ssh
ssh github
Host github.com
    HostName github.com
    User git
    IdentityFile ~/.ssh/github
ssh chroot
Sources
Make home folder
mkdir /home/chroot
Copy library files
#!/bin/bash
# Build a minimal jail in /home/chroot: device nodes, the listed binaries
# and every shared library they link against, each at its original path.
# Note: sshd only accepts a ChrootDirectory whose path components are all
# owned by root and not group- or world-writable, so do not loosen the
# permissions of /home/chroot itself.
cd /home/chroot || exit 1
mkdir -p {bin,dev,lib,lib64}
mknod dev/null c 1 3
mknod dev/zero c 1 5
chmod 0666 dev/{null,zero}

TMPFILE1=./temp1
TMPFILE2=./temp2
APPS="
/usr/bin/whoami
/bin/uname
/usr/bin/groups
/bin/bash
/bin/cp
/bin/ls
/bin/mkdir
/bin/mv
/bin/rm
/bin/rmdir
/usr/bin/id
/usr/bin/rsync
/usr/bin/scp
/usr/bin/wget
/usr/bin/vim
/usr/bin/vi
/bin/cat
/bin/less
/usr/bin/tail
/usr/bin/clear
/bin/chmod
/bin/sh
/bin/grep
/bin/gzip
/bin/gunzip
/bin/more
/bin/pwd
/bin/ping
/bin/ps
/bin/sed
/usr/bin/env
/usr/bin/host
/usr/bin/less
/usr/bin/nslookup
/usr/bin/dircolors"

# Copy each binary (preserving mode and ownership) to the same path inside
# the jail and collect its ldd output.
for app in $APPS; do
    if [ -x "$app" ]; then
        app_path=$(dirname "$app")
        mkdir -p ".$app_path"
        cp -p "$app" ".$app"
        ldd "$app" >> "$TMPFILE1"
    fi
done

# ldd prints "libname => /path (address)": keep only the tokens that are
# absolute paths. This also picks up the dynamic loader (/lib64/ld-linux-*),
# and skips "linux-vdso.so.1" or "not a dynamic executable".
for libs in $(cat "$TMPFILE1"); do
    frst_char=$(echo "$libs" | cut -c1)
    if [ "$frst_char" = "/" ]; then
        echo "$libs" >> "$TMPFILE2"
    fi
done

# Copy every library to the same path inside the jail.
for lib in $(cat "$TMPFILE2"); do
    mkdir -p ".$(dirname "$lib")" > /dev/null 2>&1
    cp "$lib" ".$lib"
done

# terminfo is needed by vim, less, clear and friends.
cp -r /lib/terminfo ./lib/
rm -f "$TMPFILE1" "$TMPFILE2"
Move the user's files to the jail
mv /home/myuser /home/chroot/home/
Link the user's home to stay compatible with the old one
ln -s /home/chroot/home/myuser /home/myuser
Change the perms on this folder
chmod 700 /home/chroot/home/myuser
Set the config in /etc/ssh/sshd_config
Load the internal sftp server
#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp
The difference between the two is that the internal sftp server runs inside sshd, so no sftp-server binary (or its libraries) has to be copied into the jail.
Define a rule for the user (or group)
# we are matching the user but this can be a group also (Match Group ...)
Match User myuser
    ChrootDirectory /home/chroot
    AllowTCPForwarding no
    X11Forwarding no
# "Match all" ends the block so that later directives apply to everyone again
Match all
Then we need to define an environment.
To avoid a prompt such as "I have no name!@machine", we need to define some environment variables.
ssh tunnels
Local / Remote
- A = 4321
- B = 127.0.0.1
- C = 3306
- D = me@myserver.com
ssh -N -L 4321:127.0.0.1:3306 me@myserver.com
The command listens on port A of the local machine (B, the loopback address); each connection is carried through machine D, which then connects to B on port C as seen from D's side, i.e. to the MySQL server running on D itself.
- -N = do not run a remote command or shell, just keep the tunnel open
- -L = local forwarding (the inverse is -R for remote forwarding)
Then we can use :
mysql -h 127.0.0.1 -P 4321 -u user -p mybase
Dynamic
ssh -N -D 4321 me@myserver.com
Then we can configure the proxy clients to use SOCKS with 127.0.0.1 as host and 4321 as port.
sshfs
# aptitude install fuse fuse-utils sshfs
sshfs login@server:/home/login/ /mnt/tmp/
unmount:
fusermount -u /mnt/tmp/
Example scripts
#!/bin/bash
# Mount a remote folder over sshfs under ~/mnt/<folder name>.
# check if params
if [ $# -lt 2 ]; then
    echo "Usage : sshmnt <ssh alias> <folder name>"
    exit 1
fi
if [ ! -d ~/mnt/"$2" ]; then
    echo "no ~/mnt/$2 folder found. creating it"
    # abort if the mount point could not be created
    if ! mkdir -p ~/mnt/"$2"; then
        exit 1
    fi
fi
sshfs "$1" ~/mnt/"$2"
#!/bin/bash
# Unmount an sshfs mount under ~/mnt/<folder name>.
# check if params
if [ $# -lt 1 ]; then
    echo "Usage : sshmnt <folder name>"
    exit 1
fi
if [ ! -d ~/mnt/"$1" ]; then
    echo "no ~/mnt/$1 folder found."
    exit 1
fi
fusermount -u ~/mnt/"$1"