Сервис SSH

• SSH (wikipedia)
• SSH с высоты птичьего полёта, или разгребаем кучи ключей
• Web-based access to any SSH server
• Подробный анализ теории и практики использования SSH-туннелей
• Практические советы, примеры и туннели SSH

• PuTTY
• https://the.earth.li/~sgtatham/putty/latest/w64/
• http://val.bmstu.ru/unix/SSH/putty-64bit-0.76-installer.msi

Terminal->Features->Disable application keypad mode

HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys

• MobaXterm
• Weird characters while pasting in terminal

printf "\e[?2004l"

• WinSCP
• http://val.bmstu.ru/unix/SSH/WinSCP-5.19.2-Setup.exe

# apt install ssh

gate# cat /etc/ssh/sshd_config.d/my.conf

Port 2222

DenyUsers "user*"

PermitRootLogin yes

#KexAlgorithms +diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1
#HostkeyAlgorithms +ssh-dss,ssh-rsa

Проверка конфигурации

# /usr/sbin/sshd -t

Печать fingerprint публичного ключа

gate# ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key.pub

• Утилита corkscrew

$ sftp -P 2222 -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no user3@localhost

$ mkdir .ssh/

$ cat ~/.ssh/config

Host *
  ServerAliveInterval 10

#Host gitlab* 
#        Port 2222
##        User root

#Host switch* 192.168.X.5*
#        KexAlgorithms +diffie-hellman-group1-sha1
#        Ciphers +aes128-cbc
#        UserKnownHostsFile=/dev/null
#        StrictHostKeyChecking=no
#        LogLevel ERROR

###    HostKeyAlgorithms +ssh-rsa
###    PubkeyAcceptedKeyTypes +ssh-rsa

# ssh -l user1 gate

# ssh user1@gate

student@hostX$ ssh -l user1 gate "uname -a"

student@hostX$ cat /etc/hosts | ssh -l user1 gate "cat > hosts.bak"

student@hostX$ cd /; sudo tar -cf - etc/ | ssh -l user1 gate "cat > etc.tar"

server# ssh switch1 "show cdp neighbors"

$ scp -P 2222 val@radio.specialist.ru:/usr/local/www/apache22/data/unix/virus.zip .

server# scp switchN:running-config /srv/tftp/switchN-running-config
deb12_ub24# scp -O switchN:running-config /srv/tftp/switchN-running-config

server# sshpass -p cisco scp switchN:running-config /srv/tftp/switchN-running-config

server# scp -3 192.168.X.101:/etc/docker/daemon.json gate:/etc/docker/daemon.json

# cat /etc/ssh/sshd_config

...
# Subsystem       sftp    /usr/libexec/sftp-server
Subsystem sftp internal-sftp
...
Match group user1
#Match group group1
       ChrootDirectory %h
       ForceCommand internal-sftp

# chown root ~user1/

# mkdir ~user1/public_html && chown user1:user1 ~user1/public_html/

# mkdir ~user1/mail && chown user1:user1 ~user1/mail/

gate# cat /etc/ssh/sshd_config

...
X11Forwarding yes
...

windows desktop
Putty
Session
  HostNameIP 192.168.X.10
Connection->SSH->Tunnels
  Source port 3101
  Destination 192.168.100+X.101:3389

linux desktop$ ssh -L 3101:192.168.100+X.101:3389 192.168.X.10

Remote Desktop Connection->127.0.0.1:3101

• Управление сервисами в Linux

server# cat /etc/ssh/sshd_config

...
GatewayPorts yes
...

# cat /proc/sys/net/ipv4/ip_local_port_range
  или
# sysctl net.ipv4.ip_local_port_range

lan# ssh -N -R 61022:localhost:22 -o ServerAliveInterval=60 student@server.corpX.un

lan# ssh -N -R 61389:192.168.100+X.1NN:3389 student@server.corpX.un

mobaxterm> ssh -N -R 61389:localhost:3389 student@server.corpX.un

mobaxterm> ssh -N -R 0:localhost:5500 student@server.corpX.un

node2# cat sshd_config

...
#AllowUsers root user*@10.5.*.*
...
Match Address 192.168.*.*,172.16.*.*
       PermitRootLogin yes

Пример использования отдельного файла конфигурации

gate# cat /etc/ssh/sshd_config.d/my.conf

#AllowGroups sudo

#DenyGroups group1 group2

server# cat sshd_config

...
Match Group *,!sudo
    X11Forwarding no
    AllowTcpForwarding no

• Speeding up SSH Session Creation

node1:~# cat ~/.ssh/config

Host *
ControlMaster auto
ControlPath ~/.ssh/sockets/%r@%h-%p
ControlPersist 600

node1# mkdir .ssh/sockets

$ cat ~/.ssh/config

StrictHostKeyChecking no

server# apt install sshpass

server# sshpass -p 'strongpassword' ssh vagrant@node1

server# sshpass -p cisco ssh switchN

server# sshpass -p cisco ssh switch1 sh int | grep line

gate# less /etc/ssh/sshd_config

...
#PubkeyAuthentication yes
#AuthorizedKeysFile     %h/.ssh/authorized_keys
...

user1@client1:~$ ssh-keygen

...
Enter passphrase (empty for no passphrase): password1
...

user1@client1:~$ ls .ssh/

• ssh-copy-id

linux$ ssh-copy-id gate

linux$ ssh-copy-id server

freebsd$ ssh-copy-id -i .ssh/id_rsa.pub gate

• вручную

user1@client1$ ssh gate "mkdir .ssh"

user1@client1$ scp .ssh/id_rsa.pub gate:.ssh/authorized_keys
или
user1@client1$ cat .ssh/id_rsa.pub | ssh gate "cat >> .ssh/authorized_keys"

user1@client1$ ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-JaQgNr4492/agent.4492; export SSH_AUTH_SOCK;
SSH_AGENT_PID=4493; export SSH_AGENT_PID;
echo Agent pid 4493;

user1@client1$ SSH_AUTH_SOCK=/tmp/ssh-JaQgNr4492/agent.4492; export SSH_AUTH_SOCK;
user1@client1$ SSH_AGENT_PID=4493; export SSH_AGENT_PID;

или

user1@client1$ eval `ssh-agent -s`

user1@client1$ ssh-add
Enter passphrase for /root/.ssh/id_rsa:
...

student@client1$ ssh-add -l
...

user1@client1$ ssh gate

user1@client1$ ssh server

• Создание SPN и Keytab файла при использовании DC Windows, DC FreeIPA, ...

root@server:~# kadmin.local

kadmin.local:  addprinc -randkey host/gate.corpX.un
...
kadmin.local:  listprincs

kadmin.local:  ktadd -k gatehost.keytab host/gate.corpX.un
...
kadmin.local:  quit

server# scp gatehost.keytab gate:

server# kadmin -l

kadmin> add -r host/gate.corpX.un
...
kadmin> list *

kadmin> ext -k gatehost.keytab host/gate.corpX.un
kadmin> quit

server# scp gatehost.keytab gate:

• Еще один способ: Добавление SPN записей в keytab-файл (на стороне сервера Linux с помощью утилиты ktutil), связанный с учётной записью Computer в домене Active Directory

Добавляем пользователя в AD

Login: gatehost
Password: Pa$$w0rd

Пароль не меняется и не устаревает

Связываем SPN (Service Principal Name) host/gate.corpX.un@CORPX.UN с учетной записью gatehost

C:\>ktpass -princ host/gate.corpX.un@CORPX.UN -mapuser gatehost -pass 'Pa$$w0rd' -out gatehost.keytab

C:\>setspn -L -U gatehost

C:\>pscp gatehost.keytab gate:

server# samba-tool user create gatehost

server# samba-tool user setexpiry gatehost --noexpiry

server# samba-tool spn add host/gate.corpX.un gatehost

server# samba-tool spn list gatehost

server# samba-tool domain exportkeytab gatehost.keytab --principal=host/gate.corpX.un

root@gate:~# ktutil

ktutil: rkt /root/gatehost.keytab
ktutil: list
ktutil: wkt /etc/krb5.keytab
ktutil: quit

root@gate:~# klist -ek /etc/krb5.keytab

gate# ktutil copy /root/gatehost.keytab /etc/krb5.keytab
gate# touch /etc/srvtab

gate# ktutil list
...

gate# cat /etc/ssh/sshd_config

...
GSSAPIAuthentication yes
...

client1# less /etc/ssh/ssh_config

...
GSSAPIAuthentication yes
...

Hostname: gate.corpX.un
SSH->Auth
  Attempt "keyboard intractive": no
SSH->Kerberos 
  Attempt Kerberos Auth: yes
  User name portion of user principal name: yes

gate# kinit -V -k -t /etc/krb5.keytab host/gate.corpX.un@CORPX.UN

user1@client1$ kinit

user1@client1$ kinit -S host/gate.corpX.un@CORPX.UN
или
user1@client1$ kvno host/gate.corpX.un@CORPX.UN

user1@client1$ ssh -vv gate.corpX.un

gate# service ssh stop
gate# mkdir /run/sshd
gate# /usr/sbin/sshd -d

• https://serverfault.com/questions/8411/what-is-a-good-ssh-server-to-use-on-windows
• https://social.technet.microsoft.com/Forums/ru-RU/f66a25ac-08ba-4131-9316-c681a5f6bf88/ssh-powershell

• How to access ssh terminal in web browser on Linux
• https://server.corpX.un:4200/

# pkg install shellinabox

# service shellinaboxd onestart