
SSH

In this document I explain some uses of SSH: the user environment, tunneling, and the various ways of transferring files.

1. Basic configuration and security changes

The server configuration is in /etc/ssh/sshd_config. The client configuration is in /etc/ssh/ssh_config.

To change the listening port, set the Port parameter in sshd_config to the desired value:

10:01:23 root@sshtp:/etc/ssh# cat sshd_config
#Package generated configuration file
#See the sshd_config(5) manpage for details
#What ports, IPs and protocols we listen for
 
Port 22222

Connection attempt to the server:

10:02:45 William@MBPWx:~# ssh -vp 22222 root@10.203.22.220
OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: /etc/ssh_config line 53: Applying options for *
debug1: Connecting to 10.203.22.220 [10.203.22.220] port 22222.
debug1: Connection established.
…

To forbid root login, set the PermitRootLogin parameter to no.

Connection attempt to the server:

10:04:45 William@MBPWx:~# ssh -vp 22222 root@10.203.22.220
…
root@10.203.22.220's password:
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.

To forbid login with an empty password, set the PermitEmptyPasswords parameter to no.

To change the time allowed for authentication, change the value of the LoginGraceTime parameter.

To change the number of attempts, set the MaxAuthTries parameter to 3:

debug1: Next authentication method: password
root@10.203.22.220's password:
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
root@10.203.22.220's password:
Received disconnect from 10.203.22.220: 2: Too many authentication failures for root

I create a directory for the user and install a Debian base system into it:

10:38:38 root@sshtp:/etc/ssh# mkdir -p /data/ssh/share/test/
17:24:06 root@sshtp:~# apt-get install debootstrap
17:24:19 root@sshtp:~# debootstrap wheezy /data/ssh/share/test/ http://http.debian.net/debian/

Copy the following files into the chroot:

/etc/apt/sources.list /etc/passwd /etc/group

Connection:

17:31:10 William@MBPWx:~# ssh test@10.203.22.220
Password:
 
Linux sshtp 3.2.0-4-amd64 #1 SMP Debian 3.2.63-2+deb7u1 x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
 
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
 
Last login: Mon Feb  9 17:29:08 2015 from 10.203.22.6
$ ls
bin boot dev etc home lib lib64 media mnt opt proc root run sbin selinux srv sys tmp usr var
$ pwd
/
$ uname -a
Linux sshtp 3.2.0-4-amd64 #1 SMP Debian 3.2.63-2+deb7u1 x86_64 GNU/Linux

2. Fingerprints

SSH checks that the remote server's fingerprint has not changed between two connections.

When the host is not yet known, we get this message:

11:03:00 root@lisa:~# ssh -vp 22222 root@10.203.22.220
...
The authenticity of host '[10.203.22.220]:22222 ([10.203.22.220]:22222)' can't be established.
ECDSA key fingerprint is b0:e0:76:9d:c8:15:91:88:99:02:e9:cf:0c:4e:fb:c2.
Are you sure you want to continue connecting (yes/no)?

The fingerprint is not known, so the client asks whether we are sure about this connection; if we are, the fingerprint is saved in the known_hosts file. This way, if the server's fingerprint changes, the client notices and warns us; it also protects against connecting to the wrong server.

3. Using keys

Keys are certainly the best connection method to date. This works with a key pair (private and public).

11:07:20 root@lisa:~# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
df:42:d8:3e:e8:84:3f:dd:21:c6:e0:9e:49:cf:ac:fc root@lisa
The key's random art image is:
 
+--[ RSA 2048]----+
| |
| |
| |
| .o |
| .Soo |
| .o=+.. |
| .ooO=o.. |
| == =o. |
| =+E |
+-----------------+

We now have in the home directory the files containing the public key and the private key. The public key is copied to the server with ssh-copy-id:

11:15:09 root@lisa:~# ssh-copy-id -i .ssh/id_rsa.pub root@10.203.22.220
The authenticity of host '10.203.22.220 (10.203.22.220)' can't be established.
ECDSA key fingerprint is b0:e0:76:9d:c8:15:91:88:99:02:e9:cf:0c:4e:fb:c2.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.203.22.220' (ECDSA) to the list of known hosts.
root@10.203.22.220's password:
Now try logging into the machine, with "ssh 'root@10.203.22.220'", and check in:
~/.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.

To allow only key authentication, set the following 3 parameters in sshd_config:

ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
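As an added example (not from this page), a small POSIX shell audit that reads an sshd_config and reports which of the settings discussed in sections 1 and 3 (Port, PermitRootLogin, PermitEmptyPasswords, LoginGraceTime, MaxAuthTries, PasswordAuthentication, ChallengeResponseAuthentication, UsePAM) are still at a weak value. The sample file, the function names and the defaults assumed for missing keywords are my own assumptions.

```shell
#!/bin/sh
# Added audit helper, not from the wiki page. Handles the "Keyword value"
# form only and, like sshd, uses the first non-commented occurrence.

# write_sample_conf FILE: constructed sample with several weak settings
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not a real server's file
Port 22222
PermitRootLogin yes
#PermitEmptyPasswords no
LoginGraceTime 120
MaxAuthTries 6
PasswordAuthentication yes
UsePAM yes
EOF
}

# sshd_get FILE KEYWORD DEFAULT: effective value of KEYWORD (DEFAULT if unset)
sshd_get() {
    val=$(grep -i "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print $2}')
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# sshd_audit FILE: prints "keyword value OK|WEAK" per check and returns the
# number of WEAK settings (0 = everything matches the page's recommendations).
sshd_audit() {
    _conf=$1; weak=0
    chk() {  # chk KEYWORD ASSUMED_DEFAULT OPERATOR EXPECTED
        v=$(sshd_get "$_conf" "$1" "$2"); r=WEAK
        case $3 in
            eq) if [ "$v" = "$4" ]; then r=OK; fi ;;
            ne) if [ "$v" != "$4" ]; then r=OK; fi ;;
            le) if [ "$v" -le "$4" ] 2>/dev/null; then r=OK; fi ;;
        esac
        if [ "$r" = WEAK ]; then weak=$((weak + 1)); fi
        printf '%-32s %-8s %s\n' "$1" "$v" "$r"
    }
    chk Port 22 ne 22                       # non-default listening port
    chk PermitRootLogin yes ne yes          # root login disabled
    chk PermitEmptyPasswords no eq no
    chk LoginGraceTime 120 le 30            # shorter than the stock 120 s
    chk MaxAuthTries 6 le 3                 # the page sets 3
    chk PasswordAuthentication yes eq no    # keys only
    chk ChallengeResponseAuthentication yes eq no
    chk UsePAM no eq no
    return $weak
}
```

Run it as `sshd_audit /etc/ssh/sshd_config`; the exit status is the number of weak settings, so it can gate a deployment script.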

To add a passphrase to an existing private key:

11:21:59 root@lisa:~# ssh-keygen -p -f .ssh/id_rsa
Key has comment '.ssh/id_rsa'
Enter new passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved with the new passphrase.

Connection attempt:

11:22:25 root@lisa:~# ssh -v root@10.203.22.220
...
debug1: key_parse_private_pem: PEM_read_PrivateKey failed
debug1: read PEM private key done: type
Enter passphrase for key '/root/.ssh/id_rsa':
debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
Authenticated to 10.203.22.220 ([10.203.22.220]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG fr_FR.UTF-8
Last login: Mon Feb  9 11:20:32 2015 from 10.203.22.204

4. Using the shell (remote commands)

11:26:39 root@lisa:~# ssh root@10.203.22.220 hostname
Enter passphrase for key '/root/.ssh/id_rsa':
sshtp
12:37:47 root@lisa:~# ssh root@10.203.22.220 '(cat /etc/hosts | sed -s s/sshtop/sshtp/g > /tmp/testCMD); cat /tmp/testCMD' | grep sshtp
Enter passphrase for key '/root/.ssh/id_rsa':
127.0.1.1 sshtp
12:46:14 root@lisa:~# ssh root@10.203.22.220 '(cat /etc/hosts | grep ssh > /tmp/testCMD); cat /tmp/testCMD' | ping `awk '{print $1}'`
Enter passphrase for key '/root/.ssh/id_rsa':
PING 127.0.1.1 (127.0.1.1) 56(84) bytes of data.
64 bytes from 127.0.1.1: icmp_req=1 ttl=64 time=0.045 ms
 
13:13:27 root@lisa:~# DATE=`date +"%m-%d-%y"` ; ssh root@10.203.22.220 '(tar -zcvf bck_$DATE.tar.gz /data/ssh/ )' | scp root@10.203.22.220:/root/bck_$DATE.tar.gz ./

5. File transfers

13:16:53 root@lisa:~# scp ./testSCP root@10.203.22.220:/root
Enter passphrase for key '/root/.ssh/id_rsa':
testSCP 100% 2470 2.4KB/s 00:00

Two possible commands to copy a file between two remote hosts:

13:26:51 William@MBPWx:~# scp -3 root@10.203.22.204:/root/testSCP root@10.203.22.220:/root/

or

13:27:06 William@MBPWx:~# ssh root@10.203.22.204 '(scp ./testSCP root@10.203.22.220:/root/)'

With sftp:

13:31:49 root@lisa:~# sftp root@10.203.22.220
Connected to 10.203.22.220.
sftp> ls
bck_02-09-15.tar.gz fileTest fileTiti fileToto testSCP
sftp> get fileTiti
Fetching /root/fileTiti to fileTiti
sftp> ^D
 
13:32:27 root@lisa:~# ll
total 52
drwx------  5 root root  4096 févr.  9 13:32 .
drwxr-xr-x 23 root root  4096 nov.  18 15:19 ..
drwx------  2 root root  4096 nov.  18 15:27 .aptitude
-rw-------  1 root root 11106 févr.  9 13:24 .bash_history
-rw-r--r--  1 root root  3114 déc.   1 11:25 .bashrc
drwx------  3 root root  4096 févr.  4 14:10 .config
-rw-r--r--  1 root root     0 févr.  9 13:32 fileTiti
-rw-r--r--  1 root root   140 nov.  19  2007 .profile
drwxr-xr-x  2 root root  4096 févr.  9 11:09 .ssh
-rw-r--r--  1 root root  2470 févr.  9 13:16 testSCP
-rw-------  1 root root  6170 févr.  9 13:16 .viminfo

Mounting a remote directory with sshfs. On the server:

13:32:00 root@sshtp:~# mkdir /data/ssh/mount

On the client:

13:33:27 root@lisa:~# mkdir /mnt/sshfs/
13:35:04 root@lisa:~# apt-get install sshfs
13:35:36 root@lisa:~# sshfs root@10.203.22.220:/data/ssh/mount /mnt/sshfs/
13:36:18 root@lisa:~# touch /mnt/sshfs/grosTest

Contents on the server:

13:36:49 root@sshtp:~# ll /data/ssh/mount
total 8
drwxr-xr-x 2 root root 4096 févr.  9 13:36 .
drwxr-xr-x 4 root root 4096 févr.  9 13:33 ..
-rw-r--r-- 1 root root    0 févr.  9 13:36 grosTest

With rsync, backups are easy: there is no need to download the whole backup every day, since rsync compares the two sides and only transfers what has changed.

rsync must be installed on both hosts:

13:42:14 root@lisa:~# apt-get install rsync
13:43:27 root@lisa:~# rsync -avz -e ssh /home/test/ root@10.203.22.220:/data/bck/test/
sending incremental file list
./
.bash_logout
.bashrc
.profile
 
sent 2254 bytes  received 72 bytes  4652.00 bytes/sec
total size is 4287  speedup is 1.84
13:43:43 root@sshtp:~# ll /data/bck/test
total 20
drwxr-xr-x 2 test test 4096 nov. 18 15:41 .
drwxr-xr-x 3 root root 4096 févr. 9 13:41 ..
-rw-r--r-- 1 test test  220 nov. 18 15:41 .bash_logout
-rw-r--r-- 1 test test 3392 nov. 18 15:41 .bashrc
-rw-r--r-- 1 test test  675 nov. 18 15:41 .profile

6. Tunneling

It is possible to do tunneling over SSH: -L forwards a local port to a host:port reached through the server, and -D opens a local SOCKS proxy that sends all its connections through the server. We open a shell on the client:

13:57:13 root@sshtp:~# ssh -L 2080:10.203.22.204:80 root@10.203.22.204
14:15:50 William@MBPWx:~# ssh -nvNT -C -D 1080 root@10.203.22.204
…
debug1: Authentication succeeded (publickey).
Authenticated to 10.203.22.204 ([10.203.22.204]:22).
debug1: Local connections to LOCALHOST:1080 forwarded to remote address socks:0
debug1: Local forwarding listening on 127.0.0.1 port 1080.
debug1: channel 0: new [port listener]
debug1: Local forwarding listening on ::1 port 1080.
debug1: channel 1: new [port listener]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.

In Firefox, configure a SOCKS proxy at 127.0.0.1:1080.

SSH log:

debug1: Connection to port 1080 forwarding to socks port 0 requested.
debug1: channel 2: new [dynamic-tcpip]
debug1: Connection to port 1080 forwarding to socks port 0 requested.
debug1: channel 3: new [dynamic-tcpip]
debug1: channel 2: free: direct-tcpip: listening port 1080 for 176.34.131.233 port 443, connect from ::1 port 56416, nchannels 4
debug1: Connection to port 1080 forwarding to socks port 0 requested.
debug1: channel 2: new [dynamic-tcpip]
debug1: Connection to port 1080 forwarding to socks port 0 requested.
debug1: channel 4: new [dynamic-tcpip]
debug1: Connection to port 1080 forwarding to socks port 0 requested.
debug1: channel 5: new [dynamic-tcpip]
debug1: Connection to port 1080 forwarding to socks port 0 requested.
debug1: channel 6: new [dynamic-tcpip]
debug1: Connection to port 1080 forwarding to socks port 0 requested.
debug1: channel 7: new [dynamic-tcpip]

2. Set up a tun interface between the SSH client and the SSH server.

IP forwarding must be enabled on the system, and PermitTunnel in sshd_config.

Machine 1:

14:48:23 root@lisa:~# ssh -w 0:0 root@10.203.22.220
Last login: Mon Feb  9 14:47:09 2015 from 10.203.22.204
14:48:24 root@sshtp:~# ip l
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN mode DEFAULT
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT qlen 1000
    link/ether ae:44:27:2b:0e:c6 brd ff:ff:ff:ff:ff:ff
3: tun0: <POINTOPOINT,MULTICAST,NOARP> mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 500
    link/none
 
14:48:26 root@sshtp:~# ip l set up tun0 up
14:49:27 root@sshtp:~# ip a a 192.168.22.220/24 dev tun0
14:49:48 root@sshtp:~# ip r a 192.168.22.0/24 via 10.203.22.220 dev tun0
14:50:30 root@sshtp:~# ip l set up tun0 up
 
14:51:43 root@sshtp:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether ae:44:27:2b:0e:c6 brd ff:ff:ff:ff:ff:ff
    inet 10.203.22.220/16 brd 10.203.255.255 scope global eth0
    inet6 fe80::ac44:27ff:fe2b:ec6/64 scope link
       valid_lft forever preferred_lft forever
3: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 500
    link/none
    inet 192.168.22.220/24 scope global tun0
 
14:52:16 root@sshtp:~# ip r
default via 10.203.255.254 dev eth0
10.203.0.0/16 dev eth0 proto kernel scope link src 10.203.22.220
192.168.22.0/24 dev tun0 proto kernel scope link src 192.168.22.220

Machine 2:

14:52:57 root@lisa:~# ip l set up dev tun0
14:53:18 root@lisa:~# ip a a 192.168.22.204 dev tun0
14:53:56 root@lisa:~# ip r a 192.168.22.0/24 via 192.168.22.204 dev tun0
14:54:29 root@lisa:~# ping 192.168.22.220
PING 192.168.22.220 (192.168.22.220) 56(84) bytes of data.
64 bytes from 192.168.22.220: icmp_req=1 ttl=64 time=0.872 ms

7. X forwarding (10 min)

Install the x11-apps package for testing (xeyes, xman, xload, ...):

14:37:02 William@MBPWx:~# ssh -X root@10.203.22.204
 
15:01:24 root@lisa:~# xeyes

And on my Mac, X11 opens correctly without any further configuration.

Last modified: 2019/02/06 14:02