[[http://tmade.de|Home tmade.de]] [[http://wiki.tmade.de|Home Wiki]]

===== SSH =====

==== SSHD ====

Service config: /etc/ssh/sshd_config

To avoid a reverse DNS lookup on every login, edit /etc/ssh/sshd_config and add:
<code>
UseDNS no
</code>

To deny password authentication for non-root users, set the following options:
<code>
PasswordAuthentication no
PubkeyAuthentication yes
RSAAuthentication yes
</code>
Note: RSAAuthentication belongs to SSH protocol 1; OpenSSH 7.4 and later ignore it with a deprecation warning, PubkeyAuthentication is the option that matters.

To deny root login:
<code>
PermitRootLogin no
</code>

To allow root login only from particular IPs:
<code>
PermitRootLogin yes
AllowUsers root@10.6.3.100 root@10.6.3.101 root@10.6.3.102
</code>
Note: once AllowUsers is set, every user that is not listed is denied, so list all accounts that need SSH access.

To additionally deny keyboard-interactive password authentication (in combination with "PasswordAuthentication no"):
<code>
ChallengeResponseAuthentication no
</code>

==== Login ====
<code>
ssh -X -C 172.22.49.120        #Login with X11 forwarding and compression
ssh -XCl stream 172.22.49.113  #Login with "X" on X-Terminal as user "stream"
ssh -l root suse10
ssh root@suse10                #root = user, suse10 = host (or IP address)
</code>

==== SSH KEY-Authentication ====

Howto: Generate private and public key (stored in ~/.ssh/) on server_A:
<code>
ssh-keygen -t rsa -b 4096   #Generate "rsa" key pair. Note: there is also "dsa" (deprecated and disabled by default in current OpenSSH)
</code>
Created files (file location "/home/username/.ssh" or "/root/.ssh"):
<code>
id_rsa       #Private key, stays on server_A
id_rsa.pub   #Public key
</code>

To copy the public key into the authorized_keys of remoteHost ("/home/user/.ssh/authorized_keys"):
<code>
ssh-copy-id -i ~/.ssh/id_rsa.pub user@remoteHost
</code>
**Note: "/home/user/.ssh/authorized_keys" will be created!** \\

Copy the authorized_keys to remoteHost (explained in single manual steps):

Create a new file called authorized_keys (contains the public key; file location "/home/username/.ssh" or "/root/.ssh"). Copy the content of id_rsa.pub into authorized_keys (or append) with:
<code>
cat id_rsa.pub >> authorized_keys
</code>
Copy authorized_keys to server_B:
<code>
scp authorized_keys root@IP:
</code>
On server_B copy the content of authorized_keys (from server_A) to ~/.ssh:
<code>
cat authorized_keys > ~/.ssh/authorized_keys    #replace existing keys
</code>
or
<code>
cat authorized_keys >> ~/.ssh/authorized_keys   #append to existing keys
</code>
Access server_B from server_A via SSH:
<code>
ssh server_B
</code>
or
<code>
ssh IP(server_B)
</code>
To copy the key in one step:
<code>
ssh-copy-id -i ~/.ssh/id_rsa.pub user@remoteHost
</code>

==== Public Key from id_rsa ====
<code>
ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub
</code>

==== "authorized_keys" ====

To limit ssh access to one host, prefix the key in the "authorized_keys" file with the following options:
<code>
from="testhost.domain.local",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty
</code>
Example entry (public key included):
<code>
from="testhost.domain.local",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDyPW9iLLvMA4sfiDLDst6cLbrxQiw0xjFV+uZA+pnulcxotbyNzRDhi3PMjXce7V6WQSJ6izYFCN8Xv0w5HIju8BpPBob9d9VyU2wdFx+nCX3xFzlcquVUTR8WqzikbipLJF52nPLuemH5xBTZXgagnpX9ESZFhhYXol+MQuPC8+HW5xtCCN3+8D4K8GJiauL/0Uq0N9SfXK/0G8wBb28499F483ZnSm31DTTJq13iyiphtfwjqncW+H2mJKGoum8HoeQHx8ArfCtwelTKrXc7E/94ZFO/z7b0jPNXFH4jCZmq2/fjgwnO/nVPvfNbis4wxSomuihU7fA0ywxBferx root@testhost
</code>
Note: a hostname in from= is matched against the reverse DNS name of the client, which sshd does not resolve when "UseDNS no" is set (see above); in that case use an IP address or network pattern in from= instead.

==== SSH Authentication from Windows -> Linux ====

Create the key files on a Windows client with PuTTY. Start "puttygen.exe" and generate the key. The public and private key have to be saved to a folder. Append the content of the public key to:
<code>
/home/user/.ssh/authorized_keys   #(via samba e.g.)
</code>
Note: use the single-line text puttygen shows as "Public key for pasting into OpenSSH authorized_keys file"; the public key file puttygen saves is in a multi-line format that sshd does not read.
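As an added example (not part of this wiki page) for the "authorized_keys" section above: a small POSIX shell check that reports every key in an authorized_keys file that lacks the from= restriction or one of the four no-* options. The sample file it writes is constructed with fake key material, and the function names are mine.

```shell
#!/bin/sh
# Check that every key in an authorized_keys file carries the restrictions
# from this page (from= plus the four no-* options). Prints one line per key
# that is missing something and returns the number of such keys (0 = all good).
# Assumption: option lists contain no whitespace (from="a,b" is fine; a
# command="..." option with spaces would need a real tokenizer).
# Usage on a real host: check_authorized_keys ~/.ssh/authorized_keys

check_authorized_keys() {
    awk '
        BEGIN { bad = 0 }
        /^[[:space:]]*(#|$)/ { next }                  # skip comments and blank lines
        {
            opts = ""
            # if the first field is not a key type, it is the option list
            if ($1 !~ /^(ssh-|ecdsa-|sk-)/) opts = tolower($1)
            missing = ""
            if (opts !~ /(^|,)from=/) missing = missing " from="
            n = split("no-port-forwarding no-x11-forwarding no-agent-forwarding no-pty", want, " ")
            for (i = 1; i <= n; i++)
                if (index(opts, want[i]) == 0) missing = missing " " want[i]
            if (missing != "") {
                bad++
                printf "line %d (%s): missing%s\n", NR, $NF, missing
            }
        }
        END { exit bad }
    ' "$1"
}

# Constructed sample authorized_keys (fake key material, demo only)
write_sample_authorized_keys() {
    cat > "$1" <<'EOF'
# restricted entry as on this page
from="testhost.domain.local",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3FAKEKEY1 root@testhost
# unrestricted entry: full shell from anywhere
ssh-ed25519 AAAAC3FAKEKEY2 admin@laptop
# partially restricted: host pinned, but forwarding and pty still allowed
from="10.6.3.100" ssh-rsa AAAAB3FAKEKEY3 backup@nas
EOF
}
```

Running it on the sample file reports the second and third key and exits with status 2.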
Note: always restart the sshd server after changing the configuration:
<code>
/etc/init.d/sshd restart
rcsshd restart
service sshd restart
</code>
or whatever your distribution provides.

==== ssh remote ====
<code>
# ----------------------------------------------------------
# Machine 1
# ----------------------------------------------------------
$ cat free_hosts
IP=testtesttest

# ----------------------------------------------------------
# Machine 2
# ----------------------------------------------------------
$ . <(ssh machine1 cat free_hosts); echo "$IP"
testtesttest

. <(ssh 192.168.64.131 cat /root/somefile); echo "$IP"
</code>
Note: sourcing the remote file executes everything it contains as shell code on Machine 2, so only do this with files you control.

==== ssh + script/ command ====
<code>
ssh user@IP sudo /scripts/linux_modify.sh   #Execute "/scripts/linux_modify.sh" on the remote machine as a non-root user via sudo
ssh user@IP /scripts/linux_modify.sh        #Execute "/scripts/linux_modify.sh" on the remote machine
ssh user@IP "sudo uname -a"                 #Execute command "uname -a" on the remote machine as a non-root user via sudo
ssh user@IP "uname -a"                      #Execute command "uname -a" on the remote machine
</code>

==== ssh-agent ====
<code>
eval "$(ssh-agent -s)"   #Start the agent and export its socket variables into the current shell
ssh-add ~/.ssh/id_rsa    #Add the key (passphrase will be prompted)
</code>
Script:
<code>
#!/bin/bash
eval "$(ssh-agent -s)" && ssh-add ~/.ssh/id_rsa
</code>
Note: "ssh-agent -s" only prints the variables; without the eval, ssh-add cannot find the agent. Source the script (". script.sh") so the variables stay in your shell.

==== ssh Tunnel ====
<code>
ssh -L 4242:suse10.site:110 tmade@suse10.site   #user tmade forwards connections coming in on port 4242 of his local host to port 110 (POP3) on the remote host suse10.site via ssh tunnel (port forwarding)
</code>

==== ssh over Proxy ====
<code>
ssh -o ProxyCommand="nc -X connect -x proxy_host_or_IP:port %h %p" username@hostname
ssh -o Port=2022 -o ProxyCommand="nc -X connect -x proxy_host_or_IP:port %h %p" username@hostname   #with ssh port 2022
</code>
**Hint**: The package "netcat-openbsd", which contains the program "nc", has to be installed!
==== X11 ====

To run an X11 program as root if root login is not allowed:
  * Login with your normal user (don't execute "sudo su -" during login)
  * xauth -f ~/.Xauthority extract /tmp/Xauthtmp :10
  * Start an external X server (such as Xming)
  * sudo su -
  * xauth merge /tmp/Xauthtmp
  * export DISPLAY=localhost:10.0
  * xclock (or another X program)
Note: /tmp/Xauthtmp contains your X authorization cookie; remove it afterwards.

==== Check ssh-config ====
<code>
sshd -t   #check for syntax errors in your configuration file
sshd -T   #output the active (effective) directives
</code>
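As an added example (not from this wiki), a POSIX shell audit that reads the "sshd -T" output from the check above and compares it with the hardening settings in the SSHD section at the top of the page. The sample listings are constructed, and the function names are mine.

```shell
#!/bin/sh
# Audit the effective sshd settings (the output of "sshd -T") against the
# hardening choices from the SSHD section. Prints one line per finding and
# returns the number of findings (0 = nothing to fix).
# Usage on a real host: sshd -T > /tmp/eff.txt; audit_sshd_effective /tmp/eff.txt

audit_sshd_effective() {
    file=$1
    count=0
    # value of keyword(s) $1 from the listing; $1 may be an alternation like "a|b"
    get() { awk -v k="$1" 'tolower($1) ~ ("^(" k ")$") { print tolower($2); exit }' "$file"; }
    # want KEYWORD EXPECTED WHY: record a finding if the effective value differs
    want() {
        actual=$(get "$1")
        if [ "$actual" != "$2" ]; then
            echo "FINDING: $1 is '${actual:-unset}', expected '$2' ($3)"
            count=$((count + 1))
        fi
    }
    want passwordauthentication no "password logins still possible"
    want pubkeyauthentication yes "key authentication disabled"
    # newer OpenSSH prints this keyword as kbdinteractiveauthentication
    want 'challengeresponseauthentication|kbdinteractiveauthentication' no \
        "keyboard-interactive passwords still possible"
    want usedns no "reverse DNS lookups slow logins and add little security"
    # PermitRootLogin yes is only acceptable together with an AllowUsers limit
    if [ "$(get permitrootlogin)" = "yes" ] && ! grep -qi '^allowusers' "$file"; then
        echo "FINDING: PermitRootLogin yes without an AllowUsers restriction"
        count=$((count + 1))
    fi
    return "$count"
}

# Constructed samples in "sshd -T" format (demo data, not from a real host)
write_weak_sample() {
    printf '%s\n' 'passwordauthentication yes' 'pubkeyauthentication yes' \
        'challengeresponseauthentication yes' 'permitrootlogin yes' 'usedns yes' > "$1"
}
write_hardened_sample() {
    printf '%s\n' 'passwordauthentication no' 'pubkeyauthentication yes' \
        'challengeresponseauthentication no' 'permitrootlogin yes' 'usedns no' \
        'allowusers root@10.6.3.100 root@10.6.3.101' > "$1"
}
```

The weak sample produces four findings; the hardened one (root allowed, but only for the listed addresses) produces none.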