===== ssh =====
==== ssh github ====
# entry for ~/.ssh/config: use a dedicated key for github.com
Host github.com
    HostName github.com
    User git
    IdentityFile ~/.ssh/github
==== ssh chroot ====
=== Sources ===
* [[http://root-lab.fr/2012/01/25/creer-chroot-ssh-limite-simplement/]]
* [[http://www.prometee-creation.com/tutoriels/openssh-server-avec-chroot-jail.html]]
* [[http://www.syl21.org/wp-content/uploads/2011/05/mkchroot_ssh]]
* [[http://www.fuschlberger.net/programs/ssh-scp-sftp-chroot-jail/make_chroot_jail.sh.html]]
=== Make home folder ===
mkdir /home/chroot
=== Copy library files ===
#!/bin/bash
# Populate the jail under /home/chroot: device nodes, the allowed binaries
# and every shared library they link against (found with ldd).
cd /home/chroot || exit 1
mkdir -p {bin,dev,lib,lib64}
# mknod fails if the node already exists, so only create missing ones
[ -e dev/null ] || mknod dev/null c 1 3
[ -e dev/zero ] || mknod dev/zero c 1 5
chmod 0666 dev/{null,zero}
TMPFILE1=./temp1
TMPFILE2=./temp2
: > "$TMPFILE1"
: > "$TMPFILE2"
# binaries made available inside the jail (only copied if they exist on the host)
APPS="
/usr/bin/whoami
/bin/uname
/usr/bin/groups
/bin/bash
/bin/cp
/bin/ls
/bin/mkdir
/bin/mv
/bin/rm
/bin/rmdir
/usr/bin/id
/usr/bin/rsync
/usr/bin/scp
/usr/bin/wget
/usr/bin/vim
/usr/bin/vi
/bin/cat
/bin/less
/usr/bin/tail
/usr/bin/clear
/bin/chmod
/bin/sh
/bin/grep
/bin/gzip
/bin/gunzip
/bin/more
/bin/pwd
/bin/ping
/bin/ps
/bin/sed
/usr/bin/env
/usr/bin/host
/usr/bin/less
/usr/bin/nslookup
/usr/bin/dircolors"
for app in $APPS; do
    if [ -x "$app" ]; then
        # recreate the binary's directory inside the jail and copy it with its mode
        mkdir -p ".$(dirname "$app")"
        cp -p "$app" ".$app"
        # collect the libraries it needs (static binaries just produce no paths)
        ldd "$app" >> "$TMPFILE1"
    fi
done
# keep only the tokens of the ldd output that are absolute paths
for libs in $(cat "$TMPFILE1"); do
    case "$libs" in
        /*) echo "$libs" >> "$TMPFILE2" ;;
    esac
done
# copy each library once, into the same path inside the jail
for lib in $(sort -u "$TMPFILE2"); do
    mkdir -p ".$(dirname "$lib")"
    cp "$lib" ".$lib"
done
# terminfo database so that vim, less and clear work inside the jail
cp -r /lib/terminfo ./lib/
rm -f "$TMPFILE1" "$TMPFILE2"
=== Move the user's files to the jail ===
mkdir -p /home/chroot/home
mv /home/myuser /home/chroot/home/
=== Link the user's home to stay compatible with the old one ===
ln -s /home/chroot/home/myuser /home/myuser
=== Change the perms on this folder ===
chmod 700 /home/chroot/home/myuser
=== Set the config in /etc/ssh/sshd_config ===
== Load the internal sftp server ==
#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp
The difference between the two is that with the internal SFTP server no sftp-server binary (nor its libraries) has to be copied into the jail.
== Define a rule for the user (or group) ==
# we are matching the user, but this can be a group as well (Match Group ...)
Match User myuser
    ChrootDirectory /home/chroot
    AllowTcpForwarding no
    X11Forwarding no
# a Match keyword needs at least one criterion; "Match all" closes the block
# and returns to the global section of the file
Match all
== Define an environment ==
To avoid a prompt such as "I have no name!@machine" inside the jail, some environment variables have to be defined.
==== ssh tunnels ====
=== Local / Remote ===
* A = 4321
* B = 127.0.0.1
* C = 3306
* D = me@myserver.com
ssh -N -L 4321:127.0.0.1:3306 me@myserver.com
The command listens on local port A (on machine B, the client's loopback); every connection to it is carried through the SSH session to machine D, which then connects to machine B on port C, as seen from D (so 127.0.0.1:3306 here is the MySQL server on myserver.com itself).
* -N = do not execute a remote command: no shell is opened, only the forward is set up
* -L = local forwarding (the inverse is -R, remote forwarding)
Then we can use (the local port is the one given to -L):
mysql -h 127.0.0.1 -P 4321 -u user -p mybase
=== Dynamic ===
ssh -N -D 4321 me@myserver.com
Then we can configure the proxy clients to use SOCKS with 127.0.0.1 as host and 4321 as port.
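A small wrapper around the -L and -D forms shown above, added here as an example (not a script from the page): it validates the port numbers, makes ssh exit immediately when the local port cannot be bound instead of silently running without a forward (that is what `-o ExitOnForwardFailure=yes` does), runs a client command while the tunnel is up and kills the background ssh afterwards. The host names and ports are the page's placeholders, and `with_tunnel` is a name chosen for this example.

```shell
#!/bin/sh
# Added example, not part of the original page.

# valid_port N: 0 if N is an integer TCP port in 1..65535
valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# local_forward_args A B C: ssh arguments for "listen on local port A,
# have the remote side connect to B:C" (the -L form from the page)
local_forward_args() {
    valid_port "$1" && valid_port "$3" || return 1
    printf '%s' "-N -o ExitOnForwardFailure=yes -L $1:$2:$3"
}

# dynamic_forward_args A: ssh arguments for a SOCKS proxy on local port A
dynamic_forward_args() {
    valid_port "$1" || return 1
    printf '%s' "-N -o ExitOnForwardFailure=yes -D $1"
}

# with_tunnel "<ssh args>" user@host command...: run the command while the
# tunnel is up, then tear the tunnel down and return the command's status
with_tunnel() {
    args=$1
    dest=$2
    shift 2
    # $args is a deliberate word list, so it is left unquoted
    ssh $args "$dest" &
    pid=$!
    # give ssh a moment to either bind the port or exit with an error
    sleep 2
    kill -0 "$pid" 2>/dev/null || { echo "tunnel did not come up" >&2; return 1; }
    "$@"
    rc=$?
    kill "$pid"
    return $rc
}

# usage matching the page's example (placeholder server and database):
# with_tunnel "$(local_forward_args 4321 127.0.0.1 3306)" me@myserver.com \
#     mysql -h 127.0.0.1 -P 4321 -u user -p mybase
```

Without ExitOnForwardFailure, a local port already in use only produces a warning and ssh keeps running, so the client command would then talk to whatever already listens on that port rather than to the tunnel.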
==== sshfs ====
[[http://www.debian-fr.org/utiliser-geany-sur-un-serveur-distant-t20449.html#p201969|Source]]
# aptitude install fuse fuse-utils sshfs
sshfs login@server:/home/login/ /mnt/tmp/
Unmount:
fusermount -u /mnt/tmp/
== Example scripts ==
#!/bin/bash
# sshmnt: mount login@server:/path under ~/mnt/<name>
if [ $# -lt 2 ]; then
    echo "Usage: $0 login@server:/path name"
    exit 1
fi
if [ ! -d ~/mnt/"$2" ]; then
    echo "no ~/mnt/$2 folder found. creating it"
    # abort if the mount point cannot be created
    mkdir -p ~/mnt/"$2" || exit 1
fi
sshfs "$1" ~/mnt/"$2"
#!/bin/bash
# unmount a share mounted with the script above: ~/mnt/<name>
if [ $# -lt 1 ]; then
    echo "Usage: $0 name"
    exit 1
fi
if [ ! -d ~/mnt/"$1" ]; then
    echo "no ~/mnt/$1 folder found."
    exit 1
fi
fusermount -u ~/mnt/"$1"
{{tag>ssh}}