Tomáš Čorej - OpenSSH
TRANSCRIPT
OpenSSH [email protected]
@tomas_corej
● a tool for secure remote login
● a rewritten version of the original SSH tool
● an example of a flexible tool usable for far more than just remote login
● a replacement for telnet, ftp, rlogin
OpenSSH
From the beginning
pesnik:~$ ssh testor
or
pesnik:~$ ln -s /usr/bin/ssh-argv0 $HOME/bin/testor
pesnik:~$ testor
From the beginning
pesnik:~$ ssh testor
user@testor password: ^C
pesnik:~$ ssh-keygen
pesnik:~$ ssh-copy-id testor
Now try logging into the machine, with "ssh 'testor'", and check in:
~/.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
From the beginning
pesnik:~$ ssh testor
Warning: the RSA host key for 'testor' differs from the key for the IP address '37.9.170.2'
Offending key for IP in /home/tomas.corej/.ssh/known_hosts:57
Matching host key in /home/tomas.corej/.ssh/known_hosts:875
You have mail.
Last login: Thu Jul 11 00:12:57 2012 from services
testor:~$ ^D
pesnik:~$ ssh-keygen -R 37.9.170.2
From the beginning
pesnik:~$ ssh testor
You have mail.
Last login: Thu Jul 11 00:12:57 2012 from pesnik
testor:~$
From the beginning
pesnik:~$ ssh testor
You have mail.
Last login: Thu Jul 11 00:12:57 2012 from services
testor:~$
testor:~$ ~?
Supported escape sequences:
  ~.  - terminate connection (and any multiplexed sessions)
  ~B  - send a BREAK to the remote system
  ~C  - open a command line
  ~R  - Request rekey (SSH protocol 2 only)
  ~^Z - suspend ssh
  ~#  - list forwarded connections
  ~&  - background ssh (when waiting for connections to terminate)
  ~?  - this message
  ~~  - send the escape character by typing it twice
(Note that escapes are only recognized immediately after newline.)
Usable in scripts
pesnik:~$ ssh testor /bin/true && echo ok
ok
if ssh testor prikaz; then ... fi
I don't want to use scp
pesnik:~$ prikaz | ssh testor "cat > remotefile"
pesnik:~$ mysqldump -uroot -p db | ssh testor "gzip - > db.gz"
pesnik:~$ mysqldump -uroot -p db |gzip - | ssh testor "cat > db.gz"
pesnik:~$ cat zoznam | ssh testor "while read input; do prikaz \$input $USER;done"
X11 made simple
pesnik:~$ ssh -X testor firefox
pesnik:~$ ssh -X testor.vpn gnome-terminal
pesnik:~$ ssh -X testor.vpn xeyes
Agent forwarding
tomas.corej@pesnik:~$ ssh-add -l
2048 f8:c6:6a:f4:ca:ee:0e:57:86:ed:f1:4b:ec:d3:84:ba /home/tomas.corej/.ssh/id_rsa (RSA)
tomas.corej@pesnik:~$ ssh -A testor
tomas.corej@testor:~$ ssh-add -l
2048 f8:c6:6a:f4:ca:ee:0e:57:86:ed:f1:4b:ec:d3:84:ba /home/tomas.corej/.ssh/id_rsa (RSA)
● possible security risk
● the directory containing the unix socket is accessible under /tmp
● can lead to errors, especially when running cron scripts
tomas.corej@pesnik:~$ ssh -A testor2
SOCKS proxy and tunnelling
pesnik:~$ ssh -D 3128 testor
-L[bind_address:]port:host:hostport   Request local forward
-R[bind_address:]port:host:hostport   Request remote forward
-D[bind_address:]port                 Request dynamic forward
Let's store all of this in $HOME/.ssh/config
Host *
    User root
    ForwardAgent yes
    ForwardX11 yes
    ConnectTimeout=20
    PreferredAuthentications=publickey,password,keyboard-interactive
    StrictHostKeyChecking=no
    ControlMaster auto
    ControlPath ~/.ssh/sockets/%r@%h:%p
    SendEnv BASH_ENV
    IdentityFile ~/.ssh/id_rsa
    IdentityFile ~/.ssh/customers_vps
    Compression yes

Host abcd
    IdentityFile ~/.ssh/abcd.pub
level++
ProxyCommand
● it can be anything; what matters is that it handles STDIN and STDOUT
ssh -o ProxyCommand="$HOME/.ssh/gateway.sh %h %p" testor
● substitutes %h, %p and %r
● access through an intermediary host
ssh -o ProxyCommand="ssh user@testor nc %h %p" [email protected] "uname -a"
● the -W parameter
● DoS risk
● when SSH connections are created frequently and in large numbers
● shortens the time and reduces the overhead (0.2 s vs 0.014 s)
● config
ControlMaster auto
ControlPath ~/.ssh/sockets/%r@%h:%p
● controlled via -O check,forward,stop,exit
SSH connection multiplexing
pesnik:~$ ssh testor
You have mail.
Last login: Thu Jul 11 00:12:57 2012 from pesnik
testor:~$
testor:~$ ~^Z
pesnik:~$ cd ~/.ssh/sockets
pesnik:~/.ssh/sockets$ ls
user@testor:22
pesnik:~$ ssh -O check user@testor
Master running (pid=22797)
pesnik:~$ fg
testor:~$
SSH connection multiplexing
● another way of running remote commands
● SFTP is a subsystem
● it can also be internal functionality (sftp and chroot)
● server: sshd_config
Subsystem backup /root/bin/backupcmd
● ssh client
ssh -s backup root@testor
Subsystems
● an extended way of verifying fingerprints
● SSHD fingerprints can also be stored in DNS records
● VerifyHostKeyDNS yes|ask|no
DNS SSHFP
● private keys are located in $HOME/id_rsa (by default)
● additional keys can be specified
Private keys
no-port-forwarding,no-user-rc,no-X11-forwarding,no-pty,command="/bin/nc $SSH_ORIGINAL_COMMAND" ssh-rsa AAAAB3Nza....
● $SSH_ORIGINAL_COMMAND contains the text of the command
ssh root@testor prikaz
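As an added example that is not from the slides: a forced-command wrapper for the authorized_keys command= option that vets $SSH_ORIGINAL_COMMAND against a fixed allowlist before running it, rather than relaying whatever arrives as the nc line above does. The script path, the backup helper on PATH and the restricted-ssh log tag are assumptions.

```shell
#!/bin/sh
# Assumed (hypothetical) authorized_keys entry pointing at this script:
#   no-port-forwarding,no-X11-forwarding,no-pty,command="/usr/local/bin/restricted.sh" ssh-rsa AAAA...
# sshd stores the command the client asked for in $SSH_ORIGINAL_COMMAND.

# allowed_command: returns 0 if the requested command string is permitted, 1 otherwise.
# Takes the string as $1 so it can be exercised without an sshd session.
allowed_command() {
    cmd=$1
    case "$cmd" in
        '') return 1 ;;                                  # no command at all: deny, never fall back to a shell
        *[!A-Za-z0-9' '/._-]*) return 1 ;;               # only a conservative character set gets through
    esac
    case "$cmd" in
        uptime|'df -h') return 0 ;;                      # fixed commands, exact match only
        'backup /srv/'*)                                 # one parameterised command: backup <dir under /srv>
            dir=${cmd#'backup '}
            case "$dir" in *..*|*' '*) return 1 ;; esac  # no path traversal, no extra arguments
            return 0 ;;
    esac
    return 1                                             # deny by default
}

# main: entry point when sshd runs this script as the key's forced command.
main() {
    req=${SSH_ORIGINAL_COMMAND:-}
    client=${SSH_CLIENT%% *}                             # sshd sets SSH_CLIENT to "ip port port"
    if allowed_command "$req"; then
        logger -t restricted-ssh "allow '$req' from $client"
        set -f                                           # no globbing while splitting the vetted string
        set -- $req
        exec "$@"                                        # backup is assumed to be a helper on PATH
    fi
    logger -t restricted-ssh "deny '${req:-<none>}' from $client"
    printf 'command not permitted\n' >&2
    exit 1
}

# Dispatch only inside an sshd session; otherwise just define the functions.
if [ -n "${SSH_CONNECTION:-}" ]; then
    main
fi
```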
● OpenSSH-lpk patch
  ○ makes sshd look up public keys on an LDAP server
OpenSSH-lpk
● a contribution from the world of the Plan 9 operating system
factotum