openssh.okubeni 14 KB

To start the ssh service:
- 1. Install the port: openssh.service
- 2. See the page
http://www.linuxfromscratch.org/blfs/view/svn/postlfs/openssh.html
for more information.
Miscellaneous tips:
- Create a new key pair (private/public)
$ ssh-keygen -t dsa
Enter file in which to save the key (/home/thierry/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/thierry/.ssh/id_dsa.
Your public key has been saved in /home/thierry/.ssh/id_dsa.pub.
The key fingerprint is:
87:66:b7:a0:f6:0e:6a:71:2c:5d:ee:5f:17:2a:b7:2f thierry@nutyx
To send it directly to the ssh server:
$ cat ~/.ssh/id_dsa.pub | ssh user@remotehost "cat - >> ~/.ssh/authorized_keys"
- Another way to send it:
$ ssh-copy-id -i ~/.ssh/id_dsa.pub user@remotehost
- Avoid the lastlog message:
$ ssh -T user@hostname.com
- Piping
Example of streaming a backup process through ssh:
$ ufsdump 0uf - /dev/md/rdsk/d33 | ssh r280n "dd obs=32k ibs=32k of=/dev/rmt/0n"
- rsync over ssh:
$ rsync -avz -e "ssh -i /home/thisuser/cron/thishost-rsync-key" \
remoteuser@remotehost:/remote/dir /this/dir/
- X-forwarding, or running the remote X server through ssh
$ ssh -X thierry@remotehost
Warning: untrusted X11 forwarding setup failed: xauth key data not generated
Warning: No xauth data; using fake authentication data for X11 forwarding.
- Port forwarding / redirecting ports between 2 hosts:
Set up a localforward from the remote machine port 25 to a local port 9025:
$ ssh -L 9025:localhost:25 thierry@remotehost
- No command:
Sometimes you just want a forward without a shell:
$ ssh -N -L 9025:localhost:25 patrick@remotehost
- KeepAlive:
Getting tired of those timeouts by the firewall? Have ssh send a keepalive.
Add to your $HOME/.ssh/config:
KeepAlive yes
ServerAliveInterval 60
- Set up a new SOCKS proxy socket
Sometimes it's interesting to start a socks daemon. You can configure this in your browser to surf as if it came from the remote machine.
$ ssh -D 9999 patrick@remotehost
- Tunneling through http proxies:
Corporate firewalls very often only allow outbound access via the http port. More info at http://www.agroman.net/corkscrew/
ProxyCommand /usr/bin/corkscrew proxy-ip 8080 %h %p ~/.ssh/myauth
- Chaining ssh hopping:
Host pc1.example.org pc2.example.org
ForwardAgent yes
ProxyCommand ssh -qax bastion.example.org /usr/bin/nc -w 120 %h %p
- Netcat mode:
Starting from openssh 5.4 we can have ssh act as netcat (-W). This connects stdio on the client to a single port forward on the server. This allows, for example, using ssh as a
ProxyCommand to route connections via intermediate servers.
$ ssh -p 443 -W remotehost2:23 patrick@remotehost
Trying remotehost2...
Connected to remotehost2.
Escape character is '^]'.
User Name : ^]
telnet> close
$
- Mounting over ssh:
Sometimes it's nice to mount a remote directory over ssh. Fuse and sshfs are your friends.
$ sshfs remote-user@remote.server:/remote/directory /mnt/remote-fs/
- VPN Tunneling
Did you know that ssh can do layer 2 and 3 VPN tunneling?
Check out ssh -w. Example from the manpage:
$ ssh -f -w 0:1 192.168.1.15 true
$ ifconfig tun0 10.0.50.1 10.0.99.1 netmask 255.255.255.252
- SSH http multiplexer:
sslh lets one accept both HTTPS and SSH connections on the same port. It makes it possible to connect to an SSH server on port 443 (e.g. from inside a corporate firewall) while
still serving HTTPS on that port. http://www.rutschle.net/tech/sslh.shtml
- Speed
Compression
If you are working on a slow link, compression (-C) and a simple cipher (-c blowfish) speed things up
$ ssh -C -c blowfish patrick@remotehost
- Multiplexing - ControlMaster:
Another great way to speed up ssh is to re-use the same connection when you connect multiple times to the same host
$ mkdir -p ~/.ssh/connections
$ chmod 700 ~/.ssh/connections
Add this to your ~/.ssh/config file:
Host *
ControlMaster auto
ControlPath ~/.ssh/connections/%r_%h_%p
-- Managing keys
- Ignore host keys:
When you install and reinstall all the time, you surely want to get rid of this "hostfile key verification" message:
$ ssh user@host -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null
- Check whether a host key exists:
$ ssh-keygen -F 192.168.2.152
# Host 192.168.2.152 found: line 31 type RSA
192.168.2.152 ssh-rsa
AAAAB3NzaC1yc2EAAAABIwAAAQEAwHH15HpeJo21wyqpe2iFM8/0CtoYnE9DDXfCewws7iMhM+vgp7pjnaC83IgAt7G/x/VDHcbnyuI4odrGSEAE5wm7LNuT6uSfQMbXCayE+uoOIrAVhf41ZnAFQrs/+Mutk5LFEjPPNhuriq5ltBT4UwMlYQMa5z/SzmxV0ZAGXks5GMDz0o89yUwRarRfsGudASEtzUxgnxnOo5STBMZOdQ0GNEVdfJDgfJDAOi34T1FidpCqAtm8akYuB+Qsj3/hDQmIT+GsKYaGNZvz8ZNnPBAc9kWlS6VqXXNreyEeu7AmHDWXjMP3NW1tsibmZ8zeOSZdmEVEiuaYCIvERDq3MQ==
- Remove a host key:
$ ssh-keygen -R 192.168.2.152
/home/thierry/.ssh/known_hosts updated.
Original contents retained as /home/thierry/.ssh/known_hosts.old
- Retrieve the remote public key
$ ssh-keyscan remotehost
# remotehost SSH-2.0-OpenSSH_5.2
remotehost ssh-rsa
AAAAB3NzaC1yc2EAAAABIwAAAQEAyREFGMBB6Qi1uoEYIk4GlqLXdS26moAxmV69UX0icQjp0Rw53xZ/2L0ZQwhsUiFV1vq4QfZNeUO142IzBgSspgsJZ7wJq213tsE7WIJGIBqvWnhU3vJuL9wgYT8f6BAvLoEfapFhLy24TDmn2DXldJAYgo8MnUbRrJlvnhQZPpd5cDWCXkzPGQE8r7REZsAWbWNlVOFRvZioPoGCGYMtsDWSBelBISGkedoNpTSpRkMmBAnsHBfvIzDPoTDYL4PZR0jJ8MaJrDhRtD4caRw4HVyhzSa3/FCpcm09PyBRabH/CyxNSOZjLc2+N9Ph9AKeTNgvmxP70wx668XaGYwCrQ==
- SSH DNS keys
Patrick Debois
Just Enough Developed Infrastructure
ssh tricks - the usual and beyond
SSH is an amazing beast. I use it nearly every day and I'm amazed every time I learn something new. The following is a list of the tricks in my bag. It starts with the usual
tricks that you find all over the place, but I hope there will be some new tricks for you too.
What's your best trick? Share it in the comments with the world. Nobody can know enough of ssh!
The basics:
Password-less login:
This is usually the first thing you start doing when you want automation with ssh.
#Create a new keypair
$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/Users/patrick/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/patrick/.ssh/id_dsa.
Your public key has been saved in /Users/patrick/.ssh/id_dsa.pub.
The key fingerprint is:
87:66:b7:a0:f6:0e:6a:71:2c:5d:ee:5f:17:2a:b7:2f patrick@localhost
The key's randomart image is:
+--[ DSA 1024]----+
| |
| |
| |
| .. |
| o oS o . |
| o ++.+ . . . |
| ++. o + . |
| .o o. +Eo |
| .. .o.. .o. |
+-----------------+
$ cat ~/.ssh/id_dsa.pub | ssh user@remotehost "cat - >> ~/.ssh/authorized_keys"
$ ssh user@remotehost
Install your keys on a remote server:
$ ssh-copy-id -i ~/.ssh/id_dsa.pub user@remotehost
#Alternative
$ cat ~/.ssh/id_dsa.pub | ssh user@remotehost "cat - >> ~/.ssh/authorized_keys"
Passphrase automation:
If you have protected your keys with a passphrase (which you should), then it is annoying to re-enter it all the time. You can avoid that by running your environment inside an
ssh-agent and using ssh-add to enter the passphrase once.
$ ssh-add ~/.ssh/id_dsa
Need passphrase for /home/mah/.ssh/id_dsa (you@example.com).
Enter passphrase:
$
Pseudo terminal:
Some commands like sudo require a pseudo terminal to be allocated.
$ ssh -t patrick@remotehost sudo cat /etc/passwd
Avoid lastlog:
Log in without appearing in lastlog/w and who output.
$ ssh -T user@hostname.com
Piping
Example of using piping to back up over the network
$ ufsdump 0uf - /dev/md/rdsk/d33 | ssh r280n "dd obs=32k ibs=32k of=/dev/rmt/0n"
Rsync over ssh
$ rsync -avz -e "ssh -i /home/thisuser/cron/thishost-rsync-key" remoteuser@remotehost:/remote/dir /this/dir/
Tunnels and firewall-piercings:
X-forwarding:
$ ssh -X patrick@remotehost
Warning: untrusted X11 forwarding setup failed: xauth key data not generated
Warning: No xauth data; using fake authentication data for X11 forwarding.
Last login: Fri Aug 27 20:27:40 2010
Port forwarding:
Set up a localforward from the remote machine port 25 to a local port 9025
$ ssh -L 9025:localhost:25 patrick@remotehost
No command:
Sometimes you just want to set up a forward without having a shell
$ ssh -N -L 9025:localhost:25 patrick@remotehost
KeepAlive:
Getting tired of those timeouts by the firewall? Have ssh send a keepalive.
Put the following options in your $HOME/.ssh/config
KeepAlive yes
ServerAliveInterval 60
Socks daemon for proxying: (-D)
Sometimes it's interesting to start a socks daemon. You can configure this in your browser to surf as if it came from the remote machine.
$ ssh -D 9999 patrick@remotehost
Tunneling over an http proxy:
Corporate firewalls often only allow http to go outside. See corkscrew
ProxyCommand /usr/bin/corkscrew proxy-ip 8080 %h %p ~/.ssh/myauth
Chaining ssh hopping:
Host pc1.example.org pc2.example.org
ForwardAgent yes
ProxyCommand ssh -qax bastion.example.org /usr/bin/nc -w 120 %h %p
Netcat mode:
Starting from openssh 5.4 we can have ssh act as netcat (-W). This connects stdio on the client to a single port forward on the server. This allows, for example, using ssh as a
ProxyCommand to route connections via intermediate servers.
$ ssh -p 443 -W remotehost2:23 patrick@remotehost
Trying remotehost2...
Connected to remotehost2.
Escape character is '^]'.
User Name : ^]
telnet> close
$
Mounting over ssh:
Sometimes it's nice to mount a remote directory over ssh. Fuse and sshfs are your friends.
$ sshfs remote-user@remote.server:/remote/directory /mnt/remote-fs/
http://fuse.sourceforge.net/sshfs.html
VPN Tunneling:
Did you know that ssh can do layer 2 and 3 VPN tunneling?
Check out ssh -w. Example from the manpage:
$ ssh -f -w 0:1 192.168.1.15 true
$ ifconfig tun0 10.0.50.1 10.0.99.1 netmask 255.255.255.252
SSH http multiplexer:
sslh lets one accept both HTTPS and SSH connections on the same port. It makes it possible to connect to an SSH server on port 443 (e.g. from inside a corporate firewall) while
still serving HTTPS on that port. http://www.rutschle.net/tech/sslh.shtml
Speed
Compression
If you are working on a slow link, compression (-C) and a simple cipher (-c blowfish) speed things up
$ ssh -C -c blowfish patrick@remotehost
Multiplexing - ControlMaster:
Another great way to speed up ssh is to re-use the same connection when you connect multiple times to the same host
$ mkdir -p ~/.ssh/connections
$ chmod 700 ~/.ssh/connections
Add this to your ~/.ssh/config file:
Host *
ControlMaster auto
ControlPath ~/.ssh/connections/%r_%h_%p
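How the stanzas in ~/.ssh/config combine is easy to get wrong: ssh keeps the first value it obtains for each option, so a "Host *" block placed at the top pins its values for every host (including the ForwardAgent yes meant only for the bastion-hopped machines), and the %h/%p/%r tokens are substituted per connection. The Python below is an added example, not code from the post or from OpenSSH: a minimal resolver for the stanzas shown on this page (the bastion-hop block and the ControlMaster defaults) that returns the effective options for a given host. It models only what the page uses: Host patterns with wildcards and ! negation, first-value-wins, and the %h, %p, %r and %% tokens. Match blocks, Include and HostName rewriting are not handled. Note also that ssh_config(5) today documents the KeepAlive option under the name TCPKeepAlive.

```python
import fnmatch
import re

# Constructed sample client config (not from the post), assembled from the stanzas
# the post shows: the bastion-hop stanza first, then the "Host *" defaults last.
SAMPLE_CONFIG = """\
Host pc1.example.org pc2.example.org
    ForwardAgent yes
    ProxyCommand ssh -qax bastion.example.org /usr/bin/nc -w 120 %h %p

Host *
    ControlMaster auto
    ControlPath ~/.ssh/connections/%r_%h_%p
    ServerAliveInterval 60
"""

# Same stanzas with a "Host *" block placed FIRST: because ssh keeps the first value
# it obtains for each option, this silently pins ForwardAgent to "no" everywhere.
REORDERED_CONFIG = "Host *\n    ForwardAgent no\n\n" + SAMPLE_CONFIG

_LINE = re.compile(r"^([A-Za-z]+)\s*=?\s*(.*?)\s*$")   # "Key value" or "Key=value"


def parse_ssh_config(text):
    """Split an ssh_config into [(host_patterns, {option: value}), ...] in file order.
    Option names are lower-cased because ssh treats them case-insensitively."""
    stanzas = []
    patterns, opts = ["*"], {}          # options before any Host line apply everywhere
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError("bad ssh_config line: %r" % raw)
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            raise NotImplementedError("Match blocks are not modelled in this example")
        if key == "host":
            if opts:
                stanzas.append((patterns, opts))
            patterns, opts = value.split(), {}
        else:
            opts.setdefault(key, value)  # within one stanza the first value also wins
    if opts:
        stanzas.append((patterns, opts))
    return stanzas


def host_matches(patterns, host):
    """ssh Host semantics: a negated pattern (!x) that matches vetoes the stanza;
    otherwise any positive pattern that matches selects it."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            matched = True
    return matched


def resolve(stanzas, host, user, port=22):
    """Effective options for `host`: walk the stanzas in order, first value per
    option wins, then expand the %h/%p/%r/%% tokens used on this page."""
    effective = {}
    for patterns, opts in stanzas:
        if host_matches(patterns, host):
            for key, value in opts.items():
                effective.setdefault(key, value)
    tokens = {"%h": host, "%p": str(port), "%r": user, "%%": "%"}
    for key, value in effective.items():
        effective[key] = re.sub(r"%[hpr%]", lambda m: tokens[m.group(0)], value)
    return effective


if __name__ == "__main__":
    for label, text in (("specific-first", SAMPLE_CONFIG), ("Host * first", REORDERED_CONFIG)):
        eff = resolve(parse_ssh_config(text), "pc1.example.org", user="patrick")
        print("%-14s ForwardAgent=%s ProxyCommand=%s"
              % (label, eff.get("forwardagent"), eff.get("proxycommand")))
```

Running the script shows the same ForwardAgent line resolving to yes in the first layout and to no in the second, which is the check worth scripting before trusting an agent-forwarding rule that was meant to be scoped to two hosts.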
Managing keys
Ignore hostkeys:
When you're re-installing a machine over and over again, you often want to get rid of the hostfile key verification. This is what you need:
$ ssh user@host -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null
Check if a hostkey exists:
$ ssh-keygen -F 192.168.2.152
# Host 192.168.2.152 found: line 31 type RSA
192.168.2.152 ssh-rsa
AAAAB3NzaC1yc2EAAAABIwAAAQEAwHH15HpeJo21wyqpe2iFM8/0CtoYnE9DDXfCewws7iMhM+vgp7pjnaC83IgAt7G/x/VDHcbnyuI4odrGSEAE5wm7LNuT6uSfQMbXCayE+uoOIrAVhf41ZnAFQrs/+Mutk5LFEjPPNhuriq5ltBT4UwMlYQMa5z/SzmxV0ZAGXks5GMDz0o89yUwRarRfsGudASEtzUxgnxnOo5STBMZOdQ0GNEVdfJDgfJDAOi34T1FidpCqAtm8akYuB+Qsj3/hDQmIT+GsKYaGNZvz8ZNnPBAc9kWlS6VqXXNreyEeu7AmHDWXjMP3NW1tsibmZ8zeOSZdmEVEiuaYCIvERDq3MQ==
Remove a hostkey:
$ ssh-keygen -R 192.168.2.152
/Users/patrick/.ssh/known_hosts updated.
Original contents retained as /Users/patrick/.ssh/known_hosts.old
Get the hostkey of a remote server:
$ ssh-keyscan remotehost
# remotehost SSH-2.0-OpenSSH_5.2
remotehost ssh-rsa
AAAAB3NzaC1yc2EAAAABIwAAAQEAyREFGMBB6Qi1uoEYIk4GlqLXdS26moAxmV69UX0icQjp0Rw53xZ/2L0ZQwhsUiFV1vq4QfZNeUO142IzBgSspgsJZ7wJq213tsE7WIJGIBqvWnhU3vJuL9wgYT8f6BAvLoEfapFhLy24TDmn2DXldJAYgo8MnUbRrJlvnhQZPpd5cDWCXkzPGQE8r7REZsAWbWNlVOFRvZioPoGCGYMtsDWSBelBISGkedoNpTSpRkMmBAnsHBfvIzDPoTDYL4PZR0jJ8MaJrDhRtD4caRw4HVyhzSa3/FCpcm09PyBRabH/CyxNSOZjLc2+N9Ph9AKeTNgvmxP70wx668XaGYwCrQ==
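ssh-keygen -F and ssh-keyscan both work on the same `host keytype base64-blob` line format, and the blob itself is a sequence of length-prefixed fields whose first field repeats the key type. The Python below is an added example, not code from the post or from OpenSSH: it looks a host up in known_hosts content the way ssh-keygen -F does (plain and hashed host fields), decodes the blob to check that the embedded type agrees with the declared one, and computes the MD5 and SHA256 fingerprints that ssh-keygen -l would print. The key blob is the one shown above for 192.168.2.152; the known_hosts content, the "remotehost" hashed entry and its salt are constructed for the example.

```python
import base64
import hashlib
import hmac

# Host-key blob copied from the `ssh-keygen -F 192.168.2.152` output on this page;
# everything else in this file is constructed for the example.
PAGE_KEY_BLOB = (
    "AAAAB3NzaC1yc2EAAAABIwAAAQEAwHH15HpeJo21wyqpe2iFM8/0CtoYnE9DDXfCewws7iMhM+vgp7pj"
    "naC83IgAt7G/x/VDHcbnyuI4odrGSEAE5wm7LNuT6uSfQMbXCayE+uoOIrAVhf41ZnAFQrs/+Mutk5LF"
    "EjPPNhuriq5ltBT4UwMlYQMa5z/SzmxV0ZAGXks5GMDz0o89yUwRarRfsGudASEtzUxgnxnOo5STBMZO"
    "dQ0GNEVdfJDgfJDAOi34T1FidpCqAtm8akYuB+Qsj3/hDQmIT+GsKYaGNZvz8ZNnPBAc9kWlS6VqXXNr"
    "eyEeu7AmHDWXjMP3NW1tsibmZ8zeOSZdmEVEiuaYCIvERDq3MQ=="
)


def decode_blob(blob_b64):
    """Base64-decode a public-key blob and split its length-prefixed fields
    (RFC 4253 string/mpint encoding). Returns (raw_bytes, [field, ...])."""
    raw = base64.b64decode(blob_b64)
    fields, pos = [], 0
    while pos < len(raw):
        n = int.from_bytes(raw[pos:pos + 4], "big")
        pos += 4
        if pos + n > len(raw):
            raise ValueError("truncated key blob")
        fields.append(raw[pos:pos + n])
        pos += n
    return raw, fields


def describe_key(keytype, blob_b64):
    """Fingerprints in the two formats ssh-keygen -l prints (MD5 hex pairs, SHA256
    base64 without padding) plus RSA size/exponent. Rejects a blob whose embedded
    type field disagrees with the declared type (a tampered or mis-edited line)."""
    raw, fields = decode_blob(blob_b64)
    wire_type = fields[0].decode("ascii")
    if wire_type != keytype:
        raise ValueError("declared %s but blob encodes %s" % (keytype, wire_type))
    sha256 = base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")
    md5 = ":".join("%02x" % b for b in hashlib.md5(raw).digest())
    info = {"type": wire_type, "sha256": "SHA256:" + sha256, "md5": "MD5:" + md5}
    if wire_type == "ssh-rsa":                      # fields: type, e, n
        info["e"] = int.from_bytes(fields[1], "big")
        info["bits"] = int.from_bytes(fields[2], "big").bit_length()
    return info


def hash_hostname(host, salt):
    """Hashed known_hosts host field (HashKnownHosts yes):
    |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_field_matches(field, host):
    if field.startswith("|1|"):
        salt = base64.b64decode(field.split("|")[2])
        return hmac.compare_digest(hash_hostname(host, salt), field)
    return host in field.split(",")     # plain form: comma-separated names/addresses


def find_host(known_hosts_text, host):
    """What `ssh-keygen -F host` does: return [(line_no, keytype, blob), ...]."""
    hits = []
    for no, line in enumerate(known_hosts_text.splitlines(), 1):
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].startswith("@"):    # @cert-authority / @revoked marker shifts the fields
            parts = parts[1:]
        if len(parts) < 3:
            continue
        if host_field_matches(parts[0], host):
            hits.append((no, parts[1], parts[2]))
    return hits


# Constructed known_hosts: the plain entry from this page plus a hashed entry for
# "remotehost" (fixed salt chosen here; real salts are random).
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts",
    "192.168.2.152 ssh-rsa " + PAGE_KEY_BLOB,
    hash_hostname("remotehost", bytes(range(20))) + " ssh-rsa " + PAGE_KEY_BLOB,
])

if __name__ == "__main__":
    for host in ("192.168.2.152", "remotehost", "10.0.0.1"):
        for line_no, keytype, blob in find_host(SAMPLE_KNOWN_HOSTS, host):
            info = describe_key(keytype, blob)
            print("# Host %s found: line %d type %s %d bits %s"
                  % (host, line_no, info["type"], info["bits"], info["sha256"]))
```

Comparing the SHA256 fingerprint obtained from ssh-keyscan with one received out of band is exactly the step that the StrictHostKeyChecking=no trick above skips; with the lookup and fingerprint scriptable, a re-install workflow can instead run ssh-keygen -R for the rebuilt host and re-pin its new key, keeping verification on for everything else.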
- SSH DNS keys
Instead of using your local hostfile, you can store your keys in DNS. Have a look at http://freshmeat.net/projects/sshfp/ to do the job.
Then you can tell ssh to verify host keys via DNS:
$ ssh localhost -o "VerifyHostKeyDNS=yes"
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is 2d:d3:29:bd:4d:e2:7d:a3:b0:15:96:26:d4:60:13:34.
Matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no)?
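The SSHFP record that sshfp and ssh-keygen -r publish is just a hash of the raw host-key blob with two code points in front: the key algorithm and the hash type. The Python below is an added example, not the sshfp project's or OpenSSH's code: it generates the records for a key and performs the client-side comparison that VerifyHostKeyDNS makes when the server presents its key. The ssh-ed25519 blob is a constructed placeholder, not a real key. One caveat from ssh_config(5): ssh only treats a DNS match as authoritative when the resolver reports the answer as DNSSEC-validated; otherwise you still get the prompt shown above, with "Matching host key fingerprint found in DNS" serving as a hint only.

```python
import base64
import hashlib
import hmac

# SSHFP code points (RFC 4255, RFC 6594, RFC 7479), the ones `ssh-keygen -r` emits.
SSHFP_ALGORITHM = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                   "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
SSHFP_HASH = {"sha1": 1, "sha256": 2}
HASH_BY_CODE = {code: name for name, code in SSHFP_HASH.items()}

# Constructed sample: an ssh-ed25519 blob with placeholder key bytes (not a real key).
SAMPLE_ED25519_BLOB = base64.b64encode(
    b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + bytes(range(32))).decode()


def sshfp_records(hostname, keytype, blob_b64, hashes=("sha1", "sha256")):
    """The records `ssh-keygen -r hostname` would print for this key: the digest is
    computed over the raw (base64-decoded) public-key blob."""
    raw = base64.b64decode(blob_b64)
    return ["%s IN SSHFP %d %d %s" % (hostname, SSHFP_ALGORITHM[keytype],
                                      SSHFP_HASH[h], hashlib.new(h, raw).hexdigest())
            for h in hashes]


def sshfp_matches(record, keytype, blob_b64):
    """Client-side check behind VerifyHostKeyDNS: recompute the digest of the key the
    server presented and compare it with the published record."""
    fields = record.split()
    if len(fields) != 6 or fields[1:3] != ["IN", "SSHFP"]:
        raise ValueError("not an SSHFP record: %r" % record)
    alg, fptype, published = int(fields[3]), int(fields[4]), fields[5].lower()
    if alg != SSHFP_ALGORITHM.get(keytype) or fptype not in HASH_BY_CODE:
        return False
    digest = hashlib.new(HASH_BY_CODE[fptype], base64.b64decode(blob_b64)).hexdigest()
    return hmac.compare_digest(digest, published)


if __name__ == "__main__":
    for rec in sshfp_records("remotehost", "ssh-ed25519", SAMPLE_ED25519_BLOB):
        print(rec, "->", sshfp_matches(rec, "ssh-ed25519", SAMPLE_ED25519_BLOB))
```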
- SSH escape sequences:
It often happens to me that I'm working in an ssh shell that used forwarding. I always thought there was no way to change the forwarding rules and that I had to log out. It
seems not! SSH has an internal shell activated by a tilde. Seeing is believing!
Escape sequences are only recognized after a newline and are initiated with a tilde (~) unless you modify it with the -e flag.
Hit ENTER ~? on a running ssh session to see a list of escapes:
~. - terminate connection
~B - send a BREAK to the remote system
~C - open a command line
~R - Request rekey (SSH protocol 2 only)
~^Z - suspend ssh
~# - list forwarded connections
~& - background ssh (when waiting for connections to terminate)
~? - this message
~~ - send the escape character by typing it twice
(Note that escapes are only recognized immediately after newline.)
~. and ~# are particularly useful.
- Visualize the key:
Every host key has its own visual fingerprint
$ ssh -o VisualHostKey=yes thierry@localhost
Host key fingerprint is 9f:a0:03:c1:63:8b:b8:c6:d6:83:cb:22:33:cb:83:cc
+--[ RSA 2048]----+
| |
| . |
| = |
| . o + |
|. . o S |
|..o . . o . |
|== o o o |
|@E. . . |
|+B. |
+-----------------+
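The picture is produced by OpenSSH's "drunken bishop" walk: each fingerprint byte supplies four two-bit moves on a 17x9 board, the number of times a cell was visited selects its symbol, and S and E mark the start and end cells. The Python below is an added re-implementation for illustration, not OpenSSH's code; it reproduces the header and border layout shown above and is run on the MD5 fingerprint printed above. Visit counts saturate at the '^' symbol and the bishop stops at the board edge, which is why a digest of all zero bytes ends in the top-left corner and one of all 0xff bytes in the bottom-right.

```python
# Symbols of OpenSSH's augmentation string: visit counts 0..14 map to these; the
# start cell is then overwritten with 'S' and the end cell with 'E'.
SYMBOLS = " .o+=*BOX@%&#/^"
FLD_X, FLD_Y = 17, 9


def parse_md5_fingerprint(text):
    """'9f:a0:03:...' (16 colon-separated hex pairs) -> 16 raw bytes."""
    return bytes(int(h, 16) for h in text.strip().split(":"))


def randomart(digest, keytype, bits):
    """Drunken-bishop walk used by VisualHostKey / ssh-keygen -lv.
    Returns the 11 lines of the picture: header, 9 board rows, footer."""
    field = [[0] * FLD_X for _ in range(FLD_Y)]
    x, y = FLD_X // 2, FLD_Y // 2             # the bishop starts in the centre
    for byte in digest:
        for _ in range(4):                    # two bits per step, low bits first
            x += 1 if byte & 0x1 else -1
            y += 1 if byte & 0x2 else -1
            x = min(max(x, 0), FLD_X - 1)     # it stops at the wall instead of wrapping
            y = min(max(y, 0), FLD_Y - 1)
            if field[y][x] < len(SYMBOLS) - 1:    # counts saturate at '^'
                field[y][x] += 1
            byte >>= 2
    rows = [[SYMBOLS[c] for c in row] for row in field]
    rows[FLD_Y // 2][FLD_X // 2] = "S"
    rows[y][x] = "E"
    header = ("+--[%4s %4d]" % (keytype, bits)).ljust(FLD_X + 1, "-") + "+"
    footer = "+" + "-" * FLD_X + "+"
    return [header] + ["|" + "".join(r) + "|" for r in rows] + [footer]


if __name__ == "__main__":
    # The fingerprint printed by `ssh -o VisualHostKey=yes` above.
    fp = parse_md5_fingerprint("9f:a0:03:c1:63:8b:b8:c6:d6:83:cb:22:33:cb:83:cc")
    print("\n".join(randomart(fp, "RSA", 2048)))
```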