Sometimes one has to access old and legacy devices. They may not support the current ciphers and key algorithms, so we have to modify the “.ssh/config” file or provide some additional CLI arguments.
If you have to do this regularly, you may want to extend the current parameters with the legacy ones like this:
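An added example (not from the original post) of keeping such legacy parameters scoped to a single Host block instead of enabling them for every connection. The algorithm names are real OpenSSH identifiers; the alias, address and config path are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: confine legacy algorithms to one
# Host block so all other connections keep OpenSSH's modern defaults.
# Algorithm names are real OpenSSH identifiers; "legacy-sw", the address and
# the config path are placeholders.

# Append a Host block for $2 (alias) -> $3 (address) to the ssh_config in $1.
# The leading "+" adds to OpenSSH's default list rather than replacing it, so
# modern algorithms are still offered first; "=" would replace the whole list.
# Older clients (before OpenSSH 8.5) call the third option PubkeyAcceptedKeyTypes.
add_legacy_host() {
    cfg=$1; name=$2; addr=$3
    cat >> "$cfg" << EOF

Host $name
    HostName $addr
    KexAlgorithms +diffie-hellman-group14-sha1
    HostKeyAlgorithms +ssh-rsa
    PubkeyAcceptedAlgorithms +ssh-rsa
    Ciphers +aes128-cbc
EOF
}

# The same settings as one-off CLI arguments, for a device you rarely touch.
legacy_cli_args() {
    printf '%s\n' "-o KexAlgorithms=+diffie-hellman-group14-sha1" \
                  "-o HostKeyAlgorithms=+ssh-rsa" \
                  "-o PubkeyAcceptedAlgorithms=+ssh-rsa" \
                  "-o Ciphers=+aes128-cbc"
}

# Print what the client will really negotiate for an alias: "ssh -G" dumps the
# effective configuration without connecting. Returns 1 if ssh is missing.
show_effective() {
    command -v ssh > /dev/null || return 1
    ssh -F "$1" -G "$2" | grep -Ei '^(kexalgorithms|hostkeyalgorithms|ciphers) '
}

# Audit helper: count Host blocks carrying a "+" algorithm override, so the
# legacy exceptions in a config can be reviewed and retired later.
count_legacy_overrides() {
    awk '/^Host /{h=$2; seen[h]=0}
         /^[[:space:]]*(KexAlgorithms|HostKeyAlgorithms|Ciphers) [+]/{seen[h]=1}
         END{n=0; for (k in seen) n+=seen[k]; print n}' "$1"
}
```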
# add go
pkg_add go
# add user 'sshchat'
adduser
# switch user
su - sshchat
ftp https://github.com/shazow/ssh-chat/archive/v1.10.tar.gz
tar zxf v1.10.tar.gz
cd ssh-chat-1.10/
make build
# back to root
exit
cp /home/sshchat/ssh-chat-1.10/ssh-chat /usr/local/bin/
Do you want to log in to your Cisco switches with SSH and a public key? You can build your config easily and copy/paste it to your switch(es).
Set & Check Variables
pubkey: read from ~/.ssh/id_rsa.pub
username: root
password: will be generated, or set it by hand
# get & convert public key
pubkey=$(cat ~/.ssh/id_rsa.pub | cut -d' ' -f 2 | fold -b -w 72)
# Username Switch
username=root
# Password for User
password=$(openssl rand -hex 12)
# Full Line
echo "username $username privilege 15 password $password"
SSH Pubkey Auth Config Snippet
# Build Config
cat << EOF
############################################
# Copy/Paste to your Cisco Devices - START #
############################################
conf t
# Set Version
ip ssh version 2
no aaa new-model
# Set User
username $username privilege 15 password $password
# Set Key
ip ssh pubkey-chain
username $username
key-string
$pubkey
exit
exit
exit
# vty Stuff
line vty 0 15
login local
transport input ssh
end
write
exit
############################################
# Copy/Paste to your Cisco Devices - END #
############################################
EOF
You should test it in a lab environment before running it on productive switches ;)
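An added example, not the post's own script: the same snippet built by a function that refuses non-RSA keys and empty passwords, plus the MD5 fingerprint that IOS stores in the running config as "key-hash ssh-rsa <hex>", so the paste can be verified afterwards with "show run | include key-hash". Paths and the user name are placeholders.

```shell
#!/bin/sh
# Added example, not the post's script: build the pubkey-chain snippet with two
# sanity checks and compute the fingerprint IOS shows as "key-hash ssh-rsa".
# Paths and the user name are placeholders.

# Emit the config for $1 (pubkey file), $2 (user), $3 (password).
# Classic IOS pubkey-chain accepts RSA keys; whether your platform takes other
# key types is an assumption to verify, so anything else is refused here.
cisco_pubkey_snippet() {
    keyfile=$1; user=$2; pass=$3
    ktype=$(cut -d' ' -f1 "$keyfile")
    [ "$ktype" = "ssh-rsa" ] || { echo "need an ssh-rsa key, got: $ktype" >&2; return 1; }
    [ -n "$pass" ] || { echo "refusing an empty password" >&2; return 1; }
    blob=$(cut -d' ' -f2 "$keyfile" | fold -b -w 72)   # 72-column lines as in the post
    # "password" stores the value reversibly on IOS; "secret" would store a hash.
    cat << EOF
conf t
ip ssh version 2
username $user privilege 15 password $pass
ip ssh pubkey-chain
username $user
key-string
$blob
exit
exit
exit
line vty 0 15
login local
transport input ssh
end
EOF
}

# Fingerprint in the form IOS displays it (needs ssh-keygen): 32 hex chars, no colons.
cisco_key_hash() {
    ssh-keygen -E md5 -lf "$1" | awk '{print $2}' | sed 's/^MD5://; s/://g'
}

# Length of the longest line on stdin, to confirm the fold stayed at 72 columns.
max_line_len() {
    awk '{ if (length($0) > m) m = length($0) } END { print m + 0 }'
}
```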
In SSH, the LogLevel option allows you to control the level of logging information generated by the SSH client and server.
There are several log levels you can use to adjust the verbosity of SSH logging. Here are the most commonly used log levels:
QUIET: Suppresses all log messages except fatal errors; it provides the least information.
FATAL: Logs only fatal errors, i.e. severe issues that may prevent the SSH session from being established.
ERROR: Logs error messages: issues that might cause problems but don't necessarily prevent the session from being established.
INFO: Logs informational messages such as connection status and key exchange details. This is the default log level.
VERBOSE: Provides more detailed logging than INFO, including additional debugging information.
DEBUG: Generates detailed debugging messages. This level is useful when diagnosing connection and authentication issues.
DEBUG1, DEBUG2, DEBUG3: Provide even more verbose debugging output (DEBUG1 is equivalent to DEBUG), with DEBUG3 being the most detailed.
If you need multiple SSH keys with passphrases for educational purposes, you can generate them as follows. The passphrase is stored in the comment of the corresponding public key.
cd /tmp
chmod +x /tmp/ssh-key-generator.sh
./ssh-key-generator.sh; ls -la /tmp/id*
A few test runs:
user@host /tmp$ ./ssh-key-generator.sh; ls -la id_ed25519-*
Generating public/private ed25519 key pair.
Your identification has been saved in /tmp/id_ed25519
Your public key has been saved in /tmp/id_ed25519.pub
The key fingerprint is:
SHA256:IdJGeVPDOMrk9BidtIKrIzFBn8vNgjHVT8/sdSA9hik user@host
The key's randomart image is:
+--[ED25519 256]--+
| . .. .+.=* |
|. o .==EB=.* |
|.o oo=B*Boo o |
| .= ++=+.= . . |
|o. +.o S . . |
| o .. . |
|. o |
| . . |
| |
+----[SHA256]-----+
Old comment: user@host
Comment 'Password: S4seK144' applied
Key has comment 'Password: S4seK144'
Your identification has been saved with the new passphrase.
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMKxvcjpd8DvAfdO0nZ34uCxalQHgN0XUSRxS4seK144 Password: S4seK144
Identity added: /tmp/id_ed25519-K144 (Password: S4seK144)
-rw------- 1 user wheel 464 Jan 25 22:36 id_ed25519-Bhxt
-rw-r--r-- 1 user wheel 100 Jan 25 22:36 id_ed25519-Bhxt.pub
-rw------- 1 user wheel 464 Jan 25 22:30 id_ed25519-GCow
-rw-r--r-- 1 user wheel 100 Jan 25 22:30 id_ed25519-GCow.pub
-rw------- 1 user wheel 464 Jan 25 22:36 id_ed25519-K144
-rw-r--r-- 1 user wheel 100 Jan 25 22:36 id_ed25519-K144.pub
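The listing above implies how the generator (whose source is not shown) names the files and picks the passphrase: the file suffix is the last four characters of the public key and the passphrase its last eight (id_ed25519-K144, "Password: S4seK144"). This added script reproduces that behaviour; it is not the post's ssh-key-generator.sh, and the directory is a placeholder.

```shell
#!/bin/sh
# Added example reconstructing the behaviour visible in the output above; it is
# not the post's ssh-key-generator.sh. Assumption: passphrase = last 8 base64
# characters of the public key, file suffix = last 4. Directory is a placeholder.

# Pure helpers working on one public-key line, so they can be checked without
# ssh-keygen. cut appends a newline, which tr removes before tail -c counts.
key_blob()   { printf '%s\n' "$1" | cut -d' ' -f2 | tr -d '\n'; }
key_suffix() { key_blob "$1" | tail -c 4; }
key_pass()   { key_blob "$1" | tail -c 8; }

# Generate one ed25519 key in $1 (directory) and register it with the agent.
# The steps mirror the output above: keygen, comment, passphrase, rename, ssh-add.
gen_key() {
    dir=$1; base=$dir/id_ed25519
    ssh-keygen -t ed25519 -N '' -f "$base"
    pub=$(cat "$base.pub")
    pw=$(key_pass "$pub"); sfx=$(key_suffix "$pub")
    # comment first ("Old comment" / "applied" lines), then the passphrase
    ssh-keygen -c -C "Password: $pw" -f "$base"
    ssh-keygen -p -P '' -N "$pw" -f "$base"
    mv "$base" "$base-$sfx"; mv "$base.pub" "$base-$sfx.pub"
    cat "$base-$sfx.pub"
    # ssh-add prompts for the passphrase, as in the "Identity added" line above
    ssh-add "$base-$sfx"
}
```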
pkg_add yubikey-manager-3.1.2p4
quirks-6.42 signed on 2023-01-08T01:39:04Z
yubikey-manager-3.1.2p4:py3-click-7.1.2: ok
yubikey-manager-3.1.2p4:py3-pyusb-1.0.2p5: ok
yubikey-manager-3.1.2p4:pcsc-lite-1.9.8: ok
yubikey-manager-3.1.2p4:py3-cparser-2.19p2: ok
yubikey-manager-3.1.2p4:py3-cffi-1.15.1: ok
yubikey-manager-3.1.2p4:py3-cryptography-38.0.0p0: ok
yubikey-manager-3.1.2p4:py3-pyscard-2.0.3: ok
yubikey-manager-3.1.2p4:py3-openssl-22.0.0: ok
yubikey-manager-3.1.2p4:libyubikey-1.13p4: ok
yubikey-manager-3.1.2p4:json-c-0.16: ok
yubikey-manager-3.1.2p4:ykpers-1.20.0p2: ok
yubikey-manager-3.1.2p4: ok
The following new rcscripts were installed: /etc/rc.d/pcscd
See rcctl(8) for details.
--- +yubikey-manager-3.1.2p4 -------------------
NOTE: yubikey-manager (ykman) is only partially functional on OpenBSD.
Most of the "ykman fido xxx" commands (pin-setting and others) stall.
PC/SC Smart Card Daemon
rcctl enable pcscd
rcctl start pcscd
Attach Key
You have to attach your YubiKey via USB port …
… and ask dmesg about the latest news ;)