linux:network:ssh

Differences

This shows you the differences between two versions of the page.

linux:network:ssh [2015/01/16 14:38]
tkilla
linux:network:ssh [2021/03/29 01:18] (current)
tkilla [rrsync]
Line 6: Line 6:
  
 Generate a (4096 bits long) private+public -key-pair on the local machine. To generate a key without password, just press enter: Generate a (4096 bits long) private+public -key-pair on the local machine. To generate a key without password, just press enter:
 +
 +Modern ssh supports elliptical curve keys (Ed25519 keys have a fixed length):
 +  ssh-keygen -t ed25519
 +
 +Old rsa key:
  
   ssh-keygen -b 4096   ssh-keygen -b 4096
 +
  
 Find the public key in **~/.ssh/id_rsa.pub** Find the public key in **~/.ssh/id_rsa.pub**
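Review bot: the new `ssh-keygen -t ed25519` step leaves the unchanged line that follows it stale, since "Find the public key in **~/.ssh/id_rsa.pub**" only holds for the RSA variant; without `-f`, ssh-keygen writes the Ed25519 pair to `~/.ssh/id_ed25519` and `~/.ssh/id_ed25519.pub`, so the text should name both paths (or pass `-f` explicitly in both examples). Minor wording: "elliptical curve keys" should read "elliptic curve keys".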
Line 19: Line 25:
 Another option is to use the following command to add the key to authorized_keys on the remote machine: Another option is to use the following command to add the key to authorized_keys on the remote machine:
   ssh-copy-id -i .ssh/id_rsa.pub user@remoteserver   ssh-copy-id -i .ssh/id_rsa.pub user@remoteserver
 +
 +\\
 +===== Key authentication - restricted =====
 +
 +To secure the keyless login, you can restrict the key to (very) specific commands. For example one specific rsync:
 +
 +in the rsync commandline add -v to the ssh command:
 +  rsync $PARMS -e "ssh -v -p 123"
 +
 +you will find a line like this in the output:
 +  debug1: Sending command: rsync  --server -vvlogasdasd.iLsf .....
 +
 +copy this line from rsync to the end to the authorized_keys on the remote machine and prepend command=".." to the key-line:
 +  command="rsync --server -vvlogasdasd.iLsf ......" ssh-rsa AAAA.....
 +
 +test it and then remove -v
 +
 +FIXME
 +
 +**This can be problematic, because the allowed command will always be executed - no matter what your script says!!**
 +You need one line for each rsync command!
 +
 +More restrictions:
 +
 +Allow only specified IP(s):
 +  from="host1,host2",command="..."  ssh-rsa AAA...
 +
 +No shell, and more:
 +
 +  command="...",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty  ssh-rsa AAA...
 +
 +\\
 +===== Keychain =====
 +
 +encrypt your key with passphrase, but enter phrase only once per session
 +
 +http://www.funtoo.org/Keychain
 +
 +add / change key passphrase:
 +
 +  cd ~/.ssh/
 +  ls
 +  ssh-keygen -f id_rsa -p
 +
 +setup keychain:
 +  sudo apt-get install keychain
 +
 +add keychain to ~/.bash_profile
 +
 +  eval `keychain --eval --agents ssh --clear id_rsa`
 +
 +everytime you login, keychain will ask for your passphrase and re-use it for all logins:
 +
 +  source ~/.bash_profile
 +
  
  
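Review bot: the forced-command example `command="rsync --server -vvlogasdasd.iLsf ......"` carries a placeholder option string, and the text should say that the string must be copied byte for byte from the `debug1: Sending command:` line, because sshd matches the forced command literally and rsync's server-side option string changes with the rsync version and the client flags used; that is also the reason behind the FIXME paragraph ("one line for each rsync command"), so pointing readers to the rrsync section as the maintainable alternative would help. On the `no-pty` restriction line, consider adding `no-user-rc` (it is already used in the rrsync key line) so that a `~/.ssh/rc` in the account cannot run ahead of the forced command, and note that `from=` patterns based on hostnames depend on reverse DNS, so IP addresses are the more reliable form.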
Line 28: Line 89:
   ssh -L 4950:localhost:4949 -f -N -p222 -M -S /var/run/ssh_tunnel1.sock -o ExitOnForwardFailure=yes root@re.mo.te.IP   ssh -L 4950:localhost:4949 -f -N -p222 -M -S /var/run/ssh_tunnel1.sock -o ExitOnForwardFailure=yes root@re.mo.te.IP
  
 +
 +in /etc/ssh/sshd_config you only need to AllowTcpForwarding:
 +
 +  X11Forwarding no
 +  AllowTcpForwarding yes
 +  PermitTunnel  # not sure,if it's required
 +
 +To restrict tunneling:
 +
 +  PermitOpen 127.0.0.1:3306
  
 \\ \\
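Review bot: the line `PermitTunnel  # not sure,if it's required` should be dropped or written as `PermitTunnel no`: the keyword requires an argument (yes, no, point-to-point or ethernet), and it governs tun(4) device forwarding via `ssh -w`, which the `-L` port forward above does not use, so it is not needed for this setup. Also, `PermitOpen 127.0.0.1:3306` restricts only the destinations of local (`-L`) forwards; with `AllowTcpForwarding yes`, remote (`-R`) forwards remain allowed, so mention `AllowTcpForwarding local` (or `PermitListen`, available since OpenSSH 7.8) for readers who want the restriction to be complete.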
Line 53: Line 124:
   #...   #...
   Match group sftp   Match group sftp
-  ChrootDirectory /var/www +    ChrootDirectory /var/www/%u  
-  X11Forwarding no +    X11Forwarding no 
-  AllowTcpForwarding no +    ForceCommand internal-sftp 
-  ForceCommand internal-sftp+ 
 +    # you can allow tunneling here, if you like: 
 +    AllowTcpForwarding yes 
 +    PermitOpen 192.168.10.10:3306 
 + 
 +    # or permit it: 
 +    AllowTcpForwarding no 
  
 +alternative setup - use the homedir from /etc/passwd as chroot-dir:
 +  ChrootDirectory %h
  
 add group and user: add group and user:
   groupadd sftp   groupadd sftp
   useradd -g sftp  -d /var/www/user/  -s /sbin/nologin user   useradd -g sftp  -d /var/www/user/  -s /sbin/nologin user
 +  passwd user
  
 set permissions, **chown to root**: set permissions, **chown to root**:
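Review bot: the Match block now sets `AllowTcpForwarding yes` and, a few lines later, `AllowTcpForwarding no`; sshd uses the first value obtained for a keyword, so the trailing `no` is silently ignored and forwarding stays enabled for the sftp group, which contradicts the comment `# or permit it:` (which should read "or deny it"). Suggest showing the two variants as mutually exclusive alternatives, with only one of them uncommented, and adding a note that `sshd -t` reports configuration errors before a restart. The switch from `ChrootDirectory /var/www` to `/var/www/%u` is the safer choice since each user is confined to its own directory, but the ownership rule quoted further down (root-owned, not group/world writable) then applies to `/var/www/<user>` as well as to `/var/www`.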
Line 70: Line 151:
 "Their home directory must be owned as root and not writable by another user or group. This includes the path leading to the directory" "Their home directory must be owned as root and not writable by another user or group. This includes the path leading to the directory"
 https://wiki.archlinux.org/index.php/SFTP_chroot https://wiki.archlinux.org/index.php/SFTP_chroot
 +
 +**debug:**
 +
 +if /var/log/auth.log gives this error: pam_loginuid(sshd:session): set_loginuid failed
 +comment this entry from /etc/pam.d/sshd:
 +
 +  #session    required     pam_loginuid.so
 +
 +
 +
 +
 +
 +\\
 +===== Bugs =====
 +
 +If you get errors like this and problems with logins and tunnels, it's an LXC problem:
 +
 +  pam_loginuid(sshd:session): set_loginuid failed
 +  error: PAM: pam_open_session(): Cannot make/remove an entry for the specified session
 +
 +Fix it with:
 +
 +  sed '/pam_loginuid.so/s/^/#/g' -i /etc/pam.d/
 +
 +inside the container and restart ssh.
 +
 +===== rrsync =====
 +
 +Restricted rsync Setup - rrsync will be the only allowed Command.
 +Run rsync as usual, but the Destination Path on remote Server will be prefixed with the Path defined in authorized_keys
 +
 +  mcedit /root/.ssh/authorized_keys
 +  # prefix key with something like:
 +  from="<IP>",command="$HOME/bin/rrsync /home/",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-ed25519
 +
 +
 +  cp /usr/share/doc/rsync/scripts/rrsync /root/bin/
 +  chmod +x /root/bin/rrsync
 +  chown root:root /root/bin/rrsync
 +
 +
 +OLD jessie:
 +
 +  gunzip /usr/share/doc/rsync/scripts/rrsync.gz -c > /root/bin/rrsync
 +  chmod +x /root/bin/rrsync
 +  chown root:root /root/bin/rrsync
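Review bot: the fix in the Bugs section, `sed '/pam_loginuid.so/s/^/#/g' -i /etc/pam.d/`, points at a directory, so `sed -i` fails instead of editing anything; it should target `/etc/pam.d/sshd`, which is also the file named in the "debug" paragraph above, and the two paragraphs describe the same pam_loginuid fix and could be merged. In the rrsync key line, `command="$HOME/bin/rrsync /home/"` relies on the account's login shell to expand `$HOME` (sshd runs the forced command through that shell), so the literal `/root/bin/rrsync` is the unambiguous form; since rrsync is read-write by default, the text should also mention the `-ro` option for keys that only ever pull data from the server.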
linux/network/ssh.1421415488.txt.gz · Last modified: 2015/01/16 14:38 by tkilla