SSH

From Unix Wiki

Permissions checklist for configuring public keys

The most permissive modes that sshd will still accept are listed (stricter is always fine):

Item                                    Permissions
authorized_keys and authorized_keys2    644  rw- r-- r--
.ssh                                    700  rwx --- ---
Home directory                          711  rwx --x --x
Private keys (id_dsa, id_rsa)           600  rw- --- ---
Public keys (id_dsa.pub, id_rsa.pub)    644  rw- r-- r--
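A small audit function for the checklist above, added here as an example (it is not part of the wiki page): it reports every item in a home directory that is more permissive than the table allows. It assumes GNU stat (-c %a) and falls back to the BSD/macOS form (-f %Lp).

```shell
#!/bin/sh
# Audit one home directory against the SSH permissions checklist.
# Constructed example, not the wiki's own script.

# mode_within ACTUAL MAX: succeed if ACTUAL grants no permission bit
# that MAX does not (octal, e.g. 600 is within 644, 644 is not within 600).
mode_within() {
    [ $(( (0$1 & ~0$2) & 0777 )) -eq 0 ]
}

# mode_of PATH: print the octal permission bits of PATH
# (GNU stat first, BSD/macOS stat as fallback - assumption about the platform)
mode_of() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# check_ssh_perms HOME: print every item that is looser than the checklist
# allows; return 0 if all present items pass, 1 otherwise.
# Items that do not exist are skipped (not every user has every key type).
check_ssh_perms() {
    home=$1
    rc=0
    for spec in "$home:711" "$home/.ssh:700" \
                "$home/.ssh/authorized_keys:644" \
                "$home/.ssh/authorized_keys2:644" \
                "$home/.ssh/id_rsa:600" "$home/.ssh/id_dsa:600" \
                "$home/.ssh/id_rsa.pub:644" "$home/.ssh/id_dsa.pub:644"
    do
        path=${spec%:*}     # everything before the last ':'
        max=${spec##*:}     # everything after the last ':'
        [ -e "$path" ] || continue
        mode=$(mode_of "$path")
        if ! mode_within "$mode" "$max"; then
            echo "FAIL $path is $mode, maximum allowed is $max"
            rc=1
        fi
    done
    return $rc
}

# Usage: check_ssh_perms /home/alice
```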

Redistribute multiple ssh keys

This script pushes the id_rsa.pub files of a list of local users to a list of target accounts on a list of servers. It must be run once on each server whose users' keys are to be distributed.

hosts_list="LIST OF HOSTS SEPARATED BY SPACE"
users_to_be_accessed="LIST OF USERS WHICH WILL ACCEPT PUBLIC KEYS"
access_users="LIST OF USERS WHICH WILL PROVIDE id_rsa.pub FILE"
for i in $users_to_be_accessed ; do
  for j in $access_users ; do
    # record the host keys of all target hosts for $j so its later logins do not prompt
    su - "$j" -c "ssh-keyscan -t rsa $hosts_list >> .ssh/known_hosts"
    for k in $hosts_list ; do
      echo "$j -> $i@$k"
      # append $j's public key to $i's authorized_keys on host $k
      # (the target account is $i, so the path is /home/$i)
      cat "/home/$j/.ssh/id_rsa.pub" | ssh "$i@$k" "cat >> /home/$i/.ssh/authorized_keys"
    done
  done
done
unset -v hosts_list users_to_be_accessed access_users
  • Note that the script only appends data, so if you need to run it again, remove the duplicated ("garbage") entries from authorized_keys and known_hosts first.


Errors

fatal: buffer_get: trying to get more bytes than in buffer

This happens when you paste the public key into authorized_keys2 and the single line is wrapped into multiple lines. Use vi to join the lines again, or paste from a better-equipped xterm.

Tips and tricks

Restarting the daemon on different systems

RedHat, CentOS and Fedora Core Linux

/sbin/service sshd restart

SUSE Linux

/etc/rc.d/sshd restart

Arch Linux

systemctl restart sshd

Debian/Ubuntu

/etc/init.d/ssh restart

Solaris 9 and below

/etc/init.d/sshd stop
/etc/init.d/sshd start

Solaris 10

svcadm disable ssh
svcadm enable ssh

or...

svcadm refresh ssh

(refresh re-reads the settings from /etc/ssh/sshd_config without restarting the daemon)


AIX

stopsrc -s sshd
startsrc -s sshd

HP-UX

/sbin/init.d/secsh stop
/sbin/init.d/secsh start

Anti-brute-force for SSH, example with iptables

1. Lower the login grace time and the maximum number of authentication attempts per session (in /etc/ssh/sshd_config). sshd does not accept trailing comments on an option line, so keep comments on their own lines:

# 42 seconds to authenticate before the connection is dropped
LoginGraceTime 42
MaxAuthTries 3
MaxStartups 5

2. Add iptables rules that reject new connections to port 22 from an address that has opened 10 or more of them in the last minute (or whatever limit you need). Only connection attempts (--syn) are counted; without that, every packet of an established session would count as a hit and the session would be cut after 10 packets.

iptables -A INPUT -p tcp --dport 22 --syn -m recent --name ssh --update --seconds 60 --hitcount 10 -j REJECT
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name ssh --set -j ACCEPT


Automatic logout/disconnect at shell inactivity

This is the classic setup for it.

Create a shell script named, for example, autologout.sh under /etc/profile.d/ with the following content:

TMOUT=600
readonly TMOUT
export TMOUT

Don't forget to give it execute permission:

# chmod +x /etc/profile.d/autologout.sh

This script sets the TMOUT variable for every login shell, and bash/sh will log you out automatically after 10 minutes of inactivity.

For ssh, also edit /etc/ssh/sshd_config with the following parameters:

ClientAliveInterval 600
ClientAliveCountMax 0

Note that the ssh client answers these keep-alive probes by itself, regardless of user activity, so this setting drops connections whose client has stopped responding rather than idle users; the idle logout is done by TMOUT above. In OpenSSH 8.2 and later, ClientAliveCountMax 0 disables the disconnection entirely, so use 1 there.

Then restart the ssh daemon:

# service sshd restart