jm + ssh   22

Gravitational Teleport
Teleport enables teams to easily adopt the best SSH practices like:

Integrated SSH credentials with your organization Google Apps identities or other OAuth identity providers.
No need to distribute keys: Teleport uses certificate-based access with automatic expiration time.
Enforcement of 2nd factor authentication.
Cluster introspection: every Teleport node becomes a part of a cluster and is visible on the Web UI.
Record and replay SSH sessions for knowledge sharing and auditing purposes.
Collaboratively troubleshoot issues through session sharing.
Connect to clusters located behind firewalls without direct Internet access via SSH bastions.
ssh  teleport  ops  bastions  security  auditing  oauth  2fa 
8 weeks ago by jm
OWASP KeyBox
a web-based SSH console that centrally manages administrative access to systems. Web-based administration is combined with management and distribution of users' public SSH keys. Key management and administration is based on profiles assigned to defined users.

Administrators can log in using two-factor authentication with FreeOTP or Google Authenticator. From there they can create and manage public SSH keys or connect to their assigned systems through a web-shell. Commands can be shared across shells to make patching easier and eliminate redundant command execution.
keybox  owasp  security  ssh  tls  ssl  ops 
april 2015 by jm
Duplicate SSH Keys Everywhere
Poor hardware imaging practices, basically:
It looks like all devices with the fingerprint are Dropbear SSH instances that have been deployed by Telefonica de Espana. It appears that some of their networking equipment comes set up with SSH by default, and the manufacturer decided to re-use the same operating system image across all devices.
crypto  ssh  security  telefonica  imaging  ops  shodan 
february 2015 by jm
Secure Secure Shell
How to secure SSH, disabling insecure ciphers etc. (via Padraig)
via:pixelbeat  crypto  security  ssh  ops 
january 2015 by jm
Use sshuttle to Keep Safe on Insecure Wi-Fi
I keep forgetting about sshuttle. It's by far the easiest way to get a cheapo IP-over-SSH VPN working with an OSX client, particularly since it's in homebrew
ssh  vpn  sshuttle  tunnelling  security  ip  wifi  networking  osx  homebrew 
december 2014 by jm
Russell91/sshrc
'bring your .bashrc, .vimrc, etc. with you when you ssh'. A really nice implementation of this idea (much nicer than my own version!)
hacks  productivity  ssh  remote  shell  sh  bash  via:johnke  home-directory  unix 
september 2014 by jm
The little ssh that (sometimes) couldn't - Mina Naguib
A good demonstration of what it looks like when network-level packet corruption occurs on a TCP connection
ssh  sysadmin  networking  tcp  bugs  bit-flips  cosmic-rays  corruption  packet 
april 2014 by jm
Open-Sourcing Ssync: An Out-of-the-Box Distributed Rsync
a script to perform divide-and-conquer recursive rsync over SSH
recursion  scripts  rsync  ssync  ssh  divide-and-conquer 
january 2014 by jm
Juniper Adds Puppet support
This is super-cool.

'Network engineering no longer should be mundane tasks like conf, set interfaces fe-0/0/0 unit 0 family inet address 10.1.1.1/24. How does mindless CLI work translate to efficiently spent time? What if you need to change 300 devices? What if you are writing it by hand? An error-prone waste of time. Juniper today announced Puppet support for their 12.2R3,5 JUNOS code. This is compatible with EX4200, EX4550, and QFX3500 switches. These are top end switches, but this start is directly aimed at their DC and enterprise devices. Initially, the manifest interactions offered are interface, layer 2 interface, vlan, port aggregation groups, and device names.'

Based on what I saw in the Network Automation team in Amazon, this is an amazing leap forward; it'd instantly render obsolete a bunch of horrific SSH-CLI automation cruft.
ssh  cli  automation  networking  networks  puppet  ops  juniper  cisco 
august 2013 by jm
Nelson's Weblog: tech / bad / failure-of-encryption
One of the great failures of the Internet era has been giving up on end-to-end encryption. PGP dates back to 1991, 22 years ago. It gave us the technical means to have truly secure email between two people. But it was very difficult to use. And in 22 years no one has ever meaningfully made email encryption really usable. [...]

We do have SSL/HTTPS, the only real end-to-end encryption most of us use daily. But the key distribution is hopelessly centralized, authority rooted in 40+ certificates. At least 4 of those certs have been compromised by blackhat hackers in the past few years. How many more have been subverted by government agencies? I believe the SSL Observatory is the only way we’d know.
We do also have SSH. Maybe more services need to adopt that model?
ssh  ssl  tls  pki  crypto  end-to-end  pgp  security  surveillance 
august 2013 by jm
We interrupt this program to warn the Emergency Alert System is hackable | Ars Technica
Private SSH key included in a firmware update. Oh dear:
The US Emergency Alert System, which interrupts live TV and radio broadcasts with information about national emergencies in progress, is vulnerable to attacks that allow hackers to remotely disseminate bogus reports and tamper with gear, security researchers warned. The remote takeover vulnerability affects the DASDEC-I and DASDEC-II application servers made by a company called Digital Alert Systems. It stems from a recent firmware update that mistakenly included the private secure shell (SSH) key, according to an advisory published Monday by researchers from security firm IOActive. Administrators use such keys to remotely log in to a server to gain unfettered "root" access. The publication of the key makes it trivial for hackers to gain unauthorized access on Digital Alert System appliances that run default settings on older firmware. "An attacker who gains control of one or more DASDEC systems can disrupt these stations' ability to transmit and could disseminate false emergency information over a large geographic area," the IOActive advisory warned. "In addition, depending on the configuration of this and other devices, these messages could be forwarded and mirrored by other DASDEC systems."
ssh  security  fail  emergency  alert  warning  tv  radio 
july 2013 by jm
Ansible
'SSH-Based Configuration Management & Deployment'. deploy via SSH; no target-side daemons required. GPLv3 licensed, unfortunately :(
ansible  devops  configuration  deployment  sysadmin  python  ssh 
july 2012 by jm
peak6/scala-ssh-shell - GitHub
'Backdoor that gives you a scala shell over ssh on your jvm. The shell is not sandboxed; anyone accessing the shell can touch anything in the jvm and do anything the jvm can do, including modifying and deleting files, etc.' nifty!
scala  ssh  repl  interactive  debugging  coding  jvm  java 
october 2011 by jm
The Monkeysphere Project
OpenPGP's web of trust extending further. 'Everyone who has used a web browser has been interrupted by the "Are you sure you want to connect?" warning message, which occurs when the browser finds the site's certificate unacceptable. But web browser vendors (e.g. Microsoft or Mozilla) should not be responsible for determining whom (or what) the user trusts to certify the authenticity of a website, or the identity of another user online. The user herself should have the final say, and designation of trust should be done on the basis of human interaction. The Monkeysphere project aims to make that possibility a reality.'
via:filippo  gpg  pki  security  software  ssh  ssl  web 
september 2011 by jm
corkscrew
'a tool for tunneling SSH through HTTP proxies'. handy
ssh  http  proxies  software  linux  tunneling  isps 
august 2011 by jm
DuoSecurity
well-packaged, well-designed, two-factor auth for SSH from Dug Song. free for small-scale use, too, it looks like. awesome! I've signed up (via Nelson)
via:nelson  security  authentication  authorization  two-factor-auth  openssh  ssh  dug-song 
april 2011 by jm
Copying block devices between machines
a very hairy hack to perform a block-level rsync-like "send just the changes" algorithm between two very large files (think /dev/sda block devices). Crazy, but it'd work alright!
devices  hairy  hacks  shell  perl  networking  ssh  rsync  lvm  snapshots  from delicious
march 2011 by jm
apenwarr/sshuttle - GitHub
'Any TCP session you initiate to one of the proxied IP addresses [specified on the command line] will be captured by sshuttle and sent over an ssh session to the remote copy of sshuttle, which will then regenerate the connection on that end, and funnel the data back and forth through ssh. Fun, right? A poor man's instant VPN, and you don't even have to have admin access on the server.'
vpn  ssh  security  linux  opensource  tcp  networking  tunnelling  port-forwarding  from delicious
january 2011 by jm
Infrastructures.Org: Best Practices in Automated Systems Administration and Infrastructure Architecture: Gold Server
well-written, and it's good to see version control listed right at the top of the list. But quite dead; interesting for historical reasons only at this stage
via:fanf  deployment  sysadmin  unix  rsync  ssh  cvs  infrastructure  cfengine 
july 2009 by jm