Here are some ssh things I've jotted down.
Add ssh key based auth to remote server
cat /home/user/.ssh/id_rsa.pub | ssh [email protected] 'cat >> ~/.ssh/authorized_keys'
~/.ssh/authorized_keys must have the correct permissions otherwise it will be ignored by ssh:
chmod 0700 ~/.ssh
chmod 0600 ~/.ssh/authorized_keys
Simple reverse shell
From the initializing system run something like:
# Initializing System
ssh -R 12345:localhost:22 [email protected]_system
This forwards port 12345 on the receiver through the ssh tunnel to local port 22, providing ssh access.
On the receiver the connection can be completed by connecting locally:
# Receiver connecting back through tunnel
ssh [email protected] -p 12345
Setting up SSH Agent forwarding
Note from Crunchbang Client w/ agent + Ubuntu server with forwarding.
On the machine with the key to be forwarded
vi ~/.ssh/config and add
Host machine.to.forward.through.com
    ForwardAgent yes
At the command line add an identity to the ssh agent:
# check identities with ssh-add -L
ssh-add id_rsa
Seems like there is probably a different way to permanently add identities, but for now this seems to work.
On the system which will be forwarded through go into
Confirm on both systems that this command returns something like this once an SSH connection has been established:
[email protected]:~$ echo "$SSH_AUTH_SOCK"
/tmp/ssh-EJjvLb2203/agent.2203
Note: if this isn't working make sure that
overriding these settings
Limiting a user to ssh portforwarding only
This is useful if you want to let someone pivot through you or port forward, but not get a shell on your receiver box. This setup was done on an Ubuntu server running OpenSSH and should work anywhere OpenSSH is found.
setup user on server
sudo useradd no-access-user
sudo mkdir -p /home/no-access-user/.ssh
For that user create
.ssh/authorized_keys with the users public key and some
command="/bin/false",no-agent-forwarding,no-X11-forwarding,port-forwarding,permitopen="localhost:3000" ssh-rsa PUBLIC_KEY_HERE
These flags serve the following purposes:
command="/bin/false": limit the user to a single command; when not port forwarding, this command won't do much
no-agent-forwarding: disallow agent forwarding
no-X11-forwarding: disallow X11 forwarding
port-forwarding: enable port forwarding
permitopen="localhost:3000": restrict port forwarding to localhost 3000
Any additional flags are in the ssh man page under the authorized keys info.
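One way to check that a key line really carries these restrictions, as an added example that is not part of the original notes: the Python below parses the options field of an authorized_keys line (respecting quoted values) and lists what is missing. The function names and sample lines are assumptions made for the example; `restrict` is treated as covering the two no-* flags, and the order of options is not considered.

```python
import re

# One option: a name, optionally ="quoted value"; ends at ',' or whitespace.
_OPT = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\.|[^"\\])*)")?(,|(?=\s)|$)')
_KEYTYPES = ("ssh-", "ecdsa-", "sk-")  # prefixes that start the key field

def parse_options(line):
    """Return {lowercased option name: [values]} for one authorized_keys line.
    Bare flags get the value None; repeated options keep every value."""
    line, opts, pos = line.strip(), {}, 0
    if line.startswith(_KEYTYPES):
        return opts  # the line has no options field
    while True:
        m = _OPT.match(line, pos)
        if not m:
            raise ValueError("malformed options at column %d" % pos)
        opts.setdefault(m.group(1).lower(), []).append(m.group(2))
        pos = m.end()
        if m.group(3) != ",":  # whitespace or end of line: options are done
            return opts

def audit_forward_only(line):
    """List reasons the key is NOT limited to port forwarding (empty = ok)."""
    opts = parse_options(line)
    findings = []
    if "command" not in opts:
        findings.append("no forced command")
    for flag in ("no-agent-forwarding", "no-x11-forwarding"):
        if flag not in opts and "restrict" not in opts:
            findings.append("missing " + flag)
    if "no-port-forwarding" in opts or (
            "restrict" in opts and "port-forwarding" not in opts):
        findings.append("port forwarding is disabled")
    if "permitopen" not in opts:
        findings.append("no permitopen: -L can reach any host:port")
    return findings

# Constructed sample lines (PUBLIC_KEY_HERE is the placeholder used above).
PAGE_LINE = ('command="/bin/false",no-agent-forwarding,no-X11-forwarding,'
             'port-forwarding,permitopen="localhost:3000" ssh-rsa PUBLIC_KEY_HERE')
PLAIN_LINE = "ssh-rsa PUBLIC_KEY_HERE"

if __name__ == "__main__":
    for sample in (PAGE_LINE, PLAIN_LINE):
        print(audit_forward_only(sample) or "forward-only")
```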
connect to server
If you attempt a normal connection it will fail, but these flags will allow the connection to work and the port to forward happily :)
ssh -L 3000:localhost:3000 [email protected] -i ~/.ssh/id_rsa -o ExitOnForwardFailure=yes -N