dropdown menu

NETWORK - SSH

SSH (SECURE SHELL)

SSH is sensitive to write permissions on home and ssh dirs. (Sometimes the solution can be if group and other write permissions are removed.) 

/etc/ssh/sshd_config                                     <-- at the beginning of the file shows the protocol version (1 or 2)
/usser_home_dir                                          <-- only owner has write permission (700 or 750 or 755)
/usser_home_dir/.ssh                                     <---right should be 700
/usser_home_dir/.ssh/id_dsa                              <-- right should be 600
/usser_home_dir/.ssh/authorized_keys                     <-- rights should be 600

If in sshd_config file: StrictModes yes, then sshd will check ownership of the user's files and home directory before accepting login.
In this case, user home directory should have maximum 755 rights.

ssh-keygen -R hostname 
                                  <--this will remove that host from the known_host file
ssh -t reachable_host ssh unreachable_host               <--if host is available only from another host, you can reach it from local computer
ssh host -l user “`cat cmd.txt`”                         <--run complex remote shell cmds over ssh, without escaping quotes
ssh -o PreferredAuthentications=password -l <user> <host> <--this will try to login with password (it won't use ssh key)

cat file.tar | ssh server_C 'cat > /copy_dir/file.tar'   <--very fast file transfer to server_C (faster than scp)

copy a file from server A to server C through server B  (if copy is not possible directly between A <-> C ):
cat < file | ssh B "ssh C \"cd dir && cat > file\""      <--command from server A: (A-->B-->C)
scp -3 user@A:file uer@B:file                            <--command from server B (not all version has -3 option)
ssh A 'cat path_to_file' | ssh C 'cat > path_to_file'    <--command from server B
(if some output directed into the file (because of cat command), you can use ssh -q or ... >/dev/null 2>&1)
ssh -o StrictHostKeyChecking=no -o "UserKnownHostsFile=/dev/null" -o ConnectTimeout=10 -o LogLevel=ERROR user@host  <--good for scripting

----------------------------------

Generating key pairs

I want to log in from Node A as user bubba, to Node B as user root

1. on Node A as bubba: ssh-keygen -b 1024 -t rsa         <--this will generate private and public keys under .ssh (id_rsa, id_rsa.pub)
    or: ssh-keygen -t dsa                                -b: bit size, -t: rsa or dsa
2. on Node B: copy id_rsa.pub to authorized_keys2        <--the contents should be added to  authorized_keys2 or authorized_keys
3. on Noda A as bubba: ssh root@Node B                   <--now login is possible without password,
                                                         on Node A id_rsa file should be in .ssh, otherwise login will fail.

OpenSSH 7.0 and higher no longer accept DSA keys by default, and for higher security you can use 2048 bits keys:
ssh-keygen -t rsa -b 2048
-----------------------------------

If SSH protocol 1 is needed:


1. in /etc/ssh/sshd_config: Protocol 2,1                 <--this will enable both versions
2. ssh-keygen -t rsa1                                    <--this will create: identity, identity.pub files with protocol version 1
3. identity.pub should be inserted to authorized_keys file
4. ssh -1 corona@10.20.40.34                             <--this will force ssh to use protocol 1

-----------------------------------

ssh -i ~/.ssh/id_dsa.user12 150.200.200.48 -l user123    <--specify which identity you want to use

-----------------------------------

setting a default ssh user for login:

i.e: ssh hmc400                                          <--it will automatically login as hscroot because of the config file

root@aix40: / # cat .ssh/config
Compression     yes
Protocol        2

Host hmc*
        User    hscroot

Host localhost
Port 9999

-----------------------------------

SSH port forwarding (tunneling):
(There are local and remote port forwarding, usually local is needed.)

local port forwarding:
Befor setting up the tunnel make sure sshd_config file is correct. If the AllowTCPIPForward is on "no", then tunnel is not possibe (it should be set to yes)

syntax:
(ssh -L localport:host:hostport user@ssh_server -N)
ssh -L localport:want_to_reach_host:want_to_reach_hostport user@relay_server -N

-L           - specifies local port forwarding
localport    - local port (chose a port that is not in use by other service)
host         - server that has the port (hostport) that you want to forward
hostport     - remote port
-N           - do not execute a remote command, (you will not have the shell, if -N omitted we will get a shell as well)
user         - user that have ssh access to the ssh server (computer)
ssh_server   - the ssh server that will be used for forwarding/tunneling

localport:host:hostport
Specifies that the given localport on the local (client) host is to be forwarded to the given host and port on the remote side.
This works by allocating a socket to listen to the port on the local side. Then, whenever a  connection  is  made to this port, the connection is forwarded over the secure channel and a connection is made to host,hostport from the remote machine (ssh_server, relay server).

example:
- ssh -f -N -L 10080:bb_lpar:22 root@aix31                <--set up tunnel (for ssh session) (-f: puts in background the tunnel)
- ssh root@localhost -p 10080                             <--makes a connection to the given port

-----------------------------------

ssh logging of fingerprints:

/etc/syslog.conf:
    auth.info       /var/security/sshd.log rotate files 7 time 1d
    auth.info       @sys_pmm.domain.com

refresh -s syslogd

/etc/ssh/sshd_config:
    Syslogfacility AUTH
    Loglevel DEBUG

stopsrc -s sshd; startsrc -s sshd

--------------

Fingerprint operation (shows the user):

#!/usr/bin/ksh

f1="./authorized_keys2"
f2="./out"

x=1
while [[ $x -lt 107 ]]; do

cat $f1|head -n $x|tail -1|tr -d '\r' > $f2
cat $f2 | cut -f3 -d" "

ssh-keygen -l -f $f2
(( x += 1 ))
done

-----------------------------

SSH update:
(ssl needed as well)

rpm -qa | grep ssl                 <--checking if ssl is installed as rpm (if yes, remove it :rpm -e ...)
stopsrc -s sshd
cd /mnt/SSH/openssh_openssl_5.0    <--here are both ssh+ssl softwares
smitty update_all                  <--it will update ssh
smitty install                     <--it will install ssl (because rpm has been removed earlier)
(startsrc -s sshd)                 <--usually after update sshd starts automatically, so this step not needed


freeware open ssh:
(old version must be removed)

-make copy of the ssh dir (cd /etc; ls -ld *ssh*; cp -hpr openssh ssh.old)
-smitty remove (ssl+ssh)
-check inittab (lsitab -a | grep -i ssh;rmitab rcossh)
-remove any unnecessary links (ls -l /etc/rc.openssh; unlink ssh)
-copy contents of old ssh to new dir (mkdir ssh; cp -hpr ssh.old/* ssh/; rm -rf openssh)
-smitty install (ssl+ssh)
-restart (kill -9 <sshd pid> ; startsrc -s sshd)

normal ssh:
(because of our hardening script these should be take care)
#MaxAuthTries 3
#RhostsAuthentication no

-make a copy of the ssh dir
-smitty update_all (ssl+ssh)
-stopsrc -s sshd && startsrc -s sshd
-edit sshd_config to set back the old values

-----------------------------------

SSH LOGGING:


in /etc/syslog.conf:
auth.info            /var/security/sshd.log rotate files 7 time 1d

-----------------------------------

Chroot for ssh v.4.8 or above this is needed:

1. create a user
smitty user --> bubba
--------------------

2. create necessary dirs
mkdir /chroot
cd /chroot
mkdir -p dev/pts etc usr/bin usr/sbin usr/lib/ tmp        <--cretes the needed dirs
--------------------

3. copy binaries and libraries
Make sure that the permissions on all the files created inside the chrooted directory are the same as the ones for the original directories.

which ls | xargs ldd                                      <--shows the dependencies
/usr/bin/ls needs:
         /usr/lib/libc.a(shr.o)
         /unix
         /usr/lib/libcrypt.a(shr.o)

cp /usr/bin/ls /chroot/usr/bin                            <--copy the biaries
cp /usr/lib/libc.a /usr/lib/libcrypt.a /chroot/usr/lib/   <--copy the libraries
ln -s /usr/lib/boot/unix_64 /chroot/unix                  <--creates the soft link for /unix

copy all the things what is needed: ksh, mkdir ...
--------------------

4.create necessary devices
(these should have the same major and minor numbers, permissions as in the original AIX)

ls -l /dev/tty /dev/null /dev/zero                        <--just for checking the original settings (major, minor numbers)
mknod /chroot/dev/tty c 1 0; mknod /chroot/dev/null c 2 2; mknod /chroot/dev/zero c 2 3    <--creates the devices
chmod 666 /chroot/dev/null /chroot/dev/tty /chroot/dev/zero

ls -la /dev/pts/0 /dev/pts/1 /dev/pts/2 /dev/pts/3        <--just for checking (also could be check 4 5 6...)
for i in 0 1 2 3 4 5 6 7 8 9; do mknod /chroot/dev/pts/$i c 22 $i; done
chmod go+w /chroot/dev/pts/*
chmod 622 /chroot/dev/pts/0                               <--usually this is needed to e identical with the original
--------------------

5. create user home
mkdir -p /chroot/home/bubba
chown bubba.staff /chroot/home/bubba                     <--home dir should be owned by user,
                                                         (if not this kind of error could be: ksh: /tmp/sh790656.13: cannot create)
cat /etc/passwd | grep bubba >> /chroot/etc/passwd
cat /etc/group | grep bubba >> /chroot/etc/group
--------------------

6. testing the settings
chroot /home/chroot /usr/bin/ksh                         <--this changes to chroot environment
ls                                                       <--the copied commands can be checked
touch bb                                   
exit                                                     <--this will leave chroot environment
--------------------

7. ssh config
vi /etc/ssh/sshd_config


for SSH:
Match User bubba                                         <--these should be added at the end of the config
ChrootDirectory /chroot

for SFTP:
# override default of no subsystems
Subsystem       sftp    internal-sftp                    <--this is needed for this section

Match User bubba
ChrootDirectory /chroot
ForceCommand internal-sftp
--------------------

The ChrootDirctory path, and all its components, must be root-owned directories that are not writable by any other user or group.
(Once this setting was also needed for sftp: UsePrivilegeSeparation no)


---------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------


SCP:

scp source target

root@aix31: /u22/oradata # scp -r * aix40:/u22/oradata/.           <--recursive copy
scp -r -p user123@aix21:/u11/user123/my_scripts .                  <--copy the complete directory with dir itself as well
                                                                   (-r recursive)
                                                                   (-p preserves the modification times and modes of the source file)

---------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------

Commands to check SSL and certificates:

$ openssl s_client -connect bitbucket.lab.domain.org:443 </dev/null
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=US/postalCode=02451/ST=MA/L=Waltham/street=404 Wyman St/O=Domain LLC/OU=IaS/OU=Enterprise SSL Wildcard/CN=*.lab.domain.org
   i:/C=US/ST=DE/L=Wilmington/O=Corporation Service Company/CN=Trusted Secure Certificate Authority 5
 1 s:/C=US/ST=DE/L=Wilmington/O=Corporation Service Company/CN=Trusted Secure Certificate Authority 5
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root



$ ls /etc/ssl/certs/ | grep Add
AddTrust_External_Root.pem
AddTrust_Low-Value_Services_Root.pem
AddTrust_Public_Services_Root.pem
AddTrust_Qualified_Certificates_Root.pem


# openssl x509 -in AddTrust_External_Root.pem -text < /dev/null
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
        Validity
            Not Before: May 30 10:48:38 2000 GMT
            Not After : May 30 10:48:38 2020 GMT
        Subject: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
        Subject Public Key Info:



# curl -i https://bitbucket.lab.domain.org --cacert /etc/ssl/certs/AddTrust_External_Root.pem
HTTP/1.1 302
Server: nginx
Date: Fri, 16 Nov 2018 11:41:23 GMT
Content-Length: 0
Connection: keep-alive
X-OneAgent-JS-Injection: true
Set-Cookie: dtCookie=7F4C27A21B8BC3D9CE60FF9CE183CA87|Yml0YnVja2V0LmxhYi5keW5hdHJhY2Uub3JnfDE; Path=/; Domain=.domain.org
X-AREQUESTID: @17D9P1Tx761x9568458x3
X-ASEN: SEN-6183046
x-xss-protection: 1; mode=block
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
Location: https://bitbucket.lab.domain.org/repos?visibility=public
Content-Language: en-US
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST,GET,OPTIONS
Access-Control-Max-Age: 1728000


# curl -i https://bitbucket.lab.domain.org
HTTP/1.1 302
Server: nginx
Date: Mon, 19 Nov 2018 09:42:51 GMT
Content-Length: 0
Connection: keep-alive
X-AREQUESTID: @EGM7WTx642x1013560x0
X-ASEN: SEN-6183046
x-xss-protection: 1; mode=block
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff

8 comments:

Anonymous said...

Hi, in my environment its full of password less authentication (ssh-dsa)... from my home server i can login to any server without password, so in this scenario is it possible to scp from Server X24 to server Y42, but im in Home serve. kinldy reply..

aix said...

Hi, if ssh is working correctly (you can login without password), then scp will work as well. So, it is possible :)

Unknown said...

Hi All i have one issue for login server , i have able ping server but i cant able to login server at the same time i have one session
errpt showing RMC deamon stopped ,

Please help to isssu , how can i login to ssh server

aix said...

Hi, if you can login from console, you can check syslog or ssh logs for more info.
And if you try to login with ssh -vvv @, you will get also some info where can be the problem.

rrtrryr said...

hi i generated ssh keys (password less login) now i want to remove them (password login ) plz help to fix this

aix said...

Hi, you can remove public keys from authorized_keys file.

Anonymous said...

What is the possibility to provide scp with password in single line command.

Anonymous said...

you can try sshpass command