curveprotect software (experimental)

using CurveCP to protect ssh

OpenSSH client configuration

Add to /etc/ssh/ssh_config or ~/.ssh/config:

ProxyCommand /opt/curveprotect/bin/nettunnel -u -c %h %p

or from the command line (replace user@host with your user and host):

ssh -o "ProxyCommand /opt/curveprotect/bin/nettunnel -u -c %h %p" user@host

OpenSSH server configuration

Replace the domain, IP, extension and CurveCP key directory below with your own.

  • domain
  • IP, port 22
  • extension 00000000000000000000000000000000
  • CurveCP key in directory /etc/ssh/key

  • prerequisites:

  • install daemontools
  • install curveprotect
  • as root, create the CurveCP key directory:

    /opt/curveprotect/bin/curvecpmakekey /etc/ssh/key

    as root, create a run script like this and run it under daemontools:

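    #!/bin/sh
    # send stderr to stdout so a daemontools log service captures both
    exec 2>&1
    PATH="/opt/curveprotect/bin:${PATH}"; export PATH
    # NAME (your domain) and IP (your server address) must be set before use
    export NAME
    KEYDIR=/etc/ssh/key; export KEYDIR
    IP=; export IP
    PORT=22; export PORT
    EXTENSION=00000000000000000000000000000000; export EXTENSION
    # curvecpserver accepts CurveCP connections and runs sshd in inetd mode (-i) for each one
    exec curvecpserver "${NAME}" "${KEYDIR}" "${IP}" "${PORT}" "${EXTENSION}" curvecpmessage sshd -i -e -D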

    insert the key and the extension into the DNS record:

  • how to do this is described here
  • check it:

    ssh -o "ProxyCommand /opt/curveprotect/bin/nettunnel -u -c %h %p"
    Linux 2.6.32-5-amd64 #1 SMP Sun May 6 04:00:17 UTC 2012 x86_64
    The programs included with the Debian GNU/Linux system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.
    Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
    permitted by applicable law.
    Last login: Fri Aug 24 22:19:34 2012 from UNKNOWN
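
The run script above is shown with NAME and IP left blank, so a check before the final exec catches an unedited copy. The sh function below is an added example, not part of curveprotect; the name check_curvecp_env and the rule that the key directory must not be group- or world-writable are assumptions of this example.

```shell
# Added example: validates the five values the run script passes to curvecpserver.
# check_curvecp_env is a hypothetical helper name, not a curveprotect tool.
# usage: check_curvecp_env NAME KEYDIR IP PORT EXTENSION
check_curvecp_env() {
    name=$1 keydir=$2 ip=$3 port=$4 ext=$5
    rc=0

    # NAME and IP are blank in the page's script; refuse to start with either empty.
    [ -n "$name" ] || { echo "NAME is empty" >&2; rc=1; }
    [ -n "$ip" ]   || { echo "IP is empty" >&2; rc=1; }

    # PORT must be a decimal integer in 1..65535.
    case $port in
        ''|*[!0-9]*) echo "PORT is not a number: $port" >&2; rc=1 ;;
        *) [ "$port" -ge 1 ] && [ "$port" -le 65535 ] ||
               { echo "PORT out of range: $port" >&2; rc=1; } ;;
    esac

    # EXTENSION is 32 hex digits (16 bytes), like the page's all-zero value.
    case $ext in
        *[!0-9a-fA-F]*) echo "EXTENSION has non-hex characters" >&2; rc=1 ;;
        *) [ "${#ext}" -eq 32 ] ||
               { echo "EXTENSION must be exactly 32 hex digits" >&2; rc=1; } ;;
    esac

    # KEYDIR must exist (created by curvecpmakekey) and, as an assumption of
    # this example, must not be writable by group or others.
    if [ ! -d "$keydir" ]; then
        echo "KEYDIR missing: $keydir" >&2; rc=1
    elif [ -n "$(find "$keydir" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "KEYDIR is group- or world-writable: $keydir" >&2; rc=1
    fi

    return $rc
}
```

In the run script, call it just before the final exec line: `check_curvecp_env "$NAME" "$KEYDIR" "$IP" "$PORT" "$EXTENSION" || exit 1`.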