Ssh
Inhaltsverzeichnis
- 1 AUTHOR | HACKBUGZ
- 2 Links
- 3 SSH|SCP|SFTP FUSE, SSHFS
- 4 RANKING DER REMOTE CLIENTS|TOOLS NACH SICHERHEIT
- 4.1 SSH STATUS
- 4.2 SSH tools
- 4.3 SSH|SSHFS|FUSE CONFIG FILES
- 4.4 Create SSH Key
- 4.5 Copy SSH Key
- 4.6 Login with SSH Key
- 4.7 ssh config files & folders
- 4.8 ssh sshd_config file
- 4.9 ssh motd file
- 4.10 ssh known_hosts file
- 4.11 ssh authorized_keys file
- 4.12 SSHFS FUSE
- 4.13 SSHFS FUSE | USER MAPPING
- 4.14 SSHFS FUSE | SYMLINKS
- 4.15 SSHFS FUSE | FUSERMOUNT
- 4.16 SSHFS FUSE | Denied root access to user mounted FUSE file system
- 4.17 SSHFS TIMEOUT
- 4.18 SSHFS SYSTEMSTART | /etc/fstab
- 4.19 SSHFS SHOW MOUNTS/CHECK MOUNTED | /etc/mtab
- 4.20 SSH Port-Tunneling
- 4.21 Reverse SSH Tunnel
- 4.22 AutoSSH SSH Tunnel
- 4.23 ssh commands
- 4.24 ssh execute command
- 4.25 ssh execute script
- 4.26 secure file transfer
AUTHOR | HACKBUGZ
StackExchange | HACKBUGZ TIKTOK | HACKBUGZ
Links
sshfs(1) - Linux man page wiki.ubuntuusers.de FUSE/SSHFS wiki.ubuntuusers.de FUSE
SSH Key Management Authorized_keys file in SSH How to restrict a user to one folder and not allow them to move out his folder - Unix & Linux Stack Exchange Restrict SSH User Access to Certain Directory Using Chrooted Jail Debian/Ubuntu Linux: Restrict an SSH user session to a specific directory by setting chrooted jail - nixCraft SSHFS - ArchWiki
security - How to create a restricted SSH user for port forwarding? - Ask Ubuntu Aus dem Alltag eines Sysadmin: Reverse-SSH-Tunnel und Autossh What Is Reverse SSH Tunneling? (and How to Use It) ssh tunneling - SSH: tunnel without shell on ssh server - Unix & Linux Stack Exchange linux - ssh tunneling only access - Server Fault How to Setup Reverse SSH Tunnel on Raspberry Pi behind a 3G USB stick modem - IT-REACT Create a reverse SSH tunnel for remote access to a restricted Linux machine - DEV Community https://unix.stackexchange.com/questions/55106/disable-user-shell-for-security-reasons SSH tunnelling for fun and profit: Autossh ssh-keygen(1) - Linux manual page linux - ssh_exchange_identification: Connection closed by remote host (not using hosts.deny) - Unix & Linux Stack Exchange
Miklos Szeredi | github Evolution of FUSE and OverlayFS | Miklos Szeredi
explainshell Screen nohup linuxcommand ssh1 open ip
SSH|SCP|SFTP FUSE, SSHFS
Mit dem SSH-Clients SSHSSH|SCP|SFTP kann man sich über ein Terminal auf entfernte Rechner anmelden. Die Kommunikation und die Authentifizierung findet dabei verschlüsselt statt. SSH kann dabei interaktiv oder nicht interaktiv genutzt werden
RANKING DER REMOTE CLIENTS|TOOLS NACH SICHERHEIT
# SSH # SCP # SFTP # RLOGIN # TELNET # FTP
SSH STATUS
$ systemctl status ssh
$ whoami $ who $ w
$ ps $ ps aux $ ps aux | grep ssh $ ps aux | grep sshd
$ lsof -i -n | egrep 'ssh' $ lsof -i -n | egrep 'sshd'
$ ss $ ss -l $ ss | grep tcp $ ss | grep -i ssh $ ss -u -a
$ last -a | grep -i still
apk*error $ service ssh status $ netstat -tanup | grep ssh $ netstat -tnpa | grep 'ESTABLISHED.*sshd $ netstat -an | grep 8090/port $ firewall-cmd --list-all-zones
SSH tools
ssh-keygen $ ssh-keyscan ip > known_hosts $ ssh-keyscan -f txtwithhosts
ssh-keyscan
ssh-copy-id
ssh-add $ ssh-add -l $ ssh-add KEY
ssh-agent $ pgrep ssh-agent $ ps aux | grep ssh-agent
SSH|SSHFS|FUSE CONFIG FILES
$ cat /etc/ssh/sshd_config $ cat /etc/ssh/ssh_config $ /etc/fuse.conf $ /etc/modules
IN LAB AllowHosts AllowUsers AllowGroups ChRootGroups(Syntax: AllowGroups) ChRootUsers(Syntax: AllowUsers)
Create SSH Key
$ ssh-keygen -t ed25519 -b 4096
Copy SSH Key
$ ssh-copy-id -i KEY user@IP $ ssh-copy-id -i ~/.ssh/KEY user@IP
copy key while login with key $ ssh-copy-id -i KEYTOCOPY -f -o 'IdentityFile KEYTOLOGIN' -p 5000 USER@IP
Login with SSH Key
$ ssh -i ~/.ssh/KEY user@IP -p 5001
ssh config files & folders
/etc/ssh/ssh_config /etc/ssh/sshd_config ~/.ssh ~/.ssh/authorized_keys ~/.ssh/known_hosts
ssh sshd_config file
$ nano /etc/ssh/sshd_config Port 5000 PubkeyAuthentication yes PasswordAuthentication no PermitEmptyPasswords no X11Forwarding no Banner /path/ (Message before login) ListenAddress (Strict/Diff Networks) MaxSessions MaxSessions parameter
ssh motd file
$ nano /etc/motd (Message after Login)
ssh known_hosts file
$ nano ~/.ssh/known_hosts
ssh authorized_keys file
$ nano ~/.ssh/authorized_keys
How to manually copy SSH public keys to server: On the local machine $ cat ~/.ssh/id_rsa.pub copy ssh-rsa .STRING. USER@IP
On the remote server paste the line to: ~/.ssh/authorized_keys
SSHFS FUSE
$ sshfs user@host:/dir /dir -o IdentityFile=~/.ssh/KEY
$ sshfs user@host:/dir /dir -o IdentityFile=~/.ssh/KEY -o idmap=user -o uid=$(id -u) -o gid=$(id -g)
$ sshfs user@host:/dir /dir -C -p 5001
SSHFS FUSE | USER MAPPING
$ sshfs Benutzername@irgendEinRechner:/pfad_auf_dem_server/ ~/fusessh -o idmap=user -o uid=$(id -u) -o gid=$(id -g) $ sshfs user@host:/dir /dir -o IdentityFile=~/.ssh/KEY -o idmap=user -o uid=$(id -u) -o gid=$(id -g) -o nonempty -p 5001
SSHFS FUSE | SYMLINKS
$ sshfs -o follow_symlinks
$ sshfs Benutzername@irgendEinRechner:/pfad_auf_dem_server/ ~/fusessh -o follow_symlinks
SSHFS FUSE | FUSERMOUNT
$ fusermount -u /dir
SSHFS FUSE | Denied root access to user mounted FUSE file system
This is by design in fuse as a security measure. Pass the -o allow_root or -o allow_other option when mounting the filesystem with sshfs. https://serverfault.com
SSHFS TIMEOUT
1) In der Datei .ssh/config folgende Zeile hinzufügen (liegt im Homeverzeichnis des Anwenders, bzw. wenn man Automount beim Systemstart macht, ist die Datei /root/.ssh/config zu ändern): $ sshfs -o ServerAliveInterval=15 $ sshfs-o reconnect,ServerAliveInterval=15,ServerAliveCountMax=3 SSHFS mount that survives disconnect| keep connection alive The options ServerAliveInterval=5,ServerAliveCountMax=3 say that ssh checks every 5 seconds to see whether the remote server is still responding. If it does not receive a response after 3 of these checks, then it disconnects automatically. Thus any process waiting on this mount should hang about 15 seconds max. The options ConnectTimeout=3,ConnectionAttempts=1 are necessary because otherwise ssh will wait a very long time when attempting to reestablish connections, which again causes other processes to hang if they try to access the mount during this time.
SSHFS SYSTEMSTART | /etc/fstab
$ sshfs#Benutzername@irgendEinRechner:/pfad_auf_dem_server/ ~/fusessh fuse uid=1003,gid=100,umask=0,allow_other,_netdev 0 0 $ sshfs#user@server:/remote/folder /local/mount/dir fuse IdentityFile=sshkeyfile,Port=XXX,allow_other,_netdev,ServerAliveInterval=45,ServerAliveCountMax=2,reconnect,noatime,auto 0 0
$ sshfs#user@server:/remote/folder /local/mount/dir fuse IdentityFile=sshkeyfile,Port=XXX,uid=1000,gid=1000,allow_other,_netdev,ServerAliveInterval=45,ServerAliveCountMax=2,reconnect,noatime,auto 0 0
$ sshfs#user@server:/remote/folder /local/mount/dir fuse delay_connect,IdentityFile=sshkeyfile,Port=XXX,uid=1000,gid=1000,allow_other,_netdev,ServerAliveInterval=45,ServerAliveCountMax=2,reconnect,noatime,auto 0 0
SSHFS SHOW MOUNTS/CHECK MOUNTED | /etc/mtab
$ mount $ cat /proc/mounts $ cat /etc/mtab $ cat /etc/mtab | grep fuse $ cat /etc/mtab | grep ssh $ findmnt $ findmnt | grep fuse $ findmnt | grep ssh $ df -h $ lsblk -f
SSH Port-Tunneling
Local Forwarding
$ ssh -i ~/.ssh/KEY -L 80:IP:80 user@IP -p 2000
Remote Forwarding
Port Forwarding
Reverse SSH Tunnel
Check for: 1. ServerAliveInterval(sshd_config) 2. autossh
ssh -R 5001:localhost:22 -fN IP
AutoSSH SSH Tunnel
$ autossh -NT -o "ExitOnForwardFailure=yes" -R 5001:localhost:6001 -l USER IP -p 7001 -i /home/USER/.ssh/KEY
$ autossh -N -f -i /home/<user>/.ssh/id_rsa -R 22222:localhost:22 <user>@<remote_host> -N: tell ssh to not execute any command, since we only use it for tunneling. -f: tell autossh to fall into background on start. -i: tell ssh to use the proper identity. -R 22222:localhost:22: reverse tunnel remote host's 22222 port to localhost's 22 port. So that we can use ssh -p 22222 localhost on remote host to ssh into local machine.
nano /etc/systemd/system/sshtunnel.service
sshtunnel.service
[Unit] Description=AutoSSH tunnel service #After=network.target After=network-online.target ssh.service [Service] User=USER Environment="AUTOSSH_GATETIME=0" RestartSec=30 Restart=always ExecStart=/usr/bin/autossh -NT -o "ExitOnForwardFailure=yes" -R 5001:localhost:6000 -l USER IP -p 6001 -i /home/USER/.ssh/KEY ExecStop=pkill -s KILL autossh TimeoutStopSec=10 [Install] WantedBy=multi-user.target
systemctl status sshtunnel.service systemctl daemon-reload systemctl restart sshtunnel.service When using ssh multiplexing, killing the ssh process is often undesirable (it kills all open connections with that host), and you cannot easily access the escape because "escape not available to multiplexed sessions". The right way is then to run the analogue of the forwarding command that you want to cancel, but adding -O cancel. For instance:
ssh -O cancel -L 5002:192.168.0.10:5002 192.168.178.100
This will disable this port forwarding without terminating the session. Again, this will only work if ssh multiplexing is in use for the connection to 192.168.178.100
$ ssh -luser 192.xx.xxx.xx
ssh commands
$ ssh user@192.168.188.2 '[command]' $ ssh user@192.168.188.2 'ls -la /home/user' $ put
ssh execute command
$ ssh user@ip 'ls -la'
ssh execute script
$ ssh user@ip < script.sh $ ssh user@ip "bash -s" < script.sh
secure file transfer
SCP file
$ pscp
# scp [source][destination] # destination ip:/path/
$ scp /test user@192.168.188.2:/home/user/test $ scp *.txt user@192.168.188.2:/home/user/txt
$ scp user@192.168.188.2:/home/user/txt.txt .
How to copy files from one machine to another using ssh
SCP folder
$ scp -r /dir user@192.168.188.2:/home/user/dir $ scp -r /dir/* user@192.168.188.2:/home/user/dir $ scp -r user@192.168.188.2:/home/user/dir /home/dir $ scp -r user@192.168.188.2:/home/user/dir .
sftp
psftp
ssh Jumphost
- ssh jumphost
PC->Junphost->IntServer PC->Firewall->IntServer ssh -J user@ip user@ip
ssh Multi-hop Tunnel
ssh -L8080:localhost:8080 user@host1 SSH Tunnel with -t and -v (verbose)
ssh X11 Forwarding
$ ssh -X user@ip firefox &
ssh config file
- ssh config file in .ssh/config
Host *
User user
Host linuxhost
HostName 192.168.188.2
User user
Port 2000
IdentityFile ~/.ssh/mykey
ssh config file in /etc/ssh/ssh_config
debug modus $ ssh debianvm -v
ssh VNC|DISPLAY
ssh user @<ipadresse> "DISPLAY =:0 nohup firefox" ssh -i KEY -p XXXX user@x.x.x.x "DIS1PLAY =:0 nohup firefox" ssh -i KEY -p XXXX -X user@x.x.x.x ssh -i KEY -L 5901:127.0.0.1:5901 -C -N -l -p XXXX user@x.x.x.x ssh -i KEY -p XXXX -L 5901:127.0.0.1:5901 -C -N -l user x.x.x.x
socks proxy with google-authenticator!?
# in SSHD FILE $ AuthenticationMethods publickey,keyboard-interactive $ nano /etc/pam.d/sshd
# google auth $auth required pam_google_authenticator.so $auth required pam_google_authenticator.so nullok
ssh socks reverse