SSH

From Alessandro's Wiki
Jump to: navigation, search

Server configuration paramenters

  • file to edit
/etc/ssh/sshd_config
  • Allowed users
AllowUsers username username@ipaddress user@hostname
  • Client keep alive
ClientAliveInterval 6000
  • subsystems
Subsystem       sftp    /usr/lib64/misc/sftp-server
  • X11 options
X11Forwarding no
X11DisplayOffset 10
X11UseLocalhost yes
  • Authentication
    • disable tunneled clear text passwords
PasswordAuthentication no
PermitEmptyPasswords no
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile     .ssh/authorized_keys
    • use host keys in /etc/ssh/ssh_known_hosts
RhostsRSAAuthentication no
    • similar for protocol version 2
HostbasedAuthentication no

Client configuration paramenters

System wide

/etc/ssh/ssh_config
  • Timeout (keep alive)
ServerAliveInterval 50


  1. Host *
  2. ForwardAgent no
  3. ForwardX11 no
  4. RhostsRSAAuthentication no
  5. RSAAuthentication yes
  6. PasswordAuthentication yes
  7. HostbasedAuthentication no
  8. GSSAPIAuthentication no
  9. GSSAPIDelegateCredentials no
  10. BatchMode no
  11. CheckHostIP yes
  12. AddressFamily any
  13. ConnectTimeout 0
  14. StrictHostKeyChecking ask
  15. IdentityFile ~/.ssh/identity
  16. IdentityFile ~/.ssh/id_rsa
  17. IdentityFile ~/.ssh/id_dsa
  18. Port 22
  19. Protocol 2,1
  20. Cipher 3des
  21. Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
  22. MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
  23. EscapeChar ~
  24. Tunnel no
  25. TunnelDevice any:any
  26. PermitLocalCommand no
  27. VisualHostKey no
  28. ProxyCommand ssh -q -W %h:%p gateway.example.com

User Side

  • config file ~/.ssh/config.
  • matches wildcard domain
Host *.porcelinux.com
  • match any host in the 192.168.0.[0-9] network
Host 192.168.0.?
  • matches any 10.0.0.0/8
host 10.*
Host foo
HostName 192.168.0.1
Port 2200
User username
  • specify different key
Host 192.168.1.*
IdentityFile KeyFile

Tunnel

  • Col comando qui sotto è possibile creare un tunnel dal server (dietro il firewall) al client attraverso cui far passare in senso contrario la connessione al servizio che ci occorre, in questo caso 'telnet'.

Sul server lanciare il comando per creare il tunnel fino al nostro client:

$ ssh -f -N -R 2333:localhost:23 guest@80.100.100.100
  • 2333 porta usata sul client
  • 23 porta del servizio sul server (telnet)
  • guest è un utente presente sul client
  • 80.100.100.100 indirizzo IP (su internet) del client
  • Il server si collega con il client usando ssh e gli dice di redirigere le richieste alla porta 2333 sul client alla porta 23 del server.
    • Se va tutto bene verrà chiesta la password per accedere sul client come utente guest (a meno che ci sia autenticazione con chiave criptata).
  • Ora sul client è possibile collegarsi via telnet al server:
$telnet localhost 2333

(ssh -f -N -R 2333:localhost:22 zombie@porcelinux.no-ip.info)

ssh -f -N -R 2333:localhost:22 -p22251 zombie@porcelinux.no-ip.info

putty

  • ssh client for Windows

http://www.putty.org

putty -D 8080 -P 443 -ssh homeIP