Monday, February 29, 2016

Generate an ECDSA P521 SSH Host Key

Elliptic curve cryptography gives the same security as RSA or DSA with far smaller keys: a 256-bit curve is roughly equivalent to 3072-bit RSA, and a 521-bit curve to about 15360-bit RSA. Let's start by seeing what host key pairs already exist

$ ls /etc/ssh | grep ssh_host
ssh_host_dsa_key
ssh_host_dsa_key.pub
ssh_host_ecdsa_key
ssh_host_ecdsa_key.pub
ssh_host_ed25519_key
ssh_host_ed25519_key.pub
ssh_host_rsa_key
ssh_host_rsa_key.pub


There are already two elliptic curve key pairs: an ECDSA key and an Ed25519 key. Let's see which curve the ECDSA key uses

$ cut -d" " -f1 /etc/ssh/ssh_host_ecdsa_key.pub
ecdsa-sha2-nistp256


This means the key pair uses the ECDSA algorithm with a SHA-2 hash (SHA-256 for this curve) and the NIST P-256 curve. P-256 is not weak, but P-521 is the largest curve OpenSSH supports (signatures made with it use SHA-512), so let's use that. Start by generating a new key pair on the P-521 curve

# ssh-keygen -t ecdsa -b 521 -o -N "" -f /etc/ssh/ssh_host_ecdsa_p521_key


The -t option specifies the type of key to create. The -b option specifies the key size; for ECDSA it selects the curve and must be 256, 384 or 521, and 521 is the highest OpenSSH supports. The -o option saves the private key in the newer OpenSSH format; for passphrase-protected keys that format uses a slower key derivation that is more resistant to brute-force passphrase guessing, but it is not supported by versions of OpenSSH prior to 6.5, so the sshd that loads the key must be at least that new. The -N "" option sets an empty passphrase, which a host key needs because sshd has to read it at boot without anyone typing a passphrase. The -f option is the name and location for the new key pair. The name specified is for the private key; the corresponding public key is written to the same directory with a .pub suffix.

Now edit the SSH daemon configuration so it uses the new key. Before making any changes, back up the original configuration

# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak


Now let's take a look at the existing host keys that are configured

$ grep HostKey /etc/ssh/sshd_config
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key


You'll have to add an entry for the newly created key. If you like to keep your config files organized, use your text editor of choice to add it alongside the others; while you are there, consider dropping the ssh_host_dsa_key line, since ssh-dss keys are limited to 1024 bits and OpenSSH 7.0 stopped offering them by default. Otherwise, this appends a line for the new key at the bottom of the file

# echo HostKey /etc/ssh/ssh_host_ecdsa_p521_key >> /etc/ssh/sshd_config


A syntax error in sshd_config leaves the daemon unable to start, so validate the file first (sshd -t reports parse errors) and keep your current session open until a fresh login succeeds. Then restart the SSH daemon to make the changes take effect

# /etc/init.d/ssh restart


Your OpenSSH server now offers the new key pair. Two things to keep in mind: clients that already have the P-256 key in their known_hosts will keep negotiating that key, because OpenSSH clients prefer host key algorithms they already hold a key for, so the old key stays in use until you remove its HostKey line. New clients may be shown the P-521 key instead, so record its fingerprint with ssh-keygen -lf and publish it wherever you distribute host key fingerprints.
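The procedure above as a set of shell functions, added here as an example and not part of the original post. Paths are parameters rather than hard-coded, so the key listing and config edit can be tried against a scratch directory before touching /etc/ssh; the function names and the /usr/sbin/sshd path are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: the P-521 host key procedure as
# idempotent shell functions. Run the real thing as root on /etc/ssh paths.
set -eu

# Print "<file> <algorithm>" for every host public key in a directory. The
# algorithm is the first field of the .pub file, e.g. ecdsa-sha2-nistp256.
list_host_key_algos() {
    dir=$1
    for pub in "$dir"/ssh_host_*_key.pub; do
        [ -f "$pub" ] || continue
        printf '%s %s\n' "$(basename "$pub")" "$(cut -d' ' -f1 "$pub")"
    done
}

# Generate a P-521 ECDSA key pair with an empty passphrase (sshd must read the
# private key without interaction), never overwriting an existing key.
generate_p521_host_key() {
    key=$1
    if [ -e "$key" ]; then
        echo "$key already exists, refusing to overwrite" >&2
        return 1
    fi
    ssh-keygen -q -t ecdsa -b 521 -o -N '' -f "$key"
    chmod 600 "$key"
    chmod 644 "$key.pub"
}

# Append "HostKey <path>" to a config file unless an equivalent, uncommented
# line is already present (whitespace-insensitive, so running twice adds nothing).
add_hostkey_line() {
    cfg=$1
    key=$2
    if awk -v k="$key" '$1 == "HostKey" && $2 == k { f = 1 } END { exit !f }' "$cfg"; then
        return 0
    fi
    printf 'HostKey %s\n' "$key" >> "$cfg"
}

# Number of active (uncommented) HostKey directives in a config file.
count_hostkey_lines() {
    grep -cE '^[[:space:]]*HostKey[[:space:]]' "$1" || true
}

# Refuse to restart sshd if the edited config does not parse: a failed restart
# would lock out every remote session.
validate_and_restart() {
    cfg=$1
    if /usr/sbin/sshd -t -f "$cfg"; then
        /etc/init.d/ssh restart
    else
        echo "sshd rejected $cfg, not restarting" >&2
        return 1
    fi
}

# Usage, as root, on the real paths:
#   generate_p521_host_key /etc/ssh/ssh_host_ecdsa_p521_key
#   add_hostkey_line /etc/ssh/sshd_config /etc/ssh/ssh_host_ecdsa_p521_key
#   validate_and_restart /etc/ssh/sshd_config
```

The membership check in add_hostkey_line uses awk field matching rather than a fixed-string grep so that a line written as "HostKey<tab>/path" counts as already present, and the commented "# HostKeys for protocol version 2" header is never mistaken for a directive.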

Monday, February 22, 2016

Grant Sudo Permissions in Linux

To grant sudo powers to a user account on a Debian-based system, add it to the sudo group; the stock /etc/sudoers gives that group full privileges with the line %sudo ALL=(ALL:ALL) ALL. Use the usermod command

# usermod -a -G sudo <username>


The -a flag appends the user to the listed groups instead of replacing the supplementary group list; without it, -G sudo would also remove the user from every other supplementary group. The -G flag specifies which group the user should be added to, in this case the sudo group.

Alternatively, the adduser command can be used to accomplish the same objective

# adduser <username> sudo


This will add the specified user to the specified group. Either way, the new membership only applies to sessions started after the change: the user has to log out and back in, and can then confirm it with id or sudo -l.

To remove a user from the sudo group, run the deluser command

# deluser <username> sudo


It should be noted that only root has permission to manage the sudo group, so these commands will have to be run either by a user who already has sudo powers, or by the root user.
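Added example, not from the original post: the grant and revoke commands above wrapped so that each one is followed by a check of the group database, instead of trusting the command's silence. The function names are this example's own; user_in_group reads a group file in /etc/group format (the default path, or a file passed as the third argument for testing) and only looks at supplementary membership, which is all the sudo group uses.

```shell
#!/bin/sh
# Added example, not from the original post: grant or revoke sudo-group
# membership and verify the result against the group database.
set -eu

# Is user $1 listed as a member of group $2 in the group file $3 (default
# /etc/group)? Lines look like "sudo:x:27:alice,bob". Primary-group membership
# from /etc/passwd is deliberately ignored; the sudo group never is one.
user_in_group() {
    user=$1 group=$2 db=${3:-/etc/group}
    awk -F: -v g="$group" -v u="$user" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit !found }' "$db"
}

# -a appends to the supplementary groups; without it -G would replace them.
# Fails if the membership is not visible afterwards.
grant_sudo() {
    usermod -a -G sudo "$1"
    user_in_group "$1" sudo
}

# Remove the user from the sudo group and fail if it is still listed.
revoke_sudo() {
    deluser "$1" sudo
    ! user_in_group "$1" sudo
}

# Usage (as root): grant_sudo alice ; revoke_sudo alice
# The user must start a new login session before the change is reflected
# in their own `id` output and in what sudo will allow.
```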

Friday, February 12, 2016

Set a Static IP Address in Debian Based Linux

Out of the box, most systems are configured to use DHCP to obtain an IP address automatically. For laptops and desktops this is usually fine. For servers, or any system that accepts incoming connections, a static IP address keeps the address that clients, firewall rules and DNS records point at from changing. These instructions should apply to any Debian based Linux distribution, including Ubuntu, Mint, Kali, etc.

The networking configuration is located at
/etc/network/interfaces


Let's look at the default contents of the file
$ cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eth0
iface eth0 inet dhcp


Before changing the default configuration, make a copy just in case something gets messed up
$ sudo cp /etc/network/interfaces /etc/network/interfaces.bak


The part of the file that matters is the last line. I like to leave the old content there, commented out. The last line of the file looked like this
iface eth0 inet dhcp


Now update that line and add the address details below it, so that it looks like this
#iface eth0 inet dhcp
iface eth0 inet static
       address 192.168.1.5
       gateway 192.168.1.1
       netmask 255.255.255.0
       network 192.168.1.0
       broadcast 192.168.1.255


You'll have to update those values based on your network setup. The gateway must be on the same subnet as the address, and if you include the network and broadcast lines they must agree with the address and netmask. The allow-hotplug line can stay as it is; it only controls when the interface is brought up, not how it is addressed. If you are editing over SSH, the connection will drop when the address changes, so have console access available. Now restart the networking service so the new settings take effect
$ sudo /etc/init.d/networking restart


Verify the new configuration using ifconfig (or ip addr show eth0 on systems without net-tools)
$ /sbin/ifconfig eth0
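Added example, not from the original post: the network and broadcast values in the stanza above were typed by hand, which is where mismatches creep in. These shell functions derive them from the address and netmask, refuse a gateway that is not on the resulting subnet, and convert the DHCP line of an interfaces file into the static stanza the way the post does (old line commented out, new block appended). Function names and the four-space indent are this example's own; it works on any file path, so try it on a copy first.

```shell
#!/bin/sh
# Added example, not from the original post: compute network/broadcast from
# address and netmask, and rewrite an ifupdown DHCP stanza as a static one.
set -eu

# Dotted-quad to 32-bit integer.
ip_to_int() {
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

# 32-bit integer back to dotted-quad.
int_to_ip() {
    n=$1
    echo "$(( (n >> 24) & 255 )).$(( (n >> 16) & 255 )).$(( (n >> 8) & 255 )).$(( n & 255 ))"
}

# network = address AND mask
network_of() {
    ai=$(ip_to_int "$1") mi=$(ip_to_int "$2")
    int_to_ip $(( ai & mi ))
}

# broadcast = network OR (NOT mask), masked to 32 bits
broadcast_of() {
    ai=$(ip_to_int "$1") mi=$(ip_to_int "$2")
    int_to_ip $(( (ai & mi) | (~mi & 4294967295) ))
}

# Print an "iface ... inet static" stanza for interface $1 with address $2,
# gateway $3 and netmask $4. Fails if the gateway is outside the subnet,
# which would leave the host without a usable default route.
static_stanza() {
    iface=$1 addr=$2 gw=$3 mask=$4
    if [ "$(network_of "$gw" "$mask")" != "$(network_of "$addr" "$mask")" ]; then
        echo "gateway $gw is not on the $addr/$mask network" >&2
        return 1
    fi
    printf 'iface %s inet static\n' "$iface"
    printf '    address %s\n' "$addr"
    printf '    gateway %s\n' "$gw"
    printf '    netmask %s\n' "$mask"
    printf '    network %s\n' "$(network_of "$addr" "$mask")"
    printf '    broadcast %s\n' "$(broadcast_of "$addr" "$mask")"
}

# Comment out "iface <iface> inet dhcp" in file $1 and append the static
# stanza. Writes to a temp file and renames, so a failed stanza leaves the
# original untouched. Make your .bak copy before calling this.
make_static() {
    file=$1 iface=$2 addr=$3 gw=$4 mask=$5
    sed "s|^iface $iface inet dhcp\$|#&|" "$file" > "$file.tmp"
    static_stanza "$iface" "$addr" "$gw" "$mask" >> "$file.tmp"
    mv "$file.tmp" "$file"
}

# Usage, after the backup step from the post:
#   make_static /etc/network/interfaces eth0 192.168.1.5 192.168.1.1 255.255.255.0
#   /etc/init.d/networking restart
```

The gateway check is the part worth keeping even if you edit the file by hand: a typo that puts the gateway on a different subnet is accepted silently by ifupdown and only shows up as a host that can reach its own LAN and nothing else.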