Diffstat (limited to 'tools/openssh.html')
-rw-r--r-- | tools/openssh.html | 305 |
1 files changed, 305 insertions, 0 deletions
diff --git a/tools/openssh.html b/tools/openssh.html new file mode 100644 index 0000000..53ca007 --- /dev/null +++ b/tools/openssh.html 
@@ -0,0 +1,305 @@ +<!DOCTYPE html> +<html dir="ltr" lang="en"> + <head> + <meta charset='utf-8'> + <title>1. OpenSSH</title> + </head> + <body> + <a href="index.html">Tools Index</a> + <h1>1. OpenSSH</h1> + + <p>OpenBSD Secure Shell, is a suite of security-related + network-level utilities based on the SSH protocol, + which help to secure network communications via the + encryption of network traffic over multiple authentication + methods and by providing secure tunneling capabilities.</p> + + <h2 id="sshd">1.1. Server</h2> + + <p>Crux openssh port install this files to etc;</p> + + <pre> + $ pkginfo -l openssh + etc/rc.d/sshd + etc/ssh/moduli + etc/ssh/ssh_config + etc/ssh/sshd_config + </pre> + + <p>User commands;</p> + + <pre> + usr/bin/scp + usr/bin/sftp + usr/bin/slogin + usr/bin/ssh + usr/bin/ssh-add + usr/bin/ssh-agent + usr/bin/ssh-keygen + usr/bin/ssh-keyscan + </pre> + + <p>More information about sshd in man;</p> + + <pre> + $ man sshd + </pre> + + <h3 id="sshdconf">1.1.1. Configure Server</h3> + + <p>Read OpenSSH server + <a href="http://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html">Best Security Practices</a>, + This example uses 2222 port to avoid + "default" port, edit /etc/ssh/sshd_config;</p> + + <pre> + #Port 22 + Port 2222 + </pre> + + <p>By default ssh will listen on all local addresses, to restrict + to a specific ip edit;</p> + + <pre> + #AddressFamily any + AddressFamily inet + #ListenAddress 0.0.0.0 + #ListenAddress 192.168.1.254 + #ListenAddress :: + </pre> + + <p>Authentication settings;</p> + + <pre> + # Authentication: + + #LoginGraceTime 2m + LoginGraceTime 1m + #PermitRootLogin prohibit-password + PermitRootLogin no + #StrictModes yes + #MaxAuthTries 6 + MaxAuthTries 3 + #MaxSessions 10 + </pre> + + <p>Restrict AllowUsers, AllowGroups that can login;</p> + + <pre> + #RSAAuthentication yes + #PubkeyAuthentication yes + + AllowGroups admin users gitolite + </pre> + + <p>Disable interactive-keyboard and password 
login;</p> + + <pre> + # To disable tunneled clear text passwords, change to no here! + #PasswordAuthentication yes + PasswordAuthentication no + #PermitEmptyPasswords no + + # Change to no to disable s/key passwords + #ChallengeResponseAuthentication yes + ChallengeResponseAuthentication no + </pre> + + <p>Make sure PAM is disable or above settings can be + overridden. Set banner;</p> + + <pre> + # no default banner path + #Banner none + Banner /etc/issue + </pre> + + <p>Iptables;</p> + + <p>Example of <a href="../src/bash/iptables/iptables.sh">iptable script</a></p> + + <pre> + $IPT -A INPUT -i ${PUB_IF} -p tcp --dport 2222 --sport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + $IPT -A INPUT -i ${PUB_IF} -p tcp --dport 2222 --sport 1024:65535 -m state --state NEW -m limit --limit 3/min --limit-burst 3 -j ACCEPT + $IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + </pre> + + <p>Change SyslogFacility in accordance with <a href="syslog-ng.html#syslog-conf">syslog-ng configuration;</a></p> + + <pre> + # Logging + # obsoletes QuietMode and FascistLogging + #SyslogFacility AUTH + SyslogFacility LOCAL1 + #LogLevel INFO + LogLevel VERBOSE + </pre> + + <p>Example rule for syslog-ng;</p> + + <pre> + destination d_sshd { file("/var/log/sshd"); }; + filter f_sshd { facility(local1); }; + log { source(s_log); filter(f_sshd); destination(d_sshd); }; + </pre> + + <p>Deny login for root, limit max sessions to 3 if you have limited + resources and only allow 3 failed logins;</p> + + + <p>Start sshd server;</p> + + <pre> + # sh /etc/rc.d/sshd start + # ss -f inet -l -p | grep ssh + </pre> + + <h2 id="ssh">1.2. 
Client</h2> + + <p>To create new key;</p> + + <pre> + $ ssh-keygen -t rsa + </pre> + + <p>By default this creates two files;</p> + + <pre> + ~/.ssh/id_rsa : identification (private) key + ~/.ssh/id_rsa.pub : public key + </pre> + + <p>Default uses id_rsa and id_rsa.pub as output files in + this example we will create keys for gitolite admin so we + name output as gitolte;</p> + + <pre> + $ ssh-keygen -t rsa -f ~/.ssh/gitolite + </pre> + + <p>Set correct permissions;</p> + + <pre> + $ chmod 700 ~/.ssh + $ touch ~/.ssh/authorized_keys + $ chmod 600 ~/.ssh/authorized_keys + $ chmod 600 ~/.ssh/gitolite + </pre> + + <h3 id="sshpubkey">1.2.1. Install Public Keys</h3> + + <p>Send gitolite.pub public key to server. In this example + bob (administrator of gitolite) is on same host, + first copy is public key to admin home directory;</p> + + <pre> + # install -o admin -g admin /home/bob/.ssh/gitolite.pub /home/admin/.ssh/gitolite.pub + </pre> + + <p>If the server is on remote a remote machine;</p> + + <pre> + $ scp /home/bob/.ssh/gitolite.pub admin@nark.biz.tm:/home/admin/.ssh/ + bob@nark.biz.tm's password: + gitolite.pub 100% 390 0.4KB/s 00:00 + </pre> + + <p>In case of bob public key for normal ssh login, admin can + add his public key to authorized keys;</p> + + <pre> + $ cat bob_rsa.pub >> ~/.ssh/authorized_keys + </pre> + + <pre> + $ ssh -P 2222 bob@remote.org + </pre> + + <h3 id="sshid">1.2.2. Configure Identities</h3> + + <p>When you have multiple accounts/identities you + can configure ssh client so you dont need to give + -i flag. 
Create or edit ~/.ssh/config</p> + + <pre> + Host admin + Hostname nark.biz.tm + IdentityFile ~/.ssh/id_rsa + Port 2222 + User admin + + Host gitolite + Hostname nark.biz.tm + IdentityFile ~/.ssh/gitolite + Port 2222 + User gitolite + + Host box + Hostname nark.biz.tm + IdentityFile ~/.ssh/id_rsa + Port 2222 + User bob + + Host devbox + Hostname nark.biz.tm + IdentityFile ~/.ssh/id_rsa + Port 2222 + User gitolite + </pre> + + <p>Now you can just type;</p> + + <pre> + $ ssh box + </pre> + + <p>On remote start <a href"../systools/tmux.html">tmux</a> + and detach from the session with ctrl + b d</p> + + <p>Create alias on ~/.profile;</p> + + <pre> + alias boxtmux="ssh servername -t tmux a" + </pre> + + <p>Source it and attach to remote;</p> + + <pre> + $ boxtmux + </pre> + + <p>Logout just detach from session with ctrl + b d </p> + + <h2 id="reverse">1.3. Reverse connection</h2> + + <p>This information is inspired by + <a href="http://www.vdomck.org/2005/11/reversing-ssh-connection.html">Reverse SSH connections</a> + and implement the update from <a href="http://www.vdomck.org/2009/11/ssh-all-time.html">SSH all the time</a>, + + <p>Simple way, run this command on the machine you want to + access (server);</p> + + <pre> + $ ssh -f -N -R 2222:localhost:22 user@laptop + </pre> + + <p>This creates a connection from server to client, client will listen + on 2222 port and forward requests to the server as they are on localhost + on port 22.</p> + + <pre> + wget http://github.com/mikeymckay/reverse_ssh_tunnel/raw/master/setup_reverse_tunnel.sh + chmod +x ./setup_reverse_tunnel.sh + sudo ./setup_reverse_tunnel.sh + </pre> + + <a href="index.html">Tools Index</a> + <p>This is part of the c9-doc Manual. +Copyright (C) 2016 +Silvino Silva. +See the file <a href="fdl-1.3-standalone.html">Gnu Free Documentation License</a> +for copying conditions.</p> + + + </body> +</html> |