Ssh

From The World according to Vissie

Setup

sudo apt-get install openssh-server openssh-client

Configure

Configure reverse ssh

https://www.howtogeek.com/428413/what-is-reverse-ssh-tunneling-and-how-to-use-it/

start:

/usr/bin/ssh -R 19999:localhost:22 vissie@hosta.vis.ac

connect:

ssh -p19999 root@localhost

Configure reverse ssh as a service

vim: /etc/systemd/system/ssh_remote.service
 
[Unit]
Description=SSH Tunnel
After=network.target

[Service]
Restart=always
RestartSec=20
User=vissie
ExecStart=/usr/bin/ssh -p1234  -NT -o ServerAliveInterval=60 -R 999:localhost:22 user@remote.com

[Install]
WantedBy=multi-user.target

Configure SSHD

Some good strong options to consider when setting up sshd.

vim: /etc/ssh/sshd_config
...
Protocol 2

ClientAliveInterval 900
ClientAliveCountMax 3

MaxAuthTries 3

IgnoreRhosts yes
HostbasedAuthentication no
PermitEmptyPasswords no

UsePrivilegeSeparation yes
StrictModes yes
UsePAM yes

AllowUsers user1 user2
PermitRootLogin no

X11Forwarding no
...
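As an added example (not from this page or from OpenSSH), the following Python audit reads an sshd_config and reports which of the options above are missing or set to a weaker value. It mimics two sshd parsing rules that matter for such a check: keywords are case-insensitive, and when a keyword is repeated the first value wins; the sample config is constructed and deliberately contains a misspelled keyword and a duplicate.

```python
import re

# Recommended values from the list above, keyed by lowercase keyword: sshd treats
# keywords case-insensitively, so "UsePam" and "UsePAM" are the same option.
EXPECTED = {
    "protocol": "2", "maxauthtries": "3", "ignorerhosts": "yes",
    "hostbasedauthentication": "no", "permitemptypasswords": "no",
    "strictmodes": "yes", "usepam": "yes", "permitrootlogin": "no",
    "x11forwarding": "no",
}

# Constructed sample config: note the misspelled StrictModes and the duplicate PermitRootLogin.
SAMPLE = """# sshd_config (constructed sample)
Protocol 2
MaxAuthTries 3
IgnoreRhosts yes
HostbasedAuthentication no
PermitEmptyPasswords no
StrcitModes yes
UsePam yes
PermitRootLogin yes
PermitRootLogin no
X11Forwarding = no
"""

def parse_sshd_config(text):
    """Return {keyword_lower: value}. Like sshd, keep only the FIRST value seen for a
    keyword and stop at the first Match block, whose settings apply only conditionally."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()               # drop comments and whitespace
        m = re.match(r"^([A-Za-z0-9]+)\s*=?\s*(.*?)\s*$", line)  # "Key value" or "Key=value"
        if not line or not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            break
        cfg.setdefault(key, value)                        # first occurrence wins
    return cfg

def audit(text):
    """Return [(keyword, expected, actual)] for recommended options that are missing or
    differ; actual is None when the keyword never appears (e.g. because of a typo)."""
    cfg = parse_sshd_config(text)
    return [(k, want, cfg.get(k)) for k, want in EXPECTED.items()
            if cfg.get(k) is None or cfg[k].lower() != want]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run it against /etc/ssh/sshd_config, then run sshd -t, which rejects unknown keywords such as the misspelling above before you restart the daemon.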

Keys

If you get:

# ssh-copy-id root@192.168.1.11
/usr/bin/ssh-copy-id: ERROR: No identities found

Solution: specify the path of the public key explicitly with the -i switch, as shown below:

# ssh-copy-id -i .ssh/id_rsa.pub 192.168.1.11

You can then create an alias in your bash.bashrc file to use that key:

alias name='ssh -i ~/.ssh/some_other.key my.host.com'

Copy keys without ssh-copy-id

https://openelec.tv/documentation/configuration/ssh-public-keys
ssh-keygen
scp -P 22 ~/.ssh/id_rsa.pub username@198.168.1.122:~/Downloads/id_rsa_localbox.pub

on the remote end:

cat ~/Downloads/id_rsa_localbox.pub >> ~/.ssh/authorized_keys

File share with ssh

If you are a Gnome user, this is possible in Nautilus as well.

Instead of

fish://username@192.168.1.20

you have to enter

ssh://username@192.168.1.20

in the address bar – protocol is ssh:// instead of fish://.

Or you could try sshfs: http://fuse.sourceforge.net/sshfs.html

Before attempting to mount a directory, make sure the file permissions on the target directory allow your user correct access. To mount, invoke sshfs to mount a remote directory:

sshfs USERNAME@HOSTNAME_OR_IP:/REMOTE_PATH LOCAL_MOUNT_POINT SSH_OPTIONS

For example:

sshfs sessy@mycomputer:/remote/path /local/path -C -p 9876 -o allow_other

Where -p 9876 is the port number, -C enables compression and -o allow_other lets non-root users have read/write access to the mount.

Send email on ssh login

http://askubuntu.com/questions/179889/how-do-i-set-up-an-email-alert-when-a-ssh-login-is-successful

First you need to be able to send mail from the command line. There are other questions about this. On a mail server it's probably easiest to install mailx (which is probably already installed anyway).

Mail

Then you need an executable script file login-notify.sh (I put it in /etc/ssh/ for example) with the following content. You can change the variables to change the subject and content of the e-mail notification.

vim: /etc/ssh/login-notify.sh
#!/bin/bash

# Change these two lines:
sender="sender-address@example.com"
recipient="notify-address@example.org"

# pam_exec runs this hook for open_session and close_session; only notify on login.
if [ "$PAM_TYPE" != "close_session" ]; then
    host="$(hostname)"
    subject="SSH Login: $PAM_USER from $PAM_RHOST on $host"
    # Message to send, e.g. the current environment variables.
    message="$(env)"
    # -a adds a header with bsd-mailx; other mailx variants treat -a as an attachment.
    echo "$message" | mailx -a "From: Foo Bar <$sender>" -s "$subject" "$recipient"
fi

Then make the script executable:

chmod +x /etc/ssh/login-notify.sh

Once you have that, you can add the following line to /etc/pam.d/sshd:

session optional pam_exec.so seteuid /path/to/login-notify.sh

For testing purposes, the module is included as optional, so that you can still log in if the execution fails. After you made sure that it works, you can change optional to required. Then login won't be possible unless the execution of your hook script is successful (if that is what you want).

How To Set Up SSH Keys

The first step is to create the key pair on the client machine (there is a good chance that this will just be your computer):

ssh-keygen -t rsa

You can copy the public key into the new machine's authorized_keys file with the ssh-copy-id command. Make sure to replace the example username and IP address below.

ssh-copy-id -p22 user@123.45.56.78

Two-factor authentication using Google Authenticator

https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-14-04

https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-16-04

sudo apt-get install libpam-google-authenticator

Next, execute google-authenticator as the user you want to protect with MFA:

google-authenticator

There are a number of questions to answer, but generally speaking y will be a good choice for all of them. A configuration file is then written to ~/.google-authenticator.

Next, root needs to enable Google Authenticator in PAM by adding it to the auth list in /etc/pam.d/sshd. The exact steps differ per distribution:

Debian

Next up, open your SSH configuration file /etc/ssh/sshd_config

vim: /etc/ssh/sshd_config
 ChallengeResponseAuthentication no
 (change it to)
 ChallengeResponseAuthentication yes
and add
 AuthenticationMethods publickey,keyboard-interactive

And in /etc/pam.d/sshd remove the standard authentication:

vim: /etc/pam.d/sshd
 #@include common-auth
and add google-authenticator
 auth required pam_google_authenticator.so

and restart sshd

/etc/init.d/ssh restart

Arch Linux

yay -S libpam-google-authenticator
google-authenticator

vim: /etc/pam.d/sshd
#%PAM-1.0
#auth     required  pam_securetty.so     #disable remote root
auth      include   system-remote-login
account   include   system-remote-login
password  include   system-remote-login
session   include   system-remote-login
auth      required  pam_google_authenticator.so

Next up, open your SSH configuration file /etc/ssh/sshd_config

vim: /etc/ssh/sshd_config
 ChallengeResponseAuthentication no
 (change it to)
 ChallengeResponseAuthentication yes

And in /etc/pam.d/sshd add the following:

vim: /etc/pam.d/sshd
auth	  required  pam_unix.so
auth	  required  pam_google_authenticator.so
auth	  required  pam_env.so

and restart sshd

sudo systemctl restart sshd

Happy days...

CentOS

https://www.vultr.com/docs/how-to-setup-two-factor-authentication-for-ssh-on-centos-6-using-google-authenticator

sudo yum install pam pam-devel google-authenticator

to continue one day -----

google-authenticator

vim: /etc/pam.d/sshd

#auth     required  pam_securetty.so     #disable remote root
auth	  required  pam_unix.so
auth	  required  pam_google_authenticator.so
auth	  required  pam_env.so


Next up, open your SSH configuration file /etc/ssh/sshd_config

vim: /etc/ssh/sshd_config
 ChallengeResponseAuthentication no
 (change it to)
 ChallengeResponseAuthentication yes

And in /etc/pam.d/sshd add the following:

vim: /etc/pam.d/sshd
auth	  required  pam_unix.so
auth	  required  pam_google_authenticator.so
auth	  required  pam_env.so

and restart sshd

sudo systemctl restart sshd

Happy days...
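To show what pam_google_authenticator actually verifies once the PAM and sshd changes above are in place, here is an added Python example (not part of this page or of the module) that parses the ~/.google-authenticator file layout and computes RFC 6238 TOTP codes from its secret. The file contents are constructed, using the RFC 6238 test key as the secret, and WINDOW_SIZE is modelled as a symmetric window of 30-second steps.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample of a ~/.google-authenticator file. The secret is the RFC 6238
# test key ("12345678901234567890" in base32); option lines and scratch codes are made up.
SAMPLE_FILE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 3
" DISALLOW_REUSE
" TOTP_AUTH
11111111
22222222
"""

def parse_google_authenticator(text):
    """Split the file into (base32 secret, option lines, emergency scratch codes).
    Line 1 is the secret; lines starting with '"' are options; the rest are scratch codes."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    options = [ln[1:].strip() for ln in lines[1:] if ln.startswith('"')]
    scratch = [ln for ln in lines[1:] if not ln.startswith('"')]
    return lines[0], options, scratch

def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1 and 30-second steps, as the authenticator app computes it."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", int(unix_time) // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                               # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_code(secret_b32, code, unix_time, window_size=3):
    """Accept a code if it matches any of window_size consecutive steps centred on now
    (WINDOW_SIZE 3 = current step plus one on either side), comparing in constant time."""
    half = window_size // 2
    for delta in range(-half, half + 1):
        if hmac.compare_digest(totp(secret_b32, unix_time + delta * 30), code):
            return True
    return False

if __name__ == "__main__":
    secret, options, scratch = parse_google_authenticator(SAMPLE_FILE)
    now = 1234567890
    print("secret:", secret, "options:", options, "scratch codes:", scratch)
    print("code now:", totp(secret, now), "valid:", verify_code(secret, totp(secret, now), now))
```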

Reverse proxy

ssh -R 5901:localhost:5901 -p 1234 remote.server.com

I like to think of it this way:

ssh -R 7000:localhost:5901 -p 1234 remote.server.com

Port 7000 on remote.server.com (whose sshd listens on port 1234) is forwarded back to port 5901 on localhost.