SSH That Wonderful Thing
Marc Cluet
June 09, 2013
Technology
Transcript
Marc Cluet – Lynx Consultants
How I learned to stop worrying and love the shell
What we'll cover
- Understand how SSH works
- Get a clear picture of how SSH bastion hosts work
- Be able to do more awesome stuff with SSH!
Lynx Consultants © 2013
What is SSH?
- Secure Shell (SSH) is a cryptographic network protocol for secure data communication, remote shell services or command execution and other secure network services between two networked computers that it connects via a secure channel over an insecure network: a server and a client (running SSH server and SSH client programs, respectively).[1] The protocol specification distinguishes two major versions that are referred to as SSH-1 and SSH-2. ... *whew*
But really, what is SSH?
- SSH opens a terminal connection to a remote host
- It does so using cryptography to avoid any break or leak in communication
- It is a very powerful tool for remote execution
- It is awesome!
How does SSH create a connection?
- You run your SSH command: ssh user@host
- SSH client connects to the host
- SSH client negotiates crypto and protocol version with the host
- SSH host requests authentication (password, certificates)
- SSH client replies to the crypto challenge
- Communication is open!
Authentication methods
- Password
  - Typical manual password
  - Turing keyboard test
- Certificates
  - Public key certificates (RSA1, RSA, DSA, GSS)
  - Host-based certificates
Certificates
- A certificate ensures your identity by providing a crypto key split into a public and a private part (asymmetric cryptography)
- A public crypto key can be shared and is mathematically linked to the private key
- A private key shouldn't be shared and is able to unlock and decipher the ciphertext
Certificates
- A certificate can be generated for each host or group of hosts you want to access
- Each certificate can and should be protected by a password for extra security
- Certificates are easy to revoke, so in case of any incident a new certificate can be generated
Certificates
- Run the command
  - ssh-keygen -t rsa -f ~/.ssh/id_foryournetwork
- This will create a unique certificate for the network hosts
- All your other hosts or keys (GitHub, etc.) are safely kept separate
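Two of the claims above, one key per network and easy revocation, only hold if the server side is kept in order: every authorized_keys entry should say where the key may be used from, and revoking a key means removing its public half from every authorized_keys it was installed in. The script below is an added example and not part of the deck; the authorized_keys lines are constructed with placeholder key material, the function names are my own, and the parser assumes option strings contain no spaces (a quoted command= with spaces would need a fuller parser).

```sh
#!/bin/sh
# Added example: audit and revoke authorized_keys entries.

# Constructed sample authorized_keys content; the key blobs are placeholders.
SAMPLE_AK='# keys for myuser on the network hosts
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCplaceholder1 myuser@laptop
from="10.0.0.0/8",no-agent-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCplaceholder2 myuser@mynetwork
restrict,command="/usr/local/bin/backup" ecdsa-sha2-nistp256 AAAAE2VjZHNhplaceholder3 backup@cron'

authorized_keys_unrestricted() (
    # Reads authorized_keys on stdin and prints the comment of every key that
    # carries no from= restriction, i.e. one usable from any source address.
    set -f                        # key blobs must never be glob-expanded
    while IFS= read -r line; do
        set -- $line              # words: [options] type blob [comment]
        [ $# -eq 0 ] && continue
        case "$1" in
            '#'*)          continue ;;
            ssh-*|ecdsa-*) opts=""; comment=$3 ;;   # no options field
            *)             opts=$1; comment=$4 ;;
        esac
        case ",$opts," in
            *',from='*) ;;
            *) printf '%s\n' "${comment:-(no comment)}" ;;
        esac
    done
)

authorized_keys_revoke() {
    # Copies stdin to stdout minus the key whose comment is $1: revoking a
    # key is just deleting its public half everywhere it was installed.
    awk -v victim="$1" '$NF != victim'
}

# Typical use on a host (not run here):
#   authorized_keys_unrestricted < ~/.ssh/authorized_keys
#   authorized_keys_revoke myuser@laptop < ~/.ssh/authorized_keys > new \
#       && mv new ~/.ssh/authorized_keys
```

Run the audit after every key rollout; a key that shows up with no from= restriction is one whose private half, if it leaks, can be used from anywhere.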
Security risks of running an infrastructure
- If we leave password authentication open we're subject to dictionary attacks
  - The whole system's strength is defined by the weakest password
- Each host that has SSH open is another security risk
- All this can be resolved by bastion hosts!
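The deck's answer to dictionary attacks is architectural (a bastion), but the bastion's own sshd must also refuse passwords, and that takes more than one line: PasswordAuthentication no closes the plain password method, while keyboard-interactive (the "Turing keyboard test" above) can still accept a password through PAM unless ChallengeResponseAuthentication is off as well. The following is an added example, not from the deck: write_sshd_config writes a minimal hardened sshd_config for the bastion (the user name is the deck's placeholder) and sshd_config_check reads a config back and names whichever of those settings is still weak. sshd uses the first value it finds for a keyword and settings after a Match block are conditional, so the resolver keeps the first value and stops at the first Match.

```sh
#!/bin/sh
# Added example: a hardened sshd_config for the bastion and a checker for it.

write_sshd_config() {
    # Writes a minimal sshd_config to file $1. Constructed example values.
    cat > "$1" <<'EOF'
# sshd_config for the bastion host
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
# keyboard-interactive can still take a password via PAM; close it too
ChallengeResponseAuthentication no
AllowUsers myuser
LogLevel VERBOSE
EOF
}

sshd_config_value() {
    # Print the first value of keyword $2 in sshd_config $1. sshd keeps the
    # first occurrence of a keyword, and lines after a Match block only apply
    # conditionally, so the scan stops there.
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        $1 ~ /^#/ || NF == 0   { next }
        tolower($1) == "match" { exit }
        tolower($1) == key     { print $2; exit }
    ' "$1"
}

sshd_config_check() {
    # Prints "ok" when every password path is closed and key auth is on,
    # otherwise the keywords that still need attention.
    weak=""
    [ "$(sshd_config_value "$1" PasswordAuthentication)" = "no" ] \
        || weak="$weak PasswordAuthentication"
    [ "$(sshd_config_value "$1" ChallengeResponseAuthentication)" = "no" ] \
        || weak="$weak ChallengeResponseAuthentication"
    [ "$(sshd_config_value "$1" PubkeyAuthentication)" != "no" ] \
        || weak="$weak PubkeyAuthentication"
    weak=${weak# }
    printf '%s\n' "${weak:-ok}"
}

# Typical use (not run here):  sshd_config_check /etc/ssh/sshd_config
```

LogLevel VERBOSE is included because it makes sshd log the fingerprint of the key used for each login, which is what you want when a key later has to be revoked.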
What is a Bastion Host?
- A bastion host sits between two networks, one trusted and one untrusted
- It regulates traffic between those networks, highlighting any malicious traffic and refusing it
- It is the first line of defence in a system
SSH Configuration
- Here's an example:

    # Config to access bastion host
    Host bastionhost
        User myuser
        IdentityFile ~/.ssh/id_mynetwork
        Hostname 1.2.3.4
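The deck's config reaches the bastion; the point of a bastion is that the hosts behind it are reachable only through it, so the client config should say that too. Below is an added example, not the deck's own: write_ssh_config writes a config (host names, user and key path are the deck's placeholders) in which internal-* hosts hop through bastionhost with ProxyJump (OpenSSH 7.3 or later; older clients use ProxyCommand ssh -W %h:%p bastionhost), IdentitiesOnly yes makes sure only the listed key, and not every key loaded in your agent, is offered to the bastion, and password fallback is switched off for every host. ssh_config_value is a small resolver of my own that applies ssh's first-match rule so you can check what a host will actually get without connecting.

```sh
#!/bin/sh
# Added example: client config that hops through the bastion, plus a resolver.

write_ssh_config() {
    # Writes a client config to file $1 (use ~/.ssh/config for real, mode 600).
    # Host names, user and key path are the deck's placeholders.
    cat > "$1" <<'EOF'
# Config to access bastion host
Host bastionhost
    HostName 1.2.3.4
    User myuser
    IdentityFile ~/.ssh/id_mynetwork
    IdentitiesOnly yes

# Hosts behind the bastion: reach them through it (ProxyJump needs
# OpenSSH 7.3+; older clients use: ProxyCommand ssh -W %h:%p bastionhost)
Host internal-*
    User myuser
    IdentityFile ~/.ssh/id_mynetwork
    IdentitiesOnly yes
    ProxyJump bastionhost

# Everything else: never fall back to typing a password
Host *
    PasswordAuthentication no
EOF
    chmod 600 "$1"
}

ssh_config_value() (
    # Print the value of option $3 that ssh would use for host $2, read from
    # config file $1. Blocks are scanned in order and the first matching Host
    # block that sets the option wins, which is the rule ssh itself applies.
    set -f                       # keep "Host *" a pattern, not a file glob
    file=$1; host=$2; want=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    in_block=0
    while IFS= read -r line; do
        set -- $line             # $1 = keyword, remaining words = values
        [ $# -eq 0 ] && continue
        key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
        case "$key" in
            '#'*) continue ;;
            host)
                in_block=0; shift
                for pat in "$@"; do          # a Host line may list several patterns
                    case "$host" in $pat) in_block=1 ;; esac
                done ;;
            *)
                if [ "$in_block" -eq 1 ] && [ "$key" = "$want" ]; then
                    shift; printf '%s\n' "$*"; exit 0
                fi ;;
        esac
    done < "$file"
    exit 1                       # option not set for this host
)

# Typical use (not run here): after editing, confirm what a host resolves to
#   ssh_config_value ~/.ssh/config internal-db1 ProxyJump
# or, with OpenSSH 6.8+, ask ssh itself:  ssh -G internal-db1
```

The resolver's first-match rule is why the specific Host blocks come before Host *: anything set in the catch-all block would otherwise override them.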
How to diagnose connections
- Always run ssh -v (-v for verbose)
- Make sure you test each point of your connection
  - First the bastion host
  - Then proceed further up
- Regular issues
  - Lack of certificate
  - DNS problem
  - Internets is broken
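The connection sequence described earlier (connect, version exchange, key exchange, authentication request, authentication) is exactly what ssh -v narrates line by line, so the phase at which the debug output stops tells you which of the regular issues above you are looking at. The script below is an added example, not part of the deck: ssh_diagnose reads ssh -v output and reports the furthest phase reached, ssh_hint maps that phase back to the checklist, and ssh_check_hop runs the check against one hop. The function names are my own and the sample outputs are constructed to resemble OpenSSH client debug lines, not captured from a real host.

```sh
#!/bin/sh
# Added example: map `ssh -v` output onto the connection phases from the deck.

# Constructed sample outputs, shaped like OpenSSH client debug lines.
SAMPLE_OK='OpenSSH_6.2p2, OpenSSL 1.0.1e 11 Feb 2013
debug1: Connecting to 1.2.3.4 [1.2.3.4] port 22.
debug1: Connection established.
debug1: identity file /home/myuser/.ssh/id_mynetwork type 1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: /home/myuser/.ssh/id_mynetwork
debug1: Authentication succeeded (publickey).'

SAMPLE_NOKEY='debug1: Connecting to 1.2.3.4 [1.2.3.4] port 22.
debug1: Connection established.
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.2
debug1: SSH2_MSG_KEXINIT received
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).'

SAMPLE_DNS='ssh: Could not resolve hostname bastionhost: Name or service not known'

SAMPLE_TCP='debug1: Connecting to 1.2.3.4 [1.2.3.4] port 22.
ssh: connect to host 1.2.3.4 port 22: Connection timed out'

ssh_diagnose() {
    # Reads `ssh -v` output on stdin and prints the furthest phase reached.
    # Fatal errors end the scan; progress lines move the phase forward.
    phase="not-started"
    while IFS= read -r line; do
        case "$line" in
            *"Could not resolve hostname"*)             phase="dns-failure"; break ;;
            *"connect to host"*"Connection timed out"*|*"connect to host"*"Connection refused"*|*"No route to host"*)
                                                        phase="tcp-failure"; break ;;
            "Permission denied"*)                       phase="auth-failed"; break ;;
            "debug1: Connecting to "*)                  phase="connecting" ;;
            "debug1: Connection established."*)         phase="tcp-connected" ;;
            "debug1: Remote protocol version "*)        phase="version-exchanged" ;;
            "debug1: SSH2_MSG_KEXINIT received"*)       phase="kex-done" ;;
            "debug1: Authentications that can continue:"*) phase="auth-requested" ;;
            "debug1: Authentication succeeded"*)        phase="authenticated" ;;
        esac
    done
    printf '%s\n' "$phase"
}

ssh_hint() {
    # Turn a phase from ssh_diagnose into the item on the deck's checklist.
    case "$1" in
        dns-failure)   echo "DNS problem: the name does not resolve; check the Hostname in ~/.ssh/config" ;;
        tcp-failure)   echo "Internets is broken: nothing answered on port 22; check routing, firewall, sshd" ;;
        auth-failed)   echo "Lack of certificate: the key offered was not accepted; check IdentityFile and authorized_keys" ;;
        authenticated) echo "Connection works; test the next hop" ;;
        *)             echo "Stopped at phase $1" ;;
    esac
}

ssh_check_hop() {
    # Run ssh -v against one hop with no shell and no password prompt
    # (BatchMode), and print the phase it reached. Test the bastion first.
    ssh -v -o BatchMode=yes -o ConnectTimeout=10 "$1" true 2>&1 | ssh_diagnose
}
```

ssh writes its debug output to stderr, hence the 2>&1 in ssh_check_hop; BatchMode=yes ensures a missing key fails fast instead of hanging on a password prompt.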
Awesome Stuff – Port Redirection
- You can redirect a port from your machine to the remote host or the other way around
  - -L myport:destination:destport
    - Forwards a connection made to localhost 8080 to myhost port 80 (-L 8080:myhost:80)
  - -R remoteport:destination:destport
    - Forwards a connection made to destination port 8080 to localhost port 80 (-R 80:myhost:8080)
Awesome Stuff – SOCKS Proxy
- You can create a SOCKS proxy transparently with SSH
  - This will allow you to navigate the remote network as if it were your own
- ssh -D 2222 user@myhost
- Configure your browser to use a SOCKS proxy at localhost port 2222
- Navigate to all internal network pages!
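-L, -R and -D all accept an optional bind address in front of the port, and that address decides who can use the tunnel: -L and -D listen on loopback unless the client's GatewayPorts is set, but -L *:8080:... or -D 0.0.0.0:2222 opens the forward to everyone who can reach your machine, and a -R listener on the remote side is reachable only from the remote machine itself unless the server enables GatewayPorts. The helpers below are an added example, not from the deck: forward_spec validates the ports and binds to 127.0.0.1 unless you explicitly pass another address, forward_exposure says who can reach a listener, and ssh_forward_cmd assembles the full command with -N (no remote shell) and ExitOnForwardFailure so a tunnel that cannot bind is an error rather than a silent login. For the deck's -R 80:myhost:8080, the listener is port 80 on the remote host and connections to it are delivered to myhost:8080 through your machine.

```sh
#!/bin/sh
# Added example: build ssh port-forwarding arguments with safe defaults.

valid_port() {
    # Accept only a decimal number in 1..65535.
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

forward_spec() {
    # Print the ssh argument for one forward:
    #   forward_spec local  <myport> <destination> <destport> [bind]      -> -L
    #   forward_spec remote <remoteport> <destination> <destport> [bind]  -> -R
    #   forward_spec socks  <port> [bind]                                 -> -D
    # The listener binds to 127.0.0.1 unless a bind address is given, so a
    # tunnel is never reachable from other machines by accident.
    kind=$1; shift
    case "$kind" in
        local|remote)
            lport=$1; dest=$2; dport=$3; bind=${4:-127.0.0.1}
            valid_port "$lport" && valid_port "$dport" && [ -n "$dest" ] || return 1
            flag=-L; [ "$kind" = remote ] && flag=-R
            printf '%s %s:%s:%s:%s\n' "$flag" "$bind" "$lport" "$dest" "$dport" ;;
        socks)
            port=$1; bind=${2:-127.0.0.1}
            valid_port "$port" || return 1
            printf '%s %s:%s\n' -D "$bind" "$port" ;;
        *) return 1 ;;
    esac
}

forward_exposure() {
    # Classify a spec from forward_spec by who can reach its listener.
    case "$1" in
        *' 127.0.0.1:'*|*' localhost:'*) echo "loopback-only" ;;
        *' *:'*|*' 0.0.0.0:'*)           echo "all-interfaces" ;;
        *)                               echo "specific-address" ;;
    esac
}

ssh_forward_cmd() {
    # Full command for one forward: -N opens no remote shell, and
    # ExitOnForwardFailure makes ssh exit if the listener cannot be bound
    # instead of leaving you logged in without the tunnel.
    target=$1; shift
    spec=$(forward_spec "$@") || return 1
    printf 'ssh -N -o ExitOnForwardFailure=yes %s %s\n' "$spec" "$target"
}

# The deck's three examples, with the loopback binding made explicit:
#   ssh_forward_cmd user@myhost local  8080 myhost 80    # -L 127.0.0.1:8080:myhost:80
#   ssh_forward_cmd user@myhost remote 80   myhost 8080  # -R 127.0.0.1:80:myhost:8080
#   ssh_forward_cmd user@myhost socks  2222              # -D 127.0.0.1:2222
```

Binding a SOCKS proxy to 0.0.0.0 turns your laptop into an open relay into the internal network for anyone on the same LAN, which is why forward_spec only does that when asked.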
Questions?