Difference between revisions of "SSH"
From Alessandro's Wiki
Porcelinux (talk | contribs) |
Porcelinux (talk | contribs) (→Tunnel) |
||
Line 109: | Line 109: | ||
(ssh -f -N -R 2333:localhost:22 user@dyndns-ip) | (ssh -f -N -R 2333:localhost:22 user@dyndns-ip) | ||
ssh -f -N -R 2333:localhost:22 -p22251 user@dyndns-ip | ssh -f -N -R 2333:localhost:22 -p22251 user@dyndns-ip | ||
== X11 forwarding == | |||
* dependencies | |||
dnf install xorg-x11-xauth | |||
... | |||
apt install xorg-x11-xauth | |||
* forwarding X11 from client to local machine | |||
ssh -X user@host | |||
* insecure | |||
ssh -X -Y ... | |||
== putty == | == putty == |
Revision as of 15:54, 25 January 2022
Server configuration paramenters
- file to edit
/etc/ssh/sshd_config
- Allowed users
AllowUsers username username@ipaddress user@hostname
- Client keep alive
ClientAliveInterval 6000
- subsystems
Subsystem sftp /usr/lib64/misc/sftp-server
- X11 options
X11Forwarding no X11DisplayOffset 10 X11UseLocalhost yes
- Authentication
- disable tunneled clear text passwords
PasswordAuthentication no
PermitEmptyPasswords no RSAAuthentication yes PubkeyAuthentication yes AuthorizedKeysFile .ssh/authorized_keys
- use host keys in /etc/ssh/ssh_known_hosts
RhostsRSAAuthentication no
- similar for protocol version 2
HostbasedAuthentication no
Client configuration paramenters
System wide
don't just put all of them in your config file, the list is just informational
/etc/ssh/ssh_config
- Timeout (keep alive)
ServerAliveInterval 50
- Host *
- ForwardAgent no
- ForwardX11 no
- RhostsRSAAuthentication no
- RSAAuthentication yes
- PasswordAuthentication yes
- HostbasedAuthentication no
- GSSAPIAuthentication no
- GSSAPIDelegateCredentials no
- BatchMode no
- CheckHostIP yes
- AddressFamily any
- ConnectTimeout 0
- StrictHostKeyChecking ask
- IdentityFile ~/.ssh/identity
- IdentityFile ~/.ssh/id_rsa
- IdentityFile ~/.ssh/id_dsa
- Port 22
- Protocol 2,1
- Cipher 3des
- Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
- MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
- EscapeChar ~
- Tunnel no
- TunnelDevice any:any
- PermitLocalCommand no
- VisualHostKey no
- ProxyCommand ssh -q -W %h:%p gateway.example.com
User Side
- config file ~/.ssh/config.
- matches wildcard domain
Host *.porcelinux.com
- match any host in the 192.168.0.[0-9] network
Host 192.168.0.?
- matches any 10.0.0.0/8
host 10.*
Host foo HostName 192.168.0.1 Port 2200 User username
- specify different key
Host 192.168.1.* IdentityFile KeyFile
- fix the
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
if you know what you're doing, the following command will remove the old known_host keys from the .ssh/known_hosts file
ssh-keygen -f "/home/username/.ssh/known_hosts" -R "computername"
Tunnel
- Col comando qui sotto è possibile creare un tunnel dal server (dietro il firewall) al client attraverso cui far passare in senso contrario la connessione al servizio che ci occorre, in questo caso 'telnet'.
Sul server lanciare il comando per creare il tunnel fino al nostro client:
$ ssh -f -N -R 2333:localhost:23 guest@80.100.100.100
- 2333 porta usata sul client
- 23 porta del servizio sul server (telnet)
- guest è un utente presente sul client
- 80.100.100.100 indirizzo IP (su internet) del client
- Il server si collega con il client usando ssh e gli dice di redirigere le richieste alla porta 2333 sul client alla porta 23 del server.
- Se va tutto bene verrà chiesta la password per accedere sul client come utente guest (a meno che ci sia autenticazione con chiave criptata).
- Ora sul client è possibile collegarsi via telnet al server:
$telnet localhost 2333
(ssh -f -N -R 2333:localhost:22 user@dyndns-ip)
ssh -f -N -R 2333:localhost:22 -p22251 user@dyndns-ip
X11 forwarding
- dependencies
dnf install xorg-x11-xauth ... apt install xorg-x11-xauth
- forwarding X11 from client to local machine
ssh -X user@host
- insecure
ssh -X -Y ...
putty
- ssh client for Windows
putty -D 8080 -P 443 -ssh homeIP