usePAM yes

google

How To Protect SSH With Two-Factor Authentication | DigitalOcean

• sshd
  The OpenSSH server daemon.
• ssh
  Stands for secure shell, though it doesn’t really include a shell, but provides a secure channel to the command shell on the remote system.
• scp
  Secure copy; this provides encrypted file transfer.
• sftp
  Secure file transfer protocol.
• ssh-copy-id
  Nice little program for installing your personal identity key to a remote machine’s authorized_keys file.
• ssh-keyscan
  Finds and collects public host keys on a network, saving you the trouble of hunting them down manually.
• ssh-keygen
  Generates and manages RSA and DSA authentication keys.
• ssh-add
  Add RSA or DSA identities to the authentication agent, ssh-agent.
• ssh-agent
  Remembers your passphrases over multiple SSH logins for automatic authentication. ssh-agent binds to a single login session, so logging out, opening another terminal, or rebooting means starting over. A better utility for this is keychain, which remembers your passphrases for as long you don’t reboot.

There are two different uses for authentication keys: host keys, which authenticate computers, and identity keys, which authenticate users.

rssh is a restricted shell for use with OpenSSH, allowing only scp and/or sftp. It now also includes support for rdist, rsync, and cvs. For example, if you have a server which you only want to allow users to copy files off of via scp, without providing shell access, you can use rssh to do that. For a list of platforms on which rssh is known to work, see the Platform Support Page.

linux - Allow SCP but not actual login using SSH - Server Fault

# To use it just set it as a shell for a new user like this:
$ useradd -m -d /home/scpuser1 -s /usr/bin/rssh scpuser1
$ passwd scpuser1
 
# ..or change the shell for an existing one like this:
$ chsh -s /usr/bin/rssh scpuser1
 
# ..and edit /etc/rssh.conf to configure rssh shell - especially uncomment allowscp line to enable SCP access for all rssh users.
$ vi /etc/rssh.conf

启动 sshd 必须用绝对路径 $ /usr/sbin/sshd -d, d for debug

TODO:

• DenyHosts
• http://os.51cto.com/art/200803/68174.htm

linux 101 hacks 2ed p.79

• 我的文档
• What is a Chroot Jail?
• Jailkit - chroot jail utilities
• chroot jail - Linux Howto

• 推荐该文档: DebootstrapChroot - Community Ubuntu Documentation
• 或者看更 raw 的 debian 文档: Debootstrap - Debian Wiki
• 怎么到这儿的(为了找用 puppet 建立 chroot 的方法, 而发现了 debootstrap, 建立 chroot 是为了让 backup 用户只能对指定目录做 rsync): https://github.com/berndmweber/copperfrog-chroot/blob/master/manifests/init.pp

详见: Using ssh agent forwarding · GitHub Help

步骤:

1. 保证本地 ssh-agent (用来缓存 ssh key) 在运行

   # 检查目前缓存了那些 key
   $ ssh-add -L
   # 添加 key
   $ ssh-add ~/.ssh/id_rsa

2. 确保本地不会阻止 forwarding

   # 本地的 /etc/ssh_config 中 **不能** 有
     ForwardAgent no

3. 确保服务器允许 forwarding

   # 服务器的 /etc/sshd_config 中需要有 
     AllowAgentForwarding yes

4. 使用下面的两种办法, 在 ssh 到某服务器上时 forward agent
   • 方法 1: ssh -A example.com, 手动指定 ssh 某服务器时, 用 agent forwarding
   • 方法 2: 配置 ssh 某些服务器时用 agent forwarding:

     ~/.ssh/config

     # Host *
     Host example.com
       ForwardAgent yes

SSH 的 Escape Char 和 telnet 里面ctrl + ]键可以进入命令模式类似. 系统默认的 Escape Char 可通过如下方式查看:

$ grep -i escape /etc/ssh/ssh_config 
#   EscapeChar ~

使用ssh -e '?' use@host可临时更改 Escape Char.

Escape Char 的作用如下:

myhost# ~?
Supported escape sequences:
~.  - terminate connection
~^Z - suspend ssh
~B  - send a BREAK to the remote system
~C  - open a command line
~R  - Request rekey (SSH protocol 2 only)
~#  - list forwarded connections
~&  - background ssh (when waiting for connections to terminate)
~?  - this message
~~  - send the escape character by typing it twice
(Note that escapes are only recognized immediately after newline.)

其中常用的有 ~^Z.

問題來了，假設你從 HOST1 先 SSH 到 HOST2，然後再從 HOST2 SSH 到 HOST3

HOST1 ===1===> HOST2 ===2===> HOST3

如果你在 HOST3 的 terminal 下輸入 ~. 的話，你會直接切斷上面的第一段連線回到 HOST1 的 terminal，當然這樣的話第二段連線也一併 bye-bye 了！如果只是想切斷第二段連線回到 HOST2 該怎麼作呢？

這時候 ~~ 就發揮作用了，你只要輸入 ~~. 就可以切斷第二段連線了

以此累推，輸入 N 個 Escape Character 代表對第 N 段連線送出 Escape Character.

• 在远程机器上运行一段脚本。这条命令最大的好处就是不用把脚本拷到远程机器上

  ssh user@server bash < /path/to/local/script.sh

• 比较一个远程文件和一个本地文件

  ssh user@host cat /path/to/remotefile | diff /path/to/localfile -

• scp -r 会跟踪 symlink, 无选项让 scp 不跟踪 symlink, 所以如果想保留 symlink 应 tar 后再 scp
• 不允许密码登陆：`vi /etc/ssh/sshd_config` `PasswordAuthentication no`
• 只允许 scp，不允许登陆：rssh linux - Allow SCP but not actual login using SSH - Server Fault

http://blog.urdada.net/2008/01/02/73

ssh -ND 8080 user@111.111.111.111

about key: c3q → 3cq

1. 切换到root用户

   sudo -H -s

2. 本地设置ssh key, 方便 SSH 在不需要密码的情况下直接连接中继服务器

   ssh-keygen

3. 安装autossh

   apt-get install autossh

4. 设置upstart脚本

   /etc/init/autossh.conf

   # autossh
   description	"AutoSSH Tunnel"
    
   start on (net-device-up and local-filesystems and runlevel [2345])
   stop on runlevel [016]
    
   # REMOTE_PORT 为中继服务器在本地服务器上的对应端口
   # 如 9628 是 gin 的端口
   respawn
   exec autossh -nNT -o ServerAliveInterval=15 -R :REMOTE_PORT:localhost:22 autossh@remote.server.com 
    
   # -nNT 都是安全设置
   # -N      Do not execute a remote command.  This is useful for just forwarding ports (protocol version 2 only).
   # -n      Redirects stdin from /dev/null (actually, prevents reading from stdin).
   # -T      Disable pseudo-tty allocation.

$ man ssh
     -R [bind_address:]port:host:hostport
             Specifies that the given port on the remote (server) host is to be forwarded to the given host and port on the local side.  This works by allocating a
             socket to listen to port on the remote side, and whenever a connection is made to this port, the connection is forwarded over the secure channel, and a
             connection is made to host port hostport from the local machine.

             Port forwardings can also be specified in the configuration file.  Privileged ports can be forwarded only when logging in as root on the remote machine.
             IPv6 addresses can be specified by enclosing the address in square braces.

             By default, the listening socket on the server will be bound to the loopback interface only.  This may be overridden by specifying a bind_address.  An
             empty bind_address, or the address ‘*’, indicates that the remote socket should listen on all interfaces.  Specifying a remote bind_address will only suc‐
             ceed if the server's GatewayPorts option is enabled (see sshd_config(5)).

             If the port argument is ‘0’, the listen port will be dynamically allocated on the server and reported to the client at run time.  When used together with
             -O forward the allocated port will be printed to the standard output.


$ man 5 sshd_config
     GatewayPorts
             Specifies whether remote hosts are allowed to connect to ports forwarded for the client.  By default, sshd(8) binds remote port forwardings to the loopback
             address.  This prevents other remote hosts from connecting to forwarded ports.  GatewayPorts can be used to specify that sshd should allow remote port for‐
             wardings to bind to non-loopback addresses, thus allowing other hosts to connect.  The argument may be “no” to force remote port forwardings to be avail‐
             able to the local host only, “yes” to force remote port forwardings to bind to the wildcard address, or “clientspecified” to allow the client to select the
             address to which the forwarding is bound.  The default is “no”.

1. 载入启动脚本

   start autossh

putty 中的设置

将/root/.ssh/id_rsa.pub的内容添加到公网服务器的autossh账号的~autossh/.ssh/authorized_keys中. 在该行行首加 no-pty 可阻止使用autossh登录, 让它只可用作端口转发.