Difference between revisions of "SSH"
From Alessandro's Wiki
(→Tunnel) |
|||
Line 99: | Line 99: | ||
$telnet localhost 2333 | $telnet localhost 2333 | ||
(ssh -f -N -R 2333:localhost:22 | (ssh -f -N -R 2333:localhost:22 user@dyndns-ip) | ||
ssh -f -N -R 2333:localhost:22 -p22251 | ssh -f -N -R 2333:localhost:22 -p22251 user@dyndns-ip | ||
== putty == | == putty == | ||
Revision as of 00:22, 28 February 2018
Server configuration paramenters
- file to edit
/etc/ssh/sshd_config
- Allowed users
AllowUsers username username@ipaddress user@hostname
- Client keep alive
ClientAliveInterval 6000
- subsystems
Subsystem sftp /usr/lib64/misc/sftp-server
- X11 options
X11Forwarding no X11DisplayOffset 10 X11UseLocalhost yes
- Authentication
- disable tunneled clear text passwords
PasswordAuthentication no
PermitEmptyPasswords no RSAAuthentication yes PubkeyAuthentication yes AuthorizedKeysFile .ssh/authorized_keys
- use host keys in /etc/ssh/ssh_known_hosts
RhostsRSAAuthentication no
- similar for protocol version 2
HostbasedAuthentication no
Client configuration paramenters
System wide
/etc/ssh/ssh_config
- Timeout (keep alive)
ServerAliveInterval 50
- Host *
- ForwardAgent no
- ForwardX11 no
- RhostsRSAAuthentication no
- RSAAuthentication yes
- PasswordAuthentication yes
- HostbasedAuthentication no
- GSSAPIAuthentication no
- GSSAPIDelegateCredentials no
- BatchMode no
- CheckHostIP yes
- AddressFamily any
- ConnectTimeout 0
- StrictHostKeyChecking ask
- IdentityFile ~/.ssh/identity
- IdentityFile ~/.ssh/id_rsa
- IdentityFile ~/.ssh/id_dsa
- Port 22
- Protocol 2,1
- Cipher 3des
- Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
- MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
- EscapeChar ~
- Tunnel no
- TunnelDevice any:any
- PermitLocalCommand no
- VisualHostKey no
- ProxyCommand ssh -q -W %h:%p gateway.example.com
User Side
- config file ~/.ssh/config.
- matches wildcard domain
Host *.porcelinux.com
- match any host in the 192.168.0.[0-9] network
Host 192.168.0.?
- matches any 10.0.0.0/8
host 10.*
Host foo HostName 192.168.0.1 Port 2200 User username
- specify different key
Host 192.168.1.* IdentityFile KeyFile
Tunnel
- Col comando qui sotto è possibile creare un tunnel dal server (dietro il firewall) al client attraverso cui far passare in senso contrario la connessione al servizio che ci occorre, in questo caso 'telnet'.
Sul server lanciare il comando per creare il tunnel fino al nostro client:
$ ssh -f -N -R 2333:localhost:23 guest@80.100.100.100
- 2333 porta usata sul client
- 23 porta del servizio sul server (telnet)
- guest è un utente presente sul client
- 80.100.100.100 indirizzo IP (su internet) del client
- Il server si collega con il client usando ssh e gli dice di redirigere le richieste alla porta 2333 sul client alla porta 23 del server.
- Se va tutto bene verrà chiesta la password per accedere sul client come utente guest (a meno che ci sia autenticazione con chiave criptata).
- Ora sul client è possibile collegarsi via telnet al server:
$telnet localhost 2333
(ssh -f -N -R 2333:localhost:22 user@dyndns-ip)
ssh -f -N -R 2333:localhost:22 -p22251 user@dyndns-ip
putty
- ssh client for Windows
putty -D 8080 -P 443 -ssh homeIP