Category Archives: SSH

SSH Key Fingerprints

As a network administrator I know that there are SSH fingerprints. And of course I know that I must verify the fingerprints for every new connection. ;) But I did not know that there are so many different kinds of fingerprints such as md5- or sha-hashed, represented in base64 or hex, and of course for each public key pair such as RSA, DSA, ECDSA, and Ed25519. Uh, a bit too complicated at a first glance. Hence I draw a picture.

Continue reading SSH Key Fingerprints

Lastline SSH Key-Based Authentication for “monitoring” User

If you are using a Lastline device (Manager, Engine, Sensor or Pinbox) you can reach the machine via SSH after you activated it via monitoring_user_password . However, per default this uses only a password for authentication. If you want to use the key-based authentication for this “monitoring” user account you can add the public key to the authorized_keys file for that user.

This is a small record on how to add a public key to the Lastline device. However, it is quite general since the Lastline appliance is built upon a standard Ubuntu server.

Continue reading Lastline SSH Key-Based Authentication for “monitoring” User

Idea: SSHFP Validator

The usage of the SSHFP resource record helps admins to authenticate the SSH server before they are exposing their credentials or before a man-in-the-middle attack occurs. This is only one great extension of DNSSEC (beside DANE whose TLSA records can be used to authenticate HTTPS/SMTPS servers).

While there are some great online tools for checking the mere DNS (1, 2), the correct DNSSEC signing (3, 4), or the placement of TLSA resource records for DANE (5, 6, 7), I have not found an online SSHFP validator. That’s the idea:

Continue reading Idea: SSHFP Validator

SSHFP: Authenticate SSH Fingerprints via DNSSEC

This is really cool. After DNSSEC is used to sign a complete zone, SSH connections can be authenticated via checking the SSH fingerprint against the SSHFP resource record on the DNS server. With this way, administrators will never get the well-known “The authenticity of host ‘xyz’ can’t be established.” message again. Here we go:

Continue reading SSHFP: Authenticate SSH Fingerprints via DNSSEC

KeePass Passwort-Speicher Einführung

Eine der häufigsten Fragen bzw. Tipps, die ich meinen Bekannten gebe, ist: Benutzt sichere Passwörter! Am besten noch verschiedene für alle Services, also Dienste/Homepages/E-Mail/etc. im Internet und Co. Und uns ist allen klar: Das macht keiner… ;) Außer man hat einen vernünftigen Passwortspeicher den man auch flexibel und von verschiedenen Orten aus benutzen kann. In einem solchen Programm kann man alle verschiedenen Passwörter eingeben und verschlüsselt in einer Datei speichern. Das heißt, man braucht zwar ein sehr gutes (= langes & komplexes) Passwort, erspart sich aber das Merken von allen anderen Passwörtern. Sprich: Man muss sich fortan nur noch ein Passwort merken und hat dann einen sicheren Zugriff auf alle möglichen anderen Passwörter. Ich verwende den KeePass Password Safe und möchte hier eine komplette Einführung in dessen Benutzung geben.

Continue reading KeePass Passwort-Speicher Einführung