https://github.com/rgl/openssh-server-windows-vagrant
vagrant environment to test PowerShell/Win32-OpenSSH
- Host: GitHub
- URL: https://github.com/rgl/openssh-server-windows-vagrant
- Owner: rgl
- Created: 2017-04-26T11:07:40.000Z (over 7 years ago)
- Default Branch: master
- Last Pushed: 2023-12-22T07:32:32.000Z (about 1 year ago)
- Last Synced: 2024-10-05T18:22:07.521Z (3 months ago)
- Topics: ssh, ssh-server, vagrant, windows
- Language: PowerShell
- Size: 287 KB
- Stars: 4
- Watchers: 3
- Forks: 0
- Open Issues: 2
Metadata Files:
- Readme: README.md
README
This is a vagrant environment to test the [PowerShell/Win32-OpenSSH](https://github.com/PowerShell/Win32-OpenSSH) service,
which intends to be integrated into the upstream [Portable OpenSSH](https://github.com/openssh/openssh-portable) project
as the native SSHD for Windows.

In this environment you'll also find [several language examples](examples/) on how to access a machine through SSH.
# Usage
[Build and install the Windows 2022 base image](https://github.com/rgl/windows-vagrant).
Launch the SSH server machine:
```bash
vagrant up sshd --no-destroy-on-error
```
**NB** this step will also create an SSH key at `tmp/id_rsa`, which we will later use to connect to the `vagrant` account.
See the allocated SSH port:
```bash
vagrant ssh-config sshd
```
You should see something like:
```plain
Host sshd
HostName 127.0.0.1
User vagrant
Port 2222
...
```
Try accessing the ssh server at that port with the created SSH key:
```bash
ssh -i tmp/id_rsa [email protected] -p 2222 "whoami /all"
```
Now try the same, but from within the Windows Client machine. First launch it:
```bash
vagrant up windows --no-destroy-on-error
```
Then log in to the Windows Desktop, and inside a PowerShell window run:
```powershell
&'C:/Program Files/OpenSSH/ssh' -i c:/vagrant/tmp/id_rsa [email protected] "whoami /all"
```
List this repository's dependencies (and which ones have newer versions):
```bash
export GITHUB_COM_TOKEN='YOUR_GITHUB_PERSONAL_TOKEN'
./renovate.sh
```
# sshd audit
```plain
# general
(gen) banner: SSH-2.0-OpenSSH_for_Windows_9.5
(gen) compatibility: OpenSSH 7.4+, Dropbear SSH 2018.76+
(gen) compression: enabled ([email protected])

# key exchange algorithms
(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
`- [info] default key exchange since OpenSSH 6.4
(kex) [email protected] -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
`- [info] default key exchange since OpenSSH 6.4
(kex) ecdh-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp384 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp521 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) diffie-hellman-group-exchange-sha256 (3072-bit) -- [info] available since OpenSSH 4.4
`- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 3072. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).
(kex) diffie-hellman-group16-sha512 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
(kex) diffie-hellman-group18-sha512 -- [info] available since OpenSSH 7.3
(kex) diffie-hellman-group14-sha256 -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
`- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
(kex) [email protected] -- [info] pseudo-algorithm that denotes the peer supports a stricter key exchange method as a counter-measure to the Terrapin attack (CVE-2023-48795)

# host-key algorithms
(key) rsa-sha2-512 (3072-bit) -- [info] available since OpenSSH 7.2
(key) rsa-sha2-256 (3072-bit) -- [info] available since OpenSSH 7.2
(key) ecdsa-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
`- [warn] using weak random number generator could reveal the key
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(key) ssh-ed25519 -- [info] available since OpenSSH 6.5

# encryption algorithms (ciphers)
(enc) [email protected] -- [info] available since OpenSSH 6.5
`- [info] default cipher since OpenSSH 6.9
(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
(enc) aes192-ctr -- [info] available since OpenSSH 3.7
(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
(enc) [email protected] -- [info] available since OpenSSH 6.2
(enc) [email protected] -- [info] available since OpenSSH 6.2

# message authentication code algorithms
(mac) [email protected] -- [warn] using small 64-bit tag size
`- [info] available since OpenSSH 6.2
(mac) [email protected] -- [info] available since OpenSSH 6.2
(mac) [email protected] -- [info] available since OpenSSH 6.2
(mac) [email protected] -- [info] available since OpenSSH 6.2
(mac) [email protected] -- [warn] using encrypt-and-MAC mode
`- [warn] using small 64-bit tag size
`- [info] available since OpenSSH 4.7
(mac) [email protected] -- [warn] using encrypt-and-MAC mode
`- [info] available since OpenSSH 6.2
(mac) hmac-sha2-256 -- [warn] using encrypt-and-MAC mode
`- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
(mac) hmac-sha2-512 -- [warn] using encrypt-and-MAC mode
`- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56

# fingerprints
(fin) ssh-ed25519: SHA256:REDACTED
(fin) ssh-rsa: SHA256:REDACTED

# additional info
(nfo) Be aware that, while this target properly supports the strict key exchange method (via the [email protected] marker) needed to protect against the Terrapin vulnerability (CVE-2023-48795), all peers must also support this feature as well, otherwise the vulnerability will still be present. The following algorithms would allow an unpatched peer to create vulnerable SSH channels with this target: [email protected]. If any CBC ciphers are in this list, you may remove them while leaving the *[email protected] MACs in place; these MACs are fine while paired with non-CBC cipher types.
```
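
To turn a report in the format above into something reviewable, the following added example (not part of this repository or of the audit tool) parses the text, attaches each `` `- `` continuation line to the algorithm above it, and emits candidate `sshd_config` lines for the flagged algorithms. The function names `parse_report`, `triage` and `removal_lines` are hypothetical, and the embedded sample is an excerpt of the report shown here.

```python
import re

# Excerpt copied from the ssh-audit report above, embedded so this runs offline.
SAMPLE_REPORT = """\
# key exchange algorithms
(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
`- [info] default key exchange since OpenSSH 6.4
(kex) ecdh-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) diffie-hellman-group14-sha256 -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
# host-key algorithms
(key) rsa-sha2-512 (3072-bit) -- [info] available since OpenSSH 7.2
(key) ecdsa-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
`- [warn] using weak random number generator could reveal the key
# message authentication code algorithms
(mac) hmac-sha2-256 -- [warn] using encrypt-and-MAC mode
"""

ENTRY = re.compile(r"^\((\w+)\)\s+(\S+)(?:\s+\([^)]*\))?\s+--\s+\[(\w+)\]\s+(.*)$")
NOTE = re.compile(r"^\s*`-\s+\[(\w+)\]\s+(.*)$")  # continuation of the previous entry
RANK = {"info": 0, "warn": 1, "fail": 2}
# sshd_config directive that controls each report section
DIRECTIVE = {"kex": "KexAlgorithms", "key": "HostKeyAlgorithms", "enc": "Ciphers", "mac": "MACs"}

def parse_report(text):
    """Return one dict per algorithm; `- lines are attached to the entry above them."""
    entries = []
    for line in text.splitlines():
        if m := ENTRY.match(line):
            kind, name, level, msg = m.groups()
            entries.append({"kind": kind, "name": name, "notes": [(level, msg)]})
        elif (m := NOTE.match(line)) and entries:
            entries[-1]["notes"].append(m.groups())
    return entries

def triage(text, threshold="warn"):
    """Map section -> [(algorithm, worst level)] for entries at or above threshold."""
    flagged = {}
    for e in parse_report(text):
        worst = max((lvl for lvl, _ in e["notes"]), key=lambda l: RANK.get(l, 0))
        if RANK.get(worst, 0) >= RANK[threshold]:
            flagged.setdefault(e["kind"], []).append((e["name"], worst))
    return flagged

def removal_lines(text, threshold="fail"):
    """Candidate sshd_config lines using the '-' prefix to drop algorithms from the defaults."""
    return [f"{DIRECTIVE[kind]} -{','.join(n for n, _ in algos)}"
            for kind, algos in triage(text, threshold).items() if kind in DIRECTIVE]
```

The `-` prefix removes the listed algorithms from the server's default set and needs OpenSSH 7.5 or later; check the generated lines against the clients that must keep connecting before adding them to `sshd_config`.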