Difference between revisions of "SSH"
From Alessandro's Wiki
Revision as of 22:59, 5 December 2010
Server configuration parameters
- file to edit
/etc/ssh/sshd_config
- Allowed users
AllowUsers username username@ipaddress user@hostname
- Client keep alive
ClientAliveInterval 6000
- subsystems
Subsystem sftp /usr/lib64/misc/sftp-server
- X11 options
X11Forwarding no
X11DisplayOffset 10
X11UseLocalhost yes
- Authentication
- disable tunneled clear text passwords
PasswordAuthentication no
PermitEmptyPasswords no
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
- use host keys in /etc/ssh/ssh_known_hosts
RhostsRSAAuthentication no
- similar for protocol version 2
HostbasedAuthentication no
Client configuration parameters
- file to edit
/etc/ssh/ssh_config
- Timeout (keep alive)
ServerAliveInterval 50
# Host *
# ForwardAgent no
# ForwardX11 no
# RhostsRSAAuthentication no
# RSAAuthentication yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# Port 22
# Protocol 2,1
# Cipher 3des
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
Tunnel
- With the command below it is possible to create a tunnel from the server (behind the firewall) to the client, through which the connection to the service we need, in this case 'telnet', is carried in the reverse direction.
On the server, run the command that creates the tunnel to our client:
$ ssh -f -N -R 2333:localhost:23 guest@80.100.100.100
- 2333 is the port used on the client
- 23 is the port of the service on the server (telnet)
- guest is a user that exists on the client
- 80.100.100.100 is the (internet) IP address of the client
- The server connects to the client with ssh and tells it to redirect requests arriving at port 2333 on the client to port 23 on the server.
- If all goes well, you will be asked for the password to log in to the client as user guest (unless key authentication is in place).
- Now, on the client, it is possible to connect via telnet to the server:
$ telnet localhost 2333
(ssh -f -N -R 2333:localhost:22 zombie@porcelinux.no-ip.info)
ssh -f -N -R 2333:localhost:22 -p22251 zombie@porcelinux.no-ip.info
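Whether a reverse tunnel like the one above is reachable only from the client's loopback or from the whole network depends on the optional bind_address in the -R spec (and on the remote side's GatewayPorts setting). As an added example that is not part of the wiki page, the POSIX shell functions below parse an OpenSSH "[bind_address:]port:host:hostport" spec, validate the ports, and report the exposure; the return codes (0 loopback or specific address, 1 all interfaces, 2 malformed) are a convention chosen for this example, and the specs in the usage lines are constructed.

```shell
#!/bin/sh
# Added example: parse an OpenSSH -L/-R forwarding spec and report where the
# listening socket would be bound. Assumes OpenSSH semantics: no bind_address
# means loopback only (subject to GatewayPorts); an empty bind_address or '*'
# means all interfaces.

# Accept only a decimal TCP port in 1..65535.
port_ok() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Split "[bind_address:]port:host:hostport" into FWD_BIND, FWD_PORT,
# FWD_HOST, FWD_HPORT. Returns 1 when the spec is malformed.
forward_parse() {
    old_ifs=$IFS
    set -f                  # no globbing: a bind address of '*' must stay literal
    IFS=:; set -- $1
    set +f; IFS=$old_ifs
    case $# in
        3) FWD_BIND=localhost; FWD_PORT=$1; FWD_HOST=$2; FWD_HPORT=$3 ;;
        4) FWD_BIND=$1; FWD_PORT=$2; FWD_HOST=$3; FWD_HPORT=$4 ;;
        *) return 1 ;;
    esac
    port_ok "$FWD_PORT" && port_ok "$FWD_HPORT"
}

# Print one line describing the exposure of the listening side.
# Return codes (chosen for this example): 0 loopback or a specific address,
# 1 bound on all interfaces, 2 malformed spec.
forward_exposure() {
    forward_parse "$1" || { echo "malformed spec: $1"; return 2; }
    case $FWD_BIND in
        localhost|127.0.0.1|::1)
            echo "loopback-only: $FWD_PORT -> $FWD_HOST:$FWD_HPORT" ;;
        ''|'*'|0.0.0.0|::)
            echo "ALL-INTERFACES: $FWD_PORT -> $FWD_HOST:$FWD_HPORT"; return 1 ;;
        *)
            echo "address $FWD_BIND: $FWD_PORT -> $FWD_HOST:$FWD_HPORT" ;;
    esac
}

# Usage with constructed specs: the page's tunnel, an all-interfaces
# variant, and a malformed one.
forward_exposure 2333:localhost:23
forward_exposure '*:2333:localhost:23' || echo "exit status $?"
forward_exposure 2333:localhost || echo "exit status $?"
```

For the page's command, `-R 2333:localhost:23` therefore listens on the client's loopback only, which is why the final step connects to `localhost 2333` rather than to the client's public address.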
putty
- ssh client for Windows
http://www.buzzsurf.com/surfatwork/
putty -D 8080 -P 443 -ssh homeIP