ssh -R binds to 127.0.0.1 only on remote
To test: GatewayPorts clientspecified
ssh -R "61027:db1.acme.local:61027" admin@app1.acme.local
The listener is bound to 127.0.0.1 only
# ss -tlnp |grep 610
LISTEN 0 128 127.0.0.1:61027 0.0.0.0:* users:(("sshd",pid=3983617,fd=15))
Let's try
ssh -g -R "0.0.0.0:61027:db1.acme.local:61027" admin@app1.acme.local
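That does not work: the listen address of a remote forward is decided by the server's GatewayPorts setting in sshd_config (default no, loopback only), and the client's -g only affects local forwards.
Same with -o GatewayPorts=true
On the machine that is listening on 127.0.0.1:61027: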
ssh -g -L 61028:0.0.0.0:61027 localhost
But since we do not have the SSH key on the target, we do:
ssh -A -t admin@app1.acme.local ssh -g -L 61028:0.0.0.0:61027 admin@localhost
And there it is:
# ss -tlnp |grep 610
LISTEN 0 128 127.0.0.1:61027 0.0.0.0:* users:(("sshd",pid=3983617,fd=15))
LISTEN 0 128 0.0.0.0:61028 0.0.0.0:* users:(("ssh",pid=3987404,fd=6))
Other
Errors after a while during the connection
$ ssh -R "61027:db1.acme.local:61027" admin@app1.acme.local
connect_to db1.acme.local port 61027: failed.
connect_to db1.acme.local port 61027: failed.
connect_to db1.acme.local port 61027: failed.
connect_to db1.acme.local port 61027: failed.
SSH - man-in-the-middle attack - MITM
See http://www.phcomp.co.uk/Tutorials/Unix-And-Linux/ssh-check-server-fingerprint.html
- /var/log/auth.log
Jan 13 18:08:07 ACME sshd[19573]: Invalid user from 10.227.01.32
Jan 13 18:08:07 ACME sshd[19573]: input_userauth_request: invalid user [preauth]
Jan 13 18:08:07 ACME sshd[19573]: Failed none for invalid user from 10.227.01.32 port 38493 ssh2
Problem
It all starts with a connection that cannot be established and an error in /var/log/auth.log. The user name does not appear.
Server
for file in *sa_key.pub
do
  ssh-keygen -lf "$file"
done
1024 82:45:ef:2d:a7:c1:38:30:64:3d:27:5f:07:2d:49:bb ssh_host_dsa_key.pub (DSA)
256 60:1d:11:ae:14:13:91:a6:d6:0c:0b:19:ff:ae:38:50 ssh_host_ecdsa_key.pub (ECDSA)
2048 42:51:fd:3f:d8:5e:ff:0f:7b:b4:ec:00:2b:4f:41:af ssh_host_rsa_key.pub (RSA)
Client
ssh localhost
The authenticity of host 'localhost (::1)' can't be established.
ECDSA key fingerprint is 60:1d:11:ae:14:13:91:a6:d6:0c:0b:19:ff:ae:38:50.
Are you sure you want to continue connecting (yes/no)?
- ~/.ssh/known_hosts
|1|L/bOL2nijC7tH8OmD3g4wDylRDk=|w2fAVJ4hqgexkcNn1kcQWkWJMwY= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBgwV9MaQTOLDDCtn0hRMZQN9398Z4ciwN+mCKN+ZQ47FgXO/ObM5JRUIdZ68th9whxhaGItdAXjFUTpxhUHgyk=
- /etc/ssh/ssh_host_ecdsa_key.pub
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBgwV9MaQTOLDDCtn0hRMZQN9398Z4ciwN+mCKN+ZQ47FgXO/ObM5JRUIdZ68th9whxhaGItdAXjFUTpxhUHgyk= root@debian2
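The comparison above (server host key, fingerprint shown to the client, known_hosts entry) written as a script. This is an added example, not part of the original notes: it recomputes both fingerprint formats from the key blob and checks a hashed known_hosts entry against a host name. The function names are illustrative, and the `localhost` entry it verifies is constructed with a made-up salt (Python 3.9+ assumed).

```python
import base64, hashlib, hmac, struct

# Key material copied from the page (/etc/ssh/ssh_host_ecdsa_key.pub and ~/.ssh/known_hosts)
KEY = ("ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBgwV9MaQTOL"
       "DDCtn0hRMZQN9398Z4ciwN+mCKN+ZQ47FgXO/ObM5JRUIdZ68th9whxhaGItdAXjFUTpxhUHgyk=")
SERVER_PUB = KEY + " root@debian2"
KNOWN_HOSTS = "|1|L/bOL2nijC7tH8OmD3g4wDylRDk=|w2fAVJ4hqgexkcNn1kcQWkWJMwY= " + KEY

def parse_key(line):
    """Return (host field or None, key type, raw key blob) for a known_hosts or *.pub line."""
    fields = line.split()
    # known_hosts lines carry a host field first; *.pub lines start with the key type
    hosts = None if fields[0].startswith(("ssh-", "ecdsa-", "sk-")) else fields.pop(0)
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    (n,) = struct.unpack(">I", blob[:4])  # the blob begins with a length-prefixed key type
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type does not match key blob")
    return hosts, key_type, blob

def fingerprints(blob):
    """(MD5 colon-hex as shown by older clients, SHA256 as shown by current OpenSSH)."""
    md5 = hashlib.md5(blob, usedforsecurity=False).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return ":".join(md5[i:i + 2] for i in range(0, 32, 2)), "SHA256:" + sha

def hash_host(name, salt):
    """Build a hashed host field: |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=name))."""
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_matches(hosts, name):
    """True if `name` is covered by a hashed field or an exact entry of a plain host list."""
    if not hosts.startswith("|1|"):
        return name in hosts.split(",")
    salt = base64.b64decode(hosts.split("|")[2])
    return hmac.compare_digest(hash_host(name, salt), hosts)

def verify(known_hosts_line, server_pub_line, name):
    """True only if the pinned entry covers `name` and holds exactly the server's key."""
    hosts, pinned_type, pinned = parse_key(known_hosts_line)
    _, served_type, served = parse_key(server_pub_line)
    return (host_matches(hosts, name) and pinned_type == served_type
            and hmac.compare_digest(pinned, served))

if __name__ == "__main__":
    entry = hash_host("localhost", b"constructed-salt-20b") + " " + KEY  # constructed entry
    print(fingerprints(parse_key(SERVER_PUB)[2]))
    print("page entry pins the server key:", parse_key(KNOWN_HOSTS)[2] == parse_key(SERVER_PUB)[2])
    print("localhost verified:", verify(entry, SERVER_PUB, "localhost"))
```

The MD5 value without colons is the same digest that the `base64 -d | md5sum -b` pipeline prints for a host key.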
With WinSCP
On the server
#ssh-keygen -E md5 -lf /etc/ssh/ssh_host_ed25519_key.pub
awk '{print $2}' /etc/ssh/ssh_host_ed25519_key.pub | base64 -d | md5sum -b
3284028e26ac8b5eec88ce6d978d8e14 *-
On the client
See: winscp-mitm.png
(information missing)
Snap / snapd, the cross-distribution package manager
Installing Snap
sudo apt update
sudo apt install snapd
## get the latest snapd
# sudo snap install snapd
sudo snap install core
Test
snap install hello-world
Proxy configuration
sudo -E snap set system proxy.http="$http_proxy"
sudo -E snap set system proxy.https="$https_proxy"
On Ubuntu 18.04
# snap list
Name                  Version         Rev   Tracking  Publisher    Notes
core                  16-2.35.5       5742  stable    canonical✓   core
gnome-3-26-1604       3.26.0          74    stable/…  canonical✓   -
gnome-calculator      3.30.1          260   stable/…  canonical✓   -
gnome-characters      3.30.0          139   stable/…  canonical✓   -
gnome-logs            3.30.0          45    stable/…  canonical✓   -
gnome-system-monitor  3.30.0          57    stable/…  canonical✓   -
gtk-common-themes     0.1-4-g88bc1b2  818   stable/…  canonical✓   -
rocketchat-desktop    2.7.0           4     stable    rocketchat✓  -
Installing a package
sudo snap find notepad
# snap info notepad-plus-plus
sudo snap install notepad-plus-plus
sudo snap install --classic notepadqq
Updating
sudo snap refresh --list
sudo snap refresh
Running an application
$ snap list
Name               Version  Rev    Tracking       Publisher   Notes
core               16-2.48  10444  latest/stable  canonical✓  core
pycharm-community  2020.3   222    latest/stable  jetbrains✓  classic
$ snap run pycharm-community &
Restarting a service
snap stop multipass
snap start multipass
Logs
journalctl --unit 'snap.multipass*'
Other
Miscellaneous
snap install core
sudo snap refresh core
Remove
apt-get -y autoremove --purge snapd snap-confine snapd ubuntu-core-launcher squashfs-tools
Access to /etc, /var … (but still not /tmp): --devmode installs the snap without enforcing strict confinement
snap install --devmode gedit
snap connect vlc:removable-media
signify-openbsd
An alternative to GPG (for signing only).
It is designed for signing small files/packages.
For large files, the idea is to run sha256sum and sign the resulting hash file.
In the testing repository
apt-get install signify-openbsd
-p : Public key
-s : Secret key
-m : Message
-x : Signature
-G : Generate key pair
-S : Sign
-V : Verify
Generate a key pair
signify-openbsd -G -n -p key.pub -s key.sec
Sign
signify-openbsd -S -s key.sec -m message.txt
Verify the signature
signify-openbsd -V -p key.pub -m message.txt
Example
# Exclude the manifest itself: the redirection creates it before find starts
find . -type f ! -name sha512sum -exec sha512sum {} \; > sha512sum
signify-openbsd -S -s ../key.sec -m sha512sum
NFS v3 server and client mount
On the server
- /etc/exports
/data/plop machine1(async,rw,no_root_squash)
exportfs -rv
If needed
chmod 1777 /data/plop
On the client
- /etc/fstab
serveurnfs:/data/plop /import/plop nfs defaults,_netdev,nfsvers=3 0 0
rw,bg,hard,rsize=32768,wsize=32768,tcp,vers=3,timeo=600
mkdir -p /import/plop
mount /import/plop
Mount options
nocto: Suppress the retrieval of new attributes when creating a file.
noac: Disable all forms of attribute caching entirely. This exacts a significant performance penalty but it allows two different NFS clients to get reasonable results when both clients are actively writing to a common export on the server.
noacl: Disables Access Control List (ACL) processing.
vers=4.1: NFS v4.1 should be used instead of v4.0 because there is a Linux NFS client bug in v4.0 that can cause significant problems due to stale data.
nofail: Don't halt the boot process waiting for this mount to become available.
lookupcache=positive: Tells the NFS client to honor positive cache results but invalidates any negative cache results. Negative cache results cause problems with Git. Specifically, a git push can fail to register uniformly across all NFS clients. The negative cache causes the clients to 'remember' that the files did not exist previously.
Test
Monitoring
See also:
- check_mk
- fsfreeze (Linux Ext3/4, ReiserFS, JFS, XFS)
The simplest way to monitor NFS is to create a file and then delete it: https://docs.netapp.com/us-en/ontap/nfs-config/test-access-client-systems-task.html
stat -f (system call statfs(2))
If the NFS mount is “stale”, then stat -f returns immediately but with a size of -1. The check detects that and results in a warning state.
mount -l | grep nfs
grep nfs /proc/mounts
nfsstat
nfsstat --mounts
mountpoint -q /mnt/foo
findmnt -rno SOURCE,TARGET "$1"
lsof -b
ss -a|grep :nfs
# bash only (process substitution): stat runs in the background and read gives up after 1 second
mountpoint="/mnt/testnfs"
#read -t1 < <(stat -t "$mountpoint" 2>&-)
read -r -t1 < <(stat -t "$mountpoint" 2>&-)
# An empty REPLY means stat printed nothing within the timeout
if [ -z "$REPLY" ] ; then
  echo "NFS mount stale. Removing..."
fi
