Differences

This shows you the differences between two versions of the page.

--- linux:network:ssh [2016/07/21 20:00]
tkilla
+++ linux:network:ssh [2021/03/29 01:18] (current)
tkilla [rrsync]
@@ Line 6: / Line 6: @@
 Generate a (4096 bits long) private+public -key-pair on the local machine. To generate a key without password, just press enter:
+Modern ssh supports elliptical curve keys (Ed25519 keys have a fixed length):
+  ssh-keygen -t ed25519
+Old rsa key:
   ssh-keygen -b 4096
 Find the public key in **~/.ssh/id_rsa.pub**
@@ Line 31: / Line 37: @@
   debug1: Sending command: rsync  --server -vvlogasdasd.iLsf .....
-copy this line from rsync to the end to the authorized_keys on the remote machine and prepend the key-line:
+copy this line from rsync to the end to the authorized_keys on the remote machine and prepend command=".." to the key-line:
   command="rsync --server -vvlogasdasd.iLsf ......" ssh-rsa AAAA.....
 test it and then remove -v
+FIXME
+**This can be problematic, because the allowed command will always be executed - no matter what your script says!!**
+You need one line for each rsync command!
+More restrictions:
+Allow only specified IP(s):
+  from="host1,host2",command="..."  ssh-rsa AAA...
+No shell, and more:
+  command="...",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty  ssh-rsa AAA...
 \\
@@ Line 70: / Line 89: @@
   ssh -L 4950:localhost:4949 -f -N -p222 -M -S /var/run/ssh_tunnel1.sock -o ExitOnForwardFailure=yes root@re.mo.te.IP
+in /etc/ssh/sshd_config you only need to AllowTcpForwarding:
+  X11Forwarding no
+  AllowTcpForwarding yes
+  PermitTunnel  # not sure,if it's required
+To restrict tunneling:
+  PermitOpen 127.0.0.1:3306
 \\
@@ Line 95: / Line 124: @@
   #...
   Match group sftp
-  ChrootDirectory /var/www/%u
+    ChrootDirectory /var/www/%u
-  X11Forwarding no
+    X11Forwarding no
-  AllowTcpForwarding no
+    ForceCommand internal-sftp
-  ForceCommand internal-sftp
+    # you can allow tunneling here, if you like:
+    AllowTcpForwarding yes
+    PermitOpen 192.168.10.10:3306
+    # or permit it:
+    AllowTcpForwarding no
+alternative setup - use the homedir from /etc/passwd as chroot-dir:
+  ChrootDirectory %h
 add group and user:
@@ Line 113: / Line 151: @@
 "Their home directory must be owned as root and not writable by another user or group. This includes the path leading to the directory"
 https://wiki.archlinux.org/index.php/SFTP_chroot
+**debug:**
+if /var/log/auth.log gives this error: pam_loginuid(sshd:session): set_loginuid failed
+comment this entry from /etc/pam.d/sshd:
+  #session    required     pam_loginuid.so
+\\
+===== Bugs =====
+If you get errors like this and problems with logins and tunnels, it's an LXC problem:
+  pam_loginuid(sshd:session): set_loginuid failed
+  error: PAM: pam_open_session(): Cannot make/remove an entry for the specified session
+Fix it with:
+  sed '/pam_loginuid.so/s/^/#/g' -i /etc/pam.d/*
+inside the container and restart ssh.
+===== rrsync =====
+Restricted rsync Setup - rrsync will be the only allowed Command.
+Run rsync as usual, but the Destination Path on remote Server will be prefixed with the Path defined in authorized_keys
+  mcedit /root/.ssh/authorized_keys
+  # prefix key with something like:
+  from="<IP>",command="$HOME/bin/rrsync /home/",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-ed25519
+  cp /usr/share/doc/rsync/scripts/rrsync /root/bin/
+  chmod +x /root/bin/rrsync
+  chown root:root /root/bin/rrsync
+OLD jessie:
+  gunzip /usr/share/doc/rsync/scripts/rrsync.gz -c > /root/bin/rrsync
+  chmod +x /root/bin/rrsync
+  chown root:root /root/bin/rrsync

fr33.info

User Tools

Site Tools

Differences

Page Tools