ssh

warning: Creating default object from empty value in /data/web/1/000/027/003/273448/htdocs/panticz.de/modules/taxonomy/taxonomy.pages.inc on line 33.

Install SSH VPN server

export CONTAINER=vpn

# create container
# TODO: configure MAC on create container
wget -q --no-check-certificate https://raw.githubusercontent.com/panticz/lxc/master/create.jessie.sh -O - | bash -s -- -f

# configure container MAC address
sed -i 's|lxc.network.hwaddr = .*|lxc.network.hwaddr = 00:11:22:33:44:5e|' /var/lib/lxc/${CONTAINER}/config

# enable autostart
echo "lxc.start.auto = 1" | tee -a /var/lib/lxc/${CONTAINER}/config

# configure container
##echo "lxc.hook.autodev=/var/lib/lxc/vpn/autodev" >> /var/lib/lxc/${CONTAINER}/config

Create a restricted user for SSH tunneling

wget -q --no-check-certificate https://raw.githubusercontent.com/panticz/scripts/master/create_ssh_tunnel_user.sh -O - | bash -

#!/bin/bash

# create new restricted user
useradd tunnel --gid nogroup --create-home --skel /dev/null --shell /bin/rbash

# set random encrypted password to enable login
echo "tunnel:$(openssl rand -base64 32)" | chpasswd

# create authorized_keys
mkdir /home/tunnel/.ssh
chmod 700 /home/tunnel/.ssh
touch /home/tunnel/.ssh/authorized_keys
chmod 600 /home/tunnel/.ssh/authorized_keys

# remove path to programs
echo 'PATH=' > /home/tunnel/.profile
chmod 400 /home/tunnel/.profile

# restrict permissions
chmod 500 /home/tunnel
chown tunnel:nogroup /home/tunnel -R

Add your public key(s)
cat /tmp/authorized_keys > /home/tunnel/.ssh/authorized_keys
sed -i 's|ssh-rsa|command="/bin/false",no-pty,no-X11-forwarding ssh-rsa|g' /home/tunnel/.ssh/authorized_keys

# parameter
command="/bin/false",no-agent-forwarding,no-pty,no-user-rc,no-X11-forwarding,permitopen="127.0.0.1:80"
no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding

Links
http://www.gnu.org/software/bash/manual/html_node/The-Restricted-Shell.html

Rsync SSH backup script

cat <<EOF> ~/privat/scripts/backup.ssh.sh
#!/bin/bash
 
nice -n 20 rsync -avze ssh --delete --exclude-from=/home/pako/.gvfs /home/pako pako@fs:/mnt/pakonb
EOF

SSH authentication with pre-shared key

Create new key on client
#ssh-keygen -t rsa
#(confirm with 3x with enter to leave passphrase empty)
ssh-keygen -q -f ~/.ssh/id_rsa -N ''

Copy public key to server
ssh-copy-id ${USER}@192.168.0.1

Test login
ssh -v ${USER}@192.168.0.1

Login with private key
ssh -i ./backup_ssh_key/id_rsa USER@YOUR_SERVER

Import own ssh key by using previous / master ssh key
cat ~/.ssh/id_rsa.pub | ssh -i ./backup_ssh_key/id_rsa USER@YOUR_SERVER 'cat >> .ssh/authorized_keys'

Syndicate content