Categories
Linux Security Windows

Securing SSH with Yubikey using WSL

If you use Windows, start by downloading Gpg4win, which includes Kleopatra. As I use Windows Terminal I won't be downloading PuTTY. After the installation, open the configuration files of gpg-agent and scdaemon and append the following:

# C:\Users\<username>\AppData\Roaming\gnupg\gpg-agent.conf
enable-putty-support
enable-ssh-support

You can also do this with PowerShell, using the following commands (note that Add-Content appends a line every time you run it, so run these once):

Add-Content $env:APPDATA\gnupg\gpg-agent.conf "enable-putty-support"
Add-Content $env:APPDATA\gnupg\gpg-agent.conf "enable-ssh-support"

# The first two scdaemon lines are debugging aids for when the reader is not found;
# remove them again once the card is detected, the log is verbose.
Add-Content $env:APPDATA\gnupg\scdaemon.conf "debug-level guru"
Add-Content $env:APPDATA\gnupg\scdaemon.conf "log-file scdaemon.log"
Add-Content $env:APPDATA\gnupg\scdaemon.conf "reader-port Yubico Yubi"

Restart the agent with the following commands (gpg-agent reads its configuration only at start-up; the second command relaunches it):

gpgconf --kill gpg-agent
gpg-connect-agent /bye
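The same configuration as a script, added here as an example and not part of the original post: it only appends lines that are not already present, restarts the agent and then checks that scdaemon can actually see the YubiKey. It assumes Gpg4win's gpg.exe, gpgconf.exe and gpg-connect-agent.exe are on PATH.

```powershell
# Added example (not from the original post): idempotent gpg-agent/scdaemon
# configuration for the YubiKey, agent restart, and a detection check.
# Assumes gpg, gpgconf and gpg-connect-agent from Gpg4win are on PATH.
$gnupgHome = Join-Path $env:APPDATA 'gnupg'
New-Item -ItemType Directory -Path $gnupgHome -Force | Out-Null

function Add-GpgConfLine {
    param([string]$File, [string]$Line)
    # Add-Content alone appends a duplicate on every run; only add missing lines.
    $pattern = '^\s*' + [regex]::Escape($Line) + '\s*$'
    if (-not (Test-Path $File) -or -not (Select-String -Path $File -Pattern $pattern -Quiet)) {
        Add-Content -Path $File -Value $Line
        "added '$Line' to $File"
    }
}

$agentConf = Join-Path $gnupgHome 'gpg-agent.conf'
$scdConf   = Join-Path $gnupgHome 'scdaemon.conf'

Add-GpgConfLine $agentConf 'enable-putty-support'    # Pageant-compatible agent for PuTTY/WinSCP
Add-GpgConfLine $agentConf 'enable-ssh-support'
Add-GpgConfLine $scdConf   'reader-port Yubico Yubi'   # pin scdaemon to the YubiKey's CCID reader

# Debug logging is only for troubleshooting reader detection; it writes a verbose
# log to %APPDATA%\gnupg\scdaemon.log. Enable it only while the card is not found.
# Add-GpgConfLine $scdConf 'debug-level guru'
# Add-GpgConfLine $scdConf 'log-file scdaemon.log'

# gpg-agent reads its configuration at start-up only, so kill and relaunch it.
gpgconf --kill gpg-agent
gpgconf --launch gpg-agent
gpg-connect-agent /bye

# Check: gpg --card-status exits non-zero when no OpenPGP card is reachable.
$status = gpg --card-status 2>&1
if ($LASTEXITCODE -ne 0) {
    Write-Error "YubiKey not detected by scdaemon: $status"
} else {
    $status | Select-String '^(Reader|Application type|Serial number|PIN retry counter)'
}
```

Run it from an elevated or normal PowerShell; only the last block needs the YubiKey plugged in.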

Open PowerShell and check whether the YubiKey is visible to gpg. You should get output similar to this:

PS C:\Users\wiege> gpg --card-status
Reader ...........: Yubico YubiKey OTP FIDO CCID 0
Application ID ...: < .... >
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: Yubico
Serial number ....: < .... >
Name of cardholder: < .... >
Language prefs ...: < .... >
Salutation .......: < .... >
URL of public key : [not set]
Login data .......: < .... >
Signature PIN ....: not forced
Key attributes ...: < .... >
Max. PIN lengths .: < .... >
PIN retry counter : 3 3 3
Signature counter : 0
KDF setting ......: off

When you open Kleopatra and go to Smartcards, you should also see your YubiKey. If your YubiKey is new, no keys are listed and you need to create them. This can be done several ways, through Kleopatra or on the CLI (I prefer the CLI as it provides more options).

Open CMD or PowerShell and use gpg to generate your new key. Option (11), ECC with your own capabilities, lets you create a primary key that does nothing but certify; the signing, encryption and authentication subkeys are added afterwards and are the only ones that go onto the YubiKey:

$ gpg --expert --full-generate-key

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
   (9) ECC and ECC
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (13) Existing key
Your selection? 11

Possible actions for this ECC key: Sign Certify Authenticate
Current allowed actions: Sign Certify

   (S) Toggle the sign capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? S

Possible actions for this ECC key: Sign Certify Authenticate
Current allowed actions: Certify

   (S) Toggle the sign capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? Q
Please select which elliptic curve you want:
   (1) Curve 25519
   ...
Your selection? 1

Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

It will ask you for your name and email address; fill those in and confirm with (O). A non-expiring primary key is acceptable here because it only certifies and stays off the YubiKey; the subkeys created below get an expiry date. Verify that your key has been generated:

$ gpg --list-keys
------------------------------------------------
pub   ed25519 2022-11-15 [C]
      E6444634F7318577BA18F43201A0XXXXXXXXXX

If you use Linux or WSL, you can export the key ID into a variable for later use:

export KEYID=E6444634F7318577BA18F43201A0XXXXXXXXXX

Now edit the primary key and add subkeys for signing, encryption and authentication:

$  gpg --expert --edit-key  E6444634F7318577BA18F43201A0XXXXXXXXXX
gpg (GnuPG) 2.3.8; Copyright (C) 2021 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  ed25519/01A0XXXXXXXXX
     created: 2022-11-15  expires: never       usage: C
     trust: ultimate      validity: ultimate

Add a new subkey for signing (choose Curve 25519 when gpg asks for the curve):

gpg> addkey
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (12) ECC (encrypt only)
  (13) Existing key
  (14) Existing key from card
Your selection? 10

Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 5y
Key expires at xxxxxxxxxxxxxxxxxxx
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.


Repeat this for the other two roles: choose (12) ECC (encrypt only) for the encryption subkey, and (11) ECC (set your own capabilities) for the authentication subkey, where you toggle Sign off with (S), Authenticate on with (A) and finish with (Q). Give all three the same expiry. Then write the changes with 'save'.

If you wish to add more e-mail addresses, use adduid to add them. The end result should look like this:

$ gpg -K

sec   ed25519 2022-11-15 [C]
      E6444634F7318577BA18F4XXXXXXXXXXXXXXXXXX
uid           [ultimate] Wieger Bontekoe <[email protected]>
uid           [ultimate] Wieger Bontekoe <[email protected]>
ssb   ed25519 2022-11-15 [S] [expires: 2027-11-14]
ssb   cv25519 2022-11-15 [E] [expires: 2027-11-14]
ssb   ed25519 2022-11-15 [A] [expires: 2027-11-14]

Now export everything. The keytocard step below moves the secret subkeys to the YubiKey and leaves only stubs in your keyring, so after that there is nothing left to export.

$ gpg --armor --export-secret-keys E6444634F7318577BA18F4XXXXXXXXXXXXXXXXXX > ./master.key
# --export-secret-keys already includes every subkey. For one file per subkey,
# append '!' to the subkey ID; without it gpg exports the whole key again.
$ gpg --armor --export-secret-subkeys <SUBKEYID>! > ./sub1.key

You can also do this from Kleopatra on Windows, which is simpler: go to 'Certificates', right-click the certificate and choose 'Details'. Under details go to 'More details'. There you will see the four keys (the primary key and the three subkeys), each of which you can export with a right-click.

Back up these files on offline, encrypted storage; you should never lose them. Before transferring, change the YubiKey's factory PINs (user PIN 123456, admin PIN 12345678) with gpg --change-pin, because keytocard and every later signature are protected by nothing else. Now transfer the keys to the YubiKey; gpg asks for the admin PIN for each slot:
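The whole key-generation and backup procedure above, as an added example that is not part of the original post: it builds the same layout (certify-only ed25519 primary key, ed25519 sign, cv25519 encrypt and ed25519 auth subkeys with a five-year expiry) non-interactively with gpg's --quick-* commands, exports the backups, and then proves the backup restores by importing it into a throw-away GNUPGHOME. The name, e-mail address and backup folder are placeholders.

```powershell
# Added example, not the original post's commands: build the same key layout
# non-interactively, export the backups and prove they import before anything
# is moved to the YubiKey. Name, e-mail and the backup folder are placeholders.
$uid       = 'Alice Example <alice@example.org>'
$backupDir = Join-Path $env:USERPROFILE 'gpg-backup'   # move to offline, encrypted storage afterwards
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# Certify-only primary key without expiry (it stays offline), then one subkey
# per role with a five-year expiry, matching the listing above.
gpg --quick-generate-key $uid ed25519 cert never
if ($LASTEXITCODE -ne 0) { throw 'primary key generation failed' }

# Primary fingerprint: field 10 of the first 'fpr' record in --with-colons output.
$fpr = (gpg --list-secret-keys --with-colons $uid |
        Select-String '^fpr:' | Select-Object -First 1).Line.Split(':')[9]

gpg --quick-add-key $fpr ed25519 sign 5y
gpg --quick-add-key $fpr cv25519 encr 5y
gpg --quick-add-key $fpr ed25519 auth 5y
gpg -K $fpr      # expect: sec [C] plus ssb [S], ssb [E], ssb [A]

# Export BEFORE keytocard: it replaces the local secret subkeys with stubs.
# --export-secret-keys already contains all subkeys; the separate subkey file is
# what you import on a machine that must never hold the primary key.
gpg --yes --armor --output (Join-Path $backupDir 'master.key')  --export-secret-keys    $fpr
gpg --yes --armor --output (Join-Path $backupDir 'subkeys.key') --export-secret-subkeys $fpr
gpg --yes --armor --output (Join-Path $backupDir 'public.asc')  --export               $fpr

# Restore test in a throw-away keyring: a backup you have never imported is a guess.
$tmpHome = Join-Path $env:TEMP ('gnupg-verify-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $tmpHome | Out-Null
gpg --homedir $tmpHome --import (Join-Path $backupDir 'master.key')
$restored = @(gpg --homedir $tmpHome --list-secret-keys --with-colons | Select-String '^(sec|ssb):')
if ($restored.Count -ne 4) { throw "backup should restore 1 primary + 3 subkeys, got $($restored.Count)" }
gpgconf --homedir $tmpHome --kill gpg-agent      # the temporary home started its own agent
Remove-Item -Recurse -Force $tmpHome
"backup verified: $fpr"
```

Pinentry still pops up for the passphrase during generation, export and the test import; that is expected. Once this prints "backup verified", continue with the keytocard steps below.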

$ gpg --edit-key E6444634F7318577BA18F4XXXXXXXXXXXXXXXXXX
gpg> key 1
gpg> keytocard
Please select where to store the key:
   (1) Signature key
   (3) Authentication key
Your selection? 1
gpg> key 1
gpg> key 2
gpg> keytocard
Please select where to store the key:
   (2) Encryption key
Your selection? 2
gpg> key 2
gpg> key 3
gpg> keytocard
Please select where to store the key:
   (3) Authentication key
Your selection? 3

gpg> save

Now verify that the subkeys were really moved. In gpg -K they now show as ssb> (the > marks a secret key that lives on a smartcard), and the card itself reports their fingerprints:

$ gpg --card-status
Reader ...........: Yubico YubiKey OTP FIDO CCID 0
Application ID ...: < .... >
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: Yubico
Serial number ....: < .... >
Name of cardholder: < .... >
Language prefs ...: < .... >
Salutation .......: < .... >
URL of public key : [not set]
Login data .......: < .... >
Signature PIN ....: not forced
Key attributes ...: < .... >
Max. PIN lengths .: < .... >
PIN retry counter : 3 3 3
Signature counter : 0
KDF setting ......: off
UIF setting ......: Sign=off Decrypt=off Auth=off
Signature key ....: 4B3C 6B30 B22F 9C3E F196  D72D DE7D 3E9F XXXX XXXX
      created ....: 2022-11-15 07:14:18
Encryption key....: 30CE FB8F 54E6 0E63 93D3  9D6B A29B E406 XXXX XXXX
      created ....: 2022-11-15 07:14:48
Authentication key: 2477 02D2 511B 5407 F9A3  6005 DF86 A2D3 XXXX XXXX
      created ....: 2022-11-15 07:15:07
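A scripted version of this verification, added as an example and not part of the original post: it checks that gpg -K lists exactly three subkeys as card stubs and none as local secret keys, cross-checks the fingerprints in gpg --card-status against the local stubs, and finally exports the OpenSSH public key of the authentication subkey, which is what gpg-agent's enable-ssh-support will serve. The fingerprint is a placeholder.

```powershell
# Added example (not from the original post): confirm all three subkeys are on
# the card, only stubs remain locally, and derive the OpenSSH public key for the
# [A] subkey. $fpr is the primary key fingerprint (placeholder).
$fpr = 'E6444634F7318577BA18F4XXXXXXXXXXXXXXXXXX'

# In `gpg -K` output a '>' after ssb means "secret part is on a smartcard".
$listing = gpg -K $fpr
$onCard  = @($listing | Select-String '^ssb>').Count
$local   = @($listing | Select-String '^ssb\s').Count
if ($onCard -ne 3 -or $local -ne 0) {
    throw "expected 3 subkeys on the card and 0 local copies, got $onCard on card, $local local"
}

# The card's own view: all three key slots must hold a fingerprint, not [none].
$card = gpg --card-status
$slotRe = '^(Signature|Encryption|Authentication) key\s*\.*:\s*'
$slotsFilled = @($card | Select-String ($slotRe + '[0-9A-F]')).Count
if ($slotsFilled -ne 3) { throw "card reports $slotsFilled filled key slots, expected 3" }

# Cross-check: every local stub must correspond to a fingerprint on the card.
$cardFprs  = $card | Select-String $slotRe |
             ForEach-Object { (($_.Line -split ':\s*', 2)[1]) -replace '\s', '' }
$localFprs = gpg --list-secret-keys --with-colons $fpr | Select-String '^fpr:' |
             Select-Object -Skip 1 | ForEach-Object { $_.Line.Split(':')[9] }   # skip the primary
$missing = Compare-Object -ReferenceObject @($cardFprs) -DifferenceObject @($localFprs) |
           Where-Object SideIndicator -eq '=>'
if ($missing) { throw "subkeys not on card: $($missing.InputObject -join ', ')" }

# OpenSSH public key for the authentication subkey. Add this line to the server's
# ~/.ssh/authorized_keys; gpg-agent (enable-ssh-support) answers with the YubiKey.
gpg --export-ssh-key $fpr
```

If the fingerprint check fails after a successful keytocard, the usual cause is a stale local copy of the subkey restored from a backup; re-run keytocard for that slot or delete the local secret subkey.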

PGP part: all set! The OpenPGP keys above already give you SSH through gpg-agent's ssh support (the [A] subkey). A second, independent option is an OpenSSH FIDO key (ed25519-sk or ecdsa-sk), which uses the YubiKey's FIDO2 application rather than the OpenPGP keys you just provisioned. Let's check that our OpenSSH is new enough (8.2 or later) to support the -sk key types:

$ ssh-keygen --help
unknown option -- -
usage: ssh-keygen [-q] [-a rounds] [-b bits] [-C comment] [-f output_keyfile]
                  [-m format] [-N new_passphrase] [-O option]
                  [-t dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa]
                  [-w provider] [-Z cipher]

If you do not see the '-sk' key types you need to upgrade OpenSSH. Generate a new key using ed25519-sk; it will ask for verification on the YubiKey:

$ ssh-keygen -t ed25519-sk -f ~/.ssh/mynewkey
Generating public/private ed25519-sk key pair
You may need to touch your authenticator to authorize key generation.

Just touch the metal contact and it will bind the SSH key pair to your YubiKey. The file written to ~/.ssh/mynewkey is only a key handle, not the private key; without the token it is useless.

When it says "Enter passphrase (empty for no passphrase)", you can just press enter to leave it empty. On Linux, now copy your public key (~/.ssh/mynewkey.pub) to your server with ssh-copy-id. Windows has no ssh-copy-id, so you have to append the public key to ~/.ssh/authorized_keys on the server by hand. Never copy the private key file itself to a server.

Now when you ssh to that host it should ask for verification:
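The FIDO key procedure as a script, added here as an example and not part of the original post: it checks the OpenSSH version programmatically instead of eyeballing the usage text, creates an ed25519-sk key that additionally requires the YubiKey's FIDO2 PIN, and installs the public key on the server without ssh-copy-id. The server name, user and key path are placeholders; the ssh and ssh-keygen binaries on PATH must be a FIDO-capable build (on Windows that may mean the ones from WSL).

```powershell
# Added example (not from the original post): version check, ed25519-sk key
# generation with PIN verification, and an ssh-copy-id substitute for Windows.
# Server, user and key path are placeholders.
$server  = 'user@server.example.org'
$keyPath = Join-Path $env:USERPROFILE '.ssh\mynewkey'

function Test-SshSkSupport {
    # FIDO key types (ecdsa-sk, ed25519-sk) arrived in OpenSSH 8.2.
    # `ssh -V` prints its banner on stderr, e.g. "OpenSSH_9.3p1" or
    # "OpenSSH_for_Windows_9.5p1"; the Windows build may still lack FIDO support.
    $banner = (& ssh -V 2>&1 | Out-String)
    if ($banner -match 'OpenSSH_(?:for_Windows_)?(\d+)\.(\d+)') {
        $major = [int]$Matches[1]; $minor = [int]$Matches[2]
        return ($major -gt 8) -or ($major -eq 8 -and $minor -ge 2)
    }
    throw "cannot parse ssh -V output: $banner"
}
if (-not (Test-SshSkSupport)) { throw 'OpenSSH too old for -t ed25519-sk; upgrade OpenSSH' }

# -O verify-required: the YubiKey demands its FIDO2 PIN on every use, not only a touch.
# The private key never leaves the token; $keyPath only receives a key handle.
ssh-keygen -t ed25519-sk -O verify-required -C "yubikey-$env:COMPUTERNAME" -f $keyPath
if ($LASTEXITCODE -ne 0) { throw 'key generation failed (touch the YubiKey when prompted)' }

# ssh-copy-id substitute: append the PUBLIC key to authorized_keys on the server.
# tr strips the CR that PowerShell adds when piping text into a native command.
$pub = (Get-Content "$keyPath.pub" -Raw).Trim()
$pub | ssh $server "umask 077; mkdir -p ~/.ssh; tr -d '\r' >> ~/.ssh/authorized_keys"
if ($LASTEXITCODE -ne 0) { throw 'could not install the public key on the server' }

# Test with this key only; expect the YubiKey to ask for PIN and touch.
ssh -i $keyPath -o IdentitiesOnly=yes $server 'echo login-ok'
```

Leave out -O verify-required if a touch alone is the policy you want; keep it for keys that can reach production hosts, since it turns a stolen and plugged-in YubiKey into a PIN-guessing problem with a lockout.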

Categories
Windows

Enable ‘Previous Versions’

Anyone who has ever trashed a spreadsheet, or accidentally deleted a file, will appreciate the 'Previous Versions' function. However, it is not enabled by default, and you usually find that out when it is already too late.

You can enable Previous Versions by enabling shadow copies at the volume level: Server Manager > Tools > Computer Management > Shared Folders > Configure Shadow Copies > select the volume > Enable. It will reserve about 15% of the volume for snapshots, so make sure you have enough room. Keep in mind that shadow copies live on the same volume and can be removed by anyone with administrator rights (ransomware routinely runs vssadmin delete shadows), so they complement backups rather than replace them.

In my case I want a copy every hour: go to the Advanced Schedule Options interface, select Repeat task, set the frequency to every 1 hour, then select Time and change the start time to 2:58 AM.
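The same setup from PowerShell, added as an example and not part of the original post: it caps shadow storage on the volume, takes a first client-accessible snapshot, registers an hourly scheduled task starting at 02:58 running as SYSTEM, and lists the result. The drive letter is a placeholder and the script must run elevated.

```powershell
# Added example (not from the original post): enable hourly shadow copies for a
# volume from PowerShell. Drive letter is a placeholder; run as administrator.
$volume = 'D:'

# Reserve space for shadow copies on the same volume (the GUI's "Settings" step).
# `add` fails if storage already exists; fall back to resizing it.
vssadmin add shadowstorage /for=$volume /on=$volume /maxsize=15%
if ($LASTEXITCODE -ne 0) { vssadmin resize shadowstorage /for=$volume /on=$volume /maxsize=15% }

# Take a client-accessible snapshot now; this is what "Previous Versions" reads.
$create = Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create `
          -Arguments @{ Volume = "$volume\"; Context = 'ClientAccessible' }
if ($create.ReturnValue -ne 0) { throw "Win32_ShadowCopy.Create failed with code $($create.ReturnValue)" }

# Hourly snapshots through a scheduled task, as the GUI schedule does.
$cmd = "Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create -Arguments @{Volume='$volume\';Context='ClientAccessible'}"
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
             -Argument "-NoProfile -NonInteractive -Command `"$cmd`""
# Without -RepetitionDuration the repetition is indefinite on Server 2016 and
# later; on 2012 R2 add -RepetitionDuration ([TimeSpan]::MaxValue).
$trigger   = New-ScheduledTaskTrigger -Once -At '02:58' -RepetitionInterval (New-TimeSpan -Hours 1)
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName "ShadowCopy-$($volume.TrimEnd(':'))" `
    -Action $action -Trigger $trigger -Principal $principal -Force | Out-Null

# Check: the snapshot just taken should be listed for the volume.
vssadmin list shadows /for=$volume
```

Snapshots are copy-on-write, so the 15% cap is consumed by churn, not by volume size; on a busy file server the oldest snapshots get discarded sooner than the hourly schedule suggests.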

Categories
Windows

Enable LLDP on Windows Server 2016/2019

The Link Layer Discovery Protocol (LLDP) is a vendor-neutral link layer protocol used by network devices for advertising their identity, capabilities, and neighbors on a local area network based on IEEE 802 technology, principally wired Ethernet. The protocol is formally referred to by the IEEE as Station and Media Access Control Connectivity Discovery, specified in IEEE 802.1AB and IEEE 802.3 section 6 clause 79.

The following installs the DataCenterBridging feature, which provides the Enable-NetLldpAgent cmdlet, and enables LLDP on all Ethernet interfaces that are up. The feature may require a reboot before the cmdlet exists, and the name filter only matches adapters still called "Ethernet…", so check renamed NICs separately. Since LLDP advertises this host's identity to its switch neighbours, enable it only where you want that:

Enable-WindowsOptionalFeature -Online -FeatureName 'DataCenterBridging'
Get-NetAdapter | Where-Object { $_.Name -like "*Ethernet*" -and $_.Status -eq 'Up' } | ForEach { Enable-NetLldpAgent -NetAdapterName $_.Name -Verbose }

Categories
Windows

Enable NTP Server in Windows 2019

The Windows Time service uses the Network Time Protocol (NTP) to synchronize time across a network. Turning the server side on takes three PowerShell commands: enable the NtpServer provider, set AnnounceFlags to 5 (announce this host as an always-reliable time source, so make sure it syncs to a good upstream source itself), and restart the service. Clients also need inbound UDP port 123 allowed through the firewall.

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\w32time\TimeProviders\NtpServer" -Name "Enabled" -Value 1
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\services\W32Time\Config" -Name "AnnounceFlags" -Value 5 
Restart-Service w32Time
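The three commands with the checks around them, added as an example and not part of the original post: it opens the inbound UDP/123 rule that the registry changes do not create, then verifies the configuration and performs a real NTP exchange against localhost with w32tm. The firewall rule name and profiles are placeholders; run elevated.

```powershell
# Added example (not from the original post): enable the NTP server, open the
# firewall, and verify that the service actually answers. Run as administrator.
$ntpProvider = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer'
$w32Config   = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'

Set-ItemProperty -Path $ntpProvider -Name 'Enabled' -Value 1
# AnnounceFlags 5 = "always time server" + "always reliable": clients trust this
# host regardless of its own sync quality, so point it at a good upstream first.
Set-ItemProperty -Path $w32Config -Name 'AnnounceFlags' -Value 5
Restart-Service W32Time
if ((Get-Service W32Time).Status -ne 'Running') { throw 'W32Time did not come back up' }

# The registry changes do not open the port; without this rule clients time out silently.
$ruleName = 'NTP Server (UDP-In)'   # placeholder name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol UDP `
        -LocalPort 123 -Action Allow -Profile Domain, Private | Out-Null
}

# Check 1: the effective configuration as W32Time sees it.
w32tm /query /configuration | Select-String 'AnnounceFlags|NtpServer \(Local\)|^Enabled'

# Check 2: a real NTP query against ourselves; a failed exchange prints "error:".
$probe = w32tm /stripchart /computer:localhost /samples:1 /dataonly | Out-String
if ($probe -match 'error:') { throw "no NTP reply from localhost: $probe" }
"NTP server responding:`n$probe"
```

Repeat the stripchart probe from a client (`w32tm /stripchart /computer:<server>`) to confirm the firewall path end to end.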