I have an Ubuntu box with no monitor that control with VNC with my Zaurus. I would like to be able to easily transfer files from there to my Z in a secure manner. What would be the best way of doing this?

Thanks.

The most convenient way is IMHO to use Samba directory sharing.

daniel

My tool of choice is rsync + ssh. Works like a charm and no need to mount.

(Btw: Are there fuse and sshfs for the Z?)

Any good how-tos for ssh & rsync? Or can you provide one?

Thanks!

EDIT: I've tried to set up Samba in the past, and it seems to be difficult (or I was just being stupid), so I'm not really looking at that.

EDIT2: How does using rsync and ssh work?

yes, I used it just recently on OpenZaurus. To mount connections on the Z should just work OOTB IIRC. To mount your Z on another box you need to "enhance" dropbear with the openssh-sftp package.

"ipkg install rsync"

then on desktop

rsync -r -v -z /dir/dir/ 192.168.129.201:/dir2/dir2

stick in a "-n" to not actually do the copy beforehand just to make sure nothing's going to go wrong.

"man rsync" or "rsync --help" is your friend.

whats the diffrence apart from only uploading the changes to using rsync over scp or sftp in this type of enviroment. we are talking about high bandwidth links here so there is really no need to upload changes, a dumb copy would be fine

or am i missing somthing here

Use ssh, and if you use KDE it's as simple as typing:

into konqueror to browse your Z filesystem.

What do I need to set up on Ubuntu? I set up the /etc/rsyncd.conf.

you don't need to set anything up on the PC side... ok, quick tutorial. rsync is a bit like "scp -prd", only it's a lot more intelligent - it can be told to ignore existing files (by checking size and date or using a checksum /slower/)

When invoked, it talks to rsync on the remote host either because the remote host is running rsync as a daemon OR by ssh'ing to it and running it.

So, on the ubuntu side, no need to run rsync as daemon. So long as when you ssh into zaurus rsync is in the path it will work. Or vice versa. Generally rsync is in /bin or /usr/bin and is virtually guaranteed to work.

So, use the "-n" /dryrun/ option just to be sure.

rsync has a HUGE number of options but they are fairly clearly explained.

personally, i think scp is the easiest and most secure.

er, rsync uses ssh as the default connection channel, so it's as secure as scp but more powerful.

you can use rsync as a daemon. you could also do rsync over plain telnet. both would be unencrypted.

you can also use tar, e.g. use compression to copy a directory from one machine to another using an ssh secure channel



the advantages of tar and rsync is they understand symlinks better, tar also preserves ownership and protection but doesn't know not to copy an existing file.


--edit--
oops, I forgot the gunzip on the target, added explanatory comment

To be honest, I don't need power or the ability to preserve symlinks. All I want is the ability to simply copy one file over a LAN from Ubuntu to my Z with minimal set-up time.

Is SCP or RSync easier to set up for this?

scp... just

example... scp test.txt root@192.168.1.45:/home/root/

or scp test.txt 192.168.1.45:

if you want to just copy that file, you are already an equal user name to the one on the destination, and you want it just to go to the users home dir.

Late

I've got an ssh connection working as well as scp. I'm now trying to figure out how to block all attempts to ssh into my Ubuntu box except from my Zaurus. All of the documentation I've found seems to be a bit vague, but it seems to indicate that all that is involved is moving some authentication keys around. What exactly do I need to do (starting from getting the connection working)? If it's too much to explain, could you point me to some good documentation?

Thanks!

firewalling is your best option if its by ip adress but i use and recomend public key crypto for this

give yourself about 30mins and read up on it, set it up on your ubuntu box and you will find that you will never use the user:pass combo again

i use passwords on my private keys so that i can keep them on a flashdisk so i also use ssh-agent which is greaat once you work out that to exectute it is eval `ssh-keychain`

that wont work on multiple shells, if you want somthing that will allow you to use your ssh keys for every xterm you open then i recomend getting a prog named keychain and using that, gentoo has the best docs on thier page for it (they wrote it) but it helps preserve the settings between shell launches. you might have to add it to your bashrc file

just ignore my rambeleing, the best reason to use it is that i only have to type my password for my private keys once and then every ssh session is password less or can optionally pop up a dialog box asking for permission under X

would anyone like me to start up a therad on ssh, i have found some stuff recentlly that is little used (such as connection sharing which speeds up the login delay to under a second) and proper keymanagment/generation and such + how to disable all authentication methods but public key and optionally krb5 while still using PAM for session managment and accounting (normally you have to leave passphrase authentication on to do this)

That's exactly what I want to do. You get a new key every time you open a terminal? Or is that just for moving your key around to different computers? I'm assuming that it is, because it seems that the Z only generates a rsa/dsa key pair the first time it boots after flashing.

Could somebody just tell me what file/strings I need to copy from where to where? I sadly haven't really gleaned that info yet.

Thanks.

the rsa/dsa key generation is only for identifing the host. not for logging in

to log in you need to generate a key and put half of it (the public half) on the server you want to log into and the rest (the private part) somewhere safe.

i put my keys on a flashdisk. this is not that safe as anyone can read a flashdisk when its plugged in (unless you tweak /prooc/usb for a multihead setup so that some users get acsess to some usb port, i havent tested that) i do keep them encrypted so that they need to be decrypted in ram so that no one else can just copy them off unlsess they are root. they could do a offline attack however but thats beyond the scope of this post

so you want to genetare a rsa key pair. well go somewhere on your fs thats "clean" or create a folder and change your current dir to there (cmd line here) and run ssh-keygen.

follow the prompts. i recomend you change the name. it isnt a requirement but i dont want to clober my keys in the futre. i also generate a diffrent key for each host i use however the added benifits of this are slight. it dosent cost me however so i do it. ill come back to that latter

well i suppose you entered a name instead of a path for the keyfile which is what you would want if you want the files in the current directory. if not for the rest of this tut the keys are in your .ssh folder it your /home dir

now the fun part. you have to get the <key file>.pub to your Z somehow. eaist way is to log in via ssh like this. cat <path to public key> | ssh <user>@<host> "touch ~/.ssh/authorized_keys | tee !$"

what i did is cat the public key, pipe that as standard input to ssh. on the Z what happens is ssh logs in, creates the authorised keys file if its not been created and takes the standard input from the box you are working on and adds it to the allowed keys for this user list

congratulations you are now half way there

ok now you half to execute "eval `ssh-agent`" (note the backticks, we need a shell for ssh-agent) OR "eval $((ssh-agent))" which is the posix version (its a history lesson kids )

this launches a authentication proxy for you. its goal is to collect your ssh keys and store them. not that handy if you didnt put a password on your key (shame on you) but really handy if you did as you only have to type the pass once.

add the private key with ssh-add <path to private key> (the one without .pub).

now ssh into your box . it shouldnt ask for a password

this is just stage one. you can take it futher if you want and i am willing to write the guides if someone wants it. as i have stated before it mainly increses security by disabling 3des encryption and using blowfish or AES-256-cbc, adds session sharing (poor mans ssh-agent and faster loging times as well as less conections) and compresion of everything thats goes throgh the link (best on slow WANs, some people like to only do it manually but i fuigure it dosent hurt unless you are doing file transfer to somthing without much cpu grunt like the Z over usb)

also a guide to allowingpublic key logins and hardeneing your ssh server could be written too if i am up to it and there is demand

now back to some issues, i use 1 key per srever. you can use the one id for every server if you wish however i like it my way as when i am on a windows PC i can give it only the certs i need to get the job done so if someone reads its mem they wont get all the keys

the other hand reason is that it makes ssh-agent proxying alot safer, if you create a seperate ssh-keychain instance with only node B and node C (if you are on A and can only see B but B can see C) then you only add 2 keys and you can enable fowarding to your hearts content knowing thatnot every server you can connect to will be comprimised if someone has hacked that box (as only B and Cs keys have been put on the keychain

just aquick word about the proxy thing, that means when you logg into B from A, B can reuse the ssh-keychain and the keys on its keychain to log into C without a password, if the kys to D were on it and the bok got hacked then someone with your privs or root could then tell a ssh session to authenticate to the ssh-agent onA to log into D

confused?, i know i was. it clicks once you have mastered the basics

you might want to try X fowarding, add -X to your ssh prog (ie ssh -X <user>@<host>. now any X app on your Z will run on you PCs monitor, but exectue on the Z. makes editing text files fun and is best used with a usb flashdisk with putty and an X server on it. meaning you can do stuff on your work pc knowing that the progs on the Z (security) or that the data is on your Z (portability). it also means you then get cross platform compatability as you then have an X server for nearly evrey OS on the market (macos, unix and clones, windows)

might tell you about the "revers ssh" that i suggested else where to bypass a firewall, basically its a good use of port fowarding.

you connect the port on a machine A (the Z for eg) that connects to ssh (127.0.0.1:22) to a port on a remote machine (eg 2222), you then ssh into port 2222 on the proxy machine © from your PC (. this will mean that you have just ssh'd into the Z (ssh from B to C, then wrap it in another ssh session and onto A)

note that thats cpu intensive as it does 2 ssh sessions. B (your laptop) and C (the proxy) will only do one but A (the Z) will have to do 2 of them. this can kill a Z if transfering files but is fine for ssh work. not sure about X as i never did any bandwidth testing on it but pretend its a 8mbit linx (overhead) with near lan latency (near lan because ssh add latency, even more so when overloaded)

wow, you wrote half an essay

OK, I have this set up, but I want my server to block all SSH requests except from those in the authorized_keys file. I searched, but I can't figure out how to do it. Could somebody help here as well?

Oh, and thanks for the essay! It was very helpful.

have a look in your sshd_config file and turn off password encryption like this:

you probably also want

that looks about right but my config has:



the challenge response has to do with PAM password authentication, whereas i am using PAM for the session and accounting rather than session, accounting and password.

basically it means you can use the pam rlimits, sourcing a file, login between certin time stuff. the good stuff of pam that dosent deal with passwords (and that many people dont relise it does)

It's now working, my Ubuntu box will block all computers except my Z, and I don't need a password for that.

Thanks for your help!

dont know if you have your ubuntu box connected to the net but mine gets about 100 attempts to log in via ssh, the usual suspects, root, nobody,mail, ftp, http and such all with no password.

so as you can see it can be a good idea to just use keys as it means if i did accedentially not put a password on an account and you could login localy with it it wouldnt allow ssh to let you in as there is no authorized keys ifle for that account

security always pays off in the end

Since I tried iptables firewalling more than I trust ssh daemon, I don't allow anything to connect to ssh from world, and then I use "port knocking" to open a hole in the firewall for the IP I am knocking from... I can then connect over ssh and secure-imap.

That means in order to break in there must be a failure in iptables and also sshd.

See my website http://www.zaurus.org.uk/portknocking.html for details
get the download for my fixed "barricade" ping-knocking s/w at http://www.zaurus.org.uk/download/barricad...0.0-PADM.tar.gz

How do you tell how many times somebody tried to login with SSH?

hmm, let me look at my firewall log, this file active since Jan 30 @21:01
# cd /var/log
# grep EXT-Drop | grep DPT=22 firewall | wc -l
113

so, about five or six times a day someone's probed my sshd (!)

for the same 21 day period I've had 15253 drops logged.

One thing worth adding to /etc/ssh/sshd_config is

This will allow only sometrusteduser to login.

also consider running sshd on a different port, e.g. 222, as this cuts down the number of attempted probes very significantly.

on the Z you have to change inetd.conf (for cacko at least) doesn't run sshd as a daemon but only via inetd.

Hi speculatix, in



you mention that




which doesn't make sense to me: if you need hping2 as a client, because normal ping doesn't work, you cannot use ping on a guest computer

Nice web, btw

yeah, reading it now it's not 100% clear, I will clarify, thanks for that. I could say "surely all your friends computers will be running linux by now"

thanks for +ve feedback.

i dont belive that running ssh on a diffrent port is worth the hassle, at the moment i am only getting ssh logins with no password attempts, i have max attempts set to 3. if i was really paranoid (basically i dont have the time at the moment) i would set up deny hosts but i have a feeling my public key login with 2048 bit keys should stand up to a bit of punisment

allow root logins = no of course

And for the real paranoid, like me:

I have an SMS modem attached, so when receiving a SMS with a special SMS content then ssh is activated for a certain eriod and, if noone logs in, it deactivates itself again.

Of course, all other measures also apply: pblic keys only with passhphrased enabled keys, no root, ...

I'm able to ssh in my servers using the Z and a nokia E61 (3G with qwerty keyboard), using the symbiam putty, which makes it very nice !

well, it's a pretty trivial change to sshd_config, and you only need to add "-p" to the ssh command when connecting. Most importantly, there are occasional vulnerabilities found in openssl, libz and openssh, so although it's security by obscurity it can help but should not be relied apon.



that's a neat idea!

I notice noone seems to be running a VPN server. We have one at work, and all the "suits" use it for access to outlook/exchange, and all the techies use an ssh jump box with key-only auth. Speaks volumes

actually i have a comercial sms sender (basically a mobile phone in a box with a serial cable attached) that i could put to good use

sms everytime someone logs in

actually i signed up for that paypal key program and looked into hacking it so i could use the OTP it generates as an aditonal requirement (ie usb flashdisk with ssh keys and otp needed to log in) but even though the crypto stuff is documented it cannot be used without paypals secret key (which they wont give up) and the timer value (hard to guess)

basically its sha1 used as a hmac then ascii encoded and stripped of digits at the frount and back to give you a 6 digit number

its a shame as it would then make a cheap otp device

well i said i would write some more stuff so here it is

create a file called config in your .ssh folder in your /home dir and put the following in it



what this does (if you didnt work it out already) is sets up the global options for every ssh connection (ie everything that has a hostname that matches *, see host *) if you want to create a config for a specific machine you connect to copy and paste this code again but rewrite the "host *" line to "host <yourhost addr>", this can be handy to seperate local and remote connections

a good example of this is


there is some more info in "man ssh_config"

anyway back to the topic, control master is what allows resharing of an exsisting ssh connection, if you typed in a password and didnt set up public keys then this will automatically reuse an exsisting connection so you dont have to retype the password, ssh was designed to tunnel more than one connection over the one link, its how the shell and port fowarding are implemented at the same time

so now thatt we have the reusable connections bieng built and torn down on demand (the "auto" option) the next line is to tell ssh where to look for the connections, i belive it defaults to /tmp but i put it in my .ssh folder as i know its permissions are secure (only i can read and write) so i dont have to worry about permissions. may have problems with nfs but YMMV

i think compression=yes explains itself, requests compresion if the server supports it

and finally its tightening of the ciphers used by ssh, these are universial algorithms that every morden kernel ships with, i belive that if you had problems it would be with a comercial ssh server that dosent implement the cipehr or a windows ssh server (i am not sure what cipher spec they support)

for those intrested here is the default cipher spec in order of prefrence (letft to right)


note the 3des and other lower security settings .

basically its free security by turning on the harder to crack ciphers

thats all for today, next time it will be port fowarding with ssh and if i get it working "poor mans vpn: what to do with ssh and tap/tun or PPP"

if i ever get the server up i will show you how to set up openvpn as well

hmm sorry to spam but how intrested is anyone in a hosted openvpn solution thats mantince free (ssl certs and everything handeled by someone else), you get your own private subnet to connect a few devices together from anyware on the net and quite posibly a dns subdomain so you dont have to remeber ip addresss to connect back to home

i have been thinking about it for awhile and now have most of the infrastructure in place to offer it, bulk transfers are not allowed, ie dont use it to pull down a DVD from your house to your pda but ssh, getting files and email from home in a secure manner or cvs would be fine

if you want bulk transfers thats what the dns subdomain is for, just point it back to your house (dynamic ip OK) and trasfer without going through me

Hi,

I've been looking for free encripted proxy, so when connected over open wifi, I would always like to have all my connections go to the proxy encrypted, avoiding at least kismet sniffing.

The idea would be:

zaurus-wifi <-> secure tunnel for http, pop3, ssh <-> secure proxy <-> plain http pop3 ssh <-> server http, pop3, ssh

Would that fit into your scheme? What needs to be running on the Z ?

All the software needed for SSHing comes installed with pdaXrom, I don't know about proxys.

tunnel ports using ssh thus...

zaurus$ ssh -L80:mypc:80 -L 110:mypc:110 -L 8080:mypc:8080 mypc

the -L means listen on local port. then you can see your home PC website on http://127.0.0.1, its pop3 server on 127.0.0.1:110 and set your proxy to be http://127.0.0.1:8080 (asssuming your pc runs proxy on 8080!)

it'd be more efficient to use pop3-ssl if you can. I have imap-ssl running at home, so I can do my email from anywhere.

HTH
Paul

another useful addition to your $HOME/.ssh/config file:

to automatically connect to your Z as user zaurus and not your current username, saves having to type "ssh zaurus@myzaurus".

it would be openvpn, so you would need an openvpn client, its an ssl bassed vpn so you would see anoether interface (tap0) with an ip and a routing table

if you want all gcomms to go over it you would have to change the default route to the vpn connection

ill reveal more details latter, basically i have a serverwith bandwidth and i am not going to be using all o it so i thought that someone here might like some resources

that hosts trick is a neta idea, there are a couple of machines i need to try that on

Ok todays tutorial is for advanced cyber elite hacker ninja monkey admins, what is it?

well this should show you how to store your ssh servers host key in its dns record so that ssh can auotomatically verify the authenticity of the machine, not so useful after the inital connection (where you type yes) but its handy if you use machines that dont have your servers fingerprint alot (eg tech support guys, contractor, student)

scince this i a 10 minute hack its worth it (10 minutes for you, i spent half a day getting it to work) so i thought i would pass on my knowlage to you. note that you can also put your pgp keys in your dns record and have openpgp pull them from dns rather than a keyserver , eg peter.yourdomain.com with your pgp public key would be the ekey for the email adress peter@yourdomain.com

anyway onto the howto

prerequisetes:
A dns server that you control the zone files on (the godaddy interface dosent count, you really need to run your own dns server orbe able to hack the zone files by hand)
idealy the dns server on a diffrent machine and ip to the ssh server (its a trust/hack thing)

anyway, locate the ssh server you wish to publish the keys for, ill use my zone ifles to show off



the reson for the differing code is that the older bind dosent have direct support for it (record type 44) but you can hack it to work by entering the packet type, then the raw payload in hex which is mostly aoutgenerated, i only had to add 2 0's

the program to generate the keys, or more acurattly format the exsisting keys into dns records is ssh-keygen -r <hostname>

first go to /etc/ssh, the entere ssh-keygen <hostname> where hostname matches the dns name of the PC, when prompted for a keyfile enter ssh_host_dsa_key.pub
and repeat for the rsa key (ssh_host_rsa_key.pub). this should have spat out a line of code that looks like the second example i gave, if you use bind >=9.3 then copy it to the zone file in the line below the hosts A record

if you are using the older bind then it needs a bit of massaging see the following steps
pocketnix.org IN SSHFP 2 1 3f4bd588c6146610bc2c3d70e6adc6de2bad8fa5
remove pocketnix.org IN SSHFP so it becomes

add a 0 to the 2 and the one at the beggining (or both 1s for the rsa key

remove spaces

wrap in barackets with spaces

add TYPE44 \# 22 to the front


and finally add underneath the hosts A record, the reson for adding it underneath the hosts A record is because we did not specify the host the key belongs to, by placing it under the A record it uses the last A record to work out who it belongs to

hope this helped, its not your standard feature but for some peopel it adds a bit of security.

when you now login to the server for the first time it will say


see the matching host in dns bit?, it comes in handy if you dont want to remeber the fingerprints of every host

i also added this to my .ssh/config file
VerifyHostKeyDNS yes
this makes ssh check the dns entry by default, otherwise you have ot do ssd -o "VerifyHostKeyDNS yes" <hostname> to get it to verify the keys (i suppose i should mention that at an earlier point)

sorry to spam but i might change my ssh port address aafter all

I think that what is most important is to have your ssh port down, or act as being down when not in use, so you escape from all those internet scanners.

You can do that by either moving to another port, installing port-knocking, or / and any other measure that hides as mush as possible your IP from those scanners. Once you are on the list, you'll always have probes for new user/passwords or exploits as new versions are coming along, to check that you have upgraded.

Mi 0.02: avoid being included in the list of internet -servers running ssh, even all other ssh settings must be properly setup.

Note.. being "down" means dropping the request, not rejecting - rejecting will imply to hacker that there is something there but protected as they will get a response to their probe. Dropping means there'll be no response at all, so it will require them to sit and wait for timeout, and much harder to "fingerprint" the host.

i have been fidiling with my config file to auto connect ot a diffrent port bassed on the host and it seems to work well, next is to set up a port knock approch, anyone know how to gett ssh to automate this or do i have to manually launch it every time i want to ssh in?

in your system firewall scripts, e.g. /etc/init.d/firewall, DONT permit ssh from everywhere, only from places you can always trust; simply DROP all ssh incoming... e.g.
iptables -A INPUT -s 0/0 -p tcp --dport 22 -j LOG --log-prefix=" drop all ssh inbound"
iptables -A INPUT -s 0/0 -j DROP

in the download tar.gz, there's scripts for opening up ssh when the appropriate ping is received; basically it looks like this
iptables -I INPUT -s $PINGORIGIN -p tcp --dport 22 -j ACCEPT

when the daemon times out the connection
iptables -D INPUT -s $PINGORIGIN -p tcp --dport 22 -j ACCEPT

you can add what you want to this script; e.g. to allow in http, proxy, imap-ssl or pop3-ssl. NOTE! this doesn't provide connectivity security, it's not a VPN (ok, you know this, but I wanted to remind you), so you still need to guard against someone on the local lan (especially wireless) sniffing for passwords and cookies!

the daemon writes to syslog too so you can see what's going on.

p.s. you also need to add the barricade startup script to /etc/init.d and put links in /etc/rc3.d and /etc/rc5.d
p.p.s. I would do an rpm but it's not really my package, I simply fixed up an existing program, and also it's really a one-off thing you'd set up, and to be useful requires so much customisation it'd be hard work to make an all-encompassing feature set!

ne rpm is fine as its a debain server however i was thinking more along the lines of the port knocker program that requires a port combonation to unlock and update the firewall for your host only