SSH

Secure Shell Protocol - Port 22

Last updated 2 months ago

SSH

Secure Shell Protocol - Port 22

Key Generation

RSA

ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

Ed25519

ssh-keygen -t ed25519

ECDSA

ssh-keygen -t ecdsa-sk

FIDO/U2F NO-TOUCH MODE

Without Touch-Mode

ssh-keygen -O no-touch-required -t ed25519-sk

Allow mode on sshd

no-touch-required sk-ssh-ed25519@openssh.com AAAAInN... user@example.com

Enumeration

Show Details

ssh-keygen -C "$(whoami)@$(uname -n)-$(date -I)"

Key lenght

ssh-keygen -l -f public_key

Check SSH access

netexec ssh <IP> -u <USER> -p 'password'

SSH Brute Force

nmap -n -p22 --script ssh-brute --script-args userdb=usernames.txt,passdb=passwords.txt <IP>

Trouble-shooting

SSH2_MSG_KEX_ECDH_REPLY error:

ssh -o MACs=hmac-sha2-256 <HOST>

Sometimes the /etc/hosts.allow or /etc/hosts.deny may be configured to blacklist or whitelist IPs trying to connect to the server:

Whitelist

ALL : 10.10.16.8

Add that in the /hosts.allow file; make sure to let a blank line at the end.
sshd_wl is the syslink to host.allow and is normally in .ssh

In recent versions of OpenSSH, certain older key types like ssh-rsa have been deprecated because of security concerns with the SHA-1 hash algorithm they use:

ssh root@10.10.10.34 -i id_rsa -o PubkeyAcceptedKeyTypes=ssh-rsa

OpenSSH Vulnerabilities

RsaCtfTool

(mainly for ctf) - retrieve private key from weak public key and/or uncipher data.
Install libmpc-dev, libgmp3-dev and sagemath
Also recommend to use a virtual environment

RsaCtfTool/RsaCtfTool.py --publickey decoder.pub --decryptfile pass.crypt

CVE-2008-0166

Debian OpenSSL Predictable PRNG -> Check the
Look for matches for a given public_key:

grep -R -n `cat public_key` rsa/

sshd - SSH Server

Configuration File

/etc/ssh/sshd_config

Sampler config

# Disable root login
PermitRootLogin no

# Use SSH Protocol 2 only
Protocol 2

# Use only strong authentication methods
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no

# Limit user access (replace 'youruser' with your username)
AllowUsers youruser

# Use non-standard port (optional, requires adjustment to QEMU port forwarding)
Port 2233

# Restrict key exchange, ciphers, and MACs to strong algorithms
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com

# Strict mode
StrictModes yes

# Disable X11 forwarding
X11Forwarding no

# Set low login grace time
LoginGraceTime 30s

# Limit maximum authentication attempts
MaxAuthTries 3

# Enable logging
LogLevel VERBOSE

# Disable GSSAPI authentication
GSSAPIAuthentication no

# Disable host-based authentication
HostbasedAuthentication no

# Disable empty passwords
PermitEmptyPasswords no

# Disable TCP forwarding for stealthiness
AllowTcpForwarding no
GatewayPorts no

# Set idle timeout (15 minutes)
ClientAliveInterval 300
ClientAliveCountMax 3

Enable fail2ban to prevent brute force attempts

sudo pacman -S fail2ban
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Edit the SSH jail configuration

sudo nano /etc/fail2ban/jail.local

Add this to the SSH section

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
findtime = 600
bantime = 3600

Enable/Start the service

sudo systemctl enable fail2ban
sudo systemctl start fail2ban

Configure system auditing

Set up audit

sudo pacman -S audit
sudo systemctl enable auditd
sudo systemctl start auditd

Configure it

sudo auditctl -w /etc/ssh/sshd_config -p wa -k sshd_config
sudo auditctl -w /etc/passwd -p wa -k user_modification
sudo auditctl -w /etc/shadow -p wa -k user_modification

PreviousICMP NextTelnet

Last updated 2 months ago

Key Generation

RSA

ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

Ed25519

ssh-keygen -t ed25519

ECDSA

ssh-keygen -t ecdsa-sk

FIDO/U2F NO-TOUCH MODE

Without Touch-Mode

ssh-keygen -O no-touch-required -t ed25519-sk

Allow mode on sshd

no-touch-required sk-ssh-ed25519@openssh.com AAAAInN... user@example.com

Enumeration

Show Details

ssh-keygen -C "$(whoami)@$(uname -n)-$(date -I)"

Key lenght

ssh-keygen -l -f public_key

Check SSH access

netexec ssh <IP> -u <USER> -p 'password'

SSH Brute Force

nmap -n -p22 --script ssh-brute --script-args userdb=usernames.txt,passdb=passwords.txt <IP>

Trouble-shooting

SSH2_MSG_KEX_ECDH_REPLY error:

ssh -o MACs=hmac-sha2-256 <HOST>

Sometimes the /etc/hosts.allow or /etc/hosts.deny may be configured to blacklist or whitelist IPs trying to connect to the server:

Whitelist

ALL : 10.10.16.8

Add that in the /hosts.allow file; make sure to let a blank line at the end.
sshd_wl is the syslink to host.allow and is normally in .ssh

In recent versions of OpenSSH, certain older key types like ssh-rsa have been deprecated because of security concerns with the SHA-1 hash algorithm they use:

ssh root@10.10.10.34 -i id_rsa -o PubkeyAcceptedKeyTypes=ssh-rsa

OpenSSH Vulnerabilities

RsaCtfTool

(mainly for ctf) - retrieve private key from weak public key and/or uncipher data.
Install libmpc-dev, libgmp3-dev and sagemath
Also recommend to use a virtual environment

RsaCtfTool/RsaCtfTool.py --publickey decoder.pub --decryptfile pass.crypt

CVE-2008-0166

Debian OpenSSL Predictable PRNG -> Check the
Look for matches for a given public_key:

grep -R -n `cat public_key` rsa/

sshd - SSH Server

Configuration File

/etc/ssh/sshd_config

Sampler config

# Disable root login
PermitRootLogin no

# Use SSH Protocol 2 only
Protocol 2

# Use only strong authentication methods
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no

# Limit user access (replace 'youruser' with your username)
AllowUsers youruser

# Use non-standard port (optional, requires adjustment to QEMU port forwarding)
Port 2233

# Restrict key exchange, ciphers, and MACs to strong algorithms
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com

# Strict mode
StrictModes yes

# Disable X11 forwarding
X11Forwarding no

# Set low login grace time
LoginGraceTime 30s

# Limit maximum authentication attempts
MaxAuthTries 3

# Enable logging
LogLevel VERBOSE

# Disable GSSAPI authentication
GSSAPIAuthentication no

# Disable host-based authentication
HostbasedAuthentication no

# Disable empty passwords
PermitEmptyPasswords no

# Disable TCP forwarding for stealthiness
AllowTcpForwarding no
GatewayPorts no

# Set idle timeout (15 minutes)
ClientAliveInterval 300
ClientAliveCountMax 3

Enable fail2ban to prevent brute force attempts

sudo pacman -S fail2ban
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Edit the SSH jail configuration

sudo nano /etc/fail2ban/jail.local

Add this to the SSH section

[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
findtime = 600
bantime = 3600

Enable/Start the service

sudo systemctl enable fail2ban
sudo systemctl start fail2ban

Configure system auditing

Set up audit

sudo pacman -S audit
sudo systemctl enable auditd
sudo systemctl start auditd

Configure it

sudo auditctl -w /etc/ssh/sshd_config -p wa -k sshd_config
sudo auditctl -w /etc/passwd -p wa -k user_modification
sudo auditctl -w /etc/shadow -p wa -k user_modification