Friday, June 21, 2013

Using ssh's ProxyCommand and netcat to access Servers with no Public IP

It is not unusual to have servers with no public IP address. In some cases you can reach them over a VPN, or expose SSH on an alternate port, but sometimes that is just inconvenient and you need to hop through another server that can see both you and the target. This can be done with the ProxyCommand directive in ~/.ssh/config and netcat: the local ssh client opens an ssh session to the intermediate host and uses it only as a pipe to port 22 on the real target.

For example, if I can ssh to 'machine-a', and from machine-a can ssh to 'machine-b', I could add the following to my ~/.ssh/config file:

Host machine-b
ProxyCommand ssh -q machine-a nc -q0 machine-b 22

I then use 'ssh machine-b' from the command line and the connection is relayed through machine-a: the ProxyCommand logs in to machine-a, runs netcat there to connect to port 22 on machine-b, and hands that TCP stream to the local ssh client, which performs its own key exchange and host-key check with machine-b. machine-a only forwards ciphertext and no agent forwarding is needed, which is the main reason to prefer this over logging in to machine-a and running ssh from there with -A. Two caveats: the -q0 option (quit once stdin hits EOF) is specific to Debian's netcat and is rejected by ncat and BSD nc, and the jump host needs netcat installed at all. OpenSSH 5.4 and later can do the relay natively with 'ssh -W host:port', which avoids both.
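The stanza above generalized, as an added example that is not part of the original post: it uses the %h and %p tokens so one stanza can be reused for other hosts, and ssh's own -W forwarding instead of netcat, so nothing beyond sshd is required on the jump host. The host names follow the post; the HostName and User values are placeholders.

```sshconfig
# Added example, not from the original post. machine-a and machine-b
# follow the post; HostName and User are illustrative placeholders.

# The jump host, reachable directly.
Host machine-a
    HostName machine-a.example.com
    User alice

# machine-b has no public address: relay the TCP connection through
# machine-a. %h and %p expand to the target host and port. The ssh
# session to machine-b is still negotiated end to end; machine-a
# only forwards ciphertext and never sees the agent or the password.
Host machine-b
    ProxyCommand ssh -q -W %h:%p machine-a

# The post's netcat form, for OpenSSH older than 5.4 (no -W). The -q
# option is specific to Debian's netcat; ncat and BSD nc do not accept it.
# Host machine-b
#     ProxyCommand ssh -q machine-a nc -q0 %h %p

# OpenSSH 7.3 and newer: ProxyJump does the same without a ProxyCommand.
# Host machine-b
#     ProxyJump machine-a
```

Only one of the three machine-b stanzas should be active at a time; ssh uses the first matching Host block for each option, so an uncommented duplicate would silently win.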

Friday, June 7, 2013

Verifying that a SSL Certificate matches a Key

When configuring SSL under Apache, a mistake usually means Apache will not start, which is a problem when you are also trying to keep downtime to a minimum. So when a non-technical person hands you a CRT/KEY pair and expects you to install it into Apache, it is worth checking that the two actually belong together before restarting anything. For RSA keys the quick check is the modulus, which must be identical in the certificate and the key. The openssl command-line tools print it; hashing the output makes the two values easy to compare by eye:
openssl x509 -in filename.crt -modulus -noout | openssl md5
openssl rsa -in filename.key -modulus -noout | openssl md5

If the two hashes differ, the certificate was not issued for that key and installing the pair will fail. Note that the modulus only exists for RSA; for an EC key the same test is done by comparing the public key extracted from the certificate with the public key derived from the private key. If you want to be ambitious, verify the certificate's validity dates as well, since an expired or not-yet-valid certificate will start Apache but fail in the browser:
openssl x509 -in filename.crt -dates -noout
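The same check as a script, added here as an example that is not part of the original post: it compares the public key carried by the certificate with the public key derived from the private key, which covers EC keys as well as RSA, and uses openssl's -checkend to turn the date check into a pass/fail exit status. The certificates and keys are generated on the fly as constructed test material; none of them are real.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that a certificate and
# a private key belong together by comparing the public key each one carries,
# then check that the certificate is not about to expire. Unlike the -modulus
# check, which is RSA-only, this also works for EC keys.
set -eu

# Fingerprint of the public key embedded in a certificate.
cert_pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey | openssl sha256
}

# Fingerprint of the public key derived from a private key (RSA or EC).
key_pubkey_fp() {
    openssl pkey -in "$1" -pubout | openssl sha256
}

# keys_match CRT KEY: exit 0 if the pair belongs together, 1 otherwise.
keys_match() {
    [ "$(cert_pubkey_fp "$1")" = "$(key_pubkey_fp "$2")" ]
}

# cert_valid_for CRT SECONDS: exit 0 if CRT is still valid SECONDS from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Constructed test material: a self-signed RSA pair, an unrelated RSA key,
# and a self-signed EC pair. Nothing here is a real certificate.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj /CN=rsa.example.test \
    -keyout "$WORK/rsa.key" -out "$WORK/rsa.crt" 2>/dev/null
openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null
openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/ec.key"
openssl req -x509 -new -key "$WORK/ec.key" -days 30 -subj /CN=ec.example.test \
    -out "$WORK/ec.crt"

# Run the check over a matching RSA pair, a mismatched pair and an EC pair.
for pair in "rsa.crt rsa.key" "rsa.crt other.key" "ec.crt ec.key"; do
    set -- $pair
    if keys_match "$WORK/$1" "$WORK/$2"; then
        echo "$1 / $2: match"
    else
        echo "$1 / $2: MISMATCH, do not install"
    fi
done
cert_valid_for "$WORK/rsa.crt" 604800 && echo "rsa.crt still valid in 7 days"
```

Point keys_match at the real filename.crt and filename.key before touching the Apache configuration; a non-zero exit means the pair was never going to work, whatever the error log says afterwards.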

Tuesday, June 4, 2013

Hardware Tokens Followup

I was contacted by someone trying to get a Gemalto Ezio Time Token to work with Google Authenticator. It looks like it would be a slightly better solution than the Gooze token because it uses the correct step window (the PAM library wouldn't need to be patched). Unfortunately, the only place I can find to purchase them (for use with AWS, by Amazon) doesn't provide the seed/key, so no dice. Hopefully they become available with the seed, because they look like nice devices.

Monday, June 3, 2013

Sending File Attachments from the Shell

There is bad news and more bad news on this subject. The first bad news is that there is no simple, standard, default tool for this on the command line. The second is that the old standard way seems to have been shut down as a security problem in Outlook. Specifically, you used to pipe the output of 'uuencode' into 'mail': the file travelled as uuencoded text in the plain message body, with no MIME headers at all, and Outlook no longer interprets that as an attachment (probably to fight the spread of viruses).

The old way of doing it
uuencode filename.csv filename.csv | mail -s 'Subject of email' recipient@domain.com
'uuencode' was a fairly common tool (it ships in the sharutils package) and was even installed by default on some Linux variants. Now we have to scavenge a bit; the tool I have used most is 'mpack'. It is packaged for both Debian and Ubuntu by the distribution, and you can find pre-rolled versions for Red Hat/CentOS. Once you get it installed, using it is easy: it builds a proper MIME message with the file as a base64 attachment, which is what modern mail clients expect.

The new way of doing it
mpack -s 'Subject of email' filename.csv recipient@domain.com
Hopefully the target doesn't move again.
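What mpack produces, and a fallback for a box where it cannot be installed, as an added example that is not part of the original post: a POSIX sh function that assembles a multipart/mixed message with the file as a base64 attachment and prints it, ready to be piped into 'sendmail -t'. The sample CSV is constructed for the demonstration; the recipient address follows the post.

```shell
#!/bin/sh
# Added example (not from the original post): build a MIME message with a
# base64 attachment using only POSIX sh and the coreutils base64 command,
# which is what mpack does for you. Pipe the output into `sendmail -t`.
set -eu

# mime_message TO SUBJECT FILE
# Print a complete message with FILE as a base64 attachment. The filename is
# placed in quoted header parameters, so keep it free of double quotes.
mime_message() {
    to=$1; subject=$2; file=$3
    name=$(basename "$file")
    boundary="=_part_$$_$(date +%s)"
    printf 'To: %s\n' "$to"
    printf 'Subject: %s\n' "$subject"
    printf 'MIME-Version: 1.0\n'
    printf 'Content-Type: multipart/mixed; boundary="%s"\n\n' "$boundary"
    # First part: a short text body so clients that hide attachments
    # still show something.
    printf -- '--%s\n' "$boundary"
    printf 'Content-Type: text/plain; charset=us-ascii\n\n'
    printf 'Attached: %s\n\n' "$name"
    # Second part: the file itself. coreutils base64 wraps at 76 columns,
    # which is the line-length limit MIME requires.
    printf -- '--%s\n' "$boundary"
    printf 'Content-Type: application/octet-stream; name="%s"\n' "$name"
    printf 'Content-Transfer-Encoding: base64\n'
    printf 'Content-Disposition: attachment; filename="%s"\n\n' "$name"
    base64 "$file"
    printf -- '--%s--\n' "$boundary"
}

# Constructed sample input (not a real report).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
printf 'a,b\n1,2\n' > "$WORK/report.csv"

# Preview the message; replace `cat` with `sendmail -t` to actually send it.
mime_message recipient@domain.com 'Subject of email' "$WORK/report.csv" | cat
```

Some mail(1) implementations (heirloom-mailx, s-nail) can attach a file with -a, and mutt does it with 'mutt -s subject -a file -- recipient', but bsd-mailx cannot, which is why a portable script still ends up writing the MIME structure itself.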