Difference between revisions of "Linux: SSH"

From RHS Wiki
Jump to navigation Jump to search
Tag: visualeditor
Line 239: Line 239:
 
==Force password authentication==
 
==Force password authentication==
 
  ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no example.com
 
  ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no example.com
 +
==Open ssh SOCKS5 Proxy Server (Dynamic port redirection)==
 +
ssh -ND 1111 ubuntu@ec2-52-57-220-220.eu-central-1.compute.amazonaws.com -i ~/.ssh/DNC-FKY.pem
 +
ssh -D 10.28.0.81:1111 rafa@10.28.0.81
 +
 
==SSH Config==
 
==SSH Config==
 
Path ~/.ssh/config
 
Path ~/.ssh/config

Revision as of 10:08, 29 March 2019

SSH stands for Secure Shell. Establishes a secure communication between 2 computers.

Create a key pair

To create a key pair for the ssh: 

ssh-keygen -t rsa -C "your_email@example.com"

To convert the key pair to PEM format: 

ssh-keygen -e -f id_rsa.pub > yourfilename.pub

-i is the inverse of the -e switch

Change SSH key Password

ssh-keygen -f id_rsa -p

Add the key to the ssh-agent

eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_rsa

View key information

ssh-keygen -l -f id_rsa.pub

Returns something like: 2048 3f:4b:dd:ce:2b:cd:dc:99:13:ff:38:4a:24:95:d4:e9 rafahsolis@gmail.com (RSA)

Copy key to server

ssh-copy-id -i path/to/key_name.pub user_name@host_name

If .pub is already uploaded to the server: 

cat filename.pub >> $HOME/.ssh/authorized_keys

If home directory is encrypted

$ /sbin/umount.ecryptfs_private
$ cd $HOME
$ chmod 700 .
$ mkdir -m 700 .ssh
$ chmod 500 .
$ echo $YOUR_REAL_PUBLIC_KEY > .ssh/authorized_keys
$ /sbin/mount.ecryptfs_private

or change in /etc/ssh/sshd_config the line: 

AuthorizedKeysFile /etc/ssh/%u/authorized_keys

ssh tunneling

This is used for example to connect to a database on a server that has the database port closed but ssh port open.

ssh -N -L localport:remotehost:remoteport remoteuser@remotehost
ssh ip_maq_intermedia -L puerto_local_kali:ip_destino_real:puerto_remoto
ssh www.intermediate.com -NL 5432:fesfe-dbpg.c9hdfwhhklwy.eu-central-1.rds.amazonaws.com:5432

Example: 

ssh -i .ssh/MySshKey.pem -N -L 8888:localhost:3306 ubuntu@myserver.com

This will tunnel local port 8888 to the remote port 3306 (MySQL port) So you would be able to connect to
the database on myserver.com using your local port 8888.
(*) -N tells ssh that you won't execute any commands on the ssh shell.

Check/close open tunnels

  netstat -n --protocol inet | grep ':22'
  sudo lsof -i -n | egrep '\<ssh\>'
  sudo lsof -i -n | egrep '\<sshd\>'

To close open tunnels
kill using the pattern: 

kill pkill -f my_ssh_key.pem

To see what it will kill 

ps aux | grep my_ssh_key.pem

Examples

  • Access to a remote MySQL binded to 127.0.0.1 (it woudn't be accesible from outside)

Runing this command on your box: 

ssh -N -L 3666:localhost:3306 user@some.remotehost.com

Makes the MySQL Server accesible at your local machine at port 3666

Configuration

Edit the following files to configure ssh
(Message of the Day)

  • /etc/motd (old)
  • /etc/update-motd.d/* (new)
echo -e "\e[31m\\u2588\u2588\u2588\u2588\u2588\u2588\u2588\e[33m\\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\e[31m\\u2588\u2588\u2588\u2588\u2588\u2588\u2588\e[37m" > /etc/update-motd.d/flag
echo "cat /etc/update-motd.d/flag" >> /etc/update-motd.d/00-header

Other settings:

  • /etc/ssh/sshd_config

Recomended: Disable password login: 

ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no 

sudo service ssh restart

Videos

SSH Tutorial Basic server administration with SSH (mp4)
SSH SCP and key pairs tutorial Secure authentication and encrypted comunication (mp4)

Config files

sudo nano /etc/ssh/sshd_config (ssh daemon config)

$HOME/.ssh/config

Host morpheus
      IdentityFile ~/.ssh/Trinity.pub
      User rafa
      port 10535
  
  === $WORK/.ssh/config ===
  Host flirt
      IdentityFile ~/.ssh/Trinity.pub
      User rafa
      port 10536

(connections config) 

Host fpsim-frontend
      IdentityFile ~/.ssh/DNC-FKY.pem
  
  Host *
      ServerAliveInterval 30
      ServerAliveCountMax 2
  
  Host mi6.rra.lan
      IdentityFile ~/.ssh/rra_fake.pem
      User rra
  
  Host leaks.rra.lan
      IdentityFile ~/.ssh/rt_rsa
      User xe50582
  
  Host news.menupayapp.com
      IdentityFile ~/.ssh/rra_id.pem
      User ubuntu
  
  Host 20.1.40.109
      IdentityFile ~/.ssh/rt_rsa
      User rra
  
  Host gitrra.dyndns.org
      IdentityFile ~/.ssh/DNC-FKY.pem
      User ubuntu
  
  Host mapper1
      IdentityFile ~/.ssh/id_rsa
      HostName WF00MPA1.igrupobbva
      User pi
  
  Host mapper2
      IdentityFile ~/.ssh/id_rsa
      HostName WF00MPA2.igrupobbva
      User pi
  
  
  
  # LEAVE THIS ONES AT THE BOTTOM (WILDCHARS) First match will be used 
  Host 20.1.40.*
      IdentityFile ~/.ssh/rt_rsa
      User xe50582
  
  Host *.rra.lan
      IdentityFile ~/.ssh/rt_rsa
      User xe50582
  
  
  Host 10.255.0.*
      IdentityFile ~/.ssh/rt_rsa
      User xe50582

LDAP ldapkeyfile

#!/usr/bin/env bash
ldapsearch -h rtLDAP01.igrupobbva -b dc=rtLDAP01,dc=igrupobbva -x '(&(objectClass=posixAccount)(uid='"$1"'))' 'sshPublicKey' | sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp'

#sudo ldapsearch -x '(objectClass=*)' -h 192.168.56.103
#-b ou=users,dc=rtLDAP01,dc=igrupobbva

sshd_config LDAP ldapsearch

AuthorizedKeysCommand /bin/ldapkeyfile
AuthorizedKeysCommandUser nobody

Welcome message

Two files must be edited:
/etc/motd (message of the day)
/etc/ssh/sshd_config: Change the setting PrintLastLog to "no", this will disable the "Last login" message.

Convert rsa to ppk

puttygen keyname -o keyname.ppk

Avoid broken pipe

2 options:

ClientAliveInterval, SeverAliveInterval

Client side

Use ClientAliveInterval if you have a jump machine
create file: /home/user/.ssh/config with the following content: (client side) chmod 600 

   Host *
       ServerAliveInterval 60
       ServerAliveCountMax 2

For each user, or ading to /etc/ssh/ssh_config 

ServerAliveInterval 60
ClientAliveCountMax 2

Server side

echo "ClientAliveInterval 60" | sudo tee -a /etc/ssh/sshd_config


2: 

  echo 60 > /proc/sys/net/ipv4/tcp_keepalive_time

Shell script to reconnect on broken pipe: 

#!/bin/sh

#This is an SSH-D proxy with auto-reconnect on disconnect

#Created by Liang Sun on 28, Sep, 2011
#Email: i@liangsun.org

i=0
while test 1==1
do
    remote_ip=YOUR_REMOTE_IP
    remote_user=YOUR_REMOTE_USER
    local_port=YOUR_LOCAL_PORT

    exist=`ps aux | grep $remote_user@$remote_ip | grep $local_port`
    #echo $exist
    if test -n "$exist"
    then
        if test $i -eq 0
        then
            echo "I'm alive since $(date)"
        fi
        i=1
    else
        i=0
        echo "I died... God is bringing me back..."
        ssh $remote_user@$remote_ip -f -N -D 0.0.0.0:$local_port
    fi
    sleep 1
done

known_hosts

Remove offending key

If when trying to connect to a host you get the message: 

Offending ECDSA key in /home/user/.ssh/known_hosts:#:

and you trust the host (this can happen when you change CNAME file of your DNS to point to a different server 

ssh-keygen -f "/home/user/.ssh/known_hosts" -R server_dns_or_ip

Enable ssh at boot

# update-rc.d -f ssh enable 2 3 4 5
systemctl enable ssh

Force password authentication

ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no example.com

Open ssh SOCKS5 Proxy Server (Dynamic port redirection)

ssh -ND 1111 ubuntu@ec2-52-57-220-220.eu-central-1.compute.amazonaws.com -i ~/.ssh/DNC-FKY.pem
ssh -D 10.28.0.81:1111 rafa@10.28.0.81

SSH Config

Path ~/.ssh/config

Work

Host fpsim-frontend
      IdentityFile ~/.ssh/DNC-FKY.pem
      User ubuntu
  Host *
      ServerAliveInterval 30
      ServerAliveCountMax 2
  
  Host 10.255.0.*
      IdentityFile ~/.ssh/rt_rsa
      User xe50582
  
  Host leaks.rra.lan
      IdentityFile ~/.ssh/rt_rsa
      User xe50582
  
  Host news.menupayapp.com
      IdentityFile ~/.ssh/rra_id.pem
      User ubuntu
  
  Host 20.1.40.109
      IdentityFile ~/.ssh/rt_rsa
      User rra
  
  Host 20.1.40.*
      IdentityFile ~/.ssh/rt_rsa
      User xe50582
  
  
  Host pdgrt.rra.lan
      User rra
  
  
  host geoip.dyndns.org
      IdentityFile ~/.ssh/rra_springfield.pem
      User ubuntu
  
  host rrafara.dyndns.org
      IdentityFile ~/.ssh/DNC.pem
      User ubuntu
  
  host deathnote.rra.lan
      User rra
  
  host savvius.rra.lan
      User root
  
  
  Host *.rra.lan
      # IdentityFile ~/.ssh/rt_rsa
      User xe50582
  
  
  Host 10.255.0.32
      IdentityFile ~/.ssh/rra_fake.pem
      user rra
  
  Host aws-gitlab
      IdentityFile ~/.ssh/DNC-FKY.pem
      User ubuntu

Trinity

Host *.herrerosolis.com
      IdentityFile ~/.ssh/whispers.pem
      User ubuntu
  
  Host geoip.dyndns.org
      IdentityFile /media/rafa/secrets/.ssh/rra_springfield
      User ubuntu
  
  Host morpheus
      IdentityFile ~/.ssh/Trinity.pub
      User rafa
      Port 10535
  
  Host flirt
      IdentityFile ~/.ssh/Trinity.pub
      User rafa
      Port 10536
  
  Host kodi
      User root
      PreferredAuthentications password
      PubkeyAuthentication no
  
  
  #Host bitbucket.org
  #   IdentityFile ~/.ssh/cpc_bitbucket
  
  Host peibol.duckdns.org
      User ubuntu
      IdentityFile ~/.ssh/Trinity
  
  Host lightning01
      User pi
      IdentityFile ~/.ssh/Trinity
  
  Host scripting-ssii.rra.lan
      User rra
  
  Host *.rra.lan
      User xe50582
  
  Host felixnomada.duckdns.org
      User ubuntu
      IdentityFile ~/.ssh/felixInteractions.pem
  
  Host bitbucket.org
      IdentityFile ~/.ssh/bitbucket
Retrieved from "https://wiki.herrerosolis.com/index.php?title=Linux:_SSH&oldid=1834"