Remote X through ssh

install the package xauth on the server
make sure that sshd_config contains X11Forwarding yes
ssh -Y user@host xterm

-Y enables trusted X11 forwarding: the remote clients get the same access to the local X server as a local program (keystrokes, screenshots, other windows). -X requests untrusted forwarding, which is confined by the X SECURITY extension and is the safer choice when the application works with it; use -Y only for servers you trust as much as your own desktop.


Creating Tunnels with SSH 
assuming I'm on hostA and I can ssh to hostB, but I want to ssh to hostC, which is in another network reachable only from hostB:

hostA                            hostB                               hostC
192.168.1.12   ->  { }  ->       ext ip: 24.200.12.135
                                 int ip: 10.24.2.34       ->         192.168.10.26
 

Then I could make a tunnel like this (run on hostA):

ssh myUser@hostB -g -L 2222:hostC:22

an ssh session to hostA on port 2222 (e.g. ssh -p 2222 localhost on hostA) will then be opening an ssh (port 22) connection to hostC. The hop from hostB to hostC is still protected end to end: it is the inner ssh session that authenticates hostC, so hostC's host key is what gets prompted for and stored (under [localhost]:2222 unless -o HostKeyAlias=hostC is given to the inner ssh).

The -g switch lets any host that can reach hostA connect to port 2222 and through it to hostC; without it the forwarded port binds to localhost only. Leave -g out unless other machines really need the tunnel, and bind explicitly (-L 127.0.0.1:2222:hostC:22) when in doubt. -o ExitOnForwardFailure=yes makes the command fail instead of silently continuing when port 2222 is already taken, and -N -f keep the tunnel up in the background without opening a shell on hostB. On OpenSSH 7.3 and later the same hop can be expressed as a jump host in one step: ssh -J myUser@hostB user@hostC.

we can also redirect more than one port within one connection:

ssh myUser@hostB -g -L 2222:hostC:22 -L 8080:hostC:80


A reverse tunnel (run on hostA)

ssh myUser@hostB -g -R 2422:hostA:22

an ssh session to port 2422 on hostB will result in an ssh connection to hostA (the destination hostA:22 is resolved and connected from hostA's side, so localhost:22 works as well). Note that -g only affects -L ports: whether port 2422 on hostB is reachable from hosts other than hostB itself is decided by hostB's sshd, which needs GatewayPorts yes (or clientspecified) for that; by default it binds to hostB's loopback only. Any host that can reach that port can then attempt logins against hostA, so keep the default unless the exposure is intended.

Key Management

Server side key initialisations (the path must be given with -f; the original notes omitted it):

ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key
ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key

ssh-keygen -A generates every missing host key type in one go. The original notes also created dsa (ssh_host_dsa_key) and rsa1 (ssh_host_key) host keys; DSA has been disabled by default since OpenSSH 7.0 and protocol 1 / rsa1 was removed in OpenSSH 7.6, so neither is worth generating any more.

Generating user's keys:

ssh-keygen -t ed25519
ssh-keygen -f ~/.ssh/id_ecdsa -t ecdsa -b 521

(the original used ssh-keygen -t dsa -N ""; ed25519 is the current default and DSA keys are refused by current servers.)

Note: specifying an empty passphrase (-N "") allows login without typing any password or passphrase, but then anyone who copies the private key file can use it. Using a passphrase increases the security level. It may seem pointless to use a passphrase instead of a password unless using an ssh-agent (see below).

Distribute the public key to the remote host:

cat ~/.ssh/id_ed25519.pub | ssh user@host 'mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys'

ssh-copy-id user@host does the same (including creating ~/.ssh with the right permissions). It is now possible to log on to the remote server without any prompt.

Note: with StrictModes yes (the default) sshd ignores authorized_keys when the user's home directory, ~/.ssh or the file itself is writable by group or others, or is owned by someone other than the user or root. That is why 750 and 751 on the home directory work and 770 does not. Use 700 on .ssh and 600 on .ssh/authorized_keys. A key that "does not work" for no visible reason is usually this; sshd -d or the auth log on the server says so explicitly.
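The permission rule above can be checked before touching sshd. The script below is an added example, not part of the original notes or of OpenSSH: it applies the same test sshd uses with StrictModes yes (no group/other write bit on the home directory, ~/.ssh and authorized_keys, and each owned by the user or root) to a constructed home directory under a temp dir. It assumes GNU stat (Linux); on BSD or macOS replace stat -c %a / %u with stat -f %Lp / %u.

```shell
#!/bin/sh
# Added example, not part of the original notes: reproduce the test sshd
# applies with StrictModes yes (the default). sshd ignores authorized_keys
# when the user's home directory, ~/.ssh or the file itself is writable by
# group or others, or is owned by someone other than the user or root.
# This is why 750 and 751 on the home directory work and 770 does not.
# Assumes GNU stat (Linux); on BSD/macOS use stat -f %Lp / stat -f %u.

# safe_mode PATH
# returns 0 when PATH has neither g+w nor o+w, 1 otherwise
safe_mode() {
    mode=$(stat -c %a "$1") || return 1
    # 0$mode makes the shell read the digits as octal; 022 = g+w | o+w
    [ $(( 0$mode & 022 )) -eq 0 ]
}

# safe_owner PATH UID
# returns 0 when PATH is owned by UID or by root
safe_owner() {
    owner=$(stat -c %u "$1") || return 1
    [ "$owner" = "$2" ] || [ "$owner" = 0 ]
}

# check_ssh_perms HOME_DIR [UID]
# prints one line per path; returns 0 when sshd would accept the key file
check_ssh_perms() {
    home=$1
    uid=${2:-$(id -u)}
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"; rc=1
        elif ! safe_owner "$p" "$uid"; then
            echo "BAD owner: $p (sshd accepts only uid $uid or root)"; rc=1
        elif ! safe_mode "$p"; then
            echo "BAD mode $(stat -c %a "$p"): $p (writable by group/other)"; rc=1
        else
            echo "ok  mode $(stat -c %a "$p"): $p"
        fi
    done
    return $rc
}

# Demonstration on a constructed home directory under a temp dir.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/home/.ssh"
    : > "$tmp/home/.ssh/authorized_keys"
    chmod 700 "$tmp/home/.ssh"
    chmod 600 "$tmp/home/.ssh/authorized_keys"
    chmod 770 "$tmp/home"
    check_ssh_perms "$tmp/home" || echo "-> 770 on the home dir: key would be ignored"
    chmod 751 "$tmp/home"
    check_ssh_perms "$tmp/home" && echo "-> 751 on the home dir: key accepted"
    rm -rf "$tmp"
}

demo
```

Run it against a real account with check_ssh_perms /home/<user> $(id -u <user>) as root to see exactly which of the three paths sshd objects to.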

Setting up an ssh-agent

start a konsole through the ssh-agent:

ssh-agent konsole

once konsole is started, add your default key to the agent (~/.ssh/id_dsa in the original notes; whichever key ssh-keygen created):

ssh-add

after entering the passphrase it is now possible to ssh to any server that uses the key without entering any password or passphrase within the konsole session, including all tabs. ssh-add -t 1h limits how long the agent keeps the key, ssh-add -l lists the loaded keys and ssh-add -D removes them.

Note: the agent signs for any process that can reach its socket ($SSH_AUTH_SOCK). With -A / ForwardAgent yes that includes root on the remote host for as long as the session lasts, so only forward the agent to hosts you trust, or use a jump host (-J) instead.

Implementing Restrictions on authorized_keys

It is possible to allow only one command to be run when connecting with a key. This is done by prepending the key in the authorized_keys file with a command option:

command="echo test > /tmp/thistest" ssh-dss AAAAB3NzaC1kc3MAAACBAPtQ3kCw6fvfRE11DXPlB ...

It is also possible to restrict by client address:

from="192.168.104.*" ssh-dss AAAAB3NzaC1kc3MAAACBAPtQ3kCw6fvfRE11DXPlB ...

These can be mixed, and there are other restrictions. The options are separated by commas only, with no spaces between them (the original notes had a doubled comma and a space before from=, which sshd does not parse):

command="echo test > /tmp/thistest",no-pty,no-agent-forwarding,no-X11-forwarding,no-port-forwarding,from="192.168.104.*" ssh-dss AAAAB3NzaC1kc3MAAACBAPtQ3kCw6fvfRE11DXPlB ...

Since OpenSSH 7.2 the single option restrict switches on all of the no-* restrictions at once, including ones added in later versions, so prefer command="...",restrict,from="..." to listing them.

Notes: the command the client asked for is not run; it is handed to the forced command in $SSH_ORIGINAL_COMMAND. ${SSH_ORIGINAL_COMMAND#* } strips the first word and yields the parameters. Treat it as untrusted input: compare it against an allowlist and never pass it to eval or to a shell.
Restrictions in authorized_keys don't prevent the user from logging in without a key by entering a password; disable PasswordAuthentication for that account (e.g. in a Match User block in sshd_config) if the key options are meant to be the only way in.
ssh-dss keys are obsolete (disabled by default since OpenSSH 7.0); the same options work in front of ssh-ed25519 and ssh-rsa keys.
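A forced command that looks at $SSH_ORIGINAL_COMMAND has to decide what to do with the client's text. The wrapper below is an added example, not part of the original notes or of OpenSSH: it maps the request onto two fixed actions, rejects everything else, and never hands the client's string to a shell. The install path /usr/local/bin/ssh-wrapper and the subcommands status and backup (with /srv/<name> and /var/backups/<name>.tgz) are this example's own choices. The dispatch function is separate from the exec so that the policy can be tested without an ssh session, as the demo inputs at the end of the block do.

```shell
#!/bin/sh
# Added example, not part of the original notes: a forced-command wrapper for
# authorized_keys. Install it with a line such as
#   command="/usr/local/bin/ssh-wrapper",restrict ssh-ed25519 AAAA...
# (path and the two subcommands, status and backup, are this example's own
# choices). sshd puts the command the client asked for into
# SSH_ORIGINAL_COMMAND; the wrapper treats it as untrusted input and maps it
# onto a fixed set of actions instead of running it.

nl='
'

# dispatch "CLIENT_COMMAND"
# sets ACTION and ARG and returns 0 for an allowed request, 1 otherwise
dispatch() {
    cmd=$1
    ACTION=""; ARG=""
    # refuse shell metacharacters and newlines before even looking at the verb
    case $cmd in
        *[';&|$<>(){}`']*|*'\'*|*"$nl"*)
            echo "rejected: metacharacters in request" >&2; return 1 ;;
    esac
    # first word is the verb, the rest the parameters (cf. ${SSH_ORIGINAL_COMMAND#* })
    verb=${cmd%% *}
    args=${cmd#* }
    [ "$args" = "$cmd" ] && args=""
    case $verb in
        status)
            [ -z "$args" ] || { echo "rejected: status takes no arguments" >&2; return 1; }
            ACTION=status
            ;;
        backup)
            # a single plain name: no slashes, dots or spaces, so it can neither
            # escape /srv/ nor turn into an option for tar
            case $args in
                ''|*[!A-Za-z0-9_-]*|-*)
                    echo "rejected: bad backup name '$args'" >&2; return 1 ;;
            esac
            ACTION=backup; ARG=$args
            ;;
        *)
            echo "rejected: unknown command '$verb'" >&2; return 1 ;;
    esac
    echo "accepted: $ACTION $ARG"
}

# Entry point when sshd runs this as the forced command. The shell never sees
# the client's text as code: each action is a fixed argv with ARG quoted.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    logger -t ssh-wrapper "request from ${SSH_CLIENT%% *}: $SSH_ORIGINAL_COMMAND"
    dispatch "$SSH_ORIGINAL_COMMAND" || exit 1
    case $ACTION in
        status) exec uptime ;;
        backup) exec tar -czf "/var/backups/$ARG.tgz" "/srv/$ARG" ;;
    esac
fi

# Demo of the policy on constructed requests (only runs outside an ssh session).
if [ -z "${SSH_ORIGINAL_COMMAND:-}" ]; then
    for req in "status" "backup www" "backup ../etc" "backup www; rm -rf /" "reboot"; do
        dispatch "$req" || true
    done
fi
```

With restrict in the key options the client also cannot request a pty, so the intended invocation is ssh -T user@host backup www; the reject messages go to stderr and therefore back to the client, while the full original request goes to syslog via logger.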

Multiplexing

add to ~/.ssh/config:

Host *
    ControlMaster auto
    ControlPath ~/.ssh/sockets/%h-%p-%r

%h = host, %p = port, %r = remote username

Permissions on ~/.ssh/sockets should be 0700; ssh creates the socket files 0600. Whoever can connect to a socket gets sessions over the already authenticated master connection, so the directory must be private to the user and never on a shared filesystem. ControlPersist 10m keeps the master open in the background after the first session exits; ssh -O check <host> and ssh -O exit <host> query or close it.

sudo su - and remote X

echo $DISPLAY
sudo su -
export DISPLAY=<what we got from echo $DISPLAY>
export XAUTHORITY=<homeOfInitialUser>/.Xauthority

Create rules per user in sshd_config

Match User <userName>
    AllowTcpForwarding no
    KbdInteractiveAuthentication no
    KerberosAuthentication no
    PasswordAuthentication no
    PubkeyAuthentication yes

(the original notes had RSAAuthentication yes, which applied to protocol 1 only and no longer exists; PubkeyAuthentication is the equivalent.) Match blocks go at the end of sshd_config: every line after a Match, up to the next Match, belongs to it. sshd -T -C user=<userName> prints the settings that would apply to that user.

Removing a host from the known_hosts file

ssh-keygen -R <hostname>

Get the known_hosts key of a host

ssh-keyscan <hostname>

Verify the fingerprint out of band before appending the result to known_hosts: ssh-keyscan reports whatever key is presented on the wire, which is exactly what a man-in-the-middle would present too. ssh-keygen -lf <file> prints the fingerprint of a scanned key; on the server itself ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub gives the value to compare against.

To connect ignoring known_hosts and not get prompted to add the host

ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no <host>

This disables host authentication altogether, so anyone in the path can impersonate the server and capture the password or relay the session; use it only for throwaway hosts on a trusted network. StrictHostKeyChecking=accept-new (OpenSSH 7.6+) adds unknown hosts without prompting but still refuses a changed key.

A system-wide known_hosts file can be created in /etc/ssh/ssh_known_hosts (that is the default GlobalKnownHostsFile; /etc/ssh/known_hosts is not read).

-t to force a pseudo tty

Example to run commands as root and even scp to another machine:

ssh -t <serverName> sudo scp /path/to/file <userName>@<serverName2>:/path/to/.