Better SSH Management with Keepass and Putty

Out of the box Keepass recognizes the ssh:// URI scheme and opens it with Putty. However, it is limited: you can't change the port from the default 22, nor can you save a convenient list of port forwards. Thankfully this is something you can change.

Things you will need:

  1. Keepass
  2. Putty
  3. Keeagent

Alternatively you can do an easy install with the Windows package manager Chocolatey:

choco install putty.install keepass.install keepass-plugin-keeagent -y

URL overrides

We will now define a new ssh:// override globally in Keepass. It is also possible to do so per entry, for portability; however, I do not use this feature as I run Linux at home and use a separate override on that system.

  1. Tools -> Options
  2. Integration tab
  3. URL Overrides

  1. Click the add button
  2. Enter ssh in the Scheme field
  3. Enter the following in the URL override field: cmd://putty {T-REPLACE-RX:/{S:Forwards}/\{S:Forwards\}/ /} -P {T-REPLACE-RX:/{BASE:PORT}/-1/22 /} {BASE:HOST} -l {USERNAME}. Note: add -pw {PASSWORD} to the end if you wish to submit your password automatically. Just be aware this could be considered slightly insecure.

The Keepass entry

  1. Create an entry as you normally would, adding the ssh:// URL.

Note: to use a non-default port, just use ssh://example.tld:222

  2. If you need port forwards, add them under the Advanced tab as a string field named Forwards, in the following format: -L 6080:127.0.0.1:6080 -L 444:10.1.1.1:444

Now when you open the url you will have your putty session with port changes and port forwards.

Breaking it down

  1. cmd://putty

    Opens putty via a shell command

  2. {T-REPLACE-RX:/{S:Forwards}/\{S:Forwards\}/ /}

    If the string field Forwards doesn't exist, delete the literal string {S:Forwards} that would otherwise be left in the command

  3. -P {T-REPLACE-RX:/{BASE:PORT}/-1/22 /}

    The {BASE:PORT} placeholder returns -1 if the URL does not specify a port. If this happens, replace it with the default SSH port, 22

  4. {BASE:HOST}

    The Hostname/IP address part of the URL

  5. -l {USERNAME} -pw {PASSWORD}

    Log in with the username and (optionally) the password of the entry
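To see how the two placeholder tricks combine, here is an added Python model of the expansion (not Keepass's own code and not part of the original post). It assumes the simplified rules that a {S:...} placeholder for a string field the entry lacks is left as literal text and that T-REPLACE-RX runs its regex over its already-expanded text; the entries it is run on are constructed.

```python
"""Model of how Keepass expands the ssh:// URL override from this post.

Constructed example, not Keepass's own code; see the assumptions in the text.
"""
import re
from urllib.parse import urlsplit

OVERRIDE = (r"cmd://putty {T-REPLACE-RX:/{S:Forwards}/\{S:Forwards\}/ /}"
            r" -P {T-REPLACE-RX:/{BASE:PORT}/-1/22 /} {BASE:HOST} -l {USERNAME}")

# {T-REPLACE-RX:<sep>text<sep>search<sep>replace<sep>}: the separator is the
# first character after the colon (here "/").
_RX = re.compile(r"\{T-REPLACE-RX:(.)(.*?)\1(.*?)\1(.*?)\1\}")

def expand_override(url, username, fields=None):
    """Return the command line Keepass would hand to the shell for one entry.

    url      -- the entry URL, e.g. ssh://example.tld:222
    username -- the entry's user name
    fields   -- custom string fields, e.g. {"Forwards": "-L 6080:127.0.0.1:6080"}
    """
    fields = fields or {}
    parts = urlsplit(url)
    if parts.scheme != "ssh" or not parts.hostname:
        raise ValueError("expected an ssh://host[:port] URL")
    # {BASE:PORT} is -1 when the URL has no port; the second T-REPLACE-RX
    # rewrites that to the default 22.
    values = {
        "{BASE:HOST}": parts.hostname,
        "{BASE:PORT}": str(parts.port if parts.port is not None else -1),
        "{USERNAME}": username,
    }
    for name, value in fields.items():
        values["{S:%s}" % name] = value
    text = OVERRIDE
    for placeholder, value in values.items():
        text = text.replace(placeholder, value)
    # A {S:Forwards} with no matching field is still literal here, which is
    # exactly what the first T-REPLACE-RX searches for and blanks out.
    return _RX.sub(lambda m: re.sub(m.group(3), m.group(4), m.group(2)), text)

def putty_argv(url, username, fields=None):
    """Split the expanded command into Putty's arguments, minus the cmd:// prefix."""
    cmd = expand_override(url, username, fields)
    if cmd.startswith("cmd://"):
        cmd = cmd[len("cmd://"):]
    return cmd.split()
```

Running putty_argv for an entry with and without a Forwards field shows the forwards being inserted in one case and the stray placeholder being removed in the other, with the port defaulting to 22 whenever the URL omits it.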

Are Email Clients Insecure?

@bryanleeward asked on the thunderbird discourse:

PLEASE HELP… this affects many Thunderbird & gmail users:

Every few months I get “Security” alerts from Google re my gmail Security Settings, saying: “Turn off less secure access.” IF I do that, then I can’t boot Thunderbird! I’ve had the same problem with Thunderbird-gmail using Debian, Trisquel, and Ubuntu.

Yet ironically, when I receive these Google alerts, Thunderbird also gives me a warning - “To protect your privacy, Thunderbird has blocked remote content in this message.”

I.e. to get Thunderbird and gmail to work together, I have to disregard BOTH your security alerts! WHY? But more importantly:

  1. Is there a way to keep max Google Security Settings AND still use Thunderbird?
  2. Is Thunderbird really less secure, even with other email systems?

Thanks for any help, Bryan

Google considers all third-party access to email, i.e. Thunderbird, Outlook etc., to be less secure than the web interface. This is both correct and incorrect depending on your situation. Google’s max security disables third-party access to your emails; this allows them to block bad IPs, use two-factor auth and use browser fingerprinting to detect illegitimate access.

Thunderbird is not insecure at all. Google just wants the majority of users to go through a more limited access method.

I don’t ever see such emails because I enabled two-factor auth and use an app password with a scope limited to the Mail app. Consider going this route if it concerns you.

Thunderbird blocks remote content, i.e. it stops images and other files from being loaded from the internet when viewing an email. As email is mostly HTML, automatically loading images from the web is not a great idea security-wise. Initially this will be a pain point, but you eventually build up a whitelist of legitimate remote content: nice and secure.

I recommend allowing remote content by domain name rather than by sender address, as that’s harder to spoof than an email address.

Customizing the Nextcloud Mail App

As the mail app developers don’t want to add a horizontal reading pane to the app, I have been using the Custom CSS app to do so. I also wrote a quick user script to automatically expand all my folders, as that isn't an option in the mail app.


Horizontal reading pane in mail app

Note: Tested in Firefox and Nextcloud 15

Usage:

  1. Know what you are doing.
  2. Install the custom css app.
  3. Navigate to Admin -> Theming.
  4. Paste the contents of this CSS file into the custom CSS text area.
  5. Save.

Currently I have:

  • [x] The basic Horizontal layout
  • [x] Added a resize to the message list so you can drag it up and down for simpler management of mail
  • [x] Added a yellow highlight to the "The images have been blocked to protect your privacy" notification
  • [x] Added the color #ebebeb as the message header background to better separate panes
  • [x] Added a thick border color #ebebeb to the top of the reply field to better separate it from the current message
  • [x] Shrunk the load more messages scroll down area
  • [x] Realigned the empty messages background
  • [x] Changed subfolder background color from gradient to solid
  • [x] Added indicator line to subfolder Parent
  • [x] Added indicator line and Bold text to open Parent Folder

Auto Expand mail folders using GreaseMonkey

Requirements:

  1. The Latest Firefox
  2. Greasemonkey 4.3 or greater

Open the Greasemonkey dashboard and click the + sign to add a new script.

Paste the following code, changing yourdomain.tld to your domain:

// ==UserScript==
// @name     Nextcloud Mail Expand folders
// @namespace   https://yourdomain.tld/
// @include     https://yourdomain.tld/apps/mail/*
// @require     https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js
// @require     https://gist.github.com/raw/2625891/waitForKeyElements.js
// @version  1
// @grant    NEXTCLOUDMAIL
// ==/UserScript==

/* Paste Here */

// Keep the script's own jQuery separate from the one the Nextcloud page loads
this.$ = this.jQuery = jQuery.noConflict(true);

console.log('[ NMEF ] - Waiting');
// Run expandALL once the folder list (.navigation-account) exists; true = run only once
waitForKeyElements(".navigation-account", expandALL, true);

function expandALL() {
  console.log('[ NMEF ] - Expand ALL Folders');
  // Open the collapsed account section first, then each collapsible folder
  $('.account-toggle-collapse').trigger("click");
  console.log('[ NMEF ] - Expand individual Folders');
  $('.with-counter.collapsible > button').trigger('hover').trigger("click");
  $('.with-counter.collapsible.ui-droppable > button').trigger('hover').trigger("click");
}

Note: this loads the remote content jQuery and waitForKeyElements.js. If you wish to have them bundled locally, open the // @require links and paste their contents at the /* Paste Here */ line. Then just delete the lines:

// @require     https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js
// @require     https://gist.github.com/raw/2625891/waitForKeyElements.js
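The bundling step above can be done on the script text instead of by hand. This is an added Python example, not part of the original post: it takes the library sources you fetched from the @require URLs, pastes them at the /* Paste Here */ marker, removes the @require lines and records a SHA-256 of what was inlined. The library contents in SAMPLE_LIBS are constructed stand-ins, not the real jQuery or waitForKeyElements.

```python
"""Bundle a Greasemonkey script's // @require libraries into the script itself.

Added example, not from the post: it performs the manual step described above
(paste each library at /* Paste Here */, delete the @require lines) on the text.
The library contents below are constructed stand-ins, not the real libraries.
"""
import hashlib
import re

MARKER = "/* Paste Here */"
# One header directive per line: "// @require <url>" (the whole line is removed)
_REQUIRE = re.compile(r"^//[ \t]*@require[ \t]+(\S+)[ \t]*\n?", re.MULTILINE)

SAMPLE_SCRIPT = """// ==UserScript==
// @name     Nextcloud Mail Expand folders
// @require     https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js
// @require     https://gist.github.com/raw/2625891/waitForKeyElements.js
// @version  1
// ==/UserScript==

/* Paste Here */

console.log('[ NMEF ] - Waiting');
"""
SAMPLE_LIBS = {  # constructed stand-ins keyed by the post's @require URLs
    "https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js":
        "var jQuery = function () {};",
    "https://gist.github.com/raw/2625891/waitForKeyElements.js":
        "function waitForKeyElements() {}",
}

def inline_requires(script, fetched):
    """Return (bundled_script, digests).

    script  -- userscript source text
    fetched -- {url: library source} for every @require URL in the header
    digests -- {url: sha256 hex} of what was inlined, for your own records
    """
    urls = _REQUIRE.findall(script)
    missing = [u for u in urls if u not in fetched]
    if missing:
        raise KeyError("no contents supplied for: " + ", ".join(missing))
    if script.count(MARKER) != 1:
        raise ValueError("script must contain exactly one %r marker" % MARKER)
    digests = {u: hashlib.sha256(fetched[u].encode()).hexdigest() for u in urls}
    # Keep @require order: waitForKeyElements needs jQuery loaded first.
    bundle = "\n\n".join("/* inlined from %s */\n%s" % (u, fetched[u].rstrip())
                         for u in urls)
    return _REQUIRE.sub("", script).replace(MARKER, bundle), digests
```

The resulting script keeps its header and body unchanged apart from the removed directives, so it can be pasted straight back into the Greasemonkey editor.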

Have I Been Pwned Check

It's 2019 and information security is a hot topic these days. Old stuffy bosses everywhere are asking about the company's security exposure; really they should be asking about their own security exposure. Hackers often target the older management types because they lack the knowledge to care about, or properly secure, their own passwords.

I created this simple Python script to sit in cron, check a list of the company's emails and then issue a nicely formatted email.

Mako

For the emails I used smtplib and, most importantly, I generated the HTML using the Mako template engine.

Mako is fantastic. I was first exposed to it when fiddling around with the Nikola blogging engine (this blog is built with Nikola). After figuring out the ins and outs of Mako you can string together a fairly robust template. I also use this with my signature generator.

Python Boilerplate

Long ago I discovered that in my little projects I was often repeating what I did, over and over again. Building a sensible boilerplate has been the best thing I have done so far.

The script is available on GitHub for free under the MIT License.

A New Site

It's been almost 12 years since I last had a blog and here I am again. I have learnt many things since then and look forward to putting them into practice.

At the time of writing this site only features the artwork I have posted to Instagram, and you would have come here from either Twitter or Mastodon. Thanks for that!

I'll be adding more content during 2019.

Buy me a Beer


Bitcoin

Bitcoin Address: 155xGQ2sPt2BAbmLUp5myyfjLmAm3c8pPP


Litecoin

Litecoin Address: LNiBt4ksgDgTqGq4BYcLS8vtNkdn1Lrmmh