Best Way To Transfer Files To The Z Over A Network
Da_Blitz
post Feb 14 2007, 06:22 PM
Post #16
Group: Members
Posts: 1,565
Joined: 7-April 05
From: Sydney, Australia
Member No.: 6,806

Firewalling is your best option if it's by IP address, but I use and recommend public key crypto for this.

Give yourself about 30 mins and read up on it, set it up on your Ubuntu box and you will find that you will never use the user:pass combo again.

I use passwords on my private keys so that I can keep them on a flash disk, so I also use ssh-agent, which is great once you work out that to execute it is eval `ssh-keychain`.

That won't work on multiple shells; if you want something that will allow you to use your ssh keys for every xterm you open then I recommend getting a prog named keychain and using that. Gentoo has the best docs on their page for it (they wrote it), but it helps preserve the settings between shell launches. You might have to add it to your bashrc file.

Just ignore my rambling; the best reason to use it is that I only have to type my password for my private keys once and then every ssh session is passwordless, or can optionally pop up a dialog box asking for permission under X.

Would anyone like me to start up a thread on ssh? I have found some stuff recently that is little used (such as connection sharing, which speeds up the login delay to under a second) and proper key management/generation and such, plus how to disable all authentication methods but public key and optionally krb5 while still using PAM for session management and accounting (normally you have to leave passphrase authentication on to do this).
Capn_Fish
post Feb 15 2007, 08:10 AM
Post #17
Group: Members
Posts: 2,350
Joined: 30-July 06
Member No.: 10,575

That's exactly what I want to do. You get a new key every time you open a terminal? Or is that just for moving your key around to different computers? I'm assuming that it is, because it seems that the Z only generates an rsa/dsa key pair the first time it boots after flashing.

Could somebody just tell me what file/strings I need to copy from where to where? I sadly haven't really gleaned that info yet.

Thanks.
Da_Blitz
post Feb 16 2007, 03:28 AM
Post #18
Group: Members
Posts: 1,565
Joined: 7-April 05
From: Sydney, Australia
Member No.: 6,806

The rsa/dsa key generation is only for identifying the host, not for logging in.

To log in you need to generate a key and put half of it (the public half) on the server you want to log into and the rest (the private part) somewhere safe.

I put my keys on a flash disk. This is not that safe, as anyone can read a flash disk when it's plugged in (unless you tweak /proc/usb for a multihead setup so that some users get access to some USB port; I haven't tested that). I do keep them encrypted so that they need to be decrypted in RAM, so that no one else can just copy them off unless they are root. They could do an offline attack however, but that's beyond the scope of this post.

So you want to generate an rsa key pair. Well, go somewhere on your fs that's "clean" or create a folder and change your current dir to there (cmd line here) and run ssh-keygen.

Follow the prompts. I recommend you change the name. It isn't a requirement, but I don't want to clobber my keys in the future. I also generate a different key for each host I use, however the added benefits of this are slight. It doesn't cost me however, so I do it. I'll come back to that later.

Well, I suppose you entered a name instead of a path for the keyfile, which is what you would want if you want the files in the current directory. If not, for the rest of this tut the keys are in your .ssh folder in your /home dir.

Now the fun part. You have to get the <key file>.pub to your Z somehow. Easiest way is to log in via ssh like this: cat <path to public key> | ssh <user>@<host> "touch ~/.ssh/authorized_keys && cat >> ~/.ssh/authorized_keys"

What I did is cat the public key, pipe that as standard input to ssh. On the Z what happens is ssh logs in, creates the authorised keys file if it's not been created and takes the standard input from the box you are working on and adds it to the allowed keys for this user list.

Congratulations, you are now half way there.

OK, now you have to execute "eval `ssh-agent`" (note the backticks, we need a shell for ssh-agent) OR "eval $(ssh-agent)" which is the POSIX version (it's a history lesson, kids).

This launches an authentication proxy for you. Its goal is to collect your ssh keys and store them. Not that handy if you didn't put a password on your key (shame on you) but really handy if you did, as you only have to type the pass once.

Add the private key with ssh-add <path to private key> (the one without .pub).

Now ssh into your box. It shouldn't ask for a password.

This is just stage one. You can take it further if you want and I am willing to write the guides if someone wants it. As I have stated before it mainly increases security by disabling 3des encryption and using blowfish or AES-256-cbc, adds session sharing (poor man's ssh-agent and faster login times as well as fewer connections) and compression of everything that goes through the link (best on slow WANs; some people like to only do it manually but I figure it doesn't hurt unless you are doing file transfer to something without much CPU grunt like the Z over USB).

Also a guide to allowing public key logins and hardening your ssh server could be written too if I am up to it and there is demand.

Now back to some issues: I use 1 key per server. You can use the one id for every server if you wish, however I like it my way as when I am on a Windows PC I can give it only the certs I need to get the job done, so if someone reads its mem they won't get all the keys.

The other reason is that it makes ssh-agent proxying a lot safer. If you create a separate ssh-keychain instance with only node B and node C (if you are on A and can only see B but B can see C) then you only add 2 keys and you can enable forwarding to your heart's content knowing that not every server you can connect to will be compromised if someone has hacked that box (as only B and C's keys have been put on the keychain).

Just a quick word about the proxy thing: that means when you log into B from A, B can reuse the ssh-keychain and the keys on its keychain to log into C without a password. If the keys to D were on it and the box got hacked then someone with your privs or root could then tell an ssh session to authenticate to the ssh-agent on A to log into D.

Confused? I know I was. It clicks once you have mastered the basics.

You might want to try X forwarding: add -X to your ssh prog (ie ssh -X <user>@<host>). Now any X app on your Z will run on your PC's monitor, but execute on the Z. Makes editing text files fun and is best used with a USB flash disk with putty and an X server on it, meaning you can do stuff on your work PC knowing that the progs are on the Z (security) or that the data is on your Z (portability). It also means you then get cross platform compatibility as you then have an X server for nearly every OS on the market (macos, unix and clones, windows).

Might tell you about the "reverse ssh" that I suggested elsewhere to bypass a firewall; basically it's a good use of port forwarding.

You connect the port on a machine A (the Z for eg) that connects to ssh (127.0.0.1:22) to a port on a remote machine (eg 2222), you then ssh into port 2222 on the proxy machine (C) from your PC (B). This will mean that you have just ssh'd into the Z (ssh from B to C, then wrap it in another ssh session and onto A).

Note that that's CPU intensive as it does 2 ssh sessions. B (your laptop) and C (the proxy) will only do one but A (the Z) will have to do 2 of them. This can kill a Z if transferring files but is fine for ssh work. Not sure about X as I never did any bandwidth testing on it, but pretend it's an 8mbit link (overhead) with near-LAN latency (near LAN because ssh adds latency, even more so when overloaded).
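The remote half of the cat | ssh one-liner above, written as an added example (not code from the thread): it installs a public key into authorized_keys without duplicating it and with the directory and file modes sshd requires. The key material and paths are constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread. On the client you would first run
#   ssh-keygen -t rsa -f id_z        (private key id_z, public key id_z.pub)
# and then feed id_z.pub to this function on the server, e.g.
#   cat id_z.pub | ssh user@host 'sh -c ". ./keys.sh; install_pubkey \"$(cat)\""'
# (the script name keys.sh is an assumption for illustration).

install_pubkey() {
    # $1 = one public key line ("ssh-rsa AAAA... comment")
    # $2 = authorized_keys path (default ~/.ssh/authorized_keys)
    key="$1"
    ak="${2:-$HOME/.ssh/authorized_keys}"
    dir=$(dirname "$ak")
    # sshd (StrictModes, the default) refuses keys in a world-readable
    # ~/.ssh or authorized_keys, which is the usual "still asks for a
    # password" failure after a by-hand copy.
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$ak" && chmod 600 "$ak"
    # Compare key type plus base64 blob only, so re-running with a
    # different comment does not add a second copy of the same key.
    blob=$(printf '%s\n' "$key" | awk '{print $1" "$2}')
    if awk '{print $1" "$2}' "$ak" | grep -qxF -- "$blob"; then
        return 1   # already present, nothing appended
    fi
    printf '%s\n' "$key" >> "$ak"
}

count_keys() {
    # number of key lines in an authorized_keys file
    grep -c -e '^ssh-' -e '^ecdsa-' "$1"
}
```

A non-zero return from install_pubkey means the key was already there; a real deployment would also want to check that the comment field does not leak anything you mind the server admin seeing.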
Meanie
post Feb 16 2007, 04:18 AM
Post #19
Group: Members
Posts: 2,808
Joined: 21-March 05
From: Sydney, Australia
Member No.: 6,686

Wow, you wrote half an essay.
Capn_Fish
post Feb 18 2007, 04:00 PM
Post #20
Group: Members
Posts: 2,350
Joined: 30-July 06
Member No.: 10,575

OK, I have this set up, but I want my server to block all SSH requests except from those in the authorized_keys file. I searched, but I can't figure out how to do it. Could somebody help here as well?

Oh, and thanks for the essay! It was very helpful.
speculatrix
post Feb 19 2007, 02:00 AM
Post #21
Group: Admin
Posts: 3,281
Joined: 29-July 04
From: Cambridge, England
Member No.: 4,149

QUOTE(Capn_Fish @ Feb 19 2007, 01:00 AM)
OK, I have this set up, but I want my server to block all SSH requests except from those in the authorized_keys file. I searched, but I can't figure out how to do it. Could somebody help here as well?

Have a look in your sshd_config file and turn off password encryption like this:
CODE
PasswordAuthentication no

You probably also want
CODE
PermitEmptyPasswords no
Da_Blitz
post Feb 19 2007, 02:44 AM
Post #22
Group: Members
Posts: 1,565
Joined: 7-April 05
From: Sydney, Australia
Member No.: 6,806

That looks about right, but my config has:

CODE
UsePAM yes
ChallengeResponseAuthentication no
PermitEmptyPasswords no
PasswordAuthentication no

The challenge response has to do with PAM password authentication, whereas I am using PAM for the session and accounting rather than session, accounting and password.

Basically it means you can use the PAM rlimits, sourcing a file, login between certain times stuff: the good stuff of PAM that doesn't deal with passwords (and that many people don't realise it does).
Capn_Fish
post Feb 19 2007, 06:18 AM
Post #23
Group: Members
Posts: 2,350
Joined: 30-July 06
Member No.: 10,575

It's now working, my Ubuntu box will block all computers except my Z, and I don't need a password for that.

Thanks for your help!
Da_Blitz
post Feb 19 2007, 11:17 PM
Post #24
Group: Members
Posts: 1,565
Joined: 7-April 05
From: Sydney, Australia
Member No.: 6,806

Don't know if you have your Ubuntu box connected to the net, but mine gets about 100 attempts to log in via ssh, the usual suspects: root, nobody, mail, ftp, http and such, all with no password.

So as you can see it can be a good idea to just use keys, as it means if I did accidentally not put a password on an account and you could log in locally with it, it wouldn't allow ssh to let you in as there is no authorized keys file for that account.

Security always pays off in the end.
speculatrix
post Feb 20 2007, 03:29 AM
Post #25
Group: Admin
Posts: 3,281
Joined: 29-July 04
From: Cambridge, England
Member No.: 4,149

Since I trust iptables firewalling more than I trust the ssh daemon, I don't allow anything to connect to ssh from the world, and then I use "port knocking" to open a hole in the firewall for the IP I am knocking from... I can then connect over ssh and secure-imap.

That means in order to break in there must be a failure in iptables and also sshd.

See my website http://www.zaurus.org.uk/portknocking.html for details.
Get the download for my fixed "barricade" ping-knocking s/w at http://www.zaurus.org.uk/download/barricad...0.0-PADM.tar.gz
Capn_Fish
post Feb 20 2007, 04:46 AM
Post #26
Group: Members
Posts: 2,350
Joined: 30-July 06
Member No.: 10,575

QUOTE(Da_Blitz @ Feb 20 2007, 02:17 AM)
dont know if you have your ubuntu box connected to the net but mine gets about 100 attempts to log in via ssh, the usual suspects, root, nobody,mail, ftp, http and such all with no password.

How do you tell how many times somebody tried to login with SSH?
speculatrix
post Feb 20 2007, 06:26 AM
Post #27
Group: Admin
Posts: 3,281
Joined: 29-July 04
From: Cambridge, England
Member No.: 4,149

QUOTE(Capn_Fish @ Feb 20 2007, 01:46 PM)
How do you tell how many times somebody tried to login with SSH?

Hmm, let me look at my firewall log; this file has been active since Jan 30 @21:01
# cd /var/log
# grep EXT-Drop firewall | grep DPT=22 | wc -l
113

So, about five or six times a day someone's probed my sshd (!)

For the same 21 day period I've had 15253 drops logged.
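The same counting, as an added example that is not part of the thread, run over a few constructed log lines so it can be tried offline: one function reproduces the firewall grep above (the EXT-Drop prefix and all addresses are made-up samples), one counts the failures sshd itself logs, and one ranks the source addresses.

```shell
#!/bin/sh
# Added example, not from the thread. Both logs below are constructed;
# the "EXT-Drop" prefix is whatever your iptables LOG rule uses.

FW_LOG='Jan 30 21:05:11 gw kernel: EXT-Drop IN=eth0 SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP SPT=4410 DPT=22
Jan 30 21:05:12 gw kernel: EXT-Drop IN=eth0 SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP SPT=4411 DPT=80
Jan 31 02:17:40 gw kernel: EXT-Drop IN=eth0 SRC=198.51.100.9 DST=192.0.2.1 PROTO=TCP SPT=51234 DPT=22
Jan 31 02:17:41 gw kernel: EXT-Drop IN=eth0 SRC=198.51.100.9 DST=192.0.2.1 PROTO=TCP SPT=51235 DPT=2222
Jan 31 02:17:42 gw kernel: EXT-Drop IN=eth0 SRC=198.51.100.9 DST=192.0.2.1 PROTO=TCP SPT=51236 DPT=22
Feb  1 09:00:00 gw kernel: EXT-Accept IN=eth0 SRC=192.0.2.50 DST=192.0.2.1 PROTO=TCP SPT=2000 DPT=22'

AUTH_LOG='Feb  1 03:12:01 ubuntu sshd[2201]: Invalid user admin from 198.51.100.9
Feb  1 03:12:03 ubuntu sshd[2201]: Failed password for invalid user admin from 198.51.100.9 port 40111 ssh2
Feb  1 03:12:09 ubuntu sshd[2204]: Failed password for root from 198.51.100.9 port 40112 ssh2
Feb  1 03:12:15 ubuntu sshd[2207]: Failed password for root from 203.0.113.5 port 1025 ssh2
Feb  1 08:30:44 ubuntu sshd[2300]: Accepted publickey for capn from 192.0.2.77 port 50001 ssh2'

# Dropped packets aimed at port 22. -w stops "DPT=22" from also matching
# DPT=2222 or DPT=220, which the plain grep above would count.
fw_ssh_drops() {
    printf '%s\n' "$FW_LOG" | grep 'EXT-Drop' | grep -cw 'DPT=22'
}

# What sshd itself saw once the packet got through the firewall.
auth_failures() {
    printf '%s\n' "$AUTH_LOG" | grep -c 'Failed password'
}

# Source addresses behind the port-22 drops, "count ip", busiest first.
fw_top_sources() {
    printf '%s\n' "$FW_LOG" | grep 'EXT-Drop' | grep -w 'DPT=22' \
        | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}
```

On a real box point the three printf pipelines at /var/log/firewall and /var/log/auth.log (Ubuntu's sshd log) instead of the embedded samples.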
desertrat
post Feb 20 2007, 07:48 AM
Post #28
Group: Members
Posts: 742
Joined: 15-October 05
From: Gulag, Siberia
Member No.: 8,322

One thing worth adding to /etc/ssh/sshd_config is
CODE
AllowUsers sometrusteduser

This will allow only sometrusteduser to login.
speculatrix
post Feb 20 2007, 08:36 AM
Post #29
Group: Admin
Posts: 3,281
Joined: 29-July 04
From: Cambridge, England
Member No.: 4,149

QUOTE(desertrat @ Feb 20 2007, 04:48 PM)
One thing worth adding to /etc/ssh/sshd_config is
CODE
AllowUsers sometrusteduser

This will allow only sometrusteduser to login.

Also consider running sshd on a different port, e.g. 222, as this cuts down the number of attempted probes very significantly.

On the Z you have to change inetd.conf, as (Cacko at least) doesn't run sshd as a daemon but only via inetd.
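The settings recommended across the last few posts (PasswordAuthentication, PermitEmptyPasswords and ChallengeResponseAuthentication off, AllowUsers set, a non-default Port) gathered into one check, as an added example that is not from the thread. It reads a constructed sshd_config and reports each setting that is missing or weak; it honours sshd's first-match rule for repeated keywords but ignores Match blocks.

```shell
#!/bin/sh
# Added example, not from the thread. SAMPLE_CFG is a constructed file:
# the PasswordAuthentication line is commented out and Port is the default,
# which is exactly the "I set it but it still asks for a password" case.

SAMPLE_CFG='# constructed sshd_config
Port 22
UsePAM yes
#PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
AllowUsers capn'

# Effective value of a keyword: sshd uses the FIRST uncommented occurrence,
# keyword matching is case-insensitive, leading whitespace is allowed.
cfg_value() {   # $1 = keyword, stdin = config text
    awk -v k="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == k { print $2; exit }'
}

# One line per problem on stdout; no output means every check passed.
audit_sshd_config() {   # stdin = config text
    cfg=$(cat)
    for kw in PasswordAuthentication ChallengeResponseAuthentication PermitEmptyPasswords; do
        v=$(printf '%s\n' "$cfg" | cfg_value "$kw")
        # When the line is absent the sshd default applies (yes for the
        # first two), so insist on an explicit "no" for all three.
        [ "$v" = "no" ] || echo "$kw is '${v:-unset}', want no"
    done
    v=$(printf '%s\n' "$cfg" | cfg_value AllowUsers)
    [ -n "$v" ] || echo "AllowUsers unset: every account with a key may log in"
    v=$(printf '%s\n' "$cfg" | cfg_value Port)
    [ "${v:-22}" != "22" ] || echo "Port is 22: a non-default port cuts scanner noise"
}

# Convenience wrapper: number of problems found in a config string.
audit_count() {   # $1 = config text
    printf '%s\n' "$1" | audit_sshd_config | grep -c .
}
```

On a live server, sshd -T prints the effective configuration with defaults and Match blocks resolved; feeding that output to audit_sshd_config instead of the raw file avoids both blind spots.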
zmiq2
post Feb 20 2007, 09:25 AM
Post #30
Group: Members
Posts: 385
Joined: 3-December 03
Member No.: 1,038

Hi speculatrix, in
QUOTE
you mention that
QUOTE
The advantage of using ping is that its much easier to set up the client - nearly every linux x86 PC has the required software already installed. For the Zaurus (Cacko at least) and Windows, the standard ping program doesn't work because they don't support the required options to insert a character string password into the ping datagram; however, just install hping2 on the Zaurus and it works. It also means that if you're using a guest computer, there's a good chance you can run ping!

which doesn't make sense to me: if you need hping2 as a client, because normal ping doesn't work, you cannot use ping on a guest computer.

Nice web, btw.