![SOCKS proxy a tunelovanie
pesnikl:~$ ssh -D 3128 testor
-L[bind_address:]port:host:hostport Request local forward
-R[bind_address:]port:host:hostport Request remote forward
-D[bind_address:]port Request dynamic forward
1.](https://image.slidesharecdn.com/openssh-120720022816-phpapp01/85/Tomas-Corej-OpenSSH-12-320.jpg)
Tomáš Čorej - OpenSSH
- 1. OpenSSH tomas.corej@websupport.sk @tomas_corej
- 2. OpenSSH ● nastroj pre bezpecne, vzdialene prihlasovanie ● prepisana verzia originalneho SSH nastroja ● priklad flexibilneho nastroja pouzitelneho na ovela viac nez len vzdialene prihlasovanie ● nahrada za telnet, ftp, rlogin ●
- 3. Od zaciatku pesnik:~$ ssh testor alebo pesnik:~$ ln -s /usr/bin/ssh-argv0 $HOME/bin/testor pesnik:~$ testor
- 4. Od zaciatku pesnik:~$ ssh testor user@testor password: ^C pesnik:~$ ssh-keygen pesnik:~$ ssh-copy-id testor Now try logging into the machine, with "ssh 'testor'", and check in: ~/.ssh/authorized_keys to make sure we haven't added extra keys that you weren't expecting.
- 5. Od zaciatku pesnik:~$ ssh testor Warning: the RSA host key for 'testor' differs from the key for the IP address '37.9.170.2' Offending key for IP in /home/tomas.corej/.ssh/known_hosts:57 Matching host key in /home/tomas.corej/.ssh/known_hosts:875 You have mail. Last login: Thu Jul 11 00:12:57 2012 from services testor:~$ ^D pesnik: ~$ ssh-keygen -R 37.9.170.2
- 6. Od zaciatku pesnik:~$ ssh testor You have mail. Last login: Thu Jul 11 00:12:57 2012 from pesnik testor:~$
- 7. Od zaciatku pesnik:~$ ssh testor You have mail. Last login: Thu Jul 11 00:12:57 2012 from services testor:~$ testor:~$ ~? Supported escape sequences: ~. - terminate connection (and any multiplexed sessions) ~B - send a BREAK to the remote system ~C - open a command line ~R - Request rekey (SSH protocol 2 only) ~^Z - suspend ssh ~# - list forwarded connections ~& - background ssh (when waiting for connections to terminate) ~? - this message ~~ - send the escape character by typing it twice (Note that escapes are only recognized immediately after newline.)
- 8. Pouzitelne v skriptoch pesnik:~$ ssh testor /bin/true && echo ok ok if ssh testor prikaz; then ... fi
- 9. Nechce sa mi pouzit scp pesnik:~$ dllllhyyy prikaz | ssh testor "cat > remotefile" pesnik:~$ mysqldump -uroot -p db | ssh testor "gzip - > db.gz" pesnik:~$ mysqldump -uroot -p db |gzip - | ssh testor "cat > db.gz" pesnik:~$ cat zoznam | ssh testor "while read input; do prikaz $input $USER;done"
- 10. X11 jednoducho pesnik:~$ ssh -X testor firefox pesnik:~$ ssh -X testor.vpn gnome-terminal pesnik:~$ ssh -X testor.vpn xeyes
- 11. Agent forwarding tomas.corej@pesnik:~$ ssh-add -l 2048 f8:c6:6a:f4:ca:ee:0e:57:86:ed:f1:4b:ec:d3:84:ba /home/tomas.corej/.ssh/id_rsa (RSA) tomas.corej@pesnik:~$ ssh -A testor tomas.corej@testor:~$ ssh-add -l 2048 f8:c6:6a:f4:ca:ee:0e:57:86:ed:f1:4b:ec:d3:84:ba /home/tomas.corej/.ssh/id_rsa (RSA) tomas.corej@pesnik:~$ ssh -A testor2 mozne bezpecnostne riziko adresar s unixovym socketom pristupny v /tmp moze viest k chybam hlavne pri spustani cron skriptov
- 12. SOCKS proxy a tunelovanie pesnikl:~$ ssh -D 3128 testor -L[bind_address:]port:host:hostport Request local forward -R[bind_address:]port:host:hostport Request remote forward -D[bind_address:]port Request dynamic forward 1.
- 13. Host * User root ForwardAgent yes ForwardX11 yes ConnectTimeout=20 PreferredAuthentications=publickey,password,keyboard- interactive StrictHostKeyChecking=no ControlMaster auto ControlPath ~/.ssh/sockets/%r@%h:%p SendEnv BASH_ENV IdentityFile ~/.ssh/id_rsa IdentityFile ~/.ssh/customers_vps Compression yes Host abcd IdentityFile ~/.ssh/abcd.pub Ulozme si to vsetko do $HOME/.ssh/config
- 14. level++
- 15. ProxyCommand ● moze to byt cokolvek, dolezite je, aby to spracovavalo STDIN a STDOUT ssh -o ProxyCommand="$HOME/.ssh/gateway.sh %h %p" testor ● Nahradzuje %h, %p a %r ● pristup cez prostrednika ssh -o ProxyCommand="ssh user@testor nc %h %p" user@192. 168.1.2 "uname -a" ● parameter -W ● riziko DOS
- 16. Multiplexovanie SSH spojeni ● pri castom generovani SSH spojeni a vo velkom mnozstve ● skracuje cas a znizuje overhead (0.2s vs 0.014s) ● config ControlMaster auto ControlPath ~/.ssh/sockets/%r@%h:%p ● ovladanie cez -O check,forward,stop,exit
- 17. Multiplexovanie SSH spojeni pesnik:~$ ssh testor You have mail. Last login: Thu Jul 11 00:12:57 2012 from pesnik testor:~$ testor:~$ ~^Z pesnik:~$ cd ~/.ssh/sockets pesnik:~$ ~/.ssh/sockets$ ls user@testor:22 pesnik:~$ ssh -O check user@testor Master running (pid=22797) pesnik:~$ fg testor:~$
- 18. Subsystemy ● ina forma spustania remotnych prikazov ● SFTP je subsystem ● moze ist aj o internu funkcionalitu (sftp a chroot) ● server sshd_config Subsystem backup /root/bin/backupcmd ● ssh klient ssh -s backup root@testor
- 19. DNS SSHFP ● rozsireny sposob verifikacie odtlackov ● fingerprinty SSHD je mozne ulozit aj do DNS zaznamov ● VerifyHostKeyDNS yes|ask|no
- 20. Sukromne kluce ● sukromne kluce sa nachadzaju v $HOME/id_rsa (defaulne) ● Kluce je mozne dodatocne specifikovat no-port-forwarding,no-user-rc,no-X11-forwarding,no-pty, command="/bin/nc $SSH_ORIGINAL_COMMAND" ssh-rsa AAAAB3NzMMAND" ssh-rsa AAAAB3Nza.... ● $SSH_ORIGINAL_COMMAND obsahuje text prikazu ssh root@testor prikaz
- 21. OpenSSH-lpk ● OpenSSH-lpk patch ○ sposobuje dotazovanie sa na verejne kluce na LDAP server
- 23. factotum ● prispevok zo sveta operacneho systemu Plan9