linux:network:ssh [2014/06/16 14:09] tkilla |
linux:network:ssh [2021/03/29 01:18] (current) tkilla [rrsync] |
Line 6: | Line 6: | ||
Generate a (4096 bits long) private+public -key-pair on the local machine. To generate a key without password, just press enter: | Generate a (4096 bits long) private+public -key-pair on the local machine. To generate a key without password, just press enter: | ||
+ | |||
+ | Modern ssh supports elliptical curve keys (Ed25519 keys have a fixed length): | ||
+ | ssh-keygen -t ed25519 | ||
+ | |||
+ | Old rsa key: | ||
ssh-keygen -b 4096 | ssh-keygen -b 4096 | ||
+ | |||
Find the public key in **~/ | Find the public key in **~/ | ||
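Review bot: the "Old rsa key" command `ssh-keygen -b 4096` leaves the key type to ssh-keygen's default, and `-b` is silently ignored for Ed25519, so make the type explicit as `ssh-keygen -t rsa -b 4096` so the two examples stay unambiguous on systems whose default differs. "elliptical curve" should read "elliptic curve". The sentence "To generate a key without password, just press enter" produces a passphrase-less key, which is exactly what the Keychain section added later in this revision exists to avoid; a one-line pointer to that section here would keep readers from stopping at the unprotected variant.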
Line 19: | Line 25: | ||
Another option is to use the following command to add the key to authorized_keys on the remote machine: | Another option is to use the following command to add the key to authorized_keys on the remote machine: | ||
ssh-copy-id -i .ssh/ | ssh-copy-id -i .ssh/ | ||
+ | |||
+ | \\ | ||
+ | ===== Key authentication - restricted ===== | ||
+ | |||
+ | To secure the keyless login, you can restrict the key to (very) specific commands. For example one specific rsync: | ||
+ | |||
+ | in the rsync commandline add -v to the ssh command: | ||
+ | rsync $PARMS -e "ssh -v -p 123" | ||
+ | |||
+ | you will find a line like this in the output: | ||
+ | debug1: Sending command: rsync --server -vvlogasdasd.iLsf ..... | ||
+ | |||
+ | copy this line from rsync to the end to the authorized_keys on the remote machine and prepend command=" | ||
+ | command=" | ||
+ | |||
+ | test it and then remove -v | ||
+ | |||
+ | FIXME | ||
+ | |||
+ | **This can be problematic, | ||
+ | You need one line for each rsync command! | ||
+ | |||
+ | More restrictions: | ||
+ | |||
+ | Allow only specified IP(s): | ||
+ | from=" | ||
+ | |||
+ | No shell, and more: | ||
+ | |||
+ | command=" | ||
+ | |||
+ | \\ | ||
+ | ===== Keychain ===== | ||
+ | |||
+ | encrypt your key with passphrase, but enter phrase only once per session | ||
+ | |||
+ | http:// | ||
+ | |||
+ | add / change key passphrase: | ||
+ | |||
+ | cd ~/.ssh/ | ||
+ | ls | ||
+ | ssh-keygen -f id_rsa -p | ||
+ | |||
+ | setup keychain: | ||
+ | sudo apt-get install keychain | ||
+ | |||
+ | add keychain to ~/ | ||
+ | |||
+ | eval `keychain --eval --agents ssh --clear id_rsa` | ||
+ | |||
+ | everytime you login, keychain will ask for your passphrase and re-use it for all logins: | ||
+ | |||
+ | source ~/ | ||
+ | |||
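Review bot: the "No shell, and more:" entry ends at a truncated `command="`, so the options that actually remove the shell and forwarding are not visible; `command=` on its own only forces the command and still leaves port, agent and X11 forwarding available, so the line should spell out `no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="..."` (or the newer `restrict` option) and the `from="` line above it should show at least a placeholder address. The keychain line `eval \`keychain --eval --agents ssh --clear id_rsa\`` names `id_rsa` although the hunk at Line 6 now recommends Ed25519; use `id_ed25519` (or both names) for consistency, and mention that `--clear` is what makes keychain prompt again on every login, which is the behaviour the sentence above it describes. Copying the `rsync --server ...` string out of `ssh -v` output pins the key to one exact argument list, which the FIXME and "one line for each rsync command" already concede; the rrsync section at the end of this revision is the maintainable alternative and deserves a cross-reference here.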
Line 28: | Line 89: | ||
ssh -L 4950: | ssh -L 4950: | ||
+ | |||
+ | in / | ||
+ | |||
+ | X11Forwarding no | ||
+ | AllowTcpForwarding yes | ||
+ | PermitTunnel | ||
+ | |||
+ | To restrict tunneling: | ||
+ | |||
+ | PermitOpen 127.0.0.1: | ||
\\ | \\ | ||
===== SSHFS - SSH Filesystem ===== | ===== SSHFS - SSH Filesystem ===== | ||
- | Mount remote directories (for all users and reconnect, | + | Mount remote directories (for all users and reconnect, |
+ | Install: | ||
+ | apt-get install sshfs | ||
+ | |||
+ | Mount: | ||
sshfs -p 222 root@server:/ | sshfs -p 222 root@server:/ | ||
+ | \\ | ||
+ | ===== SFTP ===== | ||
+ | |||
+ | vsftp server is not required to run a sftp server - openssh handles it. | ||
+ | |||
+ | setup is tricky: permissions of dirs are very important! | ||
+ | |||
+ | / | ||
+ | #Subsystem sftp / | ||
+ | Subsystem sftp internal-sftp | ||
+ | #... | ||
+ | Match group sftp | ||
+ | ChrootDirectory / | ||
+ | X11Forwarding no | ||
+ | ForceCommand internal-sftp | ||
+ | |||
+ | # you can allow tunneling here, if you like: | ||
+ | AllowTcpForwarding yes | ||
+ | PermitOpen 192.168.10.10: | ||
+ | |||
+ | # or permit it: | ||
+ | AllowTcpForwarding no | ||
+ | |||
+ | |||
+ | alternative setup - use the homedir from /etc/passwd as chroot-dir: | ||
+ | ChrootDirectory %h | ||
+ | |||
+ | add group and user: | ||
+ | groupadd sftp | ||
+ | useradd -g sftp -d / | ||
+ | passwd user | ||
+ | |||
+ | set permissions, | ||
+ | chown root:root / | ||
+ | chmod 0755 /var/www/ | ||
+ | chown root:root / | ||
+ | |||
+ | "Their home directory must be owned as root and not writable by another user or group. This includes the path leading to the directory" | ||
+ | https:// | ||
+ | |||
+ | **debug:** | ||
+ | |||
+ | if / | ||
+ | comment this entry from / | ||
+ | |||
+ | # | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | \\ | ||
+ | ===== Bugs ===== | ||
+ | |||
+ | If you get errors like this and problems with logins and tunnels, it's an LXC problem: | ||
+ | |||
+ | pam_loginuid(sshd: | ||
+ | error: PAM: pam_open_session(): | ||
+ | |||
+ | Fix it with: | ||
+ | |||
+ | sed '/ | ||
+ | |||
+ | inside the container and restart ssh. | ||
+ | |||
+ | ===== rrsync ===== | ||
+ | |||
+ | Restricted rsync Setup - rrsync will be the only allowed Command. | ||
+ | Run rsync as usual, but the Destination Path on remote Server will be prefixed with the Path defined in authorized_keys | ||
+ | |||
+ | mcedit / | ||
+ | # prefix key with something like: | ||
+ | from="< | ||
+ | |||
+ | |||
+ | cp / | ||
+ | chmod +x / | ||
+ | chown root:root / | ||
+ | |||
+ | |||
+ | OLD jessie: | ||
+ | |||
+ | gunzip / | ||
+ | chmod +x / | ||
+ | chown root:root / |
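Review bot: in the SFTP `Match group sftp` block the comment `# or permit it:` sits above `AllowTcpForwarding no`, which forbids forwarding, so it should read "or forbid it"; note also that `PermitOpen 192.168.10.10:` only has effect together with `AllowTcpForwarding yes`, so the two variants are mutually exclusive and should not both be left uncommented. The SSHFS example `sshfs -p 222 root@server:/` mounts the remote root as root for all users; pairing it with a dedicated user and a restricted key from the "Key authentication - restricted" section (or rrsync-style forcing) would match the rest of the page. The `PermitTunnel` line carries no value, the `sed '/` fix for the pam_loginuid error and the `#` debug line are cut off, and the rrsync `from="<` prefix is incomplete, so these entries cannot be applied as written and need their full text restored.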