Differences
This shows you the differences between two versions of the page.
ssh [2015/06/01 17:30] steve |
ssh [2019/01/04 16:07] steve |
Line 3: | Line 3: | ||
* [[dropbear]] | * [[dropbear]] | ||
* [[OpenSSH]] | * [[OpenSSH]] | ||
- | + | * [[ssh-keygen]] | |
- | ==== Policy ==== | + | |
- | + | ||
- | Users need to be in ''ssh-users'' group to be granted SSH access to a server. | + | |
- | + | ||
- | Root access through SSH is denied. | + | |
- | + | ||
- | Public-key authentication is the only login method. | + | |
- | + | ||
- | On systems where we have root access, a ''dtrike'' account will be created. This user will have root access through sudo. The user will also allow anyone with a public key access. | + | |
- | + | ||
- | For clients who want to have access without public keys, a second SSH server will be run on port 222 (dropbear) with IP address restriction. | + | |
=== Managing Keys === | === Managing Keys === | ||
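Review bot: the removed ==== Policy ==== block was the only place on this page that stated the server-side baseline (SSH access restricted to the ''ssh-users'' group, root login denied, public-key authentication as the only login method, and the IP-restricted dropbear on port 222 for clients without keys); if that policy now lives on another page, add a link to it here, and if it was dropped on purpose, keep at least the three hardening statements so the AllowGroups, PermitRootLogin and PasswordAuthentication expectations remain documented next to the key-management instructions. Dropping the ''dtrike'' paragraph is an improvement on its own, since "The user will also allow anyone with a public key access" described a shared sudo-capable account open to any key, which is exactly what the ''ssh-users'' group restriction was meant to prevent.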
Line 65: | Line 54: | ||
This would also work with any SFTP clients as well. | This would also work with any SFTP clients as well. | ||
+ | |||
+ | ==== JumpBox ==== | ||
+ | |||
+ | You can jump through another box to SSH into a second one (and third, fourth, etc.): | ||
+ | |||
+ | <code> | ||
+ | ssh -J jumpbox.beandog.org dest.beandog.org | ||
+ | </code> | ||
==== Notes ==== | ==== Notes ==== | ||
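Review bot: the ''-J'' option in the new ==== JumpBox ==== section only exists in OpenSSH 7.3 and later, so note the version requirement, and since the text promises "(and third, fourth, etc.)" but the example shows a single hop, show the comma-separated form the option accepts, e.g. ''ssh -J jump1.beandog.org,jump2.beandog.org dest.beandog.org''. It is also worth one sentence explaining why ''-J'' (ProxyJump) is preferred over logging into the jump box and running ssh from there: the connection to the destination is tunneled through the jump host's stdio, so the private key and agent never have to be present on the intermediate machine, and there is no reason to add ''-A'' (agent forwarding) to this command.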
Line 77: | Line 74: | ||
iptables -A rate-limit -j DROP | iptables -A rate-limit -j DROP | ||
iptables -I INPUT 1 -p tcp --dport 22 -j rate-limit | iptables -I INPUT 1 -p tcp --dport 22 -j rate-limit | ||
+ | </code> | ||
+ | |||
+ | ==== Gotchas ==== | ||
+ | |||
+ | ** Running ''ssh'' in a while loop exits early ** | ||
+ | |||
+ | ''ssh'' may be reading things from stdin, so pipe ''/dev/null'' to it directly: | ||
+ | |||
+ | <code> | ||
+ | ssh < /dev/null | ||
</code> | </code> |
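Review bot: the new ==== Gotchas ==== example ''ssh < /dev/null'' is missing the host argument, so as written it only prints the usage text; write it in the same form as the surrounding loop it is meant to fix, e.g. ''ssh host command < /dev/null''. OpenSSH also has a dedicated flag for this case, ''ssh -n host command'', which redirects stdin from ''/dev/null'' itself, so mention it as the equivalent and keep the redirect form for ''dropbear'' (linked at the top of the page), which does not have an equivalent of ''-n''. The explanation "may be reading things from stdin" should say what actually happens: the remote command's stdin is connected to the loop's input, so ''ssh'' consumes the rest of the list being iterated over, and the loop ends after the first iteration.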