OpenSSH is a free software suite that implements secure, remote login and file transfer capabilities using the SSH protocol. It provides a secure replacement for older protocols like telnet, FTP, and rlogin. OpenSSH allows for remote login, file transfer, port forwarding, X11 forwarding, and more. It offers strong security features like public-key authentication and encrypted connections.
2. OpenSSH
● a tool for secure remote login
● a rewritten version of the original SSH tool
● an example of a flexible tool usable for far more than just remote login
● a replacement for telnet, ftp, rlogin
3. From the beginning
pesnik:~$ ssh testor
or
pesnik:~$ ln -s /usr/bin/ssh-argv0 $HOME/bin/testor
pesnik:~$ testor
4. From the beginning
pesnik:~$ ssh testor
user@testor password: ^C
pesnik:~$ ssh-keygen
pesnik:~$ ssh-copy-id testor
Now try logging into the machine, with "ssh 'testor'", and check in:
~/.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
5. From the beginning
pesnik:~$ ssh testor
Warning: the RSA host key for 'testor' differs from the key for the IP
address '37.9.170.2'
Offending key for IP in /home/tomas.corej/.ssh/known_hosts:57
Matching host key in /home/tomas.corej/.ssh/known_hosts:875
You have mail.
Last login: Thu Jul 11 00:12:57 2012 from services
testor:~$ ^D
pesnik:~$ ssh-keygen -R 37.9.170.2
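The condition behind that warning can be checked without connecting. The function below is an added example, not part of the original slides: it scans a plain (unhashed) known_hosts file and reports every key type for which the hostname and the IP address hold different keys, which is exactly the "Offending key for IP / Matching host key" disagreement ssh printed above. The function name, the output format and the sample file in the usage comment are assumptions; hashed entries (HashKnownHosts yes) are skipped.

```shell
#!/bin/sh
# Added example (not from the original slides): find hostname-vs-IP host key
# disagreements in a plain known_hosts file, i.e. the condition behind the
# "Offending key for IP ... / Matching host key ..." warning. Assumptions:
# the function name, the output format, and that the file is not hashed
# (HashKnownHosts no); hashed "|1|..." entries are skipped.

# Usage: known_hosts_conflict FILE HOSTNAME IP
# Prints one line per conflicting key type and returns 0 when at least one
# conflict exists, 1 when the name and the IP agree (or one of them is unknown).
known_hosts_conflict() {
  file=$1 name=$2 ip=$3
  awk -v name="$name" -v ip="$ip" '
    /^[#@|]/ || NF < 3 { next }        # comments, @markers, hashed lines, blanks
    {
      # field 1 may list several names: "testor,37.9.170.2"
      n = split($1, hosts, ",")
      for (i = 1; i <= n; i++) {
        if (hosts[i] == name) { kname[$2] = $3; lname[$2] = NR }
        if (hosts[i] == ip)   { kip[$2]   = $3; lip[$2]   = NR }
      }
    }
    END {
      found = 0
      for (t in kname)
        if ((t in kip) && kip[t] != kname[t]) {
          printf "%s: %s at line %d vs %s at line %d\n", t, name, lname[t], ip, lip[t]
          found = 1
        }
      exit (found ? 0 : 1)
    }' "$file"
}

# Typical use before deciding which entry to drop with "ssh-keygen -R":
#   known_hosts_conflict ~/.ssh/known_hosts testor 37.9.170.2
```

Run it before `ssh-keygen -R`: the line numbers it prints are the ones to compare against the known_hosts:57 / known_hosts:875 references in the warning, so you remove the stale entry rather than the current one.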
6. From the beginning
pesnik:~$ ssh testor
You have mail.
Last login: Thu Jul 11 00:12:57 2012 from pesnik
testor:~$
7. From the beginning
pesnik:~$ ssh testor
You have mail.
Last login: Thu Jul 11 00:12:57 2012 from services
testor:~$
testor:~$ ~?
Supported escape sequences:
~. - terminate connection (and any multiplexed sessions)
~B - send a BREAK to the remote system
~C - open a command line
~R - Request rekey (SSH protocol 2 only)
~^Z - suspend ssh
~# - list forwarded connections
~& - background ssh (when waiting for connections to terminate)
~? - this message
~~ - send the escape character by typing it twice
(Note that escapes are only recognized immediately after newline.)
15. ProxyCommand
● it can be anything; what matters is that it handles STDIN and STDOUT
ssh -o ProxyCommand="$HOME/.ssh/gateway.sh %h %p" testor
● substitutes %h, %p and %r
● access through an intermediary
ssh -o ProxyCommand="ssh user@testor nc %h %p" user@192.168.1.2 "uname -a"
● the -W parameter
● DoS risk
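What a gateway.sh of the kind named on this slide can look like, as an added example that is not the original presentation's script: it expands the %h/%p/%r tokens the way the ssh client does, refuses targets outside an allowlisted network so the jump host does not become an open relay, and uses the -W form from the slide instead of nc. The jump host name, the allowed network and all function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original slides): a ProxyCommand helper in the
# role of the gateway.sh the slide refers to. The jump host name, the allowed
# network and the function names are assumptions.
#
# Wired in with:  ssh -o ProxyCommand="$HOME/.ssh/gateway.sh %h %p" testor
# ssh expands %h and %p before running the helper and then talks to the target
# through the helper's STDIN and STDOUT.

JUMP_HOST="user@testor"   # assumed intermediary

# Expand the %h (host), %p (port) and %r (remote user) tokens of a
# ProxyCommand template the way the ssh client does before running it.
expand_proxy_tokens() {
  tpl=$1 host=$2 port=$3 user=$4
  printf '%s\n' "$tpl" | sed -e "s/%h/$host/g" -e "s/%p/$port/g" -e "s/%r/$user/g"
}

# Only relay into the lab network. A helper that forwards to any host:port
# it is handed turns the jump host into an open relay for whoever can run ssh
# on this machine.
host_allowed() {
  case $1 in
    192.168.1.[0-9]|192.168.1.[0-9][0-9]|192.168.1.[0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Build the relay command: the -W form from the slide, which makes the
# intermediate ssh pass its stdio to host:port, so no nc is needed on the
# jump host. Fails (returns 1) for hosts outside the allowlist.
build_relay_cmd() {
  host_allowed "$1" || return 1
  expand_proxy_tokens "ssh -W %h:%p $JUMP_HOST" "$1" "$2" ""
}

# Entry point when ssh runs this file with "%h %p"; nothing runs when the
# functions are sourced for testing.
if [ $# -eq 2 ]; then
  cmd=$(build_relay_cmd "$1" "$2") || { echo "gateway.sh: $1 is not a permitted target" >&2; exit 1; }
  exec $cmd
fi
```

The allowlist is the part worth keeping even if the rest changes: `ssh -o ProxyCommand=... anything` otherwise lets every local user reach any host the jump box can.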
16. Multiplexing SSH connections
● for SSH connections created frequently and in large numbers
● shortens connection time and lowers overhead (0.2s vs 0.014s)
● config
ControlMaster auto
ControlPath ~/.ssh/sockets/%r@%h:%p
● controlled via -O check, forward, stop, exit
17. Multiplexing SSH connections
pesnik:~$ ssh testor
You have mail.
Last login: Thu Jul 11 00:12:57 2012 from pesnik
testor:~$
testor:~$ ~^Z
pesnik:~$ cd ~/.ssh/sockets
pesnik:~/.ssh/sockets$ ls
user@testor:22
pesnik:~$ ssh -O check user@testor
Master running (pid=22797)
pesnik:~$ fg
testor:~$
18. Subsystems
● another way of running remote commands
● SFTP is a subsystem
● it can also be functionality internal to sshd (sftp with chroot)
● server: sshd_config
Subsystem backup /root/bin/backupcmd
● ssh client
ssh -s backup root@testor
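A subsystem is just a program whose STDIN and STDOUT sshd connects to the client, so the server side of the backup subsystem above can be a small script. The one below is an added example, not the presentation's backupcmd: it answers "list" and "get NAME" requests and, because every request line is remote input, refuses names that could leave the backup directory. The request protocol, the "serve" argument, the BACKUP_DIR location and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original slides): a minimal "backup" subsystem
# server of the kind that the sshd_config line above would point at, wired in
# as:   Subsystem backup /root/bin/backupcmd serve
# and spoken to from the client with:   ssh -s backup root@testor
# The one-line request protocol, the "serve" argument, the BACKUP_DIR location
# and the function names are assumptions.

BACKUP_DIR=${BACKUP_DIR:-/var/backups}   # assumed archive location

# sshd hands the subsystem the client's STDIN/STDOUT, so every request line is
# remote input: a file name must not be able to leave BACKUP_DIR.
safe_name() {
  case $1 in
    ''|*/*|.*) return 1 ;;   # empty, contains a slash, or starts with a dot
    *) return 0 ;;
  esac
}

# Serve one request ("list" or "get NAME"). Writes the reply to STDOUT and
# returns 0; writes an ERR line and returns 1 for anything else.
handle_request() {
  verb=${1%% *}
  case $1 in *' '*) arg=${1#* } ;; *) arg='' ;; esac
  case $verb in
    list)
      ls -1 "$BACKUP_DIR"
      ;;
    get)
      safe_name "$arg" && [ -f "$BACKUP_DIR/$arg" ] || { echo "ERR bad name"; return 1; }
      cat "$BACKUP_DIR/$arg"
      ;;
    *)
      echo "ERR unknown request"
      return 1
      ;;
  esac
}

# Request loop, entered only when started by sshd with the "serve" argument.
if [ "${1-}" = serve ]; then
  while IFS= read -r line; do
    handle_request "$line"
  done
fi
```

Compared with giving the same key a shell, the client can only ever obtain the two operations the script implements, and the name check is the whole difference between "download a backup" and "read any file root can".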
19. DNS SSHFP
● an extended way of verifying fingerprints
● sshd host key fingerprints can also be stored in DNS records
● VerifyHostKeyDNS yes|ask|no
20. Private keys
● private keys live in $HOME/.ssh/id_rsa (by default)
● keys can be given additional restrictions in authorized_keys:
no-port-forwarding,no-user-rc,no-X11-forwarding,no-pty,command="/bin/nc $SSH_ORIGINAL_COMMAND" ssh-rsa AAAAB3Nza....
● $SSH_ORIGINAL_COMMAND holds the text of the requested command
ssh root@testor command
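The forced command is where $SSH_ORIGINAL_COMMAND gets inspected, and the nc form on the slide passes it through unchecked. The wrapper below is an added example, not the presentation's configuration: it matches the requested command against a short allowlist as a whole string, logs refusals with the client address from SSH_CONNECTION, and only then executes. The allowed commands, the wrapper path, the log location and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original slides): a forced-command wrapper that
# takes the place of the permissive  command="/bin/nc $SSH_ORIGINAL_COMMAND"
# from the slide. The allowed commands, the log location, the wrapper path and
# the function names are assumptions.
#
# authorized_keys entry (one line):
#   no-port-forwarding,no-user-rc,no-X11-forwarding,no-pty,command="/usr/local/bin/keywrap run" ssh-rsa AAAA...
#
# sshd puts whatever the client asked for into SSH_ORIGINAL_COMMAND; the key's
# forced command decides whether that request is one of the few things this
# key exists for. Matching the whole string, not a prefix, is what keeps
# "uptime; id" or "df -h /etc/shadow" from slipping through.

LOG=${KEYWRAP_LOG:-/var/log/keywrap.log}   # assumed audit log

allowed_command() {
  case $1 in
    'uptime'|'df -h'|'cat /var/backups/latest.tar.gz') return 0 ;;
    *) return 1 ;;
  esac
}

# Record a refused request together with the client address from SSH_CONNECTION.
log_denied() {
  printf '%s denied from %s: %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
    "${SSH_CONNECTION%% *}" "$1" 2>/dev/null >> "$LOG" || true
}

# Decide on a request (argument, or SSH_ORIGINAL_COMMAND when none is given).
# Prints the command to run and returns 0, or logs the refusal and returns 1.
decide() {
  req=${1-${SSH_ORIGINAL_COMMAND-}}
  if [ -z "$req" ]; then
    log_denied "(no command: interactive shell requested)"
    return 1
  fi
  if allowed_command "$req"; then
    printf '%s\n' "$req"
    return 0
  fi
  log_denied "$req"
  return 1
}

# Entry point used from authorized_keys; the functions alone do nothing.
if [ "${1-}" = run ]; then
  cmd=$(decide "${SSH_ORIGINAL_COMMAND-}") || { echo "keywrap: request refused" >&2; exit 1; }
  exec $cmd
fi
```

With `ssh root@testor uptime` the wrapper runs uptime; with `ssh root@testor 'uptime; id'` or a plain `ssh root@testor` it refuses and leaves a line in the log, which is the signal to watch for a key being used for something it was never issued for.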