Category: SSH

Oct 12

SFTP Containment Solaris 10

Using the sshd_config Match directive together with ChrootDirectory it is possible to confine an SFTP user to an isolated folder.

This article shows how to get this done on Solaris 10. Of course using a more up to date version of Solaris is preferable, but in this case Solaris 10 is required for the application workload.

Your mileage may vary and you could probably simplify this slightly. In our case the /apps tree can't be owned by root, and we have several apps nodes, so we did it this way so that all apps nodes see the uploaded files.

For confining end users to an isolated folder the following must be true.

1. An SSH version new enough to support Match blocks. Solaris 10 needs patching to get a new enough sshd.

2. In our case SFTP containment to a path directly under our /apps tree is not possible, since sshd requires the chroot directory and every directory above it to be root-owned and not group- or world-writable.

3. To accommodate the above we create /opt/svcaccxfr and then lofs (bind) mount /apps/ebs11i/appltop/xxnp/11.5.0/interfaces/svcaccxfr onto /opt/svcaccxfr, so /opt/svcaccxfr becomes the chroot and its parent /opt is root-owned.

4. Ensure the permissions are correct under the svcaccxfr folder. The uploads folder needs the correct user and group and must be chmod 775 (the chroot directory itself stays root-owned and must not be writable by the SFTP user). In our case this was set from a DB node which mounts the whole /apps folder as NFSv3. When /apps is NFSv4, as on our apps nodes, you may have issues setting permissions.

5. We also needed to set an exception in our clone process to flag /apps/ebs11i/appltop/xxnp/11.5.0/interfaces/svcaccxfr as root:root. Our clone process was setting the whole /apps tree recursively to the apps user and group, and root ownership is a requirement for the chroot.

# ssh -V
Sun_SSH_1.1.7, SSH protocols 1.5/2.0, OpenSSL 0x1000113f

# grep svcaccxfr /etc/passwd 
svcaccxfr:x:403:340:Accounting xfr sftp account:/opt/svcaccxfr:/bin/false

# tail -10 /etc/ssh/sshd_config
Match User svcaccxfr
  #ChrootDirectory /apps/ebs11i/appltop/xxnp/11.5.0/interfaces/svcaccxfr
  ChrootDirectory /opt/svcaccxfr
  AllowTCPForwarding no
  X11Forwarding no
  ForceCommand internal-sftp -u 017 -l info

# ls -l /apps/ebs11i/appltop/xxnp/11.5.0/interfaces/svcaccxfr
total 3
drwxrwxr-x   2 ebsppe_a ebsppe         4 Oct 11 14:14 uploads

# ls -l /apps/ebs11i/appltop/xxnp/11.5.0/interfaces/ | grep svcaccxfr
drwxr-xr-x   3 root     root           3 Oct 11 12:38 svcaccxfr

# grep svcacc /etc/vfstab
## Special lofs/bind mount for SFTP containment svcaccxfr
/apps/ebs11i/appltop/xxnp/11.5.0/interfaces/svcaccxfr - /opt/svcaccxfr  lofs    -       yes      -

# ls -l /opt | grep svcaccxfr
drwxr-xr-x   3 root     root           3 Oct 11 12:38 svcaccxfr

# ls -l /opt/svcaccxfr
total 3
drwxrwxr-x   2 ebsppe_a ebsppe         4 Oct 11 14:14 uploads


Aug 15

PAC Manager Double Click Selection

I have been very happy with PAC as a terminal/SSH manager but the selection always bugged me. Just noticed it has a configuration option that I am going to try.

https://sourceforge.net/p/pacmanager/discussion/1076054/thread/5bed3904/

Select-by-word characters:
From: \.:_\/-A-Za-z0-9
To: -_.:\/A-Za-z0-9

Update: 12/12/16
Changed to: -_.:\/A-Za-z0-9


Jun 21

SSH Connection Manager

I previously wrote a quick post on using a connection manager in Linux. Link here:

Linux tabbed SSH connection manager

For the most part I have used something called Gnome Connection Manager. However, it is poorly maintained and also had a few small annoyances.

I revisited a utility called PAC Manager (link here https://sourceforge.net/projects/pacmanager/).

So far it does pretty much everything I need as far as maintaining details for server names and SSH login information. It has tabbed windows, organizes connections in groups and has an amazing number of customization features. It also integrates pretty nicely with KeePass for maintaining passwords.

It would be better if the main distros included this tool, but it does at least have .deb and .rpm packages.

I also gave a current version of Remmina another try as it seems the best maintained of the bunch, but it still gave me unexpected behavior, like an SSH window just disappearing.


Dec 01

Linux tabbed SSH connection manager

I like to work in a tabbed SSH connection manager, especially when I have hundreds or thousands of machines to connect to. A connection manager like PuTTY keeps track of machine names and login info. Using a tabbed interface like MTPuTTY can make your life a whole lot easier with tree view/groups and side by side terminals. And if you can additionally cluster the terminal commands it is an added bonus.

So far I have not really liked anything in the Linux world as far as an SSH connection manager goes. Ubuntu does come with PuTTY, which seems to work the same as in the Windows world. The best I could find is an application written in Python called Gnome Connection Manager (gcm). In the Ubuntu 15.10 repos the package is called gnome-connection-manager. Be warned of a few things:

1. Seems the code is at least a few years old and the website does not seem to have documentation or any kind of discussion. The code is all python so you can look at fixing and emailing the owner.
2. Be sure to check the paste-right-click in ~/.gcm/gcm.conf. This can be a nasty setting if you did not expect it. I copy and paste a lot between a Windows desktop and a Linux guest and almost accidentally pasted garbage into a critical device.
3. Also check auto-copy-selection if you like putty style behavior where anything selected in your SSH terminal should be in the copy buffer.

I think if the developer put a little bit more love into gnome-connection-manager it would definitely be a keeper and first rate gnome app. I have looked at some other options like hotssh but worth checking out is Remmina. Unfortunately for me Remmina was very buggy.


Nov 07

SSH Key Authentication insists on password

I recently spent a lot of time trying to figure out why a private key I exported from PuTTY was not working right on Linux. My issue was that I kept getting prompted for a password no matter what.

One clue in the sshd debug logs, which may or may not show up in your case: when key authentication failed and fell back to password, I was NOT seeing "debug1: ssh_rsa_verify: signature correct".

I fixed my problem by deleting the public key in the Linux client .ssh folder. So most likely, while copying keys from Windows and PuTTY, I ended up with a mismatched private/public pair.

If you need it you can re-create the public key from the private key as follows:
rosso@rrosso-VirtualBox:~/.ssh$ ssh-keygen -y -f id_rsa > id_rsa.pub

$ ssh root@usli-utility.mgmt.asg.ad
Last login: Sat Nov 7 14:14:08 2015 from 192.168.38.104
Oracle Corporation SunOS 5.11 11.3 September 2015
You have new mail.
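The mismatch above is easy to confirm before digging through sshd debug logs. This added example (not the author's, and assuming an OpenSSH ssh-keygen) compares the fingerprint of the public key derived from the private key with the fingerprint of the stored .pub file, and regenerates the .pub the way the post does:

```shell
#!/bin/sh
# keypair_matches PRIVATE_KEY PUBLIC_KEY
# Derive the public key from the private key with ssh-keygen -y and compare its
# fingerprint with the fingerprint of the stored .pub file. Returns 0 when they
# match, 1 when they do not, 2 when the private key cannot be read (wrong
# format, or a passphrase-protected key with no passphrase available).
keypair_matches() {
    priv=$1
    pub=$2
    tmp=$(mktemp) || return 2
    if ! ssh-keygen -y -f "$priv" > "$tmp" 2>/dev/null; then
        rm -f "$tmp"
        return 2
    fi
    # ssh-keygen -l prints "<bits> <fingerprint> <comment> (<type>)"
    fp_priv=$(ssh-keygen -lf "$tmp" | awk '{print $2}')
    fp_pub=$(ssh-keygen -lf "$pub" 2>/dev/null | awk '{print $2}')
    rm -f "$tmp"
    [ -n "$fp_priv" ] && [ "$fp_priv" = "$fp_pub" ]
}

# regen_pubkey PRIVATE_KEY
# Overwrite PRIVATE_KEY.pub with the public half derived from the private key,
# which is the fix applied in the post.
regen_pubkey() {
    ssh-keygen -y -f "$1" > "$1.pub"
}

# Stand-alone use: sh keycheck.sh ~/.ssh/id_rsa ~/.ssh/id_rsa.pub
if [ $# -eq 2 ]; then
    if keypair_matches "$1" "$2"; then
        echo "match: $2 belongs to $1"
    else
        echo "MISMATCH: $2 does not belong to $1 (fix: ssh-keygen -y -f $1 > $2)"
    fi
fi
```

The same check applies server side: the fingerprint printed by ssh-keygen -lf on the .pub must appear in the target's authorized_keys (ssh-keygen -lf ~/.ssh/authorized_keys lists every entry), otherwise sshd will likewise fall back to password.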


May 28

SSH Through Intermediate Using Putty

Most of the time when you are forced to access a system through an intermediate hop it is fairly trivial, either manually or by automating it with ssh config. That is assuming you are using *nix. When using PuTTY this is also possible, and here is a quick note on what I did.

First off ensure you have a working ssh key to the intermediate host you will be using, loaded in Pageant, since the -agent option of plink below relies on it.

Next set up and save your new PuTTY session as you would for any other connection.

Under Connection -> Proxy pick Local and set the Proxy hostname to your intermediate host (I set the port to 0 but the port does not matter).

Under local proxy command set something like this:

plink.exe %proxyhost -l root -agent -nc %host:%port


Oct 16

PHP SSH2 Bindings

PHP can use the bindings to the libssh2 library, which provide access to resources (shell, remote exec, tunneling, file transfer) on a remote machine over a secure cryptographic transport. I documented some code snippets for future reference.

You can use ssh keys, but for simplicity here the call is made with a password:

// $share is the share name taken from the request (assigned below)
$conn_id = ssh2_connect('server', 22);
if (!$conn_id || !ssh2_auth_password($conn_id, 'user', 'pwd')) {
    die('ssh connection or authentication failed');
}

echo("SOLARIS SERVER SNAPSHOTS - CREATION");
// Full path to zfs: a non-privileged user's remote shell may not have /usr/sbin in PATH
$stream = ssh2_exec($conn_id, "/usr/sbin/zfs list -t snapshot -o name,creation | grep $share | grep -v tank");
$outS = "";
stream_set_blocking($stream, true);   // block until the remote command produces output
while ($o = fgets($stream)) {
    $outS = $outS . $o;
}
fclose($stream);
print_snaps_sorted($outS);   // the author's output helper, not shown on the page

It is slightly more complicated to build up the appliance's built-in JavaScript "script" command that you pass when talking to a ZFS Storage Appliance.

$chk_snaps_cmd = "
run('select DBF');
run('snapshots');
snapshots = list();
for (i = 0; i < snapshots.length; i++) {
    run('select ' + snapshots[i]);
    creation = run('get creation');
    printf('%s %s', snapshots[i], creation);
    run('cd ..');
}";

$share = $_GET['share'];
// $share is interpolated into a command the appliance executes, so reject anything
// but a plain share name before it reaches ssh2_exec (command injection otherwise)
if (!preg_match('/^[A-Za-z0-9_.-]+$/', $share)) {
    die('invalid share name');
}
$conn_id = ssh2_connect('server', 22);
if (!$conn_id || !ssh2_auth_password($conn_id, 'user', 'pwd')) {
    die('ssh connection or authentication failed');
}
echo('ZFS STORAGE APPLIANCE SNAPSHOTS - CREATION');
$stream = ssh2_exec($conn_id, "script run('shares select $share');" . $chk_snaps_cmd);
$outS = "";
stream_set_blocking($stream, true);
while ($o = fgets($stream)) {
    $outS = $outS . $o;
}
fclose($stream);
print_snaps_sorted($outS);

Note: I had an issue with ssh calls not returning results when using a non-privileged user, whereas a root user worked. Thanks Matt M for pointing out the obvious: I needed to use the full path to the binary, in this case /usr/sbin/zfs, so most likely a PATH issue in the user's shell.


Jul 01

Solaris 11 enable root user

Solaris uses Role Based Access Control (RBAC), which is a better way to allow system access to defined users and only escalate privileges through roles. Kind of like sudo.

If you have an environment where you just don't care and want users to access the system in the traditional root manner, you can do the following. (PermitRootLogin without-password is the less permissive option: it still allows root over ssh but only with key authentication.)

# rolemod -K type=normal root
# grep PermitRoot /etc/ssh/sshd_config
PermitRootLogin yes
# svcadm refresh svc:/network/ssh:default


Jun 16

Ssh tunnelling via intermediate host

I recently needed to copy files using scp while not being able to copy directly to the target host; I had to go through an intermediate firewall host. There are a few ways to get this done and most require netcat (nc) on the intermediate host for copying.

Keep in mind that using -t for just an ssh shell connection will work:

$ ssh -t rrosso@backoffice.domain.com ssh admin@10.24.0.200

If you need scp, below is a way to get this done when netcat is not a possibility.

In a new terminal do this (the command won't return a prompt; leave the terminal open):

$ ssh rrosso@backoffice.domain.com -L 2000:10.24.0.200:22 -N

In another terminal ssh as follows:

$ ssh -p 2000 admin@localhost

Scp as follows:

$ scp -P 2000 testfile admin@localhost:/tmp

Sftp is also possible:

$ sftp -P 2000 admin@localhost

Update 1: The above will work fine, but you can also consider the following to make things more transparent.

$ vi .ssh/config
Host *
 ServerAliveCountMax 4
 #Note default is 3
 ServerAliveInterval 15
 #Note default is 0
#snip
host work-tunnel
 hostname backoffice.domain.com
 port 22

 # SSH Server
 LocalForward localhost:2000 10.24.0.200:22
 user rrosso

# Aliases as follow
host myhost.domain.com
 hostname localhost
 port 2000
 user admin

Then run the tunnel connect first (use ssh -v while still troubleshooting):

$ ssh work-tunnel

Leave above terminal open to leave tunnel going. And now you can run commands in new terminals with syntax as if no tunnel required.

$ scp testfile myhost.domain.com:/tmp
$ ssh myhost.domain.com

That should do it for SSH shells.
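As an added example (not part of the original post), the same hop can be made transparent without netcat on the intermediate host and without a terminal holding a tunnel open, using ProxyJump (OpenSSH 7.3 and newer) or ProxyCommand with ssh -W (OpenSSH 5.4 and newer). The aliases backoffice and target are assumed names; the hosts and users are the ones from the post.

```sshconfig
# ~/.ssh/config
Host backoffice
    HostName backoffice.domain.com
    User rrosso

Host target
    HostName 10.24.0.200
    User admin
    # OpenSSH 7.3 or newer: ssh to the target is carried over an ssh
    # session to backoffice; no nc and no LocalForward needed
    ProxyJump backoffice
    # For older clients comment out ProxyJump and use:
    # ProxyCommand ssh -W %h:%p backoffice
```

With this in place ssh target, scp testfile target:/tmp and sftp target all work directly, and the one-off form is ssh -J rrosso@backoffice.domain.com admin@10.24.0.200. Unlike the LocalForward approach, host key checking of the target happens end to end on your client rather than against localhost:2000, so a changed target key is still caught.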

Example for other ports:

You can forward a lot of other ports in similar fashion. Here is an example you could play with (note the hostname aliases, which let you use the names as they appear at work).

Host workTunnel
    HostName ssh.domain.com
    Port 5001
    # SMTP Server
    LocalForward localhost:2525 smtp.domain.com:25
    # Corporate Wiki.  Using IP address to show that you can.
    LocalForward localhost:8080 192.168.0.110:8080
    # IMAP Mail Server
    LocalForward localhost:1430  imap.pretendco.com:143
    # Subversion Server
    LocalForward localhost:2222  svn.pretendco.com:22
    # NFS Server
    LocalForward localhost:2049  nfs.pretendco.com:2049
    # SMB/CIFS Server
    LocalForward localhost:3020  smb.pretendco.com:3020
    # SSH Server
    LocalForward localhost:2220  dev.pretendco.com:22
    # VNC Server
    LocalForward localhost:5900  dev.pretendco.com:5900

### Hostname aliases ###
### These allow you to mimic hostnames as they appear at work.
### Note that you don't need to use a FQDN; you can use a short name.
Host smtp.domain.com
    HostName localhost
    Port 2525
Host wiki.domain.com
    HostName localhost
    Port 8080
Host imap.domain.com
    HostName localhost
    Port 1430
Host svn.domain.com
    HostName localhost
    Port 2222
Host nfs.domain.com
    HostName localhost
    Port 2049
Host smb.domain.com
    HostName localhost
    Port 3020
Host dev.domain.com
    HostName localhost
    Port 2220
Host vnc.domain.com
    HostName localhost
    Port 5900


Feb 06

SSH Forced Commands

If for whatever reason you have to allow root ssh access with an authorized key, you can at least severely restrict the commands that key can execute by forcing a wrapper command.

Create a wrapper script and make it executable.

# cat /root/scripts/sshwrapper.sh
#!/bin/sh
# Script: /root/scripts/sshwrapper.sh

case "$SSH_ORIGINAL_COMMAND" in
"uname -r")
uname -r
;;
"lxc-version")
lxc-version
;;
"vserver-info")
vserver-info - SYSINFO | grep VS-API
;;
"lxc-ls")
lxc-ls
;;
"vserver-stat")
vserver-stat
;;
*)
echo "Sorry. Only these commands are available to you:"
echo "uname, lxc-version, vserver-info, lxc-ls, vserver-stat"
exit 1
;;
esac

Tailor the key as follows. The options restrict what this key may do (no-agent-forwarding is worth adding too; OpenSSH 7.2 and newer accept the single option restrict instead). Note this is a DSA (ssh-dss) key, which OpenSSH 7.0 and newer refuse by default; use an RSA or Ed25519 key for new setups.

# tail -1 /root/.ssh/authorized_keys
command="/root/scripts/sshwrapper.sh",no-port-forwarding,no-X11-forwarding,no-pty ssh-dss
...
ZkDBHoTWqskb4OXlWnV/ILBgn0HuWTPyjNS5ABjZRkxVvEeAXc= root@server.domain.com

Test:

# ssh ebsr12testdb uptime
Sorry. Only these commands are available to you:
uname, lxc-version, vserver-info, lxc-ls, vserver-stat

# ssh ebsr12testdb uname
Sorry. Only these commands are available to you:
uname, lxc-version, vserver-info, lxc-ls, vserver-stat

# ssh ebsr12testdb uname -r
2.6.18-194.32.1.el5

** Note another nice thing about this. If we set it up in the wrapper so that "uname" is allowed as opposed to "uname -r", the command actually executed can still be whatever we choose. So we could potentially allow "vmstat" in the wrapper but have the actual command executed be "vmstat 1 100".
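As an added example (not the author's wrapper, and with a hypothetical allow-list and base directory), the dispatcher below extends the exact-match pattern above in two ways a practitioner usually wants: it records every allow/deny decision to syslog together with the client address sshd exposes in SSH_CONNECTION, and it shows how to permit one command that takes an argument while still constraining that argument (a single directory name, no path separators or dot-dot), which is where forced-command wrappers most often go wrong.

```shell
#!/bin/sh
# Forced-command dispatcher: set as command="..." on the authorized_keys line.
# The allowed commands (uname -r, df -h, du -sh <name>) and WRAPPER_DU_BASE are
# hypothetical; replace them with the real allow-list.

WRAPPER_DU_BASE=${WRAPPER_DU_BASE:-/var/tmp}

# log_decision allow|deny COMMAND
# sshd sets SSH_CONNECTION to "client_ip client_port server_ip server_port",
# so the first word identifies who asked. logger is optional (|| :).
log_decision() {
    logger -t sshwrapper -p auth.notice \
        "$1 client=${SSH_CONNECTION%% *} cmd=$2" 2>/dev/null || :
}

deny() {
    log_decision deny "$1"
    echo "Sorry. Only these commands are available to you:" >&2
    echo "uname -r, df -h, du -sh <name>" >&2
    return 1
}

# dispatch COMMAND
# Exact-string matches execute as-is. The du form takes one argument that must
# be a single directory name under WRAPPER_DU_BASE, so "..", "/" and shell
# metacharacters are rejected before anything runs.
dispatch() {
    cmd=$1
    case "$cmd" in
        "uname -r"|"df -h")
            log_decision allow "$cmd"
            $cmd
            ;;
        "du -sh "*)
            name=${cmd#du -sh }
            case "$name" in
                ""|*/*|.*|*[!A-Za-z0-9_.-]*)
                    deny "$cmd"
                    return 1
                    ;;
            esac
            log_decision allow "$cmd"
            du -sh "$WRAPPER_DU_BASE/$name"
            ;;
        *)
            # Covers an interactive login (empty command) and anything unlisted.
            deny "$cmd"
            return 1
            ;;
    esac
}

# When invoked by sshd as the forced command, decide and exit with its status.
if [ -n "${SSH_CONNECTION-}" ]; then
    dispatch "${SSH_ORIGINAL_COMMAND-}"
    exit $?
fi
```

The key line stays the same shape as above (command="/root/scripts/sshwrapper.sh",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ...). The syslog records give you the audit trail the plain wrapper lacks: a burst of deny lines from one client address is exactly what a compromised key being probed looks like.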
