Welcome - 10/28/17
SSH - START TO FINISH

ALE - Atlanta Linux Enthusiasts - http://ale.org/
- sign up for our email lists
  - General email list - ale
  - ALE Study Group list - ale-study
- Meetup.com Group (google "ale linux")
  https://www.meetup.com/ALE-Atlanta-Linux-Enthusiasts/

THANKS FOR COMING OUT!
We are volunteers. Just some guys trying to spread Linux knowledge.
This is Our Last Session in 2017 @ KSU. Thanks for sticking around.
- ALE-NW meets every Sunday @ 3pm @ Harry's Pizza (Powers Ferry & I-285)
- ALE email lists
- Distro Forums

ssh is Amazing
ssh is enough for:
- secure remote CLI/shell access to systems with plain ssh
- secure remote access to files via SFTP
- secure remote filesystem access via SSHFS
- secure remote desktops via X2GO (NX protocol, carried over ssh)

ssh is Amazing - more
ssh is enough for:
- secure remote file replication/backups - rsync/duplicity/rdiff-backup and many others (ssh is the default rsync transport)
- secure port forwarding of selected ports (-L / -R) and a SOCKS5 proxy (-D)
- secure remote editing with vim/gvim and other editors
- pseudo-VPN with sshuttle
ssh really is a Swiss Army knife for system-to-system connectivity and access.

Keeping ssh Simple Today
- Don't want to complicate things too much.
- The manpages go into more methods.
- K.I.S.S. will work.

ssh is a client/server system
- Clients - openssh-client (ssh, scp, sftp), rsync, most backup tools, sshfs, ssh tunnels
- Server - openssh-server, openssh-sftp-server
- the ssh meta-package pulls in both the clients (ssh, scp, sftp) and the server

You are the Key-Master
- ssh-keygen - makes a key pair of the default type (RSA on OpenSSH of this vintage)
- ssh-keygen -t ed25519 - makes an Ed25519 key pair: smaller, faster, and the better choice wherever both ends support it
- many more options are possible
- ~/.ssh/ is where all the end-user ssh files live
- set a passphrase on keys that people use interactively
- leave the passphrase empty for keys used by unattended processes (backups); then restrict what that key may do on the server with authorized_keys options (from=, command=), so a stolen key is good for that one job only

Push that Key to a Remote System
- ssh-copy-id userid@remotesrv or
- ssh-copy-id -i ~/.ssh/id_ed25519.pub userid@remotesrv
- Never type the account password to access that system again. (The key's passphrase is still asked for, unless ssh-agent is holding the key.)
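The key push and the permission rules that follow it, as an added example (not the presenter's code): a shell function that does what ssh-copy-id does on the remote end, by hand, so the 700/600 rules and the "append exactly once" behaviour are visible, plus the authorized_keys options that pin a passphrase-less backup key to one client and one command. The directory layout, the two key lines and the /usr/bin/rrsync path in the demo are constructed for the example.

```bash
#!/bin/bash
# Added example, not from the ALE slides: what ssh-copy-id does on the
# remote end, done by hand so the ~/.ssh permission rules are visible.
#   install_pubkey PUBKEY_FILE HOME_DIR [AUTHORIZED_KEYS_OPTIONS]
# appends the key to HOME_DIR/.ssh/authorized_keys exactly once, with an
# optional options prefix (from=, command=, restrict) for automation keys.
set -u

install_pubkey() {
    pub="$1"; home="$2"; opts="${3:-}"
    sshdir="$home/.ssh"
    auth="$sshdir/authorized_keys"

    # Accept exactly one OpenSSH public-key line (types known to OpenSSH 7.x).
    if [ "$(grep -c '' "$pub")" -ne 1 ] ||
       ! grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|ssh-dss) [A-Za-z0-9+/]+=*( |$)' "$pub"; then
        echo "install_pubkey: $pub is not a single public-key line" >&2
        return 1
    fi

    umask 077                       # anything created below is 700/600
    mkdir -p "$sshdir"
    touch "$auth"
    # sshd (StrictModes yes, the default) ignores authorized_keys when it,
    # ~/.ssh or the home directory is writable by group or other.
    chmod 700 "$sshdir"
    chmod 600 "$auth"

    # Idempotent: the base64 blob identifies the key; the comment field and
    # the options may differ between runs without creating a duplicate.
    blob="$(awk '{print $2}' "$pub")"
    if grep -qF -- "$blob" "$auth"; then
        return 0
    fi
    line="$(cat "$pub")"
    [ -n "$opts" ] && line="$opts $line"
    printf '%s\n' "$line" >> "$auth"
}

# Constructed demo: the two "keys" are base64-looking filler, not real keys,
# and /usr/bin/rrsync is an assumed install location for rsync's rrsync helper.
demo() {
    tmp="$(mktemp -d)"
    printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDemoNotARealKeyDemoNotARealKeyDemo jp@laptop' \
        > "$tmp/id_ed25519.pub"
    printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDemoNotARealKeyDemoNotARealKey backup@nas' \
        > "$tmp/id_backup.pub"

    # Interactive key: pushed twice, stored once.
    install_pubkey "$tmp/id_ed25519.pub" "$tmp/home" || return 1
    install_pubkey "$tmp/id_ed25519.pub" "$tmp/home" || return 1
    # Passphrase-less backup key: pinned to one client IP and one command
    # (restrict needs OpenSSH 7.2 or newer), as the talk suggests for backups.
    install_pubkey "$tmp/id_backup.pub" "$tmp/home" \
        'restrict,from="172.22.22.5",command="/usr/bin/rrsync -ro /Backups"' || return 1
    echo "$tmp"
}

# Usage: d=$(demo); cat "$d/home/.ssh/authorized_keys"; ls -la "$d/home/.ssh"
if [ "${1:-}" = demo ]; then demo; fi
```

Run it with `demo` as the argument and compare the resulting `ls -la` with the permissions slide: the directory is 700 and authorized_keys is 600 regardless of the caller's umask, and the second push of the same key did not add a second line.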
ssh is Picky About Permissions
- ~/.ssh/ must be 700
- Most files inside ~/.ssh/ - 600
- ~/.ssh/id_rsa.pub (any *.pub) can be 644
- the same rule applies on the server: with the default StrictModes yes, sshd silently ignores authorized_keys when it, ~/.ssh/ or the home directory is writable by group or other - key auth "just stops working" with no error on the client

Files in ~/.ssh/
$ ll .ssh
total 1140
drwx------  2 jp jp    4096 Sep 18 15:09 ./
drwxr-xr-x 60 jp jp 1126400 Oct 28 02:21 ../
-rw-------  1 jp jp    2734 May 29  2016 authorized_keys
-rw-------  1 jp jp    1845 Sep 18 15:06 config
-rw-------  1 jp jp    1675 Aug 16  2012 id_rsa
-rw-r--r--  1 jp jp     390 Aug 16  2012 id_rsa.pub
-rw-------  1 jp jp    6088 Sep 18 15:09 known_hosts
-rw-------  1 jp jp    5866 Aug 10  2015 known_hosts.old

ssh into a Server
- ssh -p 64022 userid@server
- ssh -p 64022 userid@IP
- ssh can be picky (or just slow) about hostnames - make sure the client can resolve the server's name and the server can resolve the client's, or use IPs

Typing Different Userids, Ports, Odd Server Names / IP
- All those options get old, quick
- ~/.ssh/config - put the options in there!

Host osmc
    HostName osmc
    User osmc
    Port 22

Host petes
    HostName 123.254.21.1
    User my435663
    Port 2222

- $ ssh petes

Break!
Break - 5 minutes

Securing ssh Access
- NEVER use passwords over the internet - PasswordAuthentication no in /etc/ssh/sshd_config (and ChallengeResponseAuthentication no, otherwise PAM still gets to prompt for one)
- Non-standard port - keeps the logs cleaner; that is tidiness, not protection
- sudo apt install fail2ban
- Block all access to ssh, except from specific places/IPs you KNOW need access - firewall rules or tcp-wrappers
- Prevent remote root ssh access - PermitRootLogin no

Other ssh Commands
- scp - like rcp
- sftp - like ftp
- Linux File Managers
- rsync - uses ssh by default for system-to-system copies
- rdiff-backup - and many other backup tools
- sshfs - remote mount storage
- WinSCP / FileZilla - other platforms
- Every networked OS has ssh/sftp clients

More on Rsync
- rsync [options] {source} {target}
$ rsync -avz --progress /etc/ remotesrv:/Backups/etc/
- the trailing slash matters: /etc/ copies the contents of /etc into the target, /etc (no slash) creates a target/etc subdirectory

Non-trivial rsync script to mirror directories:

#!/bin/bash
# Mirror /D/ into /misc/b-D3/, leaving out things that should not be backed up.
# $EXCLUDES is deliberately unquoted so it expands into separate arguments.
EXCLUDES="--exclude .Trash-1000 --exclude lost+found --exclude ZCS-2012"
# ionice runs rsync in the best-effort I/O class so the desktop stays usable
# (use "ionice -c 3" for the idle class if the backup may take all day).
# --delete makes the target a true mirror: files removed from /D/ are removed
# from the target too, so get the source/target order right.
ionice rsync -av --stats --progress $EXCLUDES --delete /D/ /misc/b-D3/

sshfs
- Good for running scripts
- Good for music files
- sshfs {remote-location} {local-mount}
- sshfs userid@server ~/remote_mnt
- fusermount -u ~/remote_mnt
- Don't forget to
  exclude/umount before backups

tcp-wrappers for ssh/scp/sftp
- Many daemons support tcp-wrappers
- Old-school, still works well - where it is still compiled in: upstream OpenSSH dropped libwrap in 6.7 and distro packages carried it for a while, so check with ldd $(which sshd) | grep libwrap before relying on it (sshd's own Match Address blocks, or the firewall, do the same job)
- /etc/hosts.allow
- /etc/hosts.deny

tcp-wrappers examples
$ more /etc/hosts.deny
# deny everything that hosts.allow did not already let in
ALL: ALL
$ more /etc/hosts.allow
# Allow ssh and NFS stuff from the lab subnet
sshd rpcbind mountd nfsd statd lockd rquotad : 172.22.22.0/255.255.255.0
hosts.allow is checked first and a match there wins; hosts.deny is only consulted for what hosts.allow did not match. hosts_access(5) matches clients by address prefix, netmask or CIDR, not by hyphenated ranges, so a range like .1-.99 has to be listed host by host or widened to the subnet as above.

GUIs for sftp / rsync
- Nautilus, Thunar, Caja
- WinSCP / FileZilla
- grsync - like synctool

Troubleshooting ssh
- Verify the server is running - ps -eaf | grep sshd
- Verify the firewall isn't blocking it - sudo ufw status
- Verify ping works
- Check file permissions in ~/.ssh/ on the client AND the server
- Check the logs
  - client side - ssh -vvv (each v adds detail; three is the maximum)
  - server side - /var/log/auth.log or journalctl -u ssh on Debian/Ubuntu (the unit is sshd on Fedora/RHEL); a permissions problem shows up here, not on the client

Remote Applications
- ssh -X userid@server "xterm -sb" &
- -X is untrusted X11 forwarding; -Y is trusted, faster, and gives the remote programs full access to your X session (Debian/Ubuntu ship ForwardX11Trusted yes in /etc/ssh/ssh_config, which makes -X behave like -Y)
- Not practical over WAN/Internet
- A better solution for WAN ...

Remote Desktop - x2go
- NX protocol
- Uses an ssh tunnel
- Efficient remote desktop - 2-3x better than VNC or RDP in the presenter's experience
- Only works with Linux servers
- Clients for Windows, Linux, OSX - no iOS/Android
- Use the PPA for installing x2go

x2go - Server Install
Set up ssh-server first.
sudo add-apt-repository ppa:x2go/stable
sudo apt-get update
sudo apt-get install x2goserver x2goserver-xsession

x2go - Client Install
Set up ssh-client first.
sudo add-apt-repository ppa:x2go/stable
sudo apt-get update
sudo apt-get install x2goclient
Windows needs the normal setup.exe stuff. Be certain to install the extra Fonts on Windows.

Tuning x2go
- Use a light DE - LXDE, XFCE, Mate
- Disable printing and audio at first
- Tweak the bandwidth - ISDN if unsure
- Use higher image compression
- Should get good performance even from different continents.
- No video off the LAN. Poor video performance on LAN.
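A check for the "Securing ssh Access" settings, added here and not part of the slides: a shell function that reads an sshd_config the way sshd does (first occurrence of a keyword wins, comments ignored) and reports the settings the talk asks for, with a stock-looking file and the hardened version side by side. Both sample files are constructed for the example; the keyword names are OpenSSH 7.x ones.

```bash
#!/bin/bash
# Added example (not from the slides): audit an sshd_config for the
# "Securing ssh Access" points and show the weak and hardened settings
# side by side. Assumes OpenSSH 7.x keyword names.
set -u

# Print the effective value of KEY in FILE. sshd takes the FIRST occurrence
# of a keyword; commented lines are skipped. Match blocks are not handled,
# so on a live host 'sshd -T' remains the final word.
sshd_value() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == "match" { exit }      # stop at the first Match block
        tolower($1) == k { print $2; exit }
    ' "$1"
}

# One finding per line, nothing when the file passes. Exit 1 if weak.
audit_sshd_config() {
    f="$1"; n=0
    v="$(sshd_value "$f" PermitRootLogin)"
    if [ "$v" != "no" ]; then
        echo "PermitRootLogin is '${v:-unset}', want 'no'"; n=$((n+1))
    fi
    v="$(sshd_value "$f" PasswordAuthentication)"
    if [ "$v" != "no" ]; then
        echo "PasswordAuthentication is '${v:-unset (default yes)}', want 'no'"; n=$((n+1))
    fi
    # Keyboard-interactive via PAM is still a password prompt from outside.
    v="$(sshd_value "$f" ChallengeResponseAuthentication)"
    if [ "$v" != "no" ]; then
        echo "ChallengeResponseAuthentication is '${v:-unset (default yes)}', want 'no'"; n=$((n+1))
    fi
    v="$(sshd_value "$f" PubkeyAuthentication)"
    if [ "$v" = "no" ]; then
        echo "PubkeyAuthentication is 'no': nothing left but passwords"; n=$((n+1))
    fi
    v="$(sshd_value "$f" Port)"
    if [ "${v:-22}" = "22" ]; then
        echo "Port is 22: expect noisy logs (moving it is tidiness, not security)"; n=$((n+1))
    fi
    [ "$n" -eq 0 ]
}

# Constructed samples: the first loosely resembles a stock Debian/Ubuntu
# file, the second is the hardened version the talk recommends.
write_samples() {
    dir="$(mktemp -d)"
    cat > "$dir/stock" <<'EOF'
# stock-looking sshd_config (constructed)
#Port 22
PermitRootLogin prohibit-password
#PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
EOF
    cat > "$dir/hardened" <<'EOF'
# hardened sshd_config (constructed)
Port 64022
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
AllowUsers jp backup
EOF
    echo "$dir"
}

# Usage: audit_sshd_config /etc/ssh/sshd_config
#        d=$(write_samples); audit_sshd_config "$d/stock"; audit_sshd_config "$d/hardened"
if [ "${1:-}" = demo ]; then
    d="$(write_samples)"
    echo "== stock";    audit_sshd_config "$d/stock"    || true
    echo "== hardened"; audit_sshd_config "$d/hardened" && echo "ok"
fi
```

After editing the real file, `sshd -t` checks the syntax and `sshd -T` prints the effective configuration (including defaults and Match results), which is what this audit approximates; restart sshd only after `sshd -t` is clean, and keep the current session open until a fresh login with the key has been confirmed to work.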
SOCKS Proxy - Poor man's VPN
- Access internal-only services
- Plex Media Server is a good example
- Remote desktops are not good for video
- File access for local playback

SOCKS Proxy Script
$ more ~/bin/fireproxy-home.sh
#!/bin/bash
# Only start the SOCKS proxy if an ssh with our port is not already running
# (looks for "64000" among ssh processes; a stale ssh whose tunnel has died
# still matches, so kill it by hand if the browser cannot connect).
if [ $(ps -eaf | grep ssh | grep -c 64000) = 0 ] ; then
    # Set up a SOCKS proxy through the home server:
    # -f background, -C compress, -D dynamic (SOCKS) forward on local port 64000,
    # -N no remote command, -T no tty.
    echo "Starting ssh SOCKS Proxy"
    ssh -f -C -D 64000 your-server.example.com -NT
fi

# Start a private (throw-away profile) firejail with chromium, going through
# the SOCKS proxy just set up. http_proxy is exported for helper tools that
# honour it; chromium itself takes the proxy from --proxy-server.
echo "Starting Firejail chromium with private & proxy"
export http_proxy="socks5://localhost:64000"
firejail --private chromium-browser \
    --proxy-server="socks5://localhost:64000" &

Thanks / Feedback
- Thanks for coming.
- Please let us know how we are doing.
- Slides are here: lpi.jdpfu.com/2017-Fall/
- Email - DJPfulio - at - jdpfu.com
- blog.jdpfu.com
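A reworked version of the proxy script, added here and not the presenter's code: the "is it already running" test is done against the listening socket instead of grepping ps (a stale ssh whose tunnel has died still shows up in ps but no longer listens), the forward is bound to loopback explicitly, ssh is told to fail if the port is already taken, and Chromium is told to resolve names through the proxy so lookups do not leak to the local resolver. your-server.example.com and port 64000 are the talk's placeholders; the PROXY_HOST/PROXY_PORT variables are this example's own.

```bash
#!/bin/bash
# Added example, not the slide's script: same job, with the running check
# done on the socket, the -D bound to loopback, and DNS sent via the proxy.
# your-server.example.com and 64000 are placeholders, as in the talk.
set -u

PROXY_HOST="${PROXY_HOST:-your-server.example.com}"
PROXY_PORT="${PROXY_PORT:-64000}"

# True if something accepts TCP connections on HOST:PORT (bash /dev/tcp,
# no nc or ss needed). A stale ssh that lost its tunnel is NOT listening,
# which is exactly the case 'ps | grep' gets wrong.
port_open() {
    (exec 3<>"/dev/tcp/$1/$2") 2>/dev/null
}

# Unprivileged users cannot bind ports below 1024, so refuse them up front.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Start the SOCKS5 proxy once. ExitOnForwardFailure makes ssh exit non-zero
# if the -D port cannot be bound instead of staying up without the forward;
# ServerAliveInterval lets a dead link be noticed and the ssh exit.
socks_up() {
    valid_port "$PROXY_PORT" || { echo "bad port $PROXY_PORT" >&2; return 1; }
    if port_open 127.0.0.1 "$PROXY_PORT"; then
        echo "SOCKS proxy already listening on 127.0.0.1:$PROXY_PORT"
        return 0
    fi
    echo "Starting ssh SOCKS proxy via $PROXY_HOST"
    ssh -f -N -T -C \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 \
        -D "127.0.0.1:$PROXY_PORT" "$PROXY_HOST"
}

# Private (throw-away profile) Chromium that sends everything, including
# name lookups, through the proxy. Without --host-resolver-rules Chromium
# may still resolve names locally, which tells your ISP what you browse.
browse_via_proxy() {
    firejail --private chromium-browser \
        --proxy-server="socks5://127.0.0.1:$PROXY_PORT" \
        --host-resolver-rules="MAP * ~NOTFOUND , EXCLUDE localhost" &
}

# Usage: PROXY_HOST=petes ./fireproxy.sh start
if [ "${1:-}" = start ]; then
    socks_up && browse_via_proxy
fi
```

If all that is wanted is one internal service, a plain local forward does without SOCKS at all: `ssh -N -L 32400:localhost:32400 your-server.example.com` makes the home Plex server appear at http://localhost:32400 and nothing else is exposed to the browser.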