Difference between revisions of "Talk:Secure Shell"

From ArchWiki
Encrypted Socks Tunnel

It would be good to add how to configure chromium for use with the socks tunnel. I recommend this:

Add the following lines to your .bashrc:

    function unblock() {
        local port=4711
        # Set the proxy variables only for this chromium process, so the rest of
        # the shell session is not silently proxied as well.
        SOCKS_SERVER=localhost:$port SOCKS_VERSION=5 chromium &
    }

So, the next time you want to use chromium with the secure tunnel,

  $ unblock

 
Latest revision as of 07:27, 9 April 2016

X11 forwarding

regarding X11 forwarding: I don't think it is necessary to enable X11Forwarding on the client globally: "Enable the ForwardX11 option in ssh_config on the client."

Simply specifying the -X option to ssh works for me. [The preceding unsigned comment was added 2010-01-11T15:41:54 by Uwinkelvos.]

SendEnv

I think we should add something about accents/UTF-8/encoding. Setting SendEnv LANG LC_* in /etc/ssh/ssh_config (client side) would be very useful. --This unsigned comment is by LeCrayonVert (talk), 22 August 2010.

Automatically logout all SSH users when the sshd daemon is shutdown.

Edit /lib/systemd/system/systemd-user-sessions.service and append network.target to the After= line:

[Unit]
Description = Permit User Sessions
Documentation = man:systemd-user-sessions.service(8)
After = network.target remote-fs.target

Then symlink /lib/systemd/system/systemd-user-sessions.service to /etc/systemd/system/.


artomason (talk) 20:32, 7 February 2013 (UTC)

systemd failed to start sshd

It might be good to add: if systemctl status sshd shows that sshd failed, try running /usr/sbin/sshd. This way, if there is a bad configuration option (i.e. a typo in /etc/ssh/sshd_config), it is listed with its line number.

Matyilona200 (talk) 13:45, 16 May 2013 (UTC)
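As an added example (not from the talk page or the ArchWiki article), a small shell helper that covers both of the points above without launching the daemon by hand: sshd -t parses the configuration and exits, reporting a bad option as "<file>: line N: Bad configuration option: <word>", and sshd -T prints the configuration actually in effect, which is the check the earlier SendEnv suggestion depends on (SendEnv on the client is silently ignored unless the server's AcceptEnv lists the variable). Running the real daemon instead would bind a second listener or fail on the port and leave a root process behind. The sshd path lookup, the function names and the scratch file names are assumptions.

```shell
#!/bin/sh
# Added example: validate an sshd_config and inspect effective options
# without (re)starting sshd. Not from the ArchWiki page.

# Where sshd lives: /usr/bin/sshd on Arch, /usr/sbin/sshd on Debian-like
# systems, neither of which is necessarily in a non-root PATH (assumption).
SSHD=${SSHD:-$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)}

# check_sshd_config FILE [HOSTKEY]
# Prints sshd's diagnostics and returns sshd's exit status (0 = config is sane).
# -t also insists on at least one loadable host key, so when testing a config
# in a scratch directory pass a key with -h; otherwise the check fails for the
# wrong reason ("no hostkeys available").
check_sshd_config() {
    conf=$1
    key=${2:-}
    if [ -n "$key" ]; then
        "$SSHD" -t -f "$conf" -h "$key" 2>&1
    else
        "$SSHD" -t -f "$conf" 2>&1
    fi
}

# sshd_effective FILE OPTION
# Shows the value sshd will actually use for OPTION after parsing FILE,
# e.g. "sshd_effective /etc/ssh/sshd_config acceptenv" to confirm that a
# client's SendEnv LANG LC_* will be accepted. -T lowercases option names and
# needs the host keys to load, so run it on the live system, as root.
sshd_effective() {
    "$SSHD" -T -f "$1" 2>/dev/null | grep -i "^$2 "
}

# Typical use on a live system (as root):
#   check_sshd_config /etc/ssh/sshd_config && systemctl restart sshd
#   sshd_effective /etc/ssh/sshd_config permitrootlogin
```

Only restart the service once check_sshd_config returns 0; a failed restart from inside an SSH session can lock you out of the box you are editing.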


follow_symlinks

The option 'transform_symlinks' does not work anymore, 'follow_symlinks' is the new one.

1. Should we correct that at the autossh section?

2. Should we write that somewhere?

--Greenway (talk) 17:14, 26 April 2014 (UTC)

Are you sure? I've just installed sshfs and the man page still mentions both options as separate functions. If transform_symlinks is really not working anymore, that's more likely a bug that must be reported upstream.
Anyway I'm just mentioning that also the sshfs article would be affected.
-- Kynikos (talk) 03:12, 28 April 2014 (UTC)


Sorry for this discussion and thank you for correcting me. I referred to this question: http://askubuntu.com/questions/75094/sshfs-transform-symlinks-is-broken Anyway I tested both parameters:

1) sshfs bar: foo

-a --> /etc     l
-b --> c/c1     l
-c              d 
--c1            f

2) sshfs -o follow_symlinks bar: foo

-a              d
-b              d
-c              d
--c1            f

(works as expected)

3) sshfs -o transform_symlinks bar: foo

(same as without the option.)

Here's the wiki explanation

Following symlinks on the server side

The -o follow_symlinks option will enable this.

Making absolute symlinks work

Use the -o transform_symlinks option, which will transform absolute symlinks (ones which point somewhere inside the mount) into relative ones.


--Greenway (talk) 20:38, 28 April 2014 (UTC)

Regenerate host keys

I am using a pre-loaded Arch Linux image on a Raspberry Pi, which had openssh configured, so I want to regenerate new host keys, which can be achieved on Debian with

rm /etc/ssh/ssh_host_* && dpkg-reconfigure openssh-server

Do we have an equivalent command on Arch? I can't find one on the wiki. Would

 ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key
 ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key
 ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key

be enough? Or is more setup required?

Ref:

* How to generate new host keys: http://answers.oreilly.com/topic/62-how-to-generate-new-host-keys/
* Avoid Duplicate SSH Host Keys: https://www.digitalocean.com/company/blog/avoid-duplicate-ssh-host-keys/

--Lefthaha (talk) 24 May 2014
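As an added example (not the poster's commands and not from the ArchWiki article), a shell script that does the Arch-side equivalent of the Debian dpkg-reconfigure step: it deletes every OpenSSH host key, lets ssh-keygen -A generate fresh ones for each key type the installed OpenSSH supports, pins the file permissions, and prints the new fingerprints so they can be verified out of band before the next connection. The same permission point answers the Dropbear question further down this page for /etc/dropbear/*, though the script only handles OpenSSH. It assumes ssh-keygen with the -A and -f prefix options (standard OpenSSH) and that sshd is managed by sshd.service; the PREFIX argument exists so the script can be exercised in a scratch directory.

```shell
#!/bin/sh
# Added example: regenerate OpenSSH host keys on a cloned image. Not from the
# ArchWiki page. Cloned images that keep their host keys are a real problem:
# whoever holds a copy of the image holds the private key and can impersonate
# or man-in-the-middle every clone.

# regen_host_keys [PREFIX]
# With no argument operates on the live /etc/ssh (run as root). With PREFIX,
# operates on PREFIX/etc/ssh instead (ssh-keygen -A -f PREFIX), which is
# also how a scratch test can run without root.
regen_host_keys() {
    prefix=${1:-}
    dir="$prefix/etc/ssh"
    mkdir -p "$dir"
    # Remove the old material first: -A only creates keys that do not exist.
    rm -f "$dir"/ssh_host_*_key "$dir"/ssh_host_*_key.pub
    if [ -n "$prefix" ]; then
        ssh-keygen -A -f "$prefix" >/dev/null
    else
        ssh-keygen -A >/dev/null
    fi
    # ssh-keygen already creates private keys 0600, but set it explicitly so a
    # later careless copy or umask cannot loosen them; public halves are 0644.
    chmod 0600 "$dir"/ssh_host_*_key
    chmod 0644 "$dir"/ssh_host_*_key.pub
}

# host_key_fingerprints [PREFIX]
# Prints the SHA256 fingerprint of every public host key, to be compared with
# what the client shows at its known_hosts prompt on the next connection.
host_key_fingerprints() {
    for k in "${1:-}"/etc/ssh/ssh_host_*_key.pub; do
        ssh-keygen -lf "$k"
    done
}

# Live use, as root:
#   regen_host_keys && host_key_fingerprints && systemctl restart sshd
# Every client that connected before will now see a "host key has changed"
# warning, which is expected exactly once after this step.
```

Note that current OpenSSH no longer generates DSA host keys with -A, so the dsa line from the post is simply absent from the result rather than being an error.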

AutoSSH as a Service

AutoSSH doesn't like to run as a service without specifying a port. Using -M 0 and -f parameters in combination will result in the service not starting. Also, when starting as a service (-f option) SSH will not look in ~/.ssh for public keys. If you're using key authentication, the public key will need to be specified with the -i parameter. I assume this limitation would also apply when running as a systemd service.

Running AutoSSH this way worked for me for a Socks 5 proxy:

autossh -f -M 1111 -N -i /home/username/.ssh/id_rsa username@server -D 8080

--Twofive0 (talk) 18:24, 12 August 2014 (UTC)

Autossh as a service seems to be a little redundant, since autossh itself is basically just a service to restart ssh when it exits. I was about to write a .service file for autossh when I realized I could cut out the middleman entirely:
~/.config/systemd/user/autossh.service
[Unit]
Description=SSH tunnel

[Service]
Type=simple
Restart=always
RestartSec=1min
ExecStart=/usr/bin/ssh -F %h/.ssh/config -N foo@bar

[Install]
WantedBy=default.target
This seems a little nicer to me, but I'm not sure how I would edit the article to include it.
Silverhammermba (talk) 00:32, 12 February 2015 (UTC)
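As an added example (not the reply's unit and not from the ArchWiki article), a shell function that writes a systemd user unit for a SOCKS tunnel in the spirit of the reply above, with the options that make Restart= actually work. The important one is ExitOnForwardFailure=yes: without it, ssh stays up when the -D listener cannot be bound, so the tunnel is dead but systemd sees a healthy process and never restarts it. ServerAliveInterval/ServerAliveCountMax catch a silently dropped connection, BatchMode=yes refuses to prompt (a prompt would hang a service forever), and IdentitiesOnly=yes offers only the named key. Because it is a user unit it runs with the user's HOME, so %h/.ssh/config and the keys under it are found, which sidesteps the -i problem the original post describes for autossh -f. The target foo@bar, port 8080, key path and unit name are assumptions.

```shell
#!/bin/sh
# Added example: generate a systemd user unit for a persistent SOCKS tunnel
# without autossh. Not from the ArchWiki page; names and paths are assumed.

# write_tunnel_unit USER@HOST LOCAL_PORT [UNITDIR]
# Writes UNITDIR/ssh-tunnel.service (default ~/.config/systemd/user) and
# prints the path of the file it wrote.
write_tunnel_unit() {
    target=$1
    port=$2
    unitdir=${3:-"$HOME/.config/systemd/user"}
    mkdir -p "$unitdir"
    cat > "$unitdir/ssh-tunnel.service" <<EOF
[Unit]
Description=SSH SOCKS tunnel to $target

[Service]
Type=simple
# ExitOnForwardFailure makes ssh die when the -D listener cannot be bound,
# so Restart= gets a chance instead of a silently dead tunnel.
# Restart= also covers the network not being up yet at login.
ExecStart=/usr/bin/ssh -N -D 127.0.0.1:$port \\
    -o ExitOnForwardFailure=yes \\
    -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \\
    -o BatchMode=yes -o IdentitiesOnly=yes \\
    -i %h/.ssh/id_ed25519 $target
Restart=always
RestartSec=10

[Install]
WantedBy=default.target
EOF
    echo "$unitdir/ssh-tunnel.service"
}

# Typical use:
#   write_tunnel_unit foo@bar 8080
#   systemctl --user daemon-reload
#   systemctl --user enable --now ssh-tunnel.service
```

The tunnel is bound to 127.0.0.1 on purpose: a -D listener on all interfaces would turn the machine into an open SOCKS proxy for anyone on the network. Enable lingering (loginctl enable-linger) if the tunnel has to survive the user logging out.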

Additional steps to setup Dropbear

Noticed that you need to create some keys before Dropbear will run:

dropbearkey -t dss -f /etc/dropbear/dropbear.dss
dropbearkey -t rsa -s 4096 -f /etc/dropbear/dropbear.rsa

Maybe it's a good idea to chmod this to 600 or something? --This unsigned comment is by MindTooth (talk), 5 December 2014.

To note: Not relating to dropbear, but generally #Regenerate_host_keys above suggests the addition of a setup step for that as well. --Indigo (talk) 14:19, 5 December 2014 (UTC)

Allowing SSH Users to Shutdown, Mount, etc. Without Root authentication

Merged from Allow users to shut down. -- Alad (talk) 20:48, 23 May 2015 (UTC)

The following describes what I did to allow power [EDIT: and mounting] operations on my machine from a SSH login. I'd be very grateful if anyone could tell me if this was correct and if so, I'll add this section to the page and add a link on the polkit examples.

I have a miniature server machine I use at home for automatic backups, and I use WOL to start it up without user intervention; however, I found out that issuing
systemctl poweroff
and friends works from a tty but from a remote login I get a message starting:
==== AUTHENTICATING FOR org.freedesktop.login1.power-off ====
and asking for a root password. After searching online it seemed that the right thing to do (but I'm not sure) was to write a polkit rule override and place it before the defaults in /etc/polkit-1/rules.d/. Below is my rule:
polkit.addRule(function(action, subject) {
    // All logind power-management actions, including the "-multiple-sessions"
    // variants that apply when other users are still logged in.
    if (action.id == "org.freedesktop.login1.power-off" ||
        action.id == "org.freedesktop.login1.power-off-multiple-sessions" ||
        action.id == "org.freedesktop.login1.reboot" ||
        action.id == "org.freedesktop.login1.reboot-multiple-sessions" ||
        action.id == "org.freedesktop.login1.suspend" ||
        action.id == "org.freedesktop.login1.suspend-multiple-sessions" ||
        action.id == "org.freedesktop.login1.hibernate" ||
        action.id == "org.freedesktop.login1.hibernate-multiple-sessions") {
        if (subject.isInGroup("mypowergroup")) {
            return polkit.Result.YES;
        }
    }
    // Returning nothing leaves every other action to the later rules and defaults.
});

There might be a neater way to do this rather than enumerating all the actions but I don't speak JavaScript. EDIT: See below:

https://gist.github.com/wooptoo/4013294/ccacedd69d54de7f2fd5881b546d5192d6a2bddb

Someone somewhere seemed to mention that polkit rules weren't the right way to go and there was something wrong with integration with logind/systemd but I didn't understand what he really meant and it was in a different context.

Thanks in advance for any advice --Stellarpower (talk) 12:24, 4 May 2015 (UTC)