Libre Things

marcmaurice.fr

Saturday 8 September 2012

ssh-agent: automatic ssh-add on demand

Several desktop environments (GNOME, KDE) automatically start an SSH agent at login. However, you still have to remember to run ssh-add before connecting to a server.

Until OpenSSH does this on its own, you can add this to your .bashrc:

ssh-add -l >/dev/null || alias ssh='ssh-add -l >/dev/null || ssh-add && unalias ssh; ssh'

The alias is created only if the agent holds no identity (ssh-add -l exits non-zero), and it removes itself once it has run: after the identity has been added, the regular ssh command is used again.

Note that ssh-add -l also fails when no agent is reachable at all (exit status 2). In that case ssh-add fails too, the alias stays in place and, because of the ";", ssh still runs and prompts for the passphrase itself. Since OpenSSH 7.2, AddKeysToAgent yes in ~/.ssh/config gives the same effect natively: the key is added to the agent the first time ssh uses it.

http://superuser.com/questions/325662/how-to-make-ssh-agent-automatically-add-the-key-on-demand/471640#471640
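The same on-demand ssh-add as a shell function rather than a self-destroying alias, as an added example that is not part of the original post. Unlike the alias it tells "agent is empty" apart from "no agent reachable", using the documented exit statuses of ssh-add -l. The SSH_ADD variable is a hypothetical override, present only so the decision logic can be exercised without a real agent; normally it is left unset.

```sh
# On-demand ssh-add wrapper for .bashrc (added example, not from the original post).
# ssh-add -l exit status: 0 = identities loaded, 1 = agent reachable but empty,
# 2 = could not connect to an agent.

# ensure_identity -> 0 once the agent holds an identity, non-zero otherwise
ensure_identity() {
    ${SSH_ADD:-ssh-add} -l >/dev/null 2>&1 && return 0
    _rc=$?
    case $_rc in
        1)
            # agent is up but empty: ask for the passphrase and load the default key
            ${SSH_ADD:-ssh-add}
            ;;
        *)
            # no agent at all: ssh-add would fail too, so say why and stop
            echo "ssh: no ssh-agent reachable (SSH_AUTH_SOCK=${SSH_AUTH_SOCK:-unset})" >&2
            return "$_rc"
            ;;
    esac
}

# Shadow ssh: load the identity on first use, then run the real binary.
# "command ssh" bypasses this function so it does not call itself.
ssh() {
    ensure_identity && command ssh "$@"
}
```

Because it is a function and not an alias, it works for every ssh invocation in the session (including from scripts sourcing .bashrc) and does not need to remove itself.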

Wednesday 29 December 2010

Rsync command restriction over SSH

You have two systems and you want to set up a secure backup of one to the other with rsync over SSH.

Very simply, you can use:

backup.example.com# rsync -avz --numeric-ids --delete root@myserver.example.com:/path/ /backup/myserver/

To take the backup you have to be root on the remote server, because some files are readable only by root.

Problem: this key lets backup.example.com do anything as root on myserver.example.com, when read-only access to that directory would be sufficient.

To solve it, use the command="..." option in the authorized_keys file: sshd then runs that command whatever the client asked for (the client's request is only made available to it in the SSH_ORIGINAL_COMMAND environment variable).

To find the exact command to pin, start rsync with -e 'ssh -v' and look at what it sends to the server:

rsync -avz -e'ssh -v' --numeric-ids --delete root@myserver.example.com:/path/ /backup/myserver/ 2>&1 | grep "Sending command"

You get a line like:

debug1: Sending command: rsync --server --sender -vlogDtprze.iLsf --numeric-ids . /path/

Now put that command in front of the key in /root/.ssh/authorized_keys:

command="rsync --server --sender -vlogDtprze.iLsf --numeric-ids . /path/" ssh-rsa AAAAB3NzaC1in2EAAAABIwAAABio......

For even more security, add a source restriction and disable everything else the key could be used for (from= also accepts IP addresses and CIDR ranges, which do not depend on DNS the way a hostname does):

from="backup.example.com",command="rsync --server --sender -vlogDtprze.iLsf --numeric-ids . /path/",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa AAAAB3NzaC1in2EAAAABIwAAABio......

Now try to open an SSH shell on the remote server with this key, and try some rsync commands that were not authorized: neither gives you anything, the pinned command runs regardless.

Notes:

  • If you change the rsync options on the client side, update the command in authorized_keys too: the server-side flag string encodes them (and its exact form also varies between rsync versions), so always copy it from the -v output rather than typing it by hand.
  • No need for complex chroot anymore. Forget my previous article: /post/SFTP-chroot-rsync

See also:

  • man sshd (section AUTHORIZED_KEYS FILE FORMAT)
  • man rsync
  • view /usr/share/doc/rsync/scripts/rrsync.gz (restricted rsync: a wrapper that checks SSH_ORIGINAL_COMMAND and lets you control the allowed options precisely and serve a directory read-only)
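A minimal wrapper in the spirit of rrsync, as an added example that is neither rrsync itself nor part of the original post. Instead of pinning one fixed command line, authorized_keys points command="..." at this script; it reads what the client actually asked for from SSH_ORIGINAL_COMMAND and only runs it if it is a read-only rsync sender of the one allowed directory. The install path /usr/local/sbin/rsync-ro-wrapper and the ALLOWED_PATH default are assumptions.

```sh
#!/bin/sh
# Forced-command wrapper for authorized_keys (added example, not rrsync and not
# from the original post). Usage in /root/.ssh/authorized_keys, path assumed:
#   command="/usr/local/sbin/rsync-ro-wrapper",no-pty,no-port-forwarding,... ssh-rsa AAAA...

# The only directory this key may read (assumed default; set to your backup source)
ALLOWED_PATH="${ALLOWED_PATH:-/path/}"

# check_rsync_cmd CMD -> 0 if CMD is "rsync --server --sender [short flags]
# [--numeric-ids] . $ALLOWED_PATH", 1 for anything else: an interactive shell,
# scp, rsync writing to this host, another path, or injected metacharacters.
check_rsync_cmd() {
    # whitelist the alphabet first: anything outside letters, digits, space, . / _ -
    # (quotes, ; | & $ backticks, globs, redirections...) is refused outright
    if [ -n "$(printf '%s' "$1" | tr -d '[:alnum:] ./_-')" ]; then
        return 1
    fi
    # word-split the command; safe because globbing characters were refused above
    set -- $1
    [ "$1" = rsync ] && [ "$2" = --server ] && [ "$3" = --sender ] || return 1
    shift 3
    # options: combined short-flag word(s) such as -vlogDtprze.iLsf, plus
    # --numeric-ids; every other long option (e.g. --remove-source-files) is refused
    while [ $# -gt 2 ]; do
        case $1 in
            -[!-]*) ;;
            --numeric-ids) ;;
            *) return 1 ;;
        esac
        shift
    done
    # exactly two operands must remain: "." and the fixed source directory
    [ $# -eq 2 ] && [ "$1" = . ] && [ "$2" = "$ALLOWED_PATH" ]
}

# When sshd runs this as the forced command, validate and exec the client's
# request; when sourced without SSH_ORIGINAL_COMMAND, just define the function.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if check_rsync_cmd "$SSH_ORIGINAL_COMMAND"; then
        exec $SSH_ORIGINAL_COMMAND
    fi
    echo "rsync-ro-wrapper: rejected: $SSH_ORIGINAL_COMMAND" >&2
    exit 1
fi
```

Compared with the fixed command= line above, this tolerates harmless changes to the client's short flags (so a new rsync version does not break the backup) while still refusing the receiver direction, other paths and long options. rrsync does the same job with a complete option table; use it where it is packaged.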

Sunday 20 June 2010

Reverse SSH Tunnel for SSH connection to a NATed machine

This is how to open an SSH connection to a server hidden behind a NAT gateway.

We use a reverse SSH tunnel:

nated-host$ ssh -R 2222:localhost:22 anyuser@public-host
anyuser@public-host$

This command opens port 2222 on public-host and forwards it to port 22 on nated-host. By default sshd binds such a reverse-forwarded port to the loopback interface only (GatewayPorts no in sshd_config), so it is reachable from public-host itself but not from other machines, which is exactly what we want here.

Finally, from public-host we connect to local port 2222 with SSH and end up on nated-host:

public-host$ ssh -p2222 localhost
nated-host$
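The same tunnel as a client configuration, as an added example that is not part of the original post (the Host alias "tunnel" and the option values are assumptions). ExitOnForwardFailure makes ssh exit instead of silently connecting without the port forward (for instance when 2222 is already taken on public-host), and the keepalive options make a dead connection terminate, so that a cron job or systemd unit can restart it. Whether the 2222 listener is reachable from machines other than public-host is decided on the server side by GatewayPorts in sshd_config, not by anything the client sends.

```text
# ~/.ssh/config on nated-host (added example, not from the original post)
Host tunnel
    HostName public-host
    User anyuser
    # expose nated-host's sshd as 127.0.0.1:2222 on public-host
    RemoteForward 2222 localhost:22
    # refuse to run if the forward cannot be set up (port in use, forwarding disabled)
    ExitOnForwardFailure yes
    # notice a dead connection within ~90 s and exit, so a supervisor can restart it
    ServerAliveInterval 30
    ServerAliveCountMax 3

# then, on nated-host:   ssh -N tunnel      (-N: forward only, no remote shell)
```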

Thursday 10 December 2009

[SSH] Change directory while connecting

Problem:

I want to create a server-www alias that connects me to the SSH server and changes the directory to /var/www/ right after the connection.

Here it is:

ssh -t server 'cd /var/www && $SHELL'

And for the alias, add this to your ~/.bashrc. Note the backslash: inside double quotes bash would otherwise expand $SHELL on the local machine when the alias is defined, instead of on the server, which only works by accident when both sides have the same shell at the same path.

alias server-www="ssh -t server 'cd /var/www && \$SHELL'"
server-www # test it!
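The fixed alias above generalised to any host and directory, as an added example that is not part of the original post. The security-relevant detail is the quoting: the directory is single-quoted for the remote shell, so a path containing spaces, "$" or ";" cannot alter the command that runs on the server. shq and remote_cmd are helpers written for this example.

```sh
# sshcd HOST DIR: interactive shell on HOST, already in DIR
# (added example, not from the original post)

# shq STRING -> STRING wrapped in single quotes, embedded quotes escaped as '\''
# so the remote shell sees exactly one literal word
shq() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# remote_cmd DIR -> the command string handed to the remote login shell.
# $SHELL is deliberately left for the remote side to expand (the original trick);
# exec replaces the login shell instead of leaving it waiting behind the new one.
remote_cmd() {
    printf 'cd %s && exec "$SHELL"' "$(shq "$1")"
}

sshcd() {
    if [ $# -ne 2 ]; then
        echo "usage: sshcd host dir" >&2
        return 2
    fi
    # -t forces a pseudo-terminal so the remote shell is interactive
    ssh -t "$1" "$(remote_cmd "$2")"
}

# e.g.  sshcd server /var/www      or, in ~/.bashrc:  alias server-www='sshcd server /var/www'
```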

Monday 3 August 2009

Fail2ban

If you see lots of SSH connection attempts in /var/log/auth.log (bots guessing usernames and passwords), you have to do something about it.

The simplest is an IP restriction rule in your iptables firewall, or in /etc/hosts.deny.

If you don't want or can't use this restriction, use Fail2ban:

aptitude install fail2ban

The default install already bans SSH brute-force attempts.

You can tune the configuration a bit or enable Fail2ban for other services. Prefer putting your changes in /etc/fail2ban/jail.local, which overrides jail.conf and is not overwritten by package upgrades. Example:

vi /etc/fail2ban/jail.conf
bantime  = 86400
maxretry = 10 # for ssh
enabled  = true # for vsftpd
maxretry = 10 # for vsftpd

Then iptables -L lists the banned IP addresses (in the fail2ban-ssh and similar chains), and fail2ban-client status <jail> (for example ssh) shows the same per jail.
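What the maxretry setting above actually does, written out over a few constructed auth.log lines, as an added example that is not fail2ban's own code: count failed sshd attempts per source address and report the ones at or above the threshold. The log lines and addresses are constructed for this example (RFC 5737 documentation ranges), and only two of the many sshd failure patterns fail2ban's filter knows are matched.

```sh
# Per-IP failure counting as fail2ban's sshd jail does it (added example, not
# fail2ban's code). Sample lines are constructed: 203.0.113.7 guesses four times,
# 198.51.100.4 once, 192.0.2.10 logs in with a key and is not a failure.
SAMPLE_LOG='Aug  3 10:00:01 host sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 5012 ssh2
Aug  3 10:00:03 host sshd[1235]: Failed password for root from 203.0.113.7 port 5013 ssh2
Aug  3 10:00:04 host sshd[1236]: Accepted publickey for backup from 192.0.2.10 port 40000 ssh2
Aug  3 10:00:05 host sshd[1237]: Failed password for root from 203.0.113.7 port 5014 ssh2
Aug  3 10:00:06 host sshd[1238]: Failed password for alice from 198.51.100.4 port 6000 ssh2
Aug  3 10:00:07 host sshd[1239]: Invalid user test from 203.0.113.7 port 5015'

# offenders LOGTEXT MAXRETRY -> source IPs with at least MAXRETRY failures,
# one per line, sorted. Only "Failed password" and "Invalid user" are matched.
offenders() {
    printf '%s\n' "$1" | awk -v max="$2" '
        /sshd\[[0-9]+\]: (Failed password for|Invalid user)/ {
            # the address is the word after "from"
            for (i = 1; i <= NF; i++)
                if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= max) print ip }
    ' | sort
}

# ban_rules LOGTEXT MAXRETRY -> the iptables rule fail2ban would insert for each
# offender (printed, not applied; fail2ban puts them in its own fail2ban-* chain)
ban_rules() {
    offenders "$1" "$2" | while read -r ip; do
        printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
    done
}

# With the page's maxretry = 10 none of these six lines triggers a ban yet;
# with maxretry = 3 only 203.0.113.7 is banned:   ban_rules "$SAMPLE_LOG" 3
```

Real fail2ban also applies a findtime window (only failures within the last N seconds count) and removes the rule again after bantime; both are what distinguish it from a permanent hosts.deny entry.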