https://wiki.gacq.com/api.php?action=feedcontributions&feedformat=atom&user=Newacctgacq wiki - Contribuciones del usuario [es]2026-04-09T12:35:01ZContribuciones del usuarioMediaWiki 1.29.2https://wiki.gacq.com/index.php?title=SSH&diff=3017SSH2010-05-27T09:37:57Z<p>Newacct: </p>
<hr />
<div>= General =<br />
== Abrir una aplicacion X remota ==<br />
=== encontré cómo hacer que te puedas meter en tu casa y abrir una aplicación X desde una red privada con salida con NAT ===<br />
<br />
<pre><nowiki><br />
1) xhost +<br />
<br />
2) ssh -X -l sshuser pc.micasa.net<br />
<br />
3) xclock (debe funcionar)<br />
<br />
4) El problema viene cuando vas a ejecutar algo de otro usuario porque haciendo su, no puede setear el DISPLAY adecuadamente, pero se resuelve así desde el usuario sshuser:<br />
<br />
gksu -g -u root /usr/X11R6/bin/xclock<br />
</nowiki></pre><br />
<br />
te pide la password del usuario y nada más para ejecutar la aplicación.<br />
La performance, es otro tema.<br />
<br />
== ssh sin password (Rapido) ==<br />
<pre><nowiki><br />
ssh-keygen -t rsa<br />
# Si el archivo ~/.ssh/authorized_keys remoto existe<br />
cat ~/.ssh/id_rsa.pub | ssh remoteuser@remotehost 'cat - >> ~/.ssh/authorized_keys'<br />
# Si el archivo ~/.ssh/authorized_keys remoto NO existe<br />
cat ~/.ssh/id_rsa.pub | ssh remoteuser@remotehost 'cat - > ~/.ssh/authorized_keys'<br />
# Opcional, qu enadie pueda leer el archivo con las claves publicas<br />
ssh remoteuser@remotehost 'chmod 700 ~/.ssh ; chmod 600 ~/.ssh/authorized_keys' <br />
</nowiki></pre><br />
<br />
== ssh sin password (Explicado) ==<br />
<br />
This document explains how to authenticate through <tt>ssh</tt> to multiple<br />
machines without having to enter your password each time.<br />
<br />
This is very useful when you are constantly invoking <tt>ssh</tt> or<br />
copying files with <tt>scp</tt>. It also allows you to make <tt>scp</tt> transfers<br />
automatically (using a cron job in one of the machines).<br />
<br />
Check the<br />
[[ssh watchdog]] for an example of something you could accomplish with<br />
this.<br />
<br />
== Generate a public/private key pair ==<br />
<br />
Run <tt>ssh-keygen -t rsa</tt> on your host machine<br />
(the one you'll be connecting from). Use the default settings<br />
and an empty passphrase:<br />
<br />
$ ssh-keygen -t rsa<br />
Generating public/private rsa key pair.<br />
Enter file in which to save the key (/home/user/.ssh/id_rsa): <br />
Enter passphrase (empty for no passphrase): <br />
Enter same passphrase again: <br />
Your identification has been saved in /home/user/.ssh/id_rsa.<br />
Your public key has been saved in /home/user/.ssh/id_rsa.pub.<br />
The key fingerprint is:<br />
90:02:83:45:8b:3b:37:72:d4:0a:7a:5f:8e:1e:7a:38<br />
<br />
This should generate the <tt>id_rsa.pub</tt> and <tt>id_rsa</tt><br />
keys in your <tt>~/.ssh</tt> directory:<br />
<br />
-rw-r--r-- 1 user group 221 Apr 10 00:08 id_rsa.pub<br />
-rw------- 1 user group 883 Apr 10 00:08 id_rsa<br />
<br />
The <tt>id_rsa</tt> file contains your private key. As such, it<br />
will only be readable by you (permissions mode 600). The <tt>id_rsa.pub</tt><br />
file contains its corresponding public key.<br />
<br />
== Add the public key to the remote machine ==<br />
<br />
You'll need to append your public key to the <tt>~/.ssh/authorized_keys</tt><br />
file in the remote machine.<br />
<br />
You can do this with the following command:<br />
<br />
$ ssh user@remote cat \>\> ~/.ssh/authorized_keys <~/.ssh/id_rsa.pub<br />
<br />
If the <tt>~/.ssh</tt> directory does not exist in the<br />
remote machine, you'll need to create it.<br />
<br />
== More information ==<br />
<br />
You can read <tt>ssh-keygen(1)</tt>, <tt>ssh(1)</tt> and <tt>ssh-agent(1)</tt><br />
for more information.<br />
<br />
Specifically, you might want to use a non-empty passphrase in combination with <br />
<tt>ssh-agent(1)</tt>: this will require you to give your password to<br />
<tt>ssh-agent</tt> once in order to be able to use your private key.<br />
<br />
== OTRO: SSH Nopasswd login ==<br />
=== Local ===<br />
<pre><nowiki><br />
cd .ssh<br />
ssh-keygen -b 1024 -f identity -P '' -t dsa<br />
scp identity.pub gacq@192.168.0.20:<br />
</nowiki></pre><br />
=== Remoto ===<br />
<pre><nowiki><br />
cat identity.pub >> .ssh/authorized_keys<br />
</nowiki></pre><br />
<br />
=SSH Port forwarding=<br />
;Login to a NAT firewalled server from Internet<br />
==Base commands==<br />
;At internal host<br />
ssh -N -R 2222:localhost:22 user@gacq.com<br />
<br />
;At localhost<br />
ssh -p 2222 root@localhost<br />
<br />
==Script to maintain the forward UP==<br />
<pre><nowiki><br />
#!/bin/sh<br />
CONNECT='ssh -N -R 22222:localhost:22 user@gacq.com'<br />
USER=gacq<br />
<br />
while [ 1 ]<br />
do<br />
SSH_RUNNING=`ps -eo args | grep "$CONNECT" | grep -v grep | wc -l`<br />
<br />
# Check if there are any ssh forward running<br />
if [ $SSH_RUNNING -gt 0 ]<br />
then<br />
# Check if there are any user connected from localhost<br />
if [ `who | grep $USER | grep localhost | grep pts | wc -l` -eq 0 ]<br />
then<br />
# If not kill ssh - This is to prevent crashed conenections<br />
SSH_PID=`ps -ef | grep "$CONNECT" | grep -v grep | head -1 | awk '{print $2}'`<br />
kill -15 $SSH_PID<br />
sleep 1<br />
nohup $CONNECT &<br />
fi<br />
else<br />
# If not connected reconnect<br />
nohup $CONNECT &<br />
fi<br />
<br />
sleep 120<br />
done<br />
</nowiki></pre><br />
<br />
= Protegiendonos de ataques SSH =<br />
La mejor opcion es cambiar el puerto por defecto, si esto no es posible tenemos:<br />
*[http://fail2ban.sourceforge.net/ Fail2Ban (Tambien sirve para los logs del apache]<br />
*[http://daemonshield.sourceforge.net/ Daemon Shield]<br />
*[http://denyhosts.sourceforge.net/ DenyHosts]</div>Newacct