Welcome - 10/28/17

ALE - Atlanta Linux Enthusiasts

• http://ale.org/ - sign up for our email lists
  • General email list - ale
  • ALE Study Group list - ale-study
• Meetup.com Group (google "ale linux")
  https://www.meetup.com/ALE-Atlanta-Linux-Enthusiasts/

This is Our Last Session in 2017 @ KSU

Thanks for sticking around.

• ALE-NW Meets every Sunday @ 3pm - @ Harry's Pizza (Powers Ferry & I-285)
• ALE email lists
• Distro Forums

ssh is Amazing

ssh is enough for:

• secure remote CLI/shell access to systems with plain ssh
• secure remote access to files via sftp
• secure remote filesystem access via sshfs
• secure remote desktops via x2go - NX protocols

ssh is Amazing - more

ssh is enough for:

• secure remote file replication/backups - rsync/duplicity/rdiff-backup and many others (ssh is the default rsync protocol)
• secure port forwarding of selected ports (SOCKS5 proxy)
• secure remote editing with vim/gvim and other editors
• pseudo-VPN with sshuttle

ssh really is a Swiss Army knife for system to system connectivity and access.

Keeping ssh Simple Today

• Don't want to complicate things too much.
• The manpages go into more methods.
• K.I.S.S. will work.

ssh is a client/server system

• Clients - openssh-client, scp, sftp, rsync, most backup tools, sshfs, ssh-tunnel
• Server - openssh-server, openssh-sftp-server
• ssh meta-package includes clients for ssh, scp, sftp, and servers

You are the Key-Master

• ssh-keygen
• makes that default keys - many more options are possible
• ~/.ssh/ is where all things end-user for ssh are located
• set a password for end-user keys
• do not set a password for automatic processes (backups)

Push that Key to a Remote System

• ssh-copy-id userid@remotesrv
• More

Never type a password to access that system again.

ssh is Picky About Permissions

• ~/.ssh/ must be 700
• Most files inside ~/.ssh/ - 600
• ~/.ssh/id_rsa.pub can be 644

Files in ~/.ssh/

$ ll .ssh
total 1140
drwx------  2 jp jp    4096 Sep 18 15:09 ./
drwxr-xr-x 60 jp jp 1126400 Oct 28 02:21 ../
-rw-------  1 jp jp    2734 May 29  2016 authorized_keys
-rw-------  1 jp jp    1845 Sep 18 15:06 config
-rw-------  1 jp jp    1675 Aug 16  2012 id_rsa
-rw-r--r--  1 jp jp     390 Aug 16  2012 id_rsa.pub
-rw-------  1 jp jp    6088 Sep 18 15:09 known_hosts
-rw-------  1 jp jp    5866 Aug 10  2015 known_hosts.old

ssh into a Server

• ssh -p 64022 userid@server
• ssh -p 64022 userid@IP
• ssh might be picky about hostnames
  • ensure client and host know the hostname

Typing Different Userids, Ports, Odd Server Names / IP

• All those options get old, quick
• ~/.ssh/config - put the options in there!

host osmc
  hostname osmc
  user osmc
  port 22
host petes
  hostname 123.254.21.1
  user my435663
  port 2222

• $ ssh petes

Break!

Break - 5 minutes

Securing ssh Access

• NEVER use passwords over internet
• Non-standard port - keep logs cleaner
• sudo apt install fail2ban - more
• Block all access to ssh, except from specific places/IPs you KNOW need access
• tcp-wrappers
• Prevent remote root ssh access - PermitRootLogin no

Other ssh Commands

• scp - like rcp
• sftp - like ftp - Linux File Managers
• rsync - uses ssh by default for system-to-system
• rdiff-backup - and many other backup tools
• sshfs - remote mount storage
• WinSCP / FileZilla - other platforms
• Every networked OS has ssh/sftp clients

More on Rsync

• rsync [options] {source} {target}

$ rsync -avz --progress /etc/  remotesrv:/Backups/etc/

Non-trival rsync script to mirror directories:

#!/bin/bash 
EXCLUDES="--exclude .Trash-1000 --exclude lost+found --exclude ZCS-2012"
ionice rsync -av --stats --progress $EXCLUDES --delete /D/ /misc/b-D3/

sshfs

• Good for running scripts
• Good for music files
• sshfs {remote-location} {local-mount}
• sshfs userid@server ~/remote_mnt
• fusermount -u ~/remote_mnt
• Don't forget to exclude/umount before backups

tcp-wrappers for ssh/scp/sftp

• Many daemons support tcp-wrappers
• Old-school, still works well
• /etc/hosts.allow
• /etc/hosts.deny

tcp-wrappers examples

$ more /etc/hosts.deny
# by default, block everything except ssh
ALL: EXCEPT sshd 172.22.22.1-99




$ more /etc/hosts.allow
# Allow ssh and NFS stuff from subnet
sshd rpcbind mountd nfsd statd lockd rquotad : 172.22.22.1-99

GUIs for sftp / rsync

• Nautilus, Thunar, Caja
• WinSCP / FileZilla
• grsync - like synctool

Troubleshooting ssh

• Verify Server is running - ps -eaf | grep sshd
• Verify firewall isn't blocking it - sudo ufw status
• Verify ping works
• Check file permissions in ~/.ssh/ on Client AND Srv
• Check the Logs
  • ssh - vvvv - client-side verbosity
  • server-side logs

more

Remote Applications

• ssh -X userid@server "xterm -sb" &
• Not practical over WAN/Internet
• A better solutions for WAN ...

Remote Desktop - x2go

• NX protocol - Uses ssh tunnel
• Efficient remote desktop - 2-3x better than VNC or RDP
• Only works with Linux servers
• Clients for Windows, Linux, OSX - no iOS/Android
• Use the PPA for installing

x2go - Server Install

Setup ssh-server first.

sudo add-apt-repository ppa:x2go/stable
sudo apt-get update
sudo apt-get install x2goserver x2goserver-xsession

x2go - Client Install

More detailed instructions
Setup ssh-client first.

sudo add-apt-repository ppa:x2go/stable
sudo apt-get update
sudo apt-get install x2goclient

Windows needs the normal setup.exe stuff. Be certain to install the extra Fonts on Windows.

Tuning x2go

• Use Light DE - LXDE, XFCE, Mate
• Disable printing, audio at first
• Tweak the Bandwidth - ISDN if unsure
• Use higher image compression
• Should get good performance even from different continents.
• No video off the LAN. Poor video performance on LAN.

SOCKS Proxy

• Poor man's VPN
• Access internal-only Services
• Plex Media Server is a good example
  • Remote desktops not good for video
  • File access for local playback

SOCKS Proxy Script

$ more ~/bin/fireproxy-home.sh 
#!/bin/bash

# Only start SOCKS proxy if necessary
if  [ $(ps -eaf |grep ssh |grep -c 64000) = 0 ] ; then
   # Setup SOCKS proxy through home server
   echo "Starting ssh SOCKS Proxy"
   ssh -f -C -D 64000 your-server.example.com -NT 
fi 

# Star private firejail with chromium, going through 
# just setup SOCKS proxy
echo "Starting Firejail chromium with private & proxy "
export http_proxy="socks5://localhost:64000"; 
firejail --private chromium-browser \
         --proxy-server="socks5://localhost:64000" &

Thanks / Feedback

• Thanks for coming.
• Please let us know how we are doing.
• Slides are here:
• lpi.jdpfu.com/2017-Fall/
• Email - DJPfulio - at - jdpfu.com

blog.jdpfu.com