This shows you the differences between two versions of the page.
сервис_ssh [2018/10/04 10:19] val [Password authentication]
сервис_ssh [2023/06/24 19:30] val [SSH instead of RSH]
Line 4: | Line 4: | ||
* [[https://www.serfish.com/console/|Web-based access to any SSH server]] | * [[https://www.serfish.com/console/|Web-based access to any SSH server]] | ||
* [[http://linux.bolden.ru/ssh-tunnels/|Подробный анализ теории и практики использования SSH-туннелей]] | * [[http://linux.bolden.ru/ssh-tunnels/|Подробный анализ теории и практики использования SSH-туннелей]] | ||
+ | * [[https://m.habr.com/post/435546/|Практические советы, примеры и туннели SSH]] | ||
===== Установка ===== | ===== Установка ===== | ||
Line 9: | Line 10: | ||
==== Windows ==== | ==== Windows ==== | ||
+ | === PuTTY === | ||
* [[http://www.putty.org/|PuTTY]] | * [[http://www.putty.org/|PuTTY]] | ||
+ | * [[https://the.earth.li/~sgtatham/putty/latest/w64/]] | ||
+ | * [[http://val.bmstu.ru/unix/SSH/putty-64bit-0.76-installer.msi]] | ||
<code> | <code> | ||
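Review bot: the new download link for putty-64bit-0.76-installer.msi points at a copy hosted on val.bmstu.ru rather than the vendor's page; for an SSH client the installer is exactly the file whose integrity matters, so add a sentence telling readers to fetch it from the official download page (the the.earth.li link is the upstream's own directory) and verify the vendor's published signature or checksum before installing, keeping the mirrored copy only as a fallback.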
Line 16: | Line 20: | ||
HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys | HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys | ||
</code> | </code> | ||
+ | |||
+ | === WinSCP === | ||
* [[https://winscp.net/eng/docs/lang:ru|WinSCP]] | * [[https://winscp.net/eng/docs/lang:ru|WinSCP]] | ||
+ | * [[http://val.bmstu.ru/unix/SSH/WinSCP-5.19.2-Setup.exe]] | ||
==== Ubuntu/Debian ==== | ==== Ubuntu/Debian ==== | ||
<code> | <code> | ||
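Review bot: the same concern applies to WinSCP-5.19.2-Setup.exe on val.bmstu.ru: a pinned old build on a private mirror goes stale and gives the reader nothing to check it against, so link the vendor's download page next to it and mention the checksum check. The SshHostKeys registry key in the unchanged context deserves one sentence of explanation too: it is where PuTTY stores the host keys it has already trusted, so deleting entries there resets the protection against a substituted server and should be done deliberately, not as a routine fix for a connection error.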
Line 28: | Line 35: | ||
</code><code> | </code><code> | ||
... | ... | ||
- | Port 22 | + | Port 2222 |
+ | ... | ||
+ | DenyUsers "user*" | ||
... | ... | ||
PermitRootLogin yes | PermitRootLogin yes | ||
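Review bot: PermitRootLogin yes is left in the context while DenyUsers "user*" is added; if the goal of this edit is to tighten access, change it to PermitRootLogin prohibit-password (or no) in the same step. The DenyUsers pattern also matches every account named user1, user2, ... including the user3 that the sftp example further down connects to on port 2222, so either narrow the pattern or state that the sftp example targets a different host. Moving to Port 2222 cuts scanner noise but is not access control on its own and should not be presented as such.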
Line 45: | Line 54: | ||
===== Настройка ssh клиента ===== | ===== Настройка ssh клиента ===== | ||
+ | |||
+ | * [[Утилита corkscrew]] | ||
+ | |||
<code> | <code> | ||
+ | $ sftp -P 2222 -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no user3@localhost | ||
+ | |||
+ | $ mkdir .ssh/ | ||
+ | |||
$ cat .ssh/config | $ cat .ssh/config | ||
</code><code> | </code><code> | ||
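Review bot: the added sftp line with -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no switches host key verification off completely, which removes the only protection SSH has against a substituted server on the path; if the intent is just to avoid the first-connection prompt on a lab host, use -o StrictHostKeyChecking=accept-new and leave the default known_hosts file in place. The mkdir .ssh/ line should be mkdir -m 700 ~/.ssh so that the config and any private keys created later are not readable by other local users.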
Line 55: | Line 71: | ||
# User backup | # User backup | ||
- | #Host 172.16.1.* 192.168.*.* | + | #Host switch* 192.168.X.3 192.168.X.4 192.168.X.5* |
+ | # KexAlgorithms +diffie-hellman-group1-sha1 | ||
+ | # Ciphers +aes128-cbc | ||
# UserKnownHostsFile=/dev/null | # UserKnownHostsFile=/dev/null | ||
# StrictHostKeyChecking=no | # StrictHostKeyChecking=no | ||
+ | # LogLevel ERROR | ||
</code> | </code> | ||
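Review bot: the KexAlgorithms +diffie-hellman-group1-sha1 and Ciphers +aes128-cbc lines re-enable a 1024-bit DH group and a CBC cipher that current OpenSSH disables by default; they are rightly commented out and placed under the Host switch* block, but the text should say explicitly that they are to be uncommented only inside that block for the legacy switches and never in a global section. LogLevel ERROR also hides all warning-level messages, which is convenient for scripted runs against the switches but suppresses the notices a reader relies on when something fails, so mark it as optional.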
Line 76: | Line 95: | ||
student@hostX$ cd /; sudo tar -cf - etc/ | ssh -l user1 gate "cat > etc.tar" | student@hostX$ cd /; sudo tar -cf - etc/ | ssh -l user1 gate "cat > etc.tar" | ||
+ | |||
+ | server# ssh switch1 "show cdp neighbors" | ||
</code> | </code> | ||
==== SSH вместо RCP (SCP) ==== | ==== SSH вместо RCP (SCP) ==== | ||
<code> | <code> | ||
- | student@hostX$ scp /etc/motd user1@gate:hostX.motd.bak | + | $ scp -P 2222 val@radio.specialist.ru:/usr/local/www/apache22/data/unix/virus.zip . |
+ | |||
+ | server# scp switchN:running-config /srv/tftp/switchN-running-config | ||
- | student@hostX$ scp user1@gate:/etc/motd gate.motd.bak | + | server# sshpass -p cisco scp switchN:running-config /srv/tftp/switchN-running-config |
</code> | </code> | ||
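Review bot: scp switchN:running-config /srv/tftp/switchN-running-config saves the switch's complete running configuration, including whatever credentials and community strings it contains, into the directory that tftpd normally serves to anyone on the network without authentication; either store the copies somewhere with restrictive permissions or state that /srv/tftp is a lab convenience only. The sshpass -p cisco form also exposes the password in the process list and the shell history, which the password authentication section below should cover once rather than each example repeating it.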
Line 123: | Line 146: | ||
==== SSH вместо VPN (привязка к порту клиента) ==== | ==== SSH вместо VPN (привязка к порту клиента) ==== | ||
<code> | <code> | ||
+ | windows desktop | ||
Putty | Putty | ||
Session | Session | ||
HostNameIP 192.168.X.10 | HostNameIP 192.168.X.10 | ||
Connection->SSH->Tunnels | Connection->SSH->Tunnels | ||
- | Source port 1111 | + | Source port 3101 |
- | Destination 192.168.100+X.201:3389 | + | Destination 192.168.100+X.101:3389 |
- | linux> ssh -L 1111:192.168.100+X.201:3389 192.168.X.10 | + | linux desktop$ ssh -L 3101:192.168.100+X.101:3389 192.168.X.10 |
- | Remote Desktop Connection->127.0.0.1:1111 | + | Remote Desktop Connection->127.0.0.1:3101 |
</code> | </code> | ||
==== SSH вместо VPN (привязка к порту сервера) ==== | ==== SSH вместо VPN (привязка к порту сервера) ==== | ||
- | <code> | ||
- | inside_nat# ssh -N -R 2222:localhost:22 val@val.bmstu.ru | ||
- | val# cat /etc/ssh/sshd_config | + | * [[Управление сервисами в Linux]] |
+ | |||
+ | <code> | ||
+ | server# cat /etc/ssh/sshd_config | ||
</code><code> | </code><code> | ||
... | ... | ||
GatewayPorts yes | GatewayPorts yes | ||
+ | ... | ||
</code><code> | </code><code> | ||
- | nessus# ssh -N -R 1111:10.10.132.50:3389 val@val.bmstu.ru | + | # cat /proc/sys/net/ipv4/ip_local_port_range |
+ | |||
+ | lan# ssh -N -R 61022:localhost:22 user1@server.corpX.un | ||
+ | |||
+ | lan# ssh -N -R 3101:192.168.100+X.101:3389 user1@server.corpX.un | ||
</code> | </code> | ||
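Review bot: with GatewayPorts yes every -R forward binds on all of the server's interfaces, so -R 61022:localhost:22 publishes the LAN host's SSH port and -R 3101:192.168.100+X.101:3389 the RDP host to anyone who can reach server.corpX.un. Prefer GatewayPorts clientspecified in sshd_config and give the bind address in the client command (-R 127.0.0.1:61022:localhost:22 when the forward is only for use on the server itself, or the specific interface address otherwise). The cat /proc/sys/net/ipv4/ip_local_port_range line needs a sentence saying why it is there, presumably to pick a port such as 61022 that lies outside the ephemeral range so a local client cannot grab it first.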
Line 158: | Line 188: | ||
</code> | </code> | ||
+ | ==== Управление доступом на основе членства в группе ==== | ||
+ | |||
+ | Пример использования отдельного файла конфигурации | ||
+ | |||
+ | <code> | ||
+ | gate# cat /etc/ssh/sshd_config.d/my.conf | ||
+ | </code><code> | ||
+ | #AllowGroups sudo | ||
+ | |||
+ | #DenyGroups group1 group2 | ||
+ | </code> | ||
+ | ==== Запрет Forwarding портов ==== | ||
+ | |||
+ | <code> | ||
+ | server# cat sshd_config | ||
+ | </code><code> | ||
+ | ... | ||
+ | Match Group *,!sudo | ||
+ | X11Forwarding no | ||
+ | AllowTcpForwarding no | ||
+ | </code> | ||
===== Уменьшение времени создания множества сессий ===== | ===== Уменьшение времени создания множества сессий ===== | ||
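Review bot: the Match Group *,!sudo block is shown after "...", but the text must say it has to be the last thing in the file, because every directive after a Match line belongs to that block until the next Match. Two more points on the sshd_config.d/my.conf example: Debian's stock sshd_config includes that directory near the top of the file, and sshd uses the first value it obtains for a keyword, so a setting placed there overrides a later global one, which is worth stating; and per sshd_config(5) AllowTcpForwarding no gives no real security for users who still get a shell, since they can run their own forwarder, so the section should pair it with a restricted shell or ForceCommand for the groups it is meant to constrain.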
Line 184: | Line 235: | ||
==== Парольная аутентификация ==== | ==== Парольная аутентификация ==== | ||
<code> | <code> | ||
- | [gate.isp.un:~] # sshpass -p '123' ssh 192.168.25.30 | + | server# apt install sshpass |
+ | |||
+ | server# sshpass -p 'strongpassword' ssh vagrant@node1 | ||
+ | |||
+ | server# sshpass -p cisco ssh switchN | ||
+ | |||
+ | server# sshpass -p cisco ssh switch1 sh int | grep line | ||
</code> | </code> | ||
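Review bot: sshpass -p 'strongpassword' and sshpass -p cisco put the password on the command line, where any local user can read it from the process list and where it is recorded in the shell history; use sshpass -f with a mode 600 file or SSHPASS=... sshpass -e, and say that cisco is a lab default not to be used on anything real. In the last line the grep runs locally on the output of sh int, which is the intended behaviour, but quoting the remote command ("sh int") would make that clearer to the reader.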
Line 191: | Line 248: | ||
=== Настройка sshd на использование ключей === | === Настройка sshd на использование ключей === | ||
<code> | <code> | ||
- | gate# cat /etc/ssh/sshd_config | + | gate# less /etc/ssh/sshd_config |
</code><code> | </code><code> | ||
... | ... | ||
- | PubkeyAuthentication yes | + | #PubkeyAuthentication yes |
#AuthorizedKeysFile %h/.ssh/authorized_keys | #AuthorizedKeysFile %h/.ssh/authorized_keys | ||
... | ... | ||
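Review bot: commenting out PubkeyAuthentication yes works only because yes is the compiled-in default, so keep a one-line remark that the default applies; a reader following the older revision expects an explicit setting. The companion change that actually turns the key setup into a security gain, PasswordAuthentication no once keys are confirmed to work, is missing from this section and belongs here.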
Line 208: | Line 265: | ||
</code><code> | </code><code> | ||
user1@client1:~$ ls .ssh/ | user1@client1:~$ ls .ssh/ | ||
- | |||
- | user1@client1:~$ chmod 755 . | ||
- | user1@client1:~$ chmod 700 .ssh/ | ||
- | user1@client1:~$ chmod 600 .ssh/authorized_keys | ||
</code> | </code> | ||
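Review bot: the deleted chmod 755 ., chmod 700 .ssh/ and chmod 600 .ssh/authorized_keys lines were the only place the page told the reader about the permissions that sshd's StrictModes checks; without them a group- or world-writable home directory or .ssh will make key logins fail with Permission denied while password login keeps working, which is a confusing failure for a student. Keep at least the .ssh and authorized_keys lines, or point to the ssh-copy-id step, which creates them with restrictive modes.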
Line 220: | Line 273: | ||
<code> | <code> | ||
linux$ ssh-copy-id gate | linux$ ssh-copy-id gate | ||
+ | |||
+ | linux$ ssh-copy-id server | ||
freebsd$ ssh-copy-id -i .ssh/id_rsa.pub gate | freebsd$ ssh-copy-id -i .ssh/id_rsa.pub gate | ||
Line 252: | Line 307: | ||
... | ... | ||
- | gate# ssh-add -l | + | student@client1$ ssh-add -l |
... | ... | ||
user1@client1$ ssh gate | user1@client1$ ssh gate | ||
+ | |||
+ | user1@client1$ ssh server | ||
</code> | </code> | ||
Line 261: | Line 318: | ||
=== Регистрация принципалов сервиса в KDC и перемещение ключа сервиса на сервер === | === Регистрация принципалов сервиса в KDC и перемещение ключа сервиса на сервер === | ||
+ | |||
+ | * [[https://www.altlinux.org/%D0%A1%D0%BE%D0%B7%D0%B4%D0%B0%D0%BD%D0%B8%D0%B5_SPN_%D0%B8_Keytab_%D1%84%D0%B0%D0%B9%D0%BB%D0%B0|Создание SPN и Keytab файла при использовании DC Windows, DC FreeIPA, ...]] | ||
== Debian/Ubuntu (MIT) == | == Debian/Ubuntu (MIT) == | ||
Line 292: | Line 351: | ||
== Microsoft Active Directory == | == Microsoft Active Directory == | ||
+ | |||
+ | * Еще один способ: [[https://blog.it-kb.ru/2017/10/26/adding-spn-entries-in-keytab-on-linux-server-using-ktutil-associated-with-computer-account-in-active-directory-domain/|Добавление SPN записей в keytab-файл (на стороне сервера Linux с помощью утилиты ktutil), связанный с учётной записью Computer в домене Active Directory]] | ||
Добавляем пользователя в AD | Добавляем пользователя в AD | ||
Line 305: | Line 366: | ||
C:\>ktpass -princ host/gate.corpX.un@CORPX.UN -mapuser gatehost -pass 'Pa$$w0rd' -out gatehost.keytab | C:\>ktpass -princ host/gate.corpX.un@CORPX.UN -mapuser gatehost -pass 'Pa$$w0rd' -out gatehost.keytab | ||
- | C:\>setspn -L gatehost | + | C:\>setspn -L -U gatehost |
C:\>pscp gatehost.keytab gate: | C:\>pscp gatehost.keytab gate: | ||
+ | </code> | ||
+ | |||
+ | == Samba4 == | ||
+ | <code> | ||
+ | server# samba-tool user create gatehost | ||
+ | |||
+ | server# samba-tool user setexpiry gatehost --noexpiry | ||
+ | |||
+ | server# samba-tool spn add host/gate.corpX.un gatehost | ||
+ | |||
+ | server# samba-tool spn list gatehost | ||
+ | |||
+ | server# samba-tool domain exportkeytab gatehost.keytab --principal=host/gate.corpX.un | ||
</code> | </code> | ||
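Review bot: after pscp gatehost.keytab gate: and samba-tool domain exportkeytab gatehost.keytab the page should state where the keytab goes and with what permissions: install it as /etc/krb5.keytab owned by root with mode 600 and remove the copy left in the user's home directory, since anyone who can read it holds the host's long-term key. samba-tool user setexpiry --noexpiry is reasonable for a service account but should be explained as such. On the unchanged ktpass line, cmd.exe does not treat single quotes as quoting characters, so -pass 'Pa$$w0rd' sets the password with the quotes included; use double quotes or no quotes there.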
Line 344: | Line 418: | ||
=== Настройка unix клиента ssh на использование GSSAPI === | === Настройка unix клиента ssh на использование GSSAPI === | ||
<code> | <code> | ||
- | client1# cat /etc/ssh/ssh_config | + | client1# less /etc/ssh/ssh_config |
</code><code> | </code><code> | ||
... | ... | ||
Line 373: | Line 447: | ||
user1@client1$ ssh -vv gate.corpX.un | user1@client1$ ssh -vv gate.corpX.un | ||
+ | gate# service ssh stop | ||
+ | gate# mkdir /run/sshd | ||
gate# /usr/sbin/sshd -d | gate# /usr/sbin/sshd -d | ||
</code> | </code> |
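Review bot: service ssh stop followed by /usr/sbin/sshd -d takes the production daemon down and replaces it with a debug instance that handles a single connection and then exits, so a reader logged in to gate over SSH loses the session and the host until someone restarts the service; run the debug instance on a spare port instead (/usr/sbin/sshd -d -p followed by an unused port) with the normal service left running, and in any case add service ssh start at the end. The mkdir /run/sshd line is correct to keep, since on Debian the privilege separation directory is created by the service script and a manually started sshd fails without it.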