COOL SSH STUFF
Yay!
SSH -L

• Need to connect to a service on a remote network? Create an ssh tunnel!

• sudo ssh -L 22:10.24.7.4:22 -L 23:10.24.7.4:23 -L 80:10.24.7.4:80 -L 443:10.24.7.4:443 -L 3389:10.24.7.4:3389 -L 17988:10.24.7.4:17988 -L 9300:10.24.7.4:9300 -L 17990:10.24.7.4:17990 -L 3002:10.24.7.4:3002 root@cacti.turn.com

• 10.24.7.4 is the iLO address for db4.sjc2 (sudo is needed because the local ends of the tunnel bind privileged ports such as 22, 80 and 443)
SSH -D


• Quick web proxy for access to a remote network

• ssh -D 9999 admin1

• Change your SOCKS proxy setting to use localhost:9999
SSH -R


• Need to copy a file from a remote host back to your box?

• ssh -R 2222:localhost:22 remote_host

• on the remote host: scp -P 2222 /path/to/file localhost:/dest/file (scp takes the port as capital -P; lowercase -p only preserves timestamps)
SSH KEYS

• Host keys - generated on sshd installation, stored in /etc/ssh/

• User keys - generated with “ssh-keygen -t dsa”

 • Give it a passphrase. Passwordless keys are generally bad.

 • Creates ~/.ssh/id_dsa (private key)

 • Creates ~/.ssh/id_dsa.pub (public key)
SSH AGENT

• “ssh-agent is a program to hold private keys used for public key authentication”

• ssh-agent bash; ssh-add

• Keychain - http://www.gentoo.org/doc/en/keychain-guide.xml

  • Allows you to start ssh-agent once on login without starting it again on every subsequent login.
SSH -A


• ssh key forwarding. Allows you to keep your private keys on a single host yet still authenticate using those keys after you’ve jumped through other hosts.

• ssh-agent bash; ssh-add; ssh -A hostname
~/.SSH/CONFIG



• Host directives

 Host *.sjc2.turn.com
   ProxyCommand ssh admin1.sjc2 exec nc %h %p
KEY MANAGEMENT

• Host keys

 • /etc/ssh/known_hosts

 • Needs to be populated with all known host keys

• User keys

 • Keep private keys on a secure box. We can store private keys on a bastion host. If someone gets your private key you’re screwed, especially if your key is in root’s authorized_keys
KEY SECURITY

• Restrict keys to particular commands and hosts

• in the authorized_keys file, prepend the key with options, e.g.

• from="backup.turn.com",command="/usr/local/bin/backup.sh" ssh-dss AAAAB3Nza

• Allows for finer-grained security when you need to use passwordless keys
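As an added example (not part of the slides), a small shell/awk audit that reads an authorized_keys file and reports keys lacking the from= and command= restrictions this slide describes, plus any ssh-dss keys; the sample file and its placeholder key blobs are constructed here, not taken from a real host.

```shell
# Audit an authorized_keys file for the restrictions the slide recommends.
# Prints one finding per line as "<line>: <key comment>: <problem>" and
# returns the number of findings (0 means every key is restricted).
# Recognised key types: ssh-rsa, ssh-dss, ssh-ed25519, ecdsa-sha2-*, sk- variants.
audit_authorized_keys() {
    awk '
        /^[ \t]*$/ || /^[ \t]*#/ { next }   # skip blank lines and comments
        {
            # The key type is the first token that looks like one; anything
            # before it is the options field (possibly empty).
            if (!match($0, /(sk-)?(ssh-(rsa|dss|ed25519)(@openssh\.com)?|ecdsa-sha2-[^ \t]+)[ \t]/) ||
                (RSTART > 1 && substr($0, RSTART - 1, 1) !~ /[ \t]/)) {
                printf "%d: (unparseable line)\n", NR; n++; next
            }
            opts = "," substr($0, 1, RSTART - 1)   # leading comma simplifies matching
            split(substr($0, RSTART), f)           # f[1]=type f[2]=key f[3]=comment
            comment = (3 in f) ? f[3] : "(no comment)"
            if (f[1] == "ssh-dss") {
                printf "%d: %s: ssh-dss key (DSA disabled by default since OpenSSH 7.0)\n", NR, comment; n++
            }
            if (opts !~ /,from="[^"]+"/) {
                printf "%d: %s: no from= restriction\n", NR, comment; n++
            }
            if (opts !~ /,command="[^"]+"/) {
                printf "%d: %s: no command= restriction\n", NR, comment; n++
            }
        }
        END { exit (n > 255 ? 255 : n) }
    ' "$1"
}

# Constructed sample (placeholder key blobs, not real keys) for a dry run.
write_sample_authorized_keys() {
    cat > "$1" <<'EOF'
# constructed sample, not a real authorized_keys file
from="backup.turn.com",command="/usr/local/bin/backup.sh" ssh-dss AAAAB3NzaC1kc3MAAACBAPLACEHOLDER backup@turn.com
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPLACEHOLDER unrestricted@laptop
command="/usr/local/bin/backup.sh" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER cmdonly@host
EOF
}

sample=$(mktemp)
write_sample_authorized_keys "$sample"
if audit_authorized_keys "$sample"; then
    echo "OK: every key is restricted"
else
    echo "$? finding(s) above"
fi
rm -f "$sample"
```

Run it against a real file with `audit_authorized_keys ~/.ssh/authorized_keys`; the exit status doubles as a finding count for scripting.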
