This shows you the differences between two versions of the page.
linux:network:ssh [2015/05/07 10:24] tkilla |
linux:network:ssh [2021/03/29 01:18] (current) tkilla [rrsync] |
Line 6: | Line 6: | ||
Generate a (4096 bits long) private+public -key-pair on the local machine. To generate a key without password, just press enter: | Generate a (4096 bits long) private+public -key-pair on the local machine. To generate a key without password, just press enter: | ||
+ | |||
+ | Modern ssh supports elliptical curve keys (Ed25519 keys have a fixed length): | ||
+ | ssh-keygen -t ed25519 | ||
+ | |||
+ | Old rsa key: | ||
ssh-keygen -b 4096 | ssh-keygen -b 4096 | ||
+ | |||
Find the public key in **~/ | Find the public key in **~/ | ||
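Review bot: `ssh-keygen -b 4096` under "Old rsa key" depends on RSA being the default key type, which is no longer the case (OpenSSH 9.5 and later generate Ed25519 by default and ignore `-b` for it), so the command should be `ssh-keygen -t rsa -b 4096` to actually produce the 4096-bit RSA key the text describes. Minor wording: "elliptical curve" should read "elliptic curve".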
Line 20: | Line 26: | ||
ssh-copy-id -i .ssh/ | ssh-copy-id -i .ssh/ | ||
+ | \\ | ||
+ | ===== Key authentication - restricted ===== | ||
+ | |||
+ | To secure the keyless login, you can restrict the key to (very) specific commands. For example one specific rsync: | ||
+ | |||
+ | in the rsync commandline add -v to the ssh command: | ||
+ | rsync $PARMS -e "ssh -v -p 123" | ||
+ | |||
+ | you will find a line like this in the output: | ||
+ | debug1: Sending command: rsync --server -vvlogasdasd.iLsf ..... | ||
+ | |||
+ | copy this line from rsync to the end to the authorized_keys on the remote machine and prepend command=" | ||
+ | command=" | ||
+ | |||
+ | test it and then remove -v | ||
+ | |||
+ | FIXME | ||
+ | |||
+ | **This can be problematic, | ||
+ | You need one line for each rsync command! | ||
+ | |||
+ | More restrictions: | ||
+ | |||
+ | Allow only specified IP(s): | ||
+ | from=" | ||
+ | |||
+ | No shell, and more: | ||
+ | |||
+ | command=" | ||
\\ | \\ | ||
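Review bot: the `command=` entry built at "copy this line from rsync ... prepend command=" pins only the command string, not the session: the key still gets a pty, agent forwarding and port forwarding unless the options hinted at under "No shell, and more" are on the same authorized_keys line, so suggest `restrict,command="..."` (OpenSSH 7.2 and later; on older servers `no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding`). Note also that the forced command is always what runs and the client's actual request is only exposed in `SSH_ORIGINAL_COMMAND`; that is why "You need one line for each rsync command!" holds, because the `rsync --server ...` flag string copied from the `-v` output changes whenever the local rsync options or version change, and a mismatch means the server runs the old flag set rather than refusing. The `from=` restriction is worth keeping as a second layer, not as a replacement for the command restriction.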
Line 54: | Line 89: | ||
ssh -L 4950: | ssh -L 4950: | ||
+ | |||
+ | in / | ||
+ | |||
+ | X11Forwarding no | ||
+ | AllowTcpForwarding yes | ||
+ | PermitTunnel | ||
+ | |||
+ | To restrict tunneling: | ||
+ | |||
+ | PermitOpen 127.0.0.1: | ||
\\ | \\ | ||
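Review bot: the `PermitOpen 127.0.0.1:...` line under "To restrict tunneling" limits only the destinations of client-initiated forwards (`-L` and `-D`); it does not constrain `-R` remote forwards, so to stop a client from opening listeners on the server pair it with `AllowTcpForwarding local` or a `PermitListen` directive (OpenSSH 7.8 and later). `PermitTunnel` is a separate control for tun(4) layer-2/3 tunnels (`ssh -w`), not for TCP forwarding, and defaults to `no`; the line as shown carries no value, so state `yes` or `no` explicitly.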
Line 79: | Line 124: | ||
#... | #... | ||
Match group sftp | Match group sftp | ||
- | | + | |
- | X11Forwarding no | + | X11Forwarding no |
- | | + | ForceCommand internal-sftp |
- | | + | |
+ | # you can allow tunneling here, if you like: | ||
+ | AllowTcpForwarding yes | ||
+ | PermitOpen 192.168.10.10: | ||
+ | |||
+ | # or permit it: | ||
+ | AllowTcpForwarding no | ||
+ | alternative setup - use the homedir from /etc/passwd as chroot-dir: | ||
+ | ChrootDirectory %h | ||
add group and user: | add group and user: | ||
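Review bot: in the `Match group sftp` block the comment `# or permit it:` sits above `AllowTcpForwarding no`, which forbids forwarding; it should read `# or forbid it:` so the two alternatives are not misread. The `alternative setup - use the homedir from /etc/passwd as chroot-dir:` line appears inside the listing without a leading `#`, and sshd refuses to start on an unparseable sshd_config line, so mark it as a comment or move it out of the config. With `ChrootDirectory %h` the home directory itself has to be root-owned and not writable by the user (the requirement quoted further down), so uploads need a user-writable subdirectory inside it.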
Line 97: | Line 151: | ||
"Their home directory must be owned as root and not writable by another user or group. This includes the path leading to the directory" | "Their home directory must be owned as root and not writable by another user or group. This includes the path leading to the directory" | ||
https:// | https:// | ||
+ | |||
+ | **debug:** | ||
+ | |||
+ | if / | ||
+ | comment this entry from / | ||
+ | |||
+ | # | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | \\ | ||
+ | ===== Bugs ===== | ||
+ | |||
+ | If you get errors like this and problems with logins and tunnels, it's an LXC problem: | ||
+ | |||
+ | pam_loginuid(sshd: | ||
+ | error: PAM: pam_open_session(): | ||
+ | |||
+ | Fix it with: | ||
+ | |||
+ | sed '/ | ||
+ | |||
+ | inside the container and restart ssh. | ||
+ | |||
+ | ===== rrsync ===== | ||
+ | |||
+ | Restricted rsync Setup - rrsync will be the only allowed Command. | ||
+ | Run rsync as usual, but the Destination Path on remote Server will be prefixed with the Path defined in authorized_keys | ||
+ | |||
+ | mcedit / | ||
+ | # prefix key with something like: | ||
+ | from="< | ||
+ | |||
+ | |||
+ | cp / | ||
+ | chmod +x / | ||
+ | chown root:root / | ||
+ | |||
+ | |||
+ | OLD jessie: | ||
+ | |||
+ | gunzip / | ||
+ | chmod +x / | ||
+ | chown root:root / |
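Review bot: the `from="<...` prefix under "prefix key with something like:" should also carry `restrict` (or `no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding` on older servers) before the `command="... rrsync ..."` part: rrsync only validates the rsync arguments it receives through `SSH_ORIGINAL_COMMAND`, it does not remove pty, agent or port forwarding from the key. Where the remote path only needs to be read from, pass rrsync's `-ro` option so the key cannot write into the prefixed directory. The `chown root:root` after `chmod +x` is right; the script must not be writable by the account that logs in with the restricted key, since it is what enforces the restriction.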