ssh – matoken's blog (https://matoken.org/blog), "Is there no plan B?"

Changing Codeberg's SSH authentication to public-key authentication
https://matoken.org/blog/2025/05/05/change-codebergs-ssh-authentication-to-ssh-public-key/ Sun, 04 May 2025 22:15:05 +0000

I registered an SSH public key with Codeberg, a GitHub alternative that is essentially Forgejo plus extras, so that I can use Git over SSH with public-key authentication.

The official instructions are here. One thing that caught my eye is that the key-generation options use 100 rounds. Checking the ssh-keygen man page of my local OpenSSH 10.0p2, the default is 16, so that is cranked up quite a bit.

After generating the key pair, register the public key (the file with the .pub extension) on the following page.

Put the Codeberg settings in ~/.ssh/config. Codeberg also accepts SSH connections on port 443, so I use 443 here.
The User is git for everyone; accounts appear to be distinguished by the key.

$ grep -A 4 Host\ codeberg.org ~/.ssh/config
Host codeberg.org
  HostName codeberg.org
  User git
  IdentityFile ~/.ssh/id_ed25519
  Port 443

Test the connection.

On the first connection the host key must be verified. Codeberg's host key fingerprints can be checked on the following page; verify it and enter it at the prompt.

$ ssh -T git@codeberg.org
The authenticity of host 'codeberg.org (2a0a:4580:103f:c0de::1)' can't be established.
ED25519 key fingerprint is SHA256:mIlxA9k46MmM6qdJOdMnAQpzGxF4WIVVL+fj+wZbw0g.
+--[ED25519 256]--+
| ++*+=.          |
|o +.+...         |
|oBo...+ o        |
|+o*o + OE        |
|o ... +.So       |
|. o .  .o.+      |
|.= o .  .+ .     |
|..+.o   ...      |
| oo     .o.      |
+----[SHA256]-----+
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? SHA256:mIlxA9k46MmM6qdJOdMnAQpzGxF4WIVVL+fj+wZbw0g
Warning: Permanently added 'codeberg.org' (ED25519) to the list of known hosts.
Connection closed by 2a0a:4580:103f:c0de::1 port 22
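To turn the manual fingerprint check above into something repeatable, here is an added example (not from the original post) that verifies a known_hosts entry against a pinned fingerprint: it computes OpenSSH's SHA256 fingerprint from the key blob, understands hashed (|1|...) host fields and the [host]:port form ssh uses for the port 443 setup above, and uses a constructed dummy key rather than Codeberg's real one; the function names are my own.

```python
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def fingerprint_sha256(key_b64: str) -> str:
    """OpenSSH fingerprint: SHA-256 of the raw key blob, base64 without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hashed_host_field(host: str, salt: bytes) -> str:
    """HashKnownHosts form of a host field: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def host_field_matches(field: str, pattern: str) -> bool:
    """Does a known_hosts host field (plain, comma-separated, or hashed) name this host?"""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        expected = hmac.new(base64.b64decode(salt_b64), pattern.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(mac_b64))
    return pattern in field.split(",")


def pinned_fingerprint_ok(known_hosts: str, host: str, key_type: str,
                          expected_fp: str, port: int = 22) -> bool:
    """True when known_hosts has a key_type entry for host/port whose fingerprint is expected_fp."""
    pattern = host if port == 22 else f"[{host}]:{port}"   # how ssh names non-default ports
    for line in known_hosts.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue   # comments and @cert-authority/@revoked markers need separate handling
        parts = line.split()
        if len(parts) < 3:
            continue
        field, ktype, key_b64 = parts[0], parts[1], parts[2]
        if ktype == key_type and host_field_matches(field, pattern):
            return hmac.compare_digest(fingerprint_sha256(key_b64), expected_fp)
    return False


# Constructed sample key: a syntactically valid ssh-ed25519 blob with a dummy 32-byte point.
# It is NOT Codeberg's key; it only exercises the parsing and hashing paths.
CONSTRUCTED_KEY_B64 = base64.b64encode(
    ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
).decode()
CONSTRUCTED_SALT = bytes(range(20))

KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts for this example",
    f"codeberg.org ssh-ed25519 {CONSTRUCTED_KEY_B64}",
    f"{hashed_host_field('[codeberg.org]:443', CONSTRUCTED_SALT)} ssh-ed25519 {CONSTRUCTED_KEY_B64}",
])

# Fingerprint exactly as the ssh output above printed it for Codeberg's ED25519 host key.
CODEBERG_ED25519_FP = "SHA256:mIlxA9k46MmM6qdJOdMnAQpzGxF4WIVVL+fj+wZbw0g"

if __name__ == "__main__":
    fp = fingerprint_sha256(CONSTRUCTED_KEY_B64)
    print("constructed key fingerprint:", fp)
    print("port 22 entry ok:", pinned_fingerprint_ok(KNOWN_HOSTS, "codeberg.org", "ssh-ed25519", fp))
    print("port 443 hashed entry ok:",
          pinned_fingerprint_ok(KNOWN_HOSTS, "codeberg.org", "ssh-ed25519", fp, port=443))
    # The real Codeberg fingerprint must not verify against the constructed key.
    print("real fingerprint vs constructed key:",
          pinned_fingerprint_ok(KNOWN_HOSTS, "codeberg.org", "ssh-ed25519", CODEBERG_ED25519_FP))
```

Against a real ~/.ssh/known_hosts, pass the file's contents and the fingerprint from Codeberg's published list; a False result means the stored key is not the one you pinned.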

If the connection succeeds, your account name and the key's comment are displayed.

$ ssh -T git@codeberg.org
Host key fingerprint is SHA256:mIlxA9k46MmM6qdJOdMnAQpzGxF4WIVVL+fj+wZbw0g
+--[ED25519 256]--+
| ++*+=.          |
|o +.+...         |
|oBo...+ o        |
|+o*o + OE        |
|o ... +.So       |
|. o .  .o.+      |
|.= o .  .+ .     |
|..+.o   ...      |
| oo     .o.      |
+----[SHA256]-----+
Enter passphrase for key '/home/matoken/.ssh/id_ed25519':
Authenticated to codeberg.org ([2a0a:4580:103f:c0de::1]:22) using "publickey".
Hi there, matoken! You've successfully authenticated with the key named matoken@l13, but Forgejo does not provide shell access.
If this is unexpected, please log in with password and setup Forgejo under another user.

Here the key named matoken@l13 was used and login succeeded as the account matoken.

Note
Codeberg also accepts SSH connections on port 443, but this test seems to fail when port 443 is used.

Attempting password authentication in this state fails.

$ ssh -T matoken@codeberg.org -o PasswordAuthentication=yes
Host key fingerprint is SHA256:mIlxA9k46MmM6qdJOdMnAQpzGxF4WIVVL+fj+wZbw0g
+--[ED25519 256]--+
| ++*+=.          |
|o +.+...         |
|oBo...+ o        |
|+o*o + OE        |
|o ... +.So       |
|. o .  .o.+      |
|.= o .  .+ .     |
|..+.o   ...      |
| oo     .o.      |
+----[SHA256]-----+
matoken@codeberg.org: Permission denied (publickey).

With TOTP enabled and this SSH public-key authentication in use, it feels reasonably secure.

The ftp, rsh and ssh methods have been removed from apt in Debian unstable
https://matoken.org/blog/2024/11/21/ftp-rsh-ssh-methods-have-been-removed-from-apt-in-debian-unstable/ Thu, 21 Nov 2024 09:20:45 +0000

When I updated packages on Debian sid, a new apt arrived, and apt-listchanges showed an entry that caught my attention.

$ zcat /usr/share/doc/apt/NEWS.Debian.gz | head
apt (2.9.11) unstable; urgency=medium

  The ftp, rsh, and ssh methods have been removed. They have been unsupported
  and disabled since 1.8. Please, migrate to http(s) instead, or contribute
  an sftp method.

  If you need ad hoc access to a remote repository, you can usually run
  `python3 -m http.server` on that machine and use SSH port forwarding to
  run HTTP over SSH.

The ftp, rsh, and ssh methods have apparently been removed.

It says to migrate to http(s) instead, or to contribute an sftp method.

If ad hoc access is needed, it recommends starting an httpd and using SSH port forwarding to carry HTTP over SSH.

Checking sources.list in my sid environment, it uses only http; /etc/apt/sources.list.d/* all use https. So this environment should be fine as it is.

$ grep ^deb\  /etc/apt/sources.list
deb http://ftp.jp.debian.org/debian/ sid main contrib non-free non-free-firmware
$ grep ^deb\  /etc/apt/sources.list.d/*
/etc/apt/sources.list.d/signal-xenial.list:deb [arch=amd64 signed-by=/usr/share/keyrings/signal-desktop-keyring.gpg] https://updates.signal.org/desktop/apt xenial main
/etc/apt/sources.list.d/steam-stable.list:deb [arch=amd64,i386 signed-by=/usr/share/keyrings/steam.gpg] https://repo.steampowered.com/steam/ stable steam
/etc/apt/sources.list.d/tailscale.list:deb [signed-by=/usr/share/keyrings/tailscale-archive-keyring.gpg] https://pkgs.tailscale.com/stable/debian sid main
/etc/apt/sources.list.d/vscodium.list:deb [ signed-by=/usr/share/keyrings/vscodium-archive-keyring.gpg ] https://download.vscodium.com/debs vscodium main
/etc/apt/sources.list.d/wezterm.list:deb [signed-by=/usr/share/keyrings/wezterm-fury.gpg] https://apt.fury.io/wez/ * *
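The check above was done by eye with grep; as an added example (not from the original post) here is a small auditor that parses one-line-style sources entries, including the bracketed options used by the sources.list.d files above, and flags any URI whose method apt 2.9.11 removed. The sample input reuses this post's own entries plus two constructed lines; the function names are mine.

```python
import re

# Transport methods that apt 2.9.11 dropped, per the NEWS entry quoted above.
REMOVED_METHODS = {"ftp", "rsh", "ssh"}

# Constructed sample: this post's entries plus two lines (marked) that use removed methods.
SAMPLE_SOURCES = """\
deb http://ftp.jp.debian.org/debian/ sid main contrib non-free non-free-firmware
deb [arch=amd64 signed-by=/usr/share/keyrings/signal-desktop-keyring.gpg] https://updates.signal.org/desktop/apt xenial main
deb [ signed-by=/usr/share/keyrings/vscodium-archive-keyring.gpg ] https://download.vscodium.com/debs vscodium main
# constructed for this example: both fail with "method driver ... could not be found"
deb ftp://ftp.jp.debian.org/debian/ sid main
deb-src ssh://mirror.example.invalid/debian sid main
"""

# One-line-style entry: type, optional [options], URI, suite, components.
LINE_RE = re.compile(
    r"^(?P<type>deb|deb-src)\s+"
    r"(?:\[(?P<opts>[^\]]*)\]\s*)?"
    r"(?P<uri>\S+)\s+(?P<suite>\S+)(?P<rest>.*)$"
)


def parse_source_line(line: str):
    """Parse one sources.list line; return None for blank lines and comments."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    m = LINE_RE.match(stripped)
    if not m:
        raise ValueError(f"unparseable sources line: {line!r}")
    options = {}
    for opt in (m.group("opts") or "").split():
        key, _, value = opt.partition("=")
        options[key] = value
    uri = m.group("uri")
    return {
        "type": m.group("type"),
        "uri": uri,
        # The URI scheme is the method name apt looks up under /usr/lib/apt/methods/.
        "scheme": uri.split(":", 1)[0].lower(),
        "suite": m.group("suite"),
        "components": m.group("rest").split(),
        "options": options,
    }


def audit_sources(text: str):
    """Return (severity, message) findings for a sources.list body."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = parse_source_line(line)
        if entry is None:
            continue
        scheme = entry["scheme"]
        if scheme in REMOVED_METHODS:
            findings.append(("error", f"line {lineno}: method '{scheme}' was removed in apt "
                                      f"2.9.11; apt update will fail for {entry['uri']}"))
        elif scheme == "http":
            findings.append(("info", f"line {lineno}: plain http for {entry['uri']}; the signed "
                                     "InRelease protects integrity but not confidentiality"))
        if "signed-by" not in entry["options"]:
            findings.append(("note", f"line {lineno}: no signed-by, so any key in apt's global "
                                     "trusted keyring may sign this repository"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_sources(SAMPLE_SOURCES):
        print(f"[{severity}] {message}")
```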

As a test I rewrote sources.list to use ftp. I used apt edit-sources to point sources.list at a repository I had confirmed to be reachable over ftp; a sanity check is supposed to run there, but the change went through without any complaint. Running apt update afterwards gave an error, and ftp could not be used.

$ curl -s ftp://ftp.jp.debian.org/debian/dists/sid/InRelease | head
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Origin: Debian
Label: Debian
Suite: unstable
Codename: sid
Changelogs: https://metadata.ftp-master.debian.org/changelogs/@CHANGEPATH@_changelog
Date: Thu, 21 Nov 2024 02:25:33 UTC
Valid-Until: Thu, 28 Nov 2024 02:25:33 UTC
$ sudo apt update
  :
Error: The method driver /usr/lib/apt/methods/ftp could not be found.
Notice: Is the package apt-transport-ftp installed?
  :
Error: Failed to fetch ftp://ftp.jp.debian.org/debian/dists/sid/InRelease  
Error: Some index files failed to download. They have been ignored, or old ones used instead.

It asks whether apt-transport-ftp is installed, but no such package exists, so it really cannot be used.
The other apt-transports look like this; of these I think I have only ever used https and tor.

$ apt-cache search apt-transport
apt - commandline package manager
apt-transport-https - transitional package for https support
libapt-pkg6.0t64 - package management runtime library
apt-transport-in-toto - apt transport method for in-toto supply chain verification
apt-transport-s3 - APT transport for privately held AWS S3 repositories
apt-transport-tor - APT transport for anonymous package downloads via Tor

So, although few people run sid, this will probably arrive around Debian 13, so some care will be needed when setting up new repositories or at dist-upgrade time.

Environment
$ dpkg-query -W apt
apt     2.9.12
$ lsb_release -dr
Description:    Debian GNU/Linux trixie/sid
Release:        n/a
$ arch
x86_64

age, which can encrypt and decrypt using SSH keys
https://matoken.org/blog/2024/04/04/age-that-can-encrypt-and-decrypt-using-ssh-keys/ Thu, 04 Apr 2024 11:36:16 +0000

I learned about an encryption tool called age. It looked interesting that age can encrypt with an SSH public key and decrypt with the SSH private key, so I tried it a bit.


Install

This time I used the Raspberry Pi OS bookworm armhf package, since its version matches upstream.
Installing with go install is also easy if Go is available, and the GitHub releases page has several binaries.
Packages also seem to exist for various other environments.

Installing the age package on Raspberry Pi OS
$ sudo apt install age
$ age --version
1.1.1
$ dpkg-query -W age
age     1.1.1-1+b3
$ age
Usage:
    age [--encrypt] (-r RECIPIENT | -R PATH)... [--armor] [-o OUTPUT] [INPUT]
    age [--encrypt] --passphrase [--armor] [-o OUTPUT] [INPUT]
    age --decrypt [-i PATH]... [-o OUTPUT] [INPUT]

Options:
    -e, --encrypt               Encrypt the input to the output. Default if omitted.
    -d, --decrypt               Decrypt the input to the output.
    -o, --output OUTPUT         Write the result to the file at path OUTPUT.
    -a, --armor                 Encrypt to a PEM encoded format.
    -p, --passphrase            Encrypt with a passphrase.
    -r, --recipient RECIPIENT   Encrypt to the specified RECIPIENT. Can be repeated.
    -R, --recipients-file PATH  Encrypt to recipients listed at PATH. Can be repeated.
    -i, --identity PATH         Use the identity file at PATH. Can be repeated.

INPUT defaults to standard input, and OUTPUT defaults to standard output.
If OUTPUT exists, it will be overwritten.

RECIPIENT can be an age public key generated by age-keygen ("age1...")
or an SSH public key ("ssh-ed25519 AAAA...", "ssh-rsa AAAA...").

Recipient files contain one or more recipients, one per line. Empty lines
and lines starting with "#" are ignored as comments. "-" may be used to
read recipients from standard input.

Identity files contain one or more secret keys ("AGE-SECRET-KEY-1..."),
one per line, or an SSH key. Empty lines and lines starting with "#" are
ignored as comments. Passphrase encrypted age files can be used as
identity files. Multiple key files can be provided, and any unused ones
will be ignored. "-" may be used to read identities from standard input.

When --encrypt is specified explicitly, -i can also be used to encrypt to an
identity file symmetrically, instead or in addition to normal recipients.

Example:
    $ age-keygen -o key.txt
    Public key: age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
    $ tar cvz ~/data | age -r age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p > data.tar.gz.age
    $ age --decrypt -i key.txt -o data.tar.gz data.tar.gz.age

Using age keys

The age-keygen command generates an age key pair. You share the public key.

Key generation
$ age-keygen -o key.txt
Public key: age1asle7pc9uj5n3fxamxst286ejh24yv5nut0qtedmadsxdm38egvs6ez9jr
$ cat key.txt
# created: 2024-03-30T04:44:49+09:00
# public key: age1asle7pc9uj5n3fxamxst286ejh24yv5nut0qtedmadsxdm38egvs6ez9jr
AGE-SECRET-KEY-1VZVZ0VXNSP7D3XN6X545MT7EX89S2Z7F68G6CG0RZ9WKMGN0CW4STSVM26
$ age-keygen -o key2.txt
Public key: age1vz7kedcgzvzk4n4ke50wdxthll9g3muhgwlv3vz37g926frzjvvst777qe

Encrypt with the age public key and decrypt with the age secret key.

Encrypting and decrypting with keys
$ echo 'plain' > data
$ age -o data.age -r age1asle7pc9uj5n3fxamxst286ejh24yv5nut0qtedmadsxdm38egvs6ez9jr data (1)
$ age --decrypt -i key.txt -o - data.age (2)
plain
$ age -o data.age -r age1asle7pc9uj5n3fxamxst286ejh24yv5nut0qtedmadsxdm38egvs6ez9jr \
    -r age1vz7kedcgzvzk4n4ke50wdxthll9g3muhgwlv3vz37g926frzjvvst777qe data (3)
$ age --decrypt -i key.txt -o - data.age (4)
plain
$ age --decrypt -i key2.txt -o - data.age (5)
plain

Encrypting and decrypting with a passphrase

Encrypting
$ age --passphrase -o data.age data (1)
Enter passphrase (leave empty to autogenerate a secure one):
Confirm passphrase:
$ age --passphrase -o data.age data (2)
Enter passphrase (leave empty to autogenerate a secure one):
age: using autogenerated passphrase "resist-host-rabbit-rapid-choose-slender-legal-ramp-forward-scare"
$ age --passphrase --armor data (3)
age: using autogenerated passphrase "what-open-rifle-junior-meadow-grass-hurdle-cigar-hybrid-slide"
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNjcnlwdCBxcGxLRjNySGliS3ZyUmUz
Tm5MMnVRIDE4ClQzVUhlUmJlSGQrSmdUcU1xaEo0ZkFUcGpLWGZpUnBEbjNPbDMy
WDk4ZHcKLS0tIFRic2twRVFOVkJ3a2Y3UWZ3WEdxcG5iSi9qWk5TU1UydWllVG1G
NlBmMkkKh1ok+t0EGZrBXEQujdb6JQLcIGyZXcnvJrAetajKdVImFUCHXu0=
-----END AGE ENCRYPTED FILE-----
  1. Encrypt with a passphrase you choose.
  2. If you enter no passphrase, age generates one for you.
  3. The -a/--armor option writes PEM-style output.
Decrypting
$ age --decrypt -o - ./data.age
Enter passphrase:
plain
$ echo '-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNjcnlwdCBxcGxLRjNySGliS3ZyUmUz
Tm5MMnVRIDE4ClQzVUhlUmJlSGQrSmdUcU1xaEo0ZkFUcGpLWGZpUnBEbjNPbDMy
WDk4ZHcKLS0tIFRic2twRVFOVkJ3a2Y3UWZ3WEdxcG5iSi9qWk5TU1UydWllVG1G
NlBmMkkKh1ok+t0EGZrBXEQujdb6JQLcIGyZXcnvJrAetajKdVImFUCHXu0=
-----END AGE ENCRYPTED FILE-----' | age --decrypt -o -
Enter passphrase:
plain

Encrypting and decrypting with SSH keys

This is what I wanted to try.

Encrypting and decrypting with ed25519
$ age --armor -R ~/.ssh/id_ed25519.pub data
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGVSY0tCZyBZRUJD
NUZ6OWpQWDlzK2JKbmszaVp1ak9TQ0NZWkxoM0JuRlhtTm1hNVdFCjZqV0RlRldI
cjY4TDJJR1hRckxNUkw2QmoreGVoRURzRGhRYllZUjBXck0KLS0tIEJBaFVXa3J0
RHFobkVzUnRLaDZaUDVHdnpTbklHYmozQThKKzVKT3haUkEKaRkef04BHGL2sDPy
B9hl8CCpgJ57fOZtLBG8tPruAz5uASNhJss=
-----END AGE ENCRYPTED FILE-----
$ echo '-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGVSY0tCZyBZRUJD
NUZ6OWpQWDlzK2JKbmszaVp1ak9TQ0NZWkxoM0JuRlhtTm1hNVdFCjZqV0RlRldI
cjY4TDJJR1hRckxNUkw2QmoreGVoRURzRGhRYllZUjBXck0KLS0tIEJBaFVXa3J0
RHFobkVzUnRLaDZaUDVHdnpTbklHYmozQThKKzVKT3haUkEKaRkef04BHGL2sDPy
B9hl8CCpgJ57fOZtLBG8tPruAz5uASNhJss=
-----END AGE ENCRYPTED FILE-----' | age -d -i ~/.ssh/id_ed25519
plain
Encrypting with RSA
$ echo 'plain' | age --armor -R ./rsa1024.pub
age: warning: recipients file "./rsa1024.pub": ignoring unsupported SSH key of type "ssh-rsa" at line 1
age: error: failed to parse recipient file "./rsa1024.pub": "./rsa1024.pub": no recipients found
age: report unexpected or unhelpful errors at https://filippo.io/age/report
$ echo 'plain' | age --armor -R ./rsa2048.pub
-----BEGIN AGE ENCRYPTED FILE-----
  :
-----END AGE ENCRYPTED FILE-----
$ echo 'plain' | age --armor -R ./rsa3072.pub
-----BEGIN AGE ENCRYPTED FILE-----
  :
-----END AGE ENCRYPTED FILE-----
$ echo 'plain' | age --armor -R ./rsa4096.pub
-----BEGIN AGE ENCRYPTED FILE-----
  :
-----END AGE ENCRYPTED FILE-----

RSA 1024 gave an error. I believe the current RSA default is 3072, so keys with the short length of 1024 bits may be rejected.

Encrypting with multiple keys
$ echo 'plain' | age --armor -R ./rsa2048.pub -R ./rsa3072.pub -R ./rsa4096.pub -R ~/.ssh/id_ed25519.pub
-----BEGIN AGE ENCRYPTED FILE-----
  :
-----END AGE ENCRYPTED FILE-----

Encrypting with multiple keys including both RSA and ED25519 also worked fine. (Not shown here to save space, but decrypting with each of the keys was also fine.)
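The passphrase and ssh-ed25519 outputs above are ordinary armored age files, and the header inside the base64 is plaintext: anyone holding the ciphertext can read the recipient types, the scrypt work factor, and the SSH key tag (the first four bytes of SHA-256 over the public key), and can work out the exact plaintext size. As an added example (not from the original post or the age project), the parser below decodes the two armored blobs shown above and reports exactly that; it uses only the standard library and the function names are mine.

```python
import base64

# The two armored files from this post: the --passphrase output and the
# -R ~/.ssh/id_ed25519.pub output. Both encrypt the 6-byte file "plain\n".
SCRYPT_ARMOR = """-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNjcnlwdCBxcGxLRjNySGliS3ZyUmUz
Tm5MMnVRIDE4ClQzVUhlUmJlSGQrSmdUcU1xaEo0ZkFUcGpLWGZpUnBEbjNPbDMy
WDk4ZHcKLS0tIFRic2twRVFOVkJ3a2Y3UWZ3WEdxcG5iSi9qWk5TU1UydWllVG1G
NlBmMkkKh1ok+t0EGZrBXEQujdb6JQLcIGyZXcnvJrAetajKdVImFUCHXu0=
-----END AGE ENCRYPTED FILE-----"""

SSH_ED25519_ARMOR = """-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGVSY0tCZyBZRUJD
NUZ6OWpQWDlzK2JKbmszaVp1ak9TQ0NZWkxoM0JuRlhtTm1hNVdFCjZqV0RlRldI
cjY4TDJJR1hRckxNUkw2QmoreGVoRURzRGhRYllZUjBXck0KLS0tIEJBaFVXa3J0
RHFobkVzUnRLaDZaUDVHdnpTbklHYmozQThKKzVKT3haUkEKaRkef04BHGL2sDPy
B9hl8CCpgJ57fOZtLBG8tPruAz5uASNhJss=
-----END AGE ENCRYPTED FILE-----"""

VERSION_LINE = "age-encryption.org/v1"
NONCE_LEN = 16          # the payload starts with a 16-byte nonce
TAG_LEN = 16            # each STREAM chunk ends with a 16-byte Poly1305 tag
CHUNK_LEN = 64 * 1024   # plaintext bytes per chunk


def dearmor(armored: str) -> bytes:
    """Strip the PEM-style BEGIN/END lines and base64-decode the body."""
    lines = [ln.strip() for ln in armored.strip().splitlines()]
    if (lines[0] != "-----BEGIN AGE ENCRYPTED FILE-----"
            or lines[-1] != "-----END AGE ENCRYPTED FILE-----"):
        raise ValueError("not an armored age file")
    return base64.b64decode("".join(lines[1:-1]), validate=True)


def parse_age_file(armored: str) -> dict:
    """Split an armored age file into recipient stanzas, header MAC and payload.

    The header is ASCII: a version line, one or more "-> type args..." stanzas whose
    base64 bodies are wrapped at 64 columns (a line shorter than 64 ends the body),
    and a "--- <mac>" line. Everything after that newline is the binary payload.
    """
    raw = dearmor(armored)
    pos = 0

    def next_line() -> str:
        nonlocal pos
        end = raw.index(b"\n", pos)
        line = raw[pos:end].decode("ascii")
        pos = end + 1
        return line

    if next_line() != VERSION_LINE:
        raise ValueError("unsupported age version")
    stanzas = []
    while True:
        line = next_line()
        if line.startswith("-> "):
            kind, *args = line[3:].split(" ")
            body = []
            while True:
                part = next_line()
                body.append(part)
                if len(part) < 64:
                    break
            stanzas.append({"type": kind, "args": args, "body": "".join(body)})
        elif line.startswith("--- "):
            mac = line[4:]
            break
        else:
            raise ValueError(f"unexpected header line: {line!r}")
    return {"stanzas": stanzas, "mac": mac, "payload": raw[pos:]}


def plaintext_length(payload: bytes) -> int:
    """Recover the plaintext size from the payload size (age does not hide it)."""
    body = len(payload) - NONCE_LEN
    if body < TAG_LEN:
        raise ValueError("payload too short")
    full_chunks, rest = divmod(body, CHUNK_LEN + TAG_LEN)
    if rest == 0:                       # the final chunk was exactly 64 KiB
        return full_chunks * CHUNK_LEN
    if rest < TAG_LEN:
        raise ValueError("truncated final chunk")
    return full_chunks * CHUNK_LEN + rest - TAG_LEN


def describe(armored: str) -> str:
    """One-line summary of what the header gives away without any key."""
    info = parse_age_file(armored)
    kinds = ", ".join(
        s["type"] + (f" (tag {s['args'][0]})" if s["type"].startswith("ssh-") else "")
        for s in info["stanzas"])
    return f"recipients: {kinds}; plaintext is {plaintext_length(info['payload'])} bytes"


if __name__ == "__main__":
    print(describe(SCRYPT_ARMOR))
    print(describe(SSH_ED25519_ARMOR))
```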

Fetching the age author's key and encrypting... failed
$ wget https://github.com/FiloSottile.keys
$ age -a -R ./FiloSottile.keys data
age: warning: recipients file "./FiloSottile.keys": ignoring unsupported SSH key of type "ecdsa-sha2-nistp256" at line 1
age: error: failed to parse recipient file "./FiloSottile.keys": "./FiloSottile.keys": no recipients found
age: report unexpected or unhelpful errors at https://filippo.io/age/report
$ dd if=FiloSottile.keys bs=20 count=1 2>/dev/null; echo
ecdsa-sha2-nistp256

I downloaded the age author's key from GitHub and tried to encrypt with it, but the published key format seems to be ed25519-sk, which age does not support, so encryption failed.

I suspect there are quite a few people who publish SSH keys on GitHub and the like but no GPG key, so being able to encrypt and decrypt with SSH keys seems handy.
openssl can do this too and is installed in many environments, but its commands are cumbersome; age is easy to use, so it would be convenient if it catches on.

Environment
$ dpkg-query -W age openssh-client openssl
age     1.1.1-1+b3
openssh-client  1:9.2p1-2+deb12u2
openssl 3.0.11-1~deb12u2+rpt1
$ lsb_release -a
No LSB modules are available.
Distributor ID: Raspbian
Description:    Raspbian GNU/Linux 12 (bookworm)
Release:        12
Codename:       bookworm
$ arch
armv7l
$ cat /proc/device-tree/model ;echo
Raspberry Pi 3 Model B Rev 1.2
Running DeleGate as a Telnet-to-SSH gateway
https://matoken.org/blog/2023/12/21/delegate-telnet-ssh-gateway/ Thu, 21 Dec 2023 11:07:00 +0000

At the Kagoshima Linux study group 2023.11 there was a talk about running DeleGate on recent distributions, so here are my notes.

Follow the DeleGate section below.

$ wget ftp://ftp.delegate.org/pub/DeleGate/delegate9.9.13.tar.gz ftp://ftp.delegate.org/pub/DeleGate/delegate9.9.13.tar.sign
$ tar xf delegate9.9.13.tar.gz
$ wget https://i-red.info/docs/dg2204.patch
$ cd delegate9.9.13
$ patch -p0 < ../dg2204.patch
$ make CFLAGS="-Wno-narrowing -DHCASE=1"
Note
I confirmed this on Debian sid amd64 and on Raspberry Pi OS bullseye armhf.

What I wanted to try this time is the following Telnet → SSH gateway.

It starts, although an ERROR is printed
$ src/delegated -P8023 SERVER=telnet://-ssh
-- ERROR: can't link the SSL/Crypto library.
-- Hint: use -vl option to trace the required library,
--- find it (ex. libssl.so.X.Y.Z) under /usr/lib or /lib,
--- then set the library version as DYLIB='+,lib*.so.X.Y.Z'
<DeleGate/9.9.13> [17373] -P8023 READY
SSH via DeleGate works
$ nc localhost 8023
''--
--  @ @  localhost PROXY-telnet server DeleGate/9.9.13
-- ( - ) { Hit '?' or enter `help' for help. }
DeleGate/9.9.13 (October 31, 2014)
AIST-Product-ID: 2000-ETL-198715-01, H14PRO-049, H15PRO-165, H18PRO-443
Copyright (c) 1994-2000 Yutaka Sato and ETL,AIST,MITI
Copyright (c) 2001-2014 National Institute of Advanced Industrial Science and Technology (AIST)
WWW: http://www.delegate.org/delegate/
-- -- -- This (proxy) service is maintained by 'matoken@gmail.com'

>> Host name: matoken@localhost

The frog brings back memories.

mosh no longer starts, which is a problem
https://matoken.org/blog/2022/02/28/mosh-does-not-start/ Mon, 28 Feb 2022 14:33:57 +0000

mosh stopped working in my Debian sid amd64 environment.

$ mosh
IO.c: loadable library and perl binaries are mismatched (got handshake key 0xed00080, needed 0xeb00080)

mosh-client works, but it does not read ~/.ssh/config, which is a hassle.

$ mosh-client
mosh-client (mosh 1.3.2) [build mosh 1.3.2]
Copyright 2012 Keith Winstein <mosh-devel@mit.edu>
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Usage: mosh-client [-# 'ARGS'] IP PORT
       mosh-client -c

mosh is a perl script

$ file /bin/mosh
/bin/mosh: Perl script text executable
$ grep -v ^# /bin/mosh | head


use 5.8.8;

use warnings;
use strict;
use Getopt::Long;
use IO::Socket;
use Text::ParseWords;
use Socket qw(IPPROTO_TCP);

mosh-client is an ELF binary

$ file /bin/mosh-client
/bin/mosh-client: ELF 64-bit LSB pie executable, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=9145424edb62c61b0081efeaa68ea20a25a73e5f, for GNU/Linux 3.2.0, stripped

Since this is sid and there had been a Perl update, I assumed that was the cause, but it was not fixed even after some time.

cpan and cpanm do not work either. cpan is looking at ~/perl5.
The Perl version in Debian sid was bumped recently, but ~/perl5 had not been updated, so there was apparently a mismatch.
After moving ~/perl5 aside it works.
This is the kind of thing one could also get caught by at distribution upgrade time.

$ cpanm --list
IO.c: loadable library and perl binaries are mismatched (got handshake key 0xed00080, needed 0xeb00080)
$ which cpan
/home/matoken/perl5/bin/cpan
$ which cpan
/home/matoken/perl5/bin/cpan
$ mosh
Usage: /usr/bin/mosh [options] [--] [user@]host [command...]
        --client=PATH        mosh client on local machine
                                (default: "mosh-client")
        --server=COMMAND     mosh server on remote machine
                                (default: "mosh-server")

        --predict=adaptive      local echo for slower links [default]
-a      --predict=always        use local echo even on fast links
-n      --predict=never         never use local echo
        --predict=experimental  aggressively echo even when incorrect

-4      --family=inet        use IPv4 only
-6      --family=inet6       use IPv6 only
        --family=auto        autodetect network type for single-family hosts only
        --family=all         try all network types
        --family=prefer-inet use all network types, but try IPv4 first [default]
        --family=prefer-inet6 use all network types, but try IPv6 first
-p PORT[:PORT2]
        --port=PORT[:PORT2]  server-side UDP port or range
                                (No effect on server-side SSH port)
        --bind-server={ssh|any|IP}  ask the server to reply from an IP address
                                       (default: "ssh")

        --ssh=COMMAND        ssh command to run when setting up session
                                (example: "ssh -p 2222")
                                (default: "ssh")

        --no-ssh-pty         do not allocate a pseudo tty on ssh connection

        --no-init            do not send terminal initialization string

        --local              run mosh-server locally without using ssh

        --experimental-remote-ip=(local|remote|proxy)  select the method for
                             discovering the remote IP address to use for mosh
                             (default: "proxy")

        --help               this message
        --version            version and copyright information

Please report bugs to mosh-devel@mit.edu.
Mosh home page: https://mosh.org

Environment

$ dpkg-query -W mosh perl
mosh    1.3.2-2.1+b3
perl    5.34.0-3
$ lsb_release -dr
Description:    Debian GNU/Linux bookworm/sid
Release:        unstable
$ arch
x86_64
sshuttle gives an error
https://matoken.org/blog/2019/07/29/sshuttle-gets-an-error/ Mon, 29 Jul 2019 14:55:46 +0000

I tried to use sshuttle, which gives you an easy SSH VPN, for the first time in a while, and it fails. Trying several remote hosts did not help.

Error in the Debian sid environment

$ sshuttle -v -r user@remotehost 0/0
Starting sshuttle proxy.
firewall manager: Starting firewall with Python version 3.7.4
firewall manager: ready method name nat.
IPv6 enabled: False
UDP enabled: False
DNS enabled: False
User enabled: False
TCP redirector listening on ('127.0.0.1', 12300).
Starting client with Python version 3.7.4
c : connecting to server...
Host key fingerprint is SHA256:kUoWT4bCu7+HiegN9R5tYqO5nnvpQPobzSk46T8WEwU
+---[ECDSA 256]---+
|   .E...o        |
|    o o= .       |
|     +o +        |
|    oo . .       |
|    oo. S        |
|   *++ o         |
|  *.+=X+o        |
| ..=+X*=.        |
| .o+%B+o         |
+----[SHA256]-----+
Enter passphrase for key '/home/matoken/.ssh/id_ed25519':
Authenticated to nnn.nnn.nnn.nnn ([nnn.nnn.nnn.nnn]:nn).
-c:3: DeprecationWarning: the imp module is deprecated in favour of importlib; see the module's documentation for alternative uses
Starting server with Python version 3.7.3
 s: latency control setting = True
c : Connected.
 s: auto-nets:False
firewall manager: setting up.
>> iptables -t nat -N sshuttle-12300
>> iptables -t nat -F sshuttle-12300
>> iptables -t nat -I OUTPUT 1 -j sshuttle-12300
>> iptables -t nat -I PREROUTING 1 -j sshuttle-12300
>> iptables -t nat -A sshuttle-12300 -j RETURN --dest 127.0.0.1/32 -p tcp
>> iptables -t nat -A sshuttle-12300 -j REDIRECT --dest 0.0.0.0/0 -p tcp --to-ports 12300 -m ttl ! --ttl 42
firewall manager: undoing changes.
>> iptables -t nat -D OUTPUT -j sshuttle-12300
>> iptables -t nat -D PREROUTING -j sshuttle-12300
>> iptables -t nat -F sshuttle-12300
>> iptables -t nat -X sshuttle-12300
c : fatal: server died with error code 255

Searching for the error message on the last line, I found the following issue.

Following it, it works with -x remotehostip. -x is the exclude option; excluding the IP of the host you connect to seems to make it work.

  • NG $ sshuttle -r user@remotehost 0/0

  • OK $ sshuttle -r user@remotehost 0/0 -x remotehostip

Like the VPN target subnets, -x also accepts multiple subnets/IPs.

Debian sid environment
$ dpkg-query -W sshuttle
sshuttle        0.78.5-1
$ hostnamectl|grep -E 'Operating System|Architecture'
  Operating System: Debian GNU/Linux bullseye/sid
	  Architecture: x86-64

Error in the Raspbian Buster environment

Incidentally, trying sshuttle on Raspbian Buster gives a different error, shown here, but -x fixed that too.

Error message on Raspbian Buster
 :
client: Connected.
packet_write_wait: Connection to 192.168.1.102 port 22: Broken pipe
Traceback (most recent call last):
  File "/usr/bin/sshuttle", line 11, in <module>
	load_entry_point('sshuttle==0.78.5', 'console_scripts', 'sshuttle')()
  File "/usr/lib/python3/dist-packages/sshuttle/cmdline.py", line 82, in main
	opt.sudo_pythonpath)
  File "/usr/lib/python3/dist-packages/sshuttle/client.py", line 787, in main
	seed_hosts, auto_hosts, auto_nets, daemon, to_nameserver)
  File "/usr/lib/python3/dist-packages/sshuttle/client.py", line 547, in _main
	ssnet.runonce(handlers, mux)
  File "/usr/lib/python3/dist-packages/sshuttle/ssnet.py", line 598, in runonce
	h.callback(s)
  File "/usr/lib/python3/dist-packages/sshuttle/ssnet.py", line 488, in callback
	self.flush()
  File "/usr/lib/python3/dist-packages/sshuttle/ssnet.py", line 439, in flush
	wrote = _nb_clean(os.write, self.wsock.fileno(), self.outbuf[0])
  File "/usr/lib/python3/dist-packages/sshuttle/ssnet.py", line 79, in _nb_clean
	return func(*args)
BrokenPipeError: [Errno 32] Broken pipe
Raspbian Buster environment
$ dpkg-query -W sshuttle
sshuttle        0.78.5-1
$ lsb_release -d
Description:    Raspbian GNU/Linux 10 (buster)
$ uname -m
armv6l
$ cat /proc/device-tree/model ;echo
Raspberry Pi Model B Rev 2

Ubuntu 18.04 LTS environment (OK)

I also tried sshuttle on Ubuntu 18.04 LTS, and it worked without -x. Is this the effect of a change between sshuttle 0.78.4 and 0.78.5?

Environment with no error
$ dpkg-query -W sshuttle
sshuttle        0.78.3-1ubuntu1
$ lsb_release -d
Description:    Ubuntu 18.04.2 LTS
$ uname -m
x86_64

Using Endlessh to handle ssh connections very slowly and annoy attackers
https://matoken.org/blog/2019/03/26/use-endlessh-to-handle-ssh-connections-very-slowly-and-harass-attackers/ Mon, 25 Mar 2019 15:19:39 +0000

ssh gets attacked a lot. Public-key authentication makes break-ins much harder, but on servers directly connected to the internet the attacks are still very frequent.

Endlessh seems to be a program that runs in place of sshd and, before sending any version string, keeps slowly delivering near-random strings to hold attackers up.
I suppose the real sshd would run on another port. Dropping port 22 and using port knocking or sslh might be better, but this looks fun.

So I tried it a little locally.

Installation and build
$ git clone https://github.com/skeeto/endlessh
$ cd endlessh
$ git log |head -1
commit 548a7b1521b2912e7e133d0d9df50e0e514f1f2c
$ make
Start on port 22222
$ ./endlessh -v -p22222 &
[1] 22698
2019-03-24T04:56:10.338Z Port 22222
2019-03-24T04:56:10.338Z Delay 10000
2019-03-24T04:56:10.338Z MaxLineLength 32
2019-03-24T04:56:10.338Z MaxClients 4096
Connecting with ssh, it held the client for about 700 minutes
$ time ssh localhost -p 22222
2019-03-24T04:56:19.510Z ACCEPT host=::1 port=59402 fd=4 n=1/4096
ssh_exchange_identification: No banner received

real    700m30.650s
user    0m0.040s
sys     0m0.240s
2019-03-24T16:37:00.162Z CLOSE host=::1 port=59402 fd=4 time=42040.652 bytes=73944
Stop
$ kill %1
[1]+  Done                    ./endlessh -v -p22222

I tried several times; with the default options the client was held for around 700 minutes. Against attackers who merely run off-the-shelf scripts, this should be a hindrance until their tools are adapted.

Environment
$ git log |head -1
commit 548a7b1521b2912e7e133d0d9df50e0e514f1f2c
$ dpkg-query -W openssh-client
openssh-client  1:7.9p1-9
$ lsb_release -dr
Description:    Debian GNU/Linux buster/sid
Release:        unstable
$ uname -m
x86_64

molly-guard prevents mistaken system shutdowns in an ssh environment
https://matoken.org/blog/2018/09/27/prevents-erroneous-system-outages-in-ssh-environment-molly-guard/ Wed, 26 Sep 2018 21:34:31 +0000

Recently I was comparing shutdown man pages and noticed, besides systemd and sysvinit, something unfamiliar called molly-guard.

$ apt-file search /sbin/shutdown
molly-guard: /sbin/shutdown
systemd-sysv: /sbin/shutdown
sysvinit-core: /sbin/shutdown

According to the package information, it replaces shutdown and related commands and, when run over an SSH connection, asks for the hostname as confirmation.
This prevents mishaps such as rebooting a remote server when you meant to reboot your local PC.

$ apt show molly-guard
Package: molly-guard
Version: 0.6.4
Priority: extra
Section: admin
Maintainer: Francois Marier <francois@debian.org>
Installed-Size: 57.3 kB
Depends: procps
Enhances: init, kexec-tools, mosh, openssh-server, pm-utils, systemd, sysvinit, upstart
Tag: implemented-in::shell, interface::commandline, network::server,
 protocol::ssh, role::program, scope::utility
Download-Size: 13.8 kB
APT-Manual-Installed: yes
APT-Sources: http://ftp.jp.debian.org/debian stretch/main amd64 Packages
Description: protects machines from accidental shutdowns/reboots
 The package installs a shell script that overrides the existing
 shutdown/reboot/halt/poweroff/coldreboot/pm-hibernate/pm-suspend* commands
 and first runs a set of scripts, which all have to exit successfully,
 before molly-guard invokes the real command.
 .
 One of the scripts checks for existing SSH sessions. If any of the four
 commands are called interactively over an SSH session, the shell script
 prompts you to enter the name of the host you wish to shut down. This should
 adequately prevent you from accidental shutdowns and reboots.
 .
 molly-guard diverts the real binaries to /lib/molly-guard/.  You can bypass
 molly-guard by running those binaries directly.

Let's try it right away.

$ sudo apt install molly-guard
    :
package diverts others to: /lib/molly-guard/coldreboot
/sbin/halt
package diverts others to: /lib/molly-guard/halt
/sbin/pm-hibernate
/sbin/pm-suspend
/sbin/pm-suspend-hybrid
/sbin/poweroff
package diverts others to: /lib/molly-guard/poweroff
/sbin/reboot
package diverts others to: /lib/molly-guard/reboot
/sbin/shutdown
package diverts others to: /lib/molly-guard/shutdown

These are the commands that get replaced.

$ ls -l /sbin | grep molly
lrwxrwxrwx 1 root root        28 Aug 16  2016 coldreboot -> /lib/molly-guard/molly-guard
lrwxrwxrwx 1 root root        28 Aug 16  2016 halt -> /lib/molly-guard/molly-guard
lrwxrwxrwx 1 root root        28 Aug 16  2016 pm-hibernate -> /lib/molly-guard/molly-guard
lrwxrwxrwx 1 root root        28 Aug 16  2016 pm-suspend -> /lib/molly-guard/molly-guard
lrwxrwxrwx 1 root root        28 Aug 16  2016 pm-suspend-hybrid -> /lib/molly-guard/molly-guard
lrwxrwxrwx 1 root root        28 Aug 16  2016 poweroff -> /lib/molly-guard/molly-guard
lrwxrwxrwx 1 root root        28 Aug 16  2016 reboot -> /lib/molly-guard/molly-guard
lrwxrwxrwx 1 root root        28 Aug 16  2016 shutdown -> /lib/molly-guard/molly-guard

The original commands are moved aside under /lib/molly-guard.

sysvinit
$ ls -lA /lib/molly-guard
total 48
-rwxr-xr-x 1 root root 18952 Feb 13  2017 halt
-rwxr-xr-x 1 root root  2767 Aug 16  2016 molly-guard
lrwxrwxrwx 1 root root     4 Feb 13  2017 poweroff -> halt
lrwxrwxrwx 1 root root     4 Feb 13  2017 reboot -> halt
-rwxr-xr-x 1 root root 23368 Feb 13  2017 shutdown
systemd
$ ls -lA /lib/molly-guard
total 4
lrwxrwxrwx 1 root root   14 Jun 14 05:20 halt -> /bin/systemctl
-rwxr-xr-x 1 root root 2767 Aug 16  2016 molly-guard
lrwxrwxrwx 1 root root   14 Jun 14 05:20 poweroff -> /bin/systemctl
lrwxrwxrwx 1 root root   14 Jun 14 05:20 reboot -> /bin/systemctl
lrwxrwxrwx 1 root root   14 Jun 14 05:20 shutdown -> /bin/systemctl

Attempting shutdown (sysvinit) over ssh prompts for the hostname like this. Entering a wrong hostname here cancelled the shutdown.

$ sudo shutdown -f -P -h +10 "kernel update (`uname -r`)"
W: molly-guard: SSH session detected!
Please type in hostname of the machine to shutdown: desktop
Good thing I asked; I won't shutdown debian ...
W: aborting shutdown due to 30-query-hostname exiting with code 1.

Giving the correct hostname invokes shutdown.

$ sudo shutdown -f -P -h +10 "kernel update (`uname -r`)"
W: molly-guard: SSH session detected!
Please type in hostname of the machine to shutdown: debian

Broadcast message from root@debian (pts/0) (Thu Sep 27 06:15:28 2018):

kernel update (4.9.0-3-amd64)
The system is going DOWN for system halt in 10 minutes!
^C
Shutdown cancelled.

When not over ssh, molly-guard calls shutdown immediately.

$ sudo shutdown -f -P -h +10 'poweroff'
^C
Shutdown cancelled.

Environment

$ dpkg-query -W systemd-sysv molly-guard
molly-guard     0.6.4
systemd-sysv    232-25+deb9u4
$ dpkg-query -W sysvinit-core
sysvinit-core   2.88dsf-59.9
$ cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
$ cat /etc/debian_version
9.5
$ uname -m
x86_64
Windows 10's built-in ssh keys are apparently stored in the registry
https://matoken.org/blog/2018/05/31/windows10-ssh-keys/ Wed, 30 May 2018 21:30:49 +0000

From [janog:14329].

It started from a report that keys created with Windows 10's built-in ssh-keygen are managed under %HOMEPATH%/.ssh by default, yet a key deleted from there remains usable even after a reboot.

They are apparently stored under HKCU\Software\OpenSSH\Agent\Keys.

The following script can apparently extract the keys from the registry.

I don't have such an environment right now, but it looks like something I could trip over, so I'll try it sometime.
