SSH training (Formation ssh)

Secure SHell
Nicolas Ledez, 15 September 2008

Uploaded by nicolas-ledez, posted 12 Jan 2015

DESCRIPTION

Everything you need to know about SSH

TRANSCRIPT

Page 1: SSH training

Sections: Introduction | Authentication | Tunnels | Miscellaneous

Secure SHell

Nicolas Ledez

15 September 2008

Nicolas Ledez, Secure SHell

Page 2

Outline

1 Introduction
2 Authentication
3 Tunnels
4 Miscellaneous

Page 3

Section contents: History and features | Symmetric and asymmetric keys/encryption

History

1995, by Tatu Ylönen (Helsinki, Finland)
Replacement for Telnet and the r* commands

Page 4

Features 1/2

Authentication
Encryption
Integrity

Page 5

Features 2/2

Remote login
File transfer
Remote command execution
Keys and agents
Port forwarding
VPN

Page 6

Symmetric keys/encryption

Page 7

Asymmetric keys/encryption

Page 8

Encryption in SSH

Page 9

Section contents: Password | Keys | SSH-Agent | Agent forwarding

Password

    ssh AhostB
    root@AhostB's password:

Page 10

Keys

    ssh -i ~/.ssh/id_dsa_who AhostB
    Enter passphrase for key '~/.ssh/id_dsa_who':

    AhostB # cat .ssh/authorized_keys
    ssh-dss AAAAB3NzaC1kc3MAAACBAKDWEj3QEEvNYADeGTOPXuj[...]kZQlsoVSbNM5ocYUGFE3aWWWw== Un commentaire complet sur le user

    AhostB # ls -ld ~/ ~/.ssh/ ~/.ssh/authorized_keys
    drwx------ 5 root root   512 Jul 19 16:38 ~/
    drwxr-xr-x 2 root root   512 Jul  3 11:45 ~/.ssh/
    -rw-r--r-- 1 root other 4202 Jul  3 10:05 ~/.ssh/authorized_keys
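The ls -ld output on the slide is there for a reason: with StrictModes on (the OpenSSH default), sshd ignores authorized_keys when the home directory, ~/.ssh or the file itself is writable by group or others, and the user is left wondering why the key is not accepted. The script below is an added example, not code from the slides; it reproduces that permission test for a given home directory. It assumes GNU or BSD stat is available and does not check ownership (run it as, or for, the user whose key you are debugging).

```shell
#!/bin/sh
# Added example, not from the slides: reproduce the check sshd performs when
# StrictModes is on before it will honour ~/.ssh/authorized_keys.
# Ownership is not checked here (assumption: run for the user being debugged).

# mode_of PATH: print the octal permission bits (GNU stat, BSD stat fallback)
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# writable_digit D: true if octal digit D has the write bit set (2, 3, 6 or 7)
writable_digit() {
    case $1 in
        [2367]) return 0 ;;
        *) return 1 ;;
    esac
}

# ssh_perm_check HOME: print every path sshd would reject; return 1 if any
ssh_perm_check() {
    home=$1
    rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"
            rc=1
            continue
        fi
        mode=$(mode_of "$p")
        gw=${mode#"${mode%??}"}      # last two octal digits: group, other
        if writable_digit "${gw%?}" || writable_digit "${gw#?}"; then
            echo "group/world writable: $p (mode $mode)"
            rc=1
        fi
    done
    return $rc
}

# Usage: ssh_perm_check "$HOME" && echo "authorized_keys permissions OK"
```

The slide's listing passes: 700 on the home, 755 on ~/.ssh and 644 on authorized_keys leave no write bit for group or others. A 775 on ~/.ssh, a common result of a shared umask, is enough to make sshd skip the file.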

Page 11

SSH-Agent 1/2

Page 12

SSH-Agent 2/2

    admin@station:~$ ssh-agent
    export SSH_AUTH_SOCK=/tmp/ssh-EFGVug1775/agent.1775;
    export SSH_AGENT_PID=1776;
    echo Agent pid 1776;
    admin@station:~$ ssh-add -l
    The agent has no identities.
    admin@station:~$ ssh-add ~/.ssh/id_dsa_who
    Enter passphrase for ~/.ssh/id_dsa_who:
    Identity added: ~/.ssh/id_dsa_who (~/.ssh/id_dsa_who)
    admin@station:~$ ssh-add -l
    1024 06:b3:0e:fe:bc:97:7e:37:b7:a1:7d:e0:7f:0f:3b:7c ~/.ssh/id_dsa_who (DSA)

Page 13

Agent forwarding 1/2

Page 14

Agent forwarding 2/2

    AhostB # ssh-add -l
    1024 40:33:2e:2a:71:2a:9b:a8:d1:4c:a4:4e:13:a5:b4:b1 /home/admin/.ssh/station/idd (DSA)
    1024 06:b3:0e:fe:bc:97:7e:37:b7:a1:7d:e0:7f:0f:3b:7c /home/admin/.ssh/id_dsa_who (DSA)

Page 15

Section contents: Local | Remote | Dynamic | X11

Tunnel 1/2

Page 16

Tunnel 2/2

Page 17

Local 1/4

Page 18

Local 2/4

Page 19

Local 3/4

Page 20

Local 4/4

    ssh -L P:S:W B
    $ ssh -L2001:localhost:143 server.example.com

Page 21

Remote

Page 22

Dynamic

    ssh -D 8080 AhostB

In the browser, configure a SOCKS proxy at 127.0.0.1, port 8080.
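The two forms on the Local and Dynamic slides share one syntax: -L takes port:host:hostport (P is the port opened on the client, S and W the destination as seen from the SSH server B) and -D takes only a port, and both accept an optional bind address in front. When that bind address is omitted OpenSSH listens on loopback, which is what "-L2001:localhost:143" and "-D 8080" rely on; an empty bind ("-L :2001:..."), "*" or "0.0.0.0" opens the tunnel, and with it the IMAP server or the SOCKS proxy, to anyone who can reach the client machine. The functions below are an added example, not code from the slides: they parse a spec and report which of the two cases it is. They assume the bind address is a hostname or IPv4 address (bracketed IPv6 binds would need extra parsing) and do not look at the -g flag, which has the same exposing effect.

```shell
#!/bin/sh
# Added example, not from the slides: parse the -L / -D forwarding specs used
# on the slides and say whether the listening socket is loopback-only.
# Assumption: bind addresses are hostnames or IPv4; -g is not considered.

# forward_bind SPEC: print the bind address of a -L/-R/-D spec;
# "localhost" when omitted, "*" when given but empty (= all interfaces)
forward_bind() {
    spec=$1
    colons=$(printf '%s' "$spec" | tr -cd ':' | wc -c | tr -d ' ')
    case $colons in
        0|2) echo localhost ;;                    # port  or  port:host:hostport
        1|3) b=${spec%%:*}; echo "${b:-*}" ;;     # bind:port  or  bind:port:host:hostport
        *) echo "unrecognised forwarding spec: $spec" >&2; return 1 ;;
    esac
}

# forward_is_local SPEC: true when only processes on this machine can connect
forward_is_local() {
    bind=$(forward_bind "$1") || return 1
    case $bind in
        localhost|127.*) return 0 ;;
        *) return 1 ;;                # "*", 0.0.0.0 or a LAN address
    esac
}

# forward_report SPEC: one-line verdict, e.g. for each -L/-D argument in a script
forward_report() {
    bind=$(forward_bind "$1") || return 1
    if forward_is_local "$1"; then
        echo "$1: loopback only ($bind)"
    else
        echo "$1: exposed on $bind"
    fi
}

# Usage: forward_report 2001:localhost:143; forward_report '*:1080'
```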

Page 23

X11

    AhostB # env | grep DISPLAY
    DISPLAY=localhost:10.0

    The following connections are open:
      #1 x11 (t4 r3 i0/0 o0/0 fd 7/7 cfd -1)

Page 24

Section contents: Timeout | Authentication | Escape character | Scripting

.config and command line

    admin@station:~$ cat ~/.ssh/config
    host *
    ForwardX11 yes
    User root
    ConnectTimeout 1
    ForwardAgent yes
    ServerAliveInterval 60

    admin@station:~$ ssh -o 'ConnectTimeout=10' AhostB

Page 25

Timeout

    ConnectTimeout

Page 26

Authentication

    ForwardAgent yes
    PasswordAuthentication no
    StrictHostKeyChecking no
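The config on the ".config and command line" slide and the options on this one are all placed under "host *", so they apply to every server the workstation connects to. ForwardAgent and ForwardX11 let root on any of those servers use the local agent's keys and the local X display, and StrictHostKeyChecking no silently accepts a changed host key. The audit function below is an added example, not code from the slides: it reads a client ssh_config and lists those three settings wherever they apply globally, so they can be scoped to the hosts that need them. It assumes plain Host blocks (Match all is treated like Host *; multi-pattern Host lines are not evaluated).

```shell
#!/bin/sh
# Added example, not from the slides: audit a client ssh_config for
# ForwardAgent yes, ForwardX11 yes and StrictHostKeyChecking no when they
# apply to every destination. Assumptions: plain Host blocks; "Match all"
# counts as global; multi-pattern Host lines are not evaluated.

# audit_ssh_config FILE: print one line per risky global setting; return 1 if any
audit_ssh_config() {
    rc=0
    block='*'            # options before the first Host line apply everywhere
    while IFS= read -r line || [ -n "$line" ]; do
        # drop comments, treat "key=value" as "key value", collapse whitespace,
        # lowercase (ssh_config keywords are case-insensitive)
        line=$(printf '%s' "$line" \
            | sed 's/#.*//; s/=/ /; s/[[:space:]][[:space:]]*/ /g; s/^ //; s/ $//' \
            | tr 'A-Z' 'a-z')
        [ -n "$line" ] || continue
        key=${line%% *}
        val=${line#* }
        case $key in
            host) block=$val; continue ;;
            match) if [ "$val" = all ]; then block='*'; else block=$val; fi; continue ;;
        esac
        [ "$block" = '*' ] || continue
        case "$key $val" in
            'forwardagent yes'|'forwardx11 yes'|'stricthostkeychecking no')
                echo "applies to every host: $key $val"
                rc=1 ;;
        esac
    done < "$1"
    return $rc
}

# Usage: audit_ssh_config ~/.ssh/config && echo "no global forwarding or host-key bypass"
```

Run against the slide's file it reports ForwardX11 and ForwardAgent; moving those two lines under a "Host jump.example.com" block (a constructed name) and leaving StrictHostKeyChecking at its default makes it pass.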

Page 27

Escape character

Alt-Gr-~

    AhostB # ~?
    Supported escape sequences:
    ~.  - terminate connection
    ~B  - send a BREAK to the remote system
    ~C  - open a command line
    ~R  - Request rekey (SSH protocol 2 only)
    ~^Z - suspend ssh
    ~#  - list forwarded connections
    ~&  - background ssh (when waiting for connections to terminate)
    ~?  - this message
    ~~  - send the escape character by typing it twice
    (Note that escapes are only recognized immediately after newline.)

Page 28

Scripting 1/4

    # quoted delimiter: the script is sent verbatim and runs on the remote host
    cat << "EOF" | ssh $1 /bin/sh -
    ps -edf -o comm,args | grep [h]ttpd | sort -u
    EOF

    # unquoted delimiter: ${ORACLE_*} are expanded by the local shell first
    ${ORACLE_HOME}/bin/sqlplus "/ as sysdba" << EOF
    spool ${ORACLE_BASE}/admin/${ORACLE_SID}/create/scoracle.log
    EOF

    # unquoted delimiter: the user, group and home are filled in locally,
    # the chown runs remotely
    cat << EOF | ssh $1 /bin/sh -
    chown -R ${USERTOTO_NAME}:${USERTOTO_GROUP} ${HOMEDIR}
    EOF

Page 29

Scripting 2/4

    # ${USERTOTO_NAME} and ${USERTOTO_PASSWD} are expanded locally and reach
    # expect on its stdin, not on its command line
    expect << EOF
    spawn ssh -t $1 passwd ${USERTOTO_NAME}
    expect "New Password: "
    send "${USERTOTO_PASSWD}\r"
    expect "Re-enter new Password: "
    send "${USERTOTO_PASSWD}\r"
    expect eof
    EOF

Page 30

Scripting 3/4

    # quoted delimiter: the whole loop runs on the remote host
    cat << "EOF" | ssh $1 /bin/bash -
    SITES=/sites
    if [ -d $SITES ]; then
        cd $SITES
        for site in *; do
            # count matching processes; "grep -v grep" drops the grep itself
            NB_PROC=`ps -edf | grep $site | grep -vc grep`
            if [ $NB_PROC -eq 0 ]; then
                echo "$site missing"
            fi
        done
    fi
    EOF

Page 31

Scripting 4/4

    # generate a sed script (one substitution per host line)
    cat << EOF > ${SED_FILE}
    s%172.30.47.11.*hostname01.*# Front-End%172.30.156.142 hostname01%
    s%172.30.47.14.*hostname04.*# Front-End%172.30.156.144 hostname04%
    EOF

    # run a report remotely and keep a local copy per host
    cat << EOF | ssh $1 /bin/bash - | tee report/$1
    echo 'uname -a'
    uname -a
    echo
    EOF
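Every snippet on the four Scripting slides is the same pattern, a heredoc piped into "ssh HOST /bin/sh -", and the only thing that changes is whether the delimiter is quoted. That choice decides where ${...} is expanded: unquoted, the local shell substitutes before anything is sent (and whatever the variable contains becomes remote shell syntax, so validate it); quoted, the text travels verbatim and the remote shell expands it from its own environment. The functions below are an added example, not code from the slides, and show the two cases plus the mixed form with escaped \$ that the slides do not use. They assume a REMOTE_SHELL variable: set to "local" it feeds the script to this machine's /bin/sh instead of ssh, so the behaviour can be observed offline (a child shell does not see unexported variables, much like a remote host does not).

```shell
#!/bin/sh
# Added example, not from the slides: where variables expand in the
# "cat << EOF | ssh HOST /bin/sh -" pattern. Assumption: REMOTE_SHELL=local
# substitutes this machine's /bin/sh for ssh so the demo runs offline.

REMOTE_SHELL=${REMOTE_SHELL:-ssh}

# run_remote HOST: execute the script on stdin with /bin/sh on HOST
run_remote() {
    if [ "$REMOTE_SHELL" = local ]; then
        /bin/sh -
    else
        ssh "$1" /bin/sh -
    fi
}

# Unquoted EOF: ${SSH_DEMO_VAR} is replaced here, before the text leaves the
# local machine; the remote shell only ever sees the value. A value holding
# shell syntax would be executed remotely, so check it before use.
send_expanded() {
    SSH_DEMO_VAR=$2
    cat << EOF | run_remote "$1"
echo "value=${SSH_DEMO_VAR}"
EOF
}

# Quoted "EOF": the text is sent verbatim, so the remote shell looks up
# SSH_DEMO_VAR in its own environment, where it is unset (prints "value=").
send_verbatim() {
    SSH_DEMO_VAR=$2
    cat << "EOF" | run_remote "$1"
echo "value=${SSH_DEMO_VAR}"
EOF
}

# Mixed: unquoted EOF fills in ${dir} locally, while \$name is escaped so it
# survives to the remote loop (where the slides' "ps | grep" test would go).
list_remote_dir() {
    dir=$2
    cat << EOF | run_remote "$1"
for name in "${dir}"/*; do
    echo "entry=\${name##*/}"
done
EOF
}

# Usage: REMOTE_SHELL=local; send_expanded anyhost hello; send_verbatim anyhost hello
```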

Page 32

Conclusion

Page 33

Bibliography

http://gnrt.terena.org/content.php?section_id=103
SSH, The Secure Shell: The Definitive Guide, O'Reilly & Associates

Page 34

Questions

Questions?