Librenix
Information for Linux System Administration 

Restrict users to SCP and SFTP with Chrooted rssh on RHEL

FTP is an insecure protocol, but file transfer is required all the time. You can use OpenSSH Server to transfer files using SCP and SFTP (secure ftp) without setting up an FTP server. However, this feature also grants ssh shell access to a user.

In this article series we will help you provide secure restricted file-transfer services to your users without resorting to FTP. It also covers chroot jail setup instructions to lock down users to their own home directories (allow users to transfer files but not browse the entire Linux / UNIX file system of the server) as well as per user configurations. read more...
mail this link | permapage | score:8189 | -nixcraft, January 2, 2008

sshpass: Automate ssh password authentication

SSH’s (secure shell) most common authentication mode is called “interactive keyboard password authentication”, so called both because it is typically done via keyboard, and because openssh takes active measures to make sure that the password is, indeed, typed interactively by the keyboard.

Sometimes, however, it is necessary to fool ssh into accepting an interactive password non-interactively. This is where sshpass comes in. read more...
permapage | score:8187 | -gg234, May 5, 2008

Parallel SSH Sessions

Centrally control multiple SSH sessions to multiple remote hosts simultaneously...
If you want to increase your productivity with SSH, you can try a tool that lets you run commands on more than one remote machine at the same time. Parallel ssh, Cluster SSH, and ClusterIt let you specify commands in a single terminal window and send them to a collection of remote machines where they can be executed.

Why would you need a utility like this when, using openSSH, you can create a file containing your commands and use a bash for loop to run it on a list of remote hosts, one at a time? One advantage of a parallel SSH utility is that commands can be run on several hosts at the same time.
read more...
mail this link | permapage | score:8168 | -Ray, November 11, 2008

Tutorial: Set up RAID1 on a remote Linux system via SSH

RAID-1 allows you to create an exact copy of the original drive. Thus, it results in increased fault tolerance and an easy data recovery option for a single server. It is true that the best and easiest way to set up RAID-1 is during installation. But if you forgot to set up RAID-1 during installation, or if you have added a new hard disk after installation, then this how-to covers setting up RAID-1 mirroring on a running remote Linux system over an ssh session. read more...
permapage | score:8111 | -nixcraft, June 21, 2006

WiFi Hotspot Privacy with SSH Tunnelling

Wish you had some privacy while working from a wireless hotspot?
The problem is that for it to be a good hotspot anyone needs to be able to use it. Now you are really “socializing” with the others around you since they can read your email, instant messaging and see what you are web browsing. To use SSH to protect your traffic you use the concept of port-forwarding. Use an encrypted SSH tunnel to a destination you reasonably trust and direct your activities through it. This encrypts your easy-to-read traffic over the exposed link of the wireless until it comes out of the SSH server and looks like normal traffic originating from there. Now our friends in the coffee shop cannot read our email, instant messaging or web pages.
read more...
mail this link | permapage | score:8097 | -Ray, December 13, 2005

Tutorial: Mount remote directories with SSHFS on Ubuntu 11.10

This tutorial explains how you can mount a directory from a remote server on the local server securely using SSHFS. SSHFS (Secure SHell FileSystem) is a filesystem that serves files/directories securely over SSH, and local users can use them just as if they were local files/directories. On the local computer, the remote share is mounted via FUSE (Filesystem in Userspace). I will use Ubuntu 11.10 for both the local and the remote server. read more...
permapage | score:8012 | -falko, December 6, 2011

OpenSSH Cryptography Tutorial

An introduction to OpenSSH on Unix / Linux...
OpenSSH, an OpenBSD project, is an incredibly secure implementation of the SSH protocol, a way of logging into a remote machine. For users of outdated protocols such as RSH, rlogin, and Telnet, it's an updated, secure replacement. For those who have never used anything like it, SSH can become a very valuable tool.

SSH is usually used to access a remote machine's shell, although there are other uses, such as:
read more...
permapage | score:7984 | -Ray, October 16, 2006

FreeBSD remote install over Linux via SSH

From the not-intended-for-mass-usage dept., the depenguinator will let you turn your Linux box into a FreeBSD box remotely. Imagine the possibilities for insecure Linux systems turning into FreeBSD systems overnight, much to the surprise of the (original) owners...
Many computer systems around the world have been possessed by penguins; some have even been possessed by dead rats. In light of this, it is desirable to exorcize these evil spirits, and replace them with a nice, friendly daemon.

I've put together some code for building a FreeBSD disk image which will boot into memory, configure the network, set a root password, and enable SSH. This can be used to "depenguinate" a Linux box, without requiring any access beyond a network connection.
read more...
mail this link | permapage | score:7961 | -Ray, January 2, 2004

Secure SSH with WiKID two factor authentication

SSH offers a highly secure channel for remote administration of servers. However, if you face an audit for regulatory or business requirements, such as Visa/Mastercard PCI, you need to be aware of some potential authentication-related shortcomings that may cause headaches in an audit. For example:

  • There is no way to control which users have public key authorization
  • There is no way to enforce passphrase complexity (or even be sure that one is being used)
  • There is no way to expire a public key

In this document we are going to demonstrate how to combine two-factor authentication from WiKID with an SSH gateway server with hosted private keys to create a highly secure, auditable and easy-to-use remote access solution.

read more...
mail this link | permapage | score:7911 | -nowen, April 30, 2007

Tutorial: Disable SSH, use scponly for file transfer (Debian 6)

scponly is an alternate shell that restricts users to SCP and SFTP logins, but disallows SSH logins. It is a wrapper to the OpenSSH suite of applications. With the help of scponly, you can allow your users to use clients such as WinSCP or FileZilla to upload/download files, but you refuse SSH logins (e.g. with PuTTY) so that your users cannot execute files/programs. This tutorial shows how to install and use scponly on Debian Squeeze. read more...
permapage | score:7904 | -falko, August 24, 2011

SSHFS: Securely Mount Remote Filesystem in RHEL

It is possible to mount your remote filesystem as a local filesystem on your Red Hat/CentOS Linux system using sshfs.

FUSE is a Linux kernel module also available for FreeBSD, OpenSolaris and Mac OS X that allows non-privileged users to create their own file systems without the need to write any kernel code. SSHFS command utilizes FUSE to mount a file system using ssh.

This tutorial will describe installing FUSE, and using sshfs to mount your remote filesystem as a local mount point on your Linux system. read more...
mail this link | permapage | score:7864 | -nixcraft, May 10, 2007

Openssh with AIX chroot

This article describes how to set up an IBM AIX chroot environment and use it with ssh, sftp, and scp. You will also learn about the prerequisites for AIX and openssh, and how to configure and use a chroot environment. read more...
permapage | score:7836 | -BlueVoodoo, May 12, 2008

SSH as a SOCKS proxy

Yet another sweet ability of OpenSSH...
The -D arg tells OpenSSH to be a SOCKS proxy. So you simply log in to the endpoint via SSH with the -D arg like:

ssh -D 1234 user@host.example.com

And then tell your web browser to use a SOCKS v5 proxy on localhost at the specified port and bingo, you have a secure connection to your endpoint.
read more...
permapage | score:7835 | -Ray, January 23, 2009

Securing SSH

Yes, even OpenSSH is vulnerable...
Apart from past flaws in the OpenSSH daemon itself that have allowed remote compromise (very rare), most break-ins result from successful brute-force attacks. You can see them in your firewall, system or auth logs; they are an extremely common form of attack. Here is an excerpt from the /var/log/messages file on a CentOS Linux box (the attacking hostname has been obfuscated). You can see multiple attempts to log in as users root and ftp. Also note the time between repeated attempts - one second or less, much too quick to be a human. This is an automated attack.
read more...
mail this link | permapage | score:7802 | -Ray, April 25, 2006

Tutorial: SSH Port forwarding

This guide will get you up and tunneling your sessions over encrypted network connections.
SSH stands for Secure SHell, and it works very similarly to the other login programs (it's based on Rsh, actually) with one important difference - it encrypts the entire communication session. When you enter your login and password they are encrypted before being sent. Likewise, everything you type and everything that comes back to you is encrypted as long as you're within that SSH session. The concept is very similar to how the military scrambles their radio communications to keep them from being intercepted by the enemy.
[If you still have problems in forwarding sessions over encrypted tunnels after reading the guide in the [read more] link below, try alternate SSH tunneling tutorial. -Ed] read more...
mail this link | permapage | score:7792 | -BluNereid, March 18, 2001 (Updated: April 1, 2005)

Tutorial: SMTP over an SSH tunnel

Make your email a little bit more private with the Secure Shell.
It is widely known that POP3 is a very insecure protocol, since it is a plain text protocol that transmits passwords and usernames with no protection. Anyone on a private network can quickly sniff packets and determine all the passwords used on the network. Although advances in POP3 authentication have surfaced (APOP, SSL, etc.) many servers still use the old plain text format.

SSH tunneling is the process of establishing a secure, encrypted tunnel between you and the mail host. This tunnel can be used for anything, but by using the Precommand feature of KMail, I will show you how to use a tunnel for POP3 and SMTP.
read more...
mail this link | permapage | score:7786 | -Ray, May 20, 2001 (Updated: June 8, 2003)

Tutorial: SFTP chroot user jail with OpenSSH 5.x

The OpenSSH 4.9-5.x updates now include built-in jailing. It is still a little confusing, so I have written an update to my former 4.x tutorial.

This tutorial shows how to set up a safe chroot for your users. It offers chroot only and will deny all SSH access. It should only take about thirty minutes from start to finish including package download times if you don't already have them.

This method is safer because it doesn't allow the users access to any commands such as a compiler or the perl interpreter.
You will not need to install any extensive libraries or copy hundreds of files for functional use.

The user will be 'jailed' to any directory you choose, which means that they will see "/home/username/" as just "/", preventing them from seeing your entire server or other users' files while still using SECURE FTP. read more...
mail this link | permapage | score:7739 | -GO ILLINI, May 6, 2008

Compiling OpenSSH on Ubuntu Server

Find out how to compile OpenSSH on the latest version of Ubuntu, Ubuntu 7.04 Feisty Fawn Server, to get safely connected to your remote servers.
Installing the OpenSSH client and server on Ubuntu is as easy as typing "sudo apt-get install openssh" at a terminal prompt. However, this will install Portable OpenSSH version 4.3p2[-8ubuntu1]. Unfortunately for users, this version of Portable OpenSSH does not include the "Match" functionality added to the SSH server in version 4.4p1, that "allows some configuration options to be selectively overridden if specific criteria (based on user, group, hostname and/or address) are met."
read more...
mail this link | permapage | score:7683 | -estride, May 31, 2007

Linux SSH Tutorial

Learn the ins and outs of using SSH on your Linux box from this newly-rewritten tutorial.
This tutorial isn't going to cover how to install SSH, but will cover how to use it for a variety of tasks. Consult your Linux distribution's documentation for information on how to set up OpenSSH.

Chances are that if you are using a version of Linux that was installed within the last 4 or 5 years that you already have OpenSSH installed. The version of SSH that you will want to use on Linux is called OpenSSH. As of this writing (January 2006), the latest version available is 4.2, but you may encounter versions from 3.6 on up. If you are using anything lower than version 3.9, you should upgrade it.
read more...
mail this link | permapage | score:7656 | -Ray, March 4, 2006

Secure OpenSSH with SSHjail

The one time I had a Linux server cracked, it was through a bug in OpenSSH...
You should run unsecured and sensitive network services in a chroot jail, because if a hacker can break into a vulnerable service he could exploit your whole system. If a service is jailed, the intruder will be able to see only what you want him to see -- that is, nothing useful. Some of the most frequent targets of attack, which therefore should be jailed, are BIND, Apache, FTP, and SSH. SSHjail is a patch for the OpenSSH daemon. It modifies two OpenSSH files (session.c and version.h) and allows you to jail your SSH service without any need for SSH reconfiguration.
read more...
mail this link | permapage | score:7595 | -Ray, April 27, 2007
 
Articles are owned by their authors.   © 2000-2012 Ray Yeargin