Ssh that wonderful thing

Marc Cluet – Lynx Consultants

How I learned to stop worrying and love the shell
  
What we’ll cover?
- Understand how SSH works
- Get a clear picture of how ssh bastion hosts work
- Be able to do more awesome stuff with SSH!

Lynx Consultants © 2013
  
What is SSH?
- Secure Shell (SSH) is a cryptographic network protocol for secure data communication, remote shell services or command execution and other secure network services between two networked computers that it connects via a secure channel over an insecure network: a server and a client (running SSH server and SSH client programs, respectively).[1] The protocol specification distinguishes two major versions that are referred to as SSH-1 and SSH-2….

*whew*
  
But really, what is SSH?
- SSH opens a terminal connection to a remote host
- It does so using cryptography to avoid any break or leak in communication
- It is a very powerful tool for remote execution
- It is awesome!
  
How does SSH create a connection?
- You run your SSH command: ssh user@host
- SSH client connects to host
- SSH client negotiates with host crypto and version
- SSH host requests authentication (password, certificates)
- SSH client replies to the crypto challenge
- Communication is open!
  
Authentication methods
- Password
  - Typical manual password
  - Turing keyboard test
- Certificates
  - Public Key certificates (RSA1, RSA, DSA, GSS)
  - Host-based certificates
  
Certificates
- A certificate ensures your identity by providing a crypto key divided into public and private parts (asymmetric cryptography)
- A public crypto key can be shared and is mathematically linked to the private key
- A private key shouldn’t be shared and is able to unlock and decipher the ciphertext
  
Certificates
- A certificate can be generated for each host or group of hosts you want to access
- Each certificate can and should be protected by a password for extra security
- Certificates are easy to revoke, so in case of any incident a new certificate can be generated
  
Certificates
- Run the command
  - ssh-keygen -t rsa -f ~/.ssh/id_foryournetwork
- This will create a unique certificate for network hosts
- All your other hosts or keys (github, etc) are safely different
  
Security risks of running an infrastructure
- If we leave password authentication open we’re subject to dictionary attacks
  - The whole system strength is defined by the weakest password
- Each host that has ssh open is another security risk
- All this can be resolved by Bastion Hosts!
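To turn the risks on this slide into something you can check, here is an added example (not from the talk) that audits an sshd_config for password logins and for the lack of any source restriction, beside a hardened version; both config files are constructed and 10.0.0.1 stands in for the bastion's address.

```shell
#!/bin/sh
# Added example (not from the talk): audit an sshd_config for the risks the
# slide names, then show the hardened settings. The two config files are
# constructed here; 10.0.0.1 is a placeholder for the bastion's address.
set -eu

DIR=$(mktemp -d)
trap 'rm -rf "$DIR"' EXIT

# Typical "works out of the box" config: nothing disabled, so sshd's own
# defaults apply (password logins on, keyboard-interactive on).
cat > "$DIR/sshd_config.weak" <<'EOF'
Port 22
PermitRootLogin yes
UsePAM yes
Subsystem sftp /usr/lib/openssh/sftp-server
EOF

# Hardened: keys only (the per-network key from the talk), no root, and only
# logins that arrive from the bastion are accepted.
cat > "$DIR/sshd_config.hardened" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
UsePAM yes
AllowUsers myuser@10.0.0.1
Subsystem sftp /usr/lib/openssh/sftp-server
EOF

# sshd_get FILE KEYWORD: effective value of KEYWORD. sshd keywords are
# case-insensitive and the first occurrence wins; we stop at the first Match
# block because values inside it are conditional. Prints nothing if absent.
sshd_get() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == k { print $2; exit }
    ' "$1"
}

# audit_sshd FILE: one finding per line. Defaults matter: an absent keyword
# is NOT "off" (sshd's default for PasswordAuthentication is yes).
audit_sshd() {
    f=$1
    [ "$(sshd_get "$f" PasswordAuthentication)" = no ] ||
        echo "PasswordAuthentication is effectively yes: the system is only as strong as its weakest password"
    # The "Turing keyboard test" is still a password prompt (via PAM) unless both spellings are off
    if [ "$(sshd_get "$f" KbdInteractiveAuthentication)" != no ] &&
       [ "$(sshd_get "$f" ChallengeResponseAuthentication)" != no ]; then
        echo "keyboard-interactive is effectively yes: passwords can still be guessed through PAM"
    fi
    [ "$(sshd_get "$f" PermitRootLogin)" != yes ] ||
        echo "PermitRootLogin yes: the most valuable account is exposed to guessing"
    # No user@host restriction means every host with sshd open is its own entry point
    # (only the first AllowUsers pattern is inspected, for brevity)
    case $(sshd_get "$f" AllowUsers) in
        *@*) ;;
        *) echo "no AllowUsers user@host restriction: sshd accepts logins from anywhere, not just the bastion" ;;
    esac
}

# audit_count FILE: number of findings
audit_count() {
    audit_sshd "$1" | awk 'END { print NR }'
}

echo "weak config:";     audit_sshd "$DIR/sshd_config.weak"
echo "hardened config:"; audit_sshd "$DIR/sshd_config.hardened"
```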
  
What is a Bastion Host?
- A Bastion Host sits between two networks, one trusted and one untrusted
- It regulates traffic between those networks, highlighting any malicious traffic and refusing it
- It is the first line of defence in a system
  
SSH Configuration
- Here’s an example

# Config to access bastion host
Host bastionhost
    User myuser
    IdentityFile ~/.ssh/id_mynetwork
    Hostname 1.2.3.4
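The stanza above only reaches the bastion itself. As an added example (not from the talk), the config below extends it so that internal hosts are reached through the bastion with ProxyJump (OpenSSH 7.3 and later), and a small resolver shows the hop chain ssh will use; the *.internal names, the db*.internal extra hop and the key path are assumptions.

```shell
#!/bin/sh
# Added example (not from the talk): the slide's bastion stanza extended so
# that internal hosts are reached through the bastion with ProxyJump
# (OpenSSH 7.3+), plus a small resolver that shows the hop chain the client
# will use. Host names, the 1.2.3.4 address and key paths are constructed.
set -eu
set -f      # no pathname expansion: "*.internal" must stay a pattern

CFG=$(mktemp)
trap 'rm -f "$CFG"' EXIT

cat > "$CFG" <<'EOF'
# Config to access bastion host: the only machine reachable from outside
Host bastionhost
    Hostname 1.2.3.4
    User myuser
    IdentityFile ~/.ssh/id_mynetwork
    IdentitiesOnly yes

# Database hosts sit one hop deeper, behind a web host; listed before the
# generic pattern because ssh_config takes the first matching value
Host db*.internal
    ProxyJump web01.internal

# Everything else in the trusted network goes through the bastion
Host *.internal
    User myuser
    IdentityFile ~/.ssh/id_mynetwork
    IdentitiesOnly yes
    ProxyJump bastionhost
EOF

# cfg_get HOST OPTION: value of OPTION for HOST, first match wins, as ssh
# does it. Simplified: no Match blocks, no "!" negation, no quoted values,
# and keyword names are matched exactly as written above.
cfg_get() {
    target=$1; want=$2; matched=0
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line
        [ $# -ge 2 ] || continue
        case $1 in
            '#'*) continue ;;
            Host)
                shift; matched=0
                for pat in "$@"; do
                    case $target in $pat) matched=1 ;; esac
                done ;;
            *)
                if [ "$matched" -eq 1 ] && [ "$1" = "$want" ]; then
                    printf '%s\n' "$2"; return 0
                fi ;;
        esac
    done < "$CFG"
    return 1
}

# ssh_route HOST: follow ProxyJump until a host with no jump, then report
# which address the first TCP connection actually goes to.
ssh_route() {
    hop=$1; chain=$1
    while jump=$(cfg_get "$hop" ProxyJump); do
        chain="$chain -> $jump"; hop=$jump
    done
    addr=$(cfg_get "$hop" Hostname) || addr=$hop
    printf '%s (first TCP connection: %s)\n' "$chain" "$addr"
}

ssh_route bastionhost
ssh_route web01.internal
ssh_route db01.internal
```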
  
How to Diagnose connections
- Always run ssh -v (-v for verbose)
- Make sure you test each point of your connection
  - First bastion host
  - Then proceed further up
- Regular issues
  - Lack of Certificate
  - DNS problem
  - Internets is broken
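An added example, not from the talk, that applies the slide's checklist to a captured ssh -v transcript: it sorts the failure into certificate, DNS or network and names the hop it died on. The transcripts are constructed but use the message texts the OpenSSH client prints; host names and paths are made up.

```shell
#!/bin/sh
# Added example (not from the talk): sort a captured "ssh -v" transcript into
# the slide's regular issues (certificate, DNS, network) and say which hop it
# failed on. The transcripts below are constructed, but the message texts are
# the ones the OpenSSH client prints; host names and paths are made up.
set -eu

# classify < transcript -> one word: dns | network | refused | certificate | ok | unknown
classify() {
    log=$(cat)
    case $log in
        *"Could not resolve hostname"*)  echo dns ;;
        *"Connection timed out"*|*"No route to host"*|*"Network is unreachable"*)
                                          echo network ;;
        *"Connection refused"*)           echo refused ;;
        *"Permission denied (publickey"*) echo certificate ;;
        *"Authentication succeeded"*)     echo ok ;;
        *)                                echo unknown ;;
    esac
}

# last_hop < transcript -> the host ssh was connecting to when the transcript
# ends ("debug1: Connecting to NAME [ADDR] port N."); empty if it never got that far
last_hop() {
    sed -n 's/^debug1: Connecting to \([^ ]*\) .*/\1/p' | sed -n '$p'
}

# missing_key < transcript -> true if the configured IdentityFile was not on disk.
# ssh reports "type -1" for a file it could not load; the "-cert" companion
# file is normally absent as well, so that line must be ignored.
missing_key() {
    grep -v -- '-cert type -1' | grep -q '^debug1: identity file .* type -1$'
}

# diagnose < transcript -> "<class>: <what to check next>"
diagnose() {
    log=$(cat)
    class=$(printf '%s\n' "$log" | classify)
    hop=$(printf '%s\n' "$log" | last_hop)
    case $class in
        dns)     echo "dns: the name could not be resolved; check the Hostname line in ~/.ssh/config and the resolver" ;;
        network) echo "network: no TCP path to ${hop:-the target}; test the bastion on its own before the hosts behind it" ;;
        refused) echo "refused: ${hop:-the target} is reachable but nothing listens on that port; is sshd running there?" ;;
        certificate)
            if printf '%s\n' "$log" | missing_key; then
                echo "certificate: the IdentityFile in your config does not exist on disk; generate it with ssh-keygen or fix the path"
            else
                echo "certificate: ${hop:-the server} rejected every key offered; is the public key in its authorized_keys?"
            fi ;;
        ok)      echo "ok: authenticated to ${hop:-the target}" ;;
        *)       echo "unknown: no recognised failure line; read the full -v transcript" ;;
    esac
}

# Constructed transcripts (abridged ssh -v output)
T_NOKEY='debug1: Connecting to bastionhost [1.2.3.4] port 22.
debug1: Connection established.
debug1: identity file /home/myuser/.ssh/id_mynetwork type -1
debug1: identity file /home/myuser/.ssh/id_mynetwork-cert type -1
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
myuser@bastionhost: Permission denied (publickey).'

T_DNS='ssh: Could not resolve hostname bastionhost: Name or service not known'

T_NET='debug1: Connecting to bastionhost [1.2.3.4] port 22.
ssh: connect to host 1.2.3.4 port 22: Connection timed out'

printf '%s\n' "$T_NOKEY" | diagnose
printf '%s\n' "$T_DNS"   | diagnose
printf '%s\n' "$T_NET"   | diagnose
```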
  
Awesome Stuff – Port Redirection
- You can redirect a port from your machine to the remote host or the other way around
  - -L myport:destination:destport
    - Forwards a connection made to localhost 8080 to myhost port 80 (-L 8080:myhost:80)
  - -R remoteport:destination:destport
    - Forwards a connection made to destination port 8080 to localhost port 80 (-R 80:myhost:8080)
  
Awesome Stuff – Socks Proxy
- You can create a SOCKS Proxy transparently with SSH
  - This will allow you to navigate the remote network as if it was your own
- ssh -D2222 user@myhost
- Configure your browser to use a SOCKS proxy at localhost port 2222
- Navigate to all internal network pages!
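An added example (not from the talk) that decodes the -L, -R and -D arguments from these slides into who listens where and who makes the onward connection, and warns when a listener is bound to an address other machines can reach; the spec format is OpenSSH's [bind_address:]port:host:hostport, and myhost is the slide's placeholder.

```shell
#!/bin/sh
# Added example (not from the talk): decode the -L / -R / -D arguments from the
# slides into "who listens where, and who makes the onward connection", and
# flag listeners that other machines could reach. Specs use OpenSSH's
# [bind_address:]port:host:hostport form; myhost is the slide's placeholder.
set -eu

# forward_parse FLAG [SPEC]: the flag may have the spec glued on (-D2222).
# Prints "kind listen_side bind_addr listen_port dest_host dest_port";
# dest fields are "-" for -D, where the SOCKS client picks the destination.
forward_parse() {
    flag=${1%"${1#??}"}; spec=${1#??}      # first two chars, then the rest
    [ -n "$spec" ] || spec=${2:-}
    old_ifs=$IFS; IFS=:; set -- $spec; IFS=$old_ifs   # no IPv6 brackets, for brevity
    case $flag in
        -L|-R)
            if   [ $# -eq 3 ]; then bind=localhost; port=$1; dhost=$2; dport=$3
            elif [ $# -eq 4 ]; then bind=$1; port=$2; dhost=$3; dport=$4
            else echo "bad forward spec: $spec" >&2; return 2; fi ;;
        -D)
            if   [ $# -eq 1 ]; then bind=localhost; port=$1
            elif [ $# -eq 2 ]; then bind=$1; port=$2
            else echo "bad SOCKS spec: $spec" >&2; return 2; fi
            dhost=-; dport=- ;;
        *)  echo "unknown flag: $flag" >&2; return 2 ;;
    esac
    case $flag in
        -L) echo "local client $bind $port $dhost $dport" ;;
        -R) echo "remote server $bind $port $dhost $dport" ;;
        -D) echo "dynamic client $bind $port $dhost $dport" ;;
    esac
}

# forward_explain FLAG [SPEC]: one sentence per tunnel, plus warnings when the
# listener is reachable from other machines or needs root for its port.
# (For -R the server's GatewayPorts setting decides whether a non-loopback
# bind_address is honoured at all.)
forward_explain() {
    parsed=$(forward_parse "$@") || return $?
    set -- $parsed
    kind=$1; bind=$3; port=$4; dhost=$5; dport=$6
    case $kind in
        local)   echo "-L: ssh on this machine listens on $bind:$port; each connection rides the tunnel and the remote sshd connects to $dhost:$dport (the name resolves on the remote side)" ;;
        remote)  echo "-R: sshd on the remote host listens on $bind:$port; each connection rides the tunnel back and this client connects to $dhost:$dport (the name resolves on this machine)" ;;
        dynamic) echo "-D: ssh on this machine runs a SOCKS proxy on $bind:$port; every destination the browser asks for is connected from the remote host" ;;
    esac
    case $bind in
        localhost|127.0.0.1|::1) ;;
        *) echo "   warning: listener bound to $bind, so anything that can reach that interface can use your tunnel" ;;
    esac
    [ "$port" -ge 1024 ] || echo "   note: port $port is privileged; the listening side needs root to bind it"
}

forward_explain -L 8080:myhost:80
forward_explain -R 80:myhost:8080
forward_explain -D2222
forward_explain -D 0.0.0.0:2222
```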
  
Questions?
  
