====== SSH ====== secure shell... ===== Key authentication - login without password ===== Generate a (4096 bits long) private+public -key-pair on the local machine. To generate a key without password, just press enter: Modern ssh supports elliptical curve keys (Ed25519 keys have a fixed length): ssh-keygen -t ed25519 Old rsa key: ssh-keygen -b 4096 Find the public key in **~/.ssh/id_rsa.pub** To login on a remote machine without password, you need to add the public key to the file **~/.ssh/authorized_keys** on that box. less ~/.ssh/id_rsa.pub # copy this .. on the remote machine: nano ~/.ssh/authorized_keys # paste key in **ONE** line Another option is to use the following command to add the key to authorized_keys on the remote machine: ssh-copy-id -i .ssh/id_rsa.pub user@remoteserver \\ ===== Key authentication - restricted ===== To secure the keyless login, you can restrict the key to (very) specific commands. For example one specific rsync: in the rsync commandline add -v to the ssh command: rsync $PARMS -e "ssh -v -p 123" you will find a line like this in the output: debug1: Sending command: rsync --server -vvlogasdasd.iLsf ..... copy this line from rsync to the end to the authorized_keys on the remote machine and prepend command=".." to the key-line: command="rsync --server -vvlogasdasd.iLsf ......" ssh-rsa AAAA..... test it and then remove -v FIXME **This can be problematic, because the allowed command will always be executed - no matter what your script says!!** You need one line for each rsync command! More restrictions: Allow only specified IP(s): from="host1,host2",command="..." ssh-rsa AAA... No shell, and more: command="...",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAA... \\ ===== Keychain ===== encrypt your key with passphrase, but enter phrase only once per session http://www.funtoo.org/Keychain add / change key passphrase: cd ~/.ssh/ ls ssh-keygen -f id_rsa -p setup keychain: sudo apt-get install keychain add keychain to ~/.bash_profile eval `keychain --eval --agents ssh --clear id_rsa` everytime you login, keychain will ask for your passphrase and re-use it for all logins: source ~/.bash_profile \\ ===== setup a tunnel ===== this creates a tunnel from local port 4950 to port 4949 on the remote machine, using a socket ssh -L 4950:localhost:4949 -f -N -p222 -M -S /var/run/ssh_tunnel1.sock -o ExitOnForwardFailure=yes root@re.mo.te.IP in /etc/ssh/sshd_config you only need to AllowTcpForwarding: X11Forwarding no AllowTcpForwarding yes PermitTunnel # not sure,if it's required To restrict tunneling: PermitOpen 127.0.0.1:3306 \\ ===== SSHFS - SSH Filesystem ===== Mount remote directories (for all users and reconnect, if network is interrupted) Install: apt-get install sshfs Mount: sshfs -p 222 root@server:/path/ /mnt/server -o allow_other -o reconnect \\ ===== SFTP ===== vsftp server is not required to run a sftp server - openssh handles it. setup is tricky: permissions of dirs are very important! /etc/ssh/sshd_config: #Subsystem sftp /usr/lib/openssh/sftp-server Subsystem sftp internal-sftp #... Match group sftp ChrootDirectory /var/www/%u X11Forwarding no ForceCommand internal-sftp # you can allow tunneling here, if you like: AllowTcpForwarding yes PermitOpen 192.168.10.10:3306 # or permit it: AllowTcpForwarding no alternative setup - use the homedir from /etc/passwd as chroot-dir: ChrootDirectory %h add group and user: groupadd sftp useradd -g sftp -d /var/www/user/ -s /sbin/nologin user passwd user set permissions, **chown to root**: chown root:root /var/www/ # basedir must belong to root chmod 0755 /var/www/ chown root:root /var/www/user/ #root not only for for parent! "Their home directory must be owned as root and not writable by another user or group. This includes the path leading to the directory" https://wiki.archlinux.org/index.php/SFTP_chroot **debug:** if /var/log/auth.log gives this error: pam_loginuid(sshd:session): set_loginuid failed comment this entry from /etc/pam.d/sshd: #session required pam_loginuid.so \\ ===== Bugs ===== If you get errors like this and problems with logins and tunnels, it's an LXC problem: pam_loginuid(sshd:session): set_loginuid failed error: PAM: pam_open_session(): Cannot make/remove an entry for the specified session Fix it with: sed '/pam_loginuid.so/s/^/#/g' -i /etc/pam.d/* inside the container and restart ssh. ===== rrsync ===== Restricted rsync Setup - rrsync will be the only allowed Command. Run rsync as usual, but the Destination Path on remote Server will be prefixed with the Path defined in authorized_keys mcedit /root/.ssh/authorized_keys # prefix key with something like: from="",command="$HOME/bin/rrsync /home/",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-ed25519 cp /usr/share/doc/rsync/scripts/rrsync /root/bin/ chmod +x /root/bin/rrsync chown root:root /root/bin/rrsync OLD jessie: gunzip /usr/share/doc/rsync/scripts/rrsync.gz -c > /root/bin/rrsync chmod +x /root/bin/rrsync chown root:root /root/bin/rrsync