SSH training
DESCRIPTION
Everything you need to know about SSH
TRANSCRIPT
Introduction  Authentication  Tunnel  Miscellaneous
Secure SHell
Nicolas Ledez
15 September 2008
Nicolas Ledez  Secure SHell
Outline
1 Introduction
2 Authentication
3 Tunnel
4 Miscellaneous
History and features  Symmetric and asymmetric keys/encryption
History
1995, by Tatu Ylönen (Helsinki, Finland)
A replacement for Telnet and the r* commands
Features 1/2
Authentication
Encryption
Integrity
Features 2/2
Remote login
File transfer
Remote command execution
Keys and agents
Port forwarding
VPN
Symmetric key/encryption
Asymmetric key/encryption
Encryption in SSH
Password  Keys  SSH-Agent  Agent forwarding
Password
ssh AhostB
root@AhostB's password:
Keys
ssh -i ~/.ssh/id_dsa_who AhostB
Enter passphrase for key '~/.ssh/id_dsa_who':
AhostB # cat .ssh/authorized_keys
ssh-dss AAAAB3NzaC1kc3MAAACBAKDWEj3QEEvNYADeGTOPXuj[...]kZQlsoVSbNM5ocYUGFE3aWWWw== Un commentaire complet sur le user
AhostB # ls -ld ~/ ~/.ssh/ ~/.ssh/authorized_keys
drwx------ 5 root root   512 Jul 19 16:38 ~/
drwxr-xr-x 2 root root   512 Jul  3 11:45 ~/.ssh/
-rw-r--r-- 1 root other 4202 Jul  3 10:05 ~/.ssh/authorized_keys
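The ls -ld output above is exactly what sshd inspects under StrictModes (on by default) before it trusts a user's authorized_keys. The function below is an added example, not code from the slides: it reproduces that check in portable sh, taking the home directory and expected owner as assumed arguments.

```shell
# Added example (not from the original slides): sshd, with StrictModes on (the
# default), refuses a user's authorized_keys when the home directory, ~/.ssh or
# the file itself is writable by group or others, or owned by someone other than
# the user or root. check_ssh_perms reproduces that check from ls -ld output.

# perm_and_owner PATH -> "<mode string> <owner>", e.g. "drwx------ root"
perm_and_owner() {
    ls -ld "$1" | awk '{ print $1, $3 }'
}

# check_path PATH OWNER -> 0 if PATH exists, is owned by OWNER or root, and is
# not group- or world-writable (characters 6 and 9 of the mode string).
check_path() {
    path=$1
    owner=$2
    [ -e "$path" ] || { echo "missing: $path" >&2; return 1; }
    set -- $(perm_and_owner "$path")
    mode=$1
    actual=$2
    if [ "$actual" != "$owner" ] && [ "$actual" != root ]; then
        echo "bad owner on $path: $actual (expected $owner)" >&2
        return 1
    fi
    case "$(printf '%s' "$mode" | cut -c6,9)" in
        *w*) echo "group/world writable: $path ($mode)" >&2; return 1 ;;
    esac
    return 0
}

# check_ssh_perms HOME_DIR OWNER -> 0 only if all three paths pass.
check_ssh_perms() {
    rc=0
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        check_path "$p" "$2" || rc=1
    done
    return $rc
}
```

Run it as `check_ssh_perms /home/admin admin` on a host where key login silently falls back to a password prompt; each failing path is printed to stderr.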
SSH-Agent 1/2
SSH-Agent 2/2
admin@station:~$ ssh-agent
export SSH_AUTH_SOCK=/tmp/ssh-EFGVug1775/agent.1775;
export SSH_AGENT_PID=1776;
echo Agent pid 1776;
admin@station:~$ ssh-add -l
The agent has no identities.
admin@station:~$ ssh-add ~/.ssh/id_dsa_who
Enter passphrase for ~/.ssh/id_dsa_who:
Identity added: ~/.ssh/id_dsa_who (~/.ssh/id_dsa_who)
admin@station:~$ ssh-add -l
1024 06:b3:0e:fe:bc:97:7e:37:b7:a1:7d:e0:7f:0f:3b:7c ~/.ssh/id_dsa_who (DSA)
Agent forwarding 1/2
Agent forwarding 2/2
AhostB # ssh-add -l
1024 40:33:2e:2a:71:2a:9b:a8:d1:4c:a4:4e:13:a5:b4:b1 /home/admin/.ssh/station/idd (DSA)
1024 06:b3:0e:fe:bc:97:7e:37:b7:a1:7d:e0:7f:0f:3b:7c /home/admin/.ssh/id_dsa_who (DSA)
Local  Remote  Dynamic  X11
Tunnel 1/2
Tunnel 2/2
Local 1/4
Local 2/4
Local 3/4
Local 4/4
ssh -L P:S:W B
$ ssh -L2001:localhost:143 server.example.com
Remote
Dynamic
ssh -D 8080 AhostB
In the browser: SOCKS proxy 127.0.0.1, port 8080
X11
AhostB # env | grep DISPLAY
DISPLAY=localhost:10.0
The following connections are open:
  #1 x11 (t4 r3 i0/0 o0/0 fd 7/7 cfd -1)
Timeout  Authentication  Escape character  Scripting
.config and command line
admin@station:~$ cat ~/.ssh/config
host *
    ForwardX11 yes
    User root
    ConnectTimeout 1
    ForwardAgent yes
    ServerAliveInterval 60
admin@station:~$ ssh -o 'ConnectTimeout=10' AhostB
Timeout
ConnectTimeout
Authentication
ForwardAgent yes
PasswordAuthentication no
StrictHostKeyChecking no
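ForwardAgent yes under host * (as in the config shown earlier) lends your agent to every server you log in to, and StrictHostKeyChecking no silences the warning that a host key has changed, so both deserve a look before a client config is rolled out. The following is an added example, not code from the slides: a sh function that lints an ssh_config file for those settings and reports the Host block each sits in (the file path is its only argument).

```shell
# Added example (not from the original slides): lint a client ssh_config for the
# settings shown on the config and authentication slides that deserve review:
# ForwardAgent yes, ForwardX11 yes and StrictHostKeyChecking no. Each hit is
# reported with the Host block it belongs to; a hit under "Host *" applies to
# every connection. Returns 0 when nothing is flagged, 1 otherwise.
lint_ssh_config() {
    awk '
        BEGIN { host = "(global)"; hits = 0 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
        { gsub(/=/, " ") }                          # accept "Key=value" as "Key value"
        { key = tolower($1); val = tolower($2) }
        key == "host" { host = $2; for (i = 3; i <= NF; i++) host = host " " $i; next }
        (key == "forwardagent" && val == "yes") ||
        (key == "forwardx11" && val == "yes") ||
        (key == "stricthostkeychecking" && val == "no") {
            printf "Host %s: %s %s%s\n", host, $1, $2,
                   (host == "*" ? " (applies to every host)" : "")
            hits++
        }
        END { exit (hits > 0) }
    ' "$1"
}
```

Typical use is `lint_ssh_config ~/.ssh/config` in a pre-commit hook or a workstation baseline check.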
Escape character
Alt-Gr-~
AhostB # ~?
Supported escape sequences:
~.  - terminate connection
~B  - send a BREAK to the remote system
~C  - open a command line
~R  - Request rekey (SSH protocol 2 only)
~^Z - suspend ssh
~#  - list forwarded connections
~&  - background ssh (when waiting for connections to terminate)
~?  - this message
~~  - send the escape character by typing it twice
(Note that escapes are only recognized immediately after newline.)
Scripting 1/4
# Quoted delimiter: the body is sent verbatim and ${ORACLE_HOME} etc. expand on the
# remote host. The inner here-document needs its own delimiter, otherwise its EOF
# would end the outer one.
cat << "EOF" | ssh $1 /bin/sh -
ps -edf -o comm,args | grep [h]ttpd | sort -u
${ORACLE_HOME}/bin/sqlplus "/ as sysdba" << SQL
spool ${ORACLE_BASE}/admin/${ORACLE_SID}/create/scoracle.log
SQL
EOF

# Unquoted delimiter: ${USERTOTO_NAME} etc. expand locally before being sent.
cat << EOF | ssh $1 /bin/sh -
chown -R ${USERTOTO_NAME}:${USERTOTO_GROUP} ${HOMEDIR}
EOF
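With an unquoted here-document, as in the chown script on Scripting 1/4, the local values are pasted into text that the remote /bin/sh parses, so a value containing a quote, a space or ';' changes the command. The following is an added example, not code from the slides: a quoting helper and a builder that returns the script text to pipe into `ssh $1 /bin/sh -`; the variable names USERTOTO_NAME, USERTOTO_GROUP and HOMEDIR are taken from the slides.

```shell
# Added example (not from the original slides): with an unquoted here-document,
# as in the chown script on Scripting 1/4, local variables are expanded into text
# that the remote /bin/sh then parses, so a value containing a quote, a space or
# ';' changes the command. sh_quote turns any value into one single-quoted word;
# build_chown_script returns the script text to pipe into "ssh $1 /bin/sh -".
# Variable names USERTOTO_NAME, USERTOTO_GROUP and HOMEDIR follow the slides.

# sh_quote VALUE -> VALUE wrapped in single quotes, embedded ' written as '\''
# (trailing newlines in VALUE are dropped by the command substitution).
sh_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# build_chown_script USER GROUP HOMEDIR -> one line of sh, safe for any values
build_chown_script() {
    printf 'chown -R %s:%s %s\n' "$(sh_quote "$1")" "$(sh_quote "$2")" "$(sh_quote "$3")"
}

# Usage, mirroring the slide's unquoted here-document but with quoting applied:
#   build_chown_script "$USERTOTO_NAME" "$USERTOTO_GROUP" "$HOMEDIR" | ssh "$1" /bin/sh -
```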
Scripting 2/4
# Unquoted delimiter: $1, ${USERTOTO_NAME} and ${USERTOTO_PASSWD} expand locally.
expect << EOF
spawn ssh -t $1 passwd ${USERTOTO_NAME}
expect "New Password: "
send "${USERTOTO_PASSWD}\r"
expect "Re-enter new Password: "
send "${USERTOTO_PASSWD}\r"
expect eof
EOF
Scripting 3/4
# Quoted delimiter: the whole loop is evaluated by bash on the remote host.
cat << "EOF" | ssh $1 /bin/bash -
SITES=/sites
if [ -d $SITES ]; then
    cd $SITES
    for site in *; do
        NB_PROC=`ps -edf | grep $site | grep -vc grep`
        if [ $NB_PROC -eq 0 ]; then
            echo "$site missing"
        fi
    done
fi
EOF
Scripting 4/4
# Generate a sed script locally (unquoted delimiter: ${SED_FILE} expands here).
cat << EOF > ${SED_FILE}
s%172.30.47.11.*hostname01.*# Front-End%172.30.156.142 hostname01%
s%172.30.47.14.*hostname04.*# Front-End%172.30.156.144 hostname04%
EOF

# Run commands on each host and keep a copy of the output under report/.
cat << EOF | ssh $1 /bin/bash - | tee report/$1
echo 'uname -a'
uname -a
echo
EOF
Conclusion
Bibliography
http://gnrt.terena.org/content.php?section_id=103
SSH, The Secure Shell: The Definitive Guide, O'Reilly & Associates
Questions
Questions?