    • Pete.S

      sudo problems
      IT Discussion • sudo ssh root certificate • Pete.S

      0 Votes • 33 Posts • 452 Views

      Pete.S

      @jaredbusch said in sudo problems:

      @pete-s said in sudo problems:

      @jaredbusch said in sudo problems:

      @scottalanmiller said in sudo problems:

      @jaredbusch said in sudo problems:

      @scottalanmiller said in sudo problems:

      @pete-s said in sudo problems:

      We want to move to using ssh certificates on our servers and remove all passwords.

      That's what we do.

      Since when? What do you use to manage and generate certificates?

      Generate with ssh-keygen. Manage with a wiki. We are only so big, so it works fine.

      That is not certificates. That is keys. Completely different.

      I don't know what @scottalanmiller uses but ssh-keygen is used to generate ssh certificates as well.

      From the man page:
      ssh-keygen supports signing of keys to produce certificates that may be used for user or host authentication. Certificates consist of a public key, some identity information, zero or more principal (user or host) names and a set of options that are signed by a Certification Authority (CA) key. Clients or servers may then trust only the CA key and verify its signature on a certificate rather than trusting many user/host keys. Note that OpenSSH certificates are a different, and much simpler, format to the X.509 certificates used in ssl(8).

      But if you are automating certificate generation, you need to wrap this in something.

      No, ssh-keygen does not do this (ssh certificate generation).

      As you highlight, it can be used as part of the certificate process. But it cannot, and never will, be the certificate authority. Thus it is not the tool for this.

      You're actually mistaken because I've done it many times now. A Certification Authority, when it comes to openssh certificates, is really just a key pair that you carefully guard.

      You create certificates by using the CA keys to sign other public keys from users and hosts. The result is a certificate named *-cert.pub

      And you do all of this with the ssh-keygen utility.

      Similar to how you can create CA and everything else for the more complex x509 certificates with just openssl.

    • Pete.S

      Anyone using ssh certificates for logins instead of keys?
      IT Discussion • ssh ssh keys certificate certificate authority • Pete.S

      0 Votes • 13 Posts • 239 Views

      Pete.S

      OpenSSH can use host certificates to verify the host (like SSL certs on a webserver). OpenSSH can also use user certificates to verify the user (like passwords or ssh keys).

      Both these types of cert can be used independently of each other.

      I've tested using user certificates to authorize user login, since that is what most people do with keys. People never really verify the host identity.

      It works great and it's actually very simple. This will be my new SOP going forward.

      Before starting to add hosts and users you need to create a Certificate Authority (CA) - which is actually just a key pair. It's a one-liner.

      Every time you create a new host, you just need to copy the same file to it - the public key of the CA. And change one line in sshd_config to allow ssh certificates.

      Every time you have a new user on your team who needs access to servers, you have to generate a certificate for him. It's a one-liner. He will copy the certificate to his own machine. And the ssh client will automatically send the certificate when needed.

      Generating certificates is the part that could be automated. You could for instance be given a certificate that expires in 5 minutes. That would allow you to login and stay logged in. But if you need to login again, you need to generate a new certificate.

    • scottalanmiller

      Add Static IP Address on Unifi from the Command Line on SSH
      IT Discussion • unifi ubiquiti ssh command line cli unifi command reference • scottalanmiller

      0 Votes • 2 Posts • 796 Views

      JaredBusch

      @scottalanmiller that is edgeos syntax.

    • scottalanmiller

      Add Default Gateway Route to Unifi from the Command Line on SSH
      IT Discussion • ubiquiti unifi cli command line ssh usg unifi command reference • scottalanmiller

      1 Vote • 1 Post • 2563 Views

      No one has replied

    • Pete.S

      ssh and international keyboard layouts
      IT Discussion • linux ssh keyboard • Pete.S

      0 Votes • 5 Posts • 279 Views

      Pete.S

      Thanks, guys. It's actually the most logical solution that the ssh client side decides what keyboard layout to use.

      So maybe I was mistaken then or it was something else that was off. I'll give it a try with some different settings to verify how it works.

    • JaredBusch

      Unsolved VitalPBX 3
      IT Discussion • vitalpbx ssh • JaredBusch

      0 Votes • 48 Posts • 662 Views

      JaredBusch

      @ing-joserivera26 said in VitalPBX 3:

      I will not continue posting on your blog.

      This is not my blog. This is a public community targeting IT professionals.

      I would (and have) posted on the VitalPBX community, but it seems that I'm eternally moderated.

    • scottalanmiller

      Linux Copy a Disk Over SSH with DD
      IT Discussion • linux dd storage ssh • scottalanmiller

      4 Votes • 6 Posts • 626 Views

      scottalanmiller

      @krisleslie said in Linux Copy a Disk Over SSH with DD:

      @scottalanmiller can this be used while on XCP-NG host?

      Can be used on every non-Windows system.

    • gjacobse

      Termius cross platform sync
      IT Discussion • termius ssh cross platform cross device • gjacobse

      0 Votes • 23 Posts • 366 Views

      scottalanmiller

      @stacksofplates said in Termius cross platform sync:

      @scottalanmiller said in Termius cross platform sync:

      @stacksofplates said in Termius cross platform sync:

      @scottalanmiller said in Termius cross platform sync:

      @JaredBusch said in Termius cross platform sync:

      @stacksofplates said in Termius cross platform sync:

      @gjacobse said in Termius cross platform sync:

      @stacksofplates said in Termius cross platform sync:

      @IRJ said in Termius cross platform sync:

      Remina is great on Linux platforms, but the question for me is why is this a need?

      This seems like everyone could and should manage this independently. All you need is DNS name or IP to initiate a remote connection. In my opinion, it's better for IT team to know exactly where they are trying to go instead of clicking the wrong button or sending the wrong command

      Yeah I agree. I'm assuming it's for syncing credentials across devices. Which means you'd have to trust their cloud service with your system credentials.

      While yes, it would be nice to sync the entire session - connection and UserID / password. I'm more concerned with the connection itself. Yes, I can keep track of the addresses - but it gets to be a pain.. UserId / Passwords are different. I could care less - I mainly want the address; IP address or dns name..

      I mean, honestly what's the difference between a word document/text file and the syncing at that point?

      Right. And besides, even Windows has native SSH now. So why use anything else anyway?

      Right, I've not used PuTTY in quite some time. Not that it isn't good, I just don't see the point of installing third party software that doesn't do anything any better than the built in tool that is always there and ready to go. And quite frankly, I find PowerShell's terminal to work far better for me.

      I can't stand PuTTY. I'm not sure why, I've just always hated it.

      I hate that it lacks a local shell and you have to launch the damn thing for every connection!

      Maybe that's what it is. Tunnelling is a pain, I just find it awkward.

      That, too. Other than doing a good job rendering fonts and being available back in an era when nothing else was, PuTTY really doesn't offer anything positive.

    • scottalanmiller

      Wiki.js Migration and Import SSH GIT Error
      IT Discussion • wiki wiki.js wiki.js 2 git ssh • scottalanmiller

      0 Votes • 1 Post • 235 Views

      No one has replied

    • JaredBusch

      Solved Keep my ssh config file synchronized between two systems
      IT Discussion • ssh ssh client config synchronization sync • JaredBusch

      0 Votes • 9 Posts • 652 Views

      stacksofplates

      @JaredBusch said in Keep my ssh config file synchronized between two systems:

      @stacksofplates said in Keep my ssh config file synchronized between two systems:

      I use git for this type of stuff. I have all of my dotfiles stored in a git repo and synced between systems.

      I thought about that, but then it gets into git triggers and scheduled jobs.

      I just do it when I open my terminal. It auto downloads when a new window is opened.


    • Pete.S

      sftp without ssh shell access?
      IT Discussion • ssh sftp • Pete.S

      0 Votes • 6 Posts • 153 Views

      dbeato

      @Pete-S said in sftp without ssh shell access?:

      Thanks guys.

      To summarize the link above, it's these lines in sshd_config that do the magic.

      Match User sftpuser
          ForceCommand internal-sftp
          <snip>

      The first line will tell sshd what user(s) the rest of the settings apply to.
      The second line tells it to go straight into sftp mode. So this will only apply to the users that match the rule above.

      Just make sure to test SSH after you do the changes on a new session, otherwise you might just have broken SSH access.

    • hobbit666

      Securing SSH
      IT Discussion • ssh ssh keys security • hobbit666

      1 Vote • 60 Posts • 714 Views

      scottalanmiller

      @stacksofplates said in Securing SSH:

      Another really good option is not letting them log directly into the systems at all and forcing them to use a config management tool. So something like Tower or a Jenkins server that logs all of the commands run and has the permissions set there.

      Right. Just like the best defense is a good offense (or vice versa?) The most secure port, is a closed port. Locking down SSH, no matter how good, isn't as good as completely closing it.

      Or using config management to only open it when necessary, is an "in between" step, too.

    • scottalanmiller

      SSH Tunnel Through a Jump Host for Arbitrary Services
      IT Discussion • ssh ssh tunnel vpn • scottalanmiller

      5 Votes • 7 Posts • 829 Views

      scottalanmiller

      I've already used this guide again. LOL, boy this is handy.

    • Pete.S

      How to mount remote filesystem over ssh (both Windows & Linux)
      IT Discussion • sshfs windows linux ssh • Pete.S

      3 Votes • 7 Posts • 7110 Views

      Pete.S

      @dafyre said in How to mount remote filesystem over ssh (both Windows & Linux):

      @black3dynamite said in How to mount remote filesystem over ssh (both Windows & Linux):

      @dafyre Installing sshfs and winfsp via choco is older than the ones from GitHub.

      If you installed them via choco do this to mount at the host root directory or other directories.
      https://github.com/billziss-gh/sshfs-win/issues/102

      Host root directory
      \\sshfs\[email protected]\..\..

      Specific directory like /var/www
      \\sshfs\[email protected]\..\..\var\www

      Thanks for the pointer. I did install using choco. I'm able to make it work now.

      Edit: Just to see if I can, I may go back and do straight installs.

      As I said above with the latest version I mount the root directory with \\sshfs.r\[email protected]

      However, if you want to mount another directory like /var/www you have to do:
      \\sshfs.r\[email protected]\var\www\
      The trailing \ is very important!
      It just doesn't work without it if your path is more than one directory deep. You also need to use backslash and not the forward slash.

    • JaredBusch

      Solved Copy SSH public key to system behind a jump box
      IT Discussion • ssh ssh-copy-id jumpbox ssh keys • JaredBusch

      2 Votes • 6 Posts • 204 Views

      JaredBusch

      @black3dynamite said in Copy SSH public key to system behind a jump box:

      # From your host to your JUMPBOX
      # Not needed if your public key is already in place
      cat ~/.ssh/id_ed25519.pub | ssh jump.domain.com 'umask 0077; mkdir -p .ssh; cat >> .ssh/authorized_keys'

      ssh-copy-id should do this

    • Pete.S

      Unsolved Does Windows 2016 Server have SSH server?
      IT Discussion • ssh windows server 2016 • Pete.S

      1 Vote • 6 Posts • 577 Views

      Pete.S

      @Romo said in Does Windows 2016 Server have SSH?:

      @Pete-S start and type winver

      Awesome!

      Unfortunately it's a version 1607 build 14393.3243.
      So I can't install with powershell according to the article above.

    • DustinB3403

      SSH Access to Windows 10 Pro Workstations
      IT Discussion • ssh windows 10 server management • DustinB3403

      0 Votes • 11 Posts • 489 Views

      Obsolesce

      @JaredBusch said in SSH Access to Windows 10 Pro Workstations:

      @DustinB3403 said in SSH Access to Windows 10 Pro Workstations:

      @scottalanmiller said in SSH Access to Windows 10 Pro Workstations:

      On Server, no issue. SSH the same as with Linux. SSH on Windows 10 is "single user" just like anything else on Windows 10.

      So then why would they have the statement about "usually to correct problems" as to me this would be a two person use. One who is using the desktop and the other administrator who is working on fixing an issue via ssh (presumably while the other user is using said system).

      I'm not bothering to reread anything, but MS has long allowed admin connections.

      Yes, this has been a known fact for as long as I can remember... Admins are exempt for administrative purposes.

    • Pete.S

      Why does some key combinations not work over ssh?
      IT Discussion • midnight commander ssh • Pete.S

      1 Vote • 32 Posts • 429 Views

      Pete.S

      @scottalanmiller said in Why does some key combinations not work over ssh?:

      @Pete-S said in Why does some key combinations not work over ssh?:

      @scottalanmiller said in Why does some key combinations not work over ssh?:

      So the issue is that SSH uses the ASCII definitions for what can be passed, and things like Control-Shift aren't defined in the ASCII C0 control set.

      https://en.wikipedia.org/w/index.php?title=C0_and_C1_control_codes&oldid=869654887#C0_controls

      So they aren't passed because they aren't part of the character set of the protocol. So yes, it's SSH not passing it because it doesn't exist to SSH 😞

      That's too bad.

      Do you have any link where it says that ssh uses these definitions? Maybe there is a way around it.

      Can't find one, not with OpenSSH. Tectia supports it, but is crap in general. If you search on it, everyone talks about the ASCII limits of SSH. You'll find SFTP / SCP have the ASCII / Binary option for connections because of the underlying ASCII protocol in use.

      Thanks, I'll dig around and see if I can find something. Otherwise I'll just have to accept that it is what it is 🙂

    • scottalanmiller

      Tracking Down Ubuntu BASH Session Closing
      IT Discussion • ssh linux openssh ubuntu ubuntu 16.04 ubuntu 18.04 bash shell zsh • scottalanmiller

      1 Vote • 45 Posts • 782 Views

      matteo nunziati

      @scottalanmiller said in Tracking Down Ubuntu BASH Session Closing:

      @matteo-nunziati said in Tracking Down Ubuntu BASH Session Closing:

      @scottalanmiller said in Tracking Down Ubuntu BASH Session Closing:

      If I use zsh, I'm good. If I enter BASH from zsh, I get kicked out after several seconds. Definitely is something to do with BASH.

      Stupid tryout: use bash and then enter zsh before being kicked out. Still out?
      To understand if it is the firing of bash itself or the stay in bash...

      No, the underlying bash remains until the ZSH closes. Same as if you were running top from it, for example.

      So basically bash is able to run long running jobs with your user...
      It's the interactivity with the shell to be broken... Meh.

      Sorry the thread is long, did you mention any test from zsh with:

      bash <-- ok this kills the session
      bash -i any difference???
      bash -l ???
      bash --norc
      bash --noprofile

      From bash man page

    • JaredBusch

      VPS injected ssh keys
      IT Discussion • ssh ssh keys vps vps security scripting automation • JaredBusch

      1 Vote • 6 Posts • 306 Views

      scottalanmiller

      @JaredBusch said in VPS injected ssh keys:

      Under no circumstances do I actually want anyone's key tied to the root user. It negates all accountability.

      It's for pre-production setup. Not for deploying straight to production.