Dave Horner's Website - Yet another perspective on things...
Home Tech Talk Unix/Linux/BSD/etc SSH stuff
148 guests
Rough Hits : 2773708
moon and stars
how did u find my site?

onomastics (seen in code)

Human beings in their thinking, feeling and acting are not free but are as causally bound as the stars in their motions.
--Albert Einstein
$$e = \sum_{n=0}^\infty \frac{1}{n!}$$

SSH stuff

Monday, 25 April 2005 01:31
Tyblog | SSH Kung Fu - -L tunneling,sshfs,vim scp:// urls,-D SOCKS proxying, and more.
SSH tricks
Play Video/Audio on Remote X Server over SSH - vlc --fullscreen path.avi (X11 Forwarding with SSH X11Forwarding yes)
ssh tips
SSH ControlMaster: The Good, The Bad, The Ugly | Anchor Web Hosting Blog Specify Password Only Once for Multiple SSH Connections
Swish - Easy SFTP for Windows - Swish adds support for SFTP to Windows Explorer so you can access your files on another computer securely via SSH. - cinst swish using Chocolatey

ssh/scp using python with paramiko

paramiko: ssh2 protocol for python
The GITS Blog » Easy SFTP uploading with paramiko
Plumbum: Shell Combinators and More — Plumbum: Shell Combinators

multiplex ssh with other services

ssl/ssh multiplexer
Run Both SSHD and Nginx on Port 80 « Yi Wang's Tech Notes

ssh with python twisted Conch

Twisted Documentation: Writing a client with Twisted Conch
Twisted Documentation: Twisted Conch code examples

Blocking brute force attempts with ssh

There are quite a few tools out there to accomplish the blocking of invalid login attempts using iptables amd tcpwrappers. Most are actually written in python...;-D In fact, you can yum install both fail2ban and denyhosts! Making it quite easy to get on your box. However, I'm partial to closing ports all together and using dynamic rules instead of forming ban lists. Ban lists require additional resources and still expose a service to all for undocumented exploits to occur...(buffer overflows). See IPOpener - Block everything and allow to few (The power of dynamic rules).
But having said that, there are times when it might be interesting to see who's out there attacking my boxes. I've seen some cool network maps.

Main Page - Fail2ban - Fail2ban scans log files like /var/log/pwdfail or /var/log/apache/error_log and bans IP that makes too many password failures. It updates firewall rules to reject the IP address.
Packets Consulting - Ssh-faker - This program is called by /etc/hosts.deny whenever someone connects to port 22. Unless they type in a plaintext password or type the wrong password, they get an ssh-compatible error message, and a syslog message is generated. If they type in the right password, they are added to /etc/hosts.allow, and their next connection will reach the real sshd.
Welcome to DenyHosts - DenyHosts is a Python script that analyzes the sshd server log messages to determine what hosts are attempting to hack into your system. It also determines what user accounts are being targeted. It keeps track of the frequency of attempts from each host. Additionally, upon discovering a repeated attack host, the /etc/hosts.deny file is updated to prevent future break-in attempts from that host. An email report can be sent to a system admin.
BlockHosts | A C Zoom - Automatic blocking of abusive IP hosts, Script to record how many times system services are being probed, using configurable pattern matching to recognize failed accesses (such as for "sshd" or "proftpd" or any service), and when a particular IP address exceeds a certain number of failed attempts, that IP address is blocked by using multiple techniques: using /etc/hosts.allow for services that support TCP_WRAPPERS, or by executing ip route commands to setup null-routing for that source host address, or by executing iptables commands to setup packet filtering to drop packets from a source host address.
Preventing Brute Force Attacks With Fail2ban On Debian Etch | HowtoForge - Linux Howtos and Tutorials
Preventing SSH Dictionary Attacks With DenyHosts | HowtoForge - Linux Howtos and Tutorials

Port forwarding with SSH (Also called SSH tunneling)

(a good command is: ssh -N -R remoteport:localhost:22 config-host-name) Port forwarding allows you to send arbitrary connections through your SSH connection.  This provides secure communication over otherwise insecure networks.

SSH provides two flavors of port forwarding.  LocalForward and RemoteForward.

LocalForward connects a remote server to the local machine.  The ssh client machine actually listens for new connections to be tunneled and sends them through the existing ssh connection.
ssh -L 9999:mailserver:110 sshserver
This would establish a LocalForward using sshserver.  The forward would be from mailserver:110 to the local machine port 9999.

RemoteForward is a tunnel initiated on the server side that goes back through the client machine.

LocalForwards Command Line Option Configuration file entry local_listen_port is on destination_host is contacted from
-L local_listen_port:destination_host:destination_port
LocalForward local_listen_port:destination_host:destination_port
SSH client loopback interface
SSH server host

RemoteForwards Command Line Option Configuration file entry remote_listen_port is on destination_host is contacted from
-R remote_listen_port:destination_host:destination_port
RemoteForward remote_listen_port:destination_host:destination_port
SSH server loopback interface
SSH client host
SSH Port Forwarding
Auto-closing SSH tunnels

Key based auth setup

Use keys instead of passwords
Ok, before you starting banging your head trying to figure out why key auth isn't working...make sure your sshd has the proper settings for it.  Check to make sure you have the following settings in your sshd_config.

# Should we allow Identity (SSH version 1) authentication?
# (NOTE: Not necessary if you only want to use version 2,even if you use rsa keys)
RSAAuthentication yes  
# Should we allow Pubkey (SSH version 2) authentication?
PubkeyAuthentication yes  
# Where do we look for authorized public keys?
# If it doesn't start with a slash, then it is
# relative to the user's home directory
AuthorizedKeysFile    .ssh/authorized_keys

What to try if sshd doesn't accept your key (authorized_keys don't work)

NOTE!Sept-10-2005: You also MUST make sure that the .ssh folder in your home directory is rxw(700) for the user only! In addition, your authorized_keys file must be rw(600) for the user only. If the file modes are incorrect, sshd will reject all attempts to auth with the keys. (this info could have saved me a good half hour of pain)

If you had the correct settings, great.  If you didn't and you changed the config, restart the sshd process.
Now that we have verified the proper settings, lets move on to how to actually add keys!

# Move into your ssh directory for the user
cd $HOME/.ssh
# Generate a key pair, this will create a private key(one you keep on
your local machine) and a public key(one you give to the remote
ssh-keygen -t rsa -f ~/.ssh/remotemachine
# Copy the public key into the authorized keys on the remote machine.
cat remotemachine.pub |ssh user@remotemachine 'sh -c "cat - >>~/.ssh/authorized_keys;
The -t option allows you to choose a cipher but I suggest using rsa.  The -f option specifies the name of the key, replace the remotemachine with the name you'd like.

localmachine$ chmod 600 ~/.ssh/authorized_keys;
This single line will copy the public key to the remote machine and make sure the permissions are read and write only for the user.

Now you can simply login to the remote machine by doing the following:
ssh -i remotemachine user@remotemachine

So maybe you don't like having to specify that you want to use the identity each time.  SSH allows you to define config options for hosts in your ~/.ssh/config file.  You can simply name a session name and the options associated with it.
For example, lets say I connect to remotemachine using the username auser and the identity backup.
I can create a config file with:
host remotemachine
hostname remotemachine.somenetwork.com
user auser
identityfile ~/.ssh/backup
compression yes
cipher blowfish
protocol 2
Now I can just use: ssh remotemachine to login to the system.  SSH will automatically try to find the session name in my config file and use the appropriate settings.

Some extra options:
You can create single use keys by prepending command="<cmd>" to your public key in the authorized_keys file.
This specifies that the command is executed whenever this key is used for authentication.  The command supplied by the user (if any) is ignored.
For added security, you can only allow the key to be used from a certain host using the from option.
Example: from="*.somenetwork.net,!pc.someothernetwork.net"
Other options you might consider turning off include: no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty

command="<cmd>",from="some.host.net",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty <public key here>

Here is a single command that adds options to the beginning of the public key and pushes it to the remote machines authorized_keys.
echo 'command="<cmd>" ' `cat <whatever>.pub`|ssh user@remotemachine 'sh -c "cat - >>~/.ssh/authorized_keys;chmod 600 ~/.ssh/authorized_keys;"'
On some distros, you can use the ssh-copy-id program to install your public key in a remote machine's authorized_keys. It does much the same as above, cat'ing the key to the remote machine. If you don't specify a -i identity, ssh-copy-id will use ~/.ssh/id_rsa.pub. ssh-copy-id does not fix perms so you may still need to chmod go-w ~ ~/.ssh ~/.ssh/authorized_keys; if you're perms aren't correct already.

shfs - mount a filesystem using ssh.

SHFS  is a kernel module for linux that allows a user to mount a filesystem remotely using only ssh.  This is a wonderful module because I love ssh access so much.  It is wonderful because it allows you to access your data remotely but securely.

Once you've installed it, all you've got to do is:
shfsmount --persistent -s user@host:/tmp /mnt/shfs

This mounts the /tmp directory on user@host to the local /mnt/shfs directory.
(-s expands remote symlinks, --persistent makes shfs more tolerant of connection problems)

Embed SSH in Browser

I'm looking into embedding a ssh client in the webbrowser. That would be awesome. Some possible clients are: Mindterm - SSH java client
Using Mindterm - Cambridge uses it.
SSH for Java

keep that ssh connection alive

How to avoid SSH timeouts
TCPKeepAlive yes
KeepAlive yes
ClientAliveInterval 540
ClientAliveCountMax 99999

Fixing SSH login long delay | In just five minutes…


udpproxy allows you to tunnel UDP datagrams into a SSH tunnel with the help of NFQUEUE target from Netfilter. This enables easy selection of flow to be tunneled.
Projects | Vincent Bernat
vincentbernat/udpproxy - a Netfilter powered UDP proxy

Performing UDP tunneling through an SSH connection
Last Updated on Saturday, 17 May 2014 10:29