User Tools
сервис_ssh
Differences
This shows you the differences between two versions of the page.
| Next revision | Previous revision Next revision Both sides next revision | ||
|
сервис_ssh [2018/10/04 10:19] val [Аутентификация по паролю] |
сервис_ssh [2023/06/24 19:30] val [SSH вместо RSH] |
||
|---|---|---|---|
| Line 4: | Line 4: | ||
| * [[https://www.serfish.com/console/|Web-based access to any SSH server]] | * [[https://www.serfish.com/console/|Web-based access to any SSH server]] | ||
| * [[http://linux.bolden.ru/ssh-tunnels/|Подробный анализ теории и практики использования SSH-туннелей]] | * [[http://linux.bolden.ru/ssh-tunnels/|Подробный анализ теории и практики использования SSH-туннелей]] | ||
| + | * [[https://m.habr.com/post/435546/|Практические советы, примеры и туннели SSH]] | ||
| ===== Установка ===== | ===== Установка ===== | ||
| Line 9: | Line 10: | ||
| ==== Windows ==== | ==== Windows ==== | ||
| + | === PuTTY === | ||
| * [[http://www.putty.org/|PuTTY]] | * [[http://www.putty.org/|PuTTY]] | ||
| + | * [[https://the.earth.li/~sgtatham/putty/latest/w64/]] | ||
| + | * [[http://val.bmstu.ru/unix/SSH/putty-64bit-0.76-installer.msi]] | ||
| <code> | <code> | ||
| Line 16: | Line 20: | ||
| HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys | HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys | ||
| </code> | </code> | ||
| + | |||
| + | === WinSCP === | ||
| * [[https://winscp.net/eng/docs/lang:ru|WinSCP]] | * [[https://winscp.net/eng/docs/lang:ru|WinSCP]] | ||
| + | * [[http://val.bmstu.ru/unix/SSH/WinSCP-5.19.2-Setup.exe]] | ||
| ==== Ubuntu/Debian ==== | ==== Ubuntu/Debian ==== | ||
| <code> | <code> | ||
| Line 28: | Line 35: | ||
| </code><code> | </code><code> | ||
| ... | ... | ||
| - | Port 22 | + | Port 2222 |
| + | ... | ||
| + | DenyUsers "user*" | ||
| ... | ... | ||
| PermitRootLogin yes | PermitRootLogin yes | ||
| Line 45: | Line 54: | ||
| ===== Настройка ssh клиента ===== | ===== Настройка ssh клиента ===== | ||
| + | |||
| + | * [[Утилита corkscrew]] | ||
| + | |||
| <code> | <code> | ||
| + | $ sftp -P 2222 -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no user3@localhost | ||
| + | |||
| + | $ mkdir .ssh/ | ||
| + | |||
| $ cat .ssh/config | $ cat .ssh/config | ||
| </code><code> | </code><code> | ||
| Line 55: | Line 71: | ||
| # User backup | # User backup | ||
| - | #Host 172.16.1.* 192.168.*.* | + | #Host switch* 192.168.X.3 192.168.X.4 192.168.X.5* |
| + | # KexAlgorithms +diffie-hellman-group1-sha1 | ||
| + | # Ciphers +aes128-cbc | ||
| # UserKnownHostsFile=/dev/null | # UserKnownHostsFile=/dev/null | ||
| # StrictHostKeyChecking=no | # StrictHostKeyChecking=no | ||
| + | # LogLevel ERROR | ||
| </code> | </code> | ||
| Line 76: | Line 95: | ||
| student@hostX$ cd /; sudo tar -cf - etc/ | ssh -l user1 gate "cat > etc.tar" | student@hostX$ cd /; sudo tar -cf - etc/ | ssh -l user1 gate "cat > etc.tar" | ||
| + | |||
| + | server# ssh switch1 "show cdp neighbors" | ||
| </code> | </code> | ||
| ==== SSH вместо RCP (SCP) ==== | ==== SSH вместо RCP (SCP) ==== | ||
| <code> | <code> | ||
| - | student@hostX$ scp /etc/motd user1@gate:hostX.motd.bak | + | $ scp -P 2222 val@radio.specialist.ru:/usr/local/www/apache22/data/unix/virus.zip . |
| + | |||
| + | server# scp switchN:running-config /srv/tftp/switchN-running-config | ||
| - | student@hostX$ scp user1@gate:/etc/motd gate.motd.bak | + | server# sshpass -p cisco scp switchN:running-config /srv/tftp/switchN-running-config |
| </code> | </code> | ||
| Line 123: | Line 146: | ||
| ==== SSH вместо VPN (привязка к порту клиента) ==== | ==== SSH вместо VPN (привязка к порту клиента) ==== | ||
| <code> | <code> | ||
| + | windows desktop | ||
| Putty | Putty | ||
| Session | Session | ||
| HostNameIP 192.168.X.10 | HostNameIP 192.168.X.10 | ||
| Connection->SSH->Tunnels | Connection->SSH->Tunnels | ||
| - | Source port 1111 | + | Source port 3101 |
| - | Destination 192.168.100+X.201:3389 | + | Destination 192.168.100+X.101:3389 |
| - | linux> ssh -L 1111:192.168.100+X.201:3389 192.168.X.10 | + | linux desktop$ ssh -L 3101:192.168.100+X.101:3389 192.168.X.10 |
| - | Remote Desktop Connection->127.0.0.1:1111 | + | Remote Desktop Connection->127.0.0.1:3101 |
| </code> | </code> | ||
| ==== SSH вместо VPN (привязка к порту сервера) ==== | ==== SSH вместо VPN (привязка к порту сервера) ==== | ||
| - | <code> | ||
| - | inside_nat# ssh -N -R 2222:localhost:22 val@val.bmstu.ru | ||
| - | val# cat /etc/ssh/sshd_config | + | * [[Управление сервисами в Linux]] |
| + | |||
| + | <code> | ||
| + | server# cat /etc/ssh/sshd_config | ||
| </code><code> | </code><code> | ||
| ... | ... | ||
| GatewayPorts yes | GatewayPorts yes | ||
| + | ... | ||
| </code><code> | </code><code> | ||
| - | nessus# ssh -N -R 1111:10.10.132.50:3389 val@val.bmstu.ru | + | # cat /proc/sys/net/ipv4/ip_local_port_range |
| + | |||
| + | lan# ssh -N -R 61022:localhost:22 user1@server.corpX.un | ||
| + | |||
| + | lan# ssh -N -R 3101:192.168.100+X.101:3389 user1@server.corpX.un | ||
| </code> | </code> | ||
| Line 158: | Line 188: | ||
| </code> | </code> | ||
| + | ==== Управление доступом на основе членства в группе ==== | ||
| + | |||
| + | Пример использования отдельного файла конфигурации | ||
| + | |||
| + | <code> | ||
| + | gate# cat /etc/ssh/sshd_config.d/my.conf | ||
| + | </code><code> | ||
| + | #AllowGroups sudo | ||
| + | |||
| + | #DenyGroups group1 group2 | ||
| + | </code> | ||
| + | ==== Запрет Forwarding портов ==== | ||
| + | |||
| + | <code> | ||
| + | server# cat sshd_config | ||
| + | </code><code> | ||
| + | ... | ||
| + | Match Group *,!sudo | ||
| + | X11Forwarding no | ||
| + | AllowTcpForwarding no | ||
| + | </code> | ||
| ===== Уменьшение времени создания множества сессий ===== | ===== Уменьшение времени создания множества сессий ===== | ||
| Line 184: | Line 235: | ||
| ==== Парольная аутентификация ==== | ==== Парольная аутентификация ==== | ||
| <code> | <code> | ||
| - | [gate.isp.un:~] # sshpass -p '123' ssh 192.168.25.30 | + | server# apt install sshpass |
| + | |||
| + | server# sshpass -p 'strongpassword' ssh vagrant@node1 | ||
| + | |||
| + | server# sshpass -p cisco ssh switchN | ||
| + | |||
| + | server# sshpass -p cisco ssh switch1 sh int | grep line | ||
| </code> | </code> | ||
| Line 191: | Line 248: | ||
| === Настройка sshd на использование ключей === | === Настройка sshd на использование ключей === | ||
| <code> | <code> | ||
| - | gate# cat /etc/ssh/sshd_config | + | gate# less /etc/ssh/sshd_config |
| </code><code> | </code><code> | ||
| ... | ... | ||
| - | PubkeyAuthentication yes | + | #PubkeyAuthentication yes |
| #AuthorizedKeysFile %h/.ssh/authorized_keys | #AuthorizedKeysFile %h/.ssh/authorized_keys | ||
| ... | ... | ||
| Line 208: | Line 265: | ||
| </code><code> | </code><code> | ||
| user1@client1:~$ ls .ssh/ | user1@client1:~$ ls .ssh/ | ||
| - | |||
| - | user1@client1:~$ chmod 755 . | ||
| - | user1@client1:~$ chmod 700 .ssh/ | ||
| - | user1@client1:~$ chmod 600 .ssh/authorized_keys | ||
| </code> | </code> | ||
| Line 220: | Line 273: | ||
| <code> | <code> | ||
| linux$ ssh-copy-id gate | linux$ ssh-copy-id gate | ||
| + | |||
| + | linux$ ssh-copy-id server | ||
| freebsd$ ssh-copy-id -i .ssh/id_rsa.pub gate | freebsd$ ssh-copy-id -i .ssh/id_rsa.pub gate | ||
| Line 252: | Line 307: | ||
| ... | ... | ||
| - | gate# ssh-add -l | + | student@client1$ ssh-add -l |
| ... | ... | ||
| user1@client1$ ssh gate | user1@client1$ ssh gate | ||
| + | |||
| + | user1@client1$ ssh server | ||
| </code> | </code> | ||
| Line 261: | Line 318: | ||
| === Регистрация принципалов сервиса в KDC и перемещение ключа сервиса на сервер === | === Регистрация принципалов сервиса в KDC и перемещение ключа сервиса на сервер === | ||
| + | |||
| + | * [[https://www.altlinux.org/%D0%A1%D0%BE%D0%B7%D0%B4%D0%B0%D0%BD%D0%B8%D0%B5_SPN_%D0%B8_Keytab_%D1%84%D0%B0%D0%B9%D0%BB%D0%B0|Создание SPN и Keytab файла при использовании DC Windows, DC FreeIPA, ...]] | ||
| == Debian/Ubuntu (MIT) == | == Debian/Ubuntu (MIT) == | ||
| Line 292: | Line 351: | ||
| == Microsoft Active Directory == | == Microsoft Active Directory == | ||
| + | |||
| + | * Еще один способ: [[https://blog.it-kb.ru/2017/10/26/adding-spn-entries-in-keytab-on-linux-server-using-ktutil-associated-with-computer-account-in-active-directory-domain/|Добавление SPN записей в keytab-файл (на стороне сервера Linux с помощью утилиты ktutil), связанный с учётной записью Computer в домене Active Directory]] | ||
| Добавляем пользователя в AD | Добавляем пользователя в AD | ||
| Line 305: | Line 366: | ||
| C:\>ktpass -princ host/gate.corpX.un@CORPX.UN -mapuser gatehost -pass 'Pa$$w0rd' -out gatehost.keytab | C:\>ktpass -princ host/gate.corpX.un@CORPX.UN -mapuser gatehost -pass 'Pa$$w0rd' -out gatehost.keytab | ||
| - | C:\>setspn -L gatehost | + | C:\>setspn -L -U gatehost |
| C:\>pscp gatehost.keytab gate: | C:\>pscp gatehost.keytab gate: | ||
| + | </code> | ||
| + | |||
| + | == Samba4 == | ||
| + | <code> | ||
| + | server# samba-tool user create gatehost | ||
| + | |||
| + | server# samba-tool user setexpiry gatehost --noexpiry | ||
| + | |||
| + | server# samba-tool spn add host/gate.corpX.un gatehost | ||
| + | |||
| + | server# samba-tool spn list gatehost | ||
| + | |||
| + | server# samba-tool domain exportkeytab gatehost.keytab --principal=host/gate.corpX.un | ||
| </code> | </code> | ||
| Line 344: | Line 418: | ||
| === Настройка unix клиента ssh на использование GSSAPI === | === Настройка unix клиента ssh на использование GSSAPI === | ||
| <code> | <code> | ||
| - | client1# cat /etc/ssh/ssh_config | + | client1# less /etc/ssh/ssh_config |
| </code><code> | </code><code> | ||
| ... | ... | ||
| Line 373: | Line 447: | ||
| user1@client1$ ssh -vv gate.corpX.un | user1@client1$ ssh -vv gate.corpX.un | ||
| + | gate# service ssh stop | ||
| + | gate# mkdir /run/sshd | ||
| gate# /usr/sbin/sshd -d | gate# /usr/sbin/sshd -d | ||
| </code> | </code> | ||
сервис_ssh.txt · Last modified: 2024/09/15 12:15 by val
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
