Single purpose SSH-key

I’m no guru – I simply “borrowed” this from a website.
Single-purpose keys
So now you’re sshing and scping your brains out. Sooner or later you’ll come across one or both of these situations:
1. You want to automate some ssh/scp process to be done after hours, but can’t because no one will be around to type the passphrase.
2. You want to allow an account to do some sort of ssh/scp operation on another machine, but are hesitant to append a key to your authorized_keys2 file because that essentially “opens the barn door” to anything that other account wants to do, not just the one operation you want to let it do. (This is the situation if you use a .shosts file.)
Single-purpose keys to the rescue!
1. Make yourself another key:
ssh-keygen -t dsa -f ~/.ssh/whoisit
Just press return when it asks you to assign it a passphrase; this will make a key with no passphrase required. If this works right you will get two files called whoisit and whoisit.pub in your .ssh dir.
2. cp ~/.ssh/whoisit.pub tempfile
We want to work on it a little. tempfile should consist of one really long line that looks kind of like this:
ssh-dss AAAAB3NzaC1k[…]9qE9BTfw== [email protected]
3. Edit tempfile and prepend some things to that line so that it looks like this:
command="echo I\'m `/usr/ucb/whoami` on `/usr/bin/hostname`",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-dss AAAAB3NzaC1k[…]9qE9BTfw== whoisitnow
That will do what we want on Solaris; to try this example on Linux use this:
command="echo I\'m `/usr/bin/whoami` on `/bin/hostname`",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-dss AAAAB3NzaC1k[…]9qE9BTfw== whoisitnow
The stuff to prepend is your command that will be run when this key is activated, and some options to keep it from being abused (hopefully). The last thing on the line is just a comment, but you probably want to set it to something meaningful.
Also, most examples I see use no-pty as an additional option, but this messes up the carriage-return/linefeediness of the output of the above example. (Try it.) I haven’t looked into it enough to see why you would want it, but there you go.
4. cat tempfile | ssh burly 'sh -c "cat - >>~/.ssh/authorized_keys2"'
Append tempfile to your authorized_keys2 file on burly.
5. To “activate” (or perhaps “detonate”) the key from hurly (or anywhere that has the secret key), do this (maybe there is a better way?):
ssh -i ~/.ssh/whoisit burly
The following also works but is cumbersome:
ssh-agent sh -c 'ssh-add ~/.ssh/whoisit < /dev/null && ssh burly'
You can also append this "command key" to a different account's authorized_keys2 file and trigger it from a different username. You just need the secret key. Like so:
ssh -i ~/.ssh/whoisit -l paulkeck burly
The next leap in the pattern is something like this:
ssh -i /home/pkeck/.ssh/whoisit -l paulkeck burly
This could be run by any user on the box if they could read your secret key, so always keep your .ssh dir and all your keys chmodded to 700 and 600 respectively.
6. You could make single-purpose keys with commands to (haven't tested all these):
* mt -f /dev/nst0 rewind
Rewind a tape on a remote machine
* nice -n 19 dd of=/dev/nst0
Send STDIN to that tape drive. Maybe STDIN is a tar stream from tar -cf -.
* nice -n 19 dd if=/dev/nst0
Read stuff from there to my STDIN
* cat claxon.au > /dev/audio
Play an alarm noise on a remote machine
* cat - > /dev/audio
Play any sound you send on STDIN
* cat - > /etc/dhcpd.conf
Replace /etc/dhcpd.conf with some stuff from STDIN on the triggering machine (sounds like a temp file would be better)
You can send the stuff on STDIN with something like this on the triggering machine:
ssh-agent sh -c 'ssh-add ~/.ssh/whoisit < /dev/null && cat alarm.au | ssh burly'
or
ssh-agent sh -c 'ssh-add ~/.ssh/whoisit < /dev/null && tar cf - /home/pkeck | ssh burly'
Maybe for that one the corresponding command to "catch" that stream would be:
cat - > ~/backups/pkeck.tar.`date +%Y%m%d.%H-%M-%S`
You get the idea! Go crazy!
Tape examples from Ed Cashin’s Gettin’ Fancy with SSH Keys, my inspiration for getting into this whole thing!
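Steps 2 and 3 above edit the authorized_keys line by hand. The script below is an added example (not from the page or from Paul Keck's original) that builds the same restricted line from a .pub file and checks a line for the forced command plus the three forwarding restrictions; the key blob in demo() is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example, not from the original page: build the restricted
# authorized_keys line of steps 2-3 from a .pub file instead of editing
# it by hand, and check a line for the three forwarding restrictions.
# The .pub contents in demo() are a constructed placeholder, not a key.

# make_forced_key PUBFILE COMMAND COMMENT
# Prints: command="COMMAND",no-port-forwarding,... TYPE BLOB COMMENT
make_forced_key() {
    pub=$1; cmd=$2; comment=$3
    # a .pub is "type base64blob comment"; the old comment is dropped
    read -r ktype kblob _ < "$pub" || return 1
    printf 'command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s %s %s\n' \
        "$cmd" "$ktype" "$kblob" "$comment"
}

# check_forced_key LINE
# Returns 0 only if the line starts with a forced command and carries
# all three restrictions, so an unrestricted key cannot slip in by mistake.
check_forced_key() {
    line=$1
    case $line in command=\"*) ;; *) return 1 ;; esac
    for opt in no-port-forwarding no-X11-forwarding no-agent-forwarding; do
        case $line in *",$opt,"*|*",$opt "*) ;; *) return 1 ;; esac
    done
    return 0
}

# demo: the whoisit key from the text, with a constructed key blob
demo() {
    tmp=$(mktemp) || return 1
    printf 'ssh-dss AAAAB3NzaC1kEXAMPLE== pkeck@hurly\n' > "$tmp"   # constructed
    make_forced_key "$tmp" 'echo I am `whoami` on `hostname`' whoisitnow
    rm -f "$tmp"
}

demo   # prints the line you would append to authorized_keys2 on burly
```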

"default" iptables-setup.

This is always something in progress – but, more or less this is (was) a basic fw-setup:

#!/bin/sh
PATH=/usr/sbin:/sbin:/bin:/usr/bin
#
# delete all existing rules.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
#
# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward
# and some good stuff to have enabled..
# (appended to /etc/sysctl.conf so they survive a reboot; run this part
# once, or the same lines pile up. 'sysctl -p' applies them right away.)
#no spoofing
echo "net.ipv4.conf.default.rp_filter = 1" >> /etc/sysctl.conf
echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.conf
#no broadcasts
#echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" >> /etc/sysctl.conf
echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.conf
#more..
echo "net.ipv4.conf.all.secure_redirects = 1" >> /etc/sysctl.conf
#echo "net.ipv4.conf.all.send_redirects = 1" >> /etc/sysctl.conf
# 0 = refuse source-routed packets; a firewall should not honour them
echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.conf
#echo "net.ipv6.conf.all.accept_source_route = 0" >> /etc/sysctl.conf
sysctl -p
# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT
#yes, you should have fail2ban ;)
#/etc/init.d/fail2ban restart
#fix tap0 forwarding etc.
#clarify - eth1 internet
#clarify - eth0 lan
# Allow established connections, and those not coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A INPUT -m state --state NEW ! -i eth1 -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A INPUT -m state --state NEW -i eth1 -j REJECT
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
# Masquerade.
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
# Don't forward from the outside (eth1) to the inside (eth0).
iptables -A FORWARD -i eth1 -o eth0 -j REJECT
# Note: the chain policies are left at ACCEPT, so anything not rejected
# above (e.g. INVALID-state packets arriving on eth1) still gets in.
# portforwarding-rules
#iptables -t nat -A PREROUTING -i eth1 -p tcp --dport [port] -j DNAT --to [ip:port]
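The sysctl lines in the script append to the file on every run. As an added example (not part of the page's setup), here is an idempotent replacement that sets a key in a sysctl-style file, taking the file path as a parameter so it can be tried on a scratch file first; the keys are the ones the firewall script uses.

```shell
#!/bin/sh
# Added example, not from the page: set a sysctl key in a conf file
# idempotently instead of appending a new line on every run, as the
# firewall script above does. FILE is a parameter; /etc/sysctl.conf is
# the real target. Keys and values are the ones the script uses.

# set_sysctl_key FILE KEY VALUE: replace an existing "KEY = ..." line
# (commented out or not) or append one, leaving other lines untouched.
set_sysctl_key() {
    file=$1 key=$2 val=$3
    tmp=$(mktemp) || return 1
    # keys contain dots, which are regex metacharacters: escape them
    pat=$(printf '%s' "$key" | sed 's/\./\\./g')
    if grep -Eq "^[#[:space:]]*$pat[[:space:]]*=" "$file" 2>/dev/null; then
        sed -E "s|^[#[:space:]]*$pat[[:space:]]*=.*|$key = $val|" "$file" > "$tmp"
    else
        cat "$file" > "$tmp" 2>/dev/null
        printf '%s = %s\n' "$key" "$val" >> "$tmp"
    fi
    mv "$tmp" "$file"
}

# get_sysctl_key FILE KEY: print the configured value (empty if unset)
get_sysctl_key() {
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -En "s|^[[:space:]]*$pat[[:space:]]*=[[:space:]]*||p" "$1" | tail -n 1
}

# count_key FILE KEY: how many active lines define KEY (should be 1)
count_key() {
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -Ec "^[[:space:]]*$pat[[:space:]]*=" "$1"
}

# demo: run against a scratch copy rather than the real /etc/sysctl.conf
demo() {
    f=$(mktemp) || return 1
    printf '#net.ipv4.conf.all.rp_filter = 0\n' > "$f"   # constructed
    set_sysctl_key "$f" net.ipv4.conf.all.rp_filter 1
    set_sysctl_key "$f" net.ipv4.conf.all.rp_filter 1   # second run is a no-op
    cat "$f"; rm -f "$f"
}
```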

kernel: Neighbour table overflow

This issue is related to having a bit too many ARP entries (e.g. on a router).
If you're for instance having bittorrent traffic generating all those ARPs, you'll end up with a lot of
entries in your logs. It's also a performance issue later on, since you'll have problems flushing
and creating new connections to IPs not already listed in the ARP table.
Example log:

  kernel: Neighbour table overflow.
  kernel: printk: 100 messages suppressed.
  kernel: Neighbour table overflow.
  kernel: printk: 151 messages suppressed.
  kernel: Neighbour table overflow.

The solution:
Start by running arp -anv a couple of times, or check your concurrent connections by some other means.
Next up (example):

echo 2048 > /proc/sys/net/ipv4/neigh/default/gc_thresh1
echo 3072 > /proc/sys/net/ipv4/neigh/default/gc_thresh2
echo 4096 > /proc/sys/net/ipv4/neigh/default/gc_thresh3

By default, you will have (a guess) a value of 128 in gc_thresh1, twice that for gc_thresh2 (256) and twice that again for gc_thresh3 (512).
Set your limits according to how many concurrent connections your hardware and software can handle.
Now, if you're running something like zeroshell, add the echo lines to your startup scripts.
Otherwise, I'd recommend adding this as an if-up.d script or its relevant counterpart.
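Two checks worth having before raising the thresholds, as an added example (not from the page): how many overflow events the log really contains once the "messages suppressed" lines are counted in, and where a neighbour-entry count sits relative to gc_thresh1/2/3. The log lines are constructed from the example log above; nothing reads /proc or the real syslog.

```shell
#!/bin/sh
# Added example, not from the page: (1) count the overflow events a log
# really holds once "printk: N messages suppressed" lines are taken into
# account, and (2) classify a neighbour-entry count against
# gc_thresh1/2/3. SAMPLE_LOG is constructed from the example log above.

SAMPLE_LOG='Jan  1 00:00:01 gw kernel: Neighbour table overflow.
Jan  1 00:00:02 gw kernel: printk: 100 messages suppressed.
Jan  1 00:00:02 gw kernel: Neighbour table overflow.
Jan  1 00:00:03 gw kernel: printk: 151 messages suppressed.
Jan  1 00:00:03 gw kernel: Neighbour table overflow.
Jan  1 00:00:04 gw kernel: eth1: link up'

# count_overflows: syslog lines on stdin -> total overflow events.
# Assumes, as in the log above, that the suppressed messages were the
# same overflow message (printk does not say which message it dropped).
count_overflows() {
    awk '
        /Neighbour table overflow/ { n++ }
        /printk: [0-9]+ messages suppressed/ {
            for (i = 1; i <= NF; i++) if ($i == "printk:") n += $(i + 1)
        }
        END { print n + 0 }'
}

# thresh_status ENTRIES T1 T2 T3 -> idle | normal | pressure | overflow
# Below T1 the kernel never garbage-collects; above T2 it starts
# forcing collection; at T3 new entries fail and the message is logged.
thresh_status() {
    entries=$1 t1=$2 t2=$3 t3=$4
    if   [ "$entries" -ge "$t3" ]; then echo overflow
    elif [ "$entries" -ge "$t2" ]; then echo pressure
    elif [ "$entries" -ge "$t1" ]; then echo normal
    else echo idle
    fi
}

# On a live router (not run here): count the table with
#   ip -4 neigh | wc -l      (or: arp -an | wc -l)
# and pass that number plus the three gc_thresh values to thresh_status.
printf '%s\n' "$SAMPLE_LOG" | count_overflows   # 254 events, not 3
thresh_status 700 128 256 512                    # overflow
```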

openvas 3.1.x "bundle" on ubuntu 10.04

Two versions, one is the classic one, the other contains a bunch of ‘new stuff’.

#!/bin/bash
#make me as a [name.sh] and do me a chmod +x [name.sh]
#Ran on ubu 10.04
#Run as root (ie - sudo -i )
#classic
set -e   # stop at the first failing download or build step
cd $HOME
wget http://wald.intevation.org/frs/download.php/767/openvas-libraries-3.1.2.tar.gz
wget http://wald.intevation.org/frs/download.php/754/openvas-scanner-3.1.0.tar.gz
wget http://wald.intevation.org/frs/download.php/757/openvas-client-3.0.1.tar.gz
gunzip -d $HOME/openvas*.gz
tar -xvvf $HOME/openvas-libraries-3.1.2.tar
tar -xvvf $HOME/openvas-scanner-3.1.0.tar
##tar -xvvf $HOME/openvas-client-3.0.1.tar
apt-get install -y build-essential libgtk2.0-dev libglib2.0-dev libssl-dev htmldoc libgnutls-dev libpcap0.8-dev bison libgpgme11-dev libsmbclient-dev snmp pnscan cmake uuid uuid-dev
#libraries -- configure and make have to run inside the source dir
cd $HOME/openvas-libraries-3.1.2
./configure
make
make install
# ld.so.conf lines are directory paths; "include" only pulls in other conf files
echo "/usr/local/lib" >> /etc/ld.so.conf && ldconfig
#scanner
cd $HOME/openvas-scanner-3.1.0
./configure
make
make install
##client
##cd $HOME/openvas-client-3.0.1
##./configure
##make
##make install

// the second, full one is a WIP (or just work it out yourself…);

#manual fix
#!/bin/bash
#full
wget http://wald.intevation.org/frs/download.php/767/openvas-libraries-3.1.2.tar.gz
wget http://wald.intevation.org/frs/download.php/754/openvas-scanner-3.1.0.tar.gz
wget http://wald.intevation.org/frs/download.php/757/openvas-client-3.0.1.tar.gz
wget http://wald.intevation.org/frs/download.php/773/openvas-manager-1.0.2.tar.gz
wget http://wald.intevation.org/frs/download.php/774/greenbone-security-assistant-1.0.2.tar.gz
wget http://wald.intevation.org/frs/download.php/766/openvas-cli-1.0.0.tar.gz
wget http://wald.intevation.org/frs/download.php/739/openvas-administrator-0.9.0.tar.gz
wget http://wald.intevation.org/frs/download.php/771/gsa-desktop-0.2.0.tar.gz
https://wald.intevation.org/tracker/index.php?func=detail&aid=1079&group_id=29&atid=exit
220
apt-get install uuid uuid-dev libgtk2.0-dev

after libs:
Be sure to add /usr/local/lib in /etc/ld.so.conf and type 'ldconfig'
# ld.so.conf lines are directory paths; "include" only pulls in other conf files
echo "/usr/local/lib" >> /etc/ld.so.conf
ldconfig
openvassd
OpenVas-Client
gsa-desktop 0.2.0
apt-get install libqt4-dev