My work involves a lot of remote work with unix servers, so we had to figure out how to do it comfortably and safely, and over time I wanted to share the result. This article does not claim to contain anything new, but it seemed to me that there was no complete manual anywhere; something similar exists only in English.
The description has been tested under Debian GNU/Linux with KDE, but it should suit most unix systems, distributions, window managers and graphical environments.
Terminal
I use yakuake: it is very convenient for quickly calling up the console with a key (F12 by default).
Authorization
An important principle of security systems is that they must be convenient, otherwise they will not be used. For ssh this means that, for security, you use key authorization with a passphrase, and, for convenience, you keep the key's passphrase in the computer's memory until reboot (i.e., you enter it once when the machine starts and do not have to enter anything again until the next reboot).
Starting point:
1. The remote ssh server is assumed to be already configured for key authorization (this is usually the case).
2. ssh-agent is assumed to be started automatically (this is usually the case; you can check with the command
ps aux | grep 'ssh'
)
3. The ssh-askpass package is installed (you can install it with
sudo aptitude install ssh-askpass
)
Algorithm
1. Generate a key
ssh-keygen -b 4096 -t rsa
Be sure to enter a passphrase, otherwise losing the key will mean giving the attacker all your access.
2. Copy the key to the server
ssh-copy-id -i ~/.ssh/id_rsa.pub server.tld
If the user names on the local machine and the remote server differ, you must specify the user name:
ssh-copy-id user@server.tld
3. For KDE users: to have the keys added at login, put a script add-keys.sh with the following contents into the ~/.kde/Autostart folder
#!/bin/bash
/usr/bin/ssh-add
For GNOME users, there is a description.
You can also use keychain to store keys in memory.
Log out and log back in; a passphrase prompt window should appear. Enter the passphrase and try to log in to the server:
ssh user@server.tld
or execute the command
ssh user@server.tld uname -a
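As an added example (not part of the original article), a small POSIX shell audit for the setup above: it flags private keys that are accessible to other users or that load with an empty passphrase, and reports whether ssh-agent is holding any keys. The function names and the default key path ~/.ssh/id_rsa are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit private keys used with ssh-agent.
# Function names and the default path are illustrative assumptions.

# Exit 0 if group and others have no permission bits on FILE.
key_mode_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Exit 0 if FILE is a private key that loads with an EMPTY passphrase.
# -y derives the public key; -P '' supplies the passphrase, so no prompt.
key_is_unprotected() {
    ssh-keygen -y -P '' -f "$1" </dev/null >/dev/null 2>&1
}

# Print one verdict: missing | bad-mode | no-passphrase | ok
# The mode is checked first because ssh-keygen refuses to load a key
# with loose permissions, which would hide a missing passphrase.
# "ok" only means the file did not load with an empty passphrase.
audit_key() {
    [ -f "$1" ] || { echo missing; return 0; }
    key_mode_ok "$1" || { echo bad-mode; return 0; }
    if key_is_unprotected "$1"; then echo no-passphrase; else echo ok; fi
}

# Print agent state from the ssh-add -l exit status:
# 0 = keys loaded, 1 = agent has no keys, anything else = no agent.
agent_state() {
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo loaded ;;
        1) echo empty ;;
        *) echo no-agent ;;
    esac
}

# Audit the keys given as arguments, or the default RSA key.
[ $# -gt 0 ] || set -- "${HOME:-.}/.ssh/id_rsa"
for k in "$@"; do
    printf '%s: %s\n' "$k" "$(audit_key "$k")"
done
printf 'ssh-agent: %s\n' "$(agent_state)"
```

A verdict of no-passphrase can be fixed in place with ssh-keygen -p -f on the key file, and bad-mode with chmod 600.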
Working over an unstable connection
With ordinary web browsing or file downloads with suitable software you may not even notice interruptions, but when working with a remote server via ssh, a disconnect means you lose the session and all running programs are stopped: for example, a running script is terminated, unsaved changes in a text editor are lost, etc.
To solve this problem there is the program screen: it keeps running even when the connection is broken and keeps all the applications started inside it open and running.
Algorithm
1. Run screen. Nothing may appear to change, but
echo $TERM
will show that we are inside screen
2. using keyboard shortcuts
Ctrl+A «c» – screen
Ctrl+A «K» – screen
Ctrl+A «p» – screen
Ctrl+A «n» – screen
Ctrl+A «"» –
Ctrl+A «number» – , 0
create the necessary number of windows and run the necessary programs in them. It makes sense to adopt a single scheme for assigning windows across all servers (for example, window number 1 holds the database connection, window number 2 the logs, and so on).
3. For some reason, the connection is lost.
4. Log in to the server again and run:
screen -d -RR
and we are back in the same screen session with all the applications in the same state.
For more about screen, read
man screen
and the many articles online, for example this one.
File sharing
To copy files to, from and between machines there is the scp utility. It is simple and should be self-explanatory. Copying from the current machine to a remote server:
scp backdoor.sh user@server.tld:/home/user/
From a remote server to the current machine (into the current folder):
scp user@server.tld:/etc/passwd .
For those suffering on MS Windows®
There is PuTTY:
- PuTTY (ssh client)
- PSCP (SCP client)
- Pageant (similar to ssh-agent)
- PuTTYgen (key generator)
An analogue of GNU screen can probably be found here.
I hope someone finds this useful.