linux:network:ssh

Differences

This shows you the differences between two versions of the page.
linux:network:ssh [2016/09/09 21:36]
tkilla [SFTP]
linux:network:ssh [2021/03/29 01:18] (current)
tkilla [rrsync]
Line 6: Line 6:
  
 Generate a (4096 bits long) private+public -key-pair on the local machine. To generate a key without password, just press enter: Generate a (4096 bits long) private+public -key-pair on the local machine. To generate a key without password, just press enter:
 +
 +Modern ssh supports elliptical curve keys (Ed25519 keys have a fixed length):
 +  ssh-keygen -t ed25519
 +
 +Old rsa key:
  
   ssh-keygen -b 4096   ssh-keygen -b 4096
 +
  
 Find the public key in **~/.ssh/id_rsa.pub** Find the public key in **~/.ssh/id_rsa.pub**
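
Review bot: the two ssh-keygen commands in this hunk are inconsistent with the unchanged sentence that follows them, "Find the public key in **~/.ssh/id_rsa.pub**": that path is only right for the RSA key, the ed25519 key lands in `~/.ssh/id_ed25519.pub`. Suggest saying so, and making the RSA type explicit (`ssh-keygen -t rsa -b 4096`) instead of relying on the default key type. Two wording points: "elliptical curve" should be "elliptic curve", and "without password" should be "without passphrase"; the sentence also reads as a recommendation, so it is worth adding that an unprotected private key is only appropriate for unattended automation, where the matching authorized_keys entry should be locked down with `command=`/`from=` restrictions.
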
Line 83: Line 89:
   ssh -L 4950:localhost:4949 -f -N -p222 -M -S /var/run/ssh_tunnel1.sock -o ExitOnForwardFailure=yes root@re.mo.te.IP   ssh -L 4950:localhost:4949 -f -N -p222 -M -S /var/run/ssh_tunnel1.sock -o ExitOnForwardFailure=yes root@re.mo.te.IP
  
 +
 +in /etc/ssh/sshd_config you only need to AllowTcpForwarding:
 +
 +  X11Forwarding no
 +  AllowTcpForwarding yes
 +  PermitTunnel  # not sure,if it's required
 +
 +To restrict tunneling:
 +
 +  PermitOpen 127.0.0.1:3306
  
 \\ \\
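
Review bot: `PermitTunnel  # not sure,if it's required` must not go into sshd_config as written: the keyword has no argument, so `sshd -t` rejects the file (older releases do not even accept a trailing `#` comment on a keyword line), and the question it asks has a clear answer: PermitTunnel governs tun/tap device forwarding (`ssh -w`), not TCP port forwarding, so the `-L` example above needs only `AllowTcpForwarding` and PermitTunnel can stay at its default `no`. Drop the line. Two follow-ups on the restriction example: `PermitOpen` only limits the destinations of local (`-L`/`-D`) forwards, so if only client-to-server tunnels are wanted, `AllowTcpForwarding local` is tighter than `yes`; and `PermitOpen 127.0.0.1:3306` would refuse the `-L 4950:localhost:4949` forward shown above (the destination has to be listed), and with `ExitOnForwardFailure=yes` the ssh process then exits, so the example values should match or the mismatch should be called out.
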
Line 108: Line 124:
   #...   #...
   Match group sftp   Match group sftp
-  ChrootDirectory /var/www/%u  +    ChrootDirectory /var/www/%u  
-  X11Forwarding no +    X11Forwarding no 
-  AllowTcpForwarding no +    ForceCommand internal-sftp 
-  ForceCommand internal-sftp+ 
 +    # you can allow tunneling here, if you like: 
 +    AllowTcpForwarding yes 
 +    PermitOpen 192.168.10.10:3306 
 + 
 +    # or permit it: 
 +    AllowTcpForwarding no 
  
 +alternative setup - use the homedir from /etc/passwd as chroot-dir:
 +  ChrootDirectory %h
  
 add group and user: add group and user:
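
Review bot: the Match block now carries both `AllowTcpForwarding yes` and `AllowTcpForwarding no`, and the comment `# or permit it:` above the `no` line is inverted (that line forbids forwarding). sshd uses the first value it sees for a keyword inside a Match block, so pasted as shown the `no` is silently ignored and tunneling is enabled for the whole sftp group; keep exactly one of the two lines and reword the comment to "or forbid it". If tunneling is kept, `PermitOpen 192.168.10.10:3306` only constrains `-L` targets, so prefer `AllowTcpForwarding local` to also rule out `-R` forwards. The `ChrootDirectory %h` alternative needs the caveat that applies to `/var/www/%u` as well: sshd refuses to chroot unless every path component is owned by root and not group- or world-writable ("bad ownership or modes for chroot directory"), so a normal user-owned home directory fails; make the home root-owned and give the user a writable subdirectory inside it.
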
Line 134: Line 159:
   #session    required     pam_loginuid.so   #session    required     pam_loginuid.so
  
 +
 +
 +
 +
 +\\
 +===== Bugs =====
 +
 +If you get errors like this and problems with logins and tunnels, it's an LXC problem:
 +
 +  pam_loginuid(sshd:session): set_loginuid failed
 +  error: PAM: pam_open_session(): Cannot make/remove an entry for the specified session
 +
 +Fix it with:
 +
 +  sed '/pam_loginuid.so/s/^/#/g' -i /etc/pam.d/
 +
 +inside the container and restart ssh.
 +
 +===== rrsync =====
 +
 +Restricted rsync Setup - rrsync will be the only allowed Command.
 +Run rsync as usual, but the Destination Path on remote Server will be prefixed with the Path defined in authorized_keys
 +
 +  mcedit /root/.ssh/authorized_keys
 +  # prefix key with something like:
 +  from="<IP>",command="$HOME/bin/rrsync /home/",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-ed25519
 +
 +
 +  cp /usr/share/doc/rsync/scripts/rrsync /root/bin/
 +  chmod +x /root/bin/rrsync
 +  chown root:root /root/bin/rrsync
 +
 +
 +OLD jessie:
 +
 +  gunzip /usr/share/doc/rsync/scripts/rrsync.gz -c > /root/bin/rrsync
 +  chmod +x /root/bin/rrsync
 +  chown root:root /root/bin/rrsync
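
Review bot: `sed '/pam_loginuid.so/s/^/#/g' -i /etc/pam.d/` points at a directory, and `sed -i` refuses to edit a directory, so the "Fix it with" step does nothing; the file is `/etc/pam.d/sshd` (the unchanged context line `#session    required     pam_loginuid.so` at the top of the hunk shows the intended result). In the rrsync section, `command="$HOME/bin/rrsync /home/"` gives the holder of that key read-write rsync access to everything under /home/; if the key is only meant to pull, add rrsync's `-ro` flag. `$HOME` in the `command=` option is expanded by the user's login shell, not by sshd, so it resolves to /root/bin only while root keeps a real shell; writing `/root/bin/rrsync` outright removes that dependency. Finally, the `cp` and `chown root:root` lines should be preceded by creating /root/bin if it does not exist, and the `chown` is redundant when root does the copy.
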
linux/network/ssh.1473449781.txt.gz · Last modified: 2016/09/09 21:36 by tkilla