Herramientas de usuario
¡Esta es una revisión vieja del documento!
Tabla de Contenidos
SSH and similars
SSH use
Conectar con un .pem
ssh -i keyhindoor.pem ubuntu@54.217.224.44
SFTP
sftp -o IdentityFile=keyhindoor.pem ubuntu@54.217.224.44
SCP
Para hacer copia de ficheros: scp [[user@]from-host:]source-file [[user@]to-host:][destination-file]
Para hacerla con un pem: scp -i mykey.pem somefile.txt root@ec2-184-73-72-150.compute-1.amazonaws.com:/
Fichero de configuración
Configurar el host, en ~/.ssh/config:
Host live_frontend HostName aws.amazon.255-255-255-255.dns.stupidlylong.domain.amazon.com User ubuntu IdentityFile ~/.ssh/aws-eu-april2012.pem
Luego: ssh live_frontend
Para montar directorio: sshfs live_frontend:/home/ubuntu /home/alfred/tmp/test/
Clave pem
Crear clave pem
Enter this command to generate 2,048 bit RSA key using verbose (questions asked during) mode, and a public .pem X.509 certificate:
$ ssh-keygen -t rsa -b 2048 -v Generating public/private rsa key pair. Enter file in which to save the key (/home/anonymouse/.ssh/id_rsa): hetzner Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in hetzner. Your public key has been saved in hetzner.pub. The key fingerprint is: bb:c6:9c:ee:6b:c0:67:58:b2:bb:4b:44:72:d3:cc:a5 localhost@localhost The key's randomart image is:
Duplicate the file hetzner with the name hetzner.pem. Change its permisons: chmod 600 hetzner.pem. Another (better) option is….
ssh-keygen -f hetzner -e -m pem > hetzner.pem Otra opción (pedirá passphrase): openssl rsa -in ./key -outform pem > key.pem
Upload and allow access to that key
$ ssh-copy-id -i ~/hetzner.pub root@12.34.56.78
Grant access to another .pem key
… In the current system:
ssh-keygen -f YOURKEY.pem -y >> ~/.ssh/authorized_keys
Revoke user keys
Just remove <user home>/.ssh/authorized_keys file.
Configure to reject password login
To disable this setting, you can do the following: $ sudo nano /etc/ssh/sshd_config
ChallengeResponseAuthentication no PasswordAuthentication no UsePAM no
And: $ service ssh restart
Old method to create a key
cd .ssh/
Generate the file id_dsa from which we will create the PEM file:
ssh-keygen -t dsa -b 2048
Generate the private key PEM file:
openssl dsa -in id_dsa -outform pem > pk_dsa.pem
Generate the public key PEM file for distribution to the users:
openssl dsa -in pk_dsa.pem -pubout -out pub_dsa.pem
The final pub_dsa.pem is the file you're looking for.
Usuario con home encriptado
⚠️ Si intentas acceder con un usuario que tiene el home encriptado mediante clave privada no vas a poder, ya que la clave estará guardada en el directorio home del usuario. Has de cambiar la ubicación de la clave. Para ello, crea un directorio /home/.ssh y allí pon tu clave (estará en tu directorio home, ruta .ssh/authorized_keys).
Ahora has de cambiar la config de ssh editando /etc/ssh/sshd_config. Añade la siguiente línea:
AuthorizedKeysFile /home/.ssh/%u
También será importante tener esta línea:
UsePAM yes
Añade un fichero .profile a /home/alfred no encriptado con el siguiente contenido:
/usr/bin/ecryptfs-mount-private cd source .profile
De esta forma te pedirá el password para desencriptar el directorio home, pero podrás acceder a él. Si no lo haces, piensa que tu clave está encriptada, se ha de tener una sesión abierta incluso para poder montarlo.
Opción alternativa
# Make your public key accessible mkdir -m 700 /home/.ecryptfs/$USER/.ssh echo $YOUR_PUBLIC_KEY > /home/.ecryptfs/$USER/.ssh/authorized_keys ln -s /home/.ecryptfs/$USER/.ssh/authorized_keys ~/.ssh/authorized_keys ecryptfs-umount-private chmod 700 $HOME mkdir -m 700 ~/.ssh ln -s /home/.ecryptfs/$USER/.ssh/authorized_keys ~/.ssh/authorized_keys # Make it auto-mount with first login. # Note: it can cause problems with automated login. echo /usr/bin/ecryptfs-mount-private > ~/.profile echo cd >> ~/.profile echo source .profile >> ~/.profile ecryptfs-mount-private
SSH Tunel
ssh -L puerto_local:ip_enlace:puerto_servidor servidor
Es decir, si queremos conectar al servidor local en webapps desde el puerto 5432 haremos
ssh -L 5432:127.0.0.1:5432 webapps
O enlazar el puerto 5433 localmente al puerto 5432 del servidor 182.198.5.5 que tiene un usuario denominado exploit:
ssh -L 5433:127.0.0.1:5432 exploit@182.198.5.5
Several ports:
ssh -L 5433:127.0.0.1:5432 -L 5432:127.0.0.1:5432 exploit@182.198.5.5
He visto cosas como ssh -L *:127.0.0.1:* host. No sé si funcionaría.
Tunel reverso
ssh -R interface_remota:puerto_remoto:interface_local:puerto_local user@host
ssh -R "0.0.0.0:81:0.0.0.0:8000" webapps
Este ejemplo sirve el puerto 81 de la interface 0.0.0.0 en webapps, redirigido a la interface local 0.0.0.0:8000. Es decir, cualquier petición que llegue por la 81 a webapps será mapeada al puerto local 8000 donde una app puede estar escuchando. Se puede escribir así también: ssh -R 81:0.0.0.0:8000 webapps (tengo dudas de si el 0.0.0.0 es necesario).
📌 Para que pueda funcionar directamente necesitarás cambiar la configuración por defecto de /etc/sshd_config, concretamente el valor:
GatewayPorts no
Ha de cambiarse por:
GatewayPorts yes
Si esto no estuvise configurado en el servidor remoto entonces no podrás acceder desde fuera a ese puerto, solo desde local. Si quieres realizar el puente entonces necesitarás un programa que sirva por un puerto externo y lo redirija al local. socat por ejemplo, en el siguiente comando se redirije todo lo del puerto 80 al 5000:
socat TCP-LISTEN:80,fork TCP:127.0.0.1:5000
Proxy
For example, let’s say the database server at your office is located at 192.168.1.111 on the office network. You have access to the office’s SSH server at ssh.youroffice.com , and your user account on the SSH server is bob . In that case, your command would look like this:
ssh -L 8888:192.168.1.111:1234 bob@ssh.youroffice.com
After running that command, you’d be able to access the database server at port 8888 at localhost (127.0.0.1).
Another example is a postgres docker container running on 5432 of the 172.18.0.2 (thanks to docker inspect postgres, property IPAddress). You access to the ssh server webapps with this that also allows you to connect to that container on localhost:
ssh -L 5432:172.18.0.2:5432 webapps
You can do this using ssh $ ssh -L 80:remotehost:80 user@myserver You will have a tunnel from your local port 80 to the remotehost port 80 then. This does not have to be the same as myserver. To make that transparent you should add an entry to the hosts file. If you don't do that vhosts will not work. If you want a SOCKS-proxy connection you could also use $ ssh -D 5000 user@myserver This will create a SOCKS-proxy on localhost port 5000 which routes all requests through myserver. ssh -D 4000 user@example.com The SSH client creates a SOCKS proxy at port 4000 on your local computer. Any traffic sent to this port is sent to its destination through the SSH server.
Old
For example, if you ssh'ed into the remote machine using
ssh hal@remote.machine.com -i ~/.ssh/hal.key
Then you could set up the port forwarding like this:
ssh -L 54321:127.0.0.1:3306 hal@remote.machine.com -i ~/.ssh/hal.key -f -N -M -S ~/.ssh/tunnel_54321_remote_machine_mysql
Then you can connect to the database as if you were connecting to the database locally (using the commanline mysql client as example):
mysql -h 127.0.0.1 -P 54321 -u my_user -p my_database
This should then prompt for your password.
To close the tunnel:
ssh -S ~/.ssh/tunnel_54321_remote_machine_mysql hal@remote.machine.com -i ~/.ssh/hal.key
Tunnels, port mapping table
| Command | Meaning |
|---|---|
| ssh -L 8000:127.0.0.1:8000 dev | You are mapping the port 8000 from the dev host to localhost, port 8000. Now you can connect to localhost:8000 and dev:8000 will respond. |
| ssh -R 8000:127.0.0.1:8000 shappsrv |
Error Could not open a connection to your authentication agent
eval "$(ssh-agent -s)" eval `ssh-agent -s`
Herramientas de la página
