Tomáš Čorej - OpenSSH

Published in: Technology

  1. OpenSSH
     tomas.corej@websupport.sk, @tomas_corej
  2. OpenSSH
     - a tool for secure remote login
     - a rewritten version of the original SSH tool
     - an example of a flexible tool usable for far more than remote login
     - a replacement for telnet, ftp and rlogin
  3. From the start
       pesnik:~$ ssh testor
     or, with ssh-argv0 (which takes the host name from the name it was invoked as):
       pesnik:~$ ln -s /usr/bin/ssh-argv0 $HOME/bin/testor
       pesnik:~$ testor
  4. From the start
       pesnik:~$ ssh testor
       user@testor password: ^C
       pesnik:~$ ssh-keygen
       pesnik:~$ ssh-copy-id testor
       Now try logging into the machine, with "ssh testor", and check in:
         ~/.ssh/authorized_keys
       to make sure we haven't added extra keys that you weren't expecting.
  5. From the start
       pesnik:~$ ssh testor
       Warning: the RSA host key for testor differs from the key for the IP address 37.9.170.2
       Offending key for IP in /home/tomas.corej/.ssh/known_hosts:57
       Matching host key in /home/tomas.corej/.ssh/known_hosts:875
       You have mail.
       Last login: Thu Jul 11 00:12:57 2012 from services
       testor:~$ ^D
       pesnik:~$ ssh-keygen -R 37.9.170.2
     The warning means known_hosts holds one key under the host name and a different one under the IP address; ssh-keygen -R deletes the entries for the IP so the next connection records the current key. It deletes without checking anything, so first make sure the key stored under the name is really the server's current one.
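Slide 5 resolves the conflict with a single ssh-keygen -R, which removes the IP entry without showing which of the two stored keys was the genuine one. The script below is an added example, not from the slides: it uses ssh-keygen -F and -l to print the fingerprint recorded under the name and under the IP, compares them, and only then drops the stale IP entry. The names testor and 37.9.170.2 are the slide's own; the two keys are generated on the fly as constructed stand-ins for the old and the new host key.

```shell
#!/bin/sh
# Added example, not from the slides: inspect a "host key differs from the
# key for the IP address" conflict before deleting anything from known_hosts.
# ssh-keygen -F finds the entry for one name/IP; with -l it prints the
# fingerprint instead of the raw line.

# Fingerprint stored for a host name or IP in a known_hosts file
# (empty output if there is no entry).  Handles both the SHA256:... and
# the older colon-separated MD5 fingerprint format of ssh-keygen.
known_hosts_fp() {         # $1 = known_hosts file, $2 = host name or IP
  ssh-keygen -l -F "$2" -f "$1" 2>/dev/null |
    awk '$1 !~ /^#/ { for (i = 1; i <= NF; i++)
           if ($i ~ /^(SHA256|MD5):/ || $i ~ /^[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:/) {
             print $i; exit } }'
}

# Compare the key stored under a host name with the key stored under its IP.
# Prints both fingerprints; returns 0 if they match, 1 if they differ (the
# situation behind the warning on slide 5), 2 if one of them is missing.
known_hosts_compare() {    # $1 = known_hosts file, $2 = host name, $3 = IP
  name_fp=$(known_hosts_fp "$1" "$2")
  ip_fp=$(known_hosts_fp "$1" "$3")
  [ -n "$name_fp" ] && [ -n "$ip_fp" ] || return 2
  printf '%s\t%s\n%s\t%s\n' "$2" "$name_fp" "$3" "$ip_fp"
  [ "$name_fp" = "$ip_fp" ]
}

# Drop only the entries for one name/IP; ssh-keygen -R keeps a backup in
# FILE.old and leaves every other line untouched.
known_hosts_forget() {     # $1 = known_hosts file, $2 = host name or IP
  ssh-keygen -R "$2" -f "$1" >/dev/null 2>&1
}

# Demo on a constructed known_hosts: two freshly generated keys stand in for
# testor's old key (still recorded under its IP) and its new key.
demo() {
  dir=$(mktemp -d)
  ssh-keygen -q -t ed25519 -N '' -f "$dir/old" -C old-key
  ssh-keygen -q -t ed25519 -N '' -f "$dir/new" -C new-key
  {
    printf '37.9.170.2 %s\n' "$(cut -d' ' -f1,2 "$dir/old.pub")"
    printf 'testor %s\n'     "$(cut -d' ' -f1,2 "$dir/new.pub")"
  } > "$dir/known_hosts"
  if ! known_hosts_compare "$dir/known_hosts" testor 37.9.170.2; then
    echo "keys differ: confirm the new fingerprint out of band, then:"
    echo "  ssh-keygen -R 37.9.170.2 -f $dir/known_hosts"
    known_hosts_forget "$dir/known_hosts" 37.9.170.2
  fi
  rm -rf "$dir"
}

command -v ssh-keygen >/dev/null 2>&1 && demo
```

The fingerprint you compare against has to come from somewhere other than the connection itself (the server's console, a config management record, or the SSHFP record from slide 19); if the two stored keys differ and you cannot confirm the new one, the right action is to refuse the login, not to run -R.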
  6. From the start
       pesnik:~$ ssh testor
       You have mail.
       Last login: Thu Jul 11 00:12:57 2012 from pesnik
       testor:~$
  7. From the start
       pesnik:~$ ssh testor
       You have mail.
       Last login: Thu Jul 11 00:12:57 2012 from services
       testor:~$ ~?
       Supported escape sequences:
         ~.  - terminate connection (and any multiplexed sessions)
         ~B  - send a BREAK to the remote system
         ~C  - open a command line
         ~R  - Request rekey (SSH protocol 2 only)
         ~^Z - suspend ssh
         ~#  - list forwarded connections
         ~&  - background ssh (when waiting for connections to terminate)
         ~?  - this message
         ~~  - send the escape character by typing it twice
       (Note that escapes are only recognized immediately after newline.)
  8. Usable in scripts
       pesnik:~$ ssh testor /bin/true && echo ok
       ok
       if ssh testor command; then
         ...
       fi
     ssh exits with the exit status of the remote command, or 255 if ssh itself failed (no connection, authentication refused), so the if branch also runs only when both succeeded.
  9. I don't feel like using scp
       pesnik:~$ command | ssh testor "cat > remotefile"
       pesnik:~$ mysqldump -uroot -p db | ssh testor "gzip - > db.gz"
       pesnik:~$ mysqldump -uroot -p db | gzip - | ssh testor "cat > db.gz"
       pesnik:~$ cat list | ssh testor "while read input; do command \$input $USER; done"
     In the last line $input has to be escaped: inside double quotes the local shell would expand it (to nothing) before the loop is ever sent to testor, while $USER is expanded locally on purpose.
  10. X11, simply
       pesnik:~$ ssh -X testor firefox
       pesnik:~$ ssh -X testor.vpn gnome-terminal
       pesnik:~$ ssh -X testor.vpn xeyes
  11. Agent forwarding
       tomas.corej@pesnik:~$ ssh-add -l
       2048 f8:c6:6a:f4:ca:ee:0e:57:86:ed:f1:4b:ec:d3:84:ba /home/tomas.corej/.ssh/id_rsa (RSA)
       tomas.corej@pesnik:~$ ssh -A testor
       tomas.corej@testor:~$ ssh-add -l
       2048 f8:c6:6a:f4:ca:ee:0e:57:86:ed:f1:4b:ec:d3:84:ba /home/tomas.corej/.ssh/id_rsa (RSA)
       tomas.corej@testor:~$ ssh -A testor2
     - a possible security risk: the forwarded agent is a unix socket in a directory under /tmp on testor, so root there (or anyone who can reach that socket) can authenticate with your keys for as long as you are connected
     - can also lead to errors, mainly when running cron scripts, which have no agent to forward
  12. SOCKS proxy and tunnelling
       pesnik:~$ ssh -D 3128 testor
       -L [bind_address:]port:host:hostport   Request local forward
       -R [bind_address:]port:host:hostport   Request remote forward
       -D [bind_address:]port                 Request dynamic forward
  13. Let's save all of this in $HOME/.ssh/config:
       Host *
         User root
         ForwardAgent yes
         ForwardX11 yes
         ConnectTimeout=20
         PreferredAuthentications=publickey,password,keyboard-interactive
         StrictHostKeyChecking=no
         ControlMaster auto
         ControlPath ~/.ssh/sockets/%r@%h:%p
         SendEnv BASH_ENV
         IdentityFile ~/.ssh/id_rsa
         IdentityFile ~/.ssh/customers_vps
         Compression yes
       Host abcd
         IdentityFile ~/.ssh/abcd.pub
     Two things to know about this file: ssh keeps the first value it finds for each option, so a Host block placed after "Host *" can only add to cumulative options such as IdentityFile; and StrictHostKeyChecking=no together with ForwardAgent yes under "Host *" switches off host key verification and hands the agent to every server you log in to, as root.
  14. level++
  15. ProxyCommand
     - can be anything, as long as it passes STDIN and STDOUT through
         ssh -o ProxyCommand="$HOME/.ssh/gateway.sh %h %p" testor
     - %h, %p and %r are substituted
     - access through an intermediary:
         ssh -o ProxyCommand="ssh user@testor nc %h %p" user@192.168.1.2 "uname -a"
     - the -W parameter: ssh -W %h:%p on the intermediary forwards stdin/stdout to the target itself, so no nc is needed there
     - DoS risk
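The config on slide 13 and the nc-based ProxyCommand on slide 15 both work, but under "Host *" the combination of User root, ForwardAgent yes and StrictHostKeyChecking=no makes every connection a root login that accepts any host key and hands the agent to the server. Below is an added example, not from the slides: a shell function that writes a hardened version of that file with the intermediary expressed through ProxyCommand ssh -W, and a helper that reads back what ssh itself resolved for a host with ssh -G (OpenSSH 6.8 or later). testor and abcd are the slides' host names; the jump host gw and the address abcd.example.net are assumptions.

```shell
#!/bin/sh
# Added example, not from the slides.  Writes a hardened version of the
# ~/.ssh/config from slide 13 and checks what ssh really resolves for a host.
# Host names testor and abcd come from the slides; the jump host "gw" and the
# address abcd.example.net are assumptions for the example.

write_ssh_config() {       # $1 = path of the config file to write
  cat > "$1" <<'EOF'
# ssh keeps the FIRST value it finds for each option, so host-specific
# blocks must come before "Host *" (the slide has them the other way round,
# which silently ignores everything except cumulative options such as
# IdentityFile).  ssh_config only allows comments on their own line.

# Root only where root is actually needed.
Host abcd
  HostName abcd.example.net
  User root
  IdentityFile ~/.ssh/abcd.pub

# testor sits behind the gateway: "ssh -W %h:%p gw" connects this ssh's
# stdin/stdout to testor:22 from gw, like "ssh gw nc %h %p" but without nc
# on the gateway (OpenSSH 7.3+ can write the same as "ProxyJump gw").
Host testor
  ProxyCommand ssh -W %h:%p gw

# Defaults for everything else.
Host *
  ForwardAgent no
  ForwardX11 no
  StrictHostKeyChecking ask
  HashKnownHosts yes
  ConnectTimeout 20
  PreferredAuthentications publickey,keyboard-interactive,password
  IdentitiesOnly yes
  IdentityFile ~/.ssh/id_rsa
  IdentityFile ~/.ssh/customers_vps
  ControlMaster auto
  ControlPath ~/.ssh/sockets/%r@%h:%p
  ControlPersist 10m
  Compression yes
EOF
}

# Effective value of one option for a host, exactly as ssh resolves it
# (ssh -G, OpenSSH 6.8+).  Option names in the output are lower case.
effective_option() {       # $1 = config file, $2 = host, $3 = option name
  ssh -G -F "$1" "$2" | awk -v k="$3" '$1 == k { $1 = ""; sub(/^ /, ""); print; exit }'
}

# Show the settings that matter most for the two hosts from the slides.
demo() {
  f=$(mktemp)
  write_ssh_config "$f"
  for h in testor abcd; do
    for opt in user hostname forwardagent stricthostkeychecking proxycommand; do
      printf '%-7s %-22s %s\n' "$h" "$opt" "$(effective_option "$f" "$h" "$opt")"
    done
  done
  rm -f "$f"
}

command -v ssh >/dev/null 2>&1 && demo
```

ControlPath needs the ~/.ssh/sockets directory to exist (mkdir -m 700 ~/.ssh/sockets). Run effective_option after every edit of the file: since the first value wins, an option added below "Host *" for a specific host is ignored without any warning, and ssh -G is the only way to see that. Agent forwarding and root login are then enabled per host, in a block above "Host *", only where they are really needed.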
  16. Multiplexing SSH connections
     - for cases where SSH connections are created often and in large numbers
     - shortens the time and lowers the overhead (0.2 s vs 0.014 s per connection)
     - config:
         ControlMaster auto
         ControlPath ~/.ssh/sockets/%r@%h:%p
     - controlled via -O check, forward, stop, exit
  17. Multiplexing SSH connections
       pesnik:~$ ssh testor
       You have mail.
       Last login: Thu Jul 11 00:12:57 2012 from pesnik
       testor:~$ ~^Z
       pesnik:~$ cd ~/.ssh/sockets
       pesnik:~/.ssh/sockets$ ls
       user@testor:22
       pesnik:~$ ssh -O check user@testor
       Master running (pid=22797)
       pesnik:~$ fg
       testor:~$
  18. Subsystems
     - another form of running remote commands
     - SFTP is a subsystem
     - can also be internal functionality of sshd (sftp with chroot: Subsystem sftp internal-sftp)
     - server side, in sshd_config:
         Subsystem backup /root/bin/backupcmd
     - ssh client:
         ssh -s backup root@testor
  19. DNS SSHFP
     - another way of verifying host key fingerprints
     - sshd host key fingerprints can also be stored in DNS, as SSHFP records (ssh-keygen -r hostname -f key.pub prints them)
     - client option: VerifyHostKeyDNS yes|ask|no
  20. Private keys
     - private keys live in $HOME/.ssh/id_rsa by default
     - a key in authorized_keys can additionally be restricted with options placed in front of it:
         no-port-forwarding,no-user-rc,no-X11-forwarding,no-pty,command="/bin/nc $SSH_ORIGINAL_COMMAND" ssh-rsa AAAAB3Nza...
     - $SSH_ORIGINAL_COMMAND holds the command text the client asked for, i.e. "command" from
         ssh root@testor command
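The command= option on slide 20 is the right tool, but the value shown, command="/bin/nc $SSH_ORIGINAL_COMMAND", is run by sshd through the account's shell, which expands the variable, so whoever holds that key chooses every argument nc gets (a listener, or -e on builds that have it). The script below is an added example, not from the slides, of a forced command that treats SSH_ORIGINAL_COMMAND as data and runs only a fixed menu; the install path /usr/local/bin/restricted-sh, the menu entries and the 127.0.0.1:3306 target are assumptions, and /root/bin/backupcmd is the path from slide 18. The authorized_keys line would then be:

    command="/usr/local/bin/restricted-sh",no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa AAAAB3Nza...

```shell
#!/bin/sh
# Added example, not from the slides: a forced command for authorized_keys
# that validates SSH_ORIGINAL_COMMAND instead of interpolating it.
# Install as /usr/local/bin/restricted-sh (assumed path) and reference it
# with command="/usr/local/bin/restricted-sh" in front of the key.

# Map the client's requested command to the argv that will actually run.
# Prints one argv word per line; prints nothing and returns 1 when refused.
# Only exact matches are accepted, so "backup; id" or "nc -l 4444" fall
# through to the refusal branch.  Kept apart from the exec so it can be
# tested without an SSH session.
restricted_dispatch() {   # $1 = contents of SSH_ORIGINAL_COMMAND
  case "$1" in
    backup)
      printf '%s\n' /root/bin/backupcmd ;;          # path from slide 18
    status)
      printf '%s\n' uptime ;;
    "nc 127.0.0.1 3306")
      # the one use of nc this key is for: arguments fixed here, not taken
      # from the client (assumed target: a local MySQL port)
      printf '%s\n' /bin/nc 127.0.0.1 3306 ;;
    *)
      return 1 ;;                                   # includes "" (no command)
  esac
}

# Log the request, then exec the allowed argv or fail closed.
restricted_main() {
  client=${SSH_CLIENT%% *}                          # source address of the session
  logger -t restricted-sh "from=${client:-?} cmd=${SSH_ORIGINAL_COMMAND:-<none>}" 2>/dev/null
  argv=$(restricted_dispatch "${SSH_ORIGINAL_COMMAND:-}") || {
    echo "restricted-sh: command not allowed" >&2
    exit 127
  }
  IFS='
'                                                   # split argv on newlines only
  set -f                                            # no globbing of the words
  # shellcheck disable=SC2086
  exec $argv
}

# Act as the forced command only when installed under that name, so the
# functions above can be sourced and tested elsewhere.
case "$0" in
  */restricted-sh|restricted-sh) restricted_main ;;
esac
```

With the wrapper in place the key options still matter: no-pty, no-port-forwarding and no-X11-forwarding close the channels that bypass the command entirely, and OpenSSH 7.2 and later can replace that list with the single option restrict, which turns everything off by default.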
  21. OpenSSH-lpk
     - the OpenSSH-lpk patch makes sshd look up users' public keys on an LDAP server
  22. factotum
     - a contribution from the world of the Plan 9 operating system