Is there any fuse server/client software like sshfs but don't have any ssh authentication? - fuse

I want to read log files in many linux hosts.
But I don't have all the ssh permissions on all the hosts.
Instead, I can install an agent on all the hosts.
So, is there any fuse server/client software like sshfs but without any ssh authentication?
Then I can mount all the log dir to one host, and easy to access them.

If it is about logs, you should instead configure syslog or any other logging facility you are using to send a copy of the logs directly to a remote machine.

Related

Login to Linux server with SUDO via Bitvise SSH client

I have been using Bitvise SSH client to transfer files etc on a Linux server.
I now have a new Linux server, and need to change my level of access via SUDO. I'm not sure how to do that with this client.
Is there a config I can use that automatically elevates my access using SUDO?

Update SSH ciphers for linux (ubuntu) in Azure Function

I have created an Azure Function to connect to an SFTP server via SSH. The only problem appears to be that needed SSH ciphers are not supported by SSH on the Ubuntu 20.04.4 LTS operating system that the Azure Function is running on. So I'd like to know if there's a way to update the SSH ciphers to the ones I need for the Azure Function on that operating system (without using Docker Hub)?
I read somewhere that you can edit /etc/ssh/sshd_config to get this done, but if that's the way forward, then how is it done (bear in mind that I don't think I have direct access to the operating system in the context of the Azure Function unless I'm mistaken)?
Yes, you heard it correctly: you need to edit /etc/ssh/sshd_config to get this done. You can configure encryption algorithms in the configuration file using the Ciphers keyword; the default is 'AnyStdCipher'.
Perform the following steps:
1. In /etc/ssh/sshd_config (server) and /etc/ssh/ssh_config (client), search for Ciphers. The following is the default configuration:
#Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
2. Uncomment this line and replace it with the following value:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
3. Restart SSH by running the service sshd restart command.
Reference: https://www.netiq.com/documentation/access-manager-45/security-guide/data/ssh-ciphers.html

docker: SSH access directly into container

Up to now we use several linux users:
system_foo@server
system_bar@server
...
We want to put the system users into docker container.
linux user system_foo --> container system_foo
The changes inside the servers are not a problem, but remote systems use these users to send us data.
We need to make ssh system_foo@server work. The remote systems can't be changed.
It would be very easy if there would be just one system per linux operating system (pass port 22 to the container). But there are several.
How can we change from the old scheme to docker containers and keep the service ssh system_foo@server available without changes at the remote site?
Please leave a comment if you don't understand the question. Thank you.
Let's remember, however, that having ssh support in a container is typically an anti-pattern (unless it's your container's only 'concern', but then what would be the point of being able to ssh in?). Refer to http://techblog.constantcontact.com/devops/a-tale-of-three-docker-anti-patterns/ for information about that anti-pattern.
nsenter could work for you. First ssh to the host and then nsenter to the container.
PID=$(docker inspect --format '{{.State.Pid}}' <container_name_or_ID>)
nsenter --target "$PID" --mount --uts --ipc --net --pid
Source: http://jpetazzo.github.io/2014/06/23/docker-ssh-considered-evil/
Judging by the comments, you might be looking for a solution like dockersh. dockersh is used as a login shell, and lets you place every user that logs in to your instance into an isolated container.
This probably won't let you use sftp though.
Note that dockersh includes security warnings in their README, which you'll certainly want to review:
WARNING: Whilst this project tries to make users inside containers
have lowered privileges and drops capabilities to limit users ability
to escalate their privilege level, it is not certain to be completely
secure. Notably when Docker adds user namespace support, this can be
used to further lock down privileges.
Some months ago, I helped myself like this. It's not nice, but works. But
pub-key auth needs to be used.
Script which gets called via command in .ssh/authorized_keys
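#!/usr/bin/python
# Forced-command wrapper: relays the incoming SSH session to the
# SSH daemon of the container, which listens on localhost port 2222.
import os
import sys
import subprocess

# ssh takes the port with -p, not as host:port.
cmd = ['ssh', '-p', '2222', 'user@localhost']
if 'SSH_ORIGINAL_COMMAND' not in os.environ:
    # No command requested by the client: pass on the wrapper's own arguments.
    cmd.extend(sys.argv[1:])
else:
    # The client requested a command: forward it to the container.
    cmd.append(os.environ['SSH_ORIGINAL_COMMAND'])
sys.exit(subprocess.call(cmd))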
File system_foo@server: .ssh/authorized_keys
command="/home/modwork/bin/ssh-wrapper.py" ssh-rsa AAAAB3NzaC1yc2EAAAAB...
If the remote system does ssh system_foo@server, the SSH daemon at server executes the command given in .ssh/authorized_keys. This command does an ssh to a different ssh-daemon.
In the docker container, an ssh-daemon needs to run which listens on port 2222.

Subversion svn+ssh access and prohibit copying files from server via SSH

System environment :
Server: Centos 6.2
Client: Windows + TortoiseSVN + putty
I have installed subversion in centos, created repository on server, and configured svn+ssh access way using key authentication. Everything works fine.
But I have a question about svn user using svn+ssh mode.
The svn user has an ssh key, so he can access the subversion server and of course he can also access the Centos server by SSH using the key authentication. Further, he can copy subversion repository files (specifically the /db files) from the centos server using a tool like WinSCP based on SSH.
So, I wanna know if there is a way to let the svn user access the svn repository via svn+ssh only, so that he can't copy repository files from centos directly via ssh access?
If he can copy repository files from the centos server via ssh, I think the svn access control realized by the conf/authz file doesn't make any sense and the svn repository isn't safe.
I just learned how to create a svn+ssh subversion server, so maybe my knowledge isn't enough, please give me an idea or just tell me whether a solution exists.
If I can't prohibit copying files from the Linux server via SSH, I will use svn or http(s) access mode.
Thank you!
I found a way to solve this problem.
Add a command to the authorized_keys file to disable ssh shell login and scp, but enable svn+ssh, like this:
command="/usr/bin/svnserve -t -r /svn/test/",no-port-forwarding,no-pty,no-agent-forwarding,no-X11-forwarding
After adding it, your authorized_keys file will look like this:
command="/usr/bin/svnserve -t -r /svn/test/",no-port-forwarding,no-pty,no-agent-forwarding,no-X11-forwarding ssh-rsa A......................................................................
I think this is one solution, do you have others? Please let me know.
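Both the ssh-wrapper answer and the svnserve answer above depend on the options field of an authorized_keys entry. The following is an added example, not code from either poster: it parses that field (commas and spaces inside a quoted command value do not split it) and reports keys that lack a forced command or any of the four restrictions used in the svnserve answer. The names `parse_options` and `audit` and the sample entries are constructed for illustration; `restrict` is OpenSSH's option that enables all of these restrictions at once.

```python
REQUIRED = ("no-port-forwarding", "no-pty", "no-agent-forwarding", "no-x11-forwarding")
KEY_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")  # a line starting with a key type has no options
# Constructed sample: key blobs and user names are placeholders, not real keys.
SAMPLE = """\
# svn-only key, restricted as in the answer above
command="/usr/bin/svnserve -t -r /svn/test/",no-port-forwarding,no-pty,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAAplaceholder1 svnuser
command="/home/modwork/bin/ssh-wrapper.py" ssh-rsa AAAAplaceholder2 system_foo
ssh-ed25519 AAAAplaceholder3 admin
restrict,command="/usr/bin/svnserve -t -r /svn/test/" ssh-ed25519 AAAAplaceholder4 svnuser2
"""

def parse_options(line):
    """Return the options of one authorized_keys line as a dict (None for blank/comment)."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith(KEY_PREFIXES):
        return {}
    items, cur, quoted, i = [], "", False, 0
    while i < len(line):
        ch = line[i]
        if quoted and ch == "\\" and line[i + 1:i + 2] == '"':
            cur, i = cur + '"', i + 1      # \" is a literal quote inside a value
        elif ch == '"':
            quoted = not quoted
        elif not quoted and ch == ",":     # comma outside quotes separates options
            items, cur = items + [cur], ""
        elif not quoted and ch.isspace():  # whitespace outside quotes ends the field
            break
        else:
            cur += ch
        i += 1
    pairs = (item.partition("=") for item in items + [cur])
    return {name.lower(): value for name, _, value in pairs}  # names are case-insensitive

def audit(text):
    """Return [(line number, problems)] for keys that are not pinned to one command."""
    findings = []
    for number, opts in enumerate(map(parse_options, text.splitlines()), 1):
        if opts is None:
            continue
        problems = [] if opts.get("command") else ["no forced command"]
        # "restrict" enables every restriction unless e.g. "pty" switches one back off
        problems += ["missing " + r for r in REQUIRED
                     if r not in opts and not ("restrict" in opts and r[3:] not in opts)]
        if problems:
            findings.append((number, problems))
    return findings

print(*audit(SAMPLE), sep="\n")
```

In the sample, the wrapper key on line 3 has a forced command but none of the restrictions, and the plain key on line 4 has neither.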

Executing exe or bat file on remote windows machine from *nix

I am trying to execute a bat file on a remote windows machine on cloud from my Linux. The bat file starts the selenium server and then my selenium tests are run. I am not able to start the selenium RC server on that machine. I tried with Telnet, but the problem with it is that when the telnet session is closed the RC server port is also closed. As my code has to start the server, I tried with the ANT telnet task and also executed a shell script of telnet; in both ways the port was closed.
I read about Open SSH, psexec for linux and cygwin. But I am not getting how to use these and whether they will solve my problem.
I have tried to start a service which will start the server, but in this method I am not getting the browser visible; all tests are running in the background. As my script takes screen shots, browser visibility is a must.
Now my question is what to use and which will be preferable for my job.
And whatever I choose should be executed by code; it may be by shell, ant or php.
Thanks in advance.
Let's go through the various options you mentioned:
psexec: This is pretty much a PC only thing. Plus, you must make sure that newer Windows machines can get through the UAC that is set up by default. UAC is the thing you see all the time on Vista and Windows 7 when you try to do something that requires administrator's privileges. You can try something called winexe which is a Linux program that can do the psexec protocol, but I've had problems getting it to work.
OpenSSH: There are two main flavors of SSH, and Open SSH is the one used by the vast majority of sites. SSH has several advantages over other methods:
SSH is secure: Your network traffic is encrypted.
SSH can be password independent: You can set up SSH to use private/public keys. This way, you don't even have to know the password on the remote server. This makes it more secure since you don't have passwords being stored on various systems. And, in many Windows sites, passwords have to be changed every month or so or the account is locked.
SSH can do more than just execute remote commands: There are two sub-protocols on SSH called SCP and SFTP. These allow you to transfer files between two machines. Since they work over SSH, you get all of the advantages of SSH including encrypted packets, and public/private key protection.
SSH is well implemented in the Unix World: You'll find SSH clients built into Ant, Maven, and other build tools. Programs like CVS, Subversion, and Git can work over SSH connections too. Unfortunately, the Windows World operates in a different space time dimension. To use SSH on a Windows system requires third party software like Cygwin.
Cygwin: Cygwin is sort of an odd beast. It's a layer on top of Windows that allows many of the Unix/GNU libraries to work over Windows. It was originally developed to allow Unix developers to run their software on Windows DOS systems. However, Cygwin now contains a complete Unix like system including tools such as Perl and Python, BASH shell, and many utilities such as an SSH server. Since Cygwin is open source, you can download it for free and run SSH server. Unfortunately, I've had problems with Cygwin's SSH server. Another issue: If you're running programs remotely, you probably want to run them in a Windows environment and not the Cygwin environment.
I recommend that you look at WinSSHD from Bitvise. It's an OpenSSH implementation of the SSH Server, but it's not open source. It's about $100 per license and you need a license on each server. However, it's a robust implementation and has all of the features SSH has to offer.
You can look at CoSSH which is a package of Cygwin utilities and OpenSSH server. This is free and all open source, but if you want an easy way of setting it up, you have to pay for the Advanced Administrator Console. You don't need the Advanced Administrator Console since you can use Cygwin to set everything up, and it comes with a basic console to help.
I prefer to use cygwin and use SSH to then log in to the windows machine to execute commands. Be aware that, by default, cygwin doesn't have OpenSSH installed.
Once you have SSH working on the windows machine you can run a command on it from the Linux machine like this:
ssh user@windowsmachine 'mycommand.exe'
You can also set up ssh authentication keys so that you don't need to enter a password each time.
I've succeeded in running a remote command on W2K3 via EXPECT on Debian Buster. Here is my script:
#!/usr/bin/expect
#
# execute the script in the following manner:
#
# <script> <vindoze> <user> <password> <command>
#
#
set timeout 200
set hostname [lindex $argv 0]
set username [lindex $argv 1]
set password [lindex $argv 2]
set command [lindex $argv 3]
spawn telnet $hostname
expect "login:"
send "$username\r"
expect "password:"
send "$password\r"
expect "C:*"
send "dir c:\\tasks\\logs \r"
# send $command
expect "C:*"
send "exit\r\r\r"
Bear in mind that you need to enable the TELNET service of the Win machine, and also the user which you are authenticated with must be a member of the TelnetClients built-in Win group. Or as most of the Win LazyMins do - authenticate with Admin user ;)
I use similar "expect" script for automated collecting & backup configuration of CLI enabled network devices like Allied Telesyn, Cisco, Planet etc.
Cheers,
LAZA
Not a very secure way, but if you have a running webserver you can use PHP or ASP to trigger a system command. Just hide that script under www.myserver.com/02124309c9867a7616972f52a55db1b4.php or something. And make sure the commands are written fixed in the code, not open via parameter ...
