Difference between revisions of «SSH»

From gacq wiki
(8 intermediate revisions by 2 users not shown)
Línea 20: Línea 20:
 
== ssh sin password (Rapido) ==
 
== ssh sin password (Rapido) ==
 
<pre><nowiki>
 
<pre><nowiki>
ssh-keygen -t dsa
+
ssh-keygen -t rsa
 
# Si el archivo ~/.ssh/authorized_keys remoto existe
 
# Si el archivo ~/.ssh/authorized_keys remoto existe
cat ~/.ssh/id_dsa.pub | ssh remoteuser@remotehost 'cat - >> ~/.ssh/authorized_keys'
+
cat ~/.ssh/id_rsa.pub | ssh remoteuser@remotehost 'cat - >> ~/.ssh/authorized_keys'
 
# Si el archivo ~/.ssh/authorized_keys remoto NO existe
 
# Si el archivo ~/.ssh/authorized_keys remoto NO existe
cat ~/.ssh/id_dsa.pub | ssh remoteuser@remotehost 'cat - > ~/.ssh/authorized_keys'
+
cat ~/.ssh/id_rsa.pub | ssh remoteuser@remotehost 'cat - > ~/.ssh/authorized_keys'
 
# Opcional, qu enadie pueda leer el archivo con las claves publicas
 
# Opcional, qu enadie pueda leer el archivo con las claves publicas
 
ssh remoteuser@remotehost 'chmod 700 ~/.ssh ; chmod 600 ~/.ssh/authorized_keys'
 
ssh remoteuser@remotehost 'chmod 700 ~/.ssh ; chmod 600 ~/.ssh/authorized_keys'
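Review bot: the branch for a missing remote authorized_keys (`cat - > ~/.ssh/authorized_keys`) still assumes the remote ~/.ssh directory exists, and the truncating `>` silently discards any keys already in the file; `mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys` covers both cases, so the two variants could be collapsed into one. The chmod line is labelled optional, but sshd's default StrictModes refuses an authorized_keys file or ~/.ssh directory that is group- or world-writable, so it is worth documenting as the safe default rather than an extra. Also, the comment "qu enadie" should read "que nadie".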
Línea 34: Línea 34:
 
machines without having to enter your password each time.
 
machines without having to enter your password each time.
  
This is very useful when you are constantly invocating <tt>ssh</tt> or
+
This is very useful when you are constantly invoking <tt>ssh</tt> or
 
copying files with <tt>scp</tt>.  It also allows you to make <tt>scp</tt> transfers
 
copying files with <tt>scp</tt>.  It also allows you to make <tt>scp</tt> transfers
 
automatically (using a cron job in one of the machines).
 
automatically (using a cron job in one of the machines).
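Review bot: the typo fix is fine; while in this paragraph, "in one of the machines" reads better as "on one of the machines".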
Línea 88: Línea 88:
 
<tt>ssh-agent(1)</tt>: this will require you to give your password to
 
<tt>ssh-agent(1)</tt>: this will require you to give your password to
 
<tt>ssh-agent</tt> once in order to be able to use your private key.
 
<tt>ssh-agent</tt> once in order to be able to use your private key.
 +
 +
== OTRO: SSH Nopasswd login ==
 +
=== Local ===
 +
<pre><nowiki>
 +
cd .ssh
 +
ssh-keygen -b 1024 -f identity -P '' -t dsa
 +
scp identity.pub gacq@192.168.0.20:
 +
</nowiki></pre>
 +
=== Remoto ===
 +
<pre><nowiki>
 +
cat identity.pub >> .ssh/authorized_keys
 +
</nowiki></pre>
 +
 +
=SSH Port forwarding=
 +
;Login to a NAT firewalled server from Internet
 +
==Base commands==
 +
;At internal host
 +
ssh -N -R 2222:localhost:22 user@gacq.com
 +
 +
;At localhost
 +
ssh -p 2222 root@localhost
 +
 +
==Script to maintain the forward UP==
 +
<pre><nowiki>
 +
#!/bin/sh
 +
CONNECT='ssh -N -R 22222:localhost:22 user@gacq.com'
 +
USER=gacq
 +
 +
while [ 1 ]
 +
do
 +
  SSH_RUNNING=`ps -eo args | grep "$CONNECT" | grep -v grep | wc -l`
 +
 +
  # Check if there are any ssh forward running
 +
  if [ $SSH_RUNNING -gt 0 ]
 +
  then
 +
    # Check if there are any user connected from localhost
 +
    if [ `who | grep $USER | grep localhost | grep pts | wc -l` -eq 0 ]
 +
    then
 +
      # If not kill ssh - This is to prevent crashed conenections
 +
      SSH_PID=`ps -ef | grep "$CONNECT" | grep -v grep | head -1 | awk '{print $2}'`
 +
      kill -15 $SSH_PID
 +
      sleep 1
 +
      nohup $CONNECT &
 +
    fi
 +
  else
 +
    # If not connected reconnect
 +
    nohup $CONNECT &
 +
  fi
 +
 +
  sleep 120
 +
done
 +
</nowiki></pre>
 +
 +
= Protegiendonos de ataques SSH =
 +
La mejor opcion es cambiar el puerto por defecto, si esto no es posible tenemos:
 +
*[http://fail2ban.sourceforge.net/ Fail2Ban (Tambien sirve para los logs del apache]
 +
*[http://daemonshield.sourceforge.net/ Daemon Shield]
 +
*[http://denyhosts.sourceforge.net/ DenyHosts]
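Review bot: the base commands forward port 2222 while the CONNECT line of the watchdog script forwards 22222, so a reader who follows both ends up with the login command and the tunnel on different ports; pick one value and use it in both places. In the script, the kill-and-restart path is only reached when nobody is logged in from localhost, so a tunnel that hangs while a session is open is never restarted; adding `-o ServerAliveInterval=60 -o ServerAliveCountMax=3 -o ExitOnForwardFailure=yes` to the ssh command makes ssh exit by itself when the link dies or the remote port is taken, which lets the loop shrink to `while true; do $CONNECT; sleep 10; done` without the ps/grep bookkeeping. `while [ 1 ]` should be `while true`, and `$SSH_PID` should be quoted. The keygen line requests a 1024-bit DSA key, which current OpenSSH releases no longer support, and the login example connects as root through the tunnel where an unprivileged account would do. In the last section, the Fail2Ban bullet has an unclosed parenthesis inside the link text.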

Current revision as of 06:37, 27 May 2010

General

Open a remote X application

I found out how to get into your home machine and open an X application from a private network that goes out through NAT

1) xhost +

2) ssh -X -l sshuser pc.micasa.net

3) xclock  (it should work)

4) The problem comes when you go to run something as another user, because after doing su it cannot set DISPLAY properly, but it is solved like this from the sshuser user:

	gksu -g -u root /usr/X11R6/bin/xclock

it asks you for the user's password and nothing more to run the application. Performance is another matter.

Passwordless ssh (Quick)

ssh-keygen -t rsa
# If the remote ~/.ssh/authorized_keys file exists
cat ~/.ssh/id_rsa.pub | ssh remoteuser@remotehost 'cat - >> ~/.ssh/authorized_keys'
# If the remote ~/.ssh/authorized_keys file does NOT exist
cat ~/.ssh/id_rsa.pub | ssh remoteuser@remotehost 'cat - > ~/.ssh/authorized_keys'
# Optional, so that nobody else can read the file with the public keys
ssh remoteuser@remotehost 'chmod 700 ~/.ssh ; chmod 600 ~/.ssh/authorized_keys'

Passwordless ssh (Explained)

This document explains how to authenticate through ssh to multiple machines without having to enter your password each time.

This is very useful when you are constantly invoking ssh or copying files with scp. It also allows you to make scp transfers automatically (using a cron job in one of the machines).

Check the ssh watchdog for an example of something you could accomplish with this.

Generate a public/private key pair

Run ssh-keygen -t rsa on your host machine (the one you'll be connecting from). Use the default settings and an empty passphrase:

$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
90:02:83:45:8b:3b:37:72:d4:0a:7a:5f:8e:1e:7a:38

This should generate the id_rsa.pub and id_rsa keys in your ~/.ssh directory:

-rw-r--r--   1 user group 221 Apr 10 00:08 id_rsa.pub
-rw-------   1 user group 883 Apr 10 00:08 id_rsa

The id_rsa file contains your private key. As such, it will only be readable by you (permissions mode 600). The id_rsa.pub file contains its corresponding public key.

Add the public key to the remote machine

You'll need to append your public key to the ~/.ssh/authorized_keys file in the remote machine.

You can do this with the following command (the remote command is quoted so that ~ is expanded on the remote host rather than by your local shell):

$ ssh user@remote 'cat >> ~/.ssh/authorized_keys' < ~/.ssh/id_rsa.pub

If the ~/.ssh directory does not exist in the remote machine, you'll need to create it.
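Both the quick recipe and the explanation above split the key installation into two cases (authorized_keys present or not) and leave the missing ~/.ssh directory and the permission fix to the reader. The script below, added here as an example and not part of the wiki, folds all of that into one idempotent step: it creates ~/.ssh with mode 700, creates authorized_keys with mode 600, and appends the key only if that exact line is not already there, so running it twice does not duplicate the entry. install_pubkey_local operates on a directory passed as an argument (standing in for the remote home, so it can be exercised offline); install_pubkey_remote runs the same steps over ssh. The user@host target, the function names and the key material in the demo are assumptions.

```shell
#!/bin/sh
# Idempotent authorized_keys installer (added example, not the wiki's own code).
set -eu

# Append the first line of $1 (a .pub file) to $2/.ssh/authorized_keys.
# Creates the directory (700) and file (600) if needed; skips the append when
# the exact key line is already present. $2 stands in for the remote home.
install_pubkey_local() {
    pubkey_file=$1
    home_dir=$2
    key_line=$(head -n 1 "$pubkey_file")
    mkdir -p "$home_dir/.ssh"
    chmod 700 "$home_dir/.ssh"
    touch "$home_dir/.ssh/authorized_keys"
    chmod 600 "$home_dir/.ssh/authorized_keys"
    # -x whole line, -F fixed string, -q quiet: is the key already installed?
    if ! grep -qxF "$key_line" "$home_dir/.ssh/authorized_keys"; then
        printf '%s\n' "$key_line" >> "$home_dir/.ssh/authorized_keys"
    fi
}

# Same steps on a real remote host ($2 is user@host, an assumption). The key
# travels on stdin, so nothing is left lying around on the remote side, and
# umask 077 gives the new directory/file 700/600 without a separate chmod.
install_pubkey_remote() {
    pubkey_file=$1
    target=$2
    ssh "$target" 'umask 077; mkdir -p ~/.ssh; touch ~/.ssh/authorized_keys;
        key=$(cat); grep -qxF "$key" ~/.ssh/authorized_keys ||
        printf "%s\n" "$key" >> ~/.ssh/authorized_keys' < "$pubkey_file"
}

# How many times does the key in $1 appear in $2/.ssh/authorized_keys?
count_key() {
    grep -cxF "$(head -n 1 "$1")" "$2/.ssh/authorized_keys"
}

# Permission string of a path, e.g. "drwx------", for checking the modes.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Demo on a throwaway directory standing in for the remote home
# (the key below is constructed, not a real key).
demo_dir=$(mktemp -d)
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyMaterial demo@example\n' \
    > "$demo_dir/id_ed25519.pub"
install_pubkey_local "$demo_dir/id_ed25519.pub" "$demo_dir/home"
install_pubkey_local "$demo_dir/id_ed25519.pub" "$demo_dir/home"  # second run is a no-op
echo "key lines: $(count_key "$demo_dir/id_ed25519.pub" "$demo_dir/home")"  # 1
echo "dir mode:  $(mode_of "$demo_dir/home/.ssh")"                          # drwx------
rm -rf "$demo_dir"
```

Because the append is guarded by an exact-line match, the same script can be re-run from a cron job or a provisioning tool without growing authorized_keys, and the umask in the remote variant means the permissions are right even on hosts where ~/.ssh did not exist before.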

More information

You can read ssh-keygen(1), ssh(1) and ssh-agent(1) for more information.

Specifically, you might want to use a non-empty passphrase in combination with ssh-agent(1): this will require you to give your passphrase to ssh-agent once in order to be able to use your private key.

OTHER: SSH passwordless login

Local

cd .ssh
# Note: 1024-bit DSA keys are no longer supported by current OpenSSH releases; -t ed25519 is the modern equivalent
ssh-keygen -b 1024 -f identity -P '' -t dsa
scp identity.pub gacq@192.168.0.20:

Remote

cat identity.pub >> .ssh/authorized_keys

SSH port forwarding

Log in to a NAT-firewalled server from the Internet

Base commands

At the internal host (opens the reverse tunnel: port 2222 on gacq.com now leads to this host's sshd)
ssh -N -R 2222:localhost:22 user@gacq.com
At localhost, i.e. on gacq.com itself, where the forwarded port is bound
ssh -p 2222 root@localhost

Script to keep the forward UP

#!/bin/sh
# Keep a reverse tunnel (port 22222 on gacq.com -> local sshd) up from the internal host.
# ServerAliveInterval/ServerAliveCountMax make ssh exit when the link dies instead of
# hanging, and ExitOnForwardFailure makes it exit if the remote port is already taken.
CONNECT='ssh -N -o ServerAliveInterval=60 -o ServerAliveCountMax=3 -o ExitOnForwardFailure=yes -R 22222:localhost:22 user@gacq.com'
USER=gacq

while true
do
  SSH_RUNNING=`ps -eo args | grep "$CONNECT" | grep -v grep | wc -l`

  # Check whether an ssh forward is running
  if [ "$SSH_RUNNING" -gt 0 ]
  then
    # Check whether any user is connected from localhost (i.e. through the tunnel)
    if [ `who | grep "$USER" | grep localhost | grep pts | wc -l` -eq 0 ]
    then
      # If not, kill ssh - this is to recover from crashed connections
      SSH_PID=`ps -ef | grep "$CONNECT" | grep -v grep | head -1 | awk '{print $2}'`
      kill -15 "$SSH_PID"
      sleep 1
      nohup $CONNECT &
    fi
  else
    # If not connected, reconnect
    nohup $CONNECT &
  fi

  sleep 120
done

Protecting ourselves against SSH attacks

The best option is to change the default port; if that is not possible we have:

* Fail2Ban (http://fail2ban.sourceforge.net/) (also works for the Apache logs)
* Daemon Shield (http://daemonshield.sourceforge.net/)
* DenyHosts (http://denyhosts.sourceforge.net/)
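The tools this section points to all work on the same signal: they count authentication failures per source address in the sshd log and block addresses that cross a threshold. The shell function below, added here as an example and not code from the wiki or from any of those projects, does that counting step over a handful of constructed auth.log lines so the logic can be seen on its own. The sample lines, the threshold value and the function names are assumptions; a real deployment would feed it the live log and hand the result to a firewall rule.

```shell
#!/bin/sh
# Count sshd "Failed password" events per source IP and report the addresses
# that reach a threshold (the signal Fail2Ban and DenyHosts act on).
# Added example, not from the wiki; the log lines below are constructed.

SAMPLE_AUTH_LOG='May 27 06:30:01 srv sshd[4011]: Failed password for root from 203.0.113.5 port 40122 ssh2
May 27 06:30:03 srv sshd[4013]: Failed password for invalid user admin from 203.0.113.5 port 40130 ssh2
May 27 06:30:04 srv sshd[4015]: Accepted publickey for gacq from 192.168.0.20 port 51000 ssh2
May 27 06:30:06 srv sshd[4017]: Failed password for invalid user oracle from 203.0.113.5 port 40141 ssh2
May 27 06:30:09 srv sshd[4019]: Failed password for gacq from 198.51.100.7 port 33001 ssh2
May 27 06:30:12 srv sshd[4021]: Accepted password for gacq from 198.51.100.7 port 33001 ssh2'

# Reads log lines on stdin; prints "IP COUNT" for every source address with
# at least $1 failed password attempts, sorted by address. Only lines written
# by sshd are considered, and the address is the word after "from".
brute_force_sources() {
    threshold=$1
    awk -v t="$threshold" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= t) print ip, fails[ip] }
    ' | sort
}

# Wrapper over the constructed sample so the result is a plain value.
sample_offenders() {
    printf '%s\n' "$SAMPLE_AUTH_LOG" | brute_force_sources "$1"
}

# Example run: with threshold 3 only 203.0.113.5 is reported.
sample_offenders 3   # 203.0.113.5 3
```

Note that the legitimate user gacq, who mistyped a password once and then logged in, stays below the threshold; a real banning tool also expires the counts after a time window so that a single bad day does not lock an address out forever.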