Kategorie: client

Veröffentlicht am

Refresh ENVironment Variables

The „refreshenv“-CMD/Powershell-Command updates all Environment-Variables e.g. after installing a new software package.

C:\WINDOWS\system32>refreshenv
Refreshing environment variables from registry for cmd.exe. Please wait...Finished..
Veröffentlicht am

Windows Client Setup: Disable Teredo/ISATAP

Both Protocols are absolutely useless for all common use-cases, but enabled – just „providing“ potential security issues.

Disable like this:

netsh interface isatap set state disabled
netsh interface teredo set state disabled
Veröffentlicht am

Enable ESXi-Host as VNC-Server to access a vSphere-VM remotely

I prefer accessing VMs using SSH or RDP directly. Sometimes, the IP-Address of the VM isn’t reachable, or protocols for remoteaccess need to be disabled for security reasons.

In these cases, if an IP-connection to the ESXi-Server is available this could be an option to use the ESXi hypervisor as VNC-Server to provide access to VM keyboard, video, mouse…

Three VM advanced Configuration Parameters need to be set:

  • „password“ is optional, but mRemoteNG as VNC-Client doesn’t work without password set.
RemoteDisplay.vnc.enabled = TRUE
RemoteDisplay.vnc.port = <TCP-Port>
RemoteDisplay.vnc.password = <Passwort>
Veröffentlicht am

Old Firefox Stable for Admins

This is not for general usage, but an „admin-Jumphost“-computer/vm which needs to get flash enabled from time to time and is never used for public internet browsing…

There it might be an un-dogmatic solution to install the last Firefox 78.15 ESR Release.

Find it here: https://ftp.mozilla.org/pub/firefox/releases/78.15.0esr/win64/de/

Disable Auto-Update

That’s easy

  • Firefox Settings => Update Settings => „Disable Automatic Updates“

Disable Update-Notification

That’s harder – Firefox guys (think to) know better what’s good for their users and they don’t even provide an „about:config“-switch: fail!

Add the following registry Key:

HKEY_LOCAL_MACHINE\Software\Policies\Mozilla\Firefox

Add the following 32-Bit DWORD

DisableAppUpdate

with value set to

1

and restart Firefox.

Veröffentlicht am

Windows CCM Cache eats diskspace

Don’t delete the content of „c:\windows\ccmcache\“ manually with the File-Explorer:

  • it is managed by „Windows System Center Configuration Manager (SCCM)“.

You need „local Administrator“ access to your computer.

Let SCCM to cleanup it’s cache for you:

1) open the „Control Panel“

Control Panel – Configuration Manager

2) select „Configuration Manager“

3) go to „Cache“-Tab

4) click „Delete Files“

Configuration Manager – Delete Cache

Wait a second and the CCM-Cache is empty.

c:\Windows\ccmcache>dir
 Volume in drive C is Windows
 Volume Serial Number is 5Q4C-0K08

 Directory of c:\Windows\ccmcache

23.09.2021  19:10    <DIR>          .
23.09.2021  19:10    <DIR>          ..
               0 File(s)              0 bytes
               2 Dir(s)  11.164.721.152 bytes free
Veröffentlicht am

Cisco IOS – Public-Key User-Authentication

It’s a two step process to get rid of insecure username/password-authentication.

  1. Generate a RSA keypair at your SSH-client

    2. btw. Cisco-IOS doesn’t support DSA-keys

  2. Configure your network device(s) to assign the (public-)key of this keypair to an user-account

This user-account could get privileges from a Radius/TACACS+-Server which could provide access-logs, too.

  1. Generate RSA-Key: Windows as SSH-Client

    2. I prefer Putty, usually in form of „mRemoteNG“, so i use PuttyGen to generate the RSA keypair.

    • Windows.Start => PuttyGen
    • (x) RSA, 4096-bits are supported, use it

    • [Generate]
    • move the mouse to improve the randomgenerator

    • change the „comment“ – for example replace it by an username
    • add a passphrase – using this key-pair is possible only for people knowing this passphrase

    • Save both parts of the RSA keypair:
      • [Save public key] => Filename for example „labuser.pub“
      • [Save private key] => Filename for example „labuser.ppk“
    • Verify
      • C:>dir labuser*.* -l
-rw-rw-rw-   1 user     group        2710 Oct 17 18:26 labuser.ppk
-rw-rw-rw-   1 user     group         820 Oct 17 18:26 labuser.pub
    • Since the contained keys are BASE64-Encoded (The Secure Shell (SSH) Public Key File Format) you could extract them using grep.
      • C:>cat labuser.pub
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "labuser"
AAAAB3NzaC1yc2EAAAABJQAAAgEAg+0v9spZ0ZaBmgK3eVWJmY1Q4bNYcuY/uZDn
c0JFPXgn9dA5r44GksqIEpYjkbMZf61Nkwazz4Cfxw4byS/HeajYP8Rs/eWXV6dh
k829tqvqSLN6TwH+v49MllGpiHbiVGyoRvzfPgUVddN1j8cMEIJHgVJk4AS4fJmx
Mp+2wMFWGldJ5xlUaOXO+XaOaTlAFYimgdYNbO7x4+vMRtrqp3ORJJZ5Tdf0JuFp
cUHRlV46e2FL1FZ8p2PDLVUiAlg8o8yxI8D52r0A5VQToKz3wKUchTWIWqRmIfOR
fS5jJz8+yTb/swkFs4FzAEpxD8CgvArz7ewTkna0zm8/wbysZCH1lKyce7AmZCp9
lm1Nsythl+6ztB9M01AbzBo2ElVo3GZHEr3AclsON8aCKgf8hVaZww5BqN1YHvUj
dKH0Mb8i0zLs+XFSgV7rYXg1EcHyBqsRFAi5OdkuGwd5D2NfWkcwk2XBsi6qG8bP
951MlHi0SuiMTSTmskdf1OyzzIFaPYjaW9VQe36tg07MsBP48KOPEB4803k35gWx
Sw2nxAO4O9KisYNCfw0SHna9RiAWRsyykLUTe6Z39vzppTEiC+j2f6IQs9Celk4S
s9r8IIoI0yswtvc/DsJBLd8y0CmNwyZof9L5MSY1RlcBiCykUPh1Z+UFLEYrFBa1
qQCAwU8=
---- END SSH2 PUBLIC KEY ----
    • THIS output could be directly used within Cisco-IOS command syntax:
      • C:>egrep "^[a-zA-Z0-9+\/=]+$" labuser.pub
AAAAB3NzaC1yc2EAAAABJQAAAgEAg+0v9spZ0ZaBmgK3eVWJmY1Q4bNYcuY/uZDn
c0JFPXgn9dA5r44GksqIEpYjkbMZf61Nkwazz4Cfxw4byS/HeajYP8Rs/eWXV6dh
k829tqvqSLN6TwH+v49MllGpiHbiVGyoRvzfPgUVddN1j8cMEIJHgVJk4AS4fJmx
Mp+2wMFWGldJ5xlUaOXO+XaOaTlAFYimgdYNbO7x4+vMRtrqp3ORJJZ5Tdf0JuFp
cUHRlV46e2FL1FZ8p2PDLVUiAlg8o8yxI8D52r0A5VQToKz3wKUchTWIWqRmIfOR
fS5jJz8+yTb/swkFs4FzAEpxD8CgvArz7ewTkna0zm8/wbysZCH1lKyce7AmZCp9
lm1Nsythl+6ztB9M01AbzBo2ElVo3GZHEr3AclsON8aCKgf8hVaZww5BqN1YHvUj
dKH0Mb8i0zLs+XFSgV7rYXg1EcHyBqsRFAi5OdkuGwd5D2NfWkcwk2XBsi6qG8bP
951MlHi0SuiMTSTmskdf1OyzzIFaPYjaW9VQe36tg07MsBP48KOPEB4803k35gWx
Sw2nxAO4O9KisYNCfw0SHna9RiAWRsyykLUTe6Z39vzppTEiC+j2f6IQs9Celk4S
s9r8IIoI0yswtvc/DsJBLd8y0CmNwyZof9L5MSY1RlcBiCykUPh1Z+UFLEYrFBa1
qQCAwU8=
  2. Generate RSA-Key: Linux as SSH-Client
    • there might already exist a rsa-key in the „.ssh“-path of your home-directory
      • $ cd ~/.ssh/
$ ls -l
total 20
-rw------- 1 administrator administrator 1675 Aug 28 09:43 id_rsa
-rw-r--r-- 1 administrator administrator  405 Aug 28 09:43 id_rsa.pub
-rw-r--r-- 1 administrator administrator  222 Aug 28 11:07 known_hosts

      $ cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCohMsS3gJ/OcF4Hg43mKeVHKWl2lECCn0iZQu9QSrUjAb4PVHWXIbj11yy5Jh/ygMys0n9IED6357fkRmq8Cc8ujpU0sCen7kBFUt3UqbLg1PLT9wMmJAEv4dcxbX9WRvwYXjLd8+EgDYDmrj7vTB3xIvw1I2WWuUK2jPWbVI57vbyGtw224Qb9Qk0KQfyGiTvErZnddDg65/rn9Pyt7FQlzCwUPH0nyJVoFhiYYJYJszTKc8BTFB6VdIbALHc4atFmjYt7YDUvEvaZqOL+zwQtr7FmXsZ5oaRGV6ZChuBPTpNEL41w/Il1mSJicRykpD90O2AxlUFebQfABTWadnr administrator@lx-ubuntu

      The RFC states that the key should get split into multiple lines containing max. 72 characters.

    • use
      • „cut“ to extract the encoded-key
      • „fold“ to split the key into multiple lines
      • $ cut -d " " -f 2 id_rsa.pub
AAAAB3NzaC1yc2EAAAADAQABAAABAQCohMsS3gJ/OcF4Hg43mKeVHKWl2lECCn0iZQu9QSrUjAb4PVHWXIbj11yy5Jh/ygMys0n9IED6357fkRmq8Cc8ujpU0sCen7kBFUt3UqbLg1PLT9wMmJAEv4dcxbX9WRvwYXjLd8+EgDYDmrj7vTB3xIvw1I2WWuUK2jPWbVI57vbyGtw224Qb9Qk0KQfyGiTvErZnddDg65/rn9Pyt7FQlzCwUPH0nyJVoFhiYYJYJszTKc8BTFB6VdIbALHc4atFmjYt7YDUvEvaZqOL+zwQtr7FmXsZ5oaRGV6ZChuBPTpNEL41w/Il1mSJicRykpD90O2AxlUFebQfABTWadnr

$ cut -d " " -f 2 id_rsa.pub | fold -b -w 72
AAAAB3NzaC1yc2EAAAADAQABAAABAQCohMsS3gJ/OcF4Hg43mKeVHKWl2lECCn0iZQu9QSrU
jAb4PVHWXIbj11yy5Jh/ygMys0n9IED6357fkRmq8Cc8ujpU0sCen7kBFUt3UqbLg1PLT9wM
mJAEv4dcxbX9WRvwYXjLd8+EgDYDmrj7vTB3xIvw1I2WWuUK2jPWbVI57vbyGtw224Qb9Qk0
KQfyGiTvErZnddDg65/rn9Pyt7FQlzCwUPH0nyJVoFhiYYJYJszTKc8BTFB6VdIbALHc4atF
mjYt7YDUvEvaZqOL+zwQtr7FmXsZ5oaRGV6ZChuBPTpNEL41w/Il1mSJicRykpD90O2AxlUF
ebQfABTWadnr
    • otherwise generate a new rsa key-pair („newid_rsa“) 
      • $ ssh-keygen -t rsa -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/home/administrator/.ssh/id_rsa): newid_rsa
Enter passphrase (empty for no passphrase): *****
Enter same passphrase again: *****
Your identification has been saved in newid_rsa.
Your public key has been saved in newid_rsa.pub.
The key fingerprint is:
SHA256:4g/JkvpFQmlTaOE2VQAZ9IHfz/+6NJiI8W/WVt9TJGA administrator@lx-ubuntu
The key's randomart image is:
+---[RSA 4096]----+
|   .=B=o.        |
|   .== .    E    |
|   .O...   . .   |
|   + o. .     . .|
|    . + So     o |
|     * * .oo  . .|
|    o B o ooo. .o|
|   . o o .o.+. .o|
|  ...   .o..o+. .|
+----[SHA256]-----+

$ ls -l
total 36
...
-rw------- 1 administrator administrator 3326 Oct 18 07:19 newid_rsa
-rw-r--r-- 1 administrator administrator  749 Oct 18 07:19 newid_rsa.pub
  3. IOS-Router: Add those public-keys to your IOS-Config
    • i’ll use both clients (linux & windows) with the same cisco-user-account „labuser“
      • conf t
ip ssh pubkey-chain
username labuser
  key-string
AAAAB3NzaC1yc2EAAAABJQAAAgEAg+0v9spZ0ZaBmgK3eVWJmY1Q4bNYcuY/uZDn
c0JFPXgn9dA5r44GksqIEpYjkbMZf61Nkwazz4Cfxw4byS/HeajYP8Rs/eWXV6dh
k829tqvqSLN6TwH+v49MllGpiHbiVGyoRvzfPgUVddN1j8cMEIJHgVJk4AS4fJmx
Mp+2wMFWGldJ5xlUaOXO+XaOaTlAFYimgdYNbO7x4+vMRtrqp3ORJJZ5Tdf0JuFp
cUHRlV46e2FL1FZ8p2PDLVUiAlg8o8yxI8D52r0A5VQToKz3wKUchTWIWqRmIfOR
fS5jJz8+yTb/swkFs4FzAEpxD8CgvArz7ewTkna0zm8/wbysZCH1lKyce7AmZCp9
lm1Nsythl+6ztB9M01AbzBo2ElVo3GZHEr3AclsON8aCKgf8hVaZww5BqN1YHvUj
dKH0Mb8i0zLs+XFSgV7rYXg1EcHyBqsRFAi5OdkuGwd5D2NfWkcwk2XBsi6qG8bP
951MlHi0SuiMTSTmskdf1OyzzIFaPYjaW9VQe36tg07MsBP48KOPEB4803k35gWx
Sw2nxAO4O9KisYNCfw0SHna9RiAWRsyykLUTe6Z39vzppTEiC+j2f6IQs9Celk4S
s9r8IIoI0yswtvc/DsJBLd8y0CmNwyZof9L5MSY1RlcBiCykUPh1Z+UFLEYrFBa1
qQCAwU8=
exit
username labuser
  key-string    
AAAAB3NzaC1yc2EAAAADAQABAAABAQCohMsS3gJ/OcF4Hg43mKeVHKWl2lECCn0iZQu9QSrU
jAb4PVHWXIbj11yy5Jh/ygMys0n9IED6357fkRmq8Cc8ujpU0sCen7kBFUt3UqbLg1PLT9wM
mJAEv4dcxbX9WRvwYXjLd8+EgDYDmrj7vTB3xIvw1I2WWuUK2jPWbVI57vbyGtw224Qb9Qk0
KQfyGiTvErZnddDg65/rn9Pyt7FQlzCwUPH0nyJVoFhiYYJYJszTKc8BTFB6VdIbALHc4atF
mjYt7YDUvEvaZqOL+zwQtr7FmXsZ5oaRGV6ZChuBPTpNEL41w/Il1mSJicRykpD90O2AxlUF
ebQfABTWadnr
exit

exit
exit
end
    • Now two RSA-keys are valid to authenticate the user „labuser“
      • The Router stores only the key-hashes:
      VBOX-CSR-1#show run | section key-chain
ip ssh pubkey-chain
  username labuser
   key-hash ssh-rsa CE7178C1D6D025F7EA5345CCBA22ED54
   key-hash ssh-rsa ABBF42AB330CA79B235FB369FCC4D53E
    • btw. look (above) – puttygen displayed the hash
      • ssh-rsa 4096 ce:71:78:c1:d6:d0:25:f7:ea:53:45:cc:ba:22:ed:54

      so you could save time to just configure the hash.

  4. Prove SSH-Client-access: Linux
    • Who am i?
      • $ who
administrator pts/0        Oct 18 17:37 (192.168.56.1)

      Linux re-uses the name of the current linux-user to login into the ssh-device unless a user is specified

      $ ssh 192.168.56.102
Password:

      The IOS-Router prompts for a password for users who have no known-public-key in the running-config – and there is no public-key for a user named „administrator“.

      • This is the default-behaviour:
      (config)# ip ssh server algorithm authentication publickey keyboard password
      • Change this undesired behaviour (disable „keyboard“ and „password“):
      conf t
  ip ssh server algorithm authentication publickey
end
        Now the router blocks the access since the publickey of „administrator“ is not known.
      $ ssh 192.168.56.102
administrator@192.168.56.102: Permission denied (publickey).
    • Let the linux-user „administrator“ log into the router as „labuser“:
      • Manually specify a username to use and gain CLI access
      • $ ssh -l labuser 192.168.56.102

VBOX-CSR-1>who
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:02:43
*  1 vty 0     labuser    idle                 00:00:00 192.168.56.101
    • You don’t want to configure an „enable secret“-password in 2018..
      • VBOX-CSR-1>enable
% No password set
      • configure a local user-privilege or use for example the Cisco ISE for centralized Authorization and additional Accounting if needed.
        • conf t
  username labuser privilege 15
end
      • Check – you’ll access privileged-mode immediately
        • $ ssh -l labuser 192.168.56.102

VBOX-CSR-1#who
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:00:10
*  1 vty 0     labuser    idle                 00:00:00 192.168.56.101

  Interface    User               Mode         Idle     Peer Address

VBOX-CSR-1#show priv
Current privilege level is 15
  5. Prove SSH-Client-access: Windows/Putty
    • Specify the „Auto-Login-Username“: „labuser“

    • Specify the private-key-file (*.ppk)

    • [Open]
      • since the ppk-file was password-protected (in PuttyGen) this password has to be entered:

      • privilege-15 access for the windows-user

      [btw. the linux-ssh-client „labuser“ is still logged in]

That’s all.

Veröffentlicht am

Chrome – Using with HTTPs-Proxy

Security is important.

But sometimes it’s important, too, to be productive, for example during work hours.

Maybe at a trusted customer site with a restrictive security policy to intercept all HTTPs-Traffic using a customer-provided certificate which never fits to the visited web-sites.

Most of my technical research jobs using Google aren’t secret, otherwise I won’t pass them to Google, so HSTS for at least Google-Sites doesn’t makes sense in these cases.

Google knows that and invented the no-HSTS-Switch:
--ignore-certificate-errors

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --ignore-certificate-errors

Thank you!