Shortwave Radio for Clandestine Transmissions in the AI Era

Introduction

Contrary to popular belief, shortwave radio is far from obsolete - it remains a vital and evolving technology that, when combined with modern AI and electronics, can be transformed into a sophisticated tool for contemporary clandestine operations and modern warfare.

This document shows that shortwave radio serves as both a critical backup communication infrastructure and a valuable data source for AI development, particularly in signal processing and pattern recognition applications. When transmission is organised using AI and modern microelectronics, shortwave transmitters can be adapted to support modern clandestine operations in contemporary warfare scenarios, providing capabilities that modern digital networks cannot match.

The integration of AI with shortwave radio represents a convergence of traditional and cutting-edge technologies, creating new possibilities for communication, data collection, and technological advancement. The addition of NVIS (Near Vertical Incidence Skywave) beaming antenna techniques and tactical considerations expands the utility of shortwave radio into specialised operational domains where stealth, concealment, and operational security are paramount.

Important Disclaimer: This document is presented for educational and research purposes only. The author does not advocate using these techniques to wage war, conduct illegal activities, or incite ordinary people to start illegal shortwave transmissions. In peacetime all radio operations must comply with local and international regulations, licensing requirements, and legal frameworks. The technical information contained herein is intended for legitimate research, academic study, and authorized operational use only. Regulatory and legal issues cease to be a concern only where you are involved in a military conflict (war) or must survive a critical situation inflicted by a natural disaster.

Strategic Importance of Shortwave Radio for Clandestine Operations

Shortwave radio remains highly relevant in the AI era, offering unique opportunities for clandestine operations, resilient communication, AI development, global connectivity, and innovation platforms. Its role extends beyond traditional broadcasting to encompass sophisticated tactical operations supporting secure, regional communications with minimal detection and maximum operational security.

Clandestine Communication Infrastructure

Shortwave radio provides essential clandestine communication capabilities that modern digital networks cannot match. A significant portion of the shortwave spectrum has been abandoned by commercial broadcasters, creating clear frequency bands available for use by intelligence agencies and military forces on certain occasions. This abandoned spectrum provides unique opportunities for covert communications that are difficult to detect and intercept.

The decentralised nature of shortwave radio allows it to operate independently of centralised network providers, making it an invaluable tool for maintaining communications when modern networks are compromised or when operational security requires avoiding digital infrastructure entirely. This capability is critical for clandestine operations where traditional communication methods may be monitored or compromised.

AI-Enhanced Stealth and Pattern Recognition

Shortwave radio operations can be significantly enhanced through AI technology for hiding transmissions, creating or detecting specific patterns in signalling, and eliminating any traces of intentional transmission and data transfer. AI systems can analyse complex signal patterns to identify optimal transmission windows, automatically adjust transmission parameters to avoid detection, and create sophisticated masking techniques that make communications appear as natural interference or legitimate traffic.

The integration of AI enables advanced pattern recognition capabilities that can identify monitoring attempts, predict optimal transmission times based on environmental conditions, and automatically modify signal characteristics to blend with background noise. AI algorithms can also generate complex transmission patterns that are virtually impossible to distinguish from natural electromagnetic phenomena, whilst simultaneously detecting and avoiding hostile monitoring systems.

AI Applications and Use Cases

The intersection of AI and shortwave radio creates numerous opportunities for advanced applications in signal processing, pattern recognition, and intelligent communication systems.

Signal Processing and Pattern Recognition

AI systems can analyse voice patterns, accents, and speech characteristics from shortwave broadcasts, providing valuable training data for natural language processing applications. Machine learning algorithms can evaluate transmission quality and identify interference patterns, whilst AI can automatically select optimal frequencies based on atmospheric conditions. This intelligent frequency management is particularly valuable for NVIS operations where propagation conditions change rapidly.

Data Collection and Training

Shortwave radio captures diverse languages and dialects from global broadcasts, providing multilingual datasets for AI training. The cultural content available through shortwave broadcasts offers access to local programming and cultural information that may not be available through other sources. Real-time monitoring capabilities enable continuous data collection for AI training and analysis, while historical archives provide long-term data preservation for trend analysis.

Technical Integration Opportunities

The convergence of hardware and software in modern radio systems creates new possibilities for AI integration and intelligent operation.

Hardware-Software Convergence

Modern shortwave receivers built on Software-Defined Radio (SDR) (IEEE SDR Tutorial) can host AI processing locally on the radio device. Hybrid systems combining local and cloud-based AI provide the best of both worlds, whilst integration with Internet of Things (IoT Alliance) networks expands the scope of applications. Edge computing (NIST Edge Computing) capabilities allow AI processing to occur directly on radio devices, reducing latency and improving responsiveness.

Advanced Features

Real-time translation of broadcasts, AI-generated summaries of radio content, and sentiment analysis of broadcast content are now possible through AI integration. Predictive analytics can forecast signal conditions and optimal transmission times, whilst intelligent interference avoidance systems can automatically detect and avoid hostile interference. These capabilities are particularly valuable for tactical operations where manual intervention may not be possible.

Challenges and Considerations

Whilst the integration of AI with shortwave radio offers significant benefits, it also presents unique challenges that must be addressed for successful implementation. For instance, variable reception quality affects AI processing, requiring robust algorithms that can handle noisy signals. Bandwidth limitations compared to modern networks restrict the amount of data that can be transmitted, whilst complex electromagnetic interference patterns require sophisticated filtering techniques. Power requirements for both radio and AI processing must be carefully managed, especially in portable or battery-operated systems.

Radio Signaling Warfare and Tactical Considerations

The tactical use of shortwave radio requires sophisticated techniques for concealment, detection avoidance, and operational security. Modern clandestine operations face unique challenges that require innovative solutions combining traditional radio techniques with cutting-edge technology.

Short-Distance Shortwave Communication

NVIS (Near Vertical Incidence Skywave) (ARRL NVIS Guide) technology represents a critical innovation for tactical communications. NVIS antennas radiate signals nearly vertically upward, reflecting off the ionosphere (NOAA Space Weather) to cover regional areas of 0-650 kilometres depending on frequency and ionospheric conditions. This approach minimises ground wave propagation that can be easily detected, provides reliable regional coverage without line-of-sight requirements, and reduces signal footprint and detection probability.

The key to successful NVIS operation lies in proper antenna design and implementation. Antennas must be mounted 0.1-0.25 wavelengths above ground for optimal NVIS performance, with frequency selection varying between daytime (3-7 MHz, optimal 4-6 MHz) and nighttime (2-4 MHz, optimal 2-3 MHz) operations. Various antenna types including horizontal dipoles (Antenna Theory) at low height, inverted-V configurations (ARRL Antenna Book), horizontal loop antennas (DX Engineering), and sloping wire antennas can all be adapted for NVIS operation.

Portable NVIS Solutions

The wavelength considerations for NVIS frequencies present significant challenges for portable operations. At 3 MHz, wavelengths approach 100 metres, while 6 MHz corresponds to approximately 50 metres. Traditional full-size antennas would be impractical for portable use, necessitating innovative solutions.

Compact antenna solutions include loaded dipoles (Ham Radio Deluxe) using loading coils to electrically lengthen shorter physical antennas, trap antennas (Cushcraft) with resonant traps for different frequencies, magnetic loop antennas (Chameleon Antenna) that can be very small (1-3 metres diameter), end-fed half-wave antennas (MyAntennas) with matching networks, and portable vertical antennas with ground plane modifications.

Whilst smaller antennas have reduced efficiency compared to full-size versions, they maintain NVIS characteristics and enable portable operation. Loading coils typically reduce efficiency by 20-40% but enable portable operation, whilst magnetic loops can achieve 60-80% efficiency in compact form. Deployment options range from backpack systems and vehicle-mounted configurations to man-portable systems that can be set up in 5-15 minutes.

Stealth Antenna Design and Concealment

For tactical operations, antenna concealment is absolutely essential. Antennas must blend into the natural environment, avoiding metallic structures that reflect light or create shadows, and eliminating telltale geometric shapes that indicate man-made objects. Prevention of detection from ground, air, and satellite surveillance requires sophisticated concealment techniques.

Natural camouflage techniques include tree integration using existing trees as antenna supports with natural-looking wire runs, ground burial of antenna elements just below surface with natural ground cover, rock formation integration into natural rock formations and crevices, and vegetation cover using natural vegetation to hide antenna structures.

Stealth antenna types include invisible wire antennas using ultra-thin, non-reflective wire that disappears against background, buried ground plane antennas with ground plane buried beneath surface, natural material integration making antennas look like branches, vines, or natural debris, and distributed elements breaking antennas into multiple small, hidden components.

Construction materials must be carefully selected, including non-metallic conductors such as carbon fibre, conductive polymers, or treated natural materials, natural coatings using earth-tone paints, natural dyes, or organic camouflage materials, flexible elements that can conform to natural shapes and contours, and low-profile mounting with minimal support structures that blend with environment.

Power Isolation and Battery Systems

Grid connections represent a major vulnerability for signal detection and location. Power lines act as unintentional antennas, radiating RF signals that can be detected and traced back to transmitter location. Grid connections create detectable electromagnetic signatures and can interfere with transmission quality through grid noise and harmonics.

Complete isolation from the power grid is essential for stealth operations. Transmitters must operate entirely on battery power with no connection to electrical infrastructure. All power must come from portable battery sources, with batteries and power systems electromagnetically shielded to prevent signal leakage.

Battery system design requires high-capacity lithium-ion (Battery University) or lithium-polymer batteries (PowerStream) for long-duration operations, portable solar panels (Solar Energy Industries Association) for battery recharging in remote locations, redundant battery systems for extended operations, and intelligent power management to extend battery life. Power security measures include RF-shielded (IEEE EMC Society) battery compartments, ground isolation to prevent accidental grounding, high-quality power filtering to prevent conducted emissions, and battery monitoring without external connections.

Grounding Considerations and Ground Wave Control

Grounding presents a complex challenge for NVIS operations. Contrary to traditional radio engineering practices, proper grounding can actually increase ground wave propagation, which is undesirable for stealth operations. Good grounding improves overall antenna efficiency and radiation, leading to stronger signals in all directions and increased detection probability.

For NVIS operations where ground wave detection must be minimised, a minimal grounding strategy is required. This involves using minimal grounding to reduce ground wave component, considering floating the system ground to minimise earth coupling, grounding only essential components rather than the antenna system, and isolating antenna ground plane from earth ground.

Ground wave suppression techniques include keeping antennas well above ground to reduce ground coupling, using balanced transmission lines to minimise ground currents, modifying ground plane to favour skywave over ground wave, and choosing frequencies that naturally favour skywave propagation. Advanced grounding techniques include creating artificial ground plane that doesn't couple to earth, using elevated counterpoise instead of earth ground, preventing ground loops that can radiate signals, and using isolation transformers to break ground connections.

Harmonic Filtering and Signal Purity

Harmonic filtering is absolutely critical for stealth operations. Harmonics can be detected at 3-10 times the distance of the fundamental frequency, making them a major security vulnerability. Many monitoring systems specifically look for harmonics, which provide precise location information to direction finders.

Harmonic sources include transmitter output from non-linear amplification stages, antenna mismatches creating harmonic radiation, switching power supplies generating wideband harmonics, and digital circuits including clock signals and digital switching. Filtering requirements include low-pass filters to block harmonics above fundamental frequency, band-pass filters allowing only desired frequency band to pass, 60-80 dB rejection of harmonics required for stealth operation, and broadband suppression filtering harmonics across entire HF spectrum.

Advanced filtering techniques include cascaded filters with multiple filter stages for maximum harmonic rejection, active filtering using active circuits to cancel harmonic components, digital filtering using DSP-based filtering for precise harmonic control, and adaptive filtering with AI-controlled filtering that adapts to conditions.

Transmitter Fingerprinting Through Harmonic Analysis

Harmonic analysis can create a unique "fingerprint" of a transmitter, representing a critical vulnerability that many operators don't fully appreciate. Each transmitter produces unique harmonic patterns due to manufacturing tolerances, component aging, and operating conditions. These patterns can identify specific transmitters, manufacturers, models, and even modifications to equipment.

Fingerprint analysis techniques include harmonic spectrum analysis of harmonic amplitude and phase relationships, spurious emission mapping of all non-harmonic spurious emissions, modulation analysis of how harmonics are affected by modulation, and frequency stability measurement of frequency drift and stability characteristics.

Counter-fingerprinting measures include harmonic randomisation by deliberately varying harmonic characteristics, component selection using components with tight tolerances to minimise variations, dynamic filtering adjusting filtering characteristics during operation, and signature masking using techniques to mask or alter harmonic signatures.

The Harmonic Detection Paradox

The Harmonic Detection Paradox represents one of the most sophisticated challenges in modern signal intelligence warfare. It stems from the fundamental principle that the absence of evidence can itself be evidence. The absence of harmonics indicates professional-grade equipment or sophisticated filtering, creating a detection signature that can be as revealing as the presence of harmonics.

What analysts look for includes harmonic-to-fundamental ratios indicating equipment quality and type, harmonic spectrum shape revealing equipment characteristics, harmonic stability showing how harmonics change over time, harmonic phase relationships unique to equipment types, and spurious emission patterns providing additional identification data.

Detection thresholds vary significantly: professional equipment typically shows -60 to -80 dBc harmonic levels, amateur equipment -40 to -60 dBc, consumer equipment -30 to -50 dBc, and military equipment -70 to -90 dBc. This creates a strategic decision matrix where operators must choose between maximum filtering (minimal harmonics but appearing professional/military), selective filtering (some harmonics to appear amateur), or dynamic filtering (varying harmonic levels to create confusion).

Frequency Selection Strategy and Detection Avoidance

Most clandestine operations fail because they follow the most straightforward principle for transmitting: they use clear, interference-free frequencies. While this lets them use weak transmitters and sometimes tolerate poor propagation conditions, it makes direction finding easy and draws higher monitoring priority from authorities.

Strategic frequency selection involves interference exploitation using frequencies with existing interference to mask signals, noise floor integration operating within the natural noise floor of the frequency band, crowded spectrum choosing frequencies with multiple legitimate users, and dynamic frequency selection continuously changing frequencies to avoid pattern recognition.

Detection mechanisms include direction finding through triangulation, signal strength analysis, time difference of arrival (TDOA) measurements, and frequency analysis. Time convolution detection uses correlation analysis of signals received at multiple locations, time synchronisation between monitoring stations, signal correlation detection, and temporal fingerprinting of transmitter signals.

How Direction Finding Works and Its Limitations

Direction Finding Principles: Direction finding operates on the principle that radio signals arrive at different receiving stations with varying signal strengths, phases, and timing. By measuring these differences across multiple stations, the location of the transmitter can be determined through triangulation. The accuracy of direction finding depends on several factors including the number of receiving stations, their geographical distribution, signal quality, and environmental conditions.

Triangulation Process: The triangulation process requires at least three direction finding stations positioned at known locations. Each station measures the bearing (direction) of the incoming signal relative to true north. These bearing lines are then plotted on a map, and the intersection point of these lines indicates the approximate location of the transmitter. The accuracy improves with more stations and better signal quality.

TDOA (Time Difference of Arrival): TDOA systems measure the precise timing differences between when a signal arrives at different receiving stations. Since radio waves travel at the speed of light, these timing differences can be converted into distance differences, allowing for more precise location determination than simple bearing measurements. TDOA requires extremely accurate time synchronisation between stations, typically achieved through GPS timing.

Signal Strength Analysis: Signal strength measurements can provide additional location information. Signals generally decrease in strength with distance according to the inverse square law, though this is complicated by terrain, atmospheric conditions, and antenna characteristics. Multiple stations measuring signal strength can help refine location estimates.
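The triangulation and TDOA steps just described, worked through as an added example (not code from the original article): a least-squares bearing fix from three DF stations, refined by a Gauss-Newton TDOA solve, with a check of how much a one-microsecond clock offset at one station moves the fix. The station layout, transmitter position and bearing errors are constructed; east is +x and north is +y in kilometres.

```python
"""Worked model of DF fixes: bearing triangulation by least squares, then TDOA
refinement by Gauss-Newton. Station layout and transmitter are constructed data."""
import math

C_KM_PER_S = 299_792.458  # speed of light, km/s: converts time differences to range differences


def bearing_from(station, target):
    """True-north bearing (degrees, clockwise) from a station to a target, both (x_km, y_km).
    x points east and y points north, so atan2(dx, dy) is 0 for due north, 90 for due east."""
    dx, dy = target[0] - station[0], target[1] - station[1]
    return math.degrees(math.atan2(dx, dy)) % 360.0


def _solve_2x2(a11, a12, a22, b1, b2):
    """Solve the symmetric normal equations [[a11, a12], [a12, a22]] p = (b1, b2)."""
    det = a11 * a22 - a12 * a12
    if abs(det) < 1e-12:
        raise ValueError("degenerate geometry: bearings nearly parallel or stations collinear")
    return (a22 * b1 - a12 * b2) / det, (a11 * b2 - a12 * b1) / det


def triangulate_bearings(observations):
    """observations: list of ((x_km, y_km), bearing_deg) from at least two DF stations.
    Each bearing defines a line through its station; the fix is the point minimising the
    sum of squared perpendicular distances to all lines (the centre of the 'cocked hat')."""
    a11 = a12 = a22 = b1 = b2 = 0.0
    for (sx, sy), bearing in observations:
        b = math.radians(bearing)
        # Line direction is (sin b, cos b); its unit normal is (cos b, -sin b).
        nx, ny = math.cos(b), -math.sin(b)
        offset = nx * sx + ny * sy  # normal . station gives the line's offset from the origin
        a11 += nx * nx; a12 += nx * ny; a22 += ny * ny
        b1 += nx * offset; b2 += ny * offset
    return _solve_2x2(a11, a12, a22, b1, b2)


def locate_tdoa(stations, tdoa_s, guess, max_iter=50, tol_km=1e-7):
    """stations: list of (x_km, y_km); tdoa_s[i] = arrival time at station i minus arrival
    at station 0, in seconds. Gauss-Newton on the range-difference residuals
    r_i - r_0 - C*dt_i, starting from 'guess' (for example the coarse bearing fix)."""
    x, y = guess
    x0, y0 = stations[0]
    for _ in range(max_iter):
        r0 = math.hypot(x - x0, y - y0)
        rows = []
        for (xi, yi), dt in zip(stations[1:], tdoa_s[1:]):
            ri = math.hypot(x - xi, y - yi)
            # Partial derivatives of (r_i - r_0) with respect to x and y, plus the residual.
            jx = (x - xi) / ri - (x - x0) / r0
            jy = (y - yi) / ri - (y - y0) / r0
            rows.append((jx, jy, ri - r0 - C_KM_PER_S * dt))
        a11 = sum(jx * jx for jx, _, _ in rows)
        a12 = sum(jx * jy for jx, jy, _ in rows)
        a22 = sum(jy * jy for _, jy, _ in rows)
        b1 = sum(jx * res for jx, _, res in rows)
        b2 = sum(jy * res for _, jy, res in rows)
        dx, dy = _solve_2x2(a11, a12, a22, b1, b2)
        x, y = x - dx, y - dy  # Gauss-Newton step p <- p - (J^T J)^-1 J^T r
        if math.hypot(dx, dy) < tol_km:
            break
    return x, y


def tdoa_from_truth(stations, transmitter):
    """Constructed measurements: exact arrival-time differences for a known transmitter."""
    ranges = [math.hypot(transmitter[0] - sx, transmitter[1] - sy) for sx, sy in stations]
    return [(r - ranges[0]) / C_KM_PER_S for r in ranges]


def fix_error_km(fix, truth):
    return math.hypot(fix[0] - truth[0], fix[1] - truth[1])


# Constructed scenario: three DF stations on a 100 km baseline, transmitter at (40, 30) km.
STATIONS = [(0.0, 0.0), (100.0, 0.0), (0.0, 100.0)]
TRUTH = (40.0, 30.0)
# Bearing errors of a degree or two stand in for ionospheric tilt and multipath at each station.
BEARING_ERRORS_DEG = (1.5, -1.0, 2.0)

if __name__ == "__main__":
    noisy = [(s, bearing_from(s, TRUTH) + e) for s, e in zip(STATIONS, BEARING_ERRORS_DEG)]
    coarse = triangulate_bearings(noisy)
    print(f"bearing fix {coarse}, error {fix_error_km(coarse, TRUTH):.2f} km")
    refined = locate_tdoa(STATIONS, tdoa_from_truth(STATIONS, TRUTH), guess=coarse)
    print(f"TDOA fix    {refined}, error {fix_error_km(refined, TRUTH):.4f} km")
    # One microsecond of clock offset at a single station is 0.3 km of range difference.
    skewed = tdoa_from_truth(STATIONS, TRUTH)
    skewed[1] += 1e-6
    print(f"1 us sync error at station 1 moves the fix by "
          f"{fix_error_km(locate_tdoa(STATIONS, skewed, coarse), TRUTH):.3f} km")
```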

Direction Finding Limitations

Environmental Factors: Ionospheric conditions can cause signal refraction and multipath propagation, leading to inaccurate bearing measurements. Mountains, buildings, and other obstacles can block or reflect signals, creating false bearing readings. Rain, snow, and atmospheric pressure changes can affect signal propagation and measurement accuracy.

Technical Limitations: Weak signals, interference, or noise can significantly reduce measurement accuracy. Direction finding accuracy varies with frequency, with higher frequencies generally providing better accuracy. The type and orientation of both transmitting and receiving antennas affect measurement precision, and signals reflecting off multiple surfaces can create multiple apparent sources.

Operational Limitations: Poor geographical distribution of receiving stations limits triangulation accuracy, whilst inaccurate timing between stations degrades TDOA measurements. Real-time direction finding requires rapid signal processing and analysis, and high-quality direction finding systems require significant computational and financial resources.

Counter-Detection Vulnerabilities: Strong interference or jamming can overwhelm direction finding receivers, whilst rapid frequency changes can prevent stable bearing measurements. Low-power transmissions may fall below detection thresholds, directional antennas and terrain masking can limit signal detection, and irregular transmission patterns can prevent correlation analysis.

Exploiting Direction Finding Limitations for Clandestine Operations

Environmental Exploitation: Clandestine operators can deliberately exploit environmental factors that degrade direction finding accuracy. Operating during periods of poor atmospheric conditions, such as ionospheric disturbances or solar storms, can significantly reduce bearing measurement accuracy. Choosing transmission locations with complex terrain features, such as valleys, urban canyons, or mountainous regions, can create multipath propagation that confuses direction finding systems.

Signal Quality Manipulation: Deliberately transmitting weak signals that hover just above the noise floor can make direction finding measurements unreliable. Using frequency hopping techniques that change frequencies faster than direction finding systems can process prevents stable bearing measurements. Implementing sophisticated interference patterns that mask the actual signal characteristics can overwhelm direction finding receivers.

Antenna Design Exploitation: Using antennas with poor vertical radiation patterns can limit the ability of direction finding stations to obtain accurate bearings. Implementing antenna systems that radiate signals in multiple directions simultaneously can create false bearing readings. Employing antennas that can be rapidly reoriented or reconfigured during transmission can prevent stable direction finding measurements.

Timing and Pattern Exploitation: Irregular transmission schedules that don't follow predictable patterns can prevent correlation analysis between multiple direction finding stations. Using burst transmissions that are too short for direction finding systems to process effectively can avoid detection. Implementing random transmission intervals that prevent time-based analysis can significantly reduce detection probability.

Operational Exploitation: Positioning transmitters in areas where direction finding station coverage is poor or non-existent can provide natural protection. Using mobile transmitters that change location between transmissions can prevent triangulation. Operating multiple transmitters simultaneously can create confusion about which signal is the actual clandestine transmission.

Advanced Counter-Detection Techniques: Signal fragmentation involves breaking transmissions into multiple short bursts that are difficult to correlate, while frequency agility rapidly changes frequencies within a transmission to prevent stable measurement. Power variation deliberately varies transmission power to create inconsistent signal strength measurements, and antenna switching uses multiple antennas that can be switched during transmission. Terrain masking deliberately positions transmitters where terrain features block or scatter signals, atmospheric timing transmits during periods of known atmospheric disturbances, and interference integration uses existing interference sources to mask transmission characteristics.

Jamming-Based Stealth Strategy and Controlled Interference

Using radio jammers to create controlled interference on target frequencies represents a sophisticated counter-intelligence technique. Jammers can be programmed to leave small time intervals uncovered, allowing transmission during these brief windows whilst the jamming masks legitimate signals and confuses direction finding.

Strategic advantages include signal masking where jamming noise masks transmission characteristics, direction finding disruption where jamming interferes with triangulation and TDOA systems, monitoring overload overwhelming monitoring systems with interference, and false attribution making it appear that jamming is the primary threat rather than communications. For more detailed information on how radio jamming works and its various techniques, see the Radio Jamming Wikipedia article (ITU Radio Regulations), which explains the principles of electromagnetic interference (FCC Interference Guide) and signal suppression (IEEE Communications Society).

Jamming system architecture requires frequency coverage of target frequency bands, sufficient power output to mask signals at detection ranges, precise timing control for transmission window creation, and perfect synchronisation between jammer and transmitter. Transmission window design involves brief windows (milliseconds to seconds) to minimise detection, random or pseudo-random timing to avoid pattern recognition, and multiple windows per transmission session, all of which depend on that same jammer-transmitter timing synchronisation.

Analog vs Digital Signal Detection and Concealment

The choice between analog and digital signals represents a critical decision for clandestine operations. Digital signals have distinct characteristics that make them detectable even through jamming, whilst analog signals provide superior concealment capabilities.

Digital Signal Vulnerabilities: Digital modes have recognisable frequency patterns that create spectral signatures easily identified by monitoring systems. Symbol timing with regular bit/symbol periods is detectable through pattern analysis, whilst error correction patterns from FEC codes create identifiable structures that reveal digital transmission. Phase coherence in digital signals maintains phase relationships that stand out from natural noise, and bandwidth characteristics show specific spectral shapes (BPSK, FSK, etc.) that are immediately recognisable.

Analog Advantages for Concealment: Analog signals exhibit natural noise characteristics where voice and CW blend better with atmospheric noise. Irregular patterns in human speech have random amplitude and frequency variations that are difficult to distinguish from natural phenomena. No protocol signatures exist in analog signals, eliminating digital headers or sync patterns that reveal transmission intent. Processing difficulty makes it harder for automated systems to classify and decode analog signals compared to digital protocols.

Analog Coordination Methods: Voice cues allow jammer operators to speak brief code words before going silent, providing natural coordination signals. CW patterns can be disguised as natural static bursts, whilst audio tones provide brief tone bursts that sound like interference. Modulation changes from AM to FM switching can serve as "go" signals that appear as natural signal variations.

OTP with Analog Signals: Tone sequences use specific audio frequency patterns derived from one-time pad values, whilst timing variations in CW dot/dash timing can be based on pad values. Voice code words can be spoken words selected from OTP tables, and carrier shifts involve small frequency changes following OTP sequences.

Signal Camouflage: SSB voice sounds like distant, weak voice communication that blends with legitimate traffic. CW appears as weak amateur radio or utility signals, whilst AM blends with broadcast band spillover. Noise-like modulation can be designed to mimic atmospheric interference, making detection virtually impossible.

Pattern-Based Transmission Trigger Systems

Embedding specific patterns in jamming noise that act as transmission triggers solves the timing synchronisation problem elegantly. This approach uses one-time pad principles where patterns are based on cryptographically secure random number generators, with each pattern used only once and never repeated.

Pattern characteristics must include noise-like appearance indistinguishable from natural noise, statistical properties matching natural interference, frequency distribution matching legitimate noise, and temporal characteristics matching natural interference. Pattern security features include non-repeating patterns preventing analysis, unpredictable patterns that cannot be predicted from previous patterns, statistically random patterns passing all statistical tests, and cryptographically secure patterns based on proven cryptographic principles.

Amplitude Variation Signaling: A sophisticated method for jammer-receiver coordination involves subtle amplitude variations in the jamming signal. The jammer can encode transmission triggers through small power level variations that are imperceptible to standard monitoring systems but detectable by specially configured receivers. These amplitude modulations can carry encoded information about transmission windows, frequency changes, or other operational parameters without revealing the presence of coordinated activity.

Amplitude Modulation Techniques: The jammer can implement micro-amplitude variations with changes in jamming power of 1-3 dB that appear as natural signal fluctuations to external observers. Amplitude pattern encoding uses specific amplitude patterns to signal different transmission parameters, while dynamic amplitude control allows real-time adjustment of jamming amplitude to convey operational instructions. Amplitude fingerprinting provides unique amplitude characteristics that identify specific jamming sources for receiver authentication.

Pattern detection systems require real-time analysis of received noise for pattern detection, pattern matching against expected patterns, threshold detection to avoid false triggers, and confirmation logic with multiple pattern confirmations before transmission. Transmission control logic includes pattern recognition of specific patterns that trigger transmission, automatic transmission initiation upon pattern detection, duration control based on pattern characteristics, and abort conditions if pattern changes or interference increases.

Jammer as Counterpart Transmitter - Ultimate Location Protection

Using a jammer as the counterpart transmitter turns it into a decoy. While the jammer radiates on the same frequency at the same time, direction-finding (DF) systems have difficulty separating jammer and actual transmitter, different DF stations report conflicting bearings, and detection effort is drawn towards the jammer's location rather than the transmitter's. This buys ambiguity rather than immunity: a DF network with enough baselines, or one using time-difference-of-arrival, can still resolve two spatially separated emitters, and the jammer itself is a strong, easily located signal.

Direction finding confusion mechanisms include multiple signal sources where DF stations detect signals from both jammer and transmitter, conflicting bearings where different DF stations get conflicting bearing measurements, signal characteristic mixing where jammer and transmitter signals blend together, and temporal overlap where signals overlap in time creating analysis confusion.

Advanced decoy techniques include multi-jammer systems using multiple jammers to create multiple false locations, transmitter mimicry making jammer appear identical to actual transmitter, jammer rotation creating changing false locations, and mobile jammers creating dynamic false locations.

Modern Microelectronics and Component Concealment

Modern microelectronics has revolutionised transmitter design, making transmitters extremely compact. Software-defined radio technology, surface mount technology reducing size by 80-90%, integrated circuits combining multiple functions, and digital signal processing eliminating large analogue components have enabled transmitters as small as 2-3 cubic inches.

Antenna concealment remains the biggest challenge because of wavelength constraints. A half-wave dipole at typical NVIS frequencies (roughly 3-7 MHz) is 20-50 metres long, which makes physical concealment difficult. Modern antenna solutions include loaded antennas that use loading coils to electrically lengthen a shorter physical antenna, magnetic loop antennas 1-3 metres in diameter, end-fed antennas with matching networks, and trap antennas with resonant traps.

Battery system concealment and shielding is critical due to power requirements, physical size, heat generation, and electromagnetic emissions. Solutions include distributed batteries using multiple smaller batteries, battery integration into natural or man-made structures, underground installation with proper ventilation, and thermal management systems to dissipate heat.

Vehicle-Based NVIS Antenna Systems

Using vehicles to host NVIS antennas offers significant advantages: mobility to optimise antenna positioning and avoid detection, a stable power supply from the vehicle's electrical system, natural concealment for equipment and operators, and a usable counterpoise in the vehicle body (electrically small at HF, but far better than none).

Vehicle types suitable for antenna integration include passenger vehicles (sedans and SUVs) with good ground plane and easy concealment, commercial vehicles (trucks and vans) with larger space for equipment, agricultural vehicles (tractors and farm equipment) excellent for rural operations, and military vehicles with built-in protection and communication integration.

Antenna mounting options include roof mounting for maximum elevation, side mounting for horizontal polarization, underbody mounting for concealment, and telescopic mounting for antennas that can be raised and lowered. Antenna types suitable for vehicles include magnetic loop antennas, loaded whip antennas with loading coils for NVIS frequencies, inverted-L antennas with horizontal wire and vertical section, and ground plane antennas using vehicle body as ground plane.

Urban Landscape-Integrated Distributed Antenna Systems

Using existing urban infrastructure as antenna resonators represents a revolutionary approach to antenna concealment. This distributed antenna concept uses one central feeder line connecting to multiple distributed resonators that are existing features of the urban landscape, making the antenna virtually invisible.

Urban landscape resonator integration can utilise metallic infrastructure elements including fences and railings, lighting poles, building facades, and bridges and overpasses. Electrical infrastructure such as power lines, cable TV lines, telephone lines and electrical conduits can in principle serve as antenna elements, but coupling to energised power lines is a lethal hazard, and RF injected into mains, cable or telephone plant travels well beyond the site and is readily noticed as interference, so these are poor choices where concealment matters. Transportation infrastructure including railway tracks, bus shelters, parking structures and traffic signals provides usable antenna elements. Natural and decorative elements such as trees with metal supports, sculptures and monuments, playground equipment and garden structures can also be used.

Feeder system design requires a central feeder with concealed feeder line from transmitter, distribution network of concealed connections to resonators, automatic impedance matching for different resonator combinations, and efficient power distribution to multiple resonators. Connection methods include inductive coupling for metallic structures, capacitive coupling for non-metallic structures, direct connection to accessible metallic elements, and wireless coupling for remote elements.

Conclusion

The integration of AI with shortwave radio represents a convergence of traditional and cutting-edge technologies, creating sophisticated tools for clandestine operations and contemporary warfare scenarios. The addition of NVIS (Near Vertical Incidence Skywave) beaming antenna techniques and tactical considerations expands the utility of shortwave radio into specialized operational domains where stealth, concealment, and operational security are paramount.

Modern microelectronics has revolutionized clandestine communications by making transmitters extremely compact and portable, while innovative approaches to antenna concealment, power isolation, and harmonic control have created new possibilities for secure operations. The use of jamming-based stealth strategies, pattern-based transmission triggers, and urban landscape integration represents the cutting edge of tactical communications technology that can operate undetected in hostile environments.

The abandoned shortwave spectrum provides unique opportunities for covert communications that are difficult to detect and intercept, while AI-enhanced stealth and pattern recognition capabilities enable sophisticated masking techniques that make communications appear as natural interference or legitimate traffic. As AI technology continues to advance, the possibilities for intelligent clandestine radio systems will expand, creating new opportunities for specialized tactical applications where traditional communication methods may be monitored or compromised.

The key to success in modern clandestine communications lies in understanding the fundamental principles of radio propagation, the vulnerabilities of detection systems, the opportunities presented by modern technology, and the sophisticated counter-intelligence techniques required to operate undetected in contemporary warfare scenarios.

OpenSSH Hash-Based Authentication System

This post describes a secure SSH authentication system that replaces traditional authorized_keys files with SQLite database lookups using SHA256 hashes of public keys. The system provides enhanced security, performance, and manageability for SSH key authentication.

Overview

The SSH Hash-Based Authentication System replaces the per-user authorized_keys file with a SQLite database consulted through sshd's AuthorizedKeysCommand: the public key the client offers is hashed with SHA256 and the hash is looked up in that user's database. The hash is a compact, fixed-length lookup key rather than a secret (public keys are public), so the gains are in manageability, metadata such as expiry dates, and auditability, not in hiding key material.

System Requirements

  • Operating System: Linux (kernel 5.14.0-570.30.1.el9_6.x86_64)
  • Linux Distribution: Rocky Linux 9.6
  • OpenSSH Server: openssh-server-8.7p1-45.el9.rocky.0.1.x86_64
  • OpenSSH Clients: openssh-clients-8.7p1-45.el9.rocky.0.1.x86_64
  • Additional Dependencies: SQLite3, bash, core utilities

Key Benefits

  • Security: a fixed-length fingerprint is the lookup key, and the database can carry expiry and audit metadata that authorized_keys cannot
  • Performance: an indexed SQLite lookup scales to very large key sets; for a handful of keys, spawning bash, sqlite3 and the helper tools on every attempt costs more than sshd's own file parsing
  • Scalability: Per-user databases with indexed lookups
  • Manageability: Comprehensive management tools
  • Auditability: Complete audit trail and logging
  • Flexibility: Supports multiple key types (RSA, ED25519, ECDSA)

System Architecture

Core Components

┌─────────────────┐    ┌──────────────────┐    ┌─────────────────┐
│   SSH Client    │    │   SSHD Server    │    │  Hash Database  │
│                 │    │                  │    │                 │
│ • SSH Key       │───▶│ • AuthorizedKeys │───▶│ • SQLite DB     │
│ • Key Data      │    │   Command        │    │ • SHA256 Hashes │
│                 │    │ • ssh_hash_auth  │    │ • Per-user      │
└─────────────────┘    └──────────────────┘    └─────────────────┘

Authentication Flow

  1. Client connects with SSH key
  2. SSHD calls ssh_hash_auth.sh with key data
  3. Script extracts key type and generates hash
  4. SQLite lookup in user's database
  5. Returns authorised key or nothing
  6. SSHD validates the returned key

Database Structure

-- Standard Database
CREATE TABLE hashes (
    hash TEXT PRIMARY KEY,
    description TEXT,
    added TEXT
);

-- Enhanced Database (with expiration)
CREATE TABLE hashes (
    hash TEXT PRIMARY KEY,
    description TEXT,
    added TEXT,
    expires TEXT,
    last_used TEXT,
    usage_count INTEGER DEFAULT 0,
    status TEXT DEFAULT 'active'
);
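The same flow in Python, added here as an illustration and not part of the scripts on this page: parse the key blob sshd hands over as %k to get its type, compute the fingerprint in the scripts' format (SHA256 of the raw blob, base64 with its padding kept), and look it up with a bound parameter so that neither the hash nor a free-text description can alter the SQL. The ed25519 blob is constructed from 32 fixed bytes and is not a real key; the in-memory database uses the standard schema above.

```python
import base64
import hashlib
import sqlite3
import struct

# Added example (Python, not the page's bash scripts): the lookup the scripts
# perform, with the key blob parsed, the scripts' hash format reproduced and a
# parameterised query. The key material below is constructed, not a real key.


def parse_key_type(blob: bytes) -> str:
    """Algorithm name from an SSH public-key blob: an RFC 4253 'string' is a
    4-byte big-endian length followed by that many bytes."""
    if len(blob) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if n == 0 or n > 64 or len(blob) < 4 + n:
        raise ValueError("bad key-type length")
    return blob[4:4 + n].decode("ascii")


def fingerprint(blob: bytes, padded: bool = True) -> str:
    """SHA256 fingerprint of the raw blob. padded=True reproduces what the
    page's scripts store (base64 with its trailing '='); padded=False is the
    form `ssh-keygen -lf` prints."""
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode()
    return "SHA256:" + (digest if padded else digest.rstrip("="))


def open_db(path: str = ":memory:") -> sqlite3.Connection:
    """Create the page's 'standard' schema (in memory by default)."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS hashes ("
                 "hash TEXT PRIMARY KEY, description TEXT, added TEXT)")
    return conn


def add_hash(conn: sqlite3.Connection, fp: str, description: str) -> None:
    """Insert with bound parameters: a description such as "John's desktop"
    can neither break the statement nor inject SQL."""
    conn.execute("INSERT OR IGNORE INTO hashes (hash, description, added) "
                 "VALUES (?, ?, datetime('now'))", (fp, description))
    conn.commit()


def authorized_line(conn: sqlite3.Connection, key_b64: str):
    """What the AuthorizedKeysCommand must print for sshd: the key line if the
    offered key's fingerprint is in the database, else None. Stored hashes
    match with or without their '=' padding."""
    blob = base64.b64decode(key_b64, validate=True)
    ktype = parse_key_type(blob)
    fp = fingerprint(blob, padded=False)
    row = conn.execute("SELECT 1 FROM hashes WHERE replace(hash, '=', '') = ?",
                       (fp,)).fetchone()
    if row is None:
        return None
    # sshd compares this line against the key the client proved it holds
    return f"{ktype} {key_b64} ssh_hash_auth_key"


def make_ed25519_blob(pubkey32: bytes) -> bytes:
    """Constructed blob in the ed25519 layout: string 'ssh-ed25519', string key."""
    def s(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    return s(b"ssh-ed25519") + s(pubkey32)


def encode_blob(blob: bytes) -> str:
    """The %k form sshd passes: base64 of the blob, no type prefix or comment."""
    return base64.b64encode(blob).decode()


if __name__ == "__main__":
    blob = make_ed25519_blob(bytes(range(32)))      # constructed, not a real key
    db = open_db()
    add_hash(db, fingerprint(blob), "John's desktop")
    print(authorized_line(db, encode_blob(blob)))
```

Because sshd itself verifies possession of the key it is handed back, echoing the client's own blob is safe only after the lookup has matched; printing anything for an unmatched key would be a bypass.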

Installation & Setup

Step 1: Install Core System

# Copy scripts to /usr/local/bin. sshd refuses an AuthorizedKeysCommand that
# is not an absolute path, not root-owned, or writable by group or others.
sudo cp ssh_hash_auth.sh ssh_hash_manager.sh /usr/local/bin/
sudo chown root:root /usr/local/bin/ssh_hash_auth.sh /usr/local/bin/ssh_hash_manager.sh
sudo chmod 755 /usr/local/bin/ssh_hash_auth.sh /usr/local/bin/ssh_hash_manager.sh

# Install SSHD configuration, check it, then reload
sudo cp 99-hash-auth.conf /etc/ssh/sshd_config.d/99-hash-auth.conf
sudo sshd -t && sudo systemctl reload sshd

Step 2: Set Up User Database

# Generate hash from user's public key
./ssh_hash_manager.sh generate <username> ~<username>/.ssh/id_rsa.pub

# Or add hash manually (the scripts store the base64 with its trailing '=',
# which ssh-keygen -lf omits)
./ssh_hash_manager.sh add <username> SHA256:hash... "description"

Step 3: Test Authentication

# Test connection
ssh <username>@localhost

# Check debug output if needed
./debug_auth.sh <username> <key_data>

Usage & Management

Basic Operations

# Generate hash from public key file
./ssh_hash_manager.sh generate <user> <key_file>

# Add hash manually
./ssh_hash_manager.sh add <user> <hash> [description]

# List all hashes
./ssh_hash_manager.sh list <user>

# Remove hash
./ssh_hash_manager.sh remove <user> <hash>

# Search hashes
./ssh_hash_manager.sh search <user> <term>

Enhanced Operations (with expiration)

# Generate hash with expiration (90 days)
./enhanced_hash_manager.sh generate <user> <key_file> 90

# Add hash with expiration (30 days)
./enhanced_hash_manager.sh add <user> <hash> "description" 30

# Check for expired hashes
./enhanced_hash_manager.sh check-expired <user>

# Clean up expired hashes (dry run)
./enhanced_hash_manager.sh cleanup <user> --dry-run

# Backup database
./enhanced_hash_manager.sh backup <user> /var/backup/ssh_hashes/user

# Restore database
./enhanced_hash_manager.sh restore <user> <backup_file>

# Migrate from authorized_keys file
./enhanced_hash_manager.sh migrate <user> ~user/.ssh/authorized_keys 60

Migration from Traditional authorized_keys

Only the key itself is migrated. Key options such as from=, command= or restrict have no place in the hash database and are not emitted by the authentication script, so a restricted key becomes an unrestricted one unless the restriction is re-applied elsewhere (for example with a Match block and ForceCommand in sshd_config).

# Option 1: Manual migration
./enhanced_hash_manager.sh migrate <user> ~<user>/.ssh/authorized_keys 90

# Option 2: Bulk migration (home directories taken from the passwd database,
# not assumed to live under /home)
getent passwd | while IFS=: read -r user _ _ _ _ home _; do
    if [ -f "$home/.ssh/authorized_keys" ]; then
        ./enhanced_hash_manager.sh migrate "$user" "$home/.ssh/authorized_keys" 90
    fi
done
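Migration in Python, added as an illustration; the enhanced_hash_manager.sh it stands in for is not reproduced on this page, so this is not that script. It parses authorized_keys lines including an options prefix with quoted strings, computes the same fingerprints the page's scripts store, sets an expiry date, and flags lines whose options would be lost. The sample file is constructed and its key blobs are placeholders.

```python
import base64
import hashlib
from datetime import date, timedelta

# Added example (Python, not the page's enhanced_hash_manager.sh, whose source
# is not on the page): parse an authorized_keys file the way the migrate step
# must, compute the same fingerprints, attach an expiry, and flag lines whose
# options would be lost. The sample below is constructed; the blobs are
# placeholders, not real keys.

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def split_line(line: str):
    """Return (options, key_type, base64, comment) or None for blank/comment
    lines. The options field may hold quoted strings containing spaces and
    commas (e.g. command="rsync --server ..."), so it is scanned, not split."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.split(None, 1)[0] in KEY_TYPES:
        options, rest = "", line
    else:
        i, quoted = 0, False
        while i < len(line):
            c = line[i]
            if quoted and c == "\\":      # escaped character inside quotes
                i += 2
                continue
            if c == '"':
                quoted = not quoted
            elif c.isspace() and not quoted:
                break
            i += 1
        options, rest = line[:i], line[i:].lstrip()
    parts = rest.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError(f"unsupported or malformed line: {line[:40]!r}")
    comment = parts[2] if len(parts) == 3 else ""
    return options, parts[0], parts[1], comment


def fingerprint(key_b64: str) -> str:
    """SHA256 over the decoded blob, base64 with '=' padding kept, as the
    page's scripts store it."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode()


def migrate(text: str, days: int, today: str) -> list:
    """Rows for the enhanced schema. A key line that carried options is still
    migrated, but flagged: the hash database keeps no options and the line the
    auth script prints has none, so command= or from= would silently vanish."""
    start = date.fromisoformat(today)
    rows = []
    for line in text.splitlines():
        parsed = split_line(line)
        if parsed is None:
            continue
        options, _ktype, key_b64, comment = parsed
        rows.append({
            "hash": fingerprint(key_b64),
            "description": comment or "No comment",
            "added": start.isoformat(),
            "expires": (start + timedelta(days=days)).isoformat(),
            "warning": f"options dropped: {options}" if options else "",
        })
    return rows


def _placeholder_blob(key_type: str) -> str:
    """Constructed base64 blob with the right type string and 32 zero bytes."""
    body = b"\x00" * 32
    raw = (len(key_type).to_bytes(4, "big") + key_type.encode()
           + len(body).to_bytes(4, "big") + body)
    return base64.b64encode(raw).decode()


SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample, not real keys",
    f"ssh-ed25519 {_placeholder_blob('ssh-ed25519')} alice@laptop",
    f'command="/usr/bin/rrsync /srv/backup",no-pty,from="10.0.0.0/8" '
    f'ssh-rsa {_placeholder_blob("ssh-rsa")} backup job',
    "",
])

if __name__ == "__main__":
    for row in migrate(SAMPLE_AUTHORIZED_KEYS, 90, "2025-01-01"):
        print(row)
```

A migration tool should refuse, or at least report, every line it flags; the second sample line is exactly the kind of backup-only key that must not come out of the database as a full shell login.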

Security Features

Core Security Benefits

  • Keys are stored as SHA256 fingerprints; this is about compactness, not secrecy, since a public key is not confidential and sshd still receives the full key from the client
  • The fingerprint has a fixed alphabet (SHA256: plus base64), so it is safe to use as a lookup key
  • Database files have restricted permissions (600) and are owned by the user
  • User-specific databases keep each user's authorisations separate
  • No modification of existing authorized_keys files; sshd keeps consulting AuthorizedKeysFile unless it is set to none, so both sources grant access until that is done

Enhanced Security Features

The enhanced scripts (enhanced_hash_auth_with_expiration.sh and enhanced_hash_manager.sh, not reproduced on this page) add:

  • Key expiration dates for automatic rotation
  • Audit logging of all authentication attempts
  • Rate limiting of failed attempts (sshd's own MaxAuthTries and a host-level tool such as fail2ban still apply and should stay in place)
  • Usage tracking and analytics
  • Backup/restore functionality

Audit Logging

Log Format:

timestamp|event|username|key_hash|ip_address|result

Events Logged:

  • AUTH_SUCCESS - Successful authentication
  • AUTH_FAILED - Failed authentication (with reason)
  • RATE_LIMITED - Rate limited attempts
  • DB_NOT_FOUND - Database not found
  • EXPIRED - Expired key attempt

Rate Limiting:

  • Maximum 5 failed attempts per 5 minutes per user/IP
  • Automatic reset on successful authentication
  • Configurable limits in enhanced script

Troubleshooting

Common Issues

1. Authentication Fails:

# Check if database exists
ls -la ~<user>/.ssh/authorized_keys.db

# Check database contents
./ssh_hash_manager.sh list <user>

# Test with debug script
./debug_auth.sh <user> <key_data>

2. SSHD Configuration Issues:

# Check SSHD config (sshd -T prints keywords in lower case)
sudo sshd -T | grep -i authorizedkeys

# Reload SSHD
sudo systemctl reload sshd

# Check SSHD logs
sudo journalctl -u sshd -f

3. Permission Issues:

# Fix database permissions
chmod 600 ~<user>/.ssh/authorized_keys.db
chown <user>:<user> ~<user>/.ssh/authorized_keys.db

# Fix .ssh directory permissions
chmod 700 ~<user>/.ssh
chown <user>:<user> ~<user>/.ssh

Debug Commands

# Test hash generation (the manager expects a readable file, so write the key to one first)
printf '%s\n' "ssh-rsa AAAAB3NzaC1yc2E..." > /tmp/test_key.pub
./ssh_hash_manager.sh generate test /tmp/test_key.pub

# Compare with the OpenSSH fingerprint (identical apart from the trailing '=')
ssh-keygen -lf /tmp/test_key.pub

# Test database lookup
sqlite3 ~<user>/.ssh/authorized_keys.db "SELECT * FROM hashes;"

# Check audit logs
sudo tail -f /var/log/ssh_hash_auth.log

Advanced Features

Key Expiration

  • Automatic expiration dates for keys
  • Configurable expiration periods
  • Automatic cleanup of expired keys
  • Notifications for expiring keys

Usage Analytics

  • Track last used timestamp
  • Count usage frequency
  • Identify unused keys
  • Generate usage reports

Backup and Recovery

  • Automated database backups
  • Point-in-time recovery
  • Backup verification
  • Disaster recovery procedures

Best Practices

Security

  • Regular key rotation (use expiration dates)
  • Monitor audit logs for suspicious activity
  • Backup databases regularly
  • Use rate limiting to prevent brute force
  • Restrict database access to authorised users only

Management

  • Document all key additions/removals
  • Regular cleanup of expired keys
  • Monitor database performance
  • Test backup/restore procedures
  • Keep scripts updated and secure

Monitoring

  • Set up log monitoring for failed attempts
  • Monitor database size and performance
  • Track key usage patterns
  • Alert on unusual access patterns
  • Regular security audits

File Reference

Core Files

  • ssh_hash_auth.sh - Main authentication script (production)
  • debug_auth.sh - Debug version for troubleshooting
  • ssh_hash_manager.sh - Hash management tool
  • 99-hash-auth.conf - SSHD configuration

Enhanced Files

  • enhanced_hash_auth_with_expiration.sh - Enhanced auth with expiration & audit logging
  • enhanced_hash_manager.sh - Enhanced manager with advanced features

Database Locations

  • User databases: ~<user>/.ssh/authorized_keys.db
  • Audit logs: /var/log/ssh_hash_auth.log
  • Rate limit file: /tmp/ssh_hash_auth_rate_limit (written by root into a world-writable directory; a root-owned location such as /var/lib/ssh_hash_auth/ is safer against tampering by local users)

Configuration Files

  • SSHD config: /etc/ssh/sshd_config.d/99-hash-auth.conf
  • Scripts: /usr/local/bin/ssh_hash_auth.sh

Appendixes

ssh_hash_auth.sh (Production Authentication Script)

#!/bin/bash
#
# Fast SSH Hash-Based Authentication Script
# Called by sshd through AuthorizedKeysCommand with "%u %k": the username and
# the base64 key blob the client offered (no "ssh-rsa" prefix, no comment).
#
# Usage: ./ssh_hash_auth.sh <username> <key_data>
# Prints: "<key-type> <key_data> ssh_hash_auth_key" if authorised, nothing otherwise.
# sshd then checks that the printed key is the one the client proved possession of.

set -e

# Check arguments
if [ $# -ne 2 ]; then
    exit 1
fi

USERNAME="$1"
KEY_DATA="$2"

# Get the user's home directory from the passwd database. The username comes
# from the client, so it is looked up rather than expanded with eval.
USER_HOME=$(getent passwd "$USERNAME" | cut -d: -f6)
if [ -z "$USER_HOME" ]; then
    exit 1
fi
HASH_DB="$USER_HOME/.ssh/authorized_keys.db"

# Fail closed: no database, or no sqlite3 to read it, means no authorised keys
if [ ! -f "$HASH_DB" ] || ! command -v sqlite3 >/dev/null 2>&1; then
    exit 1
fi

# Function to extract key type from base64 data
extract_key_type() {
    local key_data="$1"

    # The blob is an RFC 4253 encoding: [4-byte length][key-type-string] followed
    # by type-specific fields, e.g.
    #   ssh-rsa:      [len]"ssh-rsa" [len]exponent [len]modulus
    #   ssh-ed25519:  [len]"ssh-ed25519" [len]key
    #   ecdsa-sha2-*: [len]"ecdsa-sha2-nistpNNN" [len]curve-name [len]point

    # Read the first 4-byte big-endian length, then that many bytes of type name
    local first_length
    first_length=$(echo "$key_data" | base64 -d | dd bs=1 skip=0 count=4 2>/dev/null | xxd -p | tr -d '\n' | sed 's/000000//')
    local length_dec
    length_dec=$(printf "%d" "0x$first_length")

    local key_type
    key_type=$(echo "$key_data" | base64 -d | dd bs=1 skip=4 count="$length_dec" 2>/dev/null | tr -d '\0')

    # Only hand back names we expect; anything else is reported as unknown
    case "$key_type" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521)
            echo "$key_type"
            ;;
        *)
            echo "unknown"
            ;;
    esac
}

# Function to generate hash from the base64 key blob.
# This is SHA256 over the decoded blob, as ssh-keygen -lf computes it; the only
# difference is that the base64 keeps its trailing '=' padding here.
generate_hash() {
    local key_b64="$1"
    local hash
    hash=$(echo "$key_b64" | base64 -d | sha256sum | cut -d' ' -f1)
    local hash_b64
    hash_b64=$(echo "$hash" | xxd -r -p | base64)
    echo "SHA256:$hash_b64"
}

KEY_TYPE=$(extract_key_type "$KEY_DATA")
if [ "$KEY_TYPE" = "unknown" ]; then
    exit 1
fi

# Reconstruct the full key line with the extracted type
FULL_KEY="${KEY_TYPE} ${KEY_DATA} ssh_hash_auth_key"

KEY_HASH=$(generate_hash "$KEY_DATA")

# The hash is base64 text and cannot contain a quote, so interpolating it into
# the statement is safe. The comparison ignores '=' padding so that a
# fingerprint copied from "ssh-keygen -lf" matches as well.
if sqlite3 "$HASH_DB" "SELECT 1 FROM hashes WHERE replace(hash,'=','') = '${KEY_HASH//=/}' LIMIT 1;" 2>/dev/null | grep -q "1"; then
    echo "$FULL_KEY"
    exit 0
fi

# Key is not authorised, return nothing
exit 1

debug_auth.sh (Debug Authentication Script)

#!/bin/bash

# SSH Hash-Based Authentication Script (DEBUG VERSION)
# This script is called by SSHD via AuthorizedKeysCommand
# Usage: debug_auth.sh <username> <key_data>

set -e

# Configuration
# Get user's home directory
# Get user's home directory from the passwd database (no eval on client-supplied input)
USER_HOME=$(getent passwd "${1:-}" | cut -d: -f6 | head -n1)
DB_FILE="$USER_HOME/.ssh/authorized_keys.db"

# Function to extract key type from base64 data
extract_key_type() {
    local key_data="$1"
    local key_type=""
    
    echo "DEBUG: Extracting key type from: $key_data" >&2
    
    # Decode base64 and extract the key type
    # The format is: [4-byte length][key-type-string][4-byte length][curve-name][4-byte length][key-data]
    # For RSA: [4-byte length]["ssh-rsa"][4-byte length][exponent][4-byte length][modulus]
    # For ED25519: [4-byte length]["ssh-ed25519"][4-byte length][key-data]
    # For ECDSA: [4-byte length]["ecdsa-sha2-nistp384"][4-byte length][curve-name][4-byte length][key-data]
    
    # Read the first length (4 bytes) and then read the key type string
    local first_length=$(echo "$key_data" | base64 -d | dd bs=1 skip=0 count=4 2>/dev/null | xxd -p | tr -d '\n' | sed 's/000000//')
    local length_dec=$(printf "%d" "0x$first_length")
    
    echo "DEBUG: First length hex: $first_length, decimal: $length_dec" >&2
    
    # Extract the key type string
    key_type=$(echo "$key_data" | base64 -d | dd bs=1 skip=4 count=$length_dec 2>/dev/null | tr -d '\0')
    
    echo "DEBUG: Extracted key type: '$key_type'" >&2
    
    # Handle different key types
    case "$key_type" in
        "ssh-rsa") echo "ssh-rsa" ;;
        "ssh-ed25519") echo "ssh-ed25519" ;;
        "ecdsa-sha2-nistp256") echo "ecdsa-sha2-nistp256" ;;
        "ecdsa-sha2-nistp384") echo "ecdsa-sha2-nistp384" ;;
        "ecdsa-sha2-nistp521") echo "ecdsa-sha2-nistp521" ;;
        *) echo "unknown" ;;
    esac
}

# Function to generate hash from public key
generate_hash() {
    local key_data="$1"
    local key_type="$2"
    
    echo "DEBUG: Generating hash for key type: $key_type" >&2
    
    # Reconstruct the full public key with a generic comment
    local full_key="${key_type} ${key_data} ssh_hash_auth_key"
    
    echo "DEBUG: Full key: $full_key" >&2
    
    # Use the same method as ssh_hash_manager.sh
    # Extract the base64 part and hash with sha256sum
    local key_b64=$(echo "$full_key" | awk '{print $2}')
    local hash=$(echo "$key_b64" | base64 -d | sha256sum | cut -d' ' -f1)
    local hash_b64=$(echo "$hash" | xxd -r -p | base64)
    
    local final_hash="SHA256:$hash_b64"
    echo "DEBUG: Generated hash: $final_hash" >&2
    
    echo "$final_hash"
}

# Check arguments
if [ $# -ne 2 ]; then
    echo "Usage: $0 <username> <key_data>" >&2
    exit 1
fi

USERNAME="$1"
KEY_DATA="$2"

echo "DEBUG: Username: $USERNAME" >&2
echo "DEBUG: Key data: $KEY_DATA" >&2

# Check if database exists
if [ ! -f "$DB_FILE" ]; then
    echo "DEBUG: Database file not found: $DB_FILE" >&2
    exit 1
fi

echo "DEBUG: Database file found: $DB_FILE" >&2

# Extract the key type from the base64 data
KEY_TYPE=$(extract_key_type "$KEY_DATA")

echo "DEBUG: Extracted key type: $KEY_TYPE" >&2

# Reconstruct the full key with the extracted type
FULL_KEY="${KEY_TYPE} ${KEY_DATA} ssh_hash_auth_key"

echo "DEBUG: Full key: $FULL_KEY" >&2

# Generate hash using the correct key type
KEY_HASH=$(generate_hash "$KEY_DATA" "$KEY_TYPE")

echo "DEBUG: Key hash: $KEY_HASH" >&2

# Fast binary lookup using sqlite3 (much faster than grep)
if command -v sqlite3 >/dev/null 2>&1; then
    echo "DEBUG: Using SQLite lookup" >&2
    # Use regular SQLite table lookup (simpler and more reliable)
    if sqlite3 "$DB_FILE" "SELECT 1 FROM hashes WHERE hash='$KEY_HASH' LIMIT 1;" 2>/dev/null | grep -q "1"; then
        echo "DEBUG: Key found in database!" >&2
        echo "$FULL_KEY"
        exit 0
    else
        echo "DEBUG: Key not found in database" >&2
    fi
else
    # The database is a SQLite file; without sqlite3 it cannot be read, so fail closed
    echo "DEBUG: sqlite3 not found - cannot read the database, failing closed" >&2
fi

# Key is not authorised, return nothing
echo "DEBUG: Authentication failed" >&2
exit 1

99-hash-auth.conf (SSHD Configuration)

# Hash-based authentication configuration (per-user)
# This file is automatically generated by ssh_hash_auth installation
# To disable, rename this file or remove it
#
# sshd only runs the command if it is an absolute path, owned by root and not
# writable by group or others. %u is the login name, %k the base64 key blob.
# sshd still reads AuthorizedKeysFile (default .ssh/authorized_keys) as well;
# uncomment the next line to make the hash database the only source of keys:
#AuthorizedKeysFile none

AuthorizedKeysCommand /usr/local/bin/ssh_hash_auth.sh %u %k
AuthorizedKeysCommandUser root

ssh_hash_manager.sh (Hash Management Tool)

#!/bin/bash
#
# Fast SSH Hash Manager using SQLite database
# Provides ultra-fast hash lookups and management
#

set -e

# Configuration
HASH_FILE_PERMS=600

# Function to generate hash from public key
generate_hash() {
    local key_data="$1"
    
    # Normalise the key (remove extra whitespace)
    normalised_key=$(echo "$key_data" | tr -s ' ')
    
    # Extract the base64 part (second field)
    key_b64=$(echo "$normalised_key" | awk '{print $2}')
    
    # Decode base64 and hash with sha256sum
    hash=$(echo "$key_b64" | base64 -d | sha256sum | cut -d' ' -f1)
    
    # Convert to base64
    hash_b64=$(echo "$hash" | xxd -r -p | base64)
    
    echo "SHA256:$hash_b64"
}

# Function to initialise SQLite database with FTS5 support check
init_database() {
    local username="$1"
    local db_file="$2"
    
    # Create .ssh directory if it doesn't exist
    local ssh_dir=$(dirname "$db_file")
    if [ ! -d "$ssh_dir" ]; then
        mkdir -p "$ssh_dir"
        chmod 700 "$ssh_dir"
        chown "$username:$username" "$ssh_dir"
    fi
    
    # Create SQLite database if it doesn't exist
    if [ ! -f "$db_file" ]; then
        # Always create the main table
        sqlite3 "$db_file" "CREATE TABLE hashes (hash TEXT PRIMARY KEY, description TEXT, added TEXT);"
        
        # Check if FTS5 is available and create FTS table if supported
        if check_fts5; then
            echo "FTS5 detected - creating optimised full-text search tables"
            sqlite3 "$db_file" "CREATE VIRTUAL TABLE hashes_fts USING fts5(hash, description, content='hashes', content_rowid='rowid');"
            sqlite3 "$db_file" "CREATE TRIGGER hashes_ai AFTER INSERT ON hashes BEGIN INSERT INTO hashes_fts(rowid, hash, description) VALUES (new.rowid, new.hash, new.description); END;"
            sqlite3 "$db_file" "CREATE TRIGGER hashes_ad AFTER DELETE ON hashes BEGIN INSERT INTO hashes_fts(hashes_fts, rowid, hash, description) VALUES('delete', old.rowid, old.hash, old.description); END;"
            sqlite3 "$db_file" "CREATE TRIGGER hashes_au AFTER UPDATE ON hashes BEGIN INSERT INTO hashes_fts(hashes_fts, rowid, hash, description) VALUES('delete', old.rowid, old.hash, old.description); INSERT INTO hashes_fts(rowid, hash, description) VALUES (new.rowid, new.hash, new.description); END;"
        else
            echo "FTS5 not available - using standard SQLite tables (slower but functional)"
        fi
        
        chmod $HASH_FILE_PERMS "$db_file"
        chown "$username:$username" "$db_file"
    fi
}

# Function to add hash to database
add_hash() {
    local username="$1"
    local hash="$2"
    local description="$3"

    # Refuse anything that is not a SHA256 fingerprint (with or without the
    # trailing '=' padding); this also keeps SQL metacharacters out of the query
    if ! [[ "$hash" =~ ^SHA256:[A-Za-z0-9+/]{43}=?$ ]]; then
        echo "Error: not a SHA256 fingerprint: $hash"
        exit 1
    fi

    # Get user's home directory from the passwd database (no eval on user input)
    user_home=$(getent passwd "$username" | cut -d: -f6)
    if [ -z "$user_home" ]; then
        echo "Error: unknown user '$username'"
        exit 1
    fi
    db_file="$user_home/.ssh/authorized_keys.db"

    # Initialise database
    init_database "$username" "$db_file"

    # Check if hash already exists
    if sqlite3 "$db_file" "SELECT 1 FROM hashes WHERE hash='$hash' LIMIT 1;" 2>/dev/null | grep -q "1"; then
        echo "Hash already exists: $hash"
        return
    fi

    # Escape single quotes in the free-text description so that a comment such
    # as "John's desktop" neither breaks the statement nor injects SQL
    local safe_description
    safe_description=$(printf '%s' "$description" | sed "s/'/''/g")

    # Add hash to database
    sqlite3 "$db_file" "INSERT INTO hashes (hash, description, added) VALUES ('$hash', '$safe_description', '$(date -Iseconds)');"

    # Set proper permissions
    chmod $HASH_FILE_PERMS "$db_file"
    chown "$username:$username" "$db_file"

    echo "Added hash: $hash"
}

# Function to generate hash from public key file
generate_from_file() {
    local username="$1"
    local key_file="$2"

    # -r rather than -f so that /dev/stdin or a process substitution works too
    if [ ! -r "$key_file" ]; then
        echo "Error: Key file not found or not readable: $key_file"
        exit 1
    fi

    # Read the first key line of the file
    key_data=$(head -n1 "$key_file")

    # generate_hash takes the second field, so the line must be plain
    # "<type> <base64> [comment]" with no options prefix in front of it
    case "$(echo "$key_data" | awk '{print $1}')" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *)
            echo "Error: expected a '<type> <base64> [comment]' line without options: $key_file"
            exit 1
            ;;
    esac

    # Extract the comment (everything after the base64; it may contain spaces)
    comment=$(echo "$key_data" | tr -s ' ' | cut -s -d' ' -f3-)

    # If no comment found, use a default
    if [ -z "$comment" ]; then
        comment="No comment"
    fi

    # Generate hash
    hash=$(generate_hash "$key_data")

    # Add to user's database with extracted comment
    add_hash "$username" "$hash" "$comment"

    echo "Generated hash: $hash"
    echo "Public key: $key_data"
    echo "Comment: $comment"
}

# Function to list hashes for user
list_hashes() {
    local username="$1"

    user_home=$(getent passwd "$username" | cut -d: -f6)
    db_file="$user_home/.ssh/authorized_keys.db"

    if [ -z "$user_home" ] || [ ! -f "$db_file" ]; then
        echo "No hash database found for user '$username'"
        return
    fi

    echo "Authorised hashes for user '$username':"
    echo "======================================"

    # A full listing reads the base table directly; the FTS index only helps
    # for searches, and it does not carry the 'added' column
    sqlite3 "$db_file" "SELECT hash, description, added FROM hashes ORDER BY added;" 2>/dev/null || echo "No hashes found"
}

# Function to remove hash
remove_hash() {
    local username="$1"
    local hash="$2"

    # Same fingerprint check as add_hash: keeps the statement free of quotes
    if ! [[ "$hash" =~ ^SHA256:[A-Za-z0-9+/]{43}=?$ ]]; then
        echo "Error: not a SHA256 fingerprint: $hash"
        exit 1
    fi

    user_home=$(getent passwd "$username" | cut -d: -f6)
    db_file="$user_home/.ssh/authorized_keys.db"

    if [ -z "$user_home" ] || [ ! -f "$db_file" ]; then
        echo "No hash database found for user '$username'"
        return
    fi

    # Remove hash from database and report how many rows actually went
    local removed
    removed=$(sqlite3 "$db_file" "DELETE FROM hashes WHERE hash='$hash'; SELECT changes();")
    echo "Removed $removed hash(es): $hash"
}

# Function to search hashes using FTS
search_hashes() {
    local username="$1"
    local search_term="$2"

    user_home=$(getent passwd "$username" | cut -d: -f6)
    db_file="$user_home/.ssh/authorized_keys.db"

    if [ -z "$user_home" ] || [ ! -f "$db_file" ]; then
        echo "No hash database found for user '$username'"
        return
    fi

    echo "Searching hashes for user '$username' with term: '$search_term'"
    echo "================================================================"

    # Escape single quotes so the term cannot break out of the SQL string
    local safe_term
    safe_term=$(printf '%s' "$search_term" | sed "s/'/''/g")

    # Use FTS5 when both the engine and this database's FTS table exist. The
    # FTS table only carries hash and description, so join back to hashes for
    # 'added'. The term is wrapped in double quotes (doubling any embedded
    # ones) so FTS5 treats it as a literal phrase rather than query syntax.
    if check_fts5 && sqlite3 "$db_file" "SELECT 1 FROM sqlite_master WHERE name='hashes_fts';" 2>/dev/null | grep -q 1; then
        local fts_term
        fts_term=$(printf '%s' "$safe_term" | sed 's/"/""/g')
        sqlite3 "$db_file" "SELECT hash, description, added FROM hashes WHERE rowid IN (SELECT rowid FROM hashes_fts WHERE hashes_fts MATCH '\"$fts_term\"') ORDER BY added;" 2>/dev/null || echo "No matches found"
    else
        sqlite3 "$db_file" "SELECT hash, description, added FROM hashes WHERE hash LIKE '%$safe_term%' OR description LIKE '%$safe_term%' ORDER BY added;" 2>/dev/null || echo "No matches found"
    fi
}

# Function to check if sqlite3 is available
check_sqlite() {
    if ! command -v sqlite3 >/dev/null 2>&1; then
        echo "Error: sqlite3 is required but not installed."
        echo "Install it with: sudo dnf install sqlite"
        exit 1
    fi
}

# Function to check if FTS5 is available
check_fts5() {
    # Check if SQLite3 is available
    if ! command -v sqlite3 >/dev/null 2>&1; then
        return 1
    fi
    
    # Check SQLite version (FTS5 requires SQLite 3.9.0+)
    local version=$(sqlite3 :memory: "SELECT sqlite_version();" 2>/dev/null)
    if [ $? -ne 0 ]; then
        return 1
    fi
    
    # Parse version and check if it's >= 3.9.0
    local major=$(echo "$version" | cut -d. -f1)
    local minor=$(echo "$version" | cut -d. -f2)
    
    if [ "$major" -lt 3 ] || ([ "$major" -eq 3 ] && [ "$minor" -lt 9 ]); then
        return 1
    fi
    
    # Test if FTS5 can be created
    if ! sqlite3 :memory: "CREATE VIRTUAL TABLE test_fts USING fts5(test); DROP TABLE test_fts;" >/dev/null 2>&1; then
        return 1
    fi
    
    return 0
}

# Main script logic
case "${1:-}" in
    "add")
        # description is optional, so three arguments (add, user, hash) suffice
        if [ $# -lt 3 ]; then
            echo "Usage: $0 add <username> <hash> [description]"
            exit 1
        fi
        check_sqlite
        add_hash "$2" "$3" "${4:-}"
        ;;
    "generate")
        if [ $# -lt 3 ]; then
            echo "Usage: $0 generate <username> <key_file>"
            exit 1
        fi
        check_sqlite
        generate_from_file "$2" "$3"
        ;;
    "list")
        if [ $# -lt 2 ]; then
            echo "Usage: $0 list <username>"
            exit 1
        fi
        check_sqlite
        list_hashes "$2"
        ;;
    "remove")
        if [ $# -lt 3 ]; then
            echo "Usage: $0 remove <username> <hash>"
            exit 1
        fi
        check_sqlite
        remove_hash "$2" "$3"
        ;;
    "search")
        if [ $# -lt 3 ]; then
            echo "Usage: $0 search <username> <search_term>"
            exit 1
        fi
        check_sqlite
        search_hashes "$2" "$3"
        ;;
    *)
        echo "Usage: $0 {add|generate|list|remove|search} [args...]"
        echo ""
        echo "Examples:"
        echo "  $0 generate john ~john/.ssh/id_rsa.pub"
        echo "  $0 add john SHA256:abc123... \"John's desktop\""
        echo "  $0 list john"
        echo "  $0 remove john SHA256:abc123..."
        echo "  $0 search john 'laptop'"
        echo ""
        echo "Note: This system uses SQLite database for ultra-fast lookups"
        exit 1
        ;;
esac
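
A hardened counterpart to the script's search_hashes(), added here as an example and not part of the original script: it binds the search term as a query parameter instead of splicing it into the SQL text, and quotes it as an FTS5 phrase so FTS operators in the term are not interpreted. The table layout and sample rows are assumptions reconstructed from the columns the script queries; the database is built in memory so the example runs stand-alone.

```python
import sqlite3

# Constructed sample rows using the script's columns (hash, description, added).
SAMPLE_ROWS = [
    ("SHA256:aaaa1111", "John's desktop", "2024-01-10"),
    ("SHA256:bbbb2222", "John's laptop", "2024-02-03"),
    ("SHA256:cccc3333", "Build server deploy key", "2024-03-15"),
]


def fts5_available(conn):
    """Same probe as the script's check_fts5(): create and drop a throwaway FTS5 table."""
    try:
        conn.execute("CREATE VIRTUAL TABLE probe_fts USING fts5(x)")
        conn.execute("DROP TABLE probe_fts")
        return True
    except sqlite3.OperationalError:
        return False


def open_sample_db():
    """In-memory stand-in for ~user/.ssh/authorized_keys.db (schema assumed from the script)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE hashes (hash TEXT PRIMARY KEY, description TEXT, added TEXT)")
    conn.executemany("INSERT INTO hashes VALUES (?, ?, ?)", SAMPLE_ROWS)
    if fts5_available(conn):
        conn.execute("CREATE VIRTUAL TABLE hashes_fts USING fts5(hash, description, added)")
        conn.executemany("INSERT INTO hashes_fts VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def has_fts_table(conn):
    sql = "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = 'hashes_fts'"
    return conn.execute(sql).fetchone() is not None


def search_hashes(conn, term):
    """Parameterised version of the script's search_hashes(): the term is bound with '?',
    never spliced into the SQL text, so quotes or SQL keywords in it are plain data."""
    if has_fts_table(conn):
        # FTS5 has its own query language; quoting the term as a phrase stops
        # operators such as OR/NOT and stray punctuation from being interpreted.
        phrase = '"' + term.replace('"', '""') + '"'
        sql = "SELECT hash, description, added FROM hashes_fts WHERE hashes_fts MATCH ? ORDER BY rank"
        return conn.execute(sql, (phrase,)).fetchall()
    pattern = "%" + term + "%"
    sql = "SELECT hash, description, added FROM hashes WHERE hash LIKE ? OR description LIKE ? ORDER BY added"
    return conn.execute(sql, (pattern, pattern)).fetchall()
```

Whether the FTS5 branch or the LIKE fallback runs depends on the SQLite build, exactly as in the script; in both branches a term such as `' OR 1=1 --` is matched as literal text and returns no rows.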

Conclusion

This SSH hash-based authentication system provides a practical, secure, and well-designed solution for SSH key management that can scale from small deployments to enterprise environments.

Key Advantages

  • Secure: No plain-text key storage
  • Fast: SQLite binary lookups
  • Scalable: Per-user databases
  • Manageable: Comprehensive management tools
  • Auditable: Complete audit trail
  • Flexible: Supports multiple key types
  • Reliable: Proven in production use

Production Readiness

The system is production-ready and provides significant security and performance benefits over traditional authorized_keys files. The enhanced version adds enterprise-grade features like expiration, audit logging, and rate limiting while maintaining the simplicity and reliability of the original system.

💡 Disclaimer:
This system is designed to be practical, secure, and maintainable - focus on incremental improvements rather than major changes.
Creative Commons - Attribution 2.5 Generic. Powered by Blogger.