Shows the differences between two versions of the page.
| Previous revision | Current revision |
|---|---|
| wiki2:ssh [2020/12/10 18:52] alfred [Tunel reverso] | wiki2:ssh [2022/05/25 07:38] (current) |
| Línea 54: | Línea 54: | ||
| Duplicate the file ''hetzner'' with the name ''hetzner.pem''. Change its permisons: ''chmod 600 hetzner.pem''. Another (better) option is.... | Duplicate the file ''hetzner'' with the name ''hetzner.pem''. Change its permisons: ''chmod 600 hetzner.pem''. Another (better) option is.... | ||
| <code> | <code> | ||
| - | openssl rsa -inform pem -in hetzner -outform pem -out hetzner.pem | + | ssh-keygen -f hetzner -e -m pem > hetzner.pem |
| + | Otra opción (pedirá passphrase): | ||
| + | openssl rsa -in ./key -outform pem > key.pem | ||
| </code> | </code> | ||
| ==== Upload and allow access to that key ==== | ==== Upload and allow access to that key ==== | ||
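Review bot: the replacement command in this hunk does not do what the old one did. `ssh-keygen -f hetzner -e -m pem` reads the key and prints the public key in PEM format, whereas `openssl rsa -in hetzner -outform pem` re-encodes the private key, so the new `hetzner.pem` holds a public key and cannot serve as the identity file the surrounding text (`chmod 600 hetzner.pem`) implies. To re-encode the private key itself in PEM with OpenSSH tooling use `ssh-keygen -p -m PEM -f hetzner`, which rewrites the file in place after prompting for the old and new passphrase. Note also that the `openssl rsa` variant kept on the right writes the private key unencrypted when the input had a passphrase, which is why the 600 permissions matter, and that it only handles RSA keys.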
| Línea 96: | Línea 98: | ||
| The final pub_dsa.pem is the file you're looking for. | The final pub_dsa.pem is the file you're looking for. | ||
| + | ===== Usuario con home encriptado ===== | ||
| + | |||
| + | ⚠️ Si intentas acceder con un usuario que tiene el home encriptado mediante clave privada no vas a poder, ya que la clave estará guardada en el directorio home del usuario. Has de cambiar la ubicación de la clave. Para ello, crea un directorio ''/home/.ssh'' y allí pon tu clave (estará en tu directorio home, ruta ''.ssh/authorized_keys''). | ||
| + | |||
| + | Ahora has de cambiar la config de ssh editando ''/etc/ssh/sshd_config''. Añade la siguiente línea: | ||
| + | <code> | ||
| + | AuthorizedKeysFile /home/.ssh/%u | ||
| + | </code> | ||
| + | |||
| + | También será importante tener esta línea: | ||
| + | <code> | ||
| + | UsePAM yes | ||
| + | </code> | ||
| + | |||
| + | Añade un fichero ''.profile'' a /home/alfred no encriptado con el siguiente contenido: | ||
| + | <code> | ||
| + | /usr/bin/ecryptfs-mount-private | ||
| + | cd | ||
| + | source .profile | ||
| + | </code> | ||
| + | |||
| + | De esta forma te pedirá el password para desencriptar el directorio home, pero podrás acceder a él. Si no lo haces, piensa que tu clave está encriptada, se ha de tener una sesión abierta incluso para poder montarlo. | ||
| + | |||
| + | ==== Opción alternativa ==== | ||
| + | * https://superuser.com/a/312878 | ||
| + | |||
| + | <code> | ||
| + | # Make your public key accessible | ||
| + | mkdir -m 700 /home/.ecryptfs/$USER/.ssh | ||
| + | echo $YOUR_PUBLIC_KEY > /home/.ecryptfs/$USER/.ssh/authorized_keys | ||
| + | ln -s /home/.ecryptfs/$USER/.ssh/authorized_keys ~/.ssh/authorized_keys | ||
| + | ecryptfs-umount-private | ||
| + | chmod 700 $HOME | ||
| + | mkdir -m 700 ~/.ssh | ||
| + | ln -s /home/.ecryptfs/$USER/.ssh/authorized_keys ~/.ssh/authorized_keys | ||
| + | |||
| + | # Make it auto-mount with first login. | ||
| + | # Note: it can cause problems with automated login. | ||
| + | echo /usr/bin/ecryptfs-mount-private > ~/.profile | ||
| + | echo cd >> ~/.profile | ||
| + | echo source .profile >> ~/.profile | ||
| + | ecryptfs-mount-private | ||
| + | </code> | ||
| ===== SSH Tunel ===== | ===== SSH Tunel ===== | ||
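Review bot: the `AuthorizedKeysFile /home/.ssh/%u` line replaces sshd's default search paths rather than adding to them, so every other user with an ordinary `~/.ssh/authorized_keys` loses key-based login as soon as sshd is restarted; list both, e.g. `AuthorizedKeysFile /home/.ssh/%u .ssh/authorized_keys`. The same line contradicts the prose above it: with `%u` the key file must be named after the user (`/home/.ssh/alfred`), not `authorized_keys`, and with the default `StrictModes yes` sshd silently ignores it unless `/home/.ssh` and the file are owned by root or that user and are not group/world-writable, so the expected ownership and modes should be documented. Finally, the unencrypted `.profile` needs a guard: if `ecryptfs-mount-private` fails (wrong passphrase, or a non-interactive session such as scp/sftp), `cd` lands in the still-unmounted home and `source .profile` re-reads the same file, which recurses without end; `if /usr/bin/ecryptfs-mount-private; then cd; source .profile; fi` avoids that, and the "problems with automated login" caveat in the alternative block applies equally here.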
| Línea 121: | Línea 166: | ||
| ssh -R "0.0.0.0:81:0.0.0.0:8000" webapps | ssh -R "0.0.0.0:81:0.0.0.0:8000" webapps | ||
| </code> | </code> | ||
| - | Este ejemplo sirve el puerto 81 de la interface 0.0.0.0 en webapps, redirigido a la interface local 0.0.0.0:8000. | + | Este ejemplo sirve el puerto 81 de la interface 0.0.0.0 en webapps, redirigido a la interface local 0.0.0.0:8000. Es decir, cualquier petición que llegue por la 81 a webapps será mapeada al puerto local 8000 donde una app puede estar escuchando. Se puede escribir así también: ''ssh -R 81:0.0.0.0:8000 webapps'' (tengo dudas de si el 0.0.0.0 es necesario). |
| - | Para que pueda funcionar directamente necesitarás cambiar la configuración por defecto de ''/etc/sshd_config'', concretamente el valor: | + | 📌 Para que pueda funcionar directamente necesitarás cambiar la configuración por defecto de ''/etc/sshd_config'', concretamente el valor: |
| <code> | <code> | ||
| GatewayPorts no | GatewayPorts no | ||
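Review bot: the path in the changed line, `/etc/sshd_config`, should be `/etc/ssh/sshd_config`, as the section above uses. On the question the text leaves open: the `0.0.0.0` bind address on the remote side is what makes port 81 reachable from other hosts, and sshd honors it only when `GatewayPorts` is `yes` or `clientspecified`; with no bind address and `GatewayPorts no` the listener is bound to loopback on webapps, and with `GatewayPorts yes` every remote forward is bound to the wildcard address whether the client asked for it or not. Prefer `GatewayPorts clientspecified` over `yes` so that only forwards that explicitly request an external bind address are exposed. For the local destination, `127.0.0.1:8000` states the intent (the client's own loopback) more clearly than `0.0.0.0:8000`.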
| Línea 155: | Línea 200: | ||
| the same as myserver. To make that transparent you should add an entry to the hosts file. If you don't | the same as myserver. To make that transparent you should add an entry to the hosts file. If you don't | ||
| do that vhosts will not work. If you want a SOCKS-proxy connection you could also use | do that vhosts will not work. If you want a SOCKS-proxy connection you could also use | ||
| + | |||
| $ ssh -D 5000 user@myserver | $ ssh -D 5000 user@myserver | ||
| This will create a SOCKS-proxy on localhost port 5000 which routes all requests through myserver. | This will create a SOCKS-proxy on localhost port 5000 which routes all requests through myserver. | ||
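Review bot: the added blank line is fine, but the sentence after `ssh -D 5000 user@myserver` overstates what the proxy does: only traffic an application sends to the SOCKS port goes through myserver, and name resolution stays on the client unless the application is told to resolve through the proxy (curl's `socks5h://` scheme, Firefox's "Proxy DNS when using SOCKS v5"), so a DNS lookup can still reveal the destination on the local network. The listener binds to localhost only, which is the right default; it should not be opened with a wildcard bind address unless other hosts are meant to share it.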
| Línea 183: | Línea 229: | ||
| </code> | </code> | ||
| + | |||
| + | ==== Tunnels, port mapping table ==== | ||
| + | |||
| + | ^ Command ^ Meaning ^ | ||
| + | | ssh -L 8000:127.0.0.1:8000 dev | You are mapping the port 8000 from the ''dev'' host to localhost, port 8000. Now you can connect to ''localhost:8000'' and ''dev:8000'' will respond. | | ||
| + | | ssh -L 8000:127.0.0.1:8000 -L 5432:127.0.0.1:5432 dev | You are mapping the port 8000 and 5432 from the ''dev'' host to localhost, both on the same portport 8000. As previous but two. | | ||
| + | | ssh -R 8000:127.0.0.1:8000 shappsrv | You are mapping the port 8000 from ''localhost'' to the ''shappsrv'' host. When a request arrives to ''shappsrv:8000'' it will be redirected to ''localhost:8000''. | | ||
| + | | ssh -D 1337 -q -C -N webapps | You are creating a SOCKS5 proxy in local host to ''webapps'', port 1337. It will make any connection done to this port to outside as it was from webapps. | | ||
| + | |||
| + | Parameters: | ||
| + | |||
| + | * ''-q'' Quiet mode. No errors or warnings will be shown. | ||
| + | * ''-C'' Compress communication. | ||
| + | * ''-N'' Do not execute a command. | ||
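Review bot: the second table row has a typo and a wrong description: `portport` should be `port`, and `-L 8000:127.0.0.1:8000 -L 5432:127.0.0.1:5432` maps each port to the same number on localhost (8000 to 8000, 5432 to 5432), not both to 8000. In the SOCKS row, `-q` hides exactly the "Address already in use" / "Could not request local forwarding" warnings you want to see when port 1337 is already taken, after which ssh keeps the session open with no proxy at all; either drop `-q` or add `-o ExitOnForwardFailure=yes` so the session terminates instead, and the parameter list below should mention that trade-off. It is also worth stating in the table that `127.0.0.1` in each `-L` entry is the loopback of the remote host (`dev`), not of the client.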
| Línea 330: | Línea 390: | ||
| ssh -J gtdsir@wiki.sir.gtd,root@10.1.80.101 -L 6379:127.0.0.1:6379 -L 27017:127.0.0.1:27017 root@10.1.80.111 | ssh -J gtdsir@wiki.sir.gtd,root@10.1.80.101 -L 6379:127.0.0.1:6379 -L 27017:127.0.0.1:27017 root@10.1.80.111 | ||
| </code> | </code> | ||
| + | |||
| + | ==== Create port mapping from config ==== | ||
| + | |||
| + | <code> | ||
| + | Host <hostname> | ||
| + | HostName <Hostname IP> | ||
| + | User <User> | ||
| + | IdentityFile <Identity File Path> | ||
| + | LocalForward 127.0.0.1:8000 127.0.0.1:8000 | ||
| + | LocalForward 127.0.0.1:7000 127.0.0.1:7000 | ||
| + | </code> | ||
| + | The LocalForwards are key in setting up any tunnels I need working locally - you can tunnel as many ports as you need. | ||
| ===== Problems ===== | ===== Problems ===== | ||
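Review bot: the `LocalForward` entries are documented only by the placeholder lines; say which address is which, since the first `127.0.0.1:8000` is the bind address on the client and the second is the destination as seen from the remote host, and keeping the explicit `127.0.0.1` bind is what stops the forwarded ports from being reachable by other machines on the client's network. Two options fit naturally in this block: `IdentitiesOnly yes` next to `IdentityFile`, so the client offers only that key to the host rather than every key loaded in the agent, and `ExitOnForwardFailure yes`, so a connection that could not bind 8000 or 7000 fails visibly instead of leaving a session with no working tunnel.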