SSH
https://github.com/FiloSottile/whosthere
See man ssh_config
~/.ssh/config or /etc/ssh/ssh_config
- ~/.ssh/config
Host *
    ServerAliveInterval 300
    ServerAliveCountMax 3
    ControlMaster auto
    ControlPath ~/.ssh/master-%r@%h:%p
    ControlPersist 4h
    EscapeChar ~

Host srvlnxvm1
    User root
    HostName srvlnxvm1
    ProxyCommand ssh -W %h:%p srvlnxrbd

Host srvlnxdir1
    HostName srvlnxdir1
    LocalForward 1389 127.0.0.1:389
    LocalForward 1636 127.0.0.1:636

Host srvlnxvm2 192.168.22.42
    Hostname srvlnxvm2
    ProxyCommand ssh -W %h:%p srvlnxrbd

Host *
    User root

Host gtw
    Hostname 192.168.22.78
    PubkeyAuthentication=no
    Port 6322
    #lftp sftp://user:pass@gtw

Host 192.168.22.63
    Hostname 192.168.22.63
    ProxyCommand ssh -W %h:%p srvlnxrbd
    ForwardAgent yes
    #ProxyCommand ssh srvlnxrbd nc %h %p

Host test1
    User root
    Hostname 192.168.2.41
    IdentityFile ~/.ssh/clefs/id_rsa_test1

To debug ssh_config (prints the effective options for a host):
ssh -G user@somehost.example.com
Notes
/etc/ssh/sshd_not_to_be_run
Reuse the existing connection instead of opening a new one. Speeds things up.
Source: http://www.linuxjournal.com/content/speed-multiple-ssh-connections-same-server
- ~/.ssh/config
Host *
    ControlMaster auto
    ControlPath ~/.ssh/master-%r@%h:%p
    ControlPersist 4h

For this connection (temporarily), do not use key authentication:
ssh -o "PreferredAuthentications keyboard-interactive,password" user@192.168.1.18
SSH Escape Sequences (aka Kill Dead SSH Sessions)
- ~/.ssh/config
Host *
    EscapeChar ~

Supported escape sequences:
  ~.   - terminate connection (and any multiplexed sessions)
  ~B   - send a BREAK to the remote system
  ~C   - open a command line
  ~R   - request rekey
  ~V/v - decrease/increase verbosity (LogLevel)
  ~^Z  - suspend ssh
  ~#   - list forwarded connections
  ~&   - background ssh (when waiting for connections to terminate)
  ~?   - this message
  ~~   - send the escape character by typing it twice
(Note that escapes are only recognized immediately after newline.)
SSH Proxy
The point is to avoid depositing your private SSH key anywhere else (the bastion only relays the connection):
ssh -t -A serveurBastionRebond ssh serveurPlop118
Or, simpler:
- ~/.ssh/config
Host serveurPlop118
    ProxyCommand ssh -W %h:%p bastion
### If needed
Host bastion
    Hostname 192.168.2.34

Problem
$ ssh -t -A bastion ssh -o StrictHostKeychecking=no 192.168.1.22
Permission denied (publickey).
Shared connection to 171.33.90.69 closed
Solution
ssh -O stop bastion
or
ssh -o ControlMaster=no 192.168.1.22
Example
- ~/.ssh/config
Host rebond
    Hostname 192.168.89.155
    User jean

Host old-rhel5
    Hostname 192.168.50.20
    User root
    ProxyCommand ssh -W %h:%p rebond
    KexAlgorithms +diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
    HostKeyAlgorithms +ssh-rsa
    PubkeyAcceptedKeyTypes +ssh-rsa
    SetEnv TERM=linux

Host old-rhel3
    Hostname 192.168.50.30
    KexAlgorithms +diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
    HostKeyAlgorithms +ssh-rsa
    PubkeyAcceptedKeyTypes +ssh-rsa
    Ciphers +aes256-cbc
    SetEnv TERM=linux

Host centreon
    Hostname 192.168.50.21
    User root
    ProxyCommand ssh -W %h:%p rebond
    RemoteForward 3128 192.168.89.221:3128
    LocalForward 8081 localhost:80
    # SendEnv LANG LC_*

Security
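Reading a config like the ones above by eye is error-prone: ssh_config keeps the first value it obtains for each option, so a trailing "Host *" block only fills in what earlier blocks left unset, and legacy algorithms enabled for one old host are easy to lose track of. As an added example that is not part of this page, the Python below mimics how ssh -G resolves the effective options for a host alias and flags settings a reviewer would want to check (ForwardAgent yes, StrictHostKeyChecking no, legacy key exchange, host key or CBC cipher entries); the config text is constructed here, modelled on the page's examples.

```python
import fnmatch
import re

# Constructed sample ~/.ssh/config modelled on the page's examples (not the page's own file).
SAMPLE_CONFIG = """
Host *
    ControlMaster auto
Host old-rhel5
    Hostname 192.168.50.20
    KexAlgorithms +diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
    HostKeyAlgorithms +ssh-rsa
    ForwardAgent yes
Host *
    User root
    ForwardAgent no
"""
WEAK = {"forwardagent": {"yes"}, "stricthostkeychecking": {"no"}}
ALGO_OPTIONS = {"kexalgorithms", "hostkeyalgorithms", "ciphers", "pubkeyacceptedkeytypes"}
LEGACY = {"diffie-hellman-group1-sha1", "ssh-rsa"}  # plus any CBC-mode cipher

def resolve(config_text, host):
    """Effective options for `host`: the FIRST value obtained for each option wins.
    Simplification: negated (!) patterns and Match blocks are not handled."""
    effective, active = {}, True
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # only a leading '#' starts a comment
            continue
        key, value = re.match(r"(\w+)\s*=?\s*(.*)", line).groups()  # 'Key value' or 'Key=value'
        key = key.lower()
        if key == "host":
            active = any(fnmatch.fnmatchcase(host, p) for p in value.split())
        elif active:
            effective.setdefault(key, value)
    return effective

def legacy_algos(value):
    """Legacy entries in an algorithm list (a leading '+', '-' or '^' is ignored)."""
    return [a for a in value.lstrip("+-^").split(",") if a in LEGACY or a.endswith("-cbc")]

def audit(config_text, host):
    """(option, detail) pairs worth a second look in the effective config of `host`."""
    findings = []
    for key, value in resolve(config_text, host).items():
        if key in WEAK and value.lower() in WEAK[key]:
            findings.append((key, value))
        elif key in ALGO_OPTIONS and legacy_algos(value):
            findings.append((key, ",".join(legacy_algos(value))))
    return findings
```

For the sample, audit(SAMPLE_CONFIG, "old-rhel5") reports the group1 key exchange, ssh-rsa host keys and agent forwarding, while a host matched only by the two "Host *" blocks is clean; compare with the output of ssh -G on a real config.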
ssh-keygen -G moduli-3072.candidates -b 3072
See: https://entropux.net/article/openssh-moduli/
/etc/ssh/moduli
Disconnection problem
SSH disconnects after 30 seconds with Write Failed: broken pipe
Duplicate IP addresses
Other
ssh force password / do not use the key but prompt for the password:
ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no 192.168.1.22
Conversely, SSH options without a password, for scripts:
ssh -o PasswordAuthentication=no -o ChallengeResponseAuthentication=no -o PreferredAuthentications=publickey -o StrictHostKeyChecking=no -o ConnectTimeout=2 -o BatchMode=yes 192.168.1.22
