Removing passwords from SSH keys and converting .ppk to .pem

SSH keys are a great thing. They improve security (provided that password authentication is disabled on the server) and they save you the drudgery of typing a password each time you connect. With a little tweaking of the ~/.ssh/config file, you can connect to a server just by typing "ssh", a space, the first few letters of the host alias and the Tab key. That's only a few keystrokes and it's really fast. Furthermore, if you want to run any sort of automated job over SSH (scp, Ansible and so on), you pretty much have to have a passphrase-less key, or at least a key that an ssh-agent has already unlocked.

The first thing that irks me is getting a passphrase-protected private key from a client. Most of the time it was generated in cPanel (ugh!), where keys must have a passphrase. This sounds like a good idea at first, but it's really just an annoyance. cPanel generates longish random passphrases that you cannot remember, so you have to write them down, either in a password manager or in plaintext (bad idea). If someone has compromised your PC, or intercepted the email the key arrived in, they get the passphrase along with the key, so in that setup it offers little real protection. (To be fair, a passphrase does protect a key file that is copied on its own, say from a stolen laptop or an old backup, as long as the passphrase is not stored next to it; the cost is typing it at every login, or loading the key into ssh-agent once per session.) I keep SSH keys on encrypted storage which is protected by a strong password and an external key, so that's reasonably secure.

Fortunately, it's easy to remove the passphrase; it's just one simple command (-p changes the passphrase in place and -N '' sets the new one to empty; leave out -P to be prompted for the old passphrase instead of putting it on the command line, where it lands in your shell history and is visible to other users in ps output):

ssh-keygen -p -P 'old-pass' -N '' -f <key_filename>

Another annoying thing is getting a .ppk key. .ppk is the key format used by PuTTY, a little program that is great for connecting to an SSH server when you are condemned to use Windows; compared to any terminal emulator on any Linux distro, PuTTY is ugly and awkward. Fortunately, a .ppk key can be converted to a key OpenSSH understands with one simple command (provided you have the putty-tools package installed, which ships the puttygen command line tool). If the .ppk itself has a passphrase, puttygen asks for it; run the ssh-keygen command above on the result if you want it gone. Do a chmod 600 on the converted file afterwards, or ssh will refuse to use it:

puttygen key.ppk -O private-openssh -o key.pem
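As an added example (my own, not part of the original post), here is a small POSIX shell function that tells you which of the key formats a file is in and whether it still carries a passphrase, which is the check I want an automation job to run before it tries to use a key non-interactively. It inspects headers only: a .ppk file states its cipher in an Encryption: line, a legacy PEM key carries Proc-Type: 4,ENCRYPTED when encrypted, and the newer OpenSSH format names its KDF (bcrypt when a passphrase is set, none otherwise) at the start of the base64 body. The sample files it writes are constructed headers, not usable keys.

```shell
#!/bin/sh
# Added example, not from the original post: classify an SSH private key file
# by format and report whether it is passphrase-protected, using nothing
# beyond sed, grep and base64. Prints one of:
#   putty-encrypted putty-plain openssh-encrypted openssh-plain unknown
key_kind() {
  f="$1"
  first=$(head -n 1 "$f")
  case "$first" in
    PuTTY-User-Key-File-*)
      # .ppk: the cipher is a cleartext header; "none" means no passphrase
      if grep -q '^Encryption: none$' "$f"; then echo putty-plain; else echo putty-encrypted; fi
      ;;
    '-----BEGIN OPENSSH PRIVATE KEY-----')
      # new OpenSSH format: the decoded body starts with "openssh-key-v1",
      # then the cipher name and the KDF name ("bcrypt" or "none")
      if sed '/^-----/d' "$f" | tr -d '\n' | base64 -d 2>/dev/null | grep -aq bcrypt; then
        echo openssh-encrypted
      else
        echo openssh-plain
      fi
      ;;
    '-----BEGIN RSA PRIVATE KEY-----'|'-----BEGIN EC PRIVATE KEY-----'|'-----BEGIN DSA PRIVATE KEY-----')
      # legacy PEM format: an encrypted key carries a Proc-Type header
      if grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then echo openssh-encrypted; else echo openssh-plain; fi
      ;;
    *) echo unknown ;;
  esac
}

# Write constructed sample files (headers only, not usable keys) into DIR.
write_samples() {
  dir="$1"
  printf 'PuTTY-User-Key-File-2: ssh-rsa\nEncryption: aes256-cbc\nComment: constructed\n' > "$dir/enc.ppk"
  printf 'PuTTY-User-Key-File-2: ssh-rsa\nEncryption: none\nComment: constructed\n' > "$dir/plain.ppk"
  {
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----'
    printf 'openssh-key-v1\000aes256-ctr\000bcrypt\000' | base64
    printf '%s\n' '-----END OPENSSH PRIVATE KEY-----'
  } > "$dir/enc_openssh"
  {
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----'
    printf 'openssh-key-v1\000none\000none\000' | base64
    printf '%s\n' '-----END OPENSSH PRIVATE KEY-----'
  } > "$dir/plain_openssh"
  {
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----'
    printf '%s\n' 'Proc-Type: 4,ENCRYPTED'
    printf '%s\n' 'DEK-Info: AES-128-CBC,00000000000000000000000000000000'
    printf '%s\n' '-----END RSA PRIVATE KEY-----'
  } > "$dir/enc_pem"
  {
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----'
    printf '%s\n' 'MIIBOgIBAAJBAK'
    printf '%s\n' '-----END RSA PRIVATE KEY-----'
  } > "$dir/plain_pem"
}

# Demo: classify every sample; a real job would refuse anything but *-plain.
tmp=$(mktemp -d)
write_samples "$tmp"
for k in "$tmp"/*; do
  printf '%-14s %s\n' "$(basename "$k")" "$(key_kind "$k")"
done
rm -rf "$tmp"
```

On a real key, `key_kind ~/.ssh/id_rsa` is enough; the sample writer exists only so the demo runs without touching any genuine key material.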


Simple automated backup solution

There are many tools today that can be used to back up your data. Most of them come with shiny eye-candy GUIs and with a few clicks you can synchronize your data to Dropbox, Google Drive or wherever you want. So, why not use one of them and end this blog post right here? First of all, these solutions are boring; then there is the problem of handing your data to third parties (call me crazy, but I'm never going to upload private SSH keys to Google); and finally I wanted daily snapshots. So, I wrote a small shell script that does the job.

#!/bin/bash

## Automated backup script
##
## Uploads the backed-up archive to the server, runs daily
##
## Author Milos Milutinovic
## 2017-02-07

# stop at the first failed step, so a half-built archive is never uploaded
set -euo pipefail

#put all backup dirs here
bkp_start_dir='/home/milos/tmp/bkp'
bkp_sec_dir='/home/milos/secure/tmp/bkp'

#daily archive name, YYYY-MM-DD
today=$(date +"%Y-%m-%d")

cd "$bkp_start_dir"

#create archives into this dir
tar -cjf ssh.tar.bz2 /home/milos/.ssh

#encrypt SSH archive (symmetric; the passphrase file must be mode 0600)
rm -f ssh.tar.bz2.gpg #remove old
gpg --passphrase-file /home/milos/secure/keys/gpg.key --simple-sk-checksum --batch -c ssh.tar.bz2
rm -f ssh.tar.bz2 #plaintext archive is no longer needed

# secure
cd "$bkp_sec_dir"
rm -f sec.tar.bz2.gpg #remove old
tar -cjf sec.tar.bz2 /home/milos/secure
gpg --passphrase-file /home/milos/secure/keys/gpg2.key --simple-sk-checksum --batch -c sec.tar.bz2
rm -f sec.tar.bz2

cd "$bkp_start_dir"

#create one daily archive (the two .gpg files inside it are already compressed and encrypted)
tar -cjf "$today.tar.bz2" ssh.tar.bz2.gpg /home/milos/scripts /home/milos/Documents/AC /home/milos/secure/tmp/bkp/sec.tar.bz2.gpg /home/milos/Documents/db1/code

#scp to the server, with a dedicated passphrase-less key for the backup user
scp -p -i /home/milos/secure/keys/bkpuser "$today.tar.bz2" bkpuser@miloske.tk:/path/to/folder/

Let me explain it. The first interesting bit is the today= line: this is how the archive name is generated, in the format YYYY-MM-DD. Then I archive my ~/.ssh folder and encrypt it with gpg, using symmetric encryption with a passphrase file stored in a secure location. That file has to be readable only by my user (chmod 600), because anyone who can read it can decrypt the backups. I have to remove the encrypted archive from the previous day, and after encrypting, I remove the plaintext one.

I then do a similar thing with another location I want to back up securely, and finally the last tar command creates an archive that contains all of the data. You might say that for the encrypted archives I didn't need the bzip2 option (a plain .tar would do), as they get packed into the final archive anyway, but think again. Those archives are encrypted: if I created uncompressed tar archives (which are compressible) and then encrypted them, the final archive would not be able to compress them. Encrypted output is indistinguishable from random data, and random data is not compressible, so compression has to happen before encryption, not after.

Another approach would be to create a folder each day, put several archives in it and upload the folder to the server. This would be a bit more efficient, as it would avoid running bzip2 on archives that are already compressed (and encrypted), but the difference is negligible, and having single files instead of folders makes it a lot easier to get rid of old backups on the server. There I just have this kind of thing in a file in /etc/cron.daily:

find /var/www/miloske.tk/bkp/ -type f -name '*.tar.bz2' -mtime +15 -delete

This deletes every archive in that location that was last modified more than 15 days ago (-mtime +15 means strictly more than 15 whole days, so the 16th day onward). Letting find do the deleting is safer than piping into xargs rm, which mangles names containing whitespace and, on a day when nothing matches, runs rm with no arguments and sends cron an error mail; -type f also keeps find from trying to remove the directory itself.
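The one-liner above keeps the server tidy but has a failure mode: if the uploads stop (laptop switched off for a fortnight, key revoked, disk full), it keeps deleting until nothing is left. As an added example (mine, not the post's cron job), here is a POSIX shell function that prunes by age but always keeps the newest few archives whatever their age. It assumes archive names contain no whitespace, which the YYYY-MM-DD.tar.bz2 naming guarantees; the files created for the demo are empty placeholders with back-dated modification times.

```shell
#!/bin/sh
# Added example, not the post's own cron job: age-based pruning with a floor on
# how many archives survive, so a stalled uploader cannot empty the backup dir.
# Assumes archive names contain no whitespace (true for YYYY-MM-DD.tar.bz2).

# prune_backups DIR DAYS KEEP_MIN
# Removes DIR/*.tar.bz2 last modified more than DAYS days ago, except for the
# KEEP_MIN most recently modified archives. Prints each removed path.
prune_backups() {
  dir=${1%/}; days=$2; keep=$3
  # the newest KEEP_MIN archives by mtime, one path per line (ls -t: newest first)
  protected=$(ls -t "$dir"/*.tar.bz2 2>/dev/null | head -n "$keep")
  find "$dir" -maxdepth 1 -type f -name '*.tar.bz2' -mtime +"$days" |
  while read -r f; do
    # never touch the protected set, however old it is
    if printf '%s\n' "$protected" | grep -Fxq -- "$f"; then
      continue
    fi
    rm -f -- "$f"
    echo "removed $f"
  done
}

# count_archives DIR: number of archives currently in DIR
count_archives() {
  ls "${1%/}"/*.tar.bz2 2>/dev/null | wc -l | tr -d ' '
}

# Demo with constructed placeholder files: three stale archives dated 2017 and
# two fresh ones. With DAYS=15 and KEEP_MIN=4 only the oldest stale one goes.
demo_dir=$(mktemp -d)
for day in 2017-01-01 2017-01-02 2017-01-03; do
  : > "$demo_dir/$day.tar.bz2"
  touch -t "$(echo "$day" | sed 's/-//g')0000" "$demo_dir/$day.tar.bz2"   # back-date mtime
done
: > "$demo_dir/today-a.tar.bz2"
: > "$demo_dir/today-b.tar.bz2"
prune_backups "$demo_dir" 15 4
echo "remaining: $(count_archives "$demo_dir")"
rm -rf "$demo_dir"
```

In /etc/cron.daily this would be called as prune_backups /var/www/miloske.tk/bkp 15 4, and a stale "remaining" count is the signal that the uploader on the work machine needs attention.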

In the end, I scp the data to my server. I'm uploading only one file, so rsync is not necessary. I do use rsync on my home backup server to pull the data from the online server, but there I'm synchronizing several folders, so I need rsync. This script runs as a cron job on my work machine, so I always have backups of important files. Two things to keep in mind with this setup. The bkpuser key has no passphrase (it can't, for cron), so on the server that account should be able to do nothing except drop files into that folder: at a minimum prefix its authorized_keys entry with restrict and a command= forced command (or use a chrooted SFTP-only account), and make sure the folder is not served by the web server, because only the ssh and secure parts of the daily archive are encrypted; the rest travels encrypted over scp but sits on the server in the clear. And the gpg passphrase files live inside /home/milos/secure, which is itself one of the things being backed up, so keep a copy of them somewhere else; without them the encrypted archives are useless on a fresh machine.


What to do with a very old computer

Recently I obtained an old PC that's pretty much useless for anything: 1.5 GB of RAM, a single-core CPU and a 13 GB hard drive. Even 10 years ago this was pretty weak. But this old machine can still be useful. By adding another network card I turned it into a router for my home network, which is also a DNS server, a file backup server and hopefully something more. Here's how I've set it up:

First off, I started by installing Debian, without GUI since it was not needed and installing some basic software (I have to have vim everywhere). I try to use Ansible for every step of the setup, I keep separate folders with playbooks for each server. That way I also have documentation of what was installed.

During the installation, I chose a static IP, so that I would know where to connect over SSH. I have only one functioning monitor now, which I had to use during the installation, but I wanted to connect it back to my main PC as soon as possible, so everything other than the installation was done over SSH. I configured the network in the following way:

# The primary network interface
allow-hotplug eth0
iface eth0 inet static
address 192.168.2.1
netmask 255.255.255.0
network 192.168.2.0
broadcast 192.168.2.255
dns-nameservers 127.0.0.1

# The secondary network interface
allow-hotplug eth1
iface eth1 inet static
address 192.168.1.3
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.1

eth0 is connected to my private network; notice that no gateway is specified there. Also note that I've set the DNS to localhost (more on that later); the dns-nameservers line is only honoured if the resolvconf package is installed, otherwise put nameserver 127.0.0.1 into /etc/resolv.conf by hand. eth1 is plugged into my ADSL modem.

I wanted DHCP on the private network, although I’m using static addresses for most of the devices. I installed ISC DHCP server:

apt install isc-dhcp-server

set INTERFACES="eth0" in /etc/default/isc-dhcp-server (INTERFACESv4 in newer versions of the package), so that it never answers DHCP on the modem side, and configured /etc/dhcp/dhcpd.conf like this:

option domain-name "milos.lab";
option domain-name-servers 192.168.2.1;
...
subnet 192.168.2.0 netmask 255.255.255.0 {
range 192.168.2.150 192.168.2.199;
option routers 192.168.2.1;
}

Finally, I had to restart the service (/etc/init.d/isc-dhcp-server restart, or systemctl restart isc-dhcp-server), and that was it. If you want to check that it's up and running, see whether something is listening on UDP port 67 (netstat -tulnp, or ss -ulnp on newer systems).

I also wanted a local DNS server. I use it for ad blocking (I have a list of some 2500 domains) and local name resolution. Query caching is another (small) benefit. I chose dnsmasq; bind9 would have been overkill here, and having only one config file is a much better option. Bind it to the LAN side only (interface=eth0 together with bind-interfaces in dnsmasq.conf), so it is not an open resolver towards the modem. I'll write another blog post on how I maintain a database of ad servers and how I generate dnsmasq.conf files automatically.
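Since both dhcpd and dnsmasq run on a box with one leg on the modem's network, the thing I actually want to verify is not just that they are listening but where. As an added example (mine, not from the post), the shell functions below read netstat -tuln output and fail if a port is bound anywhere other than the addresses you allow. The listing embedded in the block is constructed for the demo; on the router, pipe the real command in instead. In the sample, dhcpd's fallback socket sits on 0.0.0.0:67, as isc-dhcp-server's does, which is reachable from eth1 too and is exactly why the INPUT rule for eth1 in the firewall script below matters.

```shell
#!/bin/sh
# Added example, not from the original post: check where the router's services
# are bound, from `netstat -tuln` output (real, or constructed as here).

# Constructed sample in netstat -tuln layout: dnsmasq on 53 (LAN address and
# loopback only), dhcpd's fallback socket on udp 0.0.0.0:67, sshd on 0.0.0.0:22.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.2.1:53          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
udp        0      0 192.168.2.1:53          0.0.0.0:*
udp        0      0 127.0.0.1:53            0.0.0.0:*
udp        0      0 0.0.0.0:67              0.0.0.0:*'

# bound_addrs PROTO PORT   (netstat output on stdin)
# Prints the local address of every PROTO socket on PORT, one per line.
bound_addrs() {
  awk -v proto="$1" -v port="$2" '
    $1 == proto {
      # local address column is "addr:port"; the last ":"-separated field is the port
      n = split($4, a, ":")
      if (a[n] == port) print substr($4, 1, length($4) - length(a[n]) - 1)
    }'
}

# bound_only PROTO PORT ADDR...   (netstat output on stdin)
# Succeeds if PROTO/PORT is bound and every socket on it uses one of ADDR....
# Fails if nothing listens there, or if any socket sits on an address not
# listed (0.0.0.0 included: that means reachable on eth1 as well).
bound_only() {
  proto=$1; port=$2; shift 2
  found=0
  for addr in $(bound_addrs "$proto" "$port"); do
    found=1
    ok=0
    for allowed in "$@"; do
      [ "$addr" = "$allowed" ] && ok=1
    done
    [ "$ok" -eq 1 ] || return 1
  done
  [ "$found" -eq 1 ]
}

# Demo against the constructed sample. On the router:
#   netstat -tuln | bound_only udp 53 192.168.2.1 127.0.0.1
report() {
  if printf '%s\n' "$SAMPLE_NETSTAT" | bound_only "$@"; then
    echo "ok    $1/$2 bound only to: $3 $4"
  else
    echo "CHECK $1/$2 missing or bound outside: $3 $4"
  fi
}
report tcp 53 192.168.2.1 127.0.0.1
report udp 53 192.168.2.1 127.0.0.1
report udp 67 192.168.2.1
report tcp 22 192.168.2.1
```

The two CHECK lines the demo prints (dhcpd and sshd on the wildcard address) are the services the firewall rule has to cover; the dnsmasq lines pass because it is bound to the LAN address and loopback only.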

Now, the main part of the setup, routing. I found a very nice script online that was almost perfect for my case.

#!/bin/sh

PATH=/usr/sbin:/sbin:/bin:/usr/bin

#
# delete all existing rules.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Default to dropping whatever no rule below allows
# (flushing the chains does not reset their policies).
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT

# Allow established connections, and those not coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i eth0 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

#drop all incoming
iptables -A INPUT -i eth1 -j REJECT

# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

# Masquerade.
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

# Don't forward from the outside to the inside.
# (must match -i eth1 -o eth0; a rule on -i eth1 -o eth1 never sees this traffic)
iptables -A FORWARD -i eth1 -o eth0 -j REJECT

# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward

My own addition was the rule rejecting everything that arrives on eth1 (iptables -A INPUT -i eth1 -j REJECT). This machine is behind NAT, but (call me crazy if you will) I never put too much trust in embedded devices (backdoors, bugs, no security updates...) and this feels cleaner. Note that the last FORWARD rule must match -i eth1 -o eth0: a rule written as -i eth1 -o eth1 never sees outside-to-inside traffic, and with the FORWARD chain's default policy of ACCEPT nothing else would stop a host on the modem's side that has a route to 192.168.2.0/24. Setting the INPUT and FORWARD policies to DROP before adding the rules is the belt-and-braces option, as flushing the chains does not reset the policies.

This script must be executable and it goes into /etc/network/if-up.d; ifupdown runs it every time it brings an interface up, so the rules are in place at each boot. Two caveats: it handles IPv4 only, so if the modem provides IPv6, give ip6tables equivalent rules or disable IPv6 on eth1; and net.ipv4.ip_forward=1 in /etc/sysctl.conf is the cleaner place for the forwarding switch than an echo in a hook script.

This was actually the first time I’ve set up routing and DHCP server on a Debian box, and I have to admit that I expected some problems after I’ve rebooted the machine, but to my surprise and delight everything worked. The only problem I have is that it’s heating up the small space where I’ve put it.

This is one of the key benefits of Linux. On this old machine I would not be able to run a recent version of Windows; I'd be forced to use an old one, XP or Server 2003, which are no longer supported. Instead, I have an OS that uses only a fraction of the available resources, still gets security updates (which is more than can be said for XP), and it's all free.
