136 private links
SSH continues to be a go-to command line tool for system administrators. These six guides reveal key ways that SSH plays a crucial role in getting the job done.
-
ssh(1), ssh-keygen(1): support for FIDO keys that require a PIN for
each use. These keys may be generated using ssh-keygen using a new
"verify-required" option. When a PIN-required key is used, the user
will be prompted for a PIN to complete the signature operation. -
sshd(8): authorized_keys now supports a new "verify-required"
option to require FIDO signatures assert that the token verified
that the user was present before making the signature. The FIDO
protocol supports multiple methods for user-verification, but
currently OpenSSH only supports PIN verification. -
sshd(8), ssh-keygen(1): add support for verifying FIDO webauthn
signatures. Webauthn is a standard for using FIDO keys in web
browsers. These signatures are a slightly different format to plain
FIDO signatures and thus require explicit support. -
ssh(1): allow some keywords to expand shell-style ${ENV}
environment variables. The supported keywords are CertificateFile,
ControlPath, IdentityAgent and IdentityFile, plus LocalForward and
RemoteForward when used for Unix domain socket paths. bz#3140 -
ssh(1), ssh-agent(1): allow some additional control over the use of
ssh-askpass via a new $SSH_ASKPASS_REQUIRE environment variable,
including forcibly enabling and disabling its use. bz#69 -
ssh(1): allow ssh_config(5)'s AddKeysToAgent keyword accept a time
limit for keys in addition to its current flag options. Time-
limited keys will automatically be removed from ssh-agent after
their expiry time has passed.
Endlessh is an SSH tarpit that very slowly sends an endless, random SSH banner. It keeps SSH clients locked up for hours or even days at a time. The purpose is to put your real SSH server on another port and then let the script kiddies get stuck in this tarpit instead of bothering a real server.
Since the tarpit is in the banner before any cryptographic exchange occurs, this program doesn't depend on any cryptographic libraries. It's a simple, single-threaded, standalone C program. It uses poll() to trap multiple clients at a time.
SSH is a powerful tool which often grants a lot of access to anyone using it to log into a server. In this post, I’m going to talk about a few different ways that you can easily improve the security of your SSH model without needing to deploy a new application or make any huge changes to user experience.
Our kickass setup will allow us to do a series of cool things related to daily development operations:
Two Factor Authentication
PAM Authentication (logging into your linux/mac PC)
GPG mail and GIT commit signing/encrypting
SSH Authenticationssh-audit is a tool for ssh server auditing.
Features
SSH1 and SSH2 protocol server support;
grab banner, recognize device or software and operating system, detect compression;
gather key-exchange, host-key, encryption and message authentication code algorithms;
output algorithm information (available since, removed/disabled, unsafe/weak/legacy, etc);
output algorithm recommendations (append or remove based on recognized software version);
output security information (related issues, assigned CVE list, etc);
analyze SSH version compatibility based on algorithm information;
historical information from OpenSSH, Dropbear SSH and libssh;
no dependencies, compatible with Python 2.6+, Python 3.x and PyPy;Now that I’m using OpenPGP cards for GnuPG, I may as well start using them for their other bells and whistles too. The first and most useful such extra feature of those cards is using the authentication key for SSH.
Getting this working is actually surprisingly simple...
#Planet #Commandline is finally online: http://planet-commandline.org/ #cli #ssh #shell #grml #gnuscreen #zsh
reading http://tinyurl.com/nsmco8 - improving #SSH security on Debian Linux/Ubuntu #Heise
Terminator is a cross-platform GPL terminal emulator with advanced features not yet found elsewhere.