Probably many of those who read “Linux for everyone” use SSH. I, for example, administer a large number of UNIX systems, and to get to the right machine quickly I have to use the protocol's capabilities at more than a primitive level.
First, we need to wean ourselves off typing the password every time. Most people probably know this already, but just in case: there is a clever mechanism called SSH keys. Instructions:
1. ssh-keygen -t dsa. Here you will be asked for the file paths and a passphrase. The passphrase is recommended for security reasons; you won't have to enter it often. You end up with two files: ~/.ssh/id_dsa and ~/.ssh/id_dsa.pub. The first is your private key; don't show it to anyone! The second is the public key, which is meant to be placed on remote machines.
2. On the remote machine, create the directory ~/.ssh with permissions 700, and inside it the file authorized_keys with permissions 600, into which you put the contents of ~/.ssh/id_dsa.pub (your public key).
3. You can now log in from the first machine to the second without a password. If it doesn't work, check whether the remote machine's sshd config contains the line “PubkeyAuthentication no”, and check the permissions of all the files involved: .ssh needs 700, everything inside it 600.
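The installation and the permission check from steps 2 and 3, as an added example that is not part of the original post. It is plain POSIX sh with no dependency on the ssh binaries, so it can be copied to the remote machine and run there; the key type in the usage comment is ed25519 (an assumption; the post uses DSA, which current OpenSSH releases no longer accept by default), and the host name and script file name are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): install a public key on a
# machine and audit ~/.ssh permissions the way step 3 says to check them.
# Pure POSIX sh plus ls/cut/grep; no ssh binary is needed to run it.

# install_pubkey PUBKEY_FILE [SSH_DIR]
#   Creates SSH_DIR (700) and SSH_DIR/authorized_keys (600) if missing and
#   appends each key line from PUBKEY_FILE unless it is already present.
install_pubkey() {
    pubkey_file=$1
    ssh_dir=${2:-"$HOME/.ssh"}
    auth_keys="$ssh_dir/authorized_keys"

    old_umask=$(umask)
    umask 077                       # new files get no group/other bits
    mkdir -p "$ssh_dir" || return 1
    chmod 700 "$ssh_dir" || return 1
    touch "$auth_keys" && chmod 600 "$auth_keys" || return 1
    umask "$old_umask"

    # Append only if this exact key line is not already there (idempotent).
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;    # skip blanks and comments
        esac
        if ! grep -qxF -- "$line" "$auth_keys"; then
            printf '%s\n' "$line" >> "$auth_keys"
        fi
    done < "$pubkey_file"
}

# check_ssh_perms [SSH_DIR]
#   Returns 0 when the directory is 700 and every regular file in it is 600;
#   otherwise prints each offending path to stderr and returns 1. This is the
#   check the post recommends when key login unexpectedly asks for a password.
check_ssh_perms() {
    ssh_dir=${1:-"$HOME/.ssh"}
    status=0
    # Compare the mode string printed by ls instead of using stat, whose
    # flags differ between GNU and BSD; cut keeps the 10 type/mode characters.
    mode=$(ls -ld "$ssh_dir" | cut -c1-10)
    if [ "$mode" != "drwx------" ]; then
        echo "bad mode on $ssh_dir: $mode (want drwx------)" >&2
        status=1
    fi
    for f in "$ssh_dir"/*; do
        [ -f "$f" ] || continue
        mode=$(ls -l "$f" | cut -c1-10)
        if [ "$mode" != "-rw-------" ]; then
            echo "bad mode on $f: $mode (want -rw-------)" >&2
            status=1
        fi
    done
    return $status
}

# Typical use (hypothetical host and file names; this script saved as sshperm.sh):
#   ssh-keygen -t ed25519
#   scp ~/.ssh/id_ed25519.pub sshperm.sh v.pupkin@alpha.pupkin.net:/tmp/
#   ssh v.pupkin@alpha.pupkin.net '. /tmp/sshperm.sh; install_pubkey /tmp/id_ed25519.pub && check_ssh_perms'
```

Running check_ssh_perms on the remote side is the quickest way to separate a permission problem (sshd silently ignores a group- or world-readable authorized_keys) from a disabled PubkeyAuthentication setting.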
Secondly, we learn ssh-agent. It lets you enter the key's passphrase only once (when the key is loaded) instead of at every login. Plus a few more bonuses.
1. Make sure ssh-agent is running: "ps -C ssh-agent". If it isn't, start a terminal through it, for example “ssh-agent roxterm”.
2. Load the key: "ssh-add ~/.ssh/id_dsa". It should reply that the identity has been added. Note: the file name only needs to be given here if it differs from the default.
3. Log in to the second machine without a password.
3.9. They say that on OpenBSD you have to set a variable pointing to SSH_AUTH_SOCK (whatever that means :)), otherwise agent forwarding doesn't work.
4. Log out of the second machine and log back in, this time passing the -A parameter to ssh. After that, go on from there to a third machine on which key authentication is already configured, again without a password. We think “Heh, cool!”, because there are no private keys on the second machine!
Thirdly, we forget about the -A flag, because in the file ~/.ssh/config (permissions 600) we write the line "ForwardAgent yes".
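The agent check behind steps 1 and 2 (and the SSH_AUTH_SOCK remark in step 3.9), as an added example that is not from the original post. It relies on the documented exit codes of "ssh-add -l" (0: identities listed, 1: the agent has none, 2: no agent reachable) and on "ssh-agent -s" printing shell assignments for SSH_AUTH_SOCK and SSH_AGENT_PID; the default key path id_ed25519 is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: report whether an ssh-agent is
# reachable and whether it holds identities, and start one only when needed.

# agent_state: prints one word on stdout:
#   missing-tool  ssh-add is not installed
#   no-agent      no reachable agent: SSH_AUTH_SOCK unset, stale or not
#                 exported (the situation the OpenBSD note in 3.9 describes)
#   no-keys       agent reachable but empty; ssh-add is needed
#   keys-loaded   ready for password-less logins and for -A / ForwardAgent
agent_state() {
    command -v ssh-add >/dev/null 2>&1 || { echo missing-tool; return 0; }
    ssh-add -l >/dev/null 2>&1
    case $? in
        0) echo keys-loaded ;;
        1) echo no-keys ;;
        *) echo no-agent ;;
    esac
}

# ensure_agent [KEYFILE]: start an agent in this shell if none is reachable
# and load KEYFILE into it. Meant to be sourced (". ./agent.sh; ensure_agent")
# so the exported SSH_AUTH_SOCK survives in the calling shell; this is the
# same job "ssh-agent roxterm" does by wrapping the whole terminal.
ensure_agent() {
    keyfile=${1:-"$HOME/.ssh/id_ed25519"}    # assumed default; the post used id_dsa
    state=$(agent_state)
    case $state in
        missing-tool) echo "ssh-add not found" >&2; return 1 ;;
        no-agent)
            # "ssh-agent -s" prints "SSH_AUTH_SOCK=...; export SSH_AUTH_SOCK;"
            # and the same for SSH_AGENT_PID; eval applies them to this shell.
            eval "$(ssh-agent -s)" >/dev/null || return 1
            state=no-keys ;;
    esac
    if [ "$state" = no-keys ]; then
        ssh-add "$keyfile" || return 1      # asks for the passphrase once
    fi
    echo "agent at $SSH_AUTH_SOCK holds:"
    ssh-add -l
}

# Usage (in an interactive shell):  . ./agent.sh && ensure_agent
# A later "ssh -A" or ForwardAgent login reuses the same socket; when a remote
# hop reports no-agent, the socket was not forwarded or not exported there.
```

A forwarded agent only works for as long as the local agent holds the key; ssh-add -D (remove all identities) or ending the local session is therefore the way to revoke access that was granted through forwarding.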
If all your SSH adventures end on machines that can be reached in one hop, you can stop reading here. For cases where there is an entry point into the network of administered machines (or even a chain of them), I recommend reading on.
Fourth, we configure an SSH proxy.
Situation: I have a server alpha with the address alpha.pupkin.net, and a server beta with the address 192.168.1.17, on a network reachable from alpha but not from my machine. On the local machine my user is called david, and on all the others v.pupkin. I write the following black magic into ~/.ssh/config:
Host *
    ForwardAgent yes
Host alpha
    HostName alpha.pupkin.net
    User v.pupkin
Host beta
    HostName 192.168.1.17
    User v.pupkin
    ProxyCommand ssh alpha nc %h %p
Host *.pup
    User v.pupkin
    ProxyCommand ssh beta nc %h %p
What happens: I have given the machines alpha and beta aliases; I get to alpha as the right user at the right address by typing just “ssh alpha” in the console. Moreover, by typing "ssh beta" on the local machine I get to beta via alpha, using netcat as the proxy.
Bonus: if beta can reach a network with working DNS that has a .pup domain, I automatically get to the machines in that domain via beta.
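The same alpha/beta/*.pup layout, as an added example that is not from the original post. It uses ProxyJump (OpenSSH 7.3 and later) in place of the "ssh alpha nc %h %p" ProxyCommand, which needs no netcat on the jump host, and it enables ForwardAgent only on the hosts that continue onward, because anyone with root on a host that receives a forwarded agent can use that agent while the session lasts. The second function is a small resolver for the subset of ssh_config syntax used here; it exists to make the first-match-wins rule visible, which is why the "Host *" defaults sit at the bottom. Host names and addresses are the post's own; the config path is a parameter.

```shell
#!/bin/sh
# Added example, not from the original post: the alpha/beta/*.pup config with
# ProxyJump and per-host ForwardAgent, plus a resolver showing which value ssh
# picks when several Host blocks match. ssh_config uses the FIRST value found
# for each option, so a "Host *" block placed first would override the
# specific blocks below it; here the defaults go last.

# write_ssh_config [FILE]: write the config with mode 600, as the post requires.
write_ssh_config() {
    cfg=${1:-"$HOME/.ssh/config"}
    old_umask=$(umask); umask 077
    cat > "$cfg" <<'EOF'
Host alpha
    HostName alpha.pupkin.net
    # alpha is the entry point; logins that continue from it need the agent.
    ForwardAgent yes

Host beta
    HostName 192.168.1.17
    ProxyJump alpha
    ForwardAgent yes

Host *.pup
    ProxyJump beta

# Defaults last: an earlier "Host *" with ForwardAgent no would win over the
# "yes" above, because the first obtained value is used.
Host *
    User v.pupkin
    ForwardAgent no
EOF
    umask "$old_umask"
    chmod 600 "$cfg"
}

# cfg_get FILE HOST OPTION: print the value ssh_config gives HOST for OPTION,
# applying first-match-wins and Host glob patterns via case. Handles only the
# subset used here: "Key value" lines, blanks, comments and Host globs; no
# Match blocks, "!" negations or Key=Value syntax.
cfg_get() (
    set -f                                  # keep "*" in "Host *" from globbing
    file=$1; target=$2
    want=$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]')
    active=1                                # options before any Host line apply to all
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line                        # word-split on blanks and tabs
        [ $# -gt 0 ] || continue
        case $1 in '#'*) continue ;; esac
        key=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]'); shift
        if [ "$key" = host ]; then
            active=0
            for pat in "$@"; do
                case $target in $pat) active=1 ;; esac
            done
        elif [ "$active" -eq 1 ] && [ "$key" = "$want" ]; then
            printf '%s\n' "$*"; return 0
        fi
    done < "$file"
    return 1
)

# Usage:  write_ssh_config; cfg_get ~/.ssh/config beta proxyjump    -> alpha
#         cfg_get ~/.ssh/config web.pup forwardagent                -> no
# With OpenSSH installed, "ssh -G beta" prints the same resolved values.
```

Because each hop in a ProxyJump chain is itself an ssh session resolved against the same config, "ssh web.pup" runs through beta, which in turn runs through alpha, exactly as the netcat chain did, but with host key checking and the user name applied at every hop.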
UPD: Transferred to "Linux for all"