Kenneth: /* Allow Reverse Tunnel */

2024-12-23T22:12:26Z

Allow Reverse Tunnel

← Older revision		Revision as of 22:12, 23 December 2024
Line 21:		Line 21:

	/etc/ssh/sshd_config:		/etc/ssh/sshd_config:
	Match User oli		# Allow reverse tunnel
			# Ref: https://askubuntu.com/questions/50064/reverse-port-tunnelling
			Match User oli,kpx
	GatewayPorts yes		GatewayPorts yes

Kenneth: /* Secure Linux */

2021-02-16T16:01:45Z

Secure Linux

New page

== sshd ==

SSH Daemon

== Configuration Options ==

More information:
man sshd_config

== Allow Tunneling ==

Allow Tunneling (/etc/ssh/sshd_config):
AllowTcpForwarding yes

== Allow Reverse Tunnel ==

Reverse:
ssh -R 8000:localhost:80 oli@remote-machine

Allow this with:

/etc/ssh/sshd_config:
Match User oli
GatewayPorts yes

ref: https://askubuntu.com/questions/50064/reverse-port-tunnelling

keywords reverse tunnel reverse proxy

== SFTP ==

To provide SFTP access to linux accounts only (no shell access) change user's shell to:
/usr/libexec/openssh/sftp-server
test:x:501:50::/ftp:/usr/libexec/openssh/sftp-server

See [[vsftpd]]

/etc/ssh/sshd_config:
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server

== chroot ==

/etc/ssh/sshd_config
<pre>
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp

Match User ezra
ChrootDirectory /home/%u
#ForceCommand internal-sftp
AllowTcpForwarding no
</pre>

If you want to use 'sftp-server' in the chroot, you have to copy it and add the appropriate libraries, but why bother when internal-sftp works just fine.

Setup chroot home directory:
<pre>
NEWUSER=ezra
adduser $NEWUSER

chown root:root /home/$NEWUSER
chmod 755 /home/$NEWUSER

cd /home/$NEWUSER

mkdir home/$NEWUSER
mv .bash* home/$NEWUSER/

# ssh keys
mkdir -p home/$NEWUSER/.ssh
chown $NEWUSER:$NEWUSER home/$NEWUSER
touch home/$NEWUSER/.ssh/authorized_keys
chmod 600 home/$NEWUSER/.ssh/authorized_keys
chmod 700 home/$NEWUSER/.ssh
chmod 755 home/$NEWUSER
ln -s home/$NEWUSER/.ssh .ssh # sshd still tries to access the real /home/user/.ssh path

# libs for shell apps and ssh access
mkdir {bin,dev,dev/pts,lib64,home,home/$NEWUSER}
cp -p /bin/{bash,cat,cp,ls,mv} bin/
cp -p /lib64/{ld-linux-x86-64.so.2,libacl.so.1,libattr.so.1,libcap.so.2,libc.so.6,libdl.so.2,libpthread.so.0,librt.so.1,libselinux.so.1,libtinfo.so.5} lib64/
mknod dev/null c 1 3
mknod dev/zero c 1 5
chmod 0666 dev/{null,zero}
mknod -m 666 dev/tty c 5 0
mknod -m 666 dev/ptmx c 5 2
chmod 755 dev/pts
</pre>

find missing libraries (eg. ldd /bin/bash)

=== chroot sftp only ===

/etc/ssh/sshd_config
<pre>
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp

Match User ezra
ChrootDirectory /home/%u
ForceCommand internal-sftp
AllowTcpForwarding no
</pre>

/etc/passwd:
<pre>
ezra:x:507:507::/home/ezra:/bin/false
</pre>

Setup chroot home directory:
<pre>
NEWUSER=ezra
adduser $NEWUSER
cd /home/$NEWUSER

chown root:root /home/$NEWUSER
chmod 755 /home/$NEWUSER

mkdir -p home/$NEWUSER
chown $NEWUSER:$NEWUSER home/$NEWUSER
mv .bash* home/$NEWUSER/

# ssh keys
mkdir home/$NEWUSER/.ssh
touch home/$NEWUSER/.ssh/authorized_keys
chmod 600 home/$NEWUSER/.ssh/authorized_keys
chmod 700 home/$NEWUSER/.ssh
chmod 755 home/$NEWUSER
chown $NEWUSER:$NEWUSER home/$NEWUSER/.ssh -R
ln -s home/$NEWUSER/.ssh .ssh # sshd still tries to access the real /home/user/.ssh path

# pub directory
mkdir pub
chmod 775 pub
chown $NEWUSER:$NEWUSER pub
</pre>

== Allow and Deny Users ==

/etc/ssh/sshd_config:

DenyUsers user1 user2 user3
DenyGroups group1 group2
AllowUsers user1 user2
AllowGroups group1 group2

== no reverse dns lookup ==

If you are having delays due to DNS lookups, these can be disabled:

/etc/ssh/sshd_config:
#UseDNS yes
UseDNS no

man sshd_config:
UseDNS Specifies whether sshd should look up the remote host name and check that the resolved host name for the remote IP
address maps back to the very same IP address. The default is “yes”.

== Banner ==

/etc/ssh/sshd_config:
Banner /etc/sshd/sshd-banner

sample /etc/sshd/sshd-banner:
<pre>
*****************************************************************************

NOTICE TO USERS

WARNING! The use of this system is restricted to authorized users,
unauthorized access is forbidden and will be prosecuted by law.

All information and communications on this system are subject
to review, monitoring and recording at any time,
without notice or permission. Users should have no
expectation of privacy.

*****************************************************************************
</pre>

* How to force sshd server to display login banner before login (change the ssh server login banner) - http://www.cyberciti.biz/tips/change-openssh-sshd-server-login-banner.html
* Login Banner | SSH Banner Howto - http://www.review-ninja.com/2009/05/login-banner-ssh-banner-howto.html

== Allow Public Key Authentication ==

/etc/ssh/sshd_config:
<pre>
# enable public-key authentication
RSAAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
</pre>

Fancy key location:
AuthorizedKeysFile /etc/ssh/keys-%u/authorized_keys

Additional Details:

Configuring OpenSSH to accept public-key authentication - http://linux-sxs.org/networking/openssh.putty.html

To enable your OpenSSH to accept version 2 public key, you would need to modify /etc/ssh/sshd_config. You could use vi editor (or whatever editor you are familiar with) to uncomment/add/modify the following lines to /etc/ssh/sshd_config:

<pre>

# the default SSH port is 22, you could alter it if necessary
Port 22

# accept version 2 keys only
Protocol 2

# NEVER allow root to login directly over the net
PermitRootLogin no
StrictModes yes
MaxAuthTries 3

# enable public-key authentication
RSAAuthentication no
PubkeyAuthentication yes

# securing your OpenSSH
# do not use host-based authentication for security reason
RhostsRSAAuthentication no
HostbasedAuthentication no
IgnoreUserKnownHosts yes
PermitEmptyPassword no

# do not allow telnet-type login for security reason
ChallengeResponseAuthentication no
PasswordAuthentication no

X11Forwarding yes
X11DisplayOffset 10
</pre>

== Setup SSHD ==

mkdir -p /etc/ssh
touch /etc/ssh/sshd_config

# you only have to have one of these to start sshd, but might as well have all
ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key # rsa v1
ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key # rsa v2 default
ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key # dsa v2

/sbin/sshd

== Secure Linux ==

If you have copied keys using ssh-copy-id, you may need to fix the Secure Linux permissions:
restorecon -r -v ~/.ssh

== Regenerate Host Keys ==

If you try to connect, but it immediately returns without error, your host keys might be corrupted. Syslog:
sshd[2697]: Error loading host key "/etc/ssh/ssh_host_rsa_key": invalid format
sshd[2697]: Error loading host key "/etc/ssh/ssh_host_rsa_key": invalid format
sshd[2697]: Could not load host key: /etc/ssh/ssh_host_rsa_key

To regenerate your host keys:
ssh-keygen -A

== keywords ==

ssh sshd secure shell

[[Category:Linux]]

Linux/sshd - Revision history

Kenneth: /* Allow Reverse Tunnel */

Kenneth: /* Secure Linux */