openssh-sk-winhello
endlessh
openssh-sk-winhello | endlessh | |
---|---|---|
7 | 40 | |
181 | 6,883 | |
- | - | |
0.0 | 0.0 | |
over 1 year ago | 10 months ago | |
C | C | |
GNU Lesser General Public License v3.0 only | The Unlicense |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
openssh-sk-winhello
-
Use TouchID to Authenticate Sudo on macOS
For Windows, it seems it's possible[0, see footnote], however there are problems like general incompatibilities [1], and official support status is " We have this in our backlog. At this point it's not prioritized.".
0: https://github.com/tavrez/openssh-sk-winhello
0.footnote: "Windows Hello also supports other types of authenticators like internal TPM device(if they support generating ECDSA or Ed25519 keys, they can be used instead of FIDO/U2F security keys)."
1: https://github.com/tavrez/openssh-sk-winhello/issues
2: https://github.com/PowerShell/Win32-OpenSSH/issues/1804#issu...
-
Hardening SSH
Awesome article! Also found this tool (tavrez/OpenSsh-sk-winhello) for windows that lets you do this without admin access
-
[QUESTION] Is there a best way to manage multiple SSH on multiple Yubikeys?
Which is also how they are generated when retrieving them on a new computer via ssh-keygen -K since I used the application=ssh:yubikey_5 flag when first generating them. So something like ssh-keygen -t ed25519-sk -O resident -O application=ssh:yubikey_5c, but because I am on Windows I also had the -w winhello.dll flag (In case anyone stumbles on this question)
-
Using Yubikey FIDO with ssh-agent on macOS?
This is what i used but YMMV https://github.com/tavrez/openssh-sk-winhello/releases/tag/v2.0.0
-
Tell HN: GitHub no longer supporting unauthenticated `git://`
> Because AFAIK, (Fido) yubikey support is still missing.
Correct, hopefully Microsoft will provide an updated SSH client soon. It only requires recompiling OpenSSH with the correct flags.
Alternatively, use these build instruction for openssh with FIDO for windows:
https://gist.github.com/martelletto/6a7cf806c6433ac9ce71d66a...
> Using either the PKCS#11 support or the gpg applet requires some extra piece of software
For those wanting to do that, here are some ways:
Using a premade dll:
https://github-wiki-see.page/m/mooltipass/minible/wiki/Setti...
Or with a middleware:
https://github.com/mgbowen/windows-fido-bridge
Using the Hello API:
https://github.com/tavrez/openssh-sk-winhello
Given how many people came with their own ways, I believe there's enough demand for Microsoft to fix that.
- Unable to generate ssh sk keys on Windows 10
-
How often should I rotate my SSH keys?
My knowledge of WebAuthn is limited but their invocation of the relevant API seems like it should work for fingerprints also.
[1] https://github.com/tavrez/openssh-sk-winhello
endlessh
-
Why so many bots?
You can reduce the noise a lot by moving ssh to a non standard port. Security through obscurity isn't actually security, but it will reduce the number of attempts you receive. Another thing I like to do is put Endlessh on the standard port 22. That way as bots go by they will get stuck or at least slow down on that connection.
-
Is SSH secure enough?
SSH tarpit with Endlessh and for the hidden SSH: auth with both a key files (that need unlocking and is on the computer) AND an One Time Password on my phone.
-
"Failed password for root" SSH login hacking attemp?
If you change the ssh port, install https://github.com/skeeto/endlessh to slow down the attackers
-
ChatGPT doxes itself
Even this requires you to successfully guess the username and password correctly, and if it's just not the default most people won't bother brute forcing further. Sidenote: you can use endlessh on a computer and port forward port 22 to trap scanners that scan the entire internet for open ssh ports to exploit.
-
Ssh brute force attack with fail2ban.
The fun way is moving your ssh port somewhere else and installing endlessh to f the bots.
-
Security for your Homeserver
Such as endlessh
-
Keep it tight everyone! This is a day of sshd logs from a proxy server in China pinging my SSH server and trying every username imaginable. Does anyone have any tips to increase security?
But, as a prank to Chinese hackers, what I did on my system was to run endless ssh. It keeps the ssh client busy as it slowly sends the ssh banner. I modified the code to send strings like:
-
VPN to remotely access dockerized services
For hardening: I use lynis for some guidance, the VPS runs rkhunter, AIDE and other things nightly and mails me the reports, fail2ban manages the SSH port, having SSH on a custom port helps to keep things quiet. If you're into these kind of things, have a look at the Endlessh tarpit to learn about login attempts on port 22 on your machine - I found it eye-opening.
- Any app out there to trap port scanners?
- Mein Server wird für Bruteforce Attacken genutzt, was kann ich tun?
What are some alternatives?
libfido2 - Provides library functionality for FIDO2, including communication with a device over USB or NFC.
opencanary - Modular and decentralised honeypot
windows-fido-bridge - An OpenSSH SK middleware that allows you to use a FIDO/U2F security key (e.g. a YubiKey) to SSH into a remote server from WSL or Cygwin.
sshesame - An easy to set up and use SSH honeypot, a fake SSH server that lets anyone in and logs their activity
wsl2-ssh-pageant - bridge between windows pageant and wsl2
cowrie - Cowrie SSH/Telnet Honeypot https://cowrie.readthedocs.io
secretive - Store SSH keys in the Secure Enclave
docker-swag - Nginx webserver and reverse proxy with php support and a built-in Certbot (Let's Encrypt) client. It also contains fail2ban for intrusion prevention.
sekey - Use Touch ID / Secure Enclave for SSH Authentication!
minerstat-os - msOS - Open Source Mining OS. Repository moved, no longer using github
Win32-OpenSSH - Win32 port of OpenSSH
geoip-blocking-w-firewalld - Block unwanted countries IPv4 & IPv6 ranges with firewalld using ipdeny.com