Server) because I'm familiar with it and I only got into coding because it pays better than cleaning toilets, but I keep landing in projects that want full-stack so I must perforce adapt.
#ICYMI #GitHub using GitHub to expose its own secrets
Mike Hanley (https://github.com/mph4), Chief Security Officer + SVP Engineering:
> At approximately 05:00 UTC on March 24, out of an abundance of caution, we replaced our RSA SSH host key used to secure Git operations for GitHub.com
> This week, we discovered that GitHub.com’s RSA SSH private key was briefly exposed in a public GitHub repository.
@SwiftOnSecurity one can easily read out said info from the systems without admin privileges and gather extensive intelligence hidden before actually attacking the corporate IT and locking out admins first...
Why they don't use a proper auth with #SSH [-Keys] is beyond me except the fact that #Windows doesn't have any (good) #OpenSSH #Server included nor can it be actually used to admin a system effectively!
if you have multiple keys, you can change the comment in the key with the #OpenSSH command "ssh-keygen -c -f .ssh/file". That way, when you look at what keys are loaded or are in use, the programs can tell you who is what.
Super helpful for keeping track of event keys or organization keys.
$ ssh-add -l
3072 SHA256:[hash] phessler@hostname (RSA)
256 SHA256:[hash] phessler@hostname (ED25519)
3072 SHA256:[hash] phesslerr@event-year (RSA)