SSH


SSH usual modifiers

ssh [-l login_name] [-p port]
    [-L [bind_address:]port:host:hostport]
    [-R [bind_address:]port:host:hostport]
    [user@]hostname [command]

-l login_name   user name to log in as on the remote machine
-p port         port to connect to on the remote host
-L              local forwarding: connections to the local port are sent to host:hostport from the remote side
-R              remote forwarding: connections to port on the remote side are sent to host:hostport from the local machine


Private Key Authentication

Sometimes it is easier to authenticate with a private/public key pair instead of a password.

For this we first need to generate our private and public keys. On a Linux machine we run:

gforns@test:~> ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/home/gforns/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/gforns/.ssh/id_rsa.
Your public key has been saved in /home/gforns/.ssh/id_rsa.pub.
The key fingerprint is:
f6:61:a8:27:35:cf:4c:6d:13:22:70:cf:4c:c8:a0:23 gforns@test

You can add a passphrase to protect your private key.

The private key is saved in /home/gforns/.ssh/id_rsa. Never hand this file to anyone, and keep it protected: it should be readable only by its owner (mode 600), and ssh refuses to use it otherwise.

Instead, give your public key to the system administrators, or add it yourself to the systems you want to authenticate to with it.

The public key is saved in /home/gforns/.ssh/id_rsa.pub.

On the server we want to authenticate to with this key, we need to copy the public key into ~/.ssh/authorized_keys.

To do that, first create the .ssh directory in the home folder on the server, accessible only by its owner:

mkdir .ssh
chmod 700 .ssh

Then we log out and copy the public key into this directory:

gforns@test:~$ scp .ssh/id_rsa.pub gestio:/home/gforns/.ssh/authorized_keys

Note that this scp replaces any authorized_keys file already on the server. If other keys are already authorised there, append the new key instead (for example with cat >> ~/.ssh/authorized_keys on the server), and make sure the file is mode 600.
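The same installation step done in a way that does not clobber an existing authorized_keys file. This is an added example, not code from the wiki page: it appends the key only if it is not already present and sets the permissions sshd's StrictModes check expects. It assumes a one-line public key file as written by ssh-keygen and takes the account's home directory as a parameter (a placeholder, not a path from the page).

```sh
#!/bin/sh
# Added example (not from the wiki page): install a public key into an account's
# authorized_keys without replacing the whole file, as the scp above does.
# Keys already present are skipped, new ones are appended, and the modes sshd
# expects (700 on ~/.ssh, 600 on authorized_keys) are enforced.
# Assumptions: POSIX sh; the public key file is a one-line id_rsa.pub as
# written by ssh-keygen; HOME_DIR is the target account's home (placeholder).
set -u

# install_authorized_key PUBKEY_FILE HOME_DIR
install_authorized_key() {
    pubkey_file=$1
    home_dir=$2
    ssh_dir="$home_dir/.ssh"
    auth_keys="$ssh_dir/authorized_keys"

    # Take the first "type base64" pair from the file; the trailing comment is
    # ignored so the same key with another comment still counts as a duplicate.
    key=$(awk 'NF >= 2 { print $1, $2; exit }' "$pubkey_file")
    [ -n "$key" ] || { echo "no public key found in $pubkey_file" >&2; return 1; }

    # sshd (StrictModes, the default) rejects keys from a group- or
    # world-writable directory or file, so fix the modes before writing.
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_keys"
    chmod 600 "$auth_keys"

    if awk -v k="$key" 'NF >= 2 && ($1 " " $2) == k { found = 1 } END { exit !found }' "$auth_keys"; then
        echo "key already present in $auth_keys" >&2
        return 0
    fi
    # Append exactly one key line, newline-terminated even if the source lacks one.
    awk 'NF >= 2 { print; exit }' "$pubkey_file" >> "$auth_keys"
}

# perm_of PATH: permission string of a path (e.g. drwx------) for post-checks.
perm_of() {
    ls -ld "$1" | cut -c1-10
}

# Usage on the server, after copying id_rsa.pub there:
#   install_authorized_key /tmp/id_rsa.pub /home/gforns
```

Run it once per key; a second run with the same key is a no-op, and a run with a different key appends a second line, so several people can be authorised for one account without anyone overwriting the others.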


Convert OpenSSH key to SSH2 key

Run the OpenSSH version of ssh-keygen on your OpenSSH public key to convert it into the format needed by SSH2 on the remote machine (the RFC 4716 format produced by -e). This must be done on the system running OpenSSH.

ssh-keygen -e -f ~/.ssh/id_dsa.pub > ~/.ssh/id_dsa_ssh2.pub

Convert SSH2 key to OpenSSH key

Run the OpenSSH version of ssh-keygen on your SSH2 public key to convert it into the format needed by OpenSSH (-i imports it). This also needs to be done on the system running OpenSSH.

ssh-keygen -i -f ~/.ssh/id_dsa_1024_a.pub > ~/.ssh/id_dsa_1024_a_openssh.pub


SSH Client config file

To let the ssh client connect to a server directly, without specifying options on the command line, we can use the ~/.ssh/config file:

more /home/gforns/.ssh/config
Host *
    PreferredAuthentications publickey,keyboard-interactive,password
# Hosts we need to log in to
Host gestio
    Hostname gestio.trifasic.cat
    Port 2022
    User pepito
    IdentityFile ~/.ssh/id_rsa_personal

With this file, ssh gestio connects to gestio.trifasic.cat on port 2022 as pepito using the key in ~/.ssh/id_rsa_personal. Keep in mind that ssh takes each option from the first Host block that matches, so a setting placed in Host * at the top cannot be overridden by a later host-specific block; put Host * defaults last if some hosts need different values.

Jail a user to a given directory - chroot ssh

Debian lenny ships OpenSSH 5.1, so we can use the ChrootDirectory option of OpenSSH itself (see the section on OpenSSH 4.8 and later below). A tutorial:

http://www.howtoforge.com/chrooted-ssh-sftp-tutorial-debian-lenny


OpenSSH versions prior to 4.8

We want to jail the user usersftp in the /home/jail directory.

First we create this script as /bin/chroot-shell:

#!/bin/sh
# Login shell for the jailed user: enter the jail as root through sudo, then
# drop back to the logging-in account inside it. $USER is set by sshd at login
# and is quoted so an unexpected value cannot be split into extra arguments.
/usr/bin/sudo /usr/sbin/chroot /home/jail /bin/su - "$USER" "$@"

Let's change the permissions and add it to the list of valid shells:

chmod 755 /bin/chroot-shell
echo '/bin/chroot-shell' >> /etc/shells

We create the new user usersftp with this shell:

useradd -m usersftp -s /bin/chroot-shell

We need to allow this user to use sudo, by adding to the sudoers file (edit it with visudo):

usersftp   ALL=NOPASSWD: /usr/sbin/chroot, /bin/su - usersftp

Note that this entry lets usersftp run /usr/sbin/chroot as root with any arguments, not only the ones chroot-shell passes. The ChrootDirectory method in the next section needs no sudo entry at all and is preferable wherever the OpenSSH version allows it.


We need to create a minimal file structure in the jail: the binaries the session will run, the shared libraries they need, a few device nodes and a copy of the account database.

cd /home/jail

mkdir -p bin dev etc lib/tls/i686 usr/lib/i686 usr/lib/openssh usr/bin

cp /bin/sh bin/
cp /bin/cp bin/
cp /bin/false bin/
cp /bin/ls bin/
cp /bin/mv bin/
cp /bin/pwd bin/
cp /bin/rm bin/
cp /bin/rmdir bin/
cp /bin/true bin/
cp /bin/bash bin/
cp /bin/su bin/
cp /usr/lib/openssh/sftp-server usr/lib/openssh/
cp /usr/bin/scp usr/bin/

mknod -m 0666 dev/tty c 5 0
mknod -m 0644 dev/urandom c 1 9
mknod -m 0666 dev/null c 1 3
mknod -m 0666 dev/zero c 1 12

cp  /etc/group   etc/
cp  /etc/passwd  etc/
cp  /etc/shadow  etc/

cp /etc/login.defs etc/
cp -r /etc/pam.d etc/
cp -r /etc/security etc/

cp  /lib/ld-linux.so.2 lib/
cp  /lib/libacl.so.1 lib/
cp  /lib/libattr.so.1 lib/
cp  /lib/libcom_err.so.2 lib/
cp  /lib/libcrypt.so.1 lib/
cp  /lib/libc.so.6 lib/
cp  /lib/libdl.so.2 lib/
cp  /lib/libncurses.so.5 lib/
cp  /lib/libnsl.so.1 lib/
cp  /lib/libnss_compat.so.2 lib/
cp  /lib/libpamc.so.0 lib/
cp  /lib/libpam_misc.so.0 lib/
cp  /lib/libpam.so.0 lib/
cp  /lib/libpthread.so.0 lib/
cp  /lib/libresolv.so.2 lib/
cp  /lib/librt.so.1 lib/
cp  /lib/libselinux.so.1 lib/
cp  /lib/libsepol.so.1 lib/
cp  /lib/libutil.so.1 lib/
cp  /lib/libkeyutils.so.1 lib/

cp -r /lib/security lib/
cp -r /lib/tls/i686/cmov lib/tls/i686

cp  /usr/lib/libgssapi_krb5.so.2 usr/lib/
cp  /usr/lib/libk5crypto.so.3 usr/lib/
cp  /usr/lib/libkrb5.so.3 usr/lib/
cp  /usr/lib/libkrb5support.so.0 usr/lib/
cp  /usr/lib/libz.so.1 usr/lib/
cp  /usr/lib/sftp-server usr/lib/
cp  -r  /usr/lib/i686/cmov usr/lib/i686/

Now we need to trim the copies of shadow, passwd and group inside the jail (/home/jail/etc) so that they only contain the root and usersftp entries; the rest of the system's accounts do not belong in the jail.

We also need to change the shell of usersftp in the jail's passwd to a shell that exists inside the jail, /bin/bash (outside the jail the account keeps /bin/chroot-shell):

chef-web-05:/home/jail/etc# more passwd 
root:x:0:0:root:/root:/bin/bash
usersftp:x:1004:1005::/home/usersftp:/bin/bash

OpenSSH versions 4.8 and later

We edit the /etc/ssh/sshd_config file and make sure the sftp subsystem line is present:

Subsystem sftp /usr/lib/openssh/sftp-server

Then we add the following lines:

Match User falko
    ChrootDirectory /home/jail
    AllowTCPForwarding no
    X11Forwarding no

We still need to create the structure of the jailed system in /home/jail and trim /etc/passwd, /etc/group and /etc/shadow inside it, as described above. sshd also requires that /home/jail and every directory above it be owned by root and not writable by group or others; otherwise the login is refused with an error in the sshd log.
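A script that builds the jail described in both chroot sections above. This is an added example, not code from the wiki page or the linked tutorial: instead of the hand-written cp list it asks ldd which shared libraries each binary needs, and it trims the copied passwd, group and shadow files to the root and jailed-user entries. It assumes GNU/Linux with ldd, and that a real jail is built as root (device nodes are skipped otherwise); the jail path and user name are parameters, not values taken from the page.

```sh
#!/bin/sh
# Added example (not from the wiki page): build a minimal chroot jail for an
# sftp-only account. Libraries are discovered with ldd rather than listed by
# hand, and the account files are trimmed to root plus the jailed user.
# Serves both the pre-4.8 chroot-shell method and the ChrootDirectory method.
# Assumptions: GNU/Linux with ldd; run as root for a real jail (device nodes
# are skipped otherwise). JAIL and USER are parameters, not page values.
set -u

# copy_with_deps BINARY JAIL: copy a binary and every library ldd reports into
# the jail, keeping absolute paths so the dynamic loader finds them there.
copy_with_deps() {
    bin=$1
    jail=$2
    [ -x "$bin" ] || { echo "not an executable: $bin" >&2; return 1; }
    mkdir -p "$jail$(dirname "$bin")"
    cp "$bin" "$jail$bin"
    # ldd prints "libfoo.so => /path/libfoo.so (0x...)" for libraries and a
    # bare "/lib/ld-linux.so.2 (0x...)" for the loader; a statically linked
    # binary makes ldd fail, which leaves nothing to copy.
    ldd "$bin" 2>/dev/null |
    awk '/=>/ { print $3 } $1 ~ /^\// { print $1 }' |
    while IFS= read -r lib; do
        [ -n "$lib" ] && [ -f "$lib" ] || continue
        mkdir -p "$jail$(dirname "$lib")"
        cp "$lib" "$jail$lib"
    done
    return 0
}

# trim_accounts FILE USER: print only the root and USER lines of a
# passwd/group/shadow-style file, so the jail does not expose every account.
trim_accounts() {
    awk -F: -v u="$2" '$1 == "root" || $1 == u' "$1"
}

# build_jail JAIL USER: assemble the jail directory.
build_jail() {
    jail=$1
    user=$2
    mkdir -p "$jail/dev" "$jail/etc"
    # Binaries the jailed session needs; extend the list as required.
    for b in /bin/sh /bin/ls /usr/lib/openssh/sftp-server; do
        if [ -x "$b" ]; then
            copy_with_deps "$b" "$jail"
        fi
    done
    for f in passwd group shadow; do
        if [ -r "/etc/$f" ]; then
            trim_accounts "/etc/$f" "$user" > "$jail/etc/$f"
        fi
    done
    if [ -f "$jail/etc/shadow" ]; then
        chmod 600 "$jail/etc/shadow"
    fi
    # Device nodes need root (and CAP_MKNOD); warn instead of aborting.
    if [ "$(id -u)" -eq 0 ]; then
        for spec in "null c 1 3" "zero c 1 12" "urandom c 1 9" "tty c 5 0"; do
            set -- $spec
            [ -e "$jail/dev/$1" ] || mknod -m 0666 "$jail/dev/$1" "$2" "$3" "$4" \
                || echo "warning: could not create $jail/dev/$1" >&2
        done
    fi
    # ChrootDirectory refuses a jail root that is not owned by root or that is
    # group/world writable; chroot-shell does not check, but keep it tight anyway.
    chmod 755 "$jail"
    return 0
}

# Usage as root:  build_jail /home/jail usersftp
```

After running it, the jail's etc/passwd contains only root and the jailed user, which matches the trimmed listing shown above; edit that line's shell field to a shell present in the jail if the chroot-shell method is used, and add /usr/lib/openssh/sftp-server to the binary list when it lives elsewhere on your system.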

Allow only sftp to a user, not ssh

OpenSSH 4.8 and later

SFTP is different from scp: scp needs ssh (shell) access, sftp does not.

We follow the chroot procedure above, but add a ForceCommand line. The sftp-server binary and its libraries must exist inside the jail, as in the file structure above, because the command runs after the chroot; newer OpenSSH versions also accept ForceCommand internal-sftp, which runs the sftp server inside sshd and needs no binaries in the jail.

Match User falko
    ChrootDirectory /home/jail
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand /usr/lib/openssh/sftp-server