Paul, this series is fantastic. I can't thank you enough for sharing your knowledge and experience with us.
Dear Paul, we need more of this. Please!
Hey I just found your channel and started watching your vids and it's obvious this is high-quality and professional education. Wanted to thank you for your work and education efforts!
Thank you very much for the feedback, D.S. I’m glad you’ve found the videos helpful.
Yeah, great guides! I had started with PKI but watched all the videos. SSH is such a versatile protocol and tool. There are few vulnerabilities in OpenSSH compared to some other projects. On the other hand, there are plenty of opportunities to misconfigure SSH, and key management is often sloppy.
Paweł, I’m glad you liked the guides and appreciate you taking the time to watch several. Yes, SSH is a great technology but, like all technology, must be configured and used properly.
Great series! Hoping for more videos on remediating these individual risks presented in the end. Any idea when should we expect them?
Glad you liked the series. I’m trying to get back to making some more videos. Hopefully soon.
@PaulTurnerChannel Impatiently looking forward to it :-)
OP, this really helps to put SSH things, i.e. priorities, into a comprehensive set of rules. Thanks!
Eye opener
Thank you, Miriyala. I hope it was a good eye opener ;-)
Since an inventory of ssh keys and configs seems to be a good bang for the buck, can you go into how to do it practically?
Hi, Teo. Sorry for the slow reply. Doing an inventory requires a solution that will collect the information. There are several solutions on the market (Venafi, ssh.com, etc.). The ways they collect information include: 1) doing an unauthenticated discovery (which collects server public keys and config information available via the SSH protocol), 2) authenticated discovery (where a central server authenticates/connects to each SSH system and collects keys and config info into a central inventory), and 3) agent-based discovery (where a specialized agent is installed on each SSH system and collects keys/config info).
Please tell me if this helps or if you were looking for more information. There is more detailed information at csrc.nist.gov/publications/detail/nistir/7966/final.
It's a shame Paul doesn't have more subscribers. This channel has really helped me understand SSH.
Ryan, I'm really glad the channel has been helpful and appreciate you taking the time to comment on it. Thank you.
Great vid.... we need more
Hi Paul, great vid! I was just wondering though, how does a rogue public key enable a man in the middle attack?
Good question.
1) The user (client) attempts to connect to RealServer.
2) The attacker somehow redirects the client to their server (RogueServer), which returns its SSH public key. This redirection can be done via DNS poisoning or some other method.
3) The client trusts that public key and places it in its known_hosts file as the public key for RealServer (even though it is RogueServer's public key) and establishes an encrypted connection with RogueServer.
4) The client enters their username and password for RealServer into RogueServer.
5) RogueServer immediately establishes an SSH session with RealServer and, when prompted for username and password, sends the client's username and password.
6) So that the client doesn't suspect anything is wrong, RogueServer returns the RealServer responses to the client and sends all of the client's entries to RealServer.
7) The client then starts going about their work, including potentially entering sudo credentials or logging into other servers. RogueServer sees all of this in decrypted form.
As I believe I mentioned in the video, this is quite a sophisticated attack. Hope this helps.
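Two of the replies above describe things a practitioner can script: the key/config inventory Teo asked about (the agent-based or authenticated discovery flavours, which read files on the host), and the known_hosts trust decision in step 3 of the rogue-key walkthrough. The following standard-library Python script is an added example written for this page; it is not code from the video, the channel, or any vendor named in the thread. It parses an authorized_keys file into an inventory with OpenSSH-style SHA256 fingerprints and a few sample policy findings (the 2048-bit RSA threshold, the "no-restrictions" rule and the finding names are this example's assumptions), and it checks a presented host key against a known_hosts file, including hashed entries. The key blobs and the two files are constructed inline for the demo and are not real keys.

```python
import base64
import fnmatch
import hashlib
import hmac
import shlex
import struct

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def _ssh_string(data):
    """Encode an SSH wire 'string' (uint32 big-endian length + bytes)."""
    return struct.pack(">I", len(data)) + data


def _read_string(blob, off):
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n


def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint of a public key blob (unpadded base64)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def key_bits(blob):
    """Key size: RSA modulus bits, DSA p bits, curve size for ECDSA, 256 for Ed25519."""
    ktype, off = _read_string(blob, 0)
    ktype = ktype.decode()
    if ktype == "ssh-rsa":
        _e, off = _read_string(blob, off)      # public exponent, not needed for size
        n, _ = _read_string(blob, off)         # modulus as mpint (may carry a leading 0x00)
        return int.from_bytes(n, "big").bit_length()
    if ktype == "ssh-dss":
        p, _ = _read_string(blob, off)
        return int.from_bytes(p, "big").bit_length()
    if ktype.startswith("ecdsa-sha2-nistp"):
        return int(ktype[len("ecdsa-sha2-nistp"):])
    return 256 if ktype == "ssh-ed25519" else 0


def inventory_authorized_keys(text, min_rsa_bits=2048):
    """Parse authorized_keys text into inventory records with policy findings.
    The thresholds and finding names are this example's assumptions, not OpenSSH rules."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)             # keeps quoted options like command="a b" whole
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            continue                           # unsupported type or truncated line
        options, ktype, blob = " ".join(tokens[:idx]), tokens[idx], base64.b64decode(tokens[idx + 1])
        bits, findings = key_bits(blob), []
        if ktype == "ssh-dss":
            findings.append("weak-algorithm")
        if ktype == "ssh-rsa" and bits < min_rsa_bits:
            findings.append("short-rsa")
        if "from=" not in options and "command=" not in options:
            findings.append("no-restrictions")  # key usable from anywhere, for any command
        records.append({"type": ktype, "bits": bits, "fingerprint": fingerprint(blob),
                        "options": options, "comment": " ".join(tokens[idx + 2:]),
                        "findings": findings})
    return records


def hash_hostname(hostname, salt):
    """Build a hashed known_hosts host field: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(field, hostname):
    """Match a known_hosts host field (plain, comma list, wildcard, or hashed) against a name."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return any(fnmatch.fnmatchcase(hostname, pat) for pat in field.split(","))


def check_host_key(known_hosts_text, hostname, ktype, blob):
    """Return 'trusted', 'MISMATCH' or 'unknown' for the key a server just presented.
    'unknown' is the trust-on-first-use moment of step 3 above; a pinned RealServer key
    turns RogueServer's key into 'MISMATCH', which a strict client must refuse."""
    seen_type = False
    for raw in known_hosts_text.splitlines():
        parts = raw.split()
        if len(parts) < 3 or parts[0].startswith(("#", "@")):  # @cert-authority/@revoked skipped
            continue
        if parts[1] != ktype or not host_matches(parts[0], hostname):
            continue
        seen_type = True
        if hmac.compare_digest(base64.b64decode(parts[2]), blob):
            return "trusted"
    return "MISMATCH" if seen_type else "unknown"


# --- Constructed sample data: structurally valid blobs, NOT real keys ---
ED25519_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
ROGUE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32, 64)))
RSA1024_BLOB = _ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01") + _ssh_string(b"\x00" + b"\xff" * 128)
DSS_BLOB = _ssh_string(b"ssh-dss") + _ssh_string(b"\x00\x80" + b"\x00" * 127)
_b64 = lambda blob: base64.b64encode(blob).decode()
SALT = bytes(range(20))

SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample, not from any real system
ssh-ed25519 {_b64(ED25519_BLOB)} alice@laptop
from="10.0.0.0/8",command="/usr/bin/rrsync /backup",no-pty ssh-rsa {_b64(RSA1024_BLOB)} backup-job
ssh-dss {_b64(DSS_BLOB)} legacy-app
"""
SAMPLE_KNOWN_HOSTS = "\n".join([
    "realserver.example,192.0.2.10 ssh-ed25519 " + _b64(ED25519_BLOB),
    hash_hostname("10.0.0.5", SALT) + " ssh-rsa " + _b64(RSA1024_BLOB),
])

if __name__ == "__main__":
    for rec in inventory_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(rec)
    print(check_host_key(SAMPLE_KNOWN_HOSTS, "realserver.example", "ssh-ed25519", ROGUE_BLOB))
```

Run it as a script to see the inventory records and the `MISMATCH` verdict for RogueServer's key against the pinned RealServer entry. The `unknown` verdict is the moment the walkthrough's step 3 turns on: a client configured with `StrictHostKeyChecking yes` (or with host keys pre-distributed into known_hosts, or published via SSHFP/certificates) never reaches the point of silently accepting the rogue key.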
It was an excellent tutorial.
Thank you very much for your feedback, Luis!