Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
SlideShare a Scribd company logo

Sshstuff

Download as ZIP, PDF
Matt Rae
Matt Rae

This document discusses various SSH techniques including creating SSH tunnels with -L to access services on remote networks, using -D to create a quick web proxy, copying files between remote hosts with -R, generating and managing SSH keys with ssh-keygen and ssh-agent, and configuring SSH forwarding and the ~/.ssh/config file. It also covers best practices for SSH key security and management.

1 of 10
Download to read offline
COOL SSH STUFF Yay!
SSH -L • Need to connect to a service on a remote network? Create an ssh tunnel! • sudossh -L 22:10.24.7.4:22 -L 23:10.24.7.4:23 -L 80:10.24.7.4:80 -L 443:10.24.7.4:443 -L 3389:10.24.7.4:3389 -L 17988:10.24.7.4:17988 -L 9300:10.24.7.4:9300 -L 17990:10.24.7.4:17990 -L 3002:10.24.7.4:3002 root@cacti.turn.com • 10.24.7.4 is the ILO address for db4.sjc2
SSH -D • Quick web proxy for access to a remote network • ssh -D 9999 admin1 • Change SOCKS proxy to use localhost:9999
SSH -R • Need to copy a file on a remote host to back to your box? • ssh -R 2222:localhost:22 remote_host • on remote host: scp -p 2222 /path/to/file localhost:/dest/file
SSH KEYS • Host keys - generated on sshd installation /etc/ssh/ • User keys - generated with “ssh-keygen -t dsa” • Give it a password. Passwordless keys generally bad. • Creates ~/.ssh/id_dsa (private key) • Creates ~/.ssh/id_dsa.pub (public key)
SSH AGENT • “ssh-agent is a program to hold private keys used for public key authentication” • ssh-agent bash; ssh-add • Keychain - http://www.gentoo.org/doc/en/keychain-guide.xml • Allows you to start ssh-agent on login once without starting it continually with subsequent logins.
SSH -A • sshkey forwarding. allows you to keep your private keys on a single host yet still authenticate using those keys after you’ve jumped through other hosts. • ssh-agent bash; ssh add; ssh -A hostname
~/.SSH/CONFIG • Host directives Host *.sjc2.turn.com ProxyCommand ssh admin1.sjc2 exec nc %h %p
KEY MANAGEMENT • Host keys • /etc/ssh/known_hosts • Needs to be populated with all known host keys • User keys • Private keys on secure box. We can store private keys on a bastion host. If someone gets your private key you’re screwed, especially if your key is in root’s authorized_keys
KEY SECURITY • Restrict keys to particular commands and hosts • in authorized_keys file prepend keys with • from="backup.turn.com",command="/usr/local/bin/backup.sh" ssh-dss AAAAAB3Nza • Allows for finer grained security when you need to use passwordless keys

More Related Content

Sshstuff

  • 2. SSH -L • Need to connect to a service on a remote network? Create an ssh tunnel! • sudossh -L 22:10.24.7.4:22 -L 23:10.24.7.4:23 -L 80:10.24.7.4:80 -L 443:10.24.7.4:443 -L 3389:10.24.7.4:3389 -L 17988:10.24.7.4:17988 -L 9300:10.24.7.4:9300 -L 17990:10.24.7.4:17990 -L 3002:10.24.7.4:3002 root@cacti.turn.com • 10.24.7.4 is the ILO address for db4.sjc2
  • 3. SSH -D • Quick web proxy for access to a remote network • ssh -D 9999 admin1 • Change SOCKS proxy to use localhost:9999
  • 4. SSH -R • Need to copy a file on a remote host to back to your box? • ssh -R 2222:localhost:22 remote_host • on remote host: scp -p 2222 /path/to/file localhost:/dest/file
  • 5. SSH KEYS • Host keys - generated on sshd installation /etc/ssh/ • User keys - generated with “ssh-keygen -t dsa” • Give it a password. Passwordless keys generally bad. • Creates ~/.ssh/id_dsa (private key) • Creates ~/.ssh/id_dsa.pub (public key)
  • 6. SSH AGENT • “ssh-agent is a program to hold private keys used for public key authentication” • ssh-agent bash; ssh-add • Keychain - http://www.gentoo.org/doc/en/keychain-guide.xml • Allows you to start ssh-agent on login once without starting it continually with subsequent logins.
  • 7. SSH -A • sshkey forwarding. allows you to keep your private keys on a single host yet still authenticate using those keys after you’ve jumped through other hosts. • ssh-agent bash; ssh add; ssh -A hostname
  • 8. ~/.SSH/CONFIG • Host directives Host *.sjc2.turn.com ProxyCommand ssh admin1.sjc2 exec nc %h %p
  • 9. KEY MANAGEMENT • Host keys • /etc/ssh/known_hosts • Needs to be populated with all known host keys • User keys • Private keys on secure box. We can store private keys on a bastion host. If someone gets your private key you’re screwed, especially if your key is in root’s authorized_keys
  • 10. KEY SECURITY • Restrict keys to particular commands and hosts • in authorized_keys file prepend keys with • from="backup.turn.com",command="/usr/local/bin/backup.sh" ssh-dss AAAAAB3Nza • Allows for finer grained security when you need to use passwordless keys

Editor's Notes