Tomáš Čorej - OpenSSH
    Presentation Transcript

    • OpenSSH
      tomas.corej@websupport.sk
      @tomas_corej
    • OpenSSH
      ● a tool for secure remote login
      ● a rewritten version of the original SSH tool
      ● an example of a flexible tool usable for far more than remote login
      ● a replacement for telnet, ftp and rlogin
    • From the beginning
          pesnik:~$ ssh testor
      or
          pesnik:~$ ln -s /usr/bin/ssh-argv0 $HOME/bin/testor
          pesnik:~$ testor
    • From the beginning
          pesnik:~$ ssh testor
          user@testor password: ^C
          pesnik:~$ ssh-keygen
          pesnik:~$ ssh-copy-id testor
          Now try logging into the machine, with "ssh testor", and check in:
            ~/.ssh/authorized_keys
          to make sure we haven't added extra keys that you weren't expecting.
    • From the beginning
          pesnik:~$ ssh testor
          Warning: the RSA host key for testor differs from the key for the IP address 37.9.170.2
          Offending key for IP in /home/tomas.corej/.ssh/known_hosts:57
          Matching host key in /home/tomas.corej/.ssh/known_hosts:875
          You have mail.
          Last login: Thu Jul 11 00:12:57 2012 from services
          testor:~$ ^D
          pesnik:~$ ssh-keygen -R 37.9.170.2
      The entry stored for the IP address (known_hosts line 57) is stale while the entry for the hostname (line 875) matches the key the server presented; ssh-keygen -R removes only the stale IP line. Confirm that the hostname entry is the one you trust before deleting the other.
    • From the beginning
          pesnik:~$ ssh testor
          You have mail.
          Last login: Thu Jul 11 00:12:57 2012 from pesnik
          testor:~$
    • From the beginning
          pesnik:~$ ssh testor
          You have mail.
          Last login: Thu Jul 11 00:12:57 2012 from services
          testor:~$ ~?
          Supported escape sequences:
            ~.  - terminate connection (and any multiplexed sessions)
            ~B  - send a BREAK to the remote system
            ~C  - open a command line
            ~R  - Request rekey (SSH protocol 2 only)
            ~^Z - suspend ssh
            ~#  - list forwarded connections
            ~&  - background ssh (when waiting for connections to terminate)
            ~?  - this message
            ~~  - send the escape character by typing it twice
          (Note that escapes are only recognized immediately after newline.)
    • Usable in scripts
          pesnik:~$ ssh testor /bin/true && echo ok
          ok
          if ssh testor command; then
            ...
          fi
      ssh exits with the remote command's exit status, or with 255 when the connection itself failed, so the test above cannot tell "command failed" from "host unreachable" without checking for 255.
    • I can't be bothered to use scp
          pesnik:~$ command | ssh testor "cat > remotefile"
          pesnik:~$ mysqldump -uroot -p db | ssh testor "gzip - > db.gz"
          pesnik:~$ mysqldump -uroot -p db | gzip - | ssh testor "cat > db.gz"
          pesnik:~$ cat list | ssh testor 'while read input; do command $input $USER; done'
      The last loop is in single quotes: with double quotes the local shell would expand $input (empty) and $USER before the command string is ever sent to testor.
    • X11 made easy
          pesnik:~$ ssh -X testor firefox
          pesnik:~$ ssh -X testor.vpn gnome-terminal
          pesnik:~$ ssh -X testor.vpn xeyes
      -X lets the remote application reach your X server; on distributions whose default ssh_config sets ForwardX11Trusted yes (Debian, Ubuntu) that is full access to your display, so use it only with hosts you trust.
    • Agent forwarding
          tomas.corej@pesnik:~$ ssh-add -l
          2048 f8:c6:6a:f4:ca:ee:0e:57:86:ed:f1:4b:ec:d3:84:ba /home/tomas.corej/.ssh/id_rsa (RSA)
          tomas.corej@pesnik:~$ ssh -A testor
          tomas.corej@testor:~$ ssh-add -l
          2048 f8:c6:6a:f4:ca:ee:0e:57:86:ed:f1:4b:ec:d3:84:ba /home/tomas.corej/.ssh/id_rsa (RSA)
          tomas.corej@pesnik:~$ ssh -A testor2
      ● a possible security risk: on the intermediate host the forwarded agent socket lives in a directory under /tmp, so anyone with root there can use your keys for as long as you stay connected
      ● can lead to errors, especially when running cron scripts (no agent, no socket)
    • SOCKS proxy and tunnelling
          pesnik:~$ ssh -D 3128 testor
          -L [bind_address:]port:host:hostport   Request local forward
          -R [bind_address:]port:host:hostport   Request remote forward
          -D [bind_address:]port                 Request dynamic forward
      Without a bind_address the forwarded port listens on loopback only; binding 0.0.0.0 (or using -g) exposes the tunnel to everyone who can reach the machine.
    • Let's save all of this into $HOME/.ssh/config
          Host *
            User root
            ForwardAgent yes
            ForwardX11 yes
            ConnectTimeout=20
            PreferredAuthentications=publickey,password,keyboard-interactive
            StrictHostKeyChecking=no
            ControlMaster auto
            ControlPath ~/.ssh/sockets/%r@%h:%p
            SendEnv BASH_ENV
            IdentityFile ~/.ssh/id_rsa
            IdentityFile ~/.ssh/customers_vps
            Compression yes
          Host abcd
            IdentityFile ~/.ssh/abcd.pub
      Everything under Host * applies to every server: ForwardAgent yes offers your agent to all of them, StrictHostKeyChecking=no switches off the host key check the earlier slide relied on, and User root makes root the default login everywhere. ssh keeps the first value it sees for an option, so host-specific blocks that override these settings belong above Host *.
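      As an added example that is not part of the talk: a small linter that flags directives such as ForwardAgent yes, ForwardX11 yes, StrictHostKeyChecking no and User root when they sit under a wildcard Host block, run over the slide's own config (embedded below as constructed input) and over a hardened rewrite. The hardened config, the function names and the host names testor, testor2 and abcd are my own assumptions; ProxyJump needs OpenSSH 7.3 or later.

```shell
#!/bin/sh
# Added example, not from the talk: flag risky ssh_config directives that sit
# under a wildcard Host block, where they apply to every server you touch.

# The slide's $HOME/.ssh/config, embedded here as constructed input.
SLIDE_CONFIG='Host *
  User root
  ForwardAgent yes
  ForwardX11 yes
  ConnectTimeout=20
  PreferredAuthentications=publickey,password,keyboard-interactive
  StrictHostKeyChecking=no
  ControlMaster auto
  ControlPath ~/.ssh/sockets/%r@%h:%p
  SendEnv BASH_ENV
  IdentityFile ~/.ssh/id_rsa
  IdentityFile ~/.ssh/customers_vps
  Compression yes
Host abcd
  IdentityFile ~/.ssh/abcd.pub'

# A hardened rewrite (my own, host names assumed from the slides): per-host
# blocks first because ssh keeps the first value it sees for each option,
# ProxyJump instead of agent forwarding for the hop, host keys verified,
# IdentitiesOnly so that not every agent key is offered to every server.
HARDENED_CONFIG='Host abcd
  IdentityFile ~/.ssh/abcd.pub
Host testor2
  ProxyJump testor
Host *
  ConnectTimeout 20
  PreferredAuthentications publickey,keyboard-interactive,password
  StrictHostKeyChecking ask
  VerifyHostKeyDNS ask
  IdentitiesOnly yes
  IdentityFile ~/.ssh/id_rsa
  IdentityFile ~/.ssh/customers_vps
  ControlMaster auto
  ControlPath ~/.ssh/sockets/%r@%h:%p
  Compression yes'

# lint_ssh_config: read an ssh_config on stdin, print one WARN line per risky
# directive found under a wildcard Host/Match block. Directives before the
# first Host line are global, so they are treated as "Host *".
lint_ssh_config() {
    host='*'
    while IFS= read -r line; do
        # drop comments, accept "Key value" and "Key=value", squeeze whitespace
        line=$(printf '%s\n' "$line" | sed -e 's/#.*//' -e 's/=/ /' \
               -e 's/[[:space:]][[:space:]]*/ /g' -e 's/^ //' -e 's/ $//')
        [ -z "$line" ] && continue
        key=$(printf '%s\n' "$line" | cut -d' ' -f1 | tr '[:upper:]' '[:lower:]')
        val=$(printf '%s\n' "$line" | cut -d' ' -f2- | tr '[:upper:]' '[:lower:]')
        if [ "$key" = host ] || [ "$key" = match ]; then
            host=$val
            continue
        fi
        # a block naming one concrete host is a deliberate per-host choice
        case "$host" in *\**|*\?*|all) ;; *) continue ;; esac
        case "$key $val" in
            'forwardagent yes')         echo "WARN [$host] ForwardAgent yes: your agent is offered to every host" ;;
            'forwardx11 yes')           echo "WARN [$host] ForwardX11 yes: every host may talk to your X display" ;;
            'stricthostkeychecking no') echo "WARN [$host] StrictHostKeyChecking no: new and changed host keys are accepted silently" ;;
            'user root')                echo "WARN [$host] User root: root is the default login everywhere" ;;
        esac
    done
}

# lint_count <config text>: number of warnings for a config given as a string.
lint_count() {
    printf '%s\n' "$1" | lint_ssh_config | wc -l | tr -d ' '
}
```

      Run with `printf '%s\n' "$SLIDE_CONFIG" | lint_ssh_config`: the slide's config produces four warnings, the hardened one none. The linter deliberately ignores blocks that name a single host, because forwarding the agent to one bastion you control is a decision, while doing it under Host * is usually an accident.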
    • level++
    • ProxyCommand
      ● it can be anything, as long as it handles STDIN and STDOUT
          ssh -o ProxyCommand="$HOME/.ssh/gateway.sh %h %p" testor
      ● %h, %p and %r are substituted
      ● access through an intermediary
          ssh -o ProxyCommand="ssh user@testor nc %h %p" user@192.168.1.2 "uname -a"
      ● the -W parameter: with -W host:port the intermediate ssh forwards its own stdin and stdout to host:port over the secure channel, so nc need not be installed on the jump host
      ● risk of DoS
    • Multiplexing SSH connections
      ● for when SSH connections are opened frequently and in large numbers
      ● shortens the time and reduces the overhead (0.2 s vs 0.014 s)
      ● config:
          ControlMaster auto
          ControlPath ~/.ssh/sockets/%r@%h:%p
      ● controlled via -O check, forward, stop, exit
      Create the socket directory yourself with mode 0700: whoever can connect to the control socket gets sessions on the master connection without authenticating.
    • Multiplexing SSH connections
          pesnik:~$ ssh testor
          You have mail.
          Last login: Thu Jul 11 00:12:57 2012 from pesnik
          testor:~$ ~^Z
          pesnik:~$ cd ~/.ssh/sockets
          pesnik:~/.ssh/sockets$ ls
          user@testor:22
          pesnik:~$ ssh -O check user@testor
          Master running (pid=22797)
          pesnik:~$ fg
          testor:~$
    • Subsystems
      ● another way of running remote commands
      ● SFTP is a subsystem
      ● it can also be internal functionality (sftp with chroot: Subsystem sftp internal-sftp)
      ● server, in sshd_config:
          Subsystem backup /root/bin/backupcmd
      ● ssh client:
          ssh -s backup root@testor
    • DNS SSHFP
      ● an extended way of verifying fingerprints
      ● sshd fingerprints can also be stored in DNS records
      ● VerifyHostKeyDNS yes|ask|no
      With VerifyHostKeyDNS yes the client trusts a matching record only when the resolver returned it DNSSEC-validated; an unsigned answer is treated as if the option were ask. Without DNSSEC the record is advisory at best, since anyone who can spoof the DNS reply can also supply a matching fingerprint.
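      As an added example that is not part of the talk: deriving an SSHFP record from a host key line by hand, the way ssh-keygen -r does, so the value published in DNS can be compared with what the server actually presents. The key line below is a constructed ed25519 key with an all-zero key blob, not a real host key, and the helper names are my own.

```shell
#!/bin/sh
# Added example: build an SSHFP resource record from an OpenSSH public key
# line, as `ssh-keygen -r <host>` does. Not part of the talk; helper names
# are made up for this example.
#
# RFC 4255 / RFC 6594 layout:  <owner> IN SSHFP <algorithm> <fptype> <hex>
#   algorithm: 1 = RSA, 2 = DSA, 3 = ECDSA, 4 = Ed25519
#   fptype:    1 = SHA-1, 2 = SHA-256 (only SHA-256 is emitted here)
# The fingerprint is the hash of the base64-decoded key blob, i.e. the second
# field of a known_hosts / authorized_keys / ssh-keyscan line.

sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    else
        shasum -a 256 | cut -d' ' -f1
    fi
}

# Map the key type word to the SSHFP algorithm number; fails on anything else.
sshfp_algorithm() {
    case "$1" in
        ssh-rsa) echo 1 ;;
        ssh-dss) echo 2 ;;
        ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) echo 3 ;;
        ssh-ed25519) echo 4 ;;
        *) return 1 ;;
    esac
}

# sshfp_record <owner> "<keytype> <base64 blob> [comment]"
# Prints one SHA-256 SSHFP record for the key, or fails on an unknown type.
sshfp_record() {
    owner=$1
    keytype=$(printf '%s\n' "$2" | cut -d' ' -f1)
    blob=$(printf '%s\n' "$2" | cut -d' ' -f2)
    alg=$(sshfp_algorithm "$keytype") || {
        echo "unsupported key type: $keytype" >&2
        return 1
    }
    fp=$(printf '%s' "$blob" | base64 -d | sha256_hex)
    printf '%s IN SSHFP %s 2 %s\n' "$owner" "$alg" "$fp"
}

# Constructed sample (all-zero key blob, not a real key) so the script runs
# offline; with a real host, feed it a line from `ssh-keyscan -t ed25519 host`.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA constructed@sample'

if [ "${1:-}" = "--demo" ]; then
    sshfp_record testor.example "$SAMPLE_KEY"
fi
```

      The record is only as trustworthy as the DNS answer that carries it; publish it in a DNSSEC-signed zone, otherwise VerifyHostKeyDNS yes will fall back to asking.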
    • Private keys
      ● private keys live in $HOME/.ssh/id_rsa by default
      ● a key in the server's authorized_keys can additionally be restricted with options:
          no-port-forwarding,no-user-rc,no-X11-forwarding,no-pty,command="/bin/nc $SSH_ORIGINAL_COMMAND" ssh-rsa AAAAB3Nza....
      ● $SSH_ORIGINAL_COMMAND contains the text of the command the client asked for, i.e. command in: ssh root@testor command
      Note that command="/bin/nc $SSH_ORIGINAL_COMMAND" still lets the key holder choose nc's arguments, so this key can open a connection from testor to any host and port the client names. A forced command should compare $SSH_ORIGINAL_COMMAND against a fixed list rather than pass it through.
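      As an added example that is not part of the talk: a forced-command wrapper that accepts only a fixed set of requests instead of handing $SSH_ORIGINAL_COMMAND to nc. The authorized_keys line it is written for, the script path /usr/local/bin/restricted-shell, the allowlist entries and the function names are all my own assumptions.

```shell
#!/bin/sh
# Added example, not from the talk: a forced-command wrapper for a restricted
# key. The slide's command="/bin/nc $SSH_ORIGINAL_COMMAND" hands whatever the
# client typed to nc; this wrapper instead accepts only a fixed set of
# commands. Hypothetical authorized_keys line it is meant for (blob elided):
#
#   restrict,command="/usr/local/bin/restricted-shell" ssh-ed25519 AAAA... backup@pesnik
#
# "restrict" (OpenSSH 7.2 and later) turns off pty, port, agent and X11
# forwarding and user-rc in one word, what the slide spells out option by option.

# allowed_command <requested command line>
# Prints the command line we will run and returns 0 when the request is on the
# allowlist; otherwise prints nothing and returns 1. The request is matched as
# a whole string, so "backup-db; rm -rf /" or "backup-db --foo" do not match.
allowed_command() {
    case "$1" in
        backup-db)  echo 'mysqldump --single-transaction db' ;;
        backup-etc) echo 'tar -C / -czf - etc' ;;
        hostname)   echo 'uname -n' ;;
        *)          return 1 ;;
    esac
}

# run_restricted: what sshd ends up calling. Refuses interactive logins and
# anything off the allowlist with status 127 and a line in the auth log.
run_restricted() {
    req=${SSH_ORIGINAL_COMMAND:-}
    if [ -z "$req" ]; then
        echo 'interactive login not permitted for this key' >&2
        return 127
    fi
    cmd=$(allowed_command "$req") || {
        logger -p auth.warning -t restricted-shell "refused: $req" 2>/dev/null || true
        echo "command not permitted: $req" >&2
        return 127
    }
    # $cmd is one of our own constant strings, never client input, so letting
    # the shell split it into words here is safe.
    $cmd
}

# Only act as the forced command when installed and invoked under that name;
# when sourced or run as a plain script nothing happens.
case "$0" in
    */restricted-shell|restricted-shell) run_restricted; exit $? ;;
esac
```

      The client still runs `ssh backup@testor backup-db` as before; the difference is that `ssh backup@testor 'nc 10.0.0.1 22'` now fails with status 127 and leaves a trace in the auth log instead of opening a connection from testor.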
    • OpenSSH-lpk
      ● the OpenSSH-lpk patch
        ○ makes sshd look up users' public keys on an LDAP server (current OpenSSH offers AuthorizedKeysCommand in sshd_config for the same purpose without patching)
    • factotum
      ● a contribution from the world of the Plan 9 operating system