Differences

This shows you the differences between two versions of the page.

--- linux:network:ssh [2014/06/16 14:09]
tkilla
+++ linux:network:ssh [2021/03/29 01:18] (current)
tkilla [rrsync]
@@ Line 6: / Line 6: @@
 Generate a (4096 bits long) private+public -key-pair on the local machine. To generate a key without password, just press enter:
+Modern ssh supports elliptical curve keys (Ed25519 keys have a fixed length):
+  ssh-keygen -t ed25519
+Old rsa key:
   ssh-keygen -b 4096
 Find the public key in **~/.ssh/id_rsa.pub**
@@ Line 19: / Line 25: @@
 Another option is to use the following command to add the key to authorized_keys on the remote machine:
   ssh-copy-id -i .ssh/id_rsa.pub user@remoteserver
+\\
+===== Key authentication - restricted =====
+To secure the keyless login, you can restrict the key to (very) specific commands. For example one specific rsync:
+in the rsync commandline add -v to the ssh command:
+  rsync $PARMS -e "ssh -v -p 123"
+you will find a line like this in the output:
+  debug1: Sending command: rsync  --server -vvlogasdasd.iLsf .....
+copy this line from rsync to the end to the authorized_keys on the remote machine and prepend command=".." to the key-line:
+  command="rsync --server -vvlogasdasd.iLsf ......" ssh-rsa AAAA.....
+test it and then remove -v
+FIXME
+**This can be problematic, because the allowed command will always be executed - no matter what your script says!!**
+You need one line for each rsync command!
+More restrictions:
+Allow only specified IP(s):
+  from="host1,host2",command="..."  ssh-rsa AAA...
+No shell, and more:
+  command="...",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty  ssh-rsa AAA...
+\\
+===== Keychain =====
+encrypt your key with passphrase, but enter phrase only once per session
+http://www.funtoo.org/Keychain
+add / change key passphrase:
+  cd ~/.ssh/
+  ls
+  ssh-keygen -f id_rsa -p
+setup keychain:
+  sudo apt-get install keychain
+add keychain to ~/.bash_profile
+  eval `keychain --eval --agents ssh --clear id_rsa`
+everytime you login, keychain will ask for your passphrase and re-use it for all logins:
+  source ~/.bash_profile
@@ Line 28: / Line 89: @@
   ssh -L 4950:localhost:4949 -f -N -p222 -M -S /var/run/ssh_tunnel1.sock -o ExitOnForwardFailure=yes root@re.mo.te.IP
+in /etc/ssh/sshd_config you only need to AllowTcpForwarding:
+  X11Forwarding no
+  AllowTcpForwarding yes
+  PermitTunnel  # not sure,if it's required
+To restrict tunneling:
+  PermitOpen 127.0.0.1:3306
 \\
 ===== SSHFS - SSH Filesystem =====
-Mount remote directories (for all users and reconnect, when network is interrupted)
+Mount remote directories (for all users and reconnect, if network is interrupted)
+Install:
+  apt-get install sshfs
+Mount:
   sshfs -p 222 root@server:/path/ /mnt/server -o allow_other -o reconnect
+\\
+===== SFTP =====
+vsftp server is not required to run a sftp server - openssh handles it.
+setup is tricky: permissions of dirs are very important!
+/etc/ssh/sshd_config:
+  #Subsystem sftp /usr/lib/openssh/sftp-server
+  Subsystem sftp internal-sftp
+  #...
+  Match group sftp
+    ChrootDirectory /var/www/%u
+    X11Forwarding no
+    ForceCommand internal-sftp
+    # you can allow tunneling here, if you like:
+    AllowTcpForwarding yes
+    PermitOpen 192.168.10.10:3306
+    # or permit it:
+    AllowTcpForwarding no
+alternative setup - use the homedir from /etc/passwd as chroot-dir:
+  ChrootDirectory %h
+add group and user:
+  groupadd sftp
+  useradd -g sftp  -d /var/www/user/  -s /sbin/nologin user
+  passwd user
+set permissions, **chown to root**:
+  chown root:root /var/www/  # basedir must belong to root
+  chmod 0755 /var/www/
+  chown root:root /var/www/user/  #root not only for for parent!
+"Their home directory must be owned as root and not writable by another user or group. This includes the path leading to the directory"
+https://wiki.archlinux.org/index.php/SFTP_chroot
+**debug:**
+if /var/log/auth.log gives this error: pam_loginuid(sshd:session): set_loginuid failed
+comment this entry from /etc/pam.d/sshd:
+  #session    required     pam_loginuid.so
+\\
+===== Bugs =====
+If you get errors like this and problems with logins and tunnels, it's an LXC problem:
+  pam_loginuid(sshd:session): set_loginuid failed
+  error: PAM: pam_open_session(): Cannot make/remove an entry for the specified session
+Fix it with:
+  sed '/pam_loginuid.so/s/^/#/g' -i /etc/pam.d/*
+inside the container and restart ssh.
+===== rrsync =====
+Restricted rsync Setup - rrsync will be the only allowed Command.
+Run rsync as usual, but the Destination Path on remote Server will be prefixed with the Path defined in authorized_keys
+  mcedit /root/.ssh/authorized_keys
+  # prefix key with something like:
+  from="<IP>",command="$HOME/bin/rrsync /home/",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-ed25519
+  cp /usr/share/doc/rsync/scripts/rrsync /root/bin/
+  chmod +x /root/bin/rrsync
+  chown root:root /root/bin/rrsync
+OLD jessie:
+  gunzip /usr/share/doc/rsync/scripts/rrsync.gz -c > /root/bin/rrsync
+  chmod +x /root/bin/rrsync
+  chown root:root /root/bin/rrsync

fr33.info

User Tools

Site Tools

Differences

Page Tools