Archive for the ‘ssh’ Category

How to download ca certificate chain

Thursday, January 10th, 2013

It might happen that a machine is missing the CA chain certificates, and then you get an error like

OpenSSL: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
Unable to establish SSL connection.

If accessing the same URL in a browser works without a warning, then you can export and download the CA certificate chain from there.

In Firefox: right-click > View Page Info > Security > View Certificate > Details. There you see the certificate hierarchy and can export each certificate in the chain individually. Depending on the OS, you need to add these certificates in PEM format to /etc/pki/tls/cert.pem or a similar bundle file.

See more useful tricks about SSL here.

Multiple ssh keys for logging to different sites

Thursday, November 24th, 2011

It is secure and easy to log into servers with OpenSSH using public/private key client authentication. You only need to generate keys with ssh-keygen, and these keys are then used automatically.

The challenge starts when you don't want to use the same key everywhere but prefer, or have to, use different keys for different sites.

First, let's create a few keys. Add meaningful comments right away so that you remember later which key was for what. ssh-keygen lets you choose the file names for the keys:

$ ssh-keygen -C "my work key"
$ ssh-keygen -C "personal stuff"

Now copy the public key to the remote machine's ~/.ssh/authorized_keys (or ~/.ssh/authorized_keys2) file.

Then change the ssh client configuration, either system-wide in /etc/ssh/ssh_config or per account in ~/.ssh/config. Write into this file where your private keys are and which hosts they apply to:

Host server.atwork.com
  IdentityFile ~/.ssh/id_rsa.work
Host personal.webserver.com
  IdentityFile ~/.ssh/id_rsa.personal

See also Setting up public key authentication
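The key generation and the config stanza above, as an added example that is not from the original post: it names the key files explicitly with -f, writes the per-host config with IdentitiesOnly so ssh offers only the listed key to each host, and resolves which key a host gets. The directory argument and the empty passphrase are assumptions for trying it in a scratch directory.

```shell
#!/bin/sh
# Added example (not from the original post): two named keys plus the config
# that binds each key to a host. Host and key names are the post's own.
set -e

make_keys() {            # $1 = directory to use instead of ~/.ssh
  mkdir -p "$1" && chmod 700 "$1"
  # -f picks the file name, -C the comment that tells the keys apart later.
  # -N "" means no passphrase: assumed here for a scratch run only.
  ssh-keygen -q -t rsa -b 3072 -N "" -C "my work key"    -f "$1/id_rsa.work"
  ssh-keygen -q -t rsa -b 3072 -N "" -C "personal stuff" -f "$1/id_rsa.personal"
}

write_config() {         # $1 = directory; writes $1/config
  # IdentitiesOnly stops ssh from also offering every other key it knows
  # about (agent keys included), which is what trips "too many failures".
  cat > "$1/config" <<EOF
Host server.atwork.com
  IdentityFile $1/id_rsa.work
  IdentitiesOnly yes
Host personal.webserver.com
  IdentityFile $1/id_rsa.personal
  IdentitiesOnly yes
EOF
  chmod 600 "$1/config"
}

# Which IdentityFile does this config give a host? (Against the real
# ~/.ssh/config, "ssh -G HOST" prints the fully resolved answer.)
key_for_host() {         # $1 = directory, $2 = host
  awk -v h="$2" '
    $1 == "Host"                      { cur = $2 }
    $1 == "IdentityFile" && cur == h  { print $2; exit }
  ' "$1/config"
}
```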


Configure Apache to support multiple SSL sites on a single IP

Wednesday, September 14th, 2011

You can host an unlimited number of NameVirtualHost-s over plain HTTP. But how can you have many virtual hosts in the vhost file over HTTPS? Is it not possible?

Most websites have some sort of CMS with admin passwords, and these must not be sent in plaintext; a little certificate warning for the admins is not a big problem. When using the default Apache configuration and defining many VirtualHost-s for port *:443, you still see only one of them whichever site you open.

The problem can be located from the error_log, which shows lines like these:

[Wed Sep 14 10:05:28 2011] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Wed Sep 14 16:06:28 2011] [warn] _default_ VirtualHost overlap on port 443, the first has precedence

The solution is to explicitly tell Apache to use NameVirtualHost for port 443 as well, in addition to port 80, which is the default. Make sure you have something like this in ports.conf or a similar httpd configuration file:

<IfModule mod_ssl.c>
    NameVirtualHost *:443
    Listen 443
</IfModule>

Simple way to route all traffic via gateway with OpenVPN

Wednesday, December 15th, 2010

You need a VPN when you are connected to an unsecured WiFi network. A VPN is also needed when the public WiFi or your ISP is restricting you; one example of such restrictions is blocking P2P programs and the like.

A good way to overcome those problems is OpenVPN. It can be quite complicated to set up, but a simple configuration is actually simple.

First, a server is needed. The server can be your home router or some small server in a datacentre that has spare bandwidth. Your laptop will be called the client; it sends all (or some) of your traffic through one TCP/IP connection to the server, and the server forwards it so that the traffic looks like it originates from the server.

Let's use the internal IPs 10.66.77.1 for the server and 10.66.77.2 for the client. The network is picked from the middle of the 10.0.0.0/24 network because then it has a smaller chance of colliding with your existing network.

The server needs IP forwarding and NAT enabled. You achieve this with the following commands; 10.66.77.0/24 and eth0 need to be changed to your actual values.

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 10.66.77.0/24 -o eth0 -j MASQUERADE

Next we need a static key. Bear in mind that this needs to be kept secret. Generating the key looks like this:

openvpn --genkey --secret static.key
chmod 600 static.key

Now the preparation is done and you can write the OpenVPN configuration file. (more…)

Putty: “Server refused our key”

Tuesday, July 14th, 2009

Scenario: you want to log into the server from one location with one key and from another location with another key.

First I did this the easy way between two Linux servers: generated a key with ssh-keygen, added the public key to the server with ssh-copy-id, tested it, and it was all working.

I also have a Windows machine at hand and I want to use PuTTY to log into the server with a different key. A little problem is that OpenSSH and PuTTY keys are not interoperable. You need to import the private key generated with ssh-keygen into PuTTYgen and convert it into PuTTY's key format.

So far so good, until I tried logging into the server and got an error message in PuTTY saying “Server refused our key”. I tried several times over until I managed to find out that if you have more than one authenticated key then you need to add them to authenticated_keys2, not authenticated_keys.

There are also two good pages about this subject: http://ornellas.apanela.com/dokuwiki/pub:ssh_key_auth and http://andremolnar.com/how_to_set_up_ssh_keys_with_putty_and_not_get_server_refused_our_key

When apache ignores your SSL certificate!

Friday, July 3rd, 2009

Almost everybody realizes nowadays that pages where logins and passwords are used must use encrypted data transfer such as HTTPS. For a secure connection the web server must have a correctly configured certificate.

Usually certificates are bought from some Certificate Authority, and these cost around $100 per year. Here I will show how to make your own certificate for free, and very simply.

  1. Create a private 1024-bit RSA key encrypted with DES3 in the file server.key:
    openssl genrsa -des3 -out server.key 1024

    http://www.openssl.org/docs/apps/genrsa.html#

  2. Create a new certificate signing request for the private key in file server.key and place the request in server.csr. This asks for information about your site; most importantly, the common name must match your site name:
    openssl req -new -key server.key -out server.csr

    http://www.openssl.org/docs/apps/req.html#

  3. Finally, create a certificate in X.509 format from the request in file server.csr, sign it with server.key and save the result in server.crt; the certificate is valid for 365 days.

    http://www.openssl.org/docs/apps/x509.html#

The vhost configuration in /etc/httpd/conf/httpd.conf for HTTPS with the newly created certificate and private key looks like this:

<VirtualHost *:443>
    ServerName marguspala.com
    DocumentRoot /var/www/marguspala.com
    SSLEngine on
    SSLCertificateFile /etc/httpd/ssl/server.crt
    SSLCertificateKeyFile /etc/httpd/ssl/server.key
</VirtualHost>

If you are lucky, then after an Apache restart you have an encrypted connection; if not so lucky, Apache will not start 🙂

Problems:

  • If you have several HTTPS-enabled sites, then whichever one you want to use, you end up at only one site. Probably you are using the default httpd.conf, and you must enable name-based virtual hosts for HTTPS. Add this line to httpd.conf:
    NameVirtualHost *:443
  • No matter what certificate you define, Apache still uses its own, one that you don't know about and have not seen before.
    If you navigate to the web page, right-click, view page info etc., you can see the certificate data that you entered when creating the signing request. If this is not what you entered, then something is not correct.
    I searched the whole server to see if there were any other certificates present and found one at /etc/pki/tls/certs/localhost.crt:

    find / -name '*.crt'

    Something was using this cert, but it was not defined in httpd.conf; instead it was in /etc/httpd/conf.d/ssl.conf. The command that found this out was

    find / | xargs grep localhost.crt

    Changing the location of SSLCertificateFile and SSLCertificateKeyFile in ssl.conf made the server work.
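The three openssl steps from the numbered list above and the "Apache ignores my certificate" problem from the second bullet, as one added example that is not from the original post: the steps run non-interactively, and a check confirms that a key and a certificate actually belong together, which is the quickest way to tell whether the files in ssl.conf are the ones you think they are. The passphrase, directory and site name are constructed placeholders, and 2048 bits is used instead of the post's 1024.

```shell
#!/bin/sh
# Added example, not from the original post: steps 1-3 above as a
# non-interactive script, plus the check to run when Apache seems to serve
# a certificate other than the one you configured. The passphrase and the
# directory are constructed placeholders; 2048 bits replaces the post's 1024.
set -e
PASS="pass:changeme"     # placeholder; real use: -passout file:... or a prompt

make_self_signed() {     # $1 = output directory, $2 = common name (site name)
  mkdir -p "$1"
  # 1. DES3-encrypted private RSA key
  openssl genrsa -des3 -passout "$PASS" -out "$1/server.key" 2048
  # 2. certificate signing request; -subj replaces the interactive questions,
  #    and the CN must match the site name browsers will use
  openssl req -new -key "$1/server.key" -passin "$PASS" \
    -subj "/CN=$2" -out "$1/server.csr"
  # 3. X.509 certificate signed with server.key, valid 365 days
  openssl x509 -req -days 365 -in "$1/server.csr" -signkey "$1/server.key" \
    -passin "$PASS" -out "$1/server.crt"
}

# 0 if the certificate's public key belongs to the private key. Run it on the
# files named by SSLCertificateFile/SSLCertificateKeyFile in every conf.d
# file; a mismatch or a stray localhost.crt in ssl.conf shows up immediately.
key_matches_cert() {     # $1 = key file, $2 = cert file
  k=$(openssl rsa  -in "$1" -passin "$PASS" -noout -modulus | openssl dgst -sha256)
  c=$(openssl x509 -in "$2" -noout -modulus | openssl dgst -sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Subject of the certificate actually served, to compare with the file on
# disk (-servername matters once NameVirtualHost *:443 is in use).
served_subject() {       # $1 = host, $2 = port
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject
}

# Usage: sh thisfile.sh OUTDIR SITENAME
if [ $# -eq 2 ]; then
  make_self_signed "$1" "$2"
  key_matches_cert "$1/server.key" "$1/server.crt" && echo "key and cert match"
  openssl x509 -in "$1/server.crt" -noout -subject -dates
fi
```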

Some more useful tips

openssl x509 -text -in /etc/pki/tls/certs/localhost.crt

shows the certificate information

openssl s_client -connect marguspala.com:443

connects to an HTTPS-enabled website and shows, among other things, that website's certificate.