OpenSsh: Unterschied zwischen den Versionen
Zur Navigation springen
Zur Suche springen
(16 dazwischenliegende Versionen von 6 Benutzern werden nicht angezeigt) | |||
Zeile 1: | Zeile 1: | ||
[[Kategorie:ServerApplikation]] | [[Kategorie:ServerApplikation]] | ||
[[Kategorie:Sicherheit]] | |||
= Konfiguration = | = Konfiguration = | ||
Zeile 13: | Zeile 14: | ||
<pre>chmod 755 .ssh | <pre>chmod 755 .ssh | ||
chmod 600 .ssh/authorized_keys | chmod 600 .ssh/authorized_keys | ||
drwxr-xr-x 2 wk wk 4096 Jul 28 2017 .ssh/ | |||
-rw-r--r-- 1 wk wk 1332 Aug 29 2018 .ssh/known_hosts | |||
-rw------- 1 wk wk 1921 Jun 26 2017 .ssh/authorized_keys | |||
-rw------- 1 wk wk 3326 Jul 28 2017 .ssh/id_rsa | |||
-rw-r--r-- 1 wk wk 735 Jul 28 2017 .ssh/id_rsa.pub | |||
</pre> | </pre> | ||
= Kommandos = | = Kommandos = | ||
< | <syntaxhighlight lang="bash"> | ||
ssh -i /home/jonny/id_rsa jonny@extern.host.de | |||
rsync -e "ssh -i /home/jonny/id_rsa" /home backup@backup.example.com | rsync -e "ssh -i /home/jonny/id_rsa" /home backup@backup.example.com | ||
ssh-copy-id -i ~/.ssh/id_rsa hm@host | ssh-copy-id -p 22 -i ~/.ssh/id_rsa hm@host | ||
ssh-copy-id hm@host | |||
sudo -u extbup scp -P 22 file.txt bupsupply@myhost:. | |||
# Pw ändern: | |||
ssh-keygen -p | |||
ssh-keygen -p -f ~/.ssh/id_dsa | |||
</syntaxhighlight> | |||
== Zertifikate ermitteln, Widerruflisten == | |||
<syntaxhighlight lang="bash"> | |||
# Zertifikat herunterladen: | |||
openssl s_client -showcerts -connect www.bundesdruckerei.de:443 </dev/null > bd.crt | |||
# Menschenlesbar machen: | |||
openssl x509 -in bd.crt -noout -text | |||
# Widerruf-Liste extrahieren: | |||
openssl x509 -in bd.crt -noout -ext crlDistributionPoints | |||
# Widerrufliste herunterladen... | |||
curl -L [CRL-URL] > bd.crl | |||
# ... und anzeigen | |||
openssl crl -in bd.crl -noout -text | |||
</syntaxhighlight> | |||
== Test, ob Zertifikat widerrufen ist == | |||
<syntaxhighlight lang="bash"> | |||
openssl s_client -showcerts -connect www.heise.de:443 </dev/null > h.crt | |||
openssl x509 -in h.crt -noout -ext authorityInfoAccess | |||
</syntaxhighlight> | |||
Ausgabe: | |||
<pre> | |||
Authority Information Access: | |||
OCSP - URI:http://r3.o.lencr.org | |||
CA Issuers - URI:http://r3.i.lencr.org/ | |||
</pre> | |||
<syntaxhighlight lang="bash"> | |||
curl -L [CA-Issuer-URL] > le-r3.crt | |||
openssl ocsp -issuer le-r3.crt -cert h.crt -url [OCSP-URI] | |||
</syntaxhighlight> | |||
Antwort: | |||
<pre> | |||
WARNING: no nonce in response | |||
Response verify OK | |||
h.crt: good | |||
This Update: Feb 25 18:23:00 2024 GMT | |||
Next Update: Mar 3 18:22:58 2024 GMT | |||
</pre> | |||
== Port-Forwarding == | |||
Auf dem Server in /etc/ssh/sshd_config: | |||
<spre> | |||
# allow remote port forwarding: | |||
GatewayPorts yes | |||
</pre> | </pre> | ||
* systemctl reload sshd | |||
Lokal: | |||
<syntaxhighlight lang="bash"> | |||
ssh -nNT -p 10106 -R 6379:localhost:6379 wk@bt | |||
</syntaxhighlight> | |||
== SFTP-chroot-Umgebung == | == SFTP-chroot-Umgebung == | ||
* /etc/ssh/sshd_config | * /etc/ssh/sshd_config | ||
<pre>Match Group sftponly | <pre> | ||
Match Group sftponly | |||
ChrootDirectory /home/%u | ChrootDirectory /home/%u | ||
ForceCommand internal-sftp | ForceCommand internal-sftp | ||
Zeile 31: | Zeile 103: | ||
</pre> | </pre> | ||
oder | oder | ||
<pre>Match User jonny | <pre> | ||
Match User jonny | |||
ChrootDirectory /opt/jail_jonny | ChrootDirectory /opt/jail_jonny | ||
ForceCommand internal-sftp | ForceCommand internal-sftp | ||
Zeile 37: | Zeile 110: | ||
</pre> | </pre> | ||
* Rechte /opt/jail_jonny: | * Rechte /opt/jail_jonny: | ||
< | <syntaxhighlight lang="bash"> | ||
DIR=/opt/jail_jonny | |||
chown root.root $DIR | chown root.root $DIR | ||
chmod 755 $DIR | chmod 755 $DIR | ||
</ | </syntaxhighlight> | ||
* Eintrag in /etc/fstab: | * Eintrag in /etc/fstab: | ||
<pre> | <pre> | ||
/data/dir1 /opt_jail_jonny none bind | /data/dir1 /opt_jail_jonny none bind | ||
</pre> | </pre> | ||
== Zugriff auf RSync beschränken == | |||
* Client | |||
** Benutzer einrichten: adduser extbup | |||
** Keys erzeugen, ohne Passwort | |||
** in /home/extbup/.ssh/id_rsh.pub steht: ssh-rsa AAAAB3NzaC1y...5Ow== extbup@caribou | |||
* Server: | |||
** User einrichten: adduser buptiger | |||
** Benutzer muss in /etc/shadow gelistet sein! | |||
** In /home/buptiger/.ssh/authorized_keys: | |||
<pre> | |||
command="/usr/local/bin/rrsync /opt/extbackup/caribou",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa AAA...5Ow== extbup@caribou | |||
</pre> | |||
oder mit Nur-Lese-Zugriff (oder -wo für Nur-Schreibzugriff): | |||
<pre> | |||
command="/usr/local/bin/rrsync -ro /opt/extbackup/caribou",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa AAA...5Ow== extbup@caribou | |||
</pre> | |||
<syntaxhighlight lang="bash"> | |||
FN=/usr/local/bin/rrsync | |||
test -x $FN || gunzip /usr/share/doc/rsync/scripts/rrsync.gz -c > $FN && chmod uog+x $FN | |||
</syntaxhighlight> | |||
* Client: | |||
** Die Zielpfadangabe von rsync ist immer relativ zu dem im Server angegebenen Verzeichnis /opt/extbackup/caribou | |||
** rsync -a /opt/backup/dayly buptiger@server:. | |||
== rsync unter anderem Port erreichen == | |||
<syntaxhighlight lang="bash"> | |||
rsync -a -e 'ssh -p 10106' /home/ bupsrv@bigtoy:/bup-home | |||
</syntaxhighlight> | |||
== Chroot für rsync: == | == Chroot für rsync: == | ||
* /usr/local/bin/MkChroot.pl: | * /usr/local/bin/MkChroot.pl: | ||
< | <syntaxhighlight lang="bash"> | ||
SCRIPT=/usr/local/bin/MkChroot.pl | |||
cat <<'EOS' >$SCRIPT | cat <<'EOS' >$SCRIPT | ||
#! /usr/bin/perl | #! /usr/bin/perl | ||
Zeile 99: | Zeile 208: | ||
EOS | EOS | ||
chmod uog+x $SCRIPT | chmod uog+x $SCRIPT | ||
</ | </syntaxhighlight> | ||
* Erstellen der chroot-Umgebung: | * Erstellen der chroot-Umgebung: | ||
< | <syntaxhighlight lang="bash"> | ||
MkChroot.pl /bin/bash | |||
MkChroot.pl rsync | MkChroot.pl rsync | ||
cd /opt/jail | cd /opt/jail | ||
unzip /tmp/chroot.zip | unzip /tmp/chroot.zip | ||
</ | </syntaxhighlight> | ||
* Mount als /etc/fstab-Eintrag: | * Mount als /etc/fstab-Eintrag: | ||
<pre>/opt/www /opt/jail/www none bind 1 0 | <pre>/opt/www /opt/jail/www none bind 1 0 | ||
</pre> | |||
* /etc/ssh/sshd_config | |||
<pre>Match User jonny | |||
ChrootDirectory /opt/jail_jonny | |||
AllowTcpForwarding no | |||
</pre> | </pre> |
Aktuelle Version vom 12. März 2024, 08:15 Uhr
Konfiguration[Bearbeiten]
Schlüsselgenerierung[Bearbeiten]
ssh-keygen -t rsa -b 4096
ssh-Sitzung mit Schlüssel[Bearbeiten]
- id_rsa.pub auf dem Zielrechner in die Datei authorized_keys eintragen
- Verzeichnis ist das Homeverzeichnis des Users, mit dem angemeldet wird.
chmod 755 .ssh chmod 600 .ssh/authorized_keys drwxr-xr-x 2 wk wk 4096 Jul 28 2017 .ssh/ -rw-r--r-- 1 wk wk 1332 Aug 29 2018 .ssh/known_hosts -rw------- 1 wk wk 1921 Jun 26 2017 .ssh/authorized_keys -rw------- 1 wk wk 3326 Jul 28 2017 .ssh/id_rsa -rw-r--r-- 1 wk wk 735 Jul 28 2017 .ssh/id_rsa.pub
Kommandos[Bearbeiten]
ssh -i /home/jonny/id_rsa jonny@extern.host.de
rsync -e "ssh -i /home/jonny/id_rsa" /home backup@backup.example.com
ssh-copy-id -p 22 -i ~/.ssh/id_rsa hm@host
ssh-copy-id hm@host
sudo -u extbup scp -P 22 file.txt bupsupply@myhost:.
# Pw ändern:
ssh-keygen -p
ssh-keygen -p -f ~/.ssh/id_dsa
Zertifikate ermitteln, Widerruflisten[Bearbeiten]
# Zertifikat herunterladen:
openssl s_client -showcerts -connect www.bundesdruckerei.de:443 </dev/null > bd.crt
# Menschenlesbar machen:
openssl x509 -in bd.crt -noout -text
# Widerruf-Liste extrahieren:
openssl x509 -in bd.crt -noout -ext crlDistributionPoints
# Widerrufliste herunterladen...
curl -L [CRL-URL] > bd.crl
# ... und anzeigen
openssl crl -in bd.crl -noout -text
Test, ob Zertifikat widerrufen ist[Bearbeiten]
openssl s_client -showcerts -connect www.heise.de:443 </dev/null > h.crt
openssl x509 -in h.crt -noout -ext authorityInfoAccess
Ausgabe:
Authority Information Access: OCSP - URI:http://r3.o.lencr.org CA Issuers - URI:http://r3.i.lencr.org/
curl -L [CA-Issuer-URL] > le-r3.crt
openssl ocsp -issuer le-r3.crt -cert h.crt -url [OCSP-URI]
Antwort:
WARNING: no nonce in response Response verify OK h.crt: good This Update: Feb 25 18:23:00 2024 GMT Next Update: Mar 3 18:22:58 2024 GMT
Port-Forwarding[Bearbeiten]
Auf dem Server in /etc/ssh/sshd_config: <spre>
- allow remote port forwarding:
GatewayPorts yes
- systemctl reload sshd
Lokal:
ssh -nNT -p 10106 -R 6379:localhost:6379 wk@bt
SFTP-chroot-Umgebung[Bearbeiten]
- /etc/ssh/sshd_config
Match Group sftponly ChrootDirectory /home/%u ForceCommand internal-sftp AllowTcpForwarding no
oder
Match User jonny ChrootDirectory /opt/jail_jonny ForceCommand internal-sftp AllowTcpForwarding no
- Rechte /opt/jail_jonny:
DIR=/opt/jail_jonny
chown root.root $DIR
chmod 755 $DIR
- Eintrag in /etc/fstab:
/data/dir1 /opt_jail_jonny none bind
Zugriff auf RSync beschränken[Bearbeiten]
- Client
- Benutzer einrichten: adduser extbup
- Keys erzeugen, ohne Passwort
- in /home/extbup/.ssh/id_rsh.pub steht: ssh-rsa AAAAB3NzaC1y...5Ow== extbup@caribou
- Server:
- User einrichten: adduser buptiger
- Benutzer muss in /etc/shadow gelistet sein!
- In /home/buptiger/.ssh/authorized_keys:
command="/usr/local/bin/rrsync /opt/extbackup/caribou",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa AAA...5Ow== extbup@caribou
oder mit Nur-Lese-Zugriff (oder -wo für Nur-Schreibzugriff):
command="/usr/local/bin/rrsync -ro /opt/extbackup/caribou",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa AAA...5Ow== extbup@caribou
FN=/usr/local/bin/rrsync
test -x $FN || gunzip /usr/share/doc/rsync/scripts/rrsync.gz -c > $FN && chmod uog+x $FN
- Client:
- Die Zielpfadangabe von rsync ist immer relativ zu dem im Server angegebenen Verzeichnis /opt/extbackup/caribou
- rsync -a /opt/backup/dayly buptiger@server:.
rsync unter anderem Port erreichen[Bearbeiten]
rsync -a -e 'ssh -p 10106' /home/ bupsrv@bigtoy:/bup-home
Chroot für rsync:[Bearbeiten]
- /usr/local/bin/MkChroot.pl:
SCRIPT=/usr/local/bin/MkChroot.pl
cat <<'EOS' >$SCRIPT
#! /usr/bin/perl
use strict;
my $gv_zip = "/tmp/chroot.zip";
my $prog = shift;
my %gv_files;
if ($prog eq ''){
die "usage: MkChroot.pl <program>";
}
if ($prog !~ m!/!){
$prog = qx(which $prog);
}
&Init;
&Add($prog);
exit 0;
sub HandleLibs{
my $prog = shift;
my @lines = qx(ldd $prog);
foreach my $line(@lines){
# => /lib/x86_64-linux-gnu/libdl.so.2
if ($line =~ m!^\s*(/\S+)!){
&Add($1);
} elsif ($line =~ m!=> (/\S+)!){
&Add($1);
} else {
print "ignored: $line";
}
}
}
sub Add {
my $file = shift;
if ($gv_files{$file} eq ''){
my $cmd = "zip -9 $gv_zip $file";
print $cmd, "\n";
system($cmd);
$gv_files{$file} = 1;
&HandleLibs($file);
}
}
sub Init{
foreach(qx(unzip -Z -1 $gv_zip)){
chomp;
$gv_files{"/$_"} = 1;
}
}
EOS
chmod uog+x $SCRIPT
- Erstellen der chroot-Umgebung:
MkChroot.pl /bin/bash
MkChroot.pl rsync
cd /opt/jail
unzip /tmp/chroot.zip
- Mount als /etc/fstab-Eintrag:
/opt/www /opt/jail/www none bind 1 0
- /etc/ssh/sshd_config
Match User jonny ChrootDirectory /opt/jail_jonny AllowTcpForwarding no