sshdのお話 (A talk about sshd)


Transcript of sshdのお話 (A talk about sshd)

1. sshd (title slide). 2013/04/23 #ssmjp, @togakushi. Revised 2013/06/02: MaxStartups (p. 52). The deck has 69 slides; only the ASCII fragments of each slide survived extraction, so lost Japanese text is marked [...] below.

2. [...]

3. Scope: [...] 2 [...] OpenSSH-5.4 [...] 1 [...] Linux OpenSSH (most likely: SSH protocol 2, OpenSSH-5.4 or later, protocol 1 out of scope, portable OpenSSH on Linux; the surrounding text did not survive).

4. OpenSSH portable releases (version, release date):

       OpenSSH-4.1p1  2005/05/26       OpenSSH-5.2p1  2009/02/02
       OpenSSH-4.2p1  2005/09/01       OpenSSH-5.3p1  2009/10/01
       OpenSSH-4.3p2  2006/02/11       OpenSSH-5.4p1  2010/03/08
       OpenSSH-4.4p1  2006/09/27       OpenSSH-5.5p1  2010/04/16
       OpenSSH-4.5p1  2006/11/07       OpenSSH-5.6p1  2010/08/23
       OpenSSH-4.6p1  2007/03/08       OpenSSH-5.7p1  2011/01/24
       OpenSSH-4.7p1  2007/09/05       OpenSSH-5.8p2  2011/05/03
       OpenSSH-4.8p1  (no date given)  OpenSSH-5.9p1  2011/09/06
       OpenSSH-4.9p1  2008/03/31       OpenSSH-6.0p1  2012/04/22
       OpenSSH-5.0p1  2008/04/03       OpenSSH-6.1p1  2012/08/29
       OpenSSH-5.1p1  2008/07/21       OpenSSH-6.2p1  2013/03/22

5. Related slides. SSH: http://www.slideshare.net/tohakushi/ssh-13118950 and http://www.slideshare.net/tohakushi/ssh-15554045 ; ~/.ssh/config: https://docs.google.com/presentation/d/1TGaiAIKUAC2Y_hgN and https://docs.google.com/presentation/d/1Zdg6qe0eA_353zyLz (both Google Docs URLs are truncated in the transcript).

6. [...]

7. Files: /etc/ssh/sshd_config (sshd's configuration), /etc/ssh/sshrc, /etc/motd ([...]).

8. Commented-out lines in the shipped sshd_config state the default value, e.g.:

       # TCPKeepAlive yes

9. Time values take a unit suffix: seconds (s) / minutes (m) / hours (h) / days (d) / weeks (w). Tokens: %% (a literal %), %u (user name), %h (home directory).

10. Patterns for host names and IP addresses: * matches zero or more characters, ? matches exactly one, ! negates. 192.168.1.? matches 192.168.1.1 through 192.168.1.9; *.co.jp matches any name ending in .co.jp.

11. AuthorizedKeysFile / AuthorizedPrincipalsFile [...] or [...]

12. [...]

13. sshd can be run as an ordinary user for testing ([...] the sshd user / /var/empty [...]). The stock host keys /etc/ssh/ssh_host_{dsa,rsa,ecdsa}_key and /etc/ssh/ssh_host_key (protocol 1) are not readable by a normal user, so the configuration points sshd at a key of its own and turns off privilege separation, which needs root:

       # sshd_config
       UsePrivilegeSeparation no
       HostKey /path/to/key

14. Debugging: sshd -d (debug output; repeat up to 3 times for more detail; serves a single connection and does not fork), -f (alternate configuration file), -t (test the configuration), -D (do not detach into the background [...]), -e (log to stderr instead of syslog), -T (extended test: dump the effective configuration).

15. UsePrivilegeSeparation: the pre-authentication work runs in an unprivileged child instead of as root (OpenSSH-3.4 and later); the sandbox mode for that child arrived in OpenSSH-5.9.

16. MaxAuthTries: authentication attempts allowed per connection (default 6). Once exceeded, the client sees:

       Received disconnect from ...: 2: Too many authentication failures for <user>

17. "Too many authentication failures" with many keys loaded in the agent: name the method explicitly, e.g. ssh -oPreferredAuthentications=password, ...

18. ChallengeResponseAuthentication: on BSD backed by /etc/login.conf; on Linux keyboard-interactive goes through PAM.

19. PubkeyAuthentication [...]

20. AuthorizedKeysCommand (OpenSSH-6.2 and later); AuthorizedKeysCommandUser ([...]).

21. Keys kept in LDAP or a DB can be served through AuthorizedKeysCommand. AuthorizedKeysFile is consulted first [...]; AuthorizedKeysFile none leaves the command as the only source.

22. AuthenticationMethods (OpenSSH-6.2 and later): lists of methods that must all succeed, [...] 1 ([...]).
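An added example for slides 20 and 21 (my code, not from the talk): a minimal AuthorizedKeysCommand backend in Python. The DIRECTORY table stands in for the LDAP/DB lookup and its key blobs are dummies; the install path and the RESTRICTIONS options are assumptions. In OpenSSH 6.2 sshd calls the command with the login name as its only argument, expects zero or more authorized_keys-format lines on stdout, refuses to use a command that is not owned by root or is group/world writable, and runs it as AuthorizedKeysCommandUser.

```python
#!/usr/bin/env python3
"""Added example: a minimal AuthorizedKeysCommand backend (not from the talk).

Matching sshd_config (OpenSSH 6.2):
    AuthorizedKeysCommand     /usr/local/sbin/authkeys-lookup   # assumed path
    AuthorizedKeysCommandUser nobody
    AuthorizedKeysFile        none   # keys come from the command only

sshd runs the command with the login name as its only argument and reads
authorized_keys-format lines from stdout; a non-zero exit means "no keys".
"""
import re
import sys

# Constructed stand-in for the LDAP/DB lookup of slide 21.  The key blobs are
# dummies that merely look like base64; real entries hold full public keys.
DIRECTORY = {
    "alice": {
        "active": True,
        "keys": [
            "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDummyAlice1 alice@laptop",
            "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYdummyAlice2 alice@desk",
            "ssh-rsa",   # malformed record (no key blob): must not be emitted
        ],
    },
    "bob": {  # disabled account: publish nothing even though a key exists
        "active": False,
        "keys": ["ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDummyBob bob@old"],
    },
}

# Options prepended to every emitted line, same syntax as in authorized_keys.
RESTRICTIONS = "no-port-forwarding,no-X11-forwarding,no-agent-forwarding"

VALID_USER = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def keys_for(user, directory):
    """Return the authorized_keys lines to publish for `user` ([] if none)."""
    if not VALID_USER.match(user):      # never let odd names reach the backend
        return []
    entry = directory.get(user)
    if entry is None or not entry["active"]:
        return []
    lines = []
    for key in entry["keys"]:
        fields = key.split()
        # Emit only well-formed "<type> <base64> [comment]" records: a missing
        # blob or an unknown type is just noise that sshd would have to skip.
        if len(fields) < 2 or fields[0] not in KEY_TYPES:
            continue
        lines.append("%s %s" % (RESTRICTIONS, " ".join(fields)))
    return lines


def main(argv):
    if len(argv) != 2:
        sys.stderr.write("usage: %s <username>\n" % argv[0])
        return 2
    for line in keys_for(argv[1], DIRECTORY):
        print(line)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

With AuthorizedKeysFile none the command is the only key source, so a backend outage (non-zero exit, no output) locks users out instead of silently falling back; keep the lookup local or keep a break-glass key in a file for the admin account.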
23. Example: either of two method chains is acceptable (public key followed by a password, or public key followed by keyboard-interactive):

       AuthenticationMethods publickey,password publickey,keyboard-interactive

24. PermitRootLogin (root logins): yes / no / without-password / forced-commands-only (public keys carrying a command="..." option only).

25. ForceCommand (OpenSSH-4.4 and later) [...]; note .ssh/rc ([...]).

26. Typical Match uses: allow root only from the VPN (PermitRootLogin inside a Match block); sftp-only users with internal-sftp (Match plus ChrootDirectory).

27. Match (OpenSSH-4.4 and later): criteria User / Group / Host / Address / LocalAddress / LocalPort ([...]) ([...]).

28. Match example (1): password logins only from the LAN:

       PubkeyAuthentication yes
       PasswordAuthentication no
       Match Address 192.168.1.0/24
           PasswordAuthentication yes

29. Match example (2): sftp-only group sftponly:

       Subsystem sftp internal-sftp
       Match Group sftponly
           X11Forwarding no
           AllowTcpForwarding no
           ForceCommand internal-sftp

30. ChrootDirectory (OpenSSH-4.8 and later): chroot [...]; the directory and every component of its path must be owned by root ([...]).

31. Chroot (1): ([...]) device nodes the chrooted session needs (null, zero, urandom, tty) ([...]).

32. Use ldd to find the shared libraries the chrooted binaries need ([...] chroot):

       # find /opt/chroot -printf "%M %u %g %p\n"
       drwxr-xr-x root root /opt/chroot/lib64
       -rwxr-xr-x root root /opt/chroot/lib64/ld-linux-x86-64.so.2
       -rwxr-xr-x root root /opt/chroot/lib64/libdl.so.2
       -rwxr-xr-x root root /opt/chroot/lib64/libtinfo.so.5
       -rwxr-xr-x root root /opt/chroot/lib64/libc.so.6
       drwxr-xr-x root root /opt/chroot/bin
       -rwxr-xr-x root root /opt/chroot/bin/bash
       drwxr-xr-x root root /opt/chroot/dev
       crw-rw-rw- root root /opt/chroot/dev/tty
       crw-rw-rw- root root /opt/chroot/dev/null
       cr--r--r-- root root /opt/chroot/dev/urandom

33. Chroot (2): the sftponly group with a chroot:

       Subsystem sftp internal-sftp
       Match Group sftponly
           ChrootDirectory /sftp-top
           X11Forwarding no
           AllowTcpForwarding no
           ForceCommand internal-sftp

34. AllowTcpForwarding: TCP forwarding on or off; OpenSSH-6.2 adds the values remote and local.

35. TCP [...] (diagram not recovered).

36. PermitOpen restricts the destinations of local TCP forwarding (OpenSSH-4.4 and later): any / none / PermitOpen host:port / PermitOpen IPv4_addr:port / PermitOpen [IPv6_addr]:port

37. Turning forwarding off only helps if the user has no shell: a relay such as stone or nc does the same job ([...]); SELinux [...].

38. Ciphers (OpenSSH-6.2 default order):

       Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour

39. CBC plaintext disclosure (CPNI-957037): 32 bits of plaintext recoverable with probability 2^-18, 14 bits with probability 2^-14; OpenSSH-5.2 added countermeasures [...] CBC [...].

40. Banner [...] scp / sftp [...].
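Slides 27 to 29 and 33 show Match blocks but not how sshd combines them. As an added example (my code, not the talk's), the Python below parses a constructed sshd_config that merges those examples with a "root only from the VPN" block in the spirit of slide 26 (the 10.8.0.0/24 VPN range and the group names are assumptions) and resolves the options a given connection ends up with, following sshd_config(5): within the global section the first value of a keyword wins, a keyword set in a matching Match block overrides the global value, every criterion on one Match line must hold, and when several blocks match the first one that sets a keyword wins. Pattern lists follow slide 10 (*, ?, !); Address criteria are CIDR blocks.

```python
"""Added example (not from the talk): resolve the effective sshd options for a
connection from a config with Match blocks, the way sshd_config(5) specifies."""
import ipaddress
import re

# Constructed sshd_config: the Match examples of slides 28, 29 and 33 plus a
# "root only from the VPN" block (slide 26).  The VPN range 10.8.0.0/24 and
# the group names are assumptions made for this example.
SSHD_CONFIG = """
PubkeyAuthentication yes
PasswordAuthentication no
# the next line is ignored: the first value of a keyword wins
PasswordAuthentication yes
PermitRootLogin no
Subsystem sftp internal-sftp

Match Address 192.168.1.0/24
    PasswordAuthentication yes

Match Group sftponly
    ChrootDirectory /sftp-top
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp

Match User root Address 10.8.0.0/24
    PermitRootLogin without-password
"""


def glob_match(pattern, value):
    """sshd pattern (slide 10): '*' = any run of characters, '?' = one character."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, value) is not None


def match_list(value, patterns, addr=False):
    """Comma-separated list as sshd evaluates it: a matching '!'-entry vetoes
    the whole list, otherwise any matching positive entry is enough.
    Address lists are CIDR blocks (a bare address means that single host)."""
    positive = False
    for item in patterns.split(","):
        negate = item.startswith("!")
        item = item[1:] if negate else item
        if addr:
            hit = ipaddress.ip_address(value) in ipaddress.ip_network(item, strict=False)
        else:
            hit = glob_match(item, value)
        if hit and negate:
            return False
        positive = positive or hit
    return positive


def parse_sshd_config(text):
    """Return (global options, [(criteria, options), ...]); keywords are
    case-insensitive and, within a section, the first value of a keyword wins."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, val = line.partition(" ")
        key, val = key.lower(), val.strip()
        if key == "match":
            toks = val.split()
            crit = ({"all": ""} if val.lower() == "all" else
                    {k.lower(): v for k, v in zip(toks[::2], toks[1::2])})
            current = (crit, {})
            blocks.append(current)
        elif current is None:
            global_opts.setdefault(key, val)
        else:
            current[1].setdefault(key, val)
    return global_opts, blocks


def block_matches(crit, conn):
    """Every criterion on one Match line must hold (they are ANDed)."""
    checks = {
        "all": lambda pat: True,
        "user": lambda pat: match_list(conn["user"], pat),
        "group": lambda pat: any(match_list(g, pat) for g in conn["groups"]),
        "host": lambda pat: match_list(conn.get("host", ""), pat),
        "address": lambda pat: match_list(conn["addr"], pat, addr=True),
        "localaddress": lambda pat: match_list(conn.get("laddr", "0.0.0.0"), pat, addr=True),
        "localport": lambda pat: str(conn.get("lport", 22)) == pat,
    }
    for name, pat in crit.items():
        if name not in checks:
            raise ValueError("unsupported Match criterion: %s" % name)
        if not checks[name](pat):
            return False
    return True


def effective_options(cfg, conn):
    """Global options overlaid by every applicable Match block; when several
    blocks set the same keyword, the first matching block wins."""
    global_opts, blocks = cfg
    from_match = {}
    for crit, opts in blocks:
        if block_matches(crit, conn):
            for key, val in opts.items():
                from_match.setdefault(key, val)
    return {**global_opts, **from_match}


if __name__ == "__main__":
    cfg = parse_sshd_config(SSHD_CONFIG)
    conn = {"user": "dave", "groups": ["users", "sftponly"], "addr": "192.168.1.77"}
    print(effective_options(cfg, conn))
```

On a live host, sshd -T -C user=dave,host=client.example.com,addr=192.168.1.77 prints the effective configuration for such a connection; this script is only a model of the rules for reading configs offline and does not cover everything sshd accepts (the keyword=value form, the restrictions on which keywords may appear inside a Match block).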
41. PrintLastLog: show the last login (lastlog); suppressed by ~/.hushlogin.

42. PrintMotd: show /etc/motd ([...]); suppressed by ~/.hushlogin.

43. curl https://gist.github.com/shin1x1/5230392/raw/b27b4 > /etc/motd (URL truncated in the transcript)

44. UsePAM: with it on, ChallengeResponseAuthentication is handled through PAM and PasswordAuthentication is also checked through PAM [...].

45. pam_otpw: one-time passwords through PAM [...] ssh [...] PAM [...].

46. Certificate authentication (OpenSSH-5.4 and later) ([...]): a CA ([...]) signs user keys [...].

47. CA [...] (text not recovered).

48. (1/3) Create the CA key: ssh-keygen -f ca-key. On the server, list the CA public key in the AuthorizedKeysFile with the cert-authority option. Sign a user key: ssh-keygen -s ca-key -I keyid -V +30d id_rsa.pub (-V sets the validity interval [...]).

49. (2/3) The certificate lands in id_rsa-cert.pub; ssh -i id_rsa remotehost loads the matching -cert.pub automatically (ssh from OpenSSH-5.4 on); ssh-agent [...].

50. (3/3) Revocation: ssh-keygen -k filename <keys> [...]; point sshd at the result with RevokedKeys.

51. Inspecting a certificate:

       % ssh-keygen -L -f id_rsa-cert.pub
       id_rsa-cert.pub:
               Type: ssh-rsa-cert-v01@openssh.com user certificate
               Public key: RSA-CERT 13:33:cc:d8:31:83:...
               Signing CA: RSA ac:a6:ba:61:5a:fc:ff:92:...
               Key ID: "keyid"
               Serial: 0
               Valid: from 2013-04-22T00:44:00 to 2014-04-22T00:45:11
               Principals: (none)
               Critical Options: (none)
               Extensions:
                       permit-X11-forwarding
                       permit-agent-forwarding
                       permit-port-forwarding
                       permit-pty
                       permit-user-rc

52. MaxStartups: cap on concurrent unauthenticated connections to sshd. Three fields <start>:<rate>:<full>: below <start> pending connections nothing is refused; from <start> on, new connections are refused with probability <rate>%, rising linearly to 100% at <full>. A single number N means N:100:N. Default 10:100:10 (up to OpenSSH-6.1), 10:30:100 (OpenSSH-6.2 and later).

53. CVE-2010-5107: with the old default MaxStartups a remote DoS is trivial: hold the 10 slots open without authenticating (telnet to the port is enough [...]) and renew them before LoginGraceTime expires, and nobody else can log in.

54. Also: DenyUsers/AllowUsers/DenyGroups/AllowGroups ([...]), StrictModes, VersionAddendum.

55. [...]
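Slide 52 gives the three MaxStartups fields and slide 53 the denial of service they guard against. An added example (my code, not the talk's) that turns this into numbers: the percentage sshd uses to refuse a new unauthenticated connection, computed with the same integer arithmetic as drop_connection() in sshd.c, plus how many idle connections an attacker has to hold to reach a given refusal rate. Each held connection costs the attacker one TCP connection, renewed once per LoginGraceTime (120 s by default).

```python
"""Added example (not from the talk): what MaxStartups start:rate:full does to a
new unauthenticated connection, reproducing sshd's drop_connection() arithmetic."""
import random


def parse_max_startups(spec):
    """'start:rate:full' as sshd parses it; a lone number N means N:100:N."""
    parts = [int(p) for p in spec.split(":")]
    if len(parts) == 1:
        parts = [parts[0], 100, parts[0]]
    if len(parts) != 3:
        raise ValueError("MaxStartups wants N or start:rate:full")
    start, rate, full = parts
    if start < 1 or start > full or not 1 <= rate <= 100:
        raise ValueError("bad MaxStartups %r" % spec)
    return start, rate, full


def drop_probability(startups, start, rate, full):
    """Percent chance sshd refuses one more connection when `startups`
    unauthenticated connections already exist: 0 below start, `rate` at start,
    rising linearly (integer arithmetic, as in sshd.c) to 100 at full."""
    if startups < start:
        return 0
    if startups >= full:
        return 100
    return rate + (100 - rate) * (startups - start) // (full - start)


def should_drop(startups, spec, rng=random):
    """sshd's per-connection decision: a random 0..99 against the percentage."""
    start, rate, full = parse_max_startups(spec)
    return rng.randrange(100) < drop_probability(startups, start, rate, full)


def connections_to_reach(spec, target_pct):
    """Smallest number of idle connections an attacker must keep open so that
    at least `target_pct` percent of other people's logins are refused."""
    start, rate, full = parse_max_startups(spec)
    n = 0
    while drop_probability(n, start, rate, full) < target_pct:
        n += 1
    return n


def admitted_fraction(spec, held, trials=2000, seed=1):
    """Monte Carlo: share of legitimate attempts that get a slot while an
    attacker holds `held` connections inside LoginGraceTime (slide 53)."""
    rng = random.Random(seed)
    ok = sum(not should_drop(held, spec, rng) for _ in range(trials))
    return ok / trials


if __name__ == "__main__":
    for spec in ("10", "10:30:100"):      # pre-6.2 default and 6.2 default
        print(spec, "connections for a full lockout:", connections_to_reach(spec, 100),
              "admitted with 10 held: %.2f" % admitted_fraction(spec, 10))
```

With the old default (10, i.e. 10:100:10) ten idle connections are a complete lockout; with 10:30:100 the same ten connections refuse 30% of logins and a full lockout needs 100 of them. Lowering rate and raising full make the attack expensive, not impossible; a shorter LoginGraceTime is the other lever, since it sets how often the attacker has to reconnect.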
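Slides 48 to 51 give the ssh-keygen commands one at a time. The following added example (my code, not the talk's) runs the whole flow in a scratch directory through Python's subprocess: CA key, user key, signing with -I/-n/-V, the -L listing, then a KRL built with -k and checked with -Q. It needs an ssh-keygen that understands -k (OpenSSH 6.2 or later); the key file names, the principal alice and the server-side configuration lines in the comments are assumptions.

```python
"""Added example (not from the talk): the slide 48-50 certificate workflow run
end to end with ssh-keygen, including the revocation check."""
import os
import shutil
import subprocess
import tempfile


def keygen(workdir, *args):
    """Run ssh-keygen in workdir; raise on failure and return its stdout."""
    proc = subprocess.run(["ssh-keygen", *args], cwd=workdir, check=True,
                          capture_output=True, text=True)
    return proc.stdout


def issue_and_revoke(workdir, principal="alice", validity="+30d"):
    # (1/3) CA key pair.  The CA public key is what the server trusts, either as
    #   TrustedUserCAKeys /etc/ssh/ca-key.pub
    # or as a "cert-authority ssh-rsa AAAA..." line in the user's AuthorizedKeysFile.
    keygen(workdir, "-q", "-t", "rsa", "-b", "2048", "-N", "", "-f", "ca-key")
    # The user's own key pair (what the client will hold).
    keygen(workdir, "-q", "-t", "rsa", "-b", "2048", "-N", "", "-f", "id_rsa")
    # Sign it: -I key id (shows up in the auth log), -n principal (login name
    # the certificate is good for; without -n it is valid for any user),
    # -V validity window.  The output lands in id_rsa-cert.pub (slide 49).
    keygen(workdir, "-q", "-s", "ca-key", "-I", "keyid", "-n", principal,
           "-V", validity, "id_rsa.pub")
    listing = keygen(workdir, "-L", "-f", "id_rsa-cert.pub")      # slide 51
    # (3/3) Revoke the user key into a KRL (ssh-keygen -k, OpenSSH 6.2+) and
    # point sshd at it with:  RevokedKeys /etc/ssh/revoked_keys
    keygen(workdir, "-k", "-f", "revoked_keys", "id_rsa.pub")
    # -Q tests keys against the KRL: exit status 1 when a key is revoked.
    check = subprocess.run(["ssh-keygen", "-Q", "-f", "revoked_keys", "id_rsa.pub"],
                           cwd=workdir, capture_output=True, text=True)
    return {
        "cert_written": os.path.exists(os.path.join(workdir, "id_rsa-cert.pub")),
        "listing": listing,
        "revoked": check.returncode == 1,
    }


def demo():
    """Run the workflow in a scratch directory; None when ssh-keygen is absent."""
    if shutil.which("ssh-keygen") is None:
        return None
    workdir = tempfile.mkdtemp(prefix="sshcert-")
    try:
        return issue_and_revoke(workdir)
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    result = demo()
    print(result["listing"] if result else "ssh-keygen not found")
```

Revoking by public key, as here, needs no CA material; to revoke certificates by serial or key ID instead, generate the KRL with -s ca-key.pub and feed it serial: or id: lines, which is what makes issuing certificates with distinct serials worthwhile.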
56. RHEL/CentOS OpenSSH packages (as of 2013/04). Columns: OS version, OpenSSH source RPM, RHEL release date, n, CentOS release date, n (what the two n columns count did not survive the transcript; dates are as on the slide):

       OS   source RPM                         RHEL        n   CentOS      n
       5.0  openssh-4.3p2-16.el5.src.rpm       2007/03/14  34  2007/04/12  34
       5.1  openssh-4.3p2-24.el5.src.rpm       2007/11/07  38  2007/12/02  38
       5.2  openssh-4.3p2-26.el5.src.rpm       2008/05/21  39  2008/06/24  39
       5.3  openssh-4.3p2-29.el5.src.rpm       2009/01/20  45  2009/03/31  45
       5.4  openssh-4.3p2-36.el5.src.rpm       2009/09/02  49  2009/10/21  49
       5.5  openssh-4.3p2-41.el5.src.rpm       2010/03/30  51  2010/05/14  51
       5.6  openssh-4.3p2-72.el5.src.rpm       2011/01/12  56  2011/04/08  56
       5.7  openssh-4.3p2-72.el5_6.3.src.rpm   2011/07/21  57  2011/09/13  57
       5.8  openssh-4.3p2-82.el5.src.rpm       2012/02/21  63  2012/03/07  63
       5.9  openssh-4.3p2-82.el5.src.rpm       2013/01/08  63  2013/01/16  63
       6.0  openssh-5.3p1-20.el6.src.rpm       2010/11/10  31  2010/07/09  31
       6.1  openssh-5.3p1-52.el6.src.rpm       2011/05/19  42  2011/12/09  42
       6.2  openssh-5.3p1-70.el6.src.rpm       2011/12/06  45  2011/12/20  45
       6.3  openssh-5.3p1-81.el6.src.rpm       2012/06/20  51  2012/07/09  51
       6.4  openssh-5.3p1-84.1.el6.src.rpm     2013/02/21  53  2013/03/09  53

57. RHEL5 backport patches (minor release that added them): openssh-4.3p2-chroot.patch (5.4), openssh-4.3p2-forced.patch (5.4), openssh-4.3p2-biguid.patch (5.7).

58. RHEL6: openssh-5.3p1-sftp_umask.patch (6.1), openssh-5.3p1-biguid.patch (6.1), openssh-5.3p1-linux-oomkiller.patch (6.3), openssh-5.3p1-netcat-mode.patch (6.4).

59. Out Of Memory killer: sshd exempts itself from the Linux OOM killer by writing oom_adj -17 (OpenSSH-5.4 and later; /* kernels < 2.6.36 */, the comparison operator was lost in the transcript) and, on newer kernels, oom_score_adj -1000:

       openssh-server/src> grep -r oom_score_adj *
       openssh-5.7p1/openbsd-compat/port-linux.c: {"/proc/self/oom_score_adj", -1000}, /* kernels >= 2.6.36 */
       openssh-5.8p1/openbsd-compat/port-linux.c: {"/proc/self/oom_score_adj", -1000}, /* kernels >= 2.6.36 */
       openssh-5.9p1/openbsd-compat/port-linux.c: {"/proc/self/oom_score_adj", -1000}, /* kernels >= 2.6.36 */
       openssh-6.0p1/openbsd-compat/port-linux.c: {"/proc/self/oom_score_adj", -1000}, /* kernels >= 2.6.36 */
       openssh-6.1p1/openbsd-compat/port-linux.c: {"/proc/self/oom_score_adj", -1000}, /* kernels >= 2.6.36 */
       openssh-6.2p1/openbsd-compat/port-linux.c: {"/proc/self/oom_score_adj", -1000}, /* kernels >= 2.6.36 */
60. RHEL/CentOS: RHEL6.3 backports the same thing in openssh-5.3p1-linux-oomkiller.patch:

       rpm/rhel/6.3/openssh-5.3p1-linux-oomkiller.patch:+ {"/proc/self/oom_score_adj", -1000}, /* kernels >= 2.6.36 */
       ...
       + {"/proc/self/oom_adj", -17}, /* kernels < 2.6.36 */
       + {"/proc/self/oom_adj", -17}, /* kernels

   (the transcript ends here; slides 61 to 69 are not included)