In a linux-based system¹, I would like to be able to log on using ssh. I need to launch two (or possibly three) different executables, ideally by connecting to different ports.
Ideally I would like to open a couple of different ports, and have sshd launch different executables² depending on which port. How do I set this up? I have looked through the sshd_config, but without finding anything that looks applicable.
Another alternative that came up was to set up different users, and set up the different applications I want to launch as their respective shells.
(What I do not want to do is to have the remote user specify the executable, as in ssh user#host executable.)
Or have I missed any obvious solution?
¹It's a BuildRoot-based embedded system, running on fairly meager resources, but it's a fully-fledged recent Linux kernel and I have a working ssh connection.
²They are interactive CLI-based programs.
Most linux systems use the OpenSSH server. It looks like you can get this behavior using the Match directive. Documentation for the SSH server configuration file is here.
First, you have to make sshd listen for connections on the additional ports that you want to use. You can do this through either the Port or ListenAddress directives.
Port 22 -- Listen on the normal port 22
Port 42 -- Also listen on port 42
ListenAddress 1.2.3.4:62 -- Also listen on address 1.2.3.4, port 62
Then, you can use the Match and ForceCommand directives to take special actions for users connecting to a particular port:
Match LocalPort 42
ForceCommand /usr/local/bin/the-42-app
Match LocalPort 62
ForceCommand /usr/local/bin/the-62-app
For people who don't want to set the ssh server to listen on multiple ports, there are two other ways to make the server run "canned" apps depending on how the the user connects.
Subsystems
A subsystem is a command that's pre-configured into the server. Clients request to run the subsystem by name, and the server runs the command associated with the subsystem. This avoids the client having to know the exact command to run.
You configure subsystems in sshd by adding a line like this to sshd_config:
Subsystem someApp /usr/local/bin/someApp
Then the client calls it like this:
ssh user#host -s someApp -- "-s" means to request a subsystem
Forced Commands on Keys
For key-based authentication, sshd permits you to force a particular command to run when a particular key is used. This is done in the authorized_keys file which is documented here.
Each line of an authorized_keys file normally starts like this:
ssh-rsa AAAAB3N...
You can prepend an options field to the line. One of the options you can specify is a command to run when the key is used to authenticate:
command="/usr/local/bin/someApp" ssh-rsa AAAAB3N...
When that key is used to authenticate, the server will ignore whatever command the client requests to run, and run the specified command instead.
You can configure SSH server to listen on multiple ports. Just add additional ports in sshd_config like this:
Port 22
Port 1111
Port 2222
Related
I'm writing a short script to put as a cronjob. The function of the script should be kicking all ssh-entries (all hosts that are connected via ssh on a machine), except a special host (mostly localhost or the host where I'm sitting at). My idea was:
kill -9 $(pgrep -f ssh)
But this kicks all ssh-entries (including the host where I'm sitting at). How can I change the script so that it won't kick the localhost ?
What you can do is deny all ssh connections that are not coming from localhost. Go to /etc/ssh/sshd_config and add a line that says AllowUsers *#localhost, then restart the ssh server. This will allow only users that come from localhost to connect via ssh. You can also use DenyUsers youruser#yourdomain if you want to blacklist specific users or domains. If users that you blacklisted/that are not on your whitelist try to connect, they'll get a Permission denied message.
I am here because I've found different problems setting up SSH using this guide proposed in this other question.
First of all I've a computer (I want to use it as master) called: timmy#timmy-Lenovo-G50-80. My other computer is a Virtual Machine always with linux mint called: test#test-VirtualBox and I'd like to use it as a slave.
What I've done until now is:
install needed packets (both PC):
sudo apt-get install openssh-server openssh-client
Change inside the file /etc/ssh/sshd_config: (Only master)
the port of server from 22 to 2222
set PubkeyAuthentication yes (so no change)
remove comment at line: Banner /etc/issue.net
STOP
I am stuck when I've to execute this command:
ssh-copy-id username#remotehost
I imagine, reading what's written, that I've to execute something like:
ssh-copy-id timmy#timmy-Lenovo-G50-80
but:
from timmy#timmy-Lenovo-G50-80 everything goes OK, I can connect to myself (not what I actually want)
from test#test-VirtualBox it tells me ERROR: ssh: Could not resolve hostname timmy#timmy-Lenovo-G50-80: Name or service not known
Finally, what I've to do in order to connect these 2 PC?
You need to enable port forwarding into your VirtualBox'ed machine. Simply right click on the virtual machine, then go into Network. Then click on advance which will expand the Network window, and then on the button that appeared labeled Port forwarding.
A table will appear with several columns (Name, Protocol, Host IP, Host Port, ...). Simply add a new entry for protocol TCP, host port = X and guest port = 22 (see the list of well-known ports here https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers#Well-known_ports). The screenshot below is from my cloudera quickstart VM. Notice the outlined entry in the port forwarding rules, which is about setting up the SSH port in the guest OS.
Once you reboot the virtual machine, you can simply connect to it through
# ssh -p X localhost
the -p parameter tells to connect through the port X. Notice that if you want to use scp then you have to use the uppercase -P option rather than the lowercase -p.
# scp -P X localfile localhost:remote-dir/
I started a new SSH daemon with a config file with a non-standard port number. Now if I start the SSHD as sudo I can SSH onto the host but if i start as a different system account, the daemon starts but the connections fail. Does the SSHD always need to be started as root ?
I made sure the SSHD is running, it just doesnt accept connections.
It is not practical to run sshd as non-root. sshd needs root privileges for
password authentication (only root can access /etc/shadow)
binding to a port that is below 1024
calling setuid() in order to obtain the privileges of the user that has connected
If you use an unprivileged port and key-based only auth, you may be able to make it work, but you'll be restricted to connections with the user that is running sshd.
There is a relevant discussion here: http://seclists.org/basics/2003/Aug/564
Which port did you use? Ports below 1024 are privileged to Root only.
I am using agent forwarding, it works fine. But the ssh client is sharing all registered (ssh-add) keys with the remote server. I have personal keys that I don't want to share with the remote server. Is there a way to restrict with keys are being forwarded?
I have multiple github accounts and aws accounts. I don't want to share all the ssh-keys.
Looks like it is possible with OpenSSH 6.7 - it supports unix socket forwarding. We could start secondary ssh-agent with specific keys and forward it's socket to remote host. Unfortunately this version is not available for my server/client systems at the time of writing.
I have found another possible solution, using socat and standard SSH TCP forwarding.
Idea
On local host we run secondary ssh-agent with only keys we want to see on remote host.
On local host we set up forwarding of TCP connections on some port (portXXX) to secondary ssh-agent's socket.
On remote host we set up forwarding from some socket to some TCP port (portYYY).
Then we establish ssh connection with port forwarding from remote's portYYY to local portXXX.
Requests to ssh agent go like this:
local ssh-agent (secondary)
^
|
v
/tmp/ssh-.../agent.ZZZZZ - agent's socket
^
| (socat local)
v
localhost:portXXX
^
| (ssh port forwarding)
v
remote's localhost:portYYY
^
| (socat remote)
v
$HOME/tmp/agent.socket
^
| (requests for auth via agent)
v
SSH_AUTH_SOCK=$HOME/tmp/agent.socket
^
| (uses SSH_AUTH_SOCK variable to find agent socket)
v
ssh
Drawbacks
It is not completely secure, because ssh-agent becomes partially available through TCP: users of remote host can connect to your local agent on 127.0.0.1:portYYY, and other users of your local host can connect on 127.0.0.1:portXXX. But they will see only limited set of keys you manually added to this agent. And, as AllenLuce mentioned, they can't grab it, they only could use it for authentication while agent is running.
socat must be installed on remote host. But looks like it is possible to simply upload precompiled binary (I tested it on FreeBSD and it works).
No automation: keys must be added manually via ssh-add, forwarding requires 2 extra processes (socat) to be run, multiple ssh connections must be managed manually.
So, this answer is probably just a proof of concept and not a production solution.
Let's see how it can be done.
Instruction
Client side (where ssh-agent is running)
Run new ssh-agent. It will be used for keys you want to see on remote host only.
$ ssh-agent # below is ssh-agent output, DO NOT ACTUALLY RUN THESE COMMANDS BELOW
SSH_AUTH_SOCK=/tmp/ssh-qVnT0UsgV6yO/agent.22982; export SSH_AUTH_SOCK;
SSH_AGENT_PID=22983; export SSH_AGENT_PID;
It prints some variables. Do not set them: you will loose your main ssh agent. Set another variable with suggested value of SSH_AUTH_SOCK:
SSH_AUTH_SECONDARY_SOCK=/tmp/ssh-qVnT0UsgV6yO/agent.22982
Then establish forwarding from some TCP port to our ssh-agent socket locally:
PORT=9898
socat TCP4-LISTEN:$PORT,bind=127.0.0.1,fork UNIX-CONNECT:$SSH_AUTH_SECONDARY_SOCK &
socat will run in background. Do not forget to kill it when you're done.
Add some keys using ssh-add, but run it with modified enviromnent variable SSH_AUTH_SOCK:
SSH_AUTH_SOCK=$SSH_AUTH_SECONDARY_SOCK ssh-add
Server side (remote host)
Connect to remote host with port forwarding. Your main (not secondary) ssh agent will be used for auth on hostA (but will not be available from it, as we do not forward it).
home-host$ PORT=9898 # same port as above
home-host$ ssh -R $PORT:localhost:$PORT userA#hostA
On remote host establish forwarding from ssh-agent socket to same TCP port as on your home host:
remote-host$ PORT=9898 # same port as on home host
remote-host$ mkdir -p $HOME/tmp
remote-host$ SOCKET=$HOME/tmp/ssh-agent.socket
remote-host$ socat UNIX-LISTEN:$SOCKET,fork TCP4:localhost:$PORT &
socat will run in background. Do not forget to kill it when you're done. It does not automatically exit when you close ssh connection.
Connection
On remote host set enviromnent variable for ssh to know where agent socket (from previous step) is. It can be done in same ssh session or in parallel one.
remote-host$ export SSH_AUTH_SOCK=$HOME/tmp/ssh-agent.socket
Now it is possible to use secondary agent's keys on remote host:
remote-host$ ssh userB#hostB # uses secondary ssh agent
Welcome to hostB!
The keys themselves are not shared by forwarding your agent. What's forwarded is the ability to contact the ssh-agent on your local host. Remote systems send challenge requests through the forwarding tunnel. They do not request the keys themselves.
See http://www.unixwiz.net/techtips/ssh-agent-forwarding.html#fwd for a graphical explanation.
I have a list of IPs for server on my network, I need to check if they are running ssh or not from within node. How can I go about this?
Depends how deep you want this check to run. You could simply check if the port 22 is open, if you want to see if something is running there, or perhaps you have to try to connect to establish it's really ssh protocol, and maybe portscan all ports for it or whatever.
There are ssh client libs like ssh or more general network scanners like netty.
Do npm search ssh client or npm search port scanning or npm search nmap for extended selection of libs that can do that.