Categories
Linux Security Windows

Securing SSH with Yubikey using WSL

If you are on Windows, start by installing Gpg4win (which includes Kleopatra). As I use Windows Terminal I won't be installing PuTTY. After the installation, open the configuration files of gpg-agent and scdaemon and append the following:

# C:\Users\<username>\AppData\Roaming\gnupg\gpg-agent.conf
enable-putty-support
enable-ssh-support

# C:\Users\<username>\AppData\Roaming\gnupg\scdaemon.conf
# pin scdaemon to the Yubikey reader
reader-port Yubico Yubi
# the next two lines are for troubleshooting only; remove them once the card works
debug-level guru
log-file scdaemon.log

You can also do this from PowerShell with the following commands:

# gpg-agent: Pageant emulation (only needed for PuTTY clients) and the SSH agent socket
Add-Content $env:APPDATA\gnupg\gpg-agent.conf "enable-putty-support"
Add-Content $env:APPDATA\gnupg\gpg-agent.conf "enable-ssh-support"

# scdaemon: verbose logging (troubleshooting only) and a fixed reader selection
Add-Content $env:APPDATA\gnupg\scdaemon.conf "debug-level guru"
Add-Content $env:APPDATA\gnupg\scdaemon.conf "log-file scdaemon.log"
Add-Content $env:APPDATA\gnupg\scdaemon.conf "reader-port Yubico Yubi"

Restart the agent with the following commands:

gpgconf --kill gpg-agent
gpg-connect-agent /bye

Open PowerShell and check that the Yubikey is visible to gpg. You should get output similar to this:

PS C:\Users\wiege> gpg --card-status
Reader ...........: Yubico YubiKey OTP FIDO CCID 0
Application ID ...: < .... >
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: Yubico
Serial number ....: < .... >
Name of cardholder: < .... >
Language prefs ...: < .... >
Salutation .......: < .... >
URL of public key : [not set]
Login data .......: < .... >
Signature PIN ....: not forced
Key attributes ...: < .... >
Max. PIN lengths .: < .... >
PIN retry counter : 3 3 3
Signature counter : 0
KDF setting ......: off

When you open Kleopatra and go to Smartcards, you should also see your Yubikey. If the Yubikey is new, no keys are listed and you need to create them. This can be done several ways, through Kleopatra or on the CLI (I prefer the CLI as it provides more options).

Open CMD or PowerShell and use gpg to generate the primary key. We want a certify-only primary (selection 11, then toggle Sign off so that only Certify remains): this key only ever signs sub-keys and stays in your offline backup, while the sub-keys go to the Yubikey.

$ gpg --expert --full-generate-key

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
   (9) ECC and ECC
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (13) Existing key
Your selection? 11

Possible actions for this ECC key: Sign Certify Authenticate
Current allowed actions: Sign Certify

   (S) Toggle the sign capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? S

Possible actions for this ECC key: Sign Certify Authenticate
Current allowed actions: Certify

   (S) Toggle the sign capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? Q
Please select which elliptic curve you want:
   (1) Curve 25519
   (2) Curve 448
   (3) NIST P-256
   (4) NIST P-384
   (5) NIST P-521
   (6) Brainpool P-256
   (7) Brainpool P-384
   (8) Brainpool P-512
   (9) secp256k1
Your selection? 1

Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

It will ask you for your name and email address; fill those in and confirm with (O). Verify that your key has been generated:

$ gpg --list-keys
------------------------------------------------
pub   ed25519 2022-11-15 [C]
      E6444634F7318577BA18F43201A0XXXXXXXXXX

If you use Linux, you can put the key ID in an environment variable for later:

export KEYID=E6444634F7318577BA18F43201A0XXXXXXXXXX

Now edit the primary key and add sub-keys for signing, encryption and authentication:

$  gpg --expert --edit-key  E6444634F7318577BA18F43201A0XXXXXXXXXX
gpg (GnuPG) 2.3.8; Copyright (C) 2021 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  ed25519/01A0XXXXXXXXX
     created: 2022-11-15  expires: never       usage: C
     trust: ultimate      validity: ultimate

Add a new key for signing (the same steps are repeated below for encryption and authentication):

gpg> addkey
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (12) ECC (encrypt only)
  (13) Existing key
  (14) Existing key from card
Your selection? 10

Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at xxxxxxxxxxxxxxxxxxx
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.


Repeat addkey twice more: (12) ECC (encrypt only) for the encryption sub-key, and (11) ECC (set your own capabilities), with Sign toggled off and Authenticate toggled on, for the authentication sub-key. Then type save.

If you wish to add more e-mail addresses, use adduid to add them. The end result should look like this:

$ gpg -K

sec   ed25519 2022-11-15 [C]
      E6444634F7318577BA18F4XXXXXXXXXXXXXXXXXX
uid           [ultimate] Wieger Bontekoe <[email protected]>
uid           [ultimate] Wieger Bontekoe <[email protected]>
ssb   ed25519 2022-11-15 [S] [expires: 2027-11-14]
ssb   cv25519 2022-11-15 [E] [expires: 2027-11-14]
ssb   ed25519 2022-11-15 [A] [expires: 2027-11-14]

Now export everything. After keytocard and save, the secret material on disk is replaced by stubs that point at the card, so there is nothing left to export at that point.

$ gpg --armor --export-secret-keys E6444634F7318577BA18F4XXXXXXXXXXXXXXXXXX > ./master.key
# --export-secret-keys with the primary key ID already includes all sub-keys.
# To back up the sub-keys separately as well (without the primary):
$ gpg --armor --export-secret-subkeys E6444634F7318577BA18F4XXXXXXXXXXXXXXXXXX > ./subkeys.key

You can also do this from Kleopatra on Windows, which is a lot simpler. Go to 'Certificates', right click the certificate and go to 'Details'. Under details go to 'More details'. Here you will see four entries (the primary key and the three sub-keys) that you can export using right click.

Back up these files somewhere safe and offline; you should never lose them, because the primary key in master.key is what you need to revoke or replace sub-keys later. Before moving anything, change the card's default PINs with gpg --change-pin (a new Yubikey ships with user PIN 123456 and Admin PIN 12345678); keytocard will ask for the key passphrase and the Admin PIN. Now transfer the sub-keys to the Yubikey. Note that key N toggles the selection of sub-key N, which is why each one is typed twice:

$ gpg --edit-key E6444634F7318577BA18F4XXXXXXXXXXXXXXXXXX
gpg> key 1
gpg> keytocard
Please select where to store the key:
   (1) Signature key
   (3) Authentication key
Your selection? 1
gpg> key 1
gpg> key 2
gpg> keytocard
Please select where to store the key:
   (2) Encryption key
Your selection? 2
gpg> key 2
gpg> key 3
gpg> keytocard
Please select where to store the key:
   (3) Authentication key
Your selection? 3

gpg> save

Now verify that the sub-keys were really moved: gpg -K should show ssb> instead of ssb for each of them, and --card-status lists their fingerprints:

$ gpg --card-status
Reader ...........: Yubico YubiKey OTP FIDO CCID 0
Application ID ...: < .... >
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: Yubico
Serial number ....: < .... >
Name of cardholder: < .... >
Language prefs ...: < .... >
Salutation .......: < .... >
URL of public key : [not set]
Login data .......: < .... >
Signature PIN ....: not forced
Key attributes ...: < .... >
Max. PIN lengths .: < .... >
PIN retry counter : 3 3 3
Signature counter : 0
KDF setting ......: off
UIF setting ......: Sign=off Decrypt=off Auth=off
Signature key ....: 4B3C 6B30 B22F 9C3E F196  D72D DE7D 3E9F XXXX XXXX
      created ....: 2022-11-15 07:14:18
Encryption key....: 30CE FB8F 54E6 0E63 93D3  9D6B A29B E406 XXXX XXXX
      created ....: 2022-11-15 07:14:48
Authentication key: 2477 02D2 511B 5407 F9A3  6005 DF86 A2D3 XXXX XXXX
      created ....: 2022-11-15 07:15:07
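The procedure above, as an added example that is not part of the original post: a scripted version of the same key layout (certify-only primary, separate sign/encrypt/auth sub-keys) using gpg's unattended --quick-* commands, the exports to make before keytocard, and two checks that parse gpg --list-secret-keys --with-colons to confirm, first, that the layout is right and, second, that every sub-key really lives on the card after keytocard (in an ssb record, field 12 holds the capabilities and field 15 holds the token serial; "#" there marks a stub and an empty field means the secret key is still on disk). The user ID, key IDs and token serial in the sample data are constructed, and the two helpers that call gpg assume gpg 2.2 or newer on PATH.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. The two helpers that call gpg
# assume gpg 2.2+ on PATH; the colon-format sample data below is constructed
# (placeholder key IDs, placeholder token serial).

# 1. Build the layout unattended in a throw-away keyring: a certify-only
#    ed25519 primary that never expires plus sign/encrypt/auth sub-keys.
#    Prints the primary fingerprint. The empty passphrase is for the demo
#    keyring only; a real primary key must be protected.
generate_offline_keys() {
  uid="$1"                                    # e.g. 'Jane Doe <jane@example.invalid>'
  GNUPGHOME="${2:-$(mktemp -d)}"; export GNUPGHOME
  chmod 700 "$GNUPGHOME"
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "$uid" ed25519 cert never
  fpr=$(gpg --list-secret-keys --with-colons "$uid" | awk -F: '$1 == "fpr" { print $10; exit }')
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' --quick-add-key "$fpr" ed25519 sign 1y
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' --quick-add-key "$fpr" cv25519 encr 1y
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' --quick-add-key "$fpr" ed25519 auth 1y
  echo "$fpr"
}

# 2. Export BEFORE keytocard: after `keytocard` + `save` the on-disk secret
#    keys are stubs and there is nothing left to export.
export_backups() {
  fpr="$1"; out="${2:-.}"
  gpg --armor --export-secret-keys    "$fpr" > "$out/master.key"   # primary + all sub-keys
  gpg --armor --export-secret-subkeys "$fpr" > "$out/subkeys.key"  # sub-keys only
  gpg --armor --export                "$fpr" > "$out/public.asc"
  gpg --export-ssh-key                "$fpr" > "$out/id_gpg.pub"   # the [A] sub-key, authorized_keys format
}

# 3. Layout check on `gpg --list-secret-keys --with-colons` output (stdin):
#    exactly one primary whose own capabilities (lowercase part of field 12)
#    are Certify only, and exactly one sub-key each with s, e and a.
check_key_layout() {
  awk -F: '
    $1 == "sec" { primaries++; if ($12 !~ /^c[A-Z]*$/) bad_primary++ }
    $1 == "ssb" { subs[$12]++ }
    END { exit (primaries == 1 && !bad_primary && subs["s"] == 1 && subs["e"] == 1 && subs["a"] == 1) ? 0 : 1 }'
}

# 4. Card check on the same output: field 15 of an ssb record is the token
#    serial when the key is on a card, "#" for a stub and empty when the
#    secret key is still on disk. Succeeds only if every sub-key is on a token.
check_subkeys_on_card() {
  awk -F: '
    $1 == "ssb" { subs++; if ($15 == "" || $15 == "#") not_on_card++ }
    END { exit (subs > 0 && !not_on_card) ? 0 : 1 }'
}

# Constructed sample output in the shape of `gpg -K --with-colons`:
# before keytocard (secret sub-keys on disk) ...
SAMPLE_LOCAL="$(printf '%s\n' \
  'sec:u:255:22:01A0000000000000:1668495258::::::cESCA:::::ed25519:::0' \
  'fpr:::::::::E6444634F7318577BA18F43201A0000000000000:' \
  'uid:u::::1668495258::0000000000000000000000000000000000000000::Jane Doe <jane@example.invalid>:' \
  'ssb:u:255:22:DE7D3E9F00000000:1668495258:1700031258:::::s:::::ed25519' \
  'ssb:u:255:18:A29BE40600000000:1668495288:1700031288:::::e:::::cv25519' \
  'ssb:u:255:22:DF86A2D300000000:1668495307:1700031307:::::a:::::ed25519')"
# ... after keytocard (field 15 of each ssb carries the placeholder token serial) ...
SAMPLE_ON_CARD="$(printf '%s\n' \
  'sec:u:255:22:01A0000000000000:1668495258::::::cESCA:::::ed25519:::0' \
  'fpr:::::::::E6444634F7318577BA18F43201A0000000000000:' \
  'ssb:u:255:22:DE7D3E9F00000000:1668495258:1700031258:::::s:::D2760001240100000006000000000000::ed25519' \
  'ssb:u:255:18:A29BE40600000000:1668495288:1700031288:::::e:::D2760001240100000006000000000000::cv25519' \
  'ssb:u:255:22:DF86A2D300000000:1668495307:1700031307:::::a:::D2760001240100000006000000000000::ed25519')"
# ... and a wrong layout: a primary that can also sign (capabilities "sc").
SAMPLE_BAD_PRIMARY="$(printf '%s\n' \
  'sec:u:255:22:01A0000000000000:1668495258::::::scESCA:::::ed25519:::0' \
  'ssb:u:255:22:DE7D3E9F00000000:1668495258:1700031258:::::s:::::ed25519' \
  'ssb:u:255:18:A29BE40600000000:1668495288:1700031288:::::e:::::cv25519' \
  'ssb:u:255:22:DF86A2D300000000:1668495307:1700031307:::::a:::::ed25519')"

# Self-check against the constructed samples. Real use:
#   gpg --list-secret-keys --with-colons "$KEYID" | check_subkeys_on_card
printf '%s\n' "$SAMPLE_LOCAL"   | check_key_layout      && echo "layout ok: certify-only primary + S/E/A sub-keys"
printf '%s\n' "$SAMPLE_LOCAL"   | check_subkeys_on_card || echo "sub-keys still on disk (expected before keytocard)"
printf '%s\n' "$SAMPLE_ON_CARD" | check_subkeys_on_card && echo "all sub-keys on the token"
```

Run check_key_layout right after the addkey steps and check_subkeys_on_card right after save; the second check is the scripted form of looking for ssb> in gpg -K, and it fails loudly if one sub-key was left behind because a keytocard was skipped.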

PGP part, all set! The authentication sub-key on the card can now be used for SSH through gpg-agent (that is what enable-ssh-support above is for; gpg --export-ssh-key <KEYID> prints it in authorized_keys format). What follows is a second, independent route: OpenSSH's own FIDO2 support, which talks to the Yubikey's FIDO applet rather than to the OpenPGP applet and does not involve gpg at all. Let's check that the installed OpenSSH is recent enough to support the -sk key types:

$ ssh-keygen --help
unknown option -- -
usage: ssh-keygen [-q] [-a rounds] [-b bits] [-C comment] [-f output_keyfile]
                  [-m format] [-N new_passphrase] [-O option]
                  [-t dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa]
                  [-w provider] [-Z cipher]

If you do not see the '-sk' types you need to upgrade OpenSSH (8.2 or newer). Generate a new key using ed25519-sk; it will ask you to touch the Yubikey (Yubikey 5 firmware before 5.2.3 only supports ecdsa-sk):

$ ssh-keygen -t ed25519-sk -f ~/.ssh/mynewkey
Generating public/private ed25519-sk key pair
You may need to touch your authenticator to authorize key generation.

Touch the sensor and the resulting key pair is bound to this Yubikey.

When it says "Enter passphrase (empty for no passphrase)", you can press enter to leave it empty: the file ~/.ssh/mynewkey is only a key handle that is useless without this Yubikey, the private key never leaves the token. Now copy the public key (~/.ssh/mynewkey.pub, not the private file) to your server; on Linux ssh-copy-id -i ~/.ssh/mynewkey.pub user@host does it, while the Windows OpenSSH client has no ssh-copy-id, so append the contents of the .pub file to ~/.ssh/authorized_keys on the server by hand.

Now when you ssh to that host it should ask for verification (a touch on the Yubikey):
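The two halves of the -sk setup, as an added example that is not part of the original post: a key that requires the Yubikey's FIDO2 PIN as well as a touch, an install step that works where ssh-copy-id is missing, and an audit that flags authorized_keys entries which are not hardware-backed (a FIDO key has type sk-ssh-ed25519@openssh.com or sk-ecdsa-sha2-nistp256@openssh.com; the audit skips the optional leading options field and comment lines). Host names, paths and the sample authorized_keys lines, including their key blobs, are constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Host names, paths and the
# sample authorized_keys content are constructed.

# Generate a FIDO2-backed key. -O verify-required makes every use ask for
# the Yubikey's FIDO2 PIN in addition to the touch; the file written to -f
# is only a handle and is useless without this Yubikey.
make_sk_key() {
  ssh-keygen -t ed25519-sk -O verify-required -f "${1:-$HOME/.ssh/id_ed25519_sk}" -C "yubikey-$(hostname)"
}

# Install the PUBLIC key on a server where ssh-copy-id is not available
# (e.g. from the Windows OpenSSH client). Usage: install_pubkey key.pub user@host
install_pubkey() {
  ssh "$2" 'umask 077; mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys' < "$1"
}

# Audit an authorized_keys file (stdin): report every entry whose key type is
# not an sk- type on stderr and print the count on stdout. Handles the optional
# options field in front of the type (e.g. "verify-required,no-pty sk-ssh-ed25519@openssh.com ...").
count_non_sk_keys() {
  awk '
    /^[ \t]*(#|$)/ { next }                  # comments and blank lines
    {
      type = ""
      for (i = 1; i <= NF; i++)
        if ($i ~ /^(sk-)?(ssh-(ed25519|rsa|dss)|ecdsa-sha2-nistp(256|384|521))(@openssh\.com)?$/) { type = $i; break }
      if (type !~ /^sk-/) {
        bad++
        printf "line %d: %s is not hardware-backed\n", NR, (type == "" ? "unparsed entry" : type) | "cat 1>&2"
      }
    }
    END { print bad + 0 }'
}

# Constructed sample authorized_keys: two FIDO keys (one with options) and
# one plain software key that the audit should flag.
SAMPLE_AUTHORIZED_KEYS="$(printf '%s\n' \
  '# constructed sample; the blobs are not real keys' \
  'sk-ssh-ed25519@openssh.com AAAAFAKEBLOB1 yubikey-laptop' \
  'verify-required,no-port-forwarding sk-ecdsa-sha2-nistp256@openssh.com AAAAFAKEBLOB2 yubikey-desktop' \
  'ssh-ed25519 AAAAFAKEBLOB3 old-software-key')"

# Self-check against the sample. Real use: count_non_sk_keys < ~/.ssh/authorized_keys
printf '%s\n' "$SAMPLE_AUTHORIZED_KEYS" | count_non_sk_keys
```

The audit is the check to run on every server once the FIDO keys are installed, so that the old software key that was used to bootstrap the account does not quietly stay behind. The same policy can be enforced on the server side with PubkeyAuthOptions verify-required in sshd_config, which rejects -sk keys that were generated without -O verify-required.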

Categories
Ansible Security

Ansible Tower – Custom Credentials Type

Within playbooks you occasionally connect to external applications or services, in my case Zabbix and ServiceNow. Because I also need login details and do not want to leave this plain text in playbooks, I use a 'Custom Credentials Type'. The advantage of this is that I can use the login details within a playbook (as a macro) and they are stored encrypted in Ansible Tower.

I first create a new credential type by defining the fields it will have and how these will be passed to my playbook. Credential types consist of two parts, "inputs" and "injectors".

  • Inputs:
    define the value types that are used for this credential – such as a username, a password, a token, or any other identifier that’s part of the credential.
  • Injectors:
    describe how these credentials are exposed for Ansible (or us) to use – this can be Ansible extra variables, environment variables, or templated file content.

Both these configurations are specified as YAML or as JSON. In my case, the new credential type is called "ServiceNow" and I'm providing the instance, username and password as part of this credential type:

fields:
  - id: instance
    type: string
    label: ServiceNow Instance
  - id: username
    type: string
    label: ServiceNow Username
  - id: password
    type: string
    label: ServiceNow password
    secret: true
required:
  - instance
  - username
  - password

Then in the Injector configuration:

extra_vars:
  snow_instance: '{{ instance }}'
  snow_password: '{{ password }}'
  snow_username: '{{ username }}'

Now go to Credentials and add a new one, selecting "ServiceNow" as Credential Type:

That's it! When you attach this credential to a job template, the values are available in your playbook as snow_instance, snow_username and snow_password. Mark the tasks that use the password with no_log: true, otherwise it can still end up in the job output even though it is stored encrypted in Tower.

Categories
Linux Networking Security

Ubuntu 18.04 – OpenVPN Server in less than 5 minutes

OpenVPN provides flexible VPN solutions to secure your data communications, whether it's for Internet privacy, remote access for employees, securing IoT, or for networking cloud data centers. The server software can be deployed on-premises on standard servers or virtual appliances, or in the cloud.

Prepare your system

Make sure all the latest packages and updates have been installed:

$ sudo apt update
$ sudo apt upgrade
$ sudo apt dist-upgrade

Download and run installation script

The git.io short URL below no longer resolves (GitHub has retired the service); the script behind it is Nyr's openvpn-install on GitHub. Wherever you fetch it from, read the script before you run it as root.

$ wget https://git.io/vpn -O openvpn-install.sh
$ sudo chmod +x openvpn-install.sh
$ sudo ./openvpn-install.sh

The script will ask you some questions for its basic configuration.
- When your IP address is asked, choose your WAN (public) address
- When the protocol is asked, I recommend the default, UDP
- The port can be anything you want, I normally keep the default
- When asked for a DNS server, pick a resolver you trust (for example 1.1.1.1); clients will send their DNS queries through the tunnel to it

After this the installation will go ahead and inform you when it's done. You can verify that OpenVPN is running:

$ sudo systemctl status openvpn-server@server # <--- get server status

You can start or stop OpenVPN with the following commands:

$ sudo systemctl stop openvpn-server@server # <--- stop server
$ sudo systemctl start openvpn-server@server # <--- start server

Client configuration

At the end of the installation you should see a message like this:

Your client configuration is available at: /root/bontekoe.ovpn

As I am using Linux (Ubuntu) on my laptop, I can simply copy that ovpn file to my computer using scp. It contains the client's private key and certificate, so treat it like a password:

$ sudo scp root@<server-ip>:/root/bontekoe.ovpn /etc/openvpn/client.conf

This should be enough to connect! Check if everything is working by running:

$ sudo openvpn --client --config /etc/openvpn/client.conf

Now, by opening another terminal you should be able to ping 10.8.0.1 (the VPN host).

If you are running windows, there is a client here.

Categories
Linux Networking Security

SSH Tunnel to watch Netflix

I often use a 'hopping server' when connecting to clients, which means I need to log in twice each time. To make my life easier I sometimes use an SSH tunnel so I can connect to clients directly.

An SSH tunnel can also be useful when your office blocks Netflix 😉

Local Port Forwarding

This lets you reach remote servers directly from your local computer. Let's assume you want to use RDP (3389) to a client's host (10.0.1.1) and your hopping server is 'hopping.server':

ssh -L 6000:10.0.1.1:3389 user@hopping.server

Now you can open Remote Desktop and connect to 'localhost:6000', directing you through the tunnel!

Remote Port Forwarding

This makes a local service/port accessible from a remote host. Sometimes I use this to keep a 'backdoor' and log in remotely (from home or wherever).

Let's say you want to make a webapplication (TCP 443) availible at port 6000 on the remote SSH server

ssh -R 6000:localhost:443 user@bontekoe.technology

Now you should be able to connect to port 6000 on the remote host (bontekoe.technology). By default sshd binds remote forwards to the loopback interface of that host only; to reach the port from other machines the server needs GatewayPorts yes in sshd_config (or clientspecified together with -R 0.0.0.0:6000:localhost:443).

Dynamic Forwarding (Proxy)

This is ideal if you want to use the internet more privately, or for offices where Netflix is blocked 😉

Use a remote server (e.g. a home server) to tunnel all web traffic: connect to it over SSH with the -D flag, which opens a local SOCKS proxy.

ssh -D 6000 user@<home-server>

Now open your browser settings, navigate to the connection properties and enter a proxy server manually using SOCKS v5, with 127.0.0.1 as host and 6000 as port. Also enable the option to proxy DNS over SOCKS, otherwise name lookups still leave your machine directly. The tunnel stays open as long as the SSH session is connected.

Categories
Security

Encrypt email with PGP

One of the most popular methods to encrypt messages is PGP, a cryptography system that is widespread on the Internet. Using PGP we can encrypt a message end-to-end. There are many tools that can help; I use Gpg4win (free, works with Outlook).

Download Gpg4win here.

Once the download is finished, fire up the installer. It's pretty much next-next finish. Optionally you can select "browser integration" during the installation process.

After the installation open it for the first time and click "New Key Pair"; it will request your name and e-mail address. Hit "Create" to start the generation process. It will also ask for a password to protect the private key. Once done, it will tell you "Key pair successfully created" and you are good to go.

To access your public key, right click anywhere on the bar where it lists your name and email address. Select the option in the drop-down menu that says Export. Save the file somewhere, you can share this with other people you want to safely communicate with.

Now it’s time to find your private key. You will need it to decrypt messages that you receive. Right click on the bar where your certificate is displayed, then select Export Secret Keys. Save this file in a safe location!

In order to communicate safely with somebody you have to import their public key into Kleopatra. To search for someone's public key, click on "Lookup on Server" and search for their e-mail address. Found the person you were looking for? Right click and hit "Import". It will ask for confirmation; if correct, hit Yes. Keep in mind that anyone can upload a key with any name and address to a keyserver, so compare the key's fingerprint with the owner over another channel (phone, in person) before you trust it.

Here comes the magic. Open Outlook and create a new email. In the top bar you will find a new section ("GpgOL"). Add the person you just imported in the "To" field, write your message and hit "Encrypt". If required, select the certificate that matches the recipient and hit "OK". The message is now completely encrypted.

Receiving an encrypted email is just as simple: go to the top bar (GpgOL) and hit Decrypt. Decryption uses your own private key; to verify the sender's signature you must have their public key imported.