The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

    Mastodon

  • Twitter Updates

  • My Flickr Stream

    20140508-Delphi-2007--Project-Options--Cannot-Edit-Application-Title-HelpFile-Icon-Theming20140430-Fiddler-Filter-Actions-Button-Run-Filterset-now20140424-VMware-Fusion-6.0.3.-no-reclaimable
    More Photos

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 1,860 other subscribers

Archive for the ‘SSH’ Category

« Previous Entries
Next Entries »

autossh on Windows from a service: automatically starting a tunnel no matter anyone being logged on

Posted by jpluimers on 2021/08/09

There is an autossh binary for Windows available on GitHub: [WayBack] GitHub – jazzl0ver/autossh: Windows binary for autossh v1.4c.

Combined with NSSM (which for instance you can install through [WayBack] Chocolatey Software | NSSM – the Non-Sucking Service Manager) you can not only automatically build and maintain an SSH connection, but also ensure the autossh process is up and running as a service without the need for an active logon.

This allows for SSH based tunnels from and to your Windows system.

For this usage scenario, there is no need for these tools any more:

Future research:

One time steps

These are in part based on:

1. Download autoSSH

Download the most recent [WayBack] Releases · jazzl0ver/autossh · GitHub  (see below for updates).

I used the 1.4g version: [WayBack] autossh.exe, then put on my Windows PATH.

2. Install NSSM

Since it is on chocolatey ([WayBack] Chocolatey Software | NSSM – the Non-Sucking Service Manager 2.24.101.20180116), this will suffice:

choco install --yes nssm

3 .Prepare remote computer so it allows enough SSH retries

Check the value of MaxAuthTries in /etc/ssh/sshd_config.

# grep MaxAuthTries /etc/ssh/sshd_config MaxAuthTries 1

The value needs to be at least 3 or higher for ssh-copy-id to work properly.

When changing the value, be sure to restart the sshd daemon.

Without a low value of MaxAuthTries in /etc/ssh/sshd_config, ssh-copy-id will give an error ERROR: Received disconnect from myRemoteComputer port 2222:2: Too many authentication failures.

See also these link via [WayBack ]“INFO: attempting to log in with the new key(s), to filter out any that are already installed” “Too many authentication failures” – Google Search:

4. Temporarily allow the remote account to perform interctive logon

Temporarily change the user shell to /bin/bash to allow [WayBack] ssh-copy-id to work at all.

This is explained in more detail by [WayBack] shell – ssh dissable login, but allow copy-id – Server Fault.

5. Generate public and private key pairs

You need an ssh public and private key, then transfer this to your Windows client. You can for instance use these as a base:

For instance (where myLocalUser is the local user generate the key-pair for for, and myRemoteUser plus myRemoteComputer is the remote user and computer you want to autossh to):

  • ssh-keygen -t rsa -b 4096 -f %UserProfile%\.ssh\id_rsa_myLocalUser@%ComputerName%_autossh_myRemoteUser@myRemoteComputer
  • ssh-keygen -t ed25519 -f %UserProfile%\.ssh\id_ed25519_myLocalUser@%ComputerName%_autossh_myRemoteUser@myRemoteComputer

6. install git (for ssh-copy-id and bash)

Since git includes ssh-copy-id (which you need in the next step, it is at %Program Files%\Git\usr\bin\ssh-copy-id) and git is on chocolatey ([WayBack] Chocolatey Software | Git (Install) 2.23.0):

choco install --yes git.install --params "/GitAndUnixToolsOnPath /NoGitLfs /SChannel /NoAutoCrlf /WindowsTerminal"

7. Copy the public parts of the generated key pairs to the remote account on the remote machine

Use bash with ssh-copy-id to transfer the generated public keys to a remote system (replace 2222 with the SSH port number on the remote computer; often it is just 22):

pushd %UserProfile%\.ssh
bash -c "ssh-copy-id -i %UserProfile%\.ssh\id_rsa_myLocalUser@%ComputerName%_autossh_myRemoteUser@myRemoteComputer -p 2222 myRemoteUser@myRemoteComputer"
bash -c "ssh-copy-id -i %UserProfile%\.ssh\id_ed25519_myLocalUser_%ComputerName%_autossh_myRemoteUser@myRemoteComputer -p 2222 myRemoteUser@myRemoteComputer"
popd

This sounds overly complicated, but is the only way to incorporate the environment variables.

8. Test with ssh, then with autossh

These two ssh commands should succeed; choose the one for which you prefer the rsa or ed25519 algorithm.

  • ssh -i %UserProfile%\.ssh\id_rsa_myLocalUser@%ComputerName%_autossh_myRemoteUser@myRemoteComputer -p 2222 myRemoteUser@myRemoteComputer
  • ssh -i %UserProfile%\.ssh\id_ed25519_myLocalUser_%ComputerName%_autossh_myRemoteUser@myRemoteComputer -p 2222 myRemoteUser@myRemoteComputer

After this, try with autossh:

  • autossh -M 0 -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -i %UserProfile%\.ssh\id_rsa_myLocalUser@%ComputerName%_autossh_myRemoteUser@myRemoteComputer -p 2222 myRemoteUser@myRemoteComputer
  • autossh -M 0 -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -i %UserProfile%\.ssh\id_ed25519_myLocalUser_%ComputerName%_autossh_myRemoteUser@myRemoteComputer -p 2222 myRemoteUser@myRemoteComputer

This disables the autossh port monitoring (the -M 0 option, but uses a combination of interval/count-max from ssh itself to monitor the connection (the -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" options).

Note that there is no default monitoring port, as it can be any one: [WayBack] linux – What is the default monitoring port for autossh? – Super User

9. Install autossh as a service

a

Steps

  1. a
  2. b
  3. c
  4. d
  5. e

SSH logon

Depending on which algorithm you like most, use either of the below 2 (replace 2222 with the SSH port number on the remote computer; often it is just 22):

  • ssh -i %UserProfile%\.ssh\id_rsa_myLocalUser@%ComputerName%_autossh_myRemoteUser@myRemoteComputer -p 2222 myRemoteUser@myRemoteComputer
  • ssh -i %UserProfile%\.ssh\id_ed25519_myLocalUser_%ComputerName%_autossh_myRemoteUser@myRemoteComputer -p 2222 myRemoteUser@myRemoteComputer

 

C:\Users\jeroenp>ssh-keygen -t ed25519 -f %UserProfile%\.ssh\id_ed25519_myUser_%ComputerName%_autossh_revue
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in C:\Users\jeroenp\.ssh\id_ed25519_myUser_D10U003_autossh_revue.
Your public key has been saved in C:\Users\jeroenp\.ssh\id_ed25519_myUser_D10U003_autossh_revue.pub.
The key fingerprint is:
SHA256:6qjzXhQtZpTzU6aryHMYuwVs5b4a/2COKxFGFQj0Eg4 jeroenp@D10U003
The key's randomart image is:
+--[ED25519 256]--+
|E+ oo...         |
|o =  .o.  o      |
| + .  *o.+       |
|  +. = o+        |
| . .+ o So       |
|  ...+ ..        |
|   o.=B.         |
|  o *@oo         |
|  .*O*=..        |
+----[SHA256]-----+

C:\Users\jeroenp>ssh-keygen -t rsa -b 4096 -f %UserProfile%\.ssh\id_rsa_myUser_%ComputerName%_autossh_revue
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in C:\Users\jeroenp\.ssh\id_rsa_myUser_D10U003_autossh_revue.
Your public key has been saved in C:\Users\jeroenp\.ssh\id_rsa_myUser_D10U003_autossh_revue.pub.
The key fingerprint is:
SHA256:WaWRoAnr4OuXAnc+MekpbdnNto71SgdMykp7XqylQr8 jeroenp@D10U003
The key's randomart image is:
+---[RSA 4096]----+
|    .   .....    |
|     o o  .+     |
|  . . o . o      |
| . o . + o       |
|  . o.o S        |
|. .o*o . .       |
| o.*oO.o* .      |
| .o %ooO+o       |
|  .= oE++o.      |
+----[SHA256]-----+

NSSM

NSSM is really cool to run any application as a service: [WayBack] NSSM – the Non-Sucking Service Manager

nssm is a service helper which doesn’t suck. srvany and other service helper programs suck because they don’t handle failure of the application running as a service. If you use such a program you may see a service listed as started when in fact the application has died. nssm monitors the running service and will restart it if it dies. With nssm you know that if a service says it’s running, it really is. Alternatively, if your application is well-behaved you can configure nssm to absolve all responsibility for restarting it and let Windows take care of recovery actions.

nssm logs its progress to the system Event Log so you can get some idea of why an application isn’t behaving as it should.

nssm also features a graphical service installation and removal facility. Prior to version 2.19 it did suck. Now it’s quite a bit better.

After installing, everything is command-line based (I cut away some blank lines for readability):

C:\bin\bin>nssm --help
NSSM: The non-sucking service manager
Version 2.24-101-g897c7ad 64-bit, 2017-04-26
Usage: nssm [ ...]

To show service installation GUI:

        nssm install []

To install a service without confirmation:

        nssm install   [ ...]

To show service editing GUI:

        nssm edit 

To retrieve or edit service parameters directly:

        nssm dump 
        nssm get   []
        nssm set   [] 
        nssm reset   []

To show service removal GUI:

        nssm remove []

To remove a service without confirmation:

        nssm remove  confirm

To manage a service:

        nssm start 
        nssm stop 
        nssm restart 
        nssm status 
        nssm statuscode 
        nssm rotate 
        nssm processes

Windows binary autossh version

If it is behind on [WayBack] autossh (see version history at [WayBack] autossh/CHANGES.txt), then just ask for a new version; usually it gets built and released quickly: [WayBack] Any plans for 1.4g? · Issue #3 · jazzl0ver/autossh · GitHub

[WayBack] Releases · jazzl0ver/autossh · GitHub  at the time of writing:

–jeroen

Posted in *nix, *nix-tools, Communications Development, Development, Internet protocol suite, Power User, SSH, TCP | Leave a Comment »

Filezilla: figuring out the cause of “Connection timed out after 20 seconds of inactivity”

Posted by jpluimers on 2021/07/21

On one of my Raspberry Pi boxes, somehow I could not access files over SFTP (SSH File Transfer Protocol) via FileZilla.

I would consistently get this error:

"Connection timed out after 20 seconds of inactivity"

Figuring the exact cause took a while.

TL;DR: SFTP uses an interactive non-login shell, then interprets the output from that shell. For that kind of shell, ensure few or none scripts run that output text.

These links finally got me to the cause

Read the rest of this entry »

Posted in *nix, *nix-tools, bash, bash, Communications Development, Conference Topics, Conferences, Development, Event, Internet protocol suite, Power User, Scripting, SFTP, Software Development, SSH, TCP | Leave a Comment »

🔎Julia Evans🔍 on Twitter: “ssh tips… “

Posted by jpluimers on 2021/01/08

Great work by [WayBack]  🔎Julia Evans🔍 on Twitter: “ssh tips… “

[WayBackssh tips JPG

Via:

Some more tips:

Read the rest of this entry »

Posted in *nix, *nix-tools, Communications Development, Development, Internet protocol suite, Power User, SSH, ssh/sshd | Leave a Comment »

Remote access to the Embarcadero License Center via SSH tunnel – twm’s blog

Posted by jpluimers on 2020/08/10

Thomas basically did all the research on the forwarding needed for ELC (formerly Belise/Elise), then showed the PuTTY equivalent to ssh user@remote -L5567:192.168.1.200:5567:

[WayBackRemote access to the Embarcadero License Center via SSH tunnel – twm’s blog

Via: [WayBack] Once you have set up an Embarcadero License Center (ELC) for your company (with network named user or concurrent licenses) you will need network access … – Thomas Mueller (dummzeuch) – Google+

Related: [WayBack] Introducing the Embarcadero License Center – ELC

–jeroen

 

Posted in *nix, Communications Development, Delphi, Development, Internet protocol suite, Licensing, Power User, Software Development, SSH, ssh/sshd | Leave a Comment »

ssh_config section order is important: the first setting obtained from a Host/Match section applies

Posted by jpluimers on 2020/06/12

Often, configuration files work like this:

  • global settings are at the top
  • detailed settings are further on, overwriting global settings

Not for ssh_config though, so I was right writing I should read more on it in Good read for starting to intermediate ssh users is “SSH Essentials: Working with SSH Servers, Clients, and Keys | DigitalOcean” and pointers to more advanced reading material.

So here is how ssh_config does it as per man page at [WayBack] ssh_config(5) – OpenBSD manual pages and [WayBack] ssh_config — OpenSSH SSH client configuration files at Linux.org:

     For each parameter, the first obtained value will be used.  The configuration files contain sections separated
     by “Host” specifications, and that section is only applied for hosts that match one of the patterns given in the
     specification.  The matched host name is the one given on the command line.

     Since the first obtained value for each parameter is used, more host-specific declarations should be given near
     the beginning of the file, and general defaults at the end.

This means a section Host * needs to come at the end.

I got that wrong and it took me the better half of a morning to figure out the cause of a connection problem ending in this:

debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred publickey
debug3: authmethod_lookup publickey
debug3: remaining preferred:
debug1: No more authentication methods to try.

Somehow, the identity file was never used to try public key authentication at all because of the ssh_config order in ~/.ssh/config.

I’m not the only one confused, as during the search for the cause with “remaining preferred” “No more authentication methods to try.”:

Maybe now I should step up from manually editing the ssh_config file and use [WayBack] GitHub – moul/advanced-ssh-config: make your ssh client smarter to generate it for me.

–jeroen

Posted in *nix, *nix-tools, Communications Development, Development, Internet protocol suite, Power User, SSH, ssh/sshd, TCP | Leave a Comment »

Authssh from Windows

Posted by jpluimers on 2020/05/22

Running autossh from Windows is still on my list, so here are a few links:

–jeroen

Posted in Communications Development, Development, Internet protocol suite, Power User, SSH, TCP, Windows | Leave a Comment »

On my list of things to try: GitHub – arthepsy/ssh-audit; SSH server auditing

Posted by jpluimers on 2020/05/18

This looks like an ssh equivalent to testssl.sh: [WayBack] GitHub – arthepsy/ssh-audit: SSH server auditing (banner, key exchange, encryption, mac, compression, compatibility, security, etc).

It is on my list of things to try, so I’ve put a watch on the repository changes.

–jeroen

Read the rest of this entry »

Posted in Communications Development, Development, Encryption, Internet protocol suite, Power User, Security, SSH, TCP | Leave a Comment »

OpenSuSE: keeping an ssh connection alive (convenient for keeping port forwardings up)

Posted by jpluimers on 2020/05/11

Below the steps for ensuring port forwardings are up from an OpenSuSE system to an ssh server using autossh on the client system.

Autossh

Many have written about the benefits of autossh, so I can’t do better than that. A good abbreviated quote is from [WayBack] Autossh for persistent database connectivity – Compose Articles:

Autossh wraps SSH in an application which was designed to monitor the state of the connection. It will also restart SSH if it exits. The idea of the monitoring is that If it sees the packets aren’t going through, it would also restart SSH. …

the developers of OpenSSH added some options – ServerAliveInterval and ServerAliveCountMax – which activate built in connection checking in OpenSSH. Together the options set checking at a set interval and exiting SSH if the count maximum is exceeded. And when SSH exits, autossh will restart it so it serves as much improved replacement as there’s no extra ports needed.

Summary

The scenario is that a client user named autoSshClientUser automatically logs on to a server as user autosshServerUser using autossh from the client system.

The sequence is to first test this manually from the client system using a regular ssh command, then manually with the autossh command from the client system, then automate the starting (and keep alive) of the autossh instance from the client system.

Start configuring the server side first:

  1. Create a user specific for logon (below it is autosshServerUser).
  2. Limit the user to only allow only port forwarding: [WayBacksecurity – How to create a restricted SSH user for port forwarding? – Ask Ubuntu

Then finish confiruging the client side:

  1. Install autossh: zypper install autossh
  2. Ensure autoSshClientUser has an ssh key that does not require a password
  3. Transfer the public key to autosshServerUser on the remote system
  4. Test with an autossh command that suits your situation best
  5. Ensure autoSshClientUser runs a job at or shortly after system boot (after the network is up) that will start autossh with the correct parameters

If the autoSshClientUser is root, then you could use a service to start autossh, but be sure that service depends on a functioning network connection.

If the autoSshClientUser is not root, then usually a user based cron job works best.

Naming idea:

  • Assume the client system is Train and the server is Station
  • The server user could be autosshTrainAtStation
  • The client user could be autosshTrainToStation

Server side

  1. [Archive.is] Installing on other OSes (Debian / Ubuntu;  Debian / Ubuntu; CentOS / Fedora / RHEL; ArchLinux; FreeBSD; OSX)
  2. As root, add he user using [Archive.is]useradd:

    # useradd --create-home --shell /bin/false autosshServerUser

  3. As root use su to become autosshServerUser, then create an ssh key without a password (you need to specify the logon shell) using [WayBackssh-keygen.
    This generates bot a secure rsa and

    # su --shell /bin/bash autosshServerUser
> cd ~
> whoami
autosshServerUser
> rm -f ~/.ssh/id_rsa ~/.ssh/id_rsa.pub
> ssh-keygen -t rsa -b 4096 -o -a 100 -f ~/.ssh/id_rsa -N ''
Generating public/private rsa key pair.
Your identification has been saved in /home/autosshServerUser/.ssh/id_rsa.
Your public key has been saved in /home/autosshServerUser/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:... autossh24@linux
The key's randomart image is:
+---[RSA 2048]----+
...
+----[SHA256]-----+
> rm -f ~/.ssh/id_ed25519 ~/.ssh/id_ed25519.pub
> ssh-keygen -t ed25519 -o -a 100 -f ~/.ssh/id_ed25519 -N ''
Generating public/private ed25519 key pair.
Your identification has been saved in /home/autossh24/.ssh/id_ed25519.
Your public key has been saved in /home/autossh24/.ssh/id_ed25519.pub.
The key fingerprint is:
SHA256:... autossh24@linux
The key's randomart image is:
+--[ED25519 256]--+
...
+----[SHA256]-----+

Client side

I need to check the below links on killing autossh (including the underlying ssh based connection), as you need to use the kill or pkill parameters signals -3 (SIGQUIT), not -9 (SIGKILL) as explained in [WayBack] ssh – How to stop/kill an autossh tunnel? – Super User (thanks mariusmatutiae and dviljoen).

Monitoring the state of the ssh connection needs some parameters (like ClientAliveInterval and ClientAliveCountMax). A good start on that is [WayBack] networking – autossh does not kill ssh when link down – Server Fault.

Setting up a service so root automatically logs on a remote system:

With non-root, it might actually be possible to do this  as a service too given there is a user= parameter in service files:

Though as non-root, most people seem to use cron [WayBack] ssh – Problems with Autossh: running from cron vs terminal – Super User

Please do not use /etc/init.d/after.local as mentioned often (for instance in [WayBack] TUMBLEWEED run a script a boot): this mechanism has been deprecated and won’t work on more recent systems (like 2012 and younger: [WayBack] openSUSE Forums – systemd and using the after.local script in openSUSE 12.1). The same holds for /etc/init.d/boot.local: don’t use, even though many people indicate it works, for instance [WayBack] Run a command at boot.

An interesting approach is at [WayBack] Autossh Startup Script for Multiple Tunnels | Surnia Ulula, though I will stick with what’s below.

Read:

Downloads:

References

Most of the above comes from these links:

–jeroen

Continuation of:

Read the rest of this entry »

Posted in *nix, Communications Development, Development, Internet protocol suite, Linux, Power User, SSH, TCP | Leave a Comment »

SSH through HTTPS

Posted by jpluimers on 2020/05/04

Often, hotspots only allow http/https traffic. Other traffic – like SSH – is blocked. Nowadays, fewer hotspots block that, but too many still do.

So it can be worth a while to route your SSH server through HTTPS (I don’t like Web-based SSH that much as terminal emulation in browsers isn’t that well yet, but that seems to change rapidly, more on that in the “Further reading” section below).

After some background reading at apache – Tunnel over HTTPS – Stack Overflow, here are a few links that help you do it:

Server side: DAG: Tunneling SSH over HTTP(S).

You need:

  • An internet connected Apache server (eg. with IP address 10.1.2.3)
  • A FQDN that points to this IP address (eg. ssh.yourdomain.com)
  • A virtual host configuration in Apache for this domain (eg. /etc/httpd/conf.d/ssh.yourdomain.com.conf)
  • A configuration to adapt ssh to use the HTTP tunnel

Read more at DAG: Tunneling SSH over HTTP(S) and SSH over SSL, a quick and minimal config..

Client side: Using SSH over the HTTPS port · GitHub Help.

Steps:

  1. Test of it works at all
  2. Edit your local ~/.ssh/config file to redirect SSH to HTTPS

Read more at Using SSH over the HTTPS port · GitHub Help.

Using Putty and an HTTP proxy to ssh anywhere through firewalls | Me in IT.

the Digital me: SSH Tunneling Proxy using Putty on Windows and Linux (Unblock YouTube / Orkut / Facebook).

Tunneling SSH through HTTP proxies using HTTP Connect – ArchWiki.

HTTP Tunneling – ArchWiki.

Running SSHD on port 443.

Not all proxy configurations and hotspots support this. But it might be worth a look: SSH Over Proxy.

Further reading: Web-based SSH.

SSH plugins for browsers:

Web based SSH:

–jeroen

Posted in Communications Development, Development, Encryption, HTTP, https, HTTPS/TLS security, Internet protocol suite, Power User, Security, SSH, TCP | Leave a Comment »

SFTP (SSH file transfer protocol) server on Windows

Posted by jpluimers on 2020/04/10

A few links for my archive:

–jeroen

Posted in Communications Development, Development, Internet protocol suite, Security, SSH, TCP | Leave a Comment »

« Previous Entries
Next Entries »