Diferencia entre revisiones de «SSH»
(→Script to maintain the forward UP) |
m |
||
(No se muestran 3 ediciones intermedias de otro usuario) | |||
Línea 20: | Línea 20: | ||
== ssh sin password (Rapido) == | == ssh sin password (Rapido) == | ||
<pre><nowiki> | <pre><nowiki> | ||
− | ssh-keygen -t | + | ssh-keygen -t rsa |
# Si el archivo ~/.ssh/authorized_keys remoto existe | # Si el archivo ~/.ssh/authorized_keys remoto existe | ||
− | cat ~/.ssh/ | + | cat ~/.ssh/id_rsa.pub | ssh remoteuser@remotehost 'cat - >> ~/.ssh/authorized_keys' |
# Si el archivo ~/.ssh/authorized_keys remoto NO existe | # Si el archivo ~/.ssh/authorized_keys remoto NO existe | ||
− | cat ~/.ssh/ | + | cat ~/.ssh/id_rsa.pub | ssh remoteuser@remotehost 'cat - > ~/.ssh/authorized_keys' |
# Opcional, qu enadie pueda leer el archivo con las claves publicas | # Opcional, qu enadie pueda leer el archivo con las claves publicas | ||
ssh remoteuser@remotehost 'chmod 700 ~/.ssh ; chmod 600 ~/.ssh/authorized_keys' | ssh remoteuser@remotehost 'chmod 700 ~/.ssh ; chmod 600 ~/.ssh/authorized_keys' | ||
Línea 34: | Línea 34: | ||
machines without having to enter your password each time. | machines without having to enter your password each time. | ||
− | This is very useful when you are constantly | + | This is very useful when you are constantly invoking <tt>ssh</tt> or |
copying files with <tt>scp</tt>. It also allows you to make <tt>scp</tt> transfers | copying files with <tt>scp</tt>. It also allows you to make <tt>scp</tt> transfers | ||
automatically (using a cron job in one of the machines). | automatically (using a cron job in one of the machines). | ||
Línea 102: | Línea 102: | ||
=SSH Port forwarding= | =SSH Port forwarding= | ||
+ | ;Login to a NAT firewalled server from Internet | ||
==Base commands== | ==Base commands== | ||
− | ;At | + | ;At internal host |
− | ssh -N -R | + | ssh -N -R 2222:localhost:22 user@gacq.com |
;At localhost | ;At localhost | ||
− | ssh -p | + | ssh -p 2222 root@localhost |
==Script to maintain the forward UP== | ==Script to maintain the forward UP== |
Revisión actual del 06:37 27 may 2010
Contenido
General
Abrir una aplicacion X remota
encontré cómo hacer que te puedas meter en tu casa y abrir una aplicación X desde una red privada con salida con NAT
1) xhost + 2) ssh -X -l sshuser pc.micasa.net 3) xclock (debe funcionar) 4) El problema viene cuando vas a ejecutar algo de otro usuario porque haciendo su, no puede setear el DISPLAY adecuadamente, pero se resuelve así desde el usuario sshuser: gksu -g -u root /usr/X11R6/bin/xclock
te pide la password del usuario y nada más para ejecutar la aplicación. La performance, es otro tema.
ssh sin password (Rapido)
ssh-keygen -t rsa # Si el archivo ~/.ssh/authorized_keys remoto existe cat ~/.ssh/id_rsa.pub | ssh remoteuser@remotehost 'cat - >> ~/.ssh/authorized_keys' # Si el archivo ~/.ssh/authorized_keys remoto NO existe cat ~/.ssh/id_rsa.pub | ssh remoteuser@remotehost 'cat - > ~/.ssh/authorized_keys' # Opcional, qu enadie pueda leer el archivo con las claves publicas ssh remoteuser@remotehost 'chmod 700 ~/.ssh ; chmod 600 ~/.ssh/authorized_keys'
ssh sin password (Explicado)
This document explains how to authenticate through ssh to multiple machines without having to enter your password each time.
This is very useful when you are constantly invoking ssh or copying files with scp. It also allows you to make scp transfers automatically (using a cron job in one of the machines).
Check the ssh watchdog for an example of something you could accomplish with this.
Generate a public/private key pair
Run ssh-keygen -t rsa on your host machine (the one you'll be connecting from). Use the default settings and an empty passphrase:
$ ssh-keygen -t rsa Generating public/private rsa key pair. Enter file in which to save the key (/home/user/.ssh/id_rsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/user/.ssh/id_rsa. Your public key has been saved in /home/user/.ssh/id_rsa.pub. The key fingerprint is: 90:02:83:45:8b:3b:37:72:d4:0a:7a:5f:8e:1e:7a:38
This should generate the id_rsa.pub and id_rsa keys in your ~/.ssh directory:
-rw-r--r-- 1 user group 221 Apr 10 00:08 id_rsa.pub -rw------- 1 user group 883 Apr 10 00:08 id_rsa
The id_rsa file contains your private key. As such, it will only be readable by you (permissions mode 600). The id_rsa.pub file contains its corresponding public key.
Add the public key to the remote machine
You'll need to append your public key to the ~/.ssh/authorized_keys file in the remote machine.
You can do this with the following command:
$ ssh user@remote cat \>\> ~/.ssh/authorized_keys <~/.ssh/id_rsa.pub
If the ~/.ssh directory does not exist in the remote machine, you'll need to create it.
More information
You can read ssh-keygen(1), ssh(1) and ssh-agent(1) for more information.
Specifically, you might want to use a non-empty passphrase in combination with ssh-agent(1): this will require you to give your password to ssh-agent once in order to be able to use your private key.
OTRO: SSH Nopasswd login
Local
cd .ssh ssh-keygen -b 1024 -f identity -P '' -t dsa scp identity.pub gacq@192.168.0.20:
Remoto
cat identity.pub >> .ssh/authorized_keys
SSH Port forwarding
- Login to a NAT firewalled server from Internet
Base commands
- At internal host
ssh -N -R 2222:localhost:22 user@gacq.com
- At localhost
ssh -p 2222 root@localhost
Script to maintain the forward UP
#!/bin/sh CONNECT='ssh -N -R 22222:localhost:22 user@gacq.com' USER=gacq while [ 1 ] do SSH_RUNNING=`ps -eo args | grep "$CONNECT" | grep -v grep | wc -l` # Check if there are any ssh forward running if [ $SSH_RUNNING -gt 0 ] then # Check if there are any user connected from localhost if [ `who | grep $USER | grep localhost | grep pts | wc -l` -eq 0 ] then # If not kill ssh - This is to prevent crashed conenections SSH_PID=`ps -ef | grep "$CONNECT" | grep -v grep | head -1 | awk '{print $2}'` kill -15 $SSH_PID sleep 1 nohup $CONNECT & fi else # If not connected reconnect nohup $CONNECT & fi sleep 120 done
Protegiendonos de ataques SSH
La mejor opcion es cambiar el puerto por defecto, si esto no es posible tenemos: