ssh [2006/06/23 19:44] a created
ssh [2016/08/04 09:37] zagi [other SSH stuff]
Line 1: | Line 1: | ||
+ | ====== SSH ====== | ||
+ | |||
+ | Links: | ||
+ | * [[http:// | ||
+ | * [[http:// | ||
+ | |||
+ | ===== banner in ssh ===== | ||
+ | |||
+ | / | ||
+ | | ||
+ | |||
+ | / | ||
+ | | ||
+ | * This is a private system. | ||
+ | * Use by unauthorized persons is prohibited.* | ||
+ | * All accesses to this service are logged. | ||
+ | | ||
+ | |||
+ | http:// | ||
+ | |||
+ | |||
+ | |||
+ | ===== SSH and working with keys ===== | ||
+ | |||
+ | create your key | ||
+ | | ||
+ | |||
+ | copy your new key out to all the servers, and make ssh use it. | ||
+ | the mkdir below may fail if the directory exists, ignore the error its harmless | ||
+ | <code bash|> | ||
+ | for i in $(cat servers) ; do | ||
+ | echo SERVER=$; | ||
+ | scp ~/ | ||
+ | ssh $i "mkdir .ssh ; | ||
+ | chmod 700 .ssh ; | ||
+ | cat ~/ | ||
+ | chmod 644 / | ||
+ | done | ||
+ | </ | ||
+ | |||
+ | ===== How to Fix Offering key in ~/ | ||
+ | # ssh -o ' | ||
+ | |||
+ | ==== Remove the offending ssh key ==== | ||
+ | < | ||
+ | @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ | ||
+ | @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! | ||
+ | @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ | ||
+ | IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! | ||
+ | Someone could be eavesdropping on you right now (man-in-the-middle attack)! | ||
+ | It is also possible that the RSA host key has just been changed. | ||
+ | The fingerprint for the RSA key sent by the remote host is | ||
+ | a7: | ||
+ | Please contact your system administrator. | ||
+ | Add correct host key in / | ||
+ | Offending key in / | ||
+ | Permission denied (publickey, | ||
+ | </ | ||
+ | |||
+ | # sed -i ' | ||
+ | |||
+ | <note important> | ||
+ | |||
+ | **Perl solution**: | ||
+ | # perl -pi -e ' | ||
+ | |||
+ | |||
====== How to harden your sshd ====== | ====== How to harden your sshd ====== | ||
Joost van Baal, february 2006 | Joost van Baal, february 2006 | ||
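Review bot: in the key-distribution loop, `echo SERVER=$;` has lost its variable name and prints a literal `$`; it should be `echo SERVER=$i;`. In the same loop, `mkdir .ssh` is what produces the error the text above tells readers to ignore; `mkdir -p .ssh` is idempotent and makes that caveat unnecessary (ssh-copy-id, where available, does the same job of creating the directory, appending the key and setting permissions). In the known_hosts section, the `sed -i` and `perl -pi -e` one-liners delete the offending line without any check, while the warning quoted just above says the mismatch may be a man-in-the-middle; the text should tell readers to confirm the new fingerprint with the server's administrator out of band before removing the entry, and `ssh-keygen -R <host>` is the supported way to do the removal (it also leaves a `known_hosts.old` backup).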
Line 91: | Line 158: | ||
This document is free; you can redistribute it and/or modify it under the terms of the GNU GPL, see http:// | This document is free; you can redistribute it and/or modify it under the terms of the GNU GPL, see http:// | ||
+ | |||
+ | |||
+ | ===== Fail2Ban ==== | ||
+ | / | ||
+ | \\ | ||
+ | action = %(action_mw)s\\ | ||
+ | |||
+ | |||
+ | ===== other SSH stuff ====== | ||
+ | |||
+ | use EF DSCP in ssh: | ||
+ | |||
+ | ~/ | ||
+ | IPQoS ef | ||
+ | | ||
+ | use jump host | ||
+ | |||
+ | ~/ | ||
+ | Host finalhost | ||
+ | HostName finalhost | ||
+ | User userfinal | ||
+ | ProxyCommand ssh proxyuser@proxyhost nc %h %p | ||
+ | |||
+ | then one can simply type | ||
+ | |||
+ | ssh finalhost | ||
+ | to ssh via proxyhost to final destination host | ||
+ | |||
+ | |||
+ | using same options for multiple hosts in same domain | ||
+ | |||
+ | Host switch* router* myrouter* cmts* | ||
+ | |||
+ | no need to type FQDN for switch-somethingsomething |
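Review bot: the jump-host stanza's `ProxyCommand ssh proxyuser@proxyhost nc %h %p` requires netcat on proxyhost and resolves the target there rather than locally, so `HostName finalhost` must be a name proxyhost can resolve (or an IP address). `ProxyCommand ssh -W %h:%p proxyuser@proxyhost` (OpenSSH 5.4 and later) or `ProxyJump proxyhost` (7.3 and later) achieve the same without netcat and are worth listing next to the nc form. Two headings have mismatched marker counts, `===== Fail2Ban ====` and `===== other SSH stuff ======`; DokuWiki headings use the same number of `=` on both sides. The `Host switch* router* myrouter* cmts*` stanza has no options under it, so as written it does nothing; for the "no need to type FQDN" claim to hold it needs a `HostName %h.<domain>` line (domain is a placeholder here) or a `CanonicalDomains`/`CanonicalizeHostname yes` pair. For fail2ban, `action = %(action_mw)s` bans and mails a whois report, so `destemail` and a working local mailer must also be configured for that action to complete.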