This shows you the differences between two versions of the page.
linux:network:ssh [2016/09/10 12:45] tkilla [SFTP] |
linux:network:ssh [2021/03/29 01:18] (current) tkilla [rrsync] |
Line 6: | Line 6: | ||
Generate a (4096 bits long) private+public -key-pair on the local machine. To generate a key without password, just press enter: | Generate a (4096 bits long) private+public -key-pair on the local machine. To generate a key without password, just press enter: | ||
+ | |||
+ | Modern ssh supports elliptical curve keys (Ed25519 keys have a fixed length): | ||
+ | ssh-keygen -t ed25519 | ||
+ | |||
+ | Old rsa key: | ||
ssh-keygen -b 4096 | ssh-keygen -b 4096 | ||
+ | |||
Find the public key in **~/ | Find the public key in **~/ | ||
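Review bot: "elliptical curve" in the new Ed25519 line should read "elliptic curve", and since the sentence notes that Ed25519 keys have a fixed length it is worth stating that `-b` is ignored for `-t ed25519` (the `-b 4096` only belongs to the RSA command below it). The "Old rsa key:" heading could also say when RSA is still needed (servers whose sshd does not accept Ed25519), otherwise readers cannot tell which command to run. The retained sentence "To generate a key without password, just press enter" now sits above both commands; it should be repeated or moved after them, and a clause that an empty passphrase leaves the private key usable by anyone who can read the file would help readers decide.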
Line 83: | Line 89: | ||
ssh -L 4950: | ssh -L 4950: | ||
+ | |||
+ | in / | ||
+ | |||
+ | X11Forwarding no | ||
+ | AllowTcpForwarding yes | ||
+ | PermitTunnel | ||
+ | |||
+ | To restrict tunneling: | ||
+ | |||
+ | PermitOpen 127.0.0.1: | ||
\\ | \\ | ||
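Review bot: the new configuration block is missing its specifics: "in /" does not name the file (the sshd_config the rest of the page edits), `PermitTunnel` has no value, and `PermitOpen 127.0.0.1:` has no port, so a reader cannot apply it. "To restrict tunneling:" also needs qualifying: `PermitOpen` only limits the destinations of local and dynamic forwards (`ssh -L`, `ssh -D`); it does not affect remote forwards (`ssh -R`) or the tun-device tunneling that `PermitTunnel` governs. If only client-side forwards are wanted, `AllowTcpForwarding local` is the matching directive, and `PermitOpen none` disables local forwards entirely.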
Line 108: | Line 124: | ||
#... | #... | ||
Match group sftp | Match group sftp | ||
- | | + | |
- | X11Forwarding no | + | X11Forwarding no |
- | | + | ForceCommand internal-sftp |
- | | + | |
+ | # you can allow tunneling here, if you like: | ||
+ | AllowTcpForwarding yes | ||
+ | PermitOpen 192.168.10.10: | ||
+ | |||
+ | # or permit it: | ||
+ | AllowTcpForwarding no | ||
alternative setup - use the homedir from /etc/passwd as chroot-dir: | alternative setup - use the homedir from /etc/passwd as chroot-dir: | ||
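Review bot: the comment "# or permit it:" introduces `AllowTcpForwarding no`, which forbids forwarding, so it should read "# or forbid it:"; and because sshd uses the first value it obtains for a keyword, leaving both `AllowTcpForwarding yes` and `AllowTcpForwarding no` uncommented inside the same `Match group sftp` block means `yes` wins silently, so one of the two alternatives must be commented out. `PermitOpen 192.168.10.10:` is also missing its port. Since the block now forces `internal-sftp`, the documented default for an sftp-only group should be `AllowTcpForwarding no`, with the `yes` plus `PermitOpen` pair shown only as the opt-in variant.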
Line 136: | Line 159: | ||
# | # | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | \\ | ||
+ | ===== Bugs ===== | ||
+ | |||
+ | If you get errors like this and problems with logins and tunnels, it's an LXC problem: | ||
+ | |||
+ | pam_loginuid(sshd: | ||
+ | error: PAM: pam_open_session(): | ||
+ | |||
+ | Fix it with: | ||
+ | |||
+ | sed '/ | ||
+ | |||
+ | inside the container and restart ssh. | ||
+ | |||
+ | ===== rrsync ===== | ||
+ | |||
+ | Restricted rsync Setup - rrsync will be the only allowed Command. | ||
+ | Run rsync as usual, but the Destination Path on remote Server will be prefixed with the Path defined in authorized_keys | ||
+ | |||
+ | mcedit / | ||
+ | # prefix key with something like: | ||
+ | from="< | ||
+ | |||
+ | |||
+ | cp / | ||
+ | chmod +x / | ||
+ | chown root:root / | ||
+ | |||
+ | |||
+ | OLD jessie: | ||
+ | |||
+ | gunzip / | ||
+ | chmod +x / | ||
+ | chown root:root / |
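Review bot: most commands in this hunk are cut off after the first `/`, so neither section is usable as written: the `sed '/` fix has no expression and no target file (the messages above name `pam_loginuid`, so presumably its `session` entry in the sshd PAM configuration; spell out the full command and add `-i` if it edits in place), the `from="<` prefix for authorized_keys stops before the address and the `command="..."` part, and the `cp`, `chmod` and `chown` lines have no paths. For the authorized_keys entry, "rrsync will be the only allowed Command" holds only for command execution; unless the key also carries `no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty` (or the `restrict` option on newer sshd) beside `command="rrsync <path>"`, it can still open tunnels. rrsync additionally accepts `-ro` to make the prefixed path read-only, which is worth mentioning for keys that should only pull.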