Secure Cartography is a secure, Python-based network discovery and mapping tool designed for network engineers and IT professionals. It leverages SSH-based device interrogation to automate network discovery, visualize network topologies, and merge network maps across multi-vendor environments.
Keychain helps you to manage SSH and GPG keys in a convenient and secure manner. It acts as a frontend to ssh-agent and ssh-add, but allows you to easily have one long running ssh-agent process per system, rather than the norm of one ssh-agent per login session.
This dramatically reduces the number of times you need to enter your passphrase: with keychain you enter it once per reboot of your local machine. Keychain also makes it easy for remote cron jobs to securely "hook in" to the long-running ssh-agent process (they source the small file keychain writes under ~/.keychain, which exports SSH_AUTH_SOCK), so your scripts can use key-based logins.
If your workflow is such that you have one terminal window but multiple tabs, this will fix quite a few annoyances.
Github: https://github.com/funtoo/keychain
Works very well on Linux; I've been using it for years. Also works on OSX; it's in Homebrew.
Vuls is an open-source, agentless vulnerability scanner that draws on multiple vulnerability databases (NVD, JVN, OVAL, RHSA/ALAS/ELSA/FreeBSD-SA) and on package changelogs. Recent versions also detect vulnerabilities for which the distributor has not yet published a patch. It runs from a single machine and does its work over SSH, so there is no agent software to install or manage on the targets. Remote scan mode needs only one machine with SSH access to the scan targets; if you don't want a central Vuls server connecting to every host over SSH, use Local Scan mode, where Vuls runs on the target itself. Fast scan mode needs no root privilege and no internet access on the target and puts almost no load on it; deep scan mode inspects in more detail. It can also detect vulnerabilities in non-OS packages (software you compiled yourself, language libraries and frameworks), provided they are registered by CPE name.
While xthulu is intended to be a community server with multiple avenues of interaction (e.g. terminal, browser, REST API), its primary focus is to provide a modern SSH terminal interface which pays homage to the bulletin boards of the 1990s. Rather than leaning entirely into DOS-era nostalgia, modern character sets (UTF-8) and terminal capabilities are taken advantage of.
WezTerm is a powerful cross-platform terminal emulator and multiplexer written by @wez and implemented in Rust. Runs on Linux, macOS, Windows 10 and FreeBSD. Multiplexes terminal panes, tabs and windows on local and remote hosts like GNU Screen or tmux, with native mouse and scrollback. Ligatures, color emoji and font fallback, with true color and dynamic color schemes. Scrollback buffer search. SGR-style mouse reporting. Renders underline, double-underline, italic, bold, strikethrough. Has an SSH client built in. Can connect to serial ports as a client. iTerm2-compatible image protocol support. Kitty graphics support.
Configuration files are written in Lua. Hot reloading is active by default.
Github: https://github.com/wez/wezterm
Devzat is a custom SSH server that takes you to a chat instead of a shell prompt. Because there are SSH clients for every platform (even phones), you can connect to Devzat from any device!
Supports commands, rooms (channels?), Markdown formatting, private messages, and pseudo-shell commands.
SSH-Snake is a powerful tool designed to perform automatic network traversal using SSH private keys discovered on systems, with the objective of creating a comprehensive map of a network and its dependencies, identifying to what extent a network can be compromised using SSH and SSH private keys starting from a particular system.
SSH-Snake can automatically reveal the relationship between systems which are connected via SSH, which would normally take a tremendous amount of time and effort to perform manually. It's completely self-replicating and self-propagating -- and completely fileless. In many ways, SSH-Snake is actually a worm: It replicates itself and spreads itself from one system to another as far as it can. SSH-Snake takes a depth-first approach to discovery: once it connects to one system, it tries to connect further from that system before backtracking.
A collection of wrapper scripts that make it easy to run some of the more obscure ssh features without having to read the manpage every time.
In the AUR.
CryptoLyzer is a fast and flexible server cryptographic settings analyzer library for Python with an easy-to-use command line interface with both human- and machine-readable output. It works with multiple cryptographic protocols (SSL/TLS, opportunistic TLS, SSH) and analyzes additional security mechanisms (web security related HTTP response header fields, JA3 tag).
This repo contains the PDF book The Cyber Plumber's Handbook - The definitive guide to Secure Shell (SSH) tunneling, port redirection, and bending traffic like a boss. The book was first published in October 2018 for purchase, but now I'm providing it for FREE to anyone interested in learning more about the magic of SSH tunnels and port redirection.
Repo contains the PDF for download. Licensed CC BY-NC 4.0.
ssh-audit is a tool for ssh server and client configuration auditing. Analyzes client and server configuration, connection negotiation parameters, and cryptographic settings and outputs a security report. Has no dependencies.
Prefer using SSH over HTTP(S) for git.
In your ~/.gitconfig file:
[url "git@github.com:"]
insteadOf = http://github.com/
insteadOf = https://github.com/
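To confirm the rewrite is actually in effect without touching the network, as an added example that is not part of the original page: git is assumed to be installed, the temporary HOME layout and the octocat URL are made up, and git ls-remote --get-url only expands the URL through url.<base>.insteadOf and exits.

```shell
#!/bin/sh
# Check that a gitconfig rewrites GitHub HTTP(S) URLs to SSH, and show what
# git would really dial. Added example, not from the page. No network I/O.

# Constructed sample: the page's snippet written to a throwaway HOME, so the
# check never reads or modifies your real ~/.gitconfig.
DEMO_HOME=$(mktemp -d)
trap 'rm -rf "$DEMO_HOME"' EXIT
cat > "$DEMO_HOME/.gitconfig" <<'EOF'
[url "git@github.com:"]
    insteadOf = http://github.com/
    insteadOf = https://github.com/
EOF

# has_ssh_rewrite CONFIG: exit 0 if CONFIG maps https://github.com/ to git@github.com:
has_ssh_rewrite() {
  git config -f "$1" --get-all 'url.git@github.com:.insteadof' 2>/dev/null |
    grep -qx 'https://github.com/'
}

# rewritten_url URL: print the URL git would use with $DEMO_HOME/.gitconfig as
# the only user-level config (HOME is pointed at it, system config is ignored).
# Runs inside a scratch repo under DEMO_HOME so the caller's cwd does not matter.
rewritten_url() {
  HOME=$DEMO_HOME GIT_CONFIG_NOSYSTEM=1 \
    git -C "$DEMO_HOME/repo" ls-remote --get-url "$1"
}

if command -v git >/dev/null 2>&1; then
  HOME=$DEMO_HOME GIT_CONFIG_NOSYSTEM=1 \
    git -c init.defaultBranch=main init -q "$DEMO_HOME/repo"
  has_ssh_rewrite "$DEMO_HOME/.gitconfig" && echo "rewrite rule present"
  rewritten_url https://github.com/octocat/Hello-World   # git@github.com:octocat/Hello-World
  rewritten_url ssh://git@example.org/repo.git           # not matched, printed unchanged
fi
```

Run the same two commands against your own config with `git config --global --get-all url.git@github.com:.insteadof` and a plain `git ls-remote --get-url <url>`. If you only want SSH for pushes (anonymous HTTPS fetches of public repos need no key at all), git-config's `url.<base>.pushInsteadOf` gives that split instead of `insteadOf`.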
Wants to be the "cryptographic right answers" document, but for SSH.
Archived.
Maybe have Glitch monitor it?
/etc/ssh/sshd_config:
# "Protocol 2" is ignored (logged as deprecated) by OpenSSH 7.4 and later, which no longer speak SSH-1; harmless to keep for older hosts.
Protocol 2
# Key-only logins: publickey is the sole accepted method, and password or empty-password logins are refused outright.
AuthenticationMethods publickey
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
# Agent forwarding lets a compromised server use the client's keys; leave it off unless a host really needs it.
AllowAgentForwarding no
# The problem with having "MaxAuthTries 2" is, the more keys your
# SSH agent has, the more chances you'll have to get locked out.
# I set it to <my number of SSH keys> +2.
MaxAuthTries 10
MaxSessions 10
HostbasedAuthentication no
IgnoreRhosts yes
PermitRootLogin no
# Algorithm lists are in preference order; the first entry both sides support is used.
# Check what the daemon really offers (after Match blocks and defaults) with: sshd -T | grep -Ei '^(kexalgorithms|ciphers|macs) '
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
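An audit script for the settings above, added here and not part of the original page. It checks the effective configuration as sshd -T reports it rather than the file, because Match blocks, Include directives and compiled-in defaults can change what is actually enforced. The two dumps inside it are constructed samples, and the directive list and the weak-algorithm pattern are my own choices, not something the page prescribes.

```shell
#!/bin/sh
# Audit an sshd's effective settings against the hardening list above.
# Added example: feed it `sshd -T` output (one lowercase keyword per line).
# GOOD_DUMP / WEAK_DUMP below are constructed samples, not real servers.

# check_sshd_dump DUMP: print each directive that is missing or differs from
# the wanted value; exit 0 only when every one matches.
check_sshd_dump() {
  dump=$1
  failures=0
  for pair in \
      passwordauthentication=no   permitemptypasswords=no \
      x11forwarding=no            allowagentforwarding=no \
      hostbasedauthentication=no  ignorerhosts=yes \
      permitrootlogin=no          authenticationmethods=publickey; do
    key=${pair%%=*}
    want=${pair#*=}
    have=$(printf '%s\n' "$dump" | awk -v k="$key" '$1 == k { print $2; exit }')
    if [ -z "$have" ]; then
      echo "MISSING $key (not in sshd -T output)"
      failures=$((failures + 1))
    elif [ "$have" != "$want" ]; then
      echo "WEAK    $key=$have (want $want)"
      failures=$((failures + 1))
    fi
  done
  [ "$failures" -eq 0 ]
}

# weak_algos DUMP: list offered algorithms that should not be negotiable at all
# (SHA-1/MD5 based MACs and kex, CBC ciphers, RC4, 3DES, 64-bit UMAC tags).
weak_algos() {
  printf '%s\n' "$1" | awk '
    $1 == "ciphers" || $1 == "kexalgorithms" || $1 == "macs" {
      n = split($2, algo, ",")
      for (i = 1; i <= n; i++)
        if (algo[i] ~ /sha1|md5|cbc|arcfour|3des|umac-64/)
          print $1 ": " algo[i]
    }'
}

# Constructed sample 1: a server configured like the snippet above.
GOOD_DUMP='port 22
passwordauthentication no
permitemptypasswords no
x11forwarding no
allowagentforwarding no
hostbasedauthentication no
ignorerhosts yes
permitrootlogin no
authenticationmethods publickey
maxauthtries 10
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org
macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com'

# Constructed sample 2: stock-looking defaults plus legacy algorithms.
WEAK_DUMP='port 22
passwordauthentication yes
permitemptypasswords no
x11forwarding yes
allowagentforwarding no
hostbasedauthentication no
ignorerhosts yes
permitrootlogin yes
authenticationmethods any
maxauthtries 6
ciphers aes128-ctr,aes128-cbc,3des-cbc
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha1
macs hmac-sha2-256,hmac-sha1,hmac-md5'

# Stand-alone: audit the samples, or the live daemon with --live (needs root).
if [ "${1:-}" = "--live" ]; then
  live=$(sshd -T) || exit 1
  check_sshd_dump "$live"; weak_algos "$live"
else
  echo "== constructed compliant sample"
  check_sshd_dump "$GOOD_DUMP" && echo "all directives match"; weak_algos "$GOOD_DUMP"
  echo "== constructed weak sample"
  check_sshd_dump "$WEAK_DUMP" || echo "(mismatches above are expected)"; weak_algos "$WEAK_DUMP"
fi
```

The weak sample trips on four directives and five algorithms; the compliant one is silent. sshd -T resolves Match blocks for the connection described by -C, so audit the branch you care about (for example sshd -T -C user=deploy,host=bastion) when your config has per-user exceptions.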
Eternal Terminal (ET) is a remote shell that automatically reconnects without interrupting the session. It sits between an application and Unix TCP sockets and makes them robust to TCP disconnects, including roaming and connection failure. It implements some of the tmux user experience and even works with tmux control mode (tmux -CC). Bytes written and read are buffered so they can be replayed after a disconnection. It uses SSH for the initial connection and authentication; after that it switches to its own encrypted network protocol.
Apache Guacamole is a clientless remote desktop gateway. It supports standard protocols like VNC, RDP, and SSH.
We call it clientless because no plugins or client software are required.
Thanks to HTML5, once Guacamole is installed on a server, all you need to access your desktops is a web browser.
The original tilde?
Homepage of one of the tildes out there.
A good blog post about using SSH's little-known proxy functionality (dynamic port forwarding, ssh -D, which makes the local ssh client act as a SOCKS proxy) to tunnel traffic back through your home network so it can't be eavesdropped on the network you are sitting on. The best thing is, you don't have to set up a proxy on the other end, because sshd does it for you.
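The pieces of that setup as shell functions, added here and not taken from the post: "home" is an assumed ssh_config Host alias, 1080 an arbitrary local port, and the DNS-leak check reflects how curl treats socks5:// (names resolved locally, outside the tunnel) versus socks5h:// (names resolved by the proxy, i.e. at home).

```shell
#!/bin/sh
# SOCKS tunnel over ssh -D, with a control socket for clean teardown and a
# guard against the classic mistake of resolving DNS outside the tunnel.
# Added example; "home" and port 1080 are placeholders.

# Control socket path; ssh expands %r/%h/%p itself (user, host, port).
CTL=${CTL:-$HOME/.ssh/socks-%r@%h:%p.ctl}

# socks_up HOST [PORT]: background master connection (-M -S), no remote
# command (-N), SOCKS listener bound to loopback only; binding 0.0.0.0
# would turn your laptop into an open proxy for everyone on the LAN.
socks_up() {
  ssh -f -N -q -M -S "$CTL" -D "127.0.0.1:${2:-1080}" "$1"
}

# socks_down HOST: tell the master connection to exit.
socks_down() { ssh -S "$CTL" -O exit "$1"; }

# leaks_dns PROXY_URL: exit 0 when the scheme makes the client resolve
# hostnames itself (DNS bypasses the tunnel and can still be watched),
# 1 when the proxy resolves them (socks5h / socks4a), 2 if not SOCKS at all.
leaks_dns() {
  case $1 in
    socks5h://*|socks4a://*) return 1 ;;
    socks5://*|socks4://*)   return 0 ;;
    *) echo "not a SOCKS proxy URL: $1" >&2; return 2 ;;
  esac
}

# via_socks URL [PROXY_URL]: fetch URL through the tunnel, refusing a proxy
# scheme that would leak DNS. Default proxy is the listener socks_up opens.
via_socks() {
  proxy=${2:-socks5h://127.0.0.1:1080}
  if leaks_dns "$proxy"; then
    echo "refusing $proxy: hostnames would be resolved outside the tunnel" >&2
    return 1
  fi
  curl -sS --proxy "$proxy" "$1"
}

# Typical session (needs a reachable host, so it is not run automatically):
#   socks_up home && via_socks https://ifconfig.me && socks_down home
```

Browsers have the same trap: point them at the SOCKS5 proxy and enable "proxy DNS when using SOCKS v5" (or the equivalent setting), otherwise name lookups still go out over the local network in the clear.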
Have you ever tried to SSH into one of your boxes, only to get dropped with a "Too many authentication failures" error? Here's how to fix it (it's a server-side problem: the client offers every key in its agent and runs past the server's MaxAuthTries, which is the same trade-off noted in the sshd_config above; if you can't change the server, the client-side workaround is -o IdentitiesOnly=yes together with the right -i key).