Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
ssh [2015/06/01 17:30] steve |
ssh [2019/01/04 16:07] (current) steve |
||
|---|---|---|---|
| Line 3: | Line 3: | ||
| * [[dropbear]] | * [[dropbear]] | ||
| * [[OpenSSH]] | * [[OpenSSH]] | ||
| - | + | * [[ssh-keygen]] | |
| - | ==== Policy ==== | + | |
| - | + | ||
| - | Users need to be in ''ssh-users'' group to be granted SSH access to a server. | + | |
| - | + | ||
| - | Root access through SSH is denied. | + | |
| - | + | ||
| - | Public-key authentication is the only login method. | + | |
| - | + | ||
| - | On systems where we have root access, a ''dtrike'' account will be created. This user will have root access through sudo. The user will also allow anyone with a public key access. | + | |
| - | + | ||
| - | For clients who want to have access without public keys, a second SSH server will be run on port 222 (dropbear) with IP address restriction. | + | |
| === Managing Keys === | === Managing Keys === | ||
| Line 65: | Line 54: | ||
| This would also work with any SFTP clients as well. | This would also work with any SFTP clients as well. | ||
| + | |||
| + | ==== JumpBox ==== | ||
| + | |||
| + | You can jump through another box to SSH into a second one (and third, fourth, etc.): | ||
| + | |||
| + | <code> | ||
| + | ssh -J jumpbox.beandog.org dest.beandog.org | ||
| + | </code> | ||
| ==== Notes ==== | ==== Notes ==== | ||
| Line 77: | Line 74: | ||
| iptables -A rate-limit -j DROP | iptables -A rate-limit -j DROP | ||
| iptables -I INPUT 1 -p tcp --dport 22 -j rate-limit | iptables -I INPUT 1 -p tcp --dport 22 -j rate-limit | ||
| + | </code> | ||
| + | |||
| + | ==== Gotchas ==== | ||
| + | |||
| + | ** Running ''ssh'' in a while loop exits early ** | ||
| + | |||
| + | ''ssh'' may be reading things from stdin, so pipe ''/dev/null'' to it directly: | ||
| + | |||
| + | <code> | ||
| + | ssh < /dev/null | ||
| </code> | </code> | ||
