The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

  • Twitter Updates

  • My Flickr Stream

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 1,994 other followers

Archive for the ‘Internet protocol suite’ Category

ssh_config section order is important: the first setting obtained from a Host/Match section applies

Posted by jpluimers on 2020/06/12

Often, configuration files work like this:

  • global settings are at the top
  • detailed settings are further on, overwriting global settings

Not for ssh_config¬†though, so I was right writing I should read more on it in¬†Good read for starting to intermediate ssh users is ‚ÄúSSH Essentials: Working with SSH Servers, Clients, and Keys | DigitalOcean‚ÄĚ and pointers to more advanced reading material.

So here is how ssh_config¬†does it as per man page at [WayBack] ssh_config(5) – OpenBSD manual pages¬†and¬†[WayBack] ssh_config ‚ÄĒ OpenSSH SSH client configuration files at Linux.org:

     For each parameter, the first obtained value will be used.  The configuration files contain sections separated
     by ‚ÄúHost‚ÄĚ specifications, and that section is only applied for hosts that match one of the patterns given in the
     specification.  The matched host name is the one given on the command line.

     Since the first obtained value for each parameter is used, more host-specific declarations should be given near
     the beginning of the file, and general defaults at the end.

This means a section Host * needs to come at the end.

I got that wrong and it took me the better half of a morning to figure out the cause of a connection problem ending in this:

debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred publickey
debug3: authmethod_lookup publickey
debug3: remaining preferred:
debug1: No more authentication methods to try.

Somehow, the identity file was never used to try public key authentication at all because of the ssh_config order in ~/.ssh/config.

I’m not the only one confused, as during the search for the cause with “remaining preferred” “No more authentication methods to try.”:

Maybe now I should step up from manually editing the ssh_config file and use [WayBack] GitHub Рmoul/advanced-ssh-config: make your ssh client smarter to generate it for me.

–jeroen

Posted in *nix, *nix-tools, Communications Development, Development, Internet protocol suite, Power User, SSH, ssh/sshd, TCP | Leave a Comment »

Authssh from Windows

Posted by jpluimers on 2020/05/22

Running autossh from Windows is still on my list, so here are a few links:

–jeroen

Posted in Communications Development, Development, Internet protocol suite, Power User, SSH, TCP, Windows | Leave a Comment »

On my list of things to try: GitHub – arthepsy/ssh-audit; SSH server auditing

Posted by jpluimers on 2020/05/18

This looks like an ssh equivalent to testssl.sh: [WayBack] GitHub Рarthepsy/ssh-audit: SSH server auditing (banner, key exchange, encryption, mac, compression, compatibility, security, etc).

It is on my list of things to try, so I’ve put a watch on the repository changes.

–jeroen

Read the rest of this entry »

Posted in Communications Development, Development, Encryption, Internet protocol suite, Power User, Security, SSH, TCP | Leave a Comment »

Insomnia REST Client

Posted by jpluimers on 2020/05/12

[WayBack] Insomnia REST Client  A powerful REST API Client with cookie management, environment variables, code generation, and authentication for Mac, Window, and Linux.

Source code at¬†[WayBack] GitHub – getinsomnia/insomnia: The most intuitive cross-platform REST API Client ūüėī.

Via:¬†[WayBack] Paw is nice ‚Äď The Isoblog.

–jeroen

 

 

Posted in Communications Development, Development, HTTP, Internet protocol suite, JavaScript/ECMAScript, JSON, REST, Scripting, Software Development, TCP, Web Development | Leave a Comment »

OpenSuSE: keeping an ssh connection alive (convenient for keeping port forwardings up)

Posted by jpluimers on 2020/05/11

Below the steps for ensuring port forwardings are up from an OpenSuSE system to an ssh server using autossh on the client system.

Autossh

Many have written about the benefits of autossh, so I can’t do better than that. A good abbreviated quote is from¬†[WayBack] Autossh for persistent database connectivity – Compose Articles:

Autossh¬†wraps SSH in an application which was designed to monitor the state of the connection. It will also restart SSH if it exits. The idea of the monitoring is that If it sees the packets aren’t going through, it would also restart SSH. …

the developers of OpenSSH added some options ‚ÄstServerAliveInterval¬†and¬†ServerAliveCountMax¬†‚Äď which activate built in connection checking in OpenSSH. Together the options set checking at a set interval and exiting SSH if the count maximum is exceeded. And when SSH exits, autossh will restart it so it serves as much improved replacement as there’s no extra ports needed.

Summary

The scenario is that a client user named autoSshClientUser automatically logs on to a server as user autosshServerUser using autossh from the client system.

The sequence is to first test this manually from the client system using a regular ssh command, then manually with the autossh command from the client system, then automate the starting (and keep alive) of the autossh instance from the client system.

Start configuring the server side first:

  1. Create a user specific for logon (below it is autosshServerUser).
  2. Limit the user to only allow only port forwarding: [WayBack] security РHow to create a restricted SSH user for port forwarding? РAsk Ubuntu

Then finish confiruging the client side:

  1. Install autossh: zypper install autossh
  2. Ensure autoSshClientUser has an ssh key that does not require a password
  3. Transfer the public key to autosshServerUser on the remote system
  4. Test with an autossh command that suits your situation best
  5. Ensure autoSshClientUser runs a job at or shortly after system boot (after the network is up) that will start autossh with the correct parameters

If the autoSshClientUser is root, then you could use a service to start autossh, but be sure that service depends on a functioning network connection.

If the autoSshClientUser is not root, then usually a user based cron job works best.

Naming idea:

  • Assume the client system is Train¬†and the server is Station
  • The server user could be autosshTrainAtStation
  • The client user could be autosshTrainToStation

Server side

  1. [Archive.is] Installing on other OSes (Debian / Ubuntu;  Debian / Ubuntu; CentOS / Fedora / RHEL; ArchLinux; FreeBSD; OSX)
  2. As root, add he user using [Archive.is]useradd:

    # useradd --create-home --shell /bin/false autosshServerUser

  3. As root use su to become autosshServerUser, then create an ssh key without a password (you need to specify the logon shell) using [WayBack] ssh-keygen.
    This generates bot a secure rsa and

    # su --shell /bin/bash autosshServerUser
    > cd ~
    > whoami
    autosshServerUser
    > rm -f ~/.ssh/id_rsa ~/.ssh/id_rsa.pub
    > ssh-keygen -t rsa -b 4096 -o -a 100 -f ~/.ssh/id_rsa -N ''
    Generating public/private rsa key pair.
    Your identification has been saved in /home/autosshServerUser/.ssh/id_rsa.
    Your public key has been saved in /home/autosshServerUser/.ssh/id_rsa.pub.
    The key fingerprint is:
    SHA256:... autossh24@linux
    The key's randomart image is:
    +---[RSA 2048]----+
    ...
    +----[SHA256]-----+
    > rm -f ~/.ssh/id_ed25519 ~/.ssh/id_ed25519.pub
    > ssh-keygen -t ed25519 -o -a 100 -f ~/.ssh/id_ed25519 -N ''
    Generating public/private ed25519 key pair.
    Your identification has been saved in /home/autossh24/.ssh/id_ed25519.
    Your public key has been saved in /home/autossh24/.ssh/id_ed25519.pub.
    The key fingerprint is:
    SHA256:... autossh24@linux
    The key's randomart image is:
    +--[ED25519 256]--+
    ...
    +----[SHA256]-----+
    

Client side

I need to check the below links on killing autossh (including the underlying ssh based connection), as you need to use the kill or pkill parameters signals -3 (SIGQUIT), not -9 (SIGKILL) as explained in [WayBack] ssh РHow to stop/kill an autossh tunnel? РSuper User (thanks mariusmatutiae and dviljoen).

Monitoring the state of the ssh connection needs some parameters (like ClientAliveInterval and ClientAliveCountMax). A good start on that is [WayBack] networking Рautossh does not kill ssh when link down РServer Fault.

Setting up a service so root automatically logs on a remote system:

With non-root, it might actually be possible to do this  as a service too given there is a user= parameter in service files:

Though as non-root, most people seem to use cron [WayBack] ssh – Problems with Autossh: running from cron vs terminal – Super User

Please do not use¬†/etc/init.d/after.local¬†as mentioned often (for instance in [WayBack] TUMBLEWEED run a script a boot): this mechanism has been deprecated and won’t work on more recent systems (like 2012 and younger: [WayBack] openSUSE Forums – systemd and using the after.local script in openSUSE 12.1). The same holds for /etc/init.d/boot.local: don’t use, even though many people indicate it works, for instance [WayBack] Run a command at boot.

An interesting approach is at¬†[WayBack] Autossh Startup Script for Multiple Tunnels | Surnia Ulula, though I will stick with what’s below.

Read:

Downloads:

References

Most of the above comes from these links:

–jeroen

Continuation of:

Read the rest of this entry »

Posted in *nix, Communications Development, Development, Internet protocol suite, Linux, Power User, SSH, TCP | Leave a Comment »

 
%d bloggers like this: