ivstefn

• ssh: client
• sshd: server daemon
• ssh-keygen: za generiranje privatnih/javnih ključeva
• ssh-add i ssh-agent: za upravljanje autentifikacijskim ključevima
• ssh-keyscan: za preuzimanje javnih ključeva sa servera
• sftp-server: server za prijenos fajlova putem SFTP-a

Common ssh options:

• -v: verbose
• -Y: podrška za GUI aplikacije
• -p XXXX: port
• -i private_key: odabir privatnog kljuca

Permisije na ~/.ssh moraju biti 0700.

PKI

Generiranje i razmjena ključeva:

1. ssh-keygen: kreira ~/.ssh/id_* (i .pub) fajlove s ključevima
2. ssh-copy-id user@server: dodaje id_*.pub na server u userov ~./.ssh/authorized_keys

Alternativno:

localhost:~$ grep user /etc/passwd
user:x:1000:1000:user:/home/user:/bin/sh
localhost:~$ mkdir ~/.ssh && chmod 0700 ~/.ssh
localhost:~$ cat /tmp/pubkey >> ~/.ssh/authorized_keys
localhost:~$ chmod 0600 ~/.ssh/authorized_keys 

ssh-agent

ssh-agent daemon kešira dekriptirane privatne ključeve, i automatski ih nudi ssh-u prilikom procesa spajanja.

• ssh-add ~/.ssh/id_ecdsa: dodavanje ključa
• ssh-all -l: izlist ključeva
• ssh-add -d PATH: brisanje ključa iz agenta
• ssh-add -D: brisanje svih ključeva iz agenta

Da bi maknuo privatni ključ iz agenta, javni ključ mora biti u istom direktoriju, pod istim imenom (i sa .pub ekstenzijom).

Ako je javni kljuc (.pub) izgubljen, mozemo ga rekreirati sa: ssh-keygen -yf id_KEY > id_KEY.pub.

host-aliases

~/.ssh/config:

PasswordAuthentication no
Host host1
    Hostname 1.2.3.4
    User name
    IdentityFile /home/name/.ssh/id_ecdsa
    ForwardAgent yes
    Port 2222
Host centos
    Hostname centos.example.net
    User centosuser
    PasswordAuthentication yes

# Wildcards
Host *
    ServerAliveInterval 30m
    ServerAliveCountMax 1
Host 172.20.*
    User anotherusername

Port forwarding

AllowTCPForwarding yes

ssh -L 8000:webserver:80 server.example.net

sshd server

• systemctl reload sshd: reload config
• sshd -t: test konfiguracije
• sshd -T: test konfiguracije, izlist parsiranih opcija

/etc/ssh/sshd_config:

# inet for IPv4, inet6 for IPv6
AddressFamily any

# Allowed users
AllowUsers user1 user2 user3
AllowGroups admins group1 group2

Banner /etc/banner

# Allow public key auth only
kbdinteractiveauthentication no
ChallengeResponseAuthentication no
PasswordAuthentication no
GSSAPIauthentication no
HostbasedAuthentication no
PubkeyAuthentication yes

# Disconnect inactive clients after 5m
ClientAliveInterval 300
ClientAliveCountMax 1

Compression yes

# Do not allow remote hosts to use forwarded ports
GatewayPorts no

# Record failed login attempts
LogLevel VERBOSE

MaxAuthTries 3

PermitRootLogin no

# Prevent users from setting their environment in an authorized_keys file
PermitUserEnvironment no

SyslogFacility AUTH

# Kill the session if a TCP connection is lost
TCPKeepAlive no

X11Forwarding no

# Anti-DoS
#
# Random early drop can be enabled by specifying the three 
# colon separated values “start:rate:full” (e.g. "10:30:60").
# sshd(8) will refuse connection attempts with a probability
# of “rate/100” (30%) if there are currently “start” (10)
# unauthenticated connections. The probability increases
# linearly and all connection attempts are refused if the
# number of unauthenticated connections reaches “full” (60).
MaxStartups 10:30:60

Host key verification with SSHFP

todo

SSHFP je DNS record koji sadržava serverov ssh pubkey.

scp i sftp

• scp ./file server.example.net:
• scp server.example.net:file ./file
• scp server1.admin.com:file server2.admin.com:file

---

Vidi:

• Mozilla Security/Guidelines/OpenSSH