
Openssl cheat sheet

This is my cheat sheet for establishing a Public Key Infrastructure (PKI). These are the commands that I usually use in my PKI setups.

Generate private key:

openssl genpkey -algorithm RSA -out tim.pkey

Get the public key from the private key:

openssl pkey -in tim.pkey -pubout -out tim_public_key

Encrypt a file with the public key:

openssl pkeyutl -in my_private_infor.txt -out encrypted_data.txt -encrypt -pubin -inkey tim_public_key

Decrypt the file with the private key:

openssl pkeyutl -out decrypted.txt -in encrypted_data.txt -decrypt -inkey tim.pkey

Commands to handle a CA, generate a CSR and have the CA sign the CSR.

First the CA needs to be set up.

Generate private key for the CA:

openssl genrsa -aes256 -out myCA.key 2048

Generate the CA certificate from the private key of the CA:

openssl req -x509 -new -key myCA.key -sha256 -days 3650 -out myCA.pem

On the device whose CSR I want the CA to sign:

First generate a private key for the device (or any other kind of endpoint):

openssl genrsa -out dev.key

Generate a CSR from the private key. This CSR needs to be sent to the CA server:

openssl req -new -key dev.key -out dev.csr

Then on the CA, sign the CSR; the resulting certificate is sent back to the device:

openssl x509 -req -in device/dev.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out dev.crt -days 365 -sha256
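To confirm that the sequence above actually produced a usable chain, here is an added, self-contained shell script (example code, not part of the original cheat sheet). It runs the CA key, device key, CSR and signing steps non-interactively in a scratch directory, then verifies the issued certificate against the CA, confirms the CSR carries the device key, and exercises the genpkey / pkey / pkeyutl encrypt-decrypt pair from the top of the sheet. The subject names, the CA passphrase and the file contents are constructed for the demo. It also shows the limit of encrypting files directly with RSA as the pkeyutl commands do: a 2048-bit key with the default PKCS#1 v1.5 padding accepts at most 245 bytes of plaintext, so a 4 KiB file is refused and larger data needs a symmetric key that is itself RSA-encrypted.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet: runs the CA / device CSR /
# signing flow end to end in a scratch directory and then checks the result.
# All names, subjects and the CA passphrase are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA_PASS='demo-ca-passphrase'   # constructed; never hard-code a real one

setup_ca() {
    # AES-256 protected CA key (as on the sheet) and a 10-year self-signed CA cert
    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$WORK/myCA.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$WORK/myCA.key" -passin "pass:$CA_PASS" \
        -sha256 -days 3650 -subj '/CN=Demo Root CA' -out "$WORK/myCA.pem" 2>/dev/null
}

issue_device_cert() {
    # device key + CSR, then the CA signs it; -CAcreateserial writes myCA.srl
    openssl genrsa -out "$WORK/dev.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/dev.key" -subj '/CN=dev.example.test' \
        -out "$WORK/dev.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/dev.csr" -CA "$WORK/myCA.pem" -CAkey "$WORK/myCA.key" \
        -passin "pass:$CA_PASS" -CAcreateserial -out "$WORK/dev.crt" -days 365 -sha256 2>/dev/null
}

verify_chain() {
    # exit 0 only if dev.crt chains to myCA.pem (what a TLS client will check)
    openssl verify -CAfile "$WORK/myCA.pem" "$WORK/dev.crt" >/dev/null 2>&1
}

csr_matches_key() {
    # the public key inside the CSR must be the one derived from dev.key
    [ "$(openssl req -in "$WORK/dev.csr" -noout -pubkey)" = \
      "$(openssl pkey -in "$WORK/dev.key" -pubout)" ]
}

rsa_roundtrip() {
    # genpkey / pkey -pubout / pkeyutl encrypt+decrypt, as on the sheet
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/tim.pkey" 2>/dev/null
    openssl pkey -in "$WORK/tim.pkey" -pubout -out "$WORK/tim_public_key"
    printf 'hello pki' >"$WORK/plain.txt"
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/tim_public_key" \
        -in "$WORK/plain.txt" -out "$WORK/encrypted.bin"
    openssl pkeyutl -decrypt -inkey "$WORK/tim.pkey" \
        -in "$WORK/encrypted.bin" -out "$WORK/decrypted.txt"
    [ "$(cat "$WORK/decrypted.txt")" = 'hello pki' ]
}

rsa_rejects_large_input() {
    # RSA encrypts a single block: with a 2048-bit key and PKCS#1 v1.5 padding
    # that is 245 bytes at most, so a 4 KiB file must be refused. Real files
    # need a symmetric key that is itself RSA-encrypted. Exit 0 only on refusal.
    dd if=/dev/zero of="$WORK/big.bin" bs=4096 count=1 2>/dev/null
    ! openssl pkeyutl -encrypt -pubin -inkey "$WORK/tim_public_key" \
        -in "$WORK/big.bin" -out "$WORK/big.enc" 2>/dev/null
}

run_demo() {
    setup_ca && issue_device_cert
    verify_chain && echo 'dev.crt verifies against myCA.pem'
    csr_matches_key && echo 'dev.csr carries the public half of dev.key'
    rsa_roundtrip && echo 'pkeyutl encrypt/decrypt round trip ok'
    rsa_rejects_large_input && echo 'RSA refused a 4096-byte plaintext, as expected'
}

run_demo
```

The passphrase is passed with -passout/-passin only so the script runs unattended; at a real CA, leave those options off and let openssl prompt, exactly as the commands on the sheet do.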

SSH tunneling

SSH tunneling allows traffic to be routed through an SSH connection. For example, in the following topology I would like to access 172.217.171.228 on port 80 via 101.1.1.1, but on 192.168.0.10 I would like to connect to local port 5050.

In that case the command I'll issue on 192.168.0.10 will be:

ssh -L 5050:172.217.171.228:80 username@101.1.1.1

This command opens an SSH session from 192.168.0.10 to 101.1.1.1 and keeps local port 5050 open on the Client. Every connection made to localhost:5050 on the Client is forwarded through the SSH session, and the "SSH tunnel intermediate" opens a session to 172.217.171.228:80.

There is also another option for an SSH tunnel, where the Server connects to the Client; a user on the Client can then open a connection to some local port and the session ends up on the Server.

The following command makes this happen:

ssh -R 5050:localhost:80 username@192.168.0.10

In that case the Server opens an SSH session to the Client. Every connection made on the Client to localhost:5050 is forwarded through the tunnel to port 80 on the Server (the localhost:80 in the command).

With the same topology described above, I want to access any server on any port. In that case this command is used:

ssh -D 5050 username@101.1.1.1

This makes ssh act as a SOCKS server. Meaning, after the SSH session from 192.168.0.10 to 101.1.1.1 is established, every connection made to localhost:5050 is forwarded to the outside world from 101.1.1.1, using an ephemeral source port. This is useful if some proxy is used to firewall your connections to the internet. The initiator of the connection needs to speak the SOCKS4 or SOCKS5 protocol; Firefox can be this initiator.

To configure SOCKS in Firefox, type about:preferences in the address bar and go there. Search for "proxy" in the search field, click Settings, and enter localhost as the address and 5050 as the port number under "SOCKS Host".

Obviously the SSH server needs to allow tunneling. My Ubuntu did not allow this by default. To enable it, apply this configuration in the file /etc/ssh/sshd_config:

AllowTcpForwarding yes
GatewayPorts yes

After changing the configuration, restart the SSH service:

service ssh restart
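A pitfall with the two directives above is that sshd keeps the first value it meets for a keyword and silently ignores later repeats, and anything after a Match line applies only to matching connections; appending AllowTcpForwarding yes to the end of a file that already says no therefore changes nothing, and the restart will not help. The following added shell script (example code, not from the original post) reads the value that is actually in effect for a directive, reports whether both directives are globally enabled, and rewrites the file so the new value wins. The sample sshd_config it builds is constructed for the demo; the function names effective_value, forwarding_ready, set_global and sample_config are mine.

```shell
#!/bin/sh
# Added example, not from the original post: reads the effective (first global)
# value of an sshd_config directive, since sshd keeps the first value it meets
# and treats everything after a Match line as conditional. The sample config
# below is constructed for the demo.
set -eu

# effective_value FILE KEYWORD
# prints the first global (pre-Match) value, lowercased, or "default" if unset
effective_value() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[ \t]*(#|$)/ { next }                              # comments and blank lines
        { line = $0; sub(/^[ \t]+/, "", line); split(line, f, /[ \t=]+/) }
        tolower(f[1]) == "match" { in_match = 1; next }     # rest of file is conditional
        in_match { next }
        tolower(f[1]) == key { print tolower(f[2]); found = 1; exit }
        END { if (!found) print "default" }
    ' "$1"
}

# forwarding_ready FILE: exit 0 only when both directives from the post are
# globally in effect (-L/-D need AllowTcpForwarding; a -R listener bound off
# loopback additionally needs GatewayPorts)
forwarding_ready() {
    tcp=$(effective_value "$1" AllowTcpForwarding)
    gw=$(effective_value "$1" GatewayPorts)
    [ "$tcp" = yes ] && [ "$gw" = yes ]
}

# set_global FILE KEYWORD VALUE
# drops every global copy of KEYWORD (an earlier copy would win over an appended
# line) and puts the new directive first; Match sections are left untouched
set_global() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    tmp=$(mktemp)
    {
        printf '%s %s\n' "$2" "$3"
        awk -v key="$key" '
            { line = $0; sub(/^[ \t]+/, "", line); split(line, f, /[ \t=]+/) }
            tolower(f[1]) == "match" { in_match = 1 }
            !in_match && tolower(f[1]) == key { next }
            { print }
        ' "$1"
    } >"$tmp"
    mv "$tmp" "$1"
}

# sample_config FILE: constructed sshd_config that looks enabled at the bottom
sample_config() {
    cat >"$1" <<'EOF'
# constructed sample sshd_config
Port 22
AllowTcpForwarding no
GatewayPorts = yes
# too late: sshd already took "no" above
AllowTcpForwarding yes
Match User backup
    AllowTcpForwarding yes
EOF
}

demo() {
    f=$(mktemp)
    sample_config "$f"
    echo "AllowTcpForwarding in effect: $(effective_value "$f" AllowTcpForwarding)"
    echo "GatewayPorts in effect:       $(effective_value "$f" GatewayPorts)"
    forwarding_ready "$f" || echo 'forwarding NOT ready: the first AllowTcpForwarding wins'
    set_global "$f" AllowTcpForwarding yes
    forwarding_ready "$f" && echo 'forwarding ready after set_global'
    rm -f "$f"
}

demo
```

On a host where sshd is installed, sshd -t -f FILE validates the file and sshd -T prints the fully resolved configuration, which is the authoritative check; the script above is for reviewing a config file on a machine where sshd is not available, and it leaves "default" for anything the file does not set rather than guessing the daemon's built-in value.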