Terminal->Features->Disable application keypad mode
HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys
# apt install ssh
gate# cat /etc/ssh/sshd_config
...
Port 2222
...
DenyUsers "user*"
...
PermitRootLogin yes
...
Проверка конфигурации
# /usr/sbin/sshd -t
Печать fingerprint публичного ключа
gate# ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key.pub
$ cat .ssh/config
Host *
    ServerAliveInterval 10

#Host server2*
# Port 2222
# User backup

#Host 172.16.1.* 192.168.*.* *.corpX.un
# UserKnownHostsFile=/dev/null
# StrictHostKeyChecking=no
# ssh -l user1 gate
# ssh user1@gate
student@hostX$ ssh -l user1 gate "uname -a"
student@hostX$ cat /etc/hosts | ssh -l user1 gate "cat > hosts.bak"
student@hostX$ cd /; sudo tar -cf - etc/ | ssh -l user1 gate "cat > etc.tar"
student@hostX$ scp /etc/motd user1@gate:hostX.motd.bak
student@hostX$ scp user1@gate:/etc/motd gate.motd.bak
www# cat /etc/ssh/sshd_config
...
# Subsystem sftp /usr/libexec/sftp-server
Subsystem sftp internal-sftp
...
Match group user1
    ChrootDirectory %h
    ForceCommand internal-sftp
www# chown root ~user1/
www# mkdir ~user1/public_html
www# chown -R user1:user1 ~user1/public_html/
gate# cat /etc/ssh/sshd_config
...
X11Forwarding yes
...
Putty
Session
    HostNameIP 192.168.X.10
Connection->SSH->Tunnels
    Source port 1111
    Destination 192.168.100+X.201:3389

linux> ssh -L 1111:192.168.100+X.201:3389 192.168.X.10

Remote Desktop Connection->127.0.0.1:1111
inside_nat# ssh -N -R 2222:localhost:22 val@val.bmstu.ru

val# cat /etc/ssh/sshd_config
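...
# порты, проброшенные через -R, будут слушать на всех интерфейсах сервера, а не только на localhost
GatewayPorts yes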
nessus# ssh -N -R 1111:10.10.132.50:3389 val@val.bmstu.ru
node2# cat sshd_config
...
Match Address 192.168.X.1
    PermitRootLogin yes
server# cat sshd_config
...
Match Group *,!sudo
    X11Forwarding no
    AllowTcpForwarding no
node1:~# cat .ssh/config
Host *
    ControlMaster auto
    ControlPath ~/.ssh/sockets/%r@%h-%p
    ControlPersist 600

node1# mkdir .ssh/sockets
$ cat ~/.ssh/config
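# ключи новых хостов принимаются без подтверждения; без секции Host действует для всех хостов — использовать только в изолированном стенде
StrictHostKeyChecking no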
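[gate.isp.un:~] # apt install sshpass
[gate.isp.un:~] # sshpass -p '123' ssh 172.16.1.13
Примечание: пароль, переданный через -p, может быть виден в списке процессов и в истории команд; sshpass умеет читать его из файла (-f) или из переменной окружения SSHPASS (-e).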
gate# cat /etc/ssh/sshd_config
...
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
...
user1@client1:~$ ssh-keygen
...
Enter passphrase (empty for no passphrase): password1
...
user1@client1:~$ ls .ssh/
user1@client1:~$ chmod 755 .
user1@client1:~$ chmod 700 .ssh/
user1@client1:~$ chmod 600 .ssh/authorized_keys
linux$ ssh-copy-id gate
freebsd$ ssh-copy-id -i .ssh/id_rsa.pub gate
user1@client1$ ssh gate "mkdir .ssh"
user1@client1$ scp .ssh/id_rsa.pub gate:.ssh/authorized_keys
или
user1@client1$ cat .ssh/id_rsa.pub | ssh gate "cat >> .ssh/authorized_keys"
user1@client1$ ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-JaQgNr4492/agent.4492; export SSH_AUTH_SOCK;
SSH_AGENT_PID=4493; export SSH_AGENT_PID;
echo Agent pid 4493;

user1@client1$ SSH_AUTH_SOCK=/tmp/ssh-JaQgNr4492/agent.4492; export SSH_AUTH_SOCK;
user1@client1$ SSH_AGENT_PID=4493; export SSH_AGENT_PID;
или
user1@client1$ eval `ssh-agent -s`
user1@client1$ ssh-add
Enter passphrase for /root/.ssh/id_rsa:
...
gate# ssh-add -l
...
user1@client1$ ssh gate
root@server:~# kadmin.local
kadmin.local: addprinc -randkey host/gate.corpX.un
...
kadmin.local: listprincs
kadmin.local: ktadd -k gatehost.keytab host/gate.corpX.un
...
kadmin.local: quit
server# scp gatehost.keytab gate:
server# kadmin -l
kadmin> add -r host/gate.corpX.un
...
kadmin> list *
kadmin> ext -k gatehost.keytab host/gate.corpX.un
kadmin> quit
server# scp gatehost.keytab gate:
Добавляем пользователя в AD
Login: gatehost
Password: Pa$$w0rd
Пароль не меняется и не устаревает
Связываем SPN (Service Principal Name) host/gate.corpX.un@CORPX.UN с учетной записью gatehost
C:\>ktpass -princ host/gate.corpX.un@CORPX.UN -mapuser gatehost -pass 'Pa$$w0rd' -out gatehost.keytab
C:\>setspn -L gatehost
C:\>pscp gatehost.keytab gate:
root@gate:~# ktutil
ktutil: rkt /root/gatehost.keytab
ktutil: list
ktutil: wkt /etc/krb5.keytab
ktutil: quit
root@gate:~# klist -ek /etc/krb5.keytab
gate# ktutil copy /root/gatehost.keytab /etc/krb5.keytab
gate# touch /etc/srvtab
gate# ktutil list
...
gate# cat /etc/ssh/sshd_config
...
GSSAPIAuthentication yes
...
client1# cat /etc/ssh/ssh_config
...
GSSAPIAuthentication yes
...
Hostname: gate.corpX.un
SSH->Auth
    Attempt "keyboard-interactive": no
SSH->Kerberos
    Attempt Kerberos Auth: yes
    User name portion of user principal name: yes
gate# kinit -V -k -t /etc/krb5.keytab host/gate.corpX.un@CORPX.UN
user1@client1$ kinit
user1@client1$ kinit -S host/gate.corpX.un@CORPX.UN
или
user1@client1$ kvno host/gate.corpX.un@CORPX.UN
user1@client1$ ssh -vv gate.corpX.un
gate# /usr/sbin/sshd -d
# pkg install shellinabox
# service shellinaboxd onestart