Difference between revisions of "Category:SSH"
(New page: Category:Engineering) |
|||
Line 1: | Line 1: | ||
[[Category:Engineering]] | [[Category:Engineering]] | ||
+ | |||
+ | == External OpenSSL Command-line FAQ == | ||
+ | This [http://www.madboa.com/geek/openssl/ OpenSSL HowTo/FAQ] deals with the command-line openssl. | ||
+ | |||
+ | == sshd_conf tweaks == | ||
+ | These are changes I always make to /etc/ssh/sshd_config. | ||
+ | See [http://www.fail2ban.org/ fail2ban] for | ||
+ | protecting against bots doing dictionary attacks. | ||
+ | |||
+ | <pre> | ||
+ | # this speeds up logins. | ||
+ | UseDNS no | ||
+ | # bots often check these accounts for weak passwords: | ||
+ | DenyUsers root test admin guest nobody | ||
+ | # for extra security, limit access to only these users: | ||
+ | AllowUsers user1 user2 user3 | ||
+ | </pre> | ||
+ | |||
+ | Use the following to support SSH1. I no longer use this. | ||
+ | <pre> | ||
+ | # this is required if you want to support SSH1 | ||
+ | Protocol 2,1 | ||
+ | # this is required if you want to support SSH1 | ||
+ | PasswordAuthentication yes | ||
+ | </pre> | ||
+ | |||
+ | == simple port forwarding (SSH tunnel) == | ||
+ | This example creates a tunnel for IMAP. Here we forward port 1143 on localhost to 143 (IMAP) on imap.example.com. | ||
+ | <pre> | ||
+ | ssh -f -N -q -L 1143:localhost:143 username@imap.example.com | ||
+ | </pre> | ||
+ | |||
+ | -f tells ssh to go into the background (daemonize). | ||
+ | |||
+ | -N tells ssh that you don't want to run a remote command. That is, you only want to forward ports. | ||
+ | |||
+ | -q tells ssh to be quiet | ||
+ | |||
+ | -L specifies the port forwarding | ||
+ | |||
+ | == reverse port forwarding == | ||
+ | Sometimes I need to make an internal LAN machine expose a service to the outside WAN. | ||
+ | For example, I have a database server that will only accept connections from a | ||
+ | specific development box. That dev box is inside the firewall. I want to connect to | ||
+ | the database from outside the firewall. | ||
+ | <pre>ssh -t -L 5432:localhost:1999 my_name@firewall.example.com ssh -t db_server ssh -t -R 1999:127.0.0.1:5432 my_name@firewall | ||
+ | </pre> | ||
+ | |||
+ | |||
+ | == SSH for Windows == | ||
+ | [http://www.chiark.greenend.org.uk/~sgtatham/putty/ Putty] is the best free SSH client for Windows. You can also use [http://www.cygwin.com Cygwin], but the ANSI terminal emulation isn't as good unless you start the X11 server and run xterm. | ||
+ | |||
+ | == MindTerm SSH client Java Applet == | ||
+ | MindTerm_2.1 (non-commercial). This was the last free version of MindTerm. | ||
+ | |||
+ | [http://www.noah.org/ssh/mindterm.jar mindterm.jar] | ||
+ | |||
+ | Put this applet on a web page and point the <applet> "archive" attribute to the URL of the JAR file: | ||
+ | <small><pre> | ||
+ | <applet archive="mindterm.jar" code="com.mindbright.application.MindTerm.class" width="580" height="400"> | ||
+ | <param name="te" value="xterm-color"> <!-- "vt102" --> | ||
+ | <param name="fs" value="18"> | ||
+ | <param name="gm" value="80x32+0+0"> | ||
+ | <param name="port" value="22"> | ||
+ | <param name="cipher" value="blowfish"> <!-- "des" --> | ||
+ | <param name="usrname" value=""> | ||
+ | <param name="sepframe" value="false"> | ||
+ | <param name="quiet" value="false"> | ||
+ | <param name="cmdsh" value="false"> | ||
+ | <param name="verbose" value="true"> | ||
+ | <pa ram name="autoprops" value="none"> | ||
+ | <param name="idhost" value="false"> | ||
+ | <param name="alive" value="10"> | ||
+ | <param name="appletbg" value="white"> | ||
+ | </applet> | ||
+ | </pre></small> |
Revision as of 04:14, 7 June 2007
Contents
External OpenSSL Command-line FAQ
This OpenSSL HowTo/FAQ deals with the command-line openssl.
sshd_conf tweaks
These are changes I always make to /etc/ssh/sshd_config. See fail2ban for protecting against bots doing dictionary attacks.
# this speeds up logins. UseDNS no # bots often check these accounts for weak passwords: DenyUsers root test admin guest nobody # for extra security, limit access to only these users: AllowUsers user1 user2 user3
Use the following to support SSH1. I no longer use this.
# this is required if you want to support SSH1 Protocol 2,1 # this is required if you want to support SSH1 PasswordAuthentication yes
simple port forwarding (SSH tunnel)
This example creates a tunnel for IMAP. Here we forward port 1143 on localhost to 143 (IMAP) on imap.example.com.
ssh -f -N -q -L 1143:localhost:143 username@imap.example.com
-f tells ssh to go into the background (daemonize).
-N tells ssh that you don't want to run a remote command. That is, you only want to forward ports.
-q tells ssh to be quiet
-L specifies the port forwarding
reverse port forwarding
Sometimes I need to make an internal LAN machine expose a service to the outside WAN. For example, I have a database server that will only accept connections from a specific development box. That dev box is inside the firewall. I want to connect to the database from outside the firewall.
ssh -t -L 5432:localhost:1999 my_name@firewall.example.com ssh -t db_server ssh -t -R 1999:127.0.0.1:5432 my_name@firewall
SSH for Windows
Putty is the best free SSH client for Windows. You can also use Cygwin, but the ANSI terminal emulation isn't as good unless you start the X11 server and run xterm.
MindTerm SSH client Java Applet
MindTerm_2.1 (non-commercial). This was the last free version of MindTerm.
mindterm.jar
Put this applet on a web page and point the <applet> "archive" attribute to the URL of the JAR file:
<applet archive="mindterm.jar" code="com.mindbright.application.MindTerm.class" width="580" height="400"> <param name="te" value="xterm-color"> <!-- "vt102" --> <param name="fs" value="18"> <param name="gm" value="80x32+0+0"> <param name="port" value="22"> <param name="cipher" value="blowfish"> <!-- "des" --> <param name="usrname" value=""> <param name="sepframe" value="false"> <param name="quiet" value="false"> <param name="cmdsh" value="false"> <param name="verbose" value="true"> <pa ram name="autoprops" value="none"> <param name="idhost" value="false"> <param name="alive" value="10"> <param name="appletbg" value="white"> </applet>
Pages in category "SSH"
The following 7 pages are in this category, out of 7 total.