SSH
Common ssh options
ssh [-L [bind_address:]port:host:hostport] [-l login_name] [-p port] [-R [bind_address:]port:host:hostport] [user@]hostname [command]
Private Key Authentication
Sometimes it is easier to authenticate ourselves using a private/public key pair.
For this, we first need to generate our private and public keys. From a Linux machine we run:
gforns@test:~> ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/gforns/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/gforns/.ssh/id_rsa.
Your public key has been saved in /home/gforns/.ssh/id_rsa.pub.
The key fingerprint is:
f6:61:a8:27:35:cf:4c:6d:13:22:70:cf:4c:c8:a0:23 gforns@test
You can add a passphrase to protect your private key.
The private key is saved in /home/gforns/.ssh/id_rsa. You never have to hand out this file, and it should always be protected.
Instead, you give your public key to the system administrators, or add it yourself to the systems you want to authenticate to with it.
Your public key has been saved in /home/gforns/.ssh/id_rsa.pub.
On the server we want to authenticate to with this key, we need to copy the public key into ~/.ssh/authorized_keys.
To do that, we first create the .ssh directory in the home folder:
mkdir .ssh
chmod 700 .ssh
Then we log out and copy the public key into this directory:
gforns@test:~$ scp .ssh/id_rsa.pub gestio:/home/gforns/.ssh/authorized_keys
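The scp above replaces any authorized_keys that already exists on the server. As an added example (not part of the original page), this POSIX sh function installs a public key by appending it, skips keys that are already present, rejects files that do not look like an OpenSSH public key, and sets the 700/600 permissions sshd expects; the key file and authorized_keys paths are passed as arguments, and the key values used for testing are constructed.

```shell
#!/bin/sh
# Append a public key to an authorized_keys file without clobbering the
# keys already there and without adding the same key twice.
# Arguments: pubkey file, authorized_keys path.
# Returns 0 on success, 1 if the key file is not an OpenSSH public key.
install_pubkey() {
    pubkey_file="$1"
    auth_keys="$2"
    ssh_dir=$(dirname "$auth_keys")

    # An OpenSSH public key is one line: "<type> <base64> [comment]"
    key_line=$(head -n 1 "$pubkey_file")
    key_type=${key_line%% *}
    case "$key_type" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "not an OpenSSH public key: $pubkey_file" >&2; return 1 ;;
    esac

    # Compare type and key material only, so a changed comment does not
    # produce a duplicate entry
    key_material=$(printf '%s\n' "$key_line" | awk '{print $1 " " $2}')

    # sshd ignores authorized_keys if ~/.ssh or the file is too permissive
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_keys"
    chmod 600 "$auth_keys"

    if ! awk -v k="$key_material" \
            '($1 " " $2) == k { found = 1 } END { exit !found }' "$auth_keys"; then
        printf '%s\n' "$key_line" >> "$auth_keys"
    fi
}

# Number of keys currently authorised (non-empty, non-comment lines)
count_keys() {
    grep -c -v -e '^#' -e '^$' "$1" || :
}
```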
Convert OpenSSH key to SSH2 key
Run the OpenSSH version of ssh-keygen on your OpenSSH public key to convert it into the format needed by SSH2 on the remote machine. This must be done on the system running OpenSSH.
ssh-keygen -e -f ~/.ssh/id_dsa.pub > ~/.ssh/id_dsa_ssh2.pub
Convert SSH2 key to OpenSSH key
Run the OpenSSH version of ssh-keygen on your SSH2 public key to convert it into the format needed by OpenSSH. This must be done on the system running OpenSSH.
ssh-keygen -i -f ~/.ssh/id_dsa_1024_a.pub > ~/.ssh/id_dsa_1024_a_openssh.pub
SSH Client config file
To let the ssh client connect directly to a server without specifying options on the command line, we can use the ~/.ssh/config file:
more /home/gforns/.ssh/config
Host *
    PreferredAuthentications publickey,keyboard-interactive,password

# Different hosts we need to log in to
Host gestio
    Hostname gestio.trifasic.cat
    Port 2022
    User pepito
    IdentityFile ~/.ssh/id_rsa_personal
Jail a user to a given directory - chroot ssh
Debian lenny ships OpenSSH version 5.1, so we can use the ChrootDirectory option built into OpenSSH (tutorial below):
http://www.howtoforge.com/chrooted-ssh-sftp-tutorial-debian-lenny
OpenSSH versions prior to 4.8
We want to jail the user usersftp in the /home/jail directory.
First we create this script as /bin/chroot-shell:
#!/bin/sh
# Re-enter the jail as the invoking user; sudo is allowed only for this chroot/su pair (see sudoers below)
/usr/bin/sudo /usr/sbin/chroot /home/jail /bin/su - "$USER" "$@"
Let's change the permissions and add it to the list of valid shells:
chmod 755 /bin/chroot-shell
echo '/bin/chroot-shell' >> /etc/shells
We create the new user usersftp:
useradd -m usersftp -s /bin/chroot-shell
We need to allow this user to use sudo by adding to the sudoers file:
usersftp ALL=NOPASSWD: /usr/sbin/chroot, /bin/su - usersftp
We need to create a minimal file structure inside the jail:
cd /home/jail
mkdir ./bin
mkdir ./dev
mkdir ./etc
mkdir ./lib
mkdir ./lib/tls
mkdir ./lib/tls/i686
mkdir ./usr
mkdir ./usr/lib
mkdir ./usr/lib/i686
mkdir ./usr/lib/openssh
mkdir ./usr/bin
cp /bin/sh bin/
cp /bin/cp bin/
cp /bin/false bin/
cp /bin/ls bin/
cp /bin/mv bin/
cp /bin/pwd bin/
cp /bin/rm bin/
cp /bin/rmdir bin/
cp /bin/true bin/
cp /bin/bash bin/
cp /bin/su bin/
cp /usr/lib/openssh/sftp-server usr/lib/openssh/
cp /usr/bin/scp usr/bin/
mknod -m 0666 dev/tty c 5 0
mknod -m 0644 dev/urandom c 1 9
mknod -m 0666 dev/null c 1 3
mknod -m 0666 dev/zero c 1 12
cp /etc/group etc/
cp /etc/passwd etc/
cp /etc/shadow etc/
cp /etc/login.defs etc/
cp -r /etc/pam.d etc/
cp -r /etc/security etc/
cp /lib/ld-linux.so.2 lib/
cp /lib/libacl.so.1 lib/
cp /lib/libattr.so.1 lib/
cp /lib/libcom_err.so.2 lib/
cp /lib/libcrypt.so.1 lib/
cp /lib/libc.so.6 lib/
cp /lib/libdl.so.2 lib/
cp /lib/libncurses.so.5 lib/
cp /lib/libnsl.so.1 lib/
cp /lib/libnss_compat.so.2 lib/
cp /lib/libpamc.so.0 lib/
cp /lib/libpam_misc.so.0 lib/
cp /lib/libpam.so.0 lib/
cp /lib/libpthread.so.0 lib/
cp /lib/libresolv.so.2 lib/
cp /lib/librt.so.1 lib/
cp /lib/libselinux.so.1 lib/
cp /lib/libsepol.so.1 lib/
cp /lib/libutil.so.1 lib/
cp /lib/libkeyutils.so.1 lib/
cp -r /lib/security lib/
cp -r /lib/tls/i686/cmov lib/tls/i686
cp /usr/lib/libgssapi_krb5.so.2 usr/lib/
cp /usr/lib/libk5crypto.so.3 usr/lib/
cp /usr/lib/libkrb5.so.3 usr/lib/
cp /usr/lib/libkrb5support.so.0 usr/lib/
cp /usr/lib/libz.so.1 usr/lib/
cp /usr/lib/sftp-server usr/lib/
cp -r /usr/lib/i686/cmov usr/lib/i686/
Inside the jail we then need to trim the copied /etc/shadow, /etc/passwd and /etc/group down to the entries that are actually needed.
We also need to change the shell of the user usersftp in the jail's passwd (inside the jail it is a normal shell, not /bin/chroot-shell):
chef-web-05:/home/jail/etc# more passwd
root:x:0:0:root:/root:/bin/bash
usersftp:x:1004:1005::/home/usersftp:/bin/bash
OpenSSH versions later than 4.8
We edit the /etc/ssh/sshd_config file and make sure it contains:
Subsystem sftp /usr/lib/openssh/sftp-server
Then we add the following lines:
Match User falko
    ChrootDirectory /home/jail
    AllowTCPForwarding no
    X11Forwarding no
We also need to create the structure of the jailed system in /home/jail and trim /etc/passwd, /etc/group and /etc/shadow inside it, as above.
Allow only sftp to a user and not ssh
OpenSSH later than 4.8
SFTP is different from scp. For scp you need ssh access.
We follow the same chroot procedure as above, but add a ForceCommand line:
Match User falko
    ChrootDirectory /home/jail
    AllowTCPForwarding no
    X11Forwarding no
    ForceCommand /usr/lib/openssh/sftp-server
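Without the ForceCommand line the Match block above still lets the user obtain a shell inside the jail. As an added example (not part of the original page), this POSIX sh/awk function audits an sshd_config for a given user and reports which of the four settings (ChrootDirectory, AllowTcpForwarding no, X11Forwarding no, an sftp ForceCommand) are missing from that user's Match block; the config text in the test is constructed from the two blocks on this page, and the file path and user name are arguments.

```shell
#!/bin/sh
# Audit an sshd_config for an sftp-only chroot. The named user must have a
# "Match User" block carrying ChrootDirectory, AllowTcpForwarding no,
# X11Forwarding no and a ForceCommand that starts an sftp server
# (OpenSSH's built-in internal-sftp, or a path ending in sftp-server).
# Prints one line per missing setting; returns 0 when all four are present.
audit_sftp_jail() {
    config="$1"
    user="$2"
    awk -v user="$user" '
        # Keywords in sshd_config are case-insensitive
        { key = tolower($1) }
        # Any Match line ends the previous block; enter a new one only if
        # its User criterion (possibly a comma-separated list) names our user
        key == "match" {
            inblock = 0
            for (i = 2; i < NF; i += 2) {
                if (tolower($i) == "user") {
                    n = split($(i + 1), users, ",")
                    for (j = 1; j <= n; j++) if (users[j] == user) inblock = 1
                }
            }
            next
        }
        inblock && key == "chrootdirectory" { chroot = 1 }
        inblock && key == "allowtcpforwarding" && tolower($2) == "no" { tcp = 1 }
        inblock && key == "x11forwarding" && tolower($2) == "no" { x11 = 1 }
        inblock && key == "forcecommand" && \
            ($2 == "internal-sftp" || $2 ~ /sftp-server$/) { force = 1 }
        END {
            rc = 0
            if (!chroot) { print "missing ChrootDirectory";       rc = 1 }
            if (!tcp)    { print "missing AllowTcpForwarding no"; rc = 1 }
            if (!x11)    { print "missing X11Forwarding no";      rc = 1 }
            if (!force)  { print "missing ForceCommand sftp";     rc = 1 }
            exit rc
        }' "$config"
}
```

sshd also refuses the login (logging "bad ownership or modes for chroot directory") unless every component of the ChrootDirectory path is owned by root and not writable by group or others, so check the jail's permissions as well as the config.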