===== SSH =====
==== SSHD ====
Service config:
/etc/ssh/sshd_config
UseDNS no #To avoid DNS lookups edit /etc/ssh/sshd_config and add this directive
To deny password authentication for non-root users set the following options:
PasswordAuthentication no
PubkeyAuthentication yes
RSAAuthentication yes
To deny root login:
PermitRootLogin no
To allow root login only from particular IPs:
PermitRootLogin yes
AllowUsers root@10.6.3.100 root@10.6.3.101 root@10.6.3.102
To deny (additionally) password authentication (in combination with "PasswordAuthentication no"):
ChallengeResponseAuthentication no
==== Login ====
ssh -X -C 172.22.49.120 #Login with X11 forwarding ("X") and compression
ssh -XCl stream 172.22.49.113 #Login as user "stream" with X11 forwarding ("X") and compression on an X terminal
ssh -l root suse10
ssh root@suse10 #root = user, suse10 = host (or IP address)
==== SSH KEY-Authentication ====
Howto:
Generate the private and public key (stored in ~/.ssh/) on server_A:
ssh-keygen -t rsa -b 4096 #Generate an "rsa" key pair. Note: other key types such as "dsa" exist
Created files:
id_rsa #Private key. File location "/home/username/.ssh" or "/root/.ssh"
and
id_rsa.pub #Public key. File location "/home/username/.ssh" or "/root/.ssh"
To add the public key ("id_rsa.pub") to the authorized_keys file on remoteHost ("/home/user/.ssh/authorized_keys"):
ssh-copy-id -i ~/.ssh/id_rsa.pub user@remoteHost
**Note: "/home/user/.ssh/authorized_keys" will be created!**
\\
Copy the authorized_keys to remoteHost (explained in single manual steps):
Create a new file called
authorized_keys #Public Key. File location "/home/username/.ssh" or "/root/.ssh"
Copy the content of id_rsa.pub into authorized_keys (or append) with:
cat id_rsa.pub >> authorized_keys
Copy authorized_keys to server_B
scp authorized_keys root@IP:
On server_B copy content of authorized_keys (from server_A) to ~/.ssh
cat authorized_keys > ~/.ssh/authorized_keys
or
cat authorized_keys >> ~/.ssh/authorized_keys
Access server_B from server_A via SSH
ssh Server_B
or
ssh IP(server_B)
To copy the key at once:
ssh-copy-id -i ~/.ssh/id_rsa.pub user@remoteHost
==== Public Key from id_rsa ====
ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub
==== "authorized_keys" ====
To limit SSH access to one host, add the following options in front of the key in the "authorized_keys" file:
from="testhost.domain.local",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty
Example entry (public key included):
from="testhost.domain.local",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDyPW9iLLvMA4sfiDLDst6cLbrxQiw0xjFV+uZA+pnulcxotbyNzRDhi3PMjXce7V6WQSJ6izYFCN8Xv0w5HIju8BpPBob9d9VyU2wdFx+nCX3xFzlcquVUTR8WqzikbipLJF52nPLuemH5xBTZXgagnpX9ESZFhhYXol+MQuPC8+HW5xtCCN3+8D4K8GJiauL/0Uq0N9SfXK/0G8wBb28499F483ZnSm31DTTJq13iyiphtfwjqncW+H2mJKGoum8HoeQHx8ArfCtwelTKrXc7E/94ZFO/z7b0jPNXFH4jCZmq2/fjgwnO/nVPvfNbis4wxSomuihU7fA0ywxBferx root@testhost
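A small audit script for the authorized_keys format described above, added here as an example (not code from the original page). It parses the options field, including quoted values that contain commas or spaces, reports entries that lack a from= restriction or any of the no-*/restrict options, and decodes the RSA modulus size from the key blob. The sample file, its key blobs and the rsa_blob helper are constructed for this example and contain no real key material.

```python
import base64, re

RESTRICTIONS = {"no-port-forwarding", "no-X11-forwarding", "no-agent-forwarding", "no-pty", "restrict"}
OPTION = re.compile(r'([\w-]+)(?:="((?:[^"\\]|\\.)*)")?')            # name or name="quoted value"
ENTRY = re.compile(r'^(?:(?P<opts>(?:"(?:[^"\\]|\\.)*"|[^\s"])+)\s+)?'   # options: no unquoted blanks
                   r'(?P<type>(?:sk-)?(?:ssh-|ecdsa-sha2-)\S+)\s+(?P<blob>[A-Za-z0-9+/=]+)(?:\s+(?P<comment>.*))?$')

def parse_line(line):
    # one authorized_keys line -> dict(options, type, blob, comment); None for blank and # lines
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = ENTRY.match(line)
    if not m:
        raise ValueError("malformed authorized_keys entry: %r" % line)
    d = m.groupdict()
    # 'from="a,b",no-pty' -> {'from': 'a,b', 'no-pty': None}; commas inside quotes are kept
    d["options"] = {name: value or None for name, value in OPTION.findall(d.pop("opts") or "")}
    return d

def rsa_bits(blob):
    # ssh-rsa wire format: string "ssh-rsa", mpint e, mpint n; return the bit length of n
    raw, pos, parts = base64.b64decode(blob), 0, []
    for _ in range(3):                                    # three length-prefixed fields
        n = int.from_bytes(raw[pos:pos + 4], "big")
        parts.append(raw[pos + 4:pos + 4 + n])
        pos += 4 + n
    return int.from_bytes(parts[2], "big").bit_length()

def audit(text):
    # (comment, finding) pairs for entries a reviewer should look at
    findings = []
    for e in filter(None, map(parse_line, text.splitlines())):
        who, o = e["comment"] or e["type"], e["options"]
        checks = [("no from= source restriction", "from" not in o),
                  ("no forwarding/pty restrictions", not RESTRICTIONS.intersection(o)),
                  ("RSA modulus shorter than 2048 bits", e["type"] == "ssh-rsa" and rsa_bits(e["blob"]) < 2048)]
        findings += [(who, msg) for msg, bad in checks if bad]
    return findings

def rsa_blob(e, n):
    # encode two integers as a base64 ssh-rsa blob; only used to build the constructed sample
    s = lambda b: len(b).to_bytes(4, "big") + b
    mp = lambda x: s(x.to_bytes(x.bit_length() // 8 + 1, "big"))
    return base64.b64encode(s(b"ssh-rsa") + mp(e) + mp(n)).decode()
SAMPLE = "\n".join([   # constructed authorized_keys content, not real key material
    'from="testhost.domain.local",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty '
    "ssh-rsa " + rsa_blob(65537, (1 << 2047) | 1) + " root@testhost",
    "ssh-rsa " + rsa_blob(65537, (1 << 1023) | 1) + " legacy@laptop",
    'from="10.6.3.0/24,10.6.4.*",restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5 ops@bastion'])
```

Run audit(open("/root/.ssh/authorized_keys").read()) to check a real file; only the second sample entry above produces findings.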
==== SSH Authentication from Windows -> Linux ====
Create the key files on a Windows client with PuTTY. Start "puttygen.exe" and generate the key.
The public and private key have to be saved to a folder.
Append the content of the public file to:
/home/user/.ssh/authorized_keys #(via samba e.g.)
Note: always restart the sshd server:
/etc/init.d/sshd restart
rcsshd restart
service sshd restart
or the equivalent for your distribution
==== ssh remote ====
# ----------------------------------------------------------
# Machine 1
# ----------------------------------------------------------
$ cat free_hosts
IP=testtesttest
# ----------------------------------------------------------
# Machine 2
# ----------------------------------------------------------
$ . <(ssh machine1 cat free_hosts); echo "$IP" #Source the remote file into the local shell (bash process substitution); "." executes whatever the file contains
testtesttest
. <(ssh 192.168.64.131 cat /root/somefile); echo "$IP"
==== ssh + script/ command ====
ssh user@IP sudo /scripts/linux_modify.sh #Execute "/scripts/linux_modify.sh" on the remote machine as a non-root user via sudo
ssh user@IP /scripts/linux_modify.sh #Execute "/scripts/linux_modify.sh" on the remote machine
ssh user@IP "sudo uname -a" #Execute the command "uname -a" on the remote machine as a non-root user via sudo
ssh user@IP "uname -a" #Execute the command "uname -a" on the remote machine
==== ssh-agent ====
eval "$(ssh-agent -s)" #Start the agent and export SSH_AUTH_SOCK/SSH_AGENT_PID into the current shell
ssh-add ~/.ssh/id_rsa #Add the key (passphrase will be prompted)
Script:
#!/bin/bash
eval "$(ssh-agent -s)" && ssh-add ~/.ssh/id_rsa #Without eval the agent variables never reach this shell and ssh-add cannot find the agent
==== ssh Tunnel ====
ssh -L 4242:suse10.site:110 tmade@suse10.site #User tmade forwards connections coming in on port 4242 of his local host to port 110 (POP3) on the remote host suse10.site through the SSH tunnel (local port forwarding)
==== ssh over Proxy ====
ssh -o ProxyCommand="nc -X connect -x proxy_host_or_IP:port %h %p" username@hostname
ssh -o Port=2022 -o ProxyCommand="nc -X connect -x proxy_host_or_IP:port %h %p" username@hostname #with ssh port 2022
**Hint**: The package "netcat-openbsd", which contains the program "nc", has to be installed!
==== X11 ====
To run an X11 program as root, if root login is not allowed:
*Login with your normal user (don't execute "sudo su -" during login)
*xauth -f ~/.Xauthority extract /tmp/Xauthtmp :10
*Start an external X-Server (such as Xming)
*sudo su -
*xauth merge /tmp/Xauthtmp
*export DISPLAY=localhost:10.0
*xclock (or another X program)
==== Check ssh-config ====
sshd -t #command to check for syntax errors in your configuration file
sshd -T #output active directives