Differences
Below are the differences between two revisions of the page.
systemes:linux:ssh [2016/01/28 18:44] pam [3. Using keys]
systemes:linux:ssh [2019/02/06 14:03]
====== SSH ======
===== Introduction =====
In this document, I explain a few of the possibilities of

====== 1. Basic configuration and security changes ======
The server configuration is in /
The client configuration is in /

=====1. To prevent brute-force attacks, you must change the port of=====
To change the port of

<code bash>
#Package generated configuration file
#See the sshd_config(5) manpage for details
#What ports, IPs and protocols we listen for

Port 22222
…</code>

Connection attempt to the server:

<code bash>
OpenSSH_6.2p2,
debug1: Reading configuration data /
debug1: /
debug1: /
debug1: Connecting to 10.203.22.220 [10.203.22.220] port 22222.
debug1: Connection established.
…
</code>

=====2. The root account exists on every system worth the name, which makes it an easy target.=====
To forbid root login, set the **PermitRootLogin** parameter to no

Connection attempt to the server:

<code bash>
…
root@10.203.22.220'
debug1: Authentications that can continue: public key,
Permission denied, please try again.
</code>

=====3. Remove the ability to log in without a password.=====
To forbid logins with an empty password, set the **PermitEmptyPasswords** parameter to no

=====4. Limit the time of=====
To change the time of

=====5. Limit the number of password attempts to 2.=====
To change the number of attempts, set the **MaxAuthTries** parameter to 3

<code bash>
root@10.203.22.220'
debug1: Authentications that can continue: public key,
Permission denied, please try again.
root@10.203.22.220'
Received disconnect from 10.203.22.220:
</code>

=====6. Isolate a user in a chroot.=====
I create a directory for the

<code bash>
</code>

<code bash>
17:24:19 root@sshtp:
</code>

Copy the following files into the chroot:

/
/etc/passwd
/etc/group

Connection:

<code bash>
Password:

Linux sshtp 3.2.0-4-amd64 #1 SMP Debian 3.2.63-2+deb7u1 x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

Last login: Mon Feb 9 17:29:08 2015 from 10.203.22.6
$ ls
bin  boot  dev  etc  home  lib  lib64  media  mnt  opt  proc  root  run  sbin  selinux  srv  sys  tmp  usr  var
$ pwd
/
$ uname -a
Linux sshtp 3.2.0-4-amd64 #1 SMP Debian 3.2.63-2+deb7u1 x86_64 GNU/Linux
</code>

====== 2. Fingerprints ======
SSH checks that the

=====1. On the client, the file of=====
At each connection, we get this message

<code bash>
...
The authenticity of host '
ECDSA key fingerprint is b0:
Are you sure you want to continue connecting (yes/no)?
</code>

The
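As an added example (my code, not the wiki page's), the POSIX shell script below inspects a client known_hosts file of the kind that the prompt above fills in. It lists the keys stored for a host, including the `[host]:port` form that the client records when the server listens on a non-default port such as the 22222 used in section 1, and it flags a host recorded with two different keys of the same type, which is the situation behind a host-key-changed warning. The sample file is constructed and every key blob in it is a placeholder, not a real key.

```shell
#!/bin/sh
# Added example, not code from the wiki page: inspect a client known_hosts
# file. The sample file and every key blob below are constructed.
set -eu

# Print "TYPE KEY" for every entry whose host list contains NAME exactly
# (an alias list is comma-separated). Marker lines (@cert-authority,
# @revoked) and hashed entries (|1|salt|hash) are skipped: the former are
# not plain host keys, the latter do not reveal the host name.
known_hosts_keys() {  # known_hosts_keys FILE NAME
    awk -v host="$2" '
        /^[ \t]*#/ || NF < 3 || $1 ~ /^@/ || $1 ~ /^\|1\|/ { next }
        {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++)
                if (names[i] == host) { print $2, $3; break }
        }
    ' "$1"
}

# Print "HOST TYPE" for each (host, key type) pair recorded with more than
# one distinct key. A host legitimately has one key per type, so two
# different keys of the same type mean the stored key is stale or the
# server is not the one seen before; either way it deserves a look.
known_hosts_conflicts() {  # known_hosts_conflicts FILE
    awk '
        /^[ \t]*#/ || NF < 3 || $1 ~ /^@/ || $1 ~ /^\|1\|/ { next }
        {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++) {
                k = names[i] SUBSEP $2
                if (!(k in first)) first[k] = $3
                else if (first[k] != $3) conflict[k] = 1
            }
        }
        END { for (k in conflict) { split(k, p, SUBSEP); print p[1], p[2] } }
    ' "$1" | sort
}

# Number of hashed entries, which the checks above cannot attribute to a host.
known_hosts_hashed_count() {  # known_hosts_hashed_count FILE
    grep -c '^|1|' "$1" || true
}

# Constructed sample file (temporary, removed on exit).
KNOWN_HOSTS=$(mktemp)
trap 'rm -f "$KNOWN_HOSTS"' EXIT
cat >"$KNOWN_HOSTS" <<'EOF'
# constructed sample; the port suffix appears because sshd listens on 22222
[10.203.22.220]:22222,[sshtp]:22222 ecdsa-sha2-nistp256 AAAAE2VjZHNh_CONSTRUCTED_KEY_1
# same host and type recorded later with a different key: conflict
[10.203.22.220]:22222 ecdsa-sha2-nistp256 AAAAE2VjZHNh_CONSTRUCTED_KEY_2
# a second key type for the same host is normal, not a conflict
[10.203.22.220]:22222 ssh-ed25519 AAAAC3NzaC1l_CONSTRUCTED_KEY_3
10.203.22.204 ssh-rsa AAAAB3NzaC1y_CONSTRUCTED_KEY_4
# hashed entry: the host name cannot be recovered from the file
|1|SALT_CONSTRUCTED=|HASH_CONSTRUCTED= ssh-ed25519 AAAAC3NzaC1l_CONSTRUCTED_KEY_5
EOF

echo "== keys stored for [10.203.22.220]:22222 =="
known_hosts_keys "$KNOWN_HOSTS" "[10.203.22.220]:22222"
echo "== hosts with conflicting keys of one type =="
known_hosts_conflicts "$KNOWN_HOSTS"
echo "== hashed entries not checked: $(known_hosts_hashed_count "$KNOWN_HOSTS") =="
```

On a real client, `ssh-keygen -F '[10.203.22.220]:22222'` performs the same lookup and also matches hashed entries; the script above only shows what the file format makes visible, so a conflict it reports should be resolved by comparing the fingerprint with one obtained from the server's administrator, not by deleting the line and accepting whatever key is offered next.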

====== 3. Using keys ======
Keys are certainly the best connection solution to date. They work as a pair (1 private key and 1 public key)

=====1. Generate a key pair with ssh-keygen without a passphrase.=====
<code bash>
Generating public/
Enter file in which to save the key (/
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /
Your public key has been saved in /
The key fingerprint is:
df:
The key's random art image is:

+--[ RSA 2048]----+
| |
| |
| |
| .o |
| .Soo |
| .o=+.. |
| .ooO=o.. |
| == =o. |
| =+E |
+-----------------+
</code>

We now have, in the home directory, the files containing the public key and the private key.

=====2. Transfer the key to the server using the ssh method.=====
<code bash>
The authenticity of host '
ECDSA key fingerprint is b0:
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '
root@10.203.22.220'
Now try logging into the machine, with "ssh '
~/
to make sure we haven'
</code>


=====3. Restrict the server so that it=====
To only

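As an added example (my code, not the wiki page's), the POSIX shell script below audits an sshd_config file against the settings this page changes: Port (section 1.1), PermitRootLogin (1.2), PermitEmptyPasswords (1.3), LoginGraceTime (1.4), MaxAuthTries (1.5) and, for the key-only server of section 3.3, PasswordAuthentication. Two configurations are constructed inline. The limit of 30 seconds for LoginGraceTime and the reading of section 3.3 as `PasswordAuthentication no` are my assumptions; the limit of 3 for MaxAuthTries is the value the page sets.

```shell
#!/bin/sh
# Added example, not code from the wiki page: audit an sshd_config file
# against the settings discussed in sections 1.1-1.5 and 3.3.
# Assumptions (mine): LoginGraceTime above 30 s is reported, and
# section 3.3 is taken to mean PasswordAuthentication no.
set -eu

# Print the effective value of KEYWORD in FILE, or DEFAULT if it is unset.
# sshd keeps the FIRST occurrence of a directive and ignores later ones,
# keywords are case-insensitive, and lines inside a Match block only
# apply conditionally, so reading stops at the first Match line.
sshd_get() {  # sshd_get FILE KEYWORD DEFAULT
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ || NF == 0       { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) {
            $1 = ""; sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "")
            print; found = 1; exit
        }
        END { if (!found) print def }
    ' "$1"
}

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Report each weak setting on its own line; prints nothing if all pass.
audit_sshd_config() {  # audit_sshd_config FILE
    f=$1
    v=$(sshd_get "$f" Port 22)
    [ "$v" != 22 ] || echo "Port: still the default 22 (section 1.1 moves it)"

    # "yes" was the default in the OpenSSH 6.x versions shown on this page;
    # OpenSSH 7.0 and later default to prohibit-password.
    v=$(sshd_get "$f" PermitRootLogin yes)
    [ "$(lc "$v")" = no ] || echo "PermitRootLogin: $v (section 1.2 wants no)"

    v=$(sshd_get "$f" PermitEmptyPasswords no)
    [ "$(lc "$v")" = no ] || echo "PermitEmptyPasswords: $v (section 1.3 wants no)"

    v=$(sshd_get "$f" LoginGraceTime 120)
    case $v in
        *[!0-9]*) echo "LoginGraceTime: '$v' is not a plain number of seconds, check by hand" ;;
        *) [ "$v" -le 30 ] || echo "LoginGraceTime: $v s (assumed limit 30 s, section 1.4)" ;;
    esac

    v=$(sshd_get "$f" MaxAuthTries 6)
    case $v in
        *[!0-9]*) echo "MaxAuthTries: '$v' is not a number, check by hand" ;;
        *) [ "$v" -le 3 ] || echo "MaxAuthTries: $v (section 1.5 sets 3)" ;;
    esac

    v=$(sshd_get "$f" PasswordAuthentication yes)
    [ "$(lc "$v")" = no ] || echo "PasswordAuthentication: $v (key-only login, section 3.3)"
}

# Constructed sample files (temporary, removed on exit), not a real server's.
WEAK_CFG=$(mktemp)
HARDENED_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARDENED_CFG"' EXIT
cat >"$WEAK_CFG" <<'EOF'
Port 22
PermitRootLogin yes
# sshd keeps the first PermitRootLogin above; this later line is ignored
PermitRootLogin no
PermitEmptyPasswords yes
LoginGraceTime 2m
MaxAuthTries 6
Match User backup
    PasswordAuthentication no
EOF
cat >"$HARDENED_CFG" <<'EOF'
Port 22222
PermitRootLogin no
PermitEmptyPasswords no
LoginGraceTime 30
MaxAuthTries 3
PasswordAuthentication no
PubkeyAuthentication yes
EOF

echo "== weak =="
audit_sshd_config "$WEAK_CFG"
echo "== hardened =="
audit_sshd_config "$HARDENED_CFG"
```

The weak file shows the two traps the script is built around: a `PermitRootLogin no` placed after an earlier `PermitRootLogin yes` is silently ignored, and a `PasswordAuthentication no` inside a `Match` block does not harden the global default. On a real host, `sshd -T` prints the effective configuration after all of these rules are applied and is the authoritative check; the script only reproduces the first-occurrence rule on a file you can inspect offline.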

=====4. Change the private key so that it=====
<code bash>
Key has comment '
Enter new passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved with the new passphrase.
</code>

Connection attempt:
<code bash>
...
debug1: key_parse_private_pem:
debug1: read PEM private key done: type
Enter passphrase for key '/
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
Authenticated to 10.203.22.220 ([10.203.22.220]:
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG fr_FR.UTF-8
Last login: Mon Feb 9 11:20:32 2015 from 10.203.22.204
</code>

====== 4. Using the shell ======
=====1. Display the server's hostname without opening a remote shell.=====
<code bash>
Enter passphrase for key '/
sshtp
</code>

=====2. Three different examples of=====
<code bash>
Enter passphrase for key '/
127.0.1.1 sshtp
12:46:14 root@lisa:
Enter passphrase for key '/
PING 127.0.1.1 (127.0.1.1) 56(84) bytes of data.
64 bytes from 127.0.1.1:

13:13:27 root@lisa root@lisa:
</code>

====== 5. File transfers ======
=====1. Transfer a file using SCP.=====
<code bash>
Enter passphrase for key '/
testSCP                                       100% 2470     2.4KB/s   00:00
</code>

=====2. Transfer a file between two remote machines via SCP.=====
Two possible commands

<code bash>
</code>
or

<code bash>
</code>

=====3. Transfer a file using SFTP.=====
<code bash>
Connected to 10.203.22.220.
sftp> ls
bck_02-09-15.tar.gz  fileTest  fileTiti  fileToto  testSCP
sftp> get fileTiti
Fetching /
sftp> ^D

13:32:27 root@lisa:
total 52
drwx------  5 root root  4096 févr.  9 13:32 .
drwxr-xr-x 23 root root  4096 nov.  18 15:19 ..
drwx------  2 root root  4096 nov.  18 15:27 .aptitude
-rw-------  1 root root 11106 févr.  9 13:24 .bash_history
-rw-r--r--  1 root root  3114 déc.   1 11:25 .bashrc
drwx------  3 root root  4096 févr.  4 14:10 .config
-rw-r--r--  1 root root     0 févr.  9 13:32 fileTiti
-rw-r--r--  1 root root   140 nov.  19  2007 .profile
drwxr-xr-x  2 root root  4096 févr.  9 11:09 .ssh
-rw-r--r--  1 root root  2470 févr.  9 13:16 testSCP
-rw-------  1 root root  6170 févr.  9 13:16 .viminfo
</code>

=====4. Set up an SSHFS mount point.=====
On the server:

<code bash>
</code>

On the client

<code bash>
13:35:04 root@lisa:
13:35:36 root@lisa:
13:36:18 root@lisa:
</code>

Contents on the server:

<code bash>
total 8
drwxr-xr-x 2 root root 4096 févr. 9 13:36 .
drwxr-xr-x 4 root root 4096 févr. 9 13:33 ..
-rw-r--r-- 1 root root    0 févr. 9 13:36 grosTest
</code>

=====5. Perform file transfers with the=====
With rsync, you can easily make backups; it avoids downloading the whole backup content every day, since it checks the

rsync must be installed on both hosts.

<code bash>
</code>

<code bash>
sending incremental file list
./
.bash_logout
.bashrc
.profile

sent 2254 bytes  received 72 bytes  4652.00 bytes/sec
total size is 4287  speedup is 1.84
</code>

<code bash>
total 20
drwxr-xr-x 2 test test 4096 nov. 18 15:41 .
drwxr-xr-x 3 root root 4096 févr. 9 13:41 ..
-rw-r--r-- 1 test test  220 nov. 18 15:41 .bash_logout
-rw-r--r-- 1 test test 3392 nov. 18 15:41 .bashrc
-rw-r--r-- 1 test test  675 nov. 18 15:41 .profile
</code>

====== 6. Tunneling ======

It is possible to do tunneling over ssh
We open a shell on the client

<code bash>
</code>

=====1. Set up a SOCKS proxy via the SSH client and the=====

<code bash>
…
debug1: Authentication succeeded (public key).
Authenticated to 10.203.22.204 ([10.203.22.204]:
debug1: Local connections to LOCALHOST:
debug1: Local forwarding listening on 127.0.0.1 port 1080.
debug1: channel 0: new [port listener]
debug1: Local forwarding listening on ::1 port 1080.
debug1: channel 1: new [port listener]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
</code>

In the Firefox browser, SOCKS proxy 127.0.0.1:

ssh log:

<code bash>
debug1: channel 2: new [dynamic-tcpip]
debug1: Connection to port 1080 forwarding to socks port 0 requested.
debug1: channel 3: new [dynamic-tcpip]
debug1: channel 2: free:
debug1: Connection to port 1080 forwarding to socks port 0 requested.
debug1: channel 2: new [dynamic-tcpip]
debug1: Connection to port 1080 forwarding to socks port 0 requested.
debug1: channel 4: new [dynamic-tcpip]
debug1: Connection to port 1080 forwarding to socks port 0 requested.
debug1: channel 5: new [dynamic-tcpip]
debug1: Connection to port 1080 forwarding to socks port 0 requested.
debug1: channel 6: new [dynamic-tcpip]
debug1: Connection to port 1080 forwarding to socks port 0 requested.
debug1: channel 7: new [dynamic-tcpip]
</code>

=====2. Set up a tun-type interface between the SSH client and server.=====
IP forwarding and PermitTunnel must be enabled

**Machine 1:**

<code bash>
Last login: Mon Feb 9 14:47:09 2015 from 10.203.22.204
14:48:24 root@sshtp:
1: lo: <
    link/
2: eth0: <
    link/
3: tun0: <
    link/none

14:48:26 root@sshtp:
14:49:27 root@sshtp:
14:49:48 root@sshtp:
14:50:30 root@sshtp:

14:51:43 root@sshtp:
1: lo: <
    link/
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <
    link/
    inet 10.203.22.220/
    inet6 fe80::
       valid_lft forever preferred_lft forever
3: tun0: <
    link/none
    inet 192.168.22.220/

14:52:16 root@sshtp:
default via 10.203.255.254 dev eth0
10.203.0.0/
192.168.22.0/
</code>
**Machine 2:**

<code bash>
14:53:18 root@lisa:
14:53:56 root@lisa:
14:54:29 root@lisa:
PING 192.168.22.220 (192.168.22.220) 56(84) bytes of data.
64 bytes from 192.168.22.220:
</code>

====== 7. X-Forwarding (10 min) ======
=====1. Use OpenSSH to display a remote application on your machine.=====
Install the x11-apps package for tests (xeyes, xman, xload, ...)

<code bash>

15:01:24 root@lisa:
</code>

For info, on my Mac, X11

- | [[systemes: |