Tomáš Čorej - OpenSSH

24 slides
OpenSSH [email protected] @tomas_corej

Upload: webelement

Posted on 07-Jul-2015


TRANSCRIPT

Page 1: Tomáš Čorej - OpenSSH

OpenSSH [email protected]

@tomas_corej

Page 2: Tomáš Čorej - OpenSSH

OpenSSH

● a tool for secure remote login
● a rewritten version of the original SSH tool
● an example of a flexible tool usable for far more than remote login
● a replacement for telnet, ftp and rlogin

Page 3: Tomáš Čorej - OpenSSH

From the beginning

pesnik:~$ ssh testor

or

pesnik:~$ ln -s /usr/bin/ssh-argv0 $HOME/bin/testor
pesnik:~$ testor

(ssh-argv0 connects to the host whose name it was invoked under.)

Page 4: Tomáš Čorej - OpenSSH

From the beginning

pesnik:~$ ssh testor
user@testor password: ^C
pesnik:~$ ssh-keygen
pesnik:~$ ssh-copy-id testor
Now try logging into the machine, with "ssh 'testor'", and check in:

  ~/.ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

Page 5: Tomáš Čorej - OpenSSH

From the beginning

pesnik:~$ ssh testor
Warning: the RSA host key for 'testor' differs from the key for the IP address '37.9.170.2'
Offending key for IP in /home/tomas.corej/.ssh/known_hosts:57
Matching host key in /home/tomas.corej/.ssh/known_hosts:875
You have mail.
Last login: Thu Jul 11 00:12:57 2012 from services
testor:~$ ^D
pesnik:~$ ssh-keygen -R 37.9.170.2

The login still went through because the key stored under the hostname matched; only the entry stored under the IP address was stale, and ssh-keygen -R removes exactly that entry from known_hosts. Check which machine the IP pointed to before deleting, since the same warning appears when the address has been taken over.

Page 6: Tomáš Čorej - OpenSSH

From the beginning

pesnik:~$ ssh testor
You have mail.
Last login: Thu Jul 11 00:12:57 2012 from pesnik
testor:~$

Page 7: Tomáš Čorej - OpenSSH

From the beginning

pesnik:~$ ssh testor
You have mail.
Last login: Thu Jul 11 00:12:57 2012 from services
testor:~$
testor:~$ ~?
Supported escape sequences:
  ~.  - terminate connection (and any multiplexed sessions)
  ~B  - send a BREAK to the remote system
  ~C  - open a command line
  ~R  - Request rekey (SSH protocol 2 only)
  ~^Z - suspend ssh
  ~#  - list forwarded connections
  ~&  - background ssh (when waiting for connections to terminate)
  ~?  - this message
  ~~  - send the escape character by typing it twice
(Note that escapes are only recognized immediately after newline.)

The ~C command line accepts -L, -R and -D to add port forwards to a session that is already open, and -KL/-KR/-KD to cancel them.

Page 8: Tomáš Čorej - OpenSSH

Usable in scripts

pesnik:~$ ssh testor /bin/true && echo ok
ok

if ssh testor remote_command; then ... fi

ssh exits with the exit status of the remote command, or with 255 if ssh itself failed (no connection, authentication refused), so a script can tell the two apart.

Page 9: Tomáš Čorej - OpenSSH

Avoiding scp

pesnik:~$ local_command | ssh testor "cat > remotefile"

pesnik:~$ mysqldump -uroot -p db | ssh testor "gzip - > db.gz"

pesnik:~$ mysqldump -uroot -p db | gzip - | ssh testor "cat > db.gz"

pesnik:~$ cat list | ssh testor "while read input; do remote_command \$input $USER; done"

In the last example \$input is escaped, so it is expanded on testor for every line read, while $USER is unescaped and is expanded on pesnik before the command is sent.

Page 10: Tomáš Čorej - OpenSSH

X11 the easy way

pesnik:~$ ssh -X testor firefox

pesnik:~$ ssh -X testor.vpn gnome-terminal

pesnik:~$ ssh -X testor.vpn xeyes

-X is untrusted forwarding: the remote program is subject to the X11 SECURITY extension restrictions. -Y (trusted forwarding) lifts them and gives the remote program full access to the local display, so use it only for hosts you trust.

Page 11: Tomáš Čorej - OpenSSH

Agent forwarding

tomas.corej@pesnik:~$ ssh-add -l
2048 f8:c6:6a:f4:ca:ee:0e:57:86:ed:f1:4b:ec:d3:84:ba /home/tomas.corej/.ssh/id_rsa (RSA)

tomas.corej@pesnik:~$ ssh -A testor

tomas.corej@testor:~$ ssh-add -l
2048 f8:c6:6a:f4:ca:ee:0e:57:86:ed:f1:4b:ec:d3:84:ba /home/tomas.corej/.ssh/id_rsa (RSA)

● possible security risk: the forwarded agent is reachable through a unix socket in a directory under /tmp on the remote host, so anyone with root there can use your keys for as long as you are logged in
● can lead to errors, mainly when running cron scripts (a cron job has no forwarded agent to fall back on)

tomas.corej@pesnik:~$ ssh -A testor2

Page 12: Tomáš Čorej - OpenSSH

SOCKS proxy and tunnelling

pesnik:~$ ssh -D 3128 testor

-L [bind_address:]port:host:hostport   Request local forward
-R [bind_address:]port:host:hostport   Request remote forward
-D [bind_address:]port                 Request dynamic forward

Without a bind_address the listening port binds to loopback only; binding to * (or setting GatewayPorts) opens the tunnel to other hosts on the network as well.

Page 13: Tomáš Čorej - OpenSSH

Let's store it all in $HOME/.ssh/config

Host *
    User root
    ForwardAgent yes
    ForwardX11 yes
    ConnectTimeout=20
    PreferredAuthentications=publickey,password,keyboard-interactive
    StrictHostKeyChecking=no
    ControlMaster auto
    ControlPath ~/.ssh/sockets/%r@%h:%p
    SendEnv BASH_ENV
    IdentityFile ~/.ssh/id_rsa
    IdentityFile ~/.ssh/customers_vps
    Compression yes

Host abcd
    IdentityFile ~/.ssh/abcd.pub

ssh uses the first value it finds for each option, so a Host * block at the top of the file wins over every Host block below it. As written, StrictHostKeyChecking=no disables host-key verification for every host (the warning on page 5 would never be shown), ForwardAgent yes hands the agent to every server, and User root makes root the default login everywhere. Those settings belong in per-host blocks, with Host * holding the safe defaults at the end of the file.
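A worked counterpart to the config above, added here as an example and not part of the slides: a small POSIX shell script that flags the risky Host * directives in a client config and prints a hardened version of the same config with the per-host blocks first. The script name ssh_config_audit.sh, the choice to allow agent forwarding for testor only, and the awk-based parsing are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the slides): audit a client ssh_config for the
# risky "Host *" settings shown above, and emit a hardened counterpart.
# Assumptions: POSIX sh and awk; the config path is passed as $1.

# Print one line per risky directive that applies to every host, i.e. one
# that sits before any Host/Match line or inside a "Host *" block.
# Handles both "Key value" and "Key=value" spellings, case-insensitively.
audit_ssh_config() {
    awk '
    BEGIN { global = 1 }              # directives before any Host line are global
    {
        line = $0
        sub(/#.*/, "", line)          # drop comments
        gsub(/=/, " ", line)          # normalise Key=value to Key value
        n = split(line, f, /[ \t]+/)
        i = 1
        while (i <= n && f[i] == "") i++   # skip the empty leading field
        if (i > n) next
        key = tolower(f[i]); val = tolower(f[i + 1])
        # a new Host/Match block starts: remember whether it is the global one
        if (key == "host" || key == "match") {
            global = (key == "host" && val == "*")
            next
        }
        if (!global) next
        if (key == "stricthostkeychecking" && val == "no")
            print NR ": StrictHostKeyChecking no under Host * turns off host-key verification for every host"
        if (key == "forwardagent" && val == "yes")
            print NR ": ForwardAgent yes under Host * exposes your agent to root on every server you log in to"
        if (key == "forwardx11" && val == "yes")
            print NR ": ForwardX11 yes under Host * lets every server talk to your local X display"
        if (key == "user" && val == "root")
            print NR ": User root under Host * makes root the default login everywhere"
    }' "$1"
}

# Hardened version of the same config. Per-host blocks come first and the
# "Host *" defaults last, because ssh keeps the FIRST value it sees for an
# option; a permissive "Host *" at the top cannot be overridden further down.
hardened_ssh_config() {
    cat <<'EOF'
# hosts that really need the agent (the -A hop in the slides), listed explicitly
Host testor
    ForwardAgent yes

Host abcd
    IdentityFile ~/.ssh/abcd.pub

# safe defaults for everything else
Host *
    ForwardAgent no
    ForwardX11 no
    StrictHostKeyChecking ask
    HashKnownHosts yes
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id_rsa
    IdentityFile ~/.ssh/customers_vps
    PreferredAuthentications publickey,keyboard-interactive,password
    ConnectTimeout 20
    ControlMaster auto
    ControlPath ~/.ssh/sockets/%r@%h:%p
    ControlPersist 10m
    Compression yes
EOF
}

# Usage: sh ssh_config_audit.sh ~/.ssh/config   (prints findings, if any)
#        sh ssh_config_audit.sh --hardened      (prints the hardened config)
case "${1-}" in
    "")         ;;
    --hardened) hardened_ssh_config ;;
    *)          audit_ssh_config "$1" ;;
esac
```

The hardened file keeps the multiplexing settings from the slides and adds ControlPersist so the master stays up briefly after the last session; ~/.ssh/sockets must exist and be mode 700 before ControlPath can be used.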

Page 14: Tomáš Čorej - OpenSSH

level++

Page 15: Tomáš Čorej - OpenSSH

ProxyCommand

● it can be anything, as long as it reads STDIN and writes STDOUT

ssh -o ProxyCommand="$HOME/.ssh/gateway.sh %h %p" testor

● %h, %p and %r are substituted
● access through an intermediary host

ssh -o ProxyCommand="ssh user@testor nc %h %p" [email protected] "uname -a"

● the -W option (ssh -W host:port on the intermediate hop does the job of nc, so nc need not be installed on the gateway)
● DoS risk

Page 16: Tomáš Čorej - OpenSSH

SSH connection multiplexing

● for SSH connections created frequently and in large numbers
● shortens connection time and reduces overhead (0.2 s vs 0.014 s)
● config:

ControlMaster auto
ControlPath ~/.ssh/sockets/%r@%h:%p

● controlled with -O check, forward, stop, exit

Keep ~/.ssh/sockets private (mode 700): anyone who can open the control socket gets a new session over the master's connection without authenticating again.

Page 17: Tomáš Čorej - OpenSSH

SSH connection multiplexing

pesnik:~$ ssh testor
You have mail.
Last login: Thu Jul 11 00:12:57 2012 from pesnik
testor:~$
testor:~$ ~^Z
pesnik:~$ cd ~/.ssh/sockets
pesnik:~/.ssh/sockets$ ls
user@testor:22
pesnik:~$ ssh -O check user@testor
Master running (pid=22797)
pesnik:~$ fg
testor:~$

Page 18: Tomáš Čorej - OpenSSH

Subsystems

● another way of running remote commands
● SFTP is a subsystem
● can also be internal functionality (sftp with chroot)
● server side, sshd_config:

Subsystem backup /root/bin/backupcmd

● ssh client:

ssh -s backup root@testor

Page 19: Tomáš Čorej - OpenSSH

DNS SSHFP

● an extended way of verifying fingerprints
● sshd fingerprints can also be stored in DNS records
● VerifyHostKeyDNS yes|ask|no

The records are generated with ssh-keygen -r hostname. With VerifyHostKeyDNS yes the client accepts a matching key automatically only when the DNS answer is DNSSEC-validated; an unvalidated answer is treated as ask, and the fingerprint is shown for manual confirmation.

Page 20: Tomáš Čorej - OpenSSH

Private keys

● private keys live in $HOME/.ssh/id_rsa by default
● additional keys can be specified (-i, IdentityFile)

Restricting what a key may do, in authorized_keys:

no-port-forwarding,no-user-rc,no-X11-forwarding,no-pty,command="/bin/nc $SSH_ORIGINAL_COMMAND" ssh-rsa AAAAB3Nza....

● $SSH_ORIGINAL_COMMAND contains the text of the command

ssh root@testor command

The forced command runs instead of whatever the client asked for, and the original request is only available as $SSH_ORIGINAL_COMMAND. As written, the key holder still controls nc's entire argument list (listen mode, or -e on builds that support it), so the forced command should validate that text before passing it on.
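As an added example that is not part of the slides, here is what the forced command can look like once the text in $SSH_ORIGINAL_COMMAND is validated instead of being handed straight to nc. The script path /usr/local/bin/nc-gate, the allow-listed hosts and the logger tag are made up for the example.

```shell
#!/bin/sh
# Added example (not from the slides): a forced-command wrapper to use in
# place of command="/bin/nc $SSH_ORIGINAL_COMMAND". The key line becomes
#   no-port-forwarding,no-user-rc,no-X11-forwarding,no-pty,command="/usr/local/bin/nc-gate" ssh-rsa AAAA...
# and the client still runs   ssh root@testor 'db1.internal 22'   (or uses
# the same thing as a ProxyCommand). Only "host port" with an allow-listed
# host is passed on to nc; everything else is logged and refused.
# Script name, allow-list and log tag are assumptions made for this example.
set -f   # no globbing: $SSH_ORIGINAL_COMMAND is attacker-controlled text

# Hosts the gate may connect to (example values)
ALLOWED_HOSTS="db1.internal db2.internal 10.0.0.5"

# validate_target "host port": return 0 if permitted, 1 otherwise.
validate_target() {
    # split on whitespace: must be exactly two words
    set -- $1
    [ $# -eq 2 ] || return 1
    host=$1
    port=$2
    # host: no leading dash (it would become an nc option), hostname characters only
    case $host in
        -*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    # port: digits only, 1..65535
    case $port in
        *[!0-9]*) return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    for h in $ALLOWED_HOSTS; do
        [ "$h" = "$host" ] && return 0
    done
    return 1
}

# Entry point when sshd runs this script as the forced command
if [ -n "${SSH_ORIGINAL_COMMAND-}" ]; then
    if validate_target "$SSH_ORIGINAL_COMMAND"; then
        exec nc $SSH_ORIGINAL_COMMAND
    fi
    logger -t nc-gate "refused '$SSH_ORIGINAL_COMMAND' from ${SSH_CLIENT%% *}"
    echo "nc-gate: target not permitted" >&2
    exit 1
fi
```

Where the gateway runs OpenSSH 5.4 or newer, nc can be dropped altogether: the client uses ProxyCommand="ssh -W %h:%p user@testor" and the key line gets permitopen="db1.internal:22" (one per allowed target) in place of no-port-forwarding and the command= option, so sshd itself enforces the allow-list.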

Page 21: Tomáš Čorej - OpenSSH

OpenSSH-lpk

● the OpenSSH-lpk patch
  ○ makes sshd look up users' public keys on an LDAP server

Since OpenSSH 6.2 an unpatched sshd can do the same through AuthorizedKeysCommand, which runs a helper that prints the user's keys.

Page 23: Tomáš Čorej - OpenSSH

factotum

● a contribution from the world of the Plan 9 operating system
