2,306
edits
Changes
Jump to navigation
Jump to search
mLine 1:
Line 1: − + Line 6:
Line 6: − + − + − + − + − + Line 31:
Line 31: − + − ssh -N -L localport:remotehost:remoteport remoteuser@remotehost+ − ssh ip_maq_intermedia -L puerto_local_kali:ip_destino_real:puerto_remoto+ + + Line 40:
Line 42: − + − + − + − + Line 51:
Line 53: − + − + + + − + + − + + + + Line 74:
Line 82: − + − + − + − IdentityFile ~/.ssh/Trinity.pub+ − User rafa+ − port 10535+ − + − + − + − IdentityFile ~/.ssh/Trinity.pub+ − User rafa+ − port 10536</nowiki>+ − IdentityFile ~/.ssh/DNC-FKY.pem+ − + − + − ServerAliveInterval 30+ − ServerAliveCountMax 2+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + − Host mi6.rra.lan+ − IdentityFile ~/.ssh/rra_fake.pem+ − User rra − − Host leaks.rra.lan − IdentityFile ~/.ssh/rt_rsa − User xe50582 − − Host news.menupayapp.com − IdentityFile ~/.ssh/rra_id.pem − User ubuntu − − Host 20.1.40.109 − IdentityFile ~/.ssh/rt_rsa − User rra − − Host gitrra.dyndns.org − IdentityFile ~/.ssh/DNC-FKY.pem − User ubuntu − − Host mapper1 − IdentityFile ~/.ssh/id_rsa − HostName WF00MPA1.igrupobbva − User pi − − Host mapper2 − IdentityFile ~/.ssh/id_rsa − HostName WF00MPA2.igrupobbva − User pi − − − − # LEAVE THIS ONES AT THE BOTTOM (WILDCHARS) First match will be used − Host 20.1.40.* − IdentityFile ~/.ssh/rt_rsa − User xe50582 − − Host *.rra.lan − IdentityFile ~/.ssh/rt_rsa − User xe50582 − − − Host 10.255.0.* − IdentityFile ~/.ssh/rt_rsa − User xe50582</nowiki> − − − <source lang="bash">#!/usr/bin/env bash Line 153:
Line 161: − + − + − + − + − + − + − Host *+ − ServerAliveInterval 60+ − ServerAliveCountMax 2</nowiki>+ − + Line 183:
Line 191: − + Line 219:
Line 227: − + Line 225:
Line 233: − + − + − + − + − IdentityFile ~/.ssh/DNC-FKY.pem+ − User ubuntu+ − + − ServerAliveInterval 30+ − ServerAliveCountMax 2+ − + − + − IdentityFile ~/.ssh/rt_rsa+ − User xe50582+ − + − + − IdentityFile ~/.ssh/rt_rsa+ − User xe50582+ − + − + − IdentityFile ~/.ssh/rra_id.pem+ − User ubuntu+ − + − + − IdentityFile ~/.ssh/rt_rsa+ − User rra+ − + − + − IdentityFile ~/.ssh/rt_rsa+ − User xe50582+ − + − + − + − User rra+ − + − + − + − IdentityFile ~/.ssh/rra_springfield.pem+ − User ubuntu+ − + − + − IdentityFile ~/.ssh/DNC.pem+ − User ubuntu+ − + − + − User rra+ − + − + − User root+ − + − + − + − # IdentityFile ~/.ssh/rt_rsa+ − User xe50582+ − + − + − + − IdentityFile ~/.ssh/rra_fake.pem+ − user rra+ − + − + − IdentityFile ~/.ssh/DNC-FKY.pem+ − User ubuntu+ − + − + − IdentityFile ~/.ssh/whispers.pem+ − User ubuntu+ − + − + − IdentityFile /media/rafa/secrets/.ssh/rra_springfield+ − User ubuntu+ − + − + − IdentityFile ~/.ssh/Trinity.pub+ − User rafa+ − Port 10535+ − + − + − IdentityFile ~/.ssh/Trinity.pub+ − User rafa+ − Port 10536+ − + − + − User root+ − PreferredAuthentications password+ − PubkeyAuthentication no+ − + − + − + − + − + − + − User ubuntu+ − IdentityFile ~/.ssh/Trinity+ − + − + − User pi+ − IdentityFile ~/.ssh/Trinity+ − + − + − User rra+ − + − + − User xe50582+ − + − + − User ubuntu+ − IdentityFile ~/.ssh/felixInteractions.pem+ − + − + − IdentityFile ~/.ssh/bitbucket</nowiki>+
→ssh tunneling
SSH stands for Secure Shell. Establishes a secure communication between 2 computers.<br />
SSH stands for Secure Shell. Establishes a secure communication between 2 computers.<br />
== Create a key pair ==
==Create a key pair==
To create a key pair for the ssh:
To create a key pair for the ssh:
ssh-keygen -t rsa -C "your_email@example.com"
ssh-keygen -t rsa -C "your_email@example.com"
ssh-keygen -e -f id_rsa.pub > yourfilename.pub
ssh-keygen -e -f id_rsa.pub > yourfilename.pub
-i is the inverse of the -e switch
-i is the inverse of the -e switch
=== Change SSH key Password ===
===Change SSH key Password===
ssh-keygen -f id_rsa -p
ssh-keygen -f id_rsa -p
== Add the key to the ssh-agent ==
==Add the key to the ssh-agent==
eval "$(ssh-agent -s)"
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_rsa
ssh-add ~/.ssh/id_rsa
== View key information ==
==View key information==
ssh-keygen -l -f id_rsa.pub
ssh-keygen -l -f id_rsa.pub
Returns something like: 2048 3f:4b:dd:ce:2b:cd:dc:99:13:ff:38:4a:24:95:d4:e9 rafahsolis@gmail.com (RSA)
Returns something like: 2048 3f:4b:dd:ce:2b:cd:dc:99:13:ff:38:4a:24:95:d4:e9 rafahsolis@gmail.com (RSA)
== Copy key to server ==
==Copy key to server==
ssh-copy-id -i path/to/key_name.pub user_name@host_name
ssh-copy-id -i path/to/key_name.pub user_name@host_name
If .pub is already uploaded to the server:
If .pub is already uploaded to the server:
cat filename.pub >> $HOME/.ssh/authorized_keys
cat filename.pub >> $HOME/.ssh/authorized_keys
== If home directory is encrypted ==
==If home directory is encrypted==
$ /sbin/umount.ecryptfs_private
$ /sbin/umount.ecryptfs_private
$ cd $HOME
$ cd $HOME
AuthorizedKeysFile /etc/ssh/%u/authorized_keys
AuthorizedKeysFile /etc/ssh/%u/authorized_keys
== ssh tunneling ==
==ssh tunneling==
This is used for example to connect to a database on a server that has the database port closed but ssh port open.<br />
This is used for example to connect to a database on a server that has the database port closed but ssh port open.<br />
<source lang="bash">ssh -N -L localport:remotehost:remoteport remoteuser@remotehost
ssh ip_maq_intermedia -L puerto_local_kali:ip_destino_real:puerto_remoto
ssh news.menupayapp.com -NL 5432:fsim-dbpg.c9hdfwhhklwy.eu-central-1.rds.amazonaws.com:5432</source>
Example:
Example:
ssh -i .ssh/MySshKey.pem -N -L 8888:localhost:3306 ubuntu@myserver.com
ssh -i .ssh/MySshKey.pem -N -L 8888:localhost:3306 ubuntu@myserver.com
the database on myserver.com using your local port 8888.<br />
the database on myserver.com using your local port 8888.<br />
(*) -N tells ssh that you won't execute any commands on the ssh shell.<br />
(*) -N tells ssh that you won't execute any commands on the ssh shell.<br />
=== Check/close open tunnels ===
===Check/close open tunnels===
<nowiki>
<nowiki>
netstat -n --protocol inet | grep ':22'
netstat -n --protocol inet | grep ':22'
sudo lsof -i -n | egrep '\<ssh\>'
sudo lsof -i -n | egrep '\<ssh\>'
sudo lsof -i -n | egrep '\<sshd\>'</nowiki>
sudo lsof -i -n | egrep '\<sshd\>'</nowiki>
'''To close open tunnels'''<br />
'''To close open tunnels'''<br />
'''To see what it will kill'''
'''To see what it will kill'''
ps aux | grep my_ssh_key.pem
ps aux | grep my_ssh_key.pem
=== Examples ===
===Examples===
* Access to a remote MySQL binded to 127.0.0.1 (it woudn't be accesible from outside)
*Access to a remote MySQL binded to 127.0.0.1 (it woudn't be accesible from outside)
Runing this command on your box:
Runing this command on your box:
ssh -N -L 3666:localhost:3306 user@some.remotehost.com
ssh -N -L 3666:localhost:3306 user@some.remotehost.com
Makes the MySQL Server accesible at your local machine at port 3666
Makes the MySQL Server accesible at your local machine at port 3666
== Configuration ==
==Configuration==
Edit the following files to configure ssh<br />
Edit the following files to configure ssh<br />
(Message of the Day)
(Message of the Day)
*/etc/motd (old)
*/etc/motd (old)
* /etc/update-motd.d/* (new)
*/etc/update-motd.d/* (new)
echo -e "\e[31m\\u2588\u2588\u2588\u2588\u2588\u2588\u2588\e[33m\\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\e[31m\\u2588\u2588\u2588\u2588\u2588\u2588\u2588\e[37m" > /etc/update-motd.d/flag
echo -e "\e[31m\\u2588\u2588\u2588\u2588\u2588\u2588\u2588\e[33m\\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\e[31m\\u2588\u2588\u2588\u2588\u2588\u2588\u2588\e[37m" > /etc/update-motd.d/flag
echo "cat /etc/update-motd.d/flag" >> /etc/update-motd.d/00-header
echo "cat /etc/update-motd.d/flag" >> /etc/update-motd.d/00-header
Other settings:
Other settings:
*/etc/ssh/sshd_config
*/etc/ssh/sshd_config
Recomended: Disable password login:
Recomended: Disable password login:
ChallengeResponseAuthentication no
ChallengeResponseAuthentication no
sudo service ssh restart
sudo service ssh restart
== Videos ==
==Videos==
[https://www.dropbox.com/s/uxng22kpge7luxf/SSH%20Tutorial%20-%20Basic%20server%20administration%20with%20SSH-DbPDraCYju8.mp4?dl=0 SSH Tutorial Basic server administration with SSH (mp4)]<br />
[https://www.dropbox.com/s/uxng22kpge7luxf/SSH%20Tutorial%20-%20Basic%20server%20administration%20with%20SSH-DbPDraCYju8.mp4?dl=0 SSH Tutorial Basic server administration with SSH (mp4)]<br />
[https://www.dropbox.com/s/hzvkdcdw11t1cxk/SSH%20SCP%20and%20key%20pairs%20tutorial%20%28Secure%20authentication%20and%20encrypted%20comunication%29-oHoRYCY-LYU.mp4?dl=0 SSH SCP and key pairs tutorial Secure authentication and encrypted comunication (mp4)]
[https://www.dropbox.com/s/hzvkdcdw11t1cxk/SSH%20SCP%20and%20key%20pairs%20tutorial%20%28Secure%20authentication%20and%20encrypted%20comunication%29-oHoRYCY-LYU.mp4?dl=0 SSH SCP and key pairs tutorial Secure authentication and encrypted comunication (mp4)]
== Config files ==
==Config files==
sudo nano /etc/ssh/sshd_config (ssh daemon config)<br />
sudo nano /etc/ssh/sshd_config (ssh daemon config)<br />
=== $HOME/.ssh/config ===
===$HOME/.ssh/config===
<nowiki>Host morpheus
<nowiki>Host morpheus
IdentityFile ~/.ssh/Trinity.pub
User rafa
port 10535
=== $WORK/.ssh/config ===
=== $WORK/.ssh/config ===
Host flirt
Host flirt
IdentityFile ~/.ssh/Trinity.pub
User rafa
port 10536</nowiki>
(connections config)
(connections config)
<nowiki>Host fpsim-frontend
<nowiki>Host fpsim-frontend
IdentityFile ~/.ssh/DNC-FKY.pem
Host *
Host *
ServerAliveInterval 30
ServerAliveCountMax 2
Host mi6.rra.lan
IdentityFile ~/.ssh/rra_fake.pem
User rra
Host leaks.rra.lan
IdentityFile ~/.ssh/rt_rsa
User xe50582
Host news.menupayapp.com
IdentityFile ~/.ssh/rra_id.pem
User ubuntu
Host 20.1.40.109
IdentityFile ~/.ssh/rt_rsa
User rra
Host gitrra.dyndns.org
IdentityFile ~/.ssh/DNC-FKY.pem
User ubuntu
Host mapper1
IdentityFile ~/.ssh/id_rsa
HostName WF00MPA1.igrupobbva
User pi
Host mapper2
IdentityFile ~/.ssh/id_rsa
HostName WF00MPA2.igrupobbva
User pi
# LEAVE THIS ONES AT THE BOTTOM (WILDCHARS) First match will be used
Host 20.1.40.*
IdentityFile ~/.ssh/rt_rsa
User xe50582
Host *.rra.lan
IdentityFile ~/.ssh/rt_rsa
User xe50582
Host 10.255.0.*
IdentityFile ~/.ssh/rt_rsa
User xe50582</nowiki>
==LDAP ldapkeyfile==
<source lang="bash">#!/usr/bin/env bash
== LDAP ldapkeyfile ==
ldapsearch -h rtLDAP01.igrupobbva -b dc=rtLDAP01,dc=igrupobbva -x '(&(objectClass=posixAccount)(uid='"$1"'))' 'sshPublicKey' | sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp'
ldapsearch -h rtLDAP01.igrupobbva -b dc=rtLDAP01,dc=igrupobbva -x '(&(objectClass=posixAccount)(uid='"$1"'))' 'sshPublicKey' | sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp'
#-b ou=users,dc=rtLDAP01,dc=igrupobbva</source>
#-b ou=users,dc=rtLDAP01,dc=igrupobbva</source>
== sshd_config LDAP ldapsearch ==
==sshd_config LDAP ldapsearch==
AuthorizedKeysCommand /bin/ldapkeyfile
AuthorizedKeysCommand /bin/ldapkeyfile
AuthorizedKeysCommandUser nobody
AuthorizedKeysCommandUser nobody
== Welcome message ==
==Welcome message==
Two files must be edited:<br />
Two files must be edited:<br />
/etc/motd (message of the day)<br />
/etc/motd (message of the day)<br />
/etc/ssh/sshd_config: Change the setting PrintLastLog to "no", this will disable the "Last login" message.
/etc/ssh/sshd_config: Change the setting PrintLastLog to "no", this will disable the "Last login" message.
== Convert rsa to ppk ==
==Convert rsa to ppk==
puttygen keyname -o keyname.ppk
puttygen keyname -o keyname.ppk
== Avoid broken pipe ==
==Avoid broken pipe==
2 options:<br />
2 options:<br />
=== ClientAliveInterval, SeverAliveInterval ===
===ClientAliveInterval, SeverAliveInterval===
==== Client side ====
====Client side====
Use ClientAliveInterval if you have a jump machine<br />
Use ClientAliveInterval if you have a jump machine<br />
create file: /home/user/.ssh/config with the following content: (client side) chmod 600
create file: /home/user/.ssh/config with the following content: (client side) chmod 600
<nowiki>
<nowiki>
Host *
ServerAliveInterval 60
ServerAliveCountMax 2</nowiki>
For each user, or ading to /etc/ssh/ssh_config
For each user, or ading to /etc/ssh/ssh_config
ServerAliveInterval 60
ServerAliveInterval 60
ClientAliveCountMax 2
ClientAliveCountMax 2
==== Server side ====
====Server side====
echo "ClientAliveInterval 60" | sudo tee -a /etc/ssh/sshd_config
echo "ClientAliveInterval 60" | sudo tee -a /etc/ssh/sshd_config
2:
2:
<nowiki>
<nowiki>
echo 60 > /proc/sys/net/ipv4/tcp_keepalive_time</nowiki>
echo 60 > /proc/sys/net/ipv4/tcp_keepalive_time</nowiki>
Shell script to reconnect on broken pipe:
Shell script to reconnect on broken pipe:
</source>
</source>
== known_hosts ==
==known_hosts==
===Remove offending key===
===Remove offending key===
If when trying to connect to a host you get the message:
If when trying to connect to a host you get the message:
and you trust the host (this can happen when you change CNAME file of your DNS to point to a different server
and you trust the host (this can happen when you change CNAME file of your DNS to point to a different server
ssh-keygen -f "/home/user/.ssh/known_hosts" -R server_dns_or_ip
ssh-keygen -f "/home/user/.ssh/known_hosts" -R server_dns_or_ip
== Enable ssh at boot ==
==Enable ssh at boot==
# update-rc.d -f ssh enable 2 3 4 5
# update-rc.d -f ssh enable 2 3 4 5
systemctl enable ssh
systemctl enable ssh
== Force password authentication ==
==Force password authentication==
ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no example.com
ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no example.com
== SSH Config ==
==SSH Config==
Path ~/.ssh/config
Path ~/.ssh/config
=== Work ===
===Work===
<nowiki>Host fpsim-frontend
<nowiki>Host fpsim-frontend
IdentityFile ~/.ssh/DNC-FKY.pem
User ubuntu
Host *
Host *
ServerAliveInterval 30
ServerAliveCountMax 2
Host 10.255.0.*
Host 10.255.0.*
IdentityFile ~/.ssh/rt_rsa
User xe50582
Host leaks.rra.lan
Host leaks.rra.lan
IdentityFile ~/.ssh/rt_rsa
User xe50582
Host news.menupayapp.com
Host news.menupayapp.com
IdentityFile ~/.ssh/rra_id.pem
User ubuntu
Host 20.1.40.109
Host 20.1.40.109
IdentityFile ~/.ssh/rt_rsa
User rra
Host 20.1.40.*
Host 20.1.40.*
IdentityFile ~/.ssh/rt_rsa
User xe50582
Host pdgrt.rra.lan
Host pdgrt.rra.lan
User rra
host geoip.dyndns.org
host geoip.dyndns.org
IdentityFile ~/.ssh/rra_springfield.pem
User ubuntu
host rrafara.dyndns.org
host rrafara.dyndns.org
IdentityFile ~/.ssh/DNC.pem
User ubuntu
host deathnote.rra.lan
host deathnote.rra.lan
User rra
host savvius.rra.lan
host savvius.rra.lan
User root
Host *.rra.lan
Host *.rra.lan
# IdentityFile ~/.ssh/rt_rsa
User xe50582
Host 10.255.0.32
Host 10.255.0.32
IdentityFile ~/.ssh/rra_fake.pem
user rra
Host aws-gitlab
Host aws-gitlab
IdentityFile ~/.ssh/DNC-FKY.pem
User ubuntu
</nowiki>
</nowiki>
=== Trinity ===
===Trinity===
<nowiki>Host *.herrerosolis.com
<nowiki>Host *.herrerosolis.com
IdentityFile ~/.ssh/whispers.pem
User ubuntu
Host geoip.dyndns.org
Host geoip.dyndns.org
IdentityFile /media/rafa/secrets/.ssh/rra_springfield
User ubuntu
Host morpheus
Host morpheus
IdentityFile ~/.ssh/Trinity.pub
User rafa
Port 10535
Host flirt
Host flirt
IdentityFile ~/.ssh/Trinity.pub
User rafa
Port 10536
Host kodi
Host kodi
User root
PreferredAuthentications password
PubkeyAuthentication no
#Host bitbucket.org
#Host bitbucket.org
# IdentityFile ~/.ssh/cpc_bitbucket
# IdentityFile ~/.ssh/cpc_bitbucket
Host peibol.duckdns.org
Host peibol.duckdns.org
User ubuntu
IdentityFile ~/.ssh/Trinity
Host lightning01
Host lightning01
User pi
IdentityFile ~/.ssh/Trinity
Host scripting-ssii.rra.lan
Host scripting-ssii.rra.lan
User rra
Host *.rra.lan
Host *.rra.lan
User xe50582
Host felixnomada.duckdns.org
Host felixnomada.duckdns.org
User ubuntu
IdentityFile ~/.ssh/felixInteractions.pem
Host bitbucket.org
Host bitbucket.org
IdentityFile ~/.ssh/bitbucket</nowiki>