Geekblok

Time for the sixth parth of the ssh guide. This time I’ll dig a bit deeper into using a command in your authorized_keys file. That way you will be able to remotely run a command, about the same way you would like: ssh b10m.example.net uptime, which would return the uptime of the server. If you want to restrict the commands that can be used in the remote command, simply put them into the ~/.ssh/authorized_keys file:

bq. command=”/usr/bin/uptime” ssh-dss AAAAB3NzaC1kc3M…[ rest of key ]…ED8s Comment

If you try to login to the other server now, you only get the output of uptime back:

bq. $ ssh joffie@b10m.example.net
9:24PM up 162 days, 3:45, 5 users, load averages: 0.03, 0.14, 0.12

Make sure that you have got the full command you want to run in the authorized_keys and nothing that could be used by hackers. If you, for example, have a command like command="/usr/bin/vi /tmp/file.txt", the user could exit this vi session with a command like :!/usr/local/bin/bash. Though this example might not seem too “real world”, it shows that you always need to think on what a hacker can do. (In this case starting vi with the -S option would disallow external program calls).

Other interesting features are the use of SSH_ORIGINAL_COMMAND, which is given to the remote environment.

Read more »

It has been a while, but it is time for the next guide. In this guide I will dig a bit deeper into the ssh-agent. In the previous guide I noticed the passwordless logins that can be accomplished with ssh keys. I suppose you have still got the dsa key that you generated via that guide (or another one) around.
Remember that you will need to have it passphrase proteced. If you haven’t done that, please do so via:

bq. ssh-keygen -p -f ~/.ssh/id_dsa

Also copy the public key to the server you want to login to

bq. ssh b10m.example.net cat < ~/.ssh/id_dsa.pub “>>” ~/.ssh/authorized_keys

In theory everything should now be set up right to use key authentication, but there might be some caveats..

Read more »

This guide is the fourth part of the ssh guides. This time I’ll dig deeper into ssh-keygen. Most people use this program only for generating DSA or RSA keys for password less logins. But ssh-keygen can do a lot more (like most unix commands).

First I will have a look at generating those RSA and DSA keys, for we need that in following guides too. I suppose most people use it even for ‘empty-passphrase-logins’. Empty passphrases are killing your security, so please fill out some passphrase when generating your keys. I willl show that you only have to type it once every X-session that you login to your computer in a later guide.

So first of all generate a key if you haven’t done that allready: ssh-keygen -t dsa. Enter through de defaults, though do type in some passphrase you’ll remember.

Read more »

For the third part in the guide, I’ll show the use of the escape_char and where it can come in handy. The default escape character in a openssh session is the tilde: ~. This might not be the best escape character together with your own keyboard layout. On some setups you must also use the space to get the tilde be a real tilde. Just test this in a xterm what you need to do to see an actual tilde. Otherwise, use the -e escape_char option, for example ssh -e '&' joffie.example.net.

After you have logged into the joffie.example.net machine, you can use the keystrokes & and . (dot), to close the connection. But there is more.

Read more »

The next trick I am going to show is how to build a localforward tunnel with ssh.

To be clear, the machines that I am using in my guides are example servers for this blog, so you should set up your own test servers to play around with. Check wikipedia for more background info on the example.net domain.

Ok, now for the example. Imagine you have something like tomato running on your home router joffie.example.net.Imagine the router has a ssh shell enabled that allows you to log into the router from the evil Internet using ssh on, the non default, port 666. All of the other ports are filtered, including the webinterface of the router. The webinterface can be viewed only from the local network of the router. But what if you want to view it from the Internet?

Read more »