SSH
Enable Password Authentication SSH Login
$ ssh ubuntu@192.168.168.124 ubuntu@192.168.168.124: Permission denied (publickey).If you want to use a password to access the SSH server, a solution for fixing the Permission denied error is to enable password login in the /etc/ssh/sshd_config file on the SSH server.
Restart the SSH service by typing the following command:
$ sudo systemctl restart sshd
How to Setup Passwordless SSH Login
Secure Shell (SSH) is a cryptographic network protocol used for secure connection between a client and a server and supports various authentication mechanisms. The two most popular mechanisms are
- passwords based authentication
- public key based authentication
Setup SSH Passwordless Login
There are 2 files needed on the server and the client side respectively:
- server
~/.ssh/authorized_keys
~/.ssh/known_hosts
To set up a passwordless SSH login in Linux all you need to do is to generate a public authentication key and append it to the remote hosts ~/.ssh/authorized_keys file.
Your key pair will be under ~/.ssh/.
If you don't have it, you need to create it.
To generate a new 4096 bits SSH key pair with your email address as a comment:
$ ssh-keygen -t rsa -b 4096 -C "your_email@domain.com"
To be sure that the SSH keys are generated, you will find the following files under ~/.ssh/ :
id_rsa id_rsa.pub
By default, the filenames of supported public keys for GitHub are one of the following.
id_rsa.pub id_ecdsa.pub id_ed25519.pubThen, let the public key be appended to the remote user's ~/.ssh/authorized_keys file.
Go to the remore,
mkdir -p ~/.ssh chmod 700 ~/.ssh cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys chmod 600 ~/.ssh/authorized_keys"
After the key authentication works, you can disable the password authentication for SSH.
Open the SSH configuration file /etc/ssh/sshd_config, do the change
PasswordAuthentication no ChallengeResponseAuthentication no UsePAM no
Adding a new SSH key to your GitHub account
Before adding a new SSH key to your account on GitHub.com, you should have: To add a new SSH key to your account on GitHub.com,- Copy the SSH public key to your clipboard Copy the contents of the id_ed25519.pub file displayed in the terminal to your clipboard
- In the upper-right corner of any page, click your profile photo, then click Settings.
- In the "Access" section of the sidebar, click SSH and GPG keys.
- Click New SSH key then Add new.
- Title
- Key Copy the content of the key dumpped started from "ssh-rsa"
$ cat ~/.ssh/rsa.pub
Testing your SSH connection
After you've set up your SSH key and added it to your account on GitHub.com, you can test your connection.
$ ssh -T git@github.com Hi JerryLeeTaipei! You've successfully authenticated, but GitHub does not provide shell access.If you access your github repo and see the following error:
$ git clone https://github.com/... ... Password for 'https://JerryLeeTaipei@github.com': remote: Support for password authentication was removed on August 13, 2021. Please use a personal access token instead. remote: Please see https://github.blog/2020-12-15-token-authentication-requirements-for-git-operations/ for more information. fatal: Authentication failed for 'https://github.com/JerryLeeTaipei/canonical.git/'Click "Settings --> Developer settings --> Generate new token --> ", then you will get
./githubUse the saved token for password input while accessing github later.
How To Fix Offending key in ~/.ssh/known_hosts file
If there is a key change in the remote host, you have to delete old invalid public key for that remote host.Following error will be displayed when the remote host key changes (after you’ve connected earlier with a valid remote host key).
Offending key for IP in /home/jerry/.ssh/known_hosts:79Use the following command to remove the offending key.,
$ sed -i '79d' ~/.ssh/known_hosts
sshpass
sshpass is a utility designed for running ssh using the mode referred to as "keyboard-interactive" password authentication, but in non-inter‐active mode.
ssh uses direct TTY access to make sure that the password is indeed issued by an interactive keyboard user. Sshpass runs ssh in a dedicated tty, fooling it into thinking it is getting the password from an inter‐active user.
How to Access a Remote Server Using a ssh Jump Host
What is an SSH Jump Server?
An SSH jump server is a regular Linux server, accessible from the Internet, which is used as a gateway to access other Linux machines on a private network using the SSH protocol.Sometimes an SSH jump server is also called a “jump host”.
+ ------+ +------------+ +-------+ | SSH | internet| SSH |intranet | SSH | | client |---------|Jump Server |---------|Server | +--------+ +------------+ +-------+
How to Set Up an SSH Jump Server
A dedicated SSH jump server must not install any other publicly accessible software on it and not allow users to log into a jump server directly.There are two popular open-source projects used to configuring an SSH jump server.
- OpenSSH
- Teleport
$ ssh -J proxy.example.com 10.2.2.1In the above example, the ssh client tried access another host with an address of 10.2.2.1.
To avoid typing -J proxy.example.com all the time, you can update your client’s SSH configuration in ~/.ssh/config with the following:
Host 10.2.2.*
ProxyJump proxy.example.com
Now, the user can type the following to ssh log in the remoter server directly:
$ ssh 10.2.2.1
OPENSSL COOKBOOK
by Ivan Ristić
Preface
The project consists of a high-performance implementation of key cryptographic algorithms, a complete SSL/TLS and PKI stack, and a
command-line toolkit.
1 OpenSSL
The history of OpenSSL:
- SSLeay by Eric A. Young and Tim J. Hudson., 1995
- OpenSSL, 1998
Determine OpenSSL version and configuration,
$ openssl version OpenSSL 1.1.1b 26 Feb 2019 $ openssl version -a OpenSSL 1.1.1b 26 Feb 2019 built on: Thu Mar 7 15:40:08 2019 UTC platform: linux-x86_64 options: bn(64,64) rc4(16x,int) des(int) idea(int) blowfish(ptr) compiler: /tmp/build/80754af9/openssl_1551973186461/_build_env/bin/x86_64-conda_cos6-linux-gnu-cc -DNDEBUG -D_FORTIFY_SOURCE=2 -O2 -march=nocona -mtune=haswell -ftree-vectorize -fPIC -fstack-protector-strong -fno-plt -O2 -ffunction-sections -pipe -I/home/jerry/anaconda3/include -fdebug-prefix-map=/tmp/build/80754af9/openssl_1551973186461/work=/usr/local/src/conda/openssl-1.1.1b -fdebug-prefix-map=/home/jerry/anaconda3=/usr/local/src/conda-prefix -Wa,--noexecstack -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DNDEBUG OPENSSLDIR: "/home/jerry/anaconda3/ssl" ENGINESDIR: "/home/jerry/anaconda3/lib/engines-1.1" Seeding source: os-specificOPENSSLDIR will tell you where OpenSSL will look for its configuration and certificates.
-rw-rw-r-- 2 jerry jerry 219596 二 7 2019 cacert.pem lrwxrwxrwx 1 jerry jerry 10 九 2 12:55 cert.pem -> cacert.pem -rw-rw-r-- 2 jerry jerry 412 三 7 2019 ct_log_list.cnf -rw-rw-r-- 2 jerry jerry 412 三 7 2019 ct_log_list.cnf.dist drwxr-xr-x 2 jerry jerry 4096 九 2 12:55 misc -rw-rw-r-- 2 jerry jerry 10909 三 7 2019 openssl.cnf -rw-rw-r-- 2 jerry jerry 10909 三 7 2019 openssl.cnf.distThe misc/ folder contains a few supplementary scripts, the most interesting of which are the scripts that allow you to implement a private certification authority (CA).
Examine Available Commands,
$ openssl help Standard commands asn1parse ca ciphers cms crl crl2pkcs7 dgst dhparam dsa dsaparam ec ecparam enc engine errstr gendsa genpkey genrsa help list nseq ocsp passwd pkcs12 pkcs7 pkcs8 pkey pkeyparam pkeyutl prime rand rehash req rsa rsautl s_client s_server s_time sess_id smime speed spkac srp storeutl ts verify version x509 Message Digest commands (see the `dgst' command for more details) blake2b512 blake2s256 gost md4 md5 mdc2 rmd160 sha1 sha224 sha256 sha3-224 sha3-256 sha3-384 sha3-512 sha384 sha512 sha512-224 sha512-256 shake128 shake256 sm3 Cipher commands (see the `enc' command for more details) aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb aes-256-cbc aes-256-ecb aria-128-cbc aria-128-cfb aria-128-cfb1 aria-128-cfb8 aria-128-ctr aria-128-ecb aria-128-ofb aria-192-cbc aria-192-cfb aria-192-cfb1 aria-192-cfb8 aria-192-ctr aria-192-ecb aria-192-ofb aria-256-cbc aria-256-cfb aria-256-cfb1 aria-256-cfb8 aria-256-ctr aria-256-ecb aria-256-ofb base64 bf bf-cbc bf-cfb bf-ecb bf-ofb camellia-128-cbc camellia-128-ecb camellia-192-cbc camellia-192-ecb camellia-256-cbc camellia-256-ecb cast cast-cbc cast5-cbc cast5-cfb cast5-ecb cast5-ofb des des-cbc des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb des-ofb des3 desx idea idea-cbc idea-cfb idea-ecb idea-ofb rc2 rc2-40-cbc rc2-64-cbc rc2-cbc rc2-cfb rc2-ecb rc2-ofb rc4 rc4-40 seed seed-cbc seed-cfb seed-ecb seed-ofb sm4-cbc sm4-cfb sm4-ctr sm4-ecb sm4-ofb
Creating Certificate Signing Requests
Once you have a private key, you can proceed to create a Certificate Signing Request (CSR).
This is a formal request asking a CA to sign a certificate, and it contains the public key of the entity requesting the certificate and some information about the entity. This data will all be part of the certificate. A CSR is always signed with the private key corresponding to the public key it carries.
Configuration
The best approach is to use the OpenSSL ciphers command to determine which suites are enabled with a particular configuration string.
$ openssl ciphers -V
0x13,0x02 - TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
...
0x00,0x8C - PSK-AES128-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=AES(128) Mac=SHA1
Each line contains information on one suite and the following information:1. Suite name
2. Required minimum protocol version
3. Key exchange algorithm
4. Authentication algorithm
5. Cipher algorithm and strength
6. MAC (integrity) algorithm
7. Export suite indicator
You can ask it to list only cipher suites that are based on RSA,
$ openssl ciphers -v 'RSA'Further, the order in which suites appear in the output does matter, the suites listed first are given priority.
Network Security with OpenSSL
By Pravir Chandra, Matt Messier, John ViegaChapter 4. Support Infrastructure
The OpenSSL library is composed of many different packages. Some of the lower-level packages can be used independently, while the higher-level ones may make use of several of the lower-level ones.
In this chapter, we concentrate on the lower-level APIs that are most useful with the higher-level APIs that we discuss through the rest of this book.
4.1 Multithread Support
The developer needs to do some work in order to make a program thread-safe.
OpenSSL uses many data structures on which operations must be atomic.
OpenSSL provides for the thread safety of its data structures by requiring each thread to acquire a
mutually exclusive lock known as a mutex that protects the structure before allowing it to be accessed.
Using OpenSSL in multi-threaded applications was changed for the 1.1.0 release.
In OpenSSL 1.0.2 (and earlier), applications had to provide their own integration with locking and threads, as documented in the threads.pod file:
It requires the application programmer to perform his implementation of threading operations in a manner appropriate for the platform it's running on by making callbacks to functions that the application registers with OpenSSL for this purpose.
- Static locks provide a fixed number of mutexes available for OpenSSL's use.
- Dynamic locks allow OpenSSL to create mutexes as it needs them.
With 1.1.0, if threads support is enabled, then the native threads package is used.
On all Unix/Linux platforms, the pthreads API is used, crypto/threads_pthread.c.
In cases where the native threads facility isn’t known, or if explicitly configured with no-threads then dummy functions are used, crypto/threads_none.c.
4.1.1 Static Locking Callbacks
The static locking mechanism requires the application to provide two callback functions.
- void locking_function(int mode, int n, const char *file, int line)
- mode When the CRYPTO_LOCK flag is set, the lock should be acquired; otherwise, it should be released.
- n The number of the lock that should be acquired or released. The first lock is identified by 0. The value will never be greater than or equal to the return from the CRYPTO_num_locks() function.
- file The name of the source file(usually supplied by the __FILE__) requesting the locking operation to take place.
- line The source line number(usually supplied by the __LINE__) requesting the locking operation to take place.
Chapter 5. SSL/TLS Programming
In this chapter, we'll discuss only programming with the SSLv3 and TLSv1 protocols in OpenSSL.
The sample applications includes 4 files:
- common.h Include relevant headers from OpenSSL, define the address for the client and server machines as well as the server's listening port.
- common.c Defines our error reporting function handle_error and a function that will perform common initialization such as setting up OpenSSL for multithreading, initializing the library, and loading error strings.
#include "common.h"
void handle_error(const char *file, int lineno, const char *msg)
{
fprintf(stderr, "** %s:%i %s\n", file, lineno, msg);
ERR_print_errors_fp(stderr);
exit(-1);
}
void init_OpenSSL(void)
{
if (!THREAD_setup() || !SSL_library_init())
{
fprintf(stderr, "** OpenSSL initialization failed!\n");
exit(-1);
}
SSL_load_error_strings();
}
# ifndef OPENSSL_NO_DEPRECATED_1_1_0 # define OpenSSL_add_ssl_algorithms() SSL_library_init() # define SSLeay_add_ssl_algorithms() SSL_library_init() # endif # ifndef OPENSSL_NO_DEPRECATED_1_1_0 # define SSL_library_init() OPENSSL_init_ssl(0, NULL) # endif int OPENSSL_init_ssl(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings);
#include "common.h"
void do_client_loop(BIO *conn)
{
int err, nwritten;
char buf[80];
for (;;)
{
if (!fgets(buf, sizeof(buf), stdin))
break;
for (nwritten = 0; nwritten < sizeof(buf); nwritten += err)
{
err = BIO_write(conn, buf + nwritten, sizeof(buf) - nwritten);
if (err <= 0)
return;
}
}
}
int main(int argc, char *argv[])
{
BIO *conn;
init_OpenSSL();
conn = BIO_new_connect(SERVER ":" PORT);
if (!conn)
int_error("Error creating connection BIO");
if (BIO_do_connect(conn) <= 0)
int_error("Error connecting to remote machine");
fprintf(stderr, "Connection opened\n");
do_client_loop(conn);
fprintf(stderr, "Connection closed\n");
BIO_free(conn);
return 0;
}
留言