zeus
/
SwarmLab-HowTos
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
326 Commits
1 Branch
0 Tags
124 MiB
 
 
Tree: 233d9c6320
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '233d9c6320'
${ noResults }
SwarmLab-HowTos/swarmlab/docs/build/site/swarmlab_sec-ssh-tunneling/docs/index.html

562 lines
22 KiB
Raw Blame History

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<title>SSH Tunneling! :: Swarmlab faq</title>
<link rel="canonical" href="http://docs.swarmlab.io/SwarmLab-HowTos/swarmlab/docs/swarmlab_sec-ssh-tunneling/docs/index.html">
<meta name="generator" content="Antora 2.3.4">
<link rel="stylesheet" href="../../_/css/site.css">
<link rel="stylesheet" href="../../_/css/search.css">
<script>var uiRootPath = '../../_'</script>
</head>
<body class="article">
<header class="header">
<nav class="navbar">
<div class="navbar-brand">
<a class="navbar-item" href="http://docs.swarmlab.io/SwarmLab-HowTos/swarmlab/docs">Swarmlab faq</a>
<button class="navbar-burger" data-target="topbar-nav">
<span></span>
<span></span>
<span></span>
</button>
</div>
<div id="topbar-nav" class="navbar-menu">
<div class="navbar-end">
<a class="navbar-item" href="#">Home</a>
<div class="navbar-item has-dropdown is-hoverable">
<a class="navbar-link" href="#">Products</a>
<div class="navbar-dropdown">
<a class="navbar-item" target ="hybridgit" href="https://git.swarmlab.io:3000/zeus/swarmlab-hybrid">Hybrid</a>
<a class="navbar-item" target ="venusgit" href="https://git.swarmlab.io:3000/swarmlab/venus-client">Venus</a>
</div>
</div>
<div class="navbar-item has-dropdown is-hoverable">
<a class="navbar-link" href="#">Services</a>
<div class="navbar-dropdown">
<a class="navbar-item" target ="hybrid" href="https://api-client.swarmlab.io:8088/">Hybrid</a>
<a class="navbar-item" target ="venus" href="https://api-client.swarmlab.io:8088/">Venus</a>
</div>
</div>
<div class="navbar-item">
<input id="search-input" type="text" placeholder="Search docs">
</div>
</div>
</div>
</nav>
</header>
<div class="body">
<div class="nav-container" data-component="swarmlab_sec-ssh-tunneling" data-version="docs">
<aside class="nav">
<div class="panels">
<div class="nav-panel-menu is-active" data-panel="menu">
<nav class="nav-menu">
<h3 class="title"><a href="index.html">swarmlab_sec-ssh-tunneling</a></h3>
<ul class="nav-list">
<li class="nav-item" data-depth="0">
<ul class="nav-list">
<li class="nav-item is-current-page" data-depth="1">
<a class="nav-link" href="index.html">SSH Tunneling</a>
</li>
</ul>
</li>
</ul>
</nav>
</div>
<div class="nav-panel-explore" data-panel="explore">
<div class="context">
<span class="title">swarmlab_sec-ssh-tunneling</span>
<span class="version">docs</span>
</div>
<ul class="components">
<li class="component">
<a class="title" href="../../CloudComputing_Lab/docs/index.html">CloudComputing_Lab</a>
<ul class="versions">
<li class="version is-latest">
<a href="../../CloudComputing_Lab/docs/index.html">docs</a>
</li>
</ul>
</li>
<li class="component">
<a class="title" href="../../swarmlab_faq/docs/index.html">swarmlab_faq</a>
<ul class="versions">
<li class="version is-latest">
<a href="../../swarmlab_faq/docs/index.html">docs</a>
</li>
</ul>
</li>
<li class="component">
<a class="title" href="../../swarmlab_how-to-build-a-Swarmlab-service/docs/index.html">swarmlab_how-to-build-a-Swarmlab-service</a>
<ul class="versions">
<li class="version is-latest">
<a href="../../swarmlab_how-to-build-a-Swarmlab-service/docs/index.html">docs</a>
</li>
</ul>
</li>
<li class="component">
<a class="title" href="../../swarmlab_infrastructure-as-code/docs/index.html">swarmlab_infrastructure-as-code</a>
<ul class="versions">
<li class="version is-latest">
<a href="../../swarmlab_infrastructure-as-code/docs/index.html">docs</a>
</li>
</ul>
</li>
<li class="component">
<a class="title" href="../../swarmlab_iot-sensor-node/docs/index.html">swarmlab_iot-sensor-node</a>
<ul class="versions">
<li class="version is-latest">
<a href="../../swarmlab_iot-sensor-node/docs/index.html">docs</a>
</li>
</ul>
</li>
<li class="component">
<a class="title" href="../../swarmlab_network-adhoc/docs/index.html">swarmlab_network-adhoc</a>
<ul class="versions">
<li class="version is-latest">
<a href="../../swarmlab_network-adhoc/docs/index.html">docs</a>
</li>
</ul>
</li>
<li class="component">
<a class="title" href="../../swarmlab_poc-datacollector/docs/index.html">swarmlab_poc-datacollector</a>
<ul class="versions">
<li class="version is-latest">
<a href="../../swarmlab_poc-datacollector/docs/index.html">docs</a>
</li>
</ul>
</li>
<li class="component">
<a class="title" href="../../swarmlab_raspi-docker/docs/index.html">swarmlab_raspi-docker</a>
<ul class="versions">
<li class="version is-latest">
<a href="../../swarmlab_raspi-docker/docs/index.html">docs</a>
</li>
</ul>
</li>
<li class="component">
<a class="title" href="../../swarmlab_sec-intro/docs/index.html">swarmlab_sec-intro</a>
<ul class="versions">
<li class="version is-latest">
<a href="../../swarmlab_sec-intro/docs/index.html">docs</a>
</li>
</ul>
</li>
<li class="component">
<a class="title" href="../../swarmlab_sec-iptables/docs/index.html">swarmlab_sec-iptables</a>
<ul class="versions">
<li class="version is-latest">
<a href="../../swarmlab_sec-iptables/docs/index.html">docs</a>
</li>
</ul>
</li>
<li class="component is-current">
<a class="title" href="index.html">swarmlab_sec-ssh-tunneling</a>
<ul class="versions">
<li class="version is-current is-latest">
<a href="index.html">docs</a>
</li>
</ul>
</li>
<li class="component">
<a class="title" href="../../swarmlab_sidecar-firefox/docs/index.html">swarmlab_sidecar-firefox</a>
<ul class="versions">
<li class="version is-latest">
<a href="../../swarmlab_sidecar-firefox/docs/index.html">docs</a>
</li>
</ul>
</li>
<li class="component">
<a class="title" href="../../swarmlab_tech-list/docs/index.html">swarmlab_tech-list</a>
<ul class="versions">
<li class="version is-latest">
<a href="../../swarmlab_tech-list/docs/index.html">docs</a>
</li>
</ul>
</li>
<li class="component">
<a class="title" href="../../swarmlab_xelatex-thesis/docs/index.html">swarmlab_xelatex-thesis</a>
<ul class="versions">
<li class="version is-latest">
<a href="../../swarmlab_xelatex-thesis/docs/index.html">docs</a>
</li>
</ul>
</li>
</ul>
</div>
</div>
</aside>
</div>
<main class="article">
<div class="toolbar" role="navigation">
<button class="nav-toggle"></button>
<a href="../../swarmlab_faq/docs/index.html" class="home-link"></a>
<nav class="breadcrumbs" aria-label="breadcrumbs">
<ul>
<li><a href="index.html">swarmlab_sec-ssh-tunneling</a></li>
<li><a href="index.html">SSH Tunneling</a></li>
</ul>
</nav>
</div>
<div class="content">
<aside class="toc sidebar" data-title="Contents" data-levels="2">
<div class="toc-menu"></div>
</aside>
<article class="doc">
<h1 class="page">SSH Tunneling!</h1>
<div id="preamble">
<div class="sectionbody">
<div class="imageblock right">
<div class="content">
<img src="_images/swarmlab.png" alt="swarmlab" width="150">
</div>
</div>
<div class="paragraph">
<p>This tutorial demonstrates: <strong>a.</strong> howto setup a SSH tunneling <strong>b.</strong> howto use it</p>
</div>
<div class="paragraph">
<p><strong><strong>SSH Tunneling</strong></strong>, is the ability to use ssh to create a bi-directional encrypted network connection between machines over which data can be exchanged, typically TCP/IP.</p>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<i class="fa icon-note" title="Note"></i>
</td>
<td class="content">
<div class="paragraph">
<p>SSH is a standard for secure remote logins and file transfers over untrusted networks. It also provides a way to secure the data traffic of any given application using port forwarding, basically tunneling any TCP/IP port over SSH. This means that the application data traffic is directed to flow inside an encrypted SSH connection so that it cannot be eavesdropped or intercepted while it is in transit. SSH tunneling enables adding network security to legacy applications that do not natively support encryption.</p>
</div>
</td>
</tr>
</table>
</div>
<div class="imageblock">
<div class="content">
<img src="_images/ssh-tunneling-1366x416-WPhEwBvP.png" alt="SSH tunneling">
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_local_port_forwarding"><a class="anchor" href="#_local_port_forwarding"></a>Local Port Forwarding</h2>
<div class="sectionbody">
<div class="listingblock">
<div class="title">local port forwarding</div>
<div class="content">
<pre class="highlightjs highlight"><code class="language-bash hljs" data-lang="bash">ssh -nNT -L 8000:localhost:3306 user@192.168.89.5</code></pre>
</div>
</div>
<div class="paragraph">
<p>The above command sets up an ssh tunnel between your machine and the server, and forwards all traffic from localhost:3306 to localhost:8000 (on your machine).</p>
</div>
<div class="paragraph">
<p>So now you could connect to MySQL running on your server via localhost on port 8000 on your machine.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_remote_port_forwarding"><a class="anchor" href="#_remote_port_forwarding"></a>Remote Port Forwarding</h2>
<div class="sectionbody">
<div class="listingblock">
<div class="title">remote port forwarding</div>
<div class="content">
<pre class="highlightjs highlight"><code class="language-bash hljs" data-lang="bash">ssh -nNT -R 4000:localhost:3000 user@192.168.89.5</code></pre>
</div>
</div>
<div class="paragraph">
<p>The above command sets up an ssh tunnel between your machine and the server, and forwards all traffic from localhost:3000 (on your machine) to localhost:4000 (in the context of the server).</p>
</div>
<div class="paragraph">
<p>So now you can connect to the locally running service on port 3000 on the server on port 4000</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_ssh_command"><a class="anchor" href="#_ssh_command"></a>SSH Command</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Practically every Linux system includes the ssh command. This command is used to start the SSH client program that enables secure connection to the SSH server on a remote machine. The ssh command is used from logging into the remote machine, transferring files between the two machines, and for executing commands on the remote machine.</p>
</div>
<div class="sect2">
<h3 id="_connect_to_server"><a class="anchor" href="#_connect_to_server"></a>Connect to server</h3>
<div class="listingblock">
<div class="title">connect</div>
<div class="content">
<pre class="highlightjs highlight"><code class="language-bash hljs" data-lang="bash">ssh user@192.168.89.5
The authenticity of host '192.168.89.5' cannot be established.
DSA key fingerprint is 04:48:30:31:b0:f3:5a:9b:01:9d:b3:a7:38:e2:b1:0c.
Are you sure you want to continue connecting (yes/no)?</code></pre>
</div>
</div>
<div class="paragraph">
<p>Type yes to continue. This will add the server to your list of known hosts (~/.ssh/known_hosts) as seen in the following message:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code class="language-bash hljs" data-lang="bash">Warning: Permanently added '192.168.89.5' (DSA) to the list of known hosts.</code></pre>
</div>
</div>
<div class="paragraph">
<p>Each server has a host key, and the above question related to verifying and saving the host key, so that next time you connect to the server, it can verify that it actually is the same server.</p>
</div>
</div>
<div class="sect2">
<h3 id="_executing_remote_commands_on_the_server"><a class="anchor" href="#_executing_remote_commands_on_the_server"></a>Executing remote commands on the server</h3>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code class="language-bash hljs" data-lang="bash">ssh user@192.168.89.5 /bin/bash -c "ls -al"</code></pre>
</div>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_sshd_config_ssh_server_configuration"><a class="anchor" href="#_sshd_config_ssh_server_configuration"></a>sshd_config - SSH Server Configuration</h2>
<div class="sectionbody">
<div class="paragraph">
<p>The OpenSSH server reads a configuration file when it is started. Usually this file is /etc/ssh/sshd_config, but the location can be changed using the -f command line option when starting sshd.</p>
</div>
<div class="sect2">
<h3 id="_cryptographic_policy"><a class="anchor" href="#_cryptographic_policy"></a>Cryptographic policy</h3>
<div class="ulist">
<ul>
<li>
<p>Symmetric algorithms for encrypting the bulk of transferred data are configured using the Ciphers option. A good value is aes128-ctr,aes192-ctr,aes256-ctr.</p>
</li>
<li>
<p>Host key algorithms are selected by the HostKeyAlgorithms option. A good value is ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss.</p>
</li>
<li>
<p>Key exchange algorithms are selected by the KexAlgorithms option. recommend ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256.</p>
</li>
</ul>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<i class="fa icon-note" title="Note"></i>
</td>
<td class="content">
<div class="paragraph">
<p>not recommend allowing diffie-hellman-group1-sha1, unless needed for compatibility. It uses a 768 bit prime number, which is too small by today&#8217;s standards and may be breakable by intelligence agencies in real time. Using it could expose connections to man-in-the-middle attacks when faced with such adversaries.</p>
</div>
</td>
</tr>
</table>
</div>
</div>
<div class="sect2">
<h3 id="_verbose_logging"><a class="anchor" href="#_verbose_logging"></a>Verbose logging</h3>
<div class="paragraph">
<p>It is strongly recommended that LogLevel be set to VERBOSE. This way, the key fingerprint for any SSH key used for login is logged. This information is important for SSH key management, especially in legacy environments.</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code class="language-bash hljs" data-lang="bash">LogLevel VERBOSE</code></pre>
</div>
</div>
</div>
<div class="sect2">
<h3 id="_root_login"><a class="anchor" href="#_root_login"></a>Root login</h3>
<div class="paragraph">
<p>root access should generally go through a privileged access management system</p>
</div>
<div class="paragraph">
<p>To disable passwords for root, but still allow key-based access without forced command, use:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code class="language-bash hljs" data-lang="bash">PermitRootLogin prohibit-password</code></pre>
</div>
</div>
<div class="paragraph">
<p>To disable passwords and only allow key-based access with a forced command, use:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code class="language-bash hljs" data-lang="bash">PermitRootLogin forced-commands-only</code></pre>
</div>
</div>
</div>
<div class="sect2">
<h3 id="_port_forwarding"><a class="anchor" href="#_port_forwarding"></a>Port forwarding</h3>
<div class="paragraph">
<p>Generally prevent port forwarding on servers, unless expressly needed for tunneling legacy applications.
There is substantial risk that users will use SSH tunneling to open backdoors into the organization through the firewall to get access to work machines from home.</p>
</div>
</div>
<div class="sect2">
<h3 id="_generate_a_key_pair"><a class="anchor" href="#_generate_a_key_pair"></a>Generate a key pair</h3>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code class="language-bash hljs" data-lang="bash">ssh-keygen</code></pre>
</div>
</div>
<div class="paragraph">
<p>Output:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code class="language-bash hljs" data-lang="bash">Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Created directory '/home/user/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
8c:2a:ed:82:98:6d:12:0a:3a:ba:b2:1c:c0:25:be:5b</code></pre>
</div>
</div>
</div>
<div class="sect2">
<h3 id="_install_your_public_key"><a class="anchor" href="#_install_your_public_key"></a>Install your public key</h3>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code class="language-bash hljs" data-lang="bash">sh-copy-id -i ~/.ssh/id_rsa.pub UserName@RemoteServer</code></pre>
</div>
</div>
<div class="paragraph">
<p>Output:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code class="language-bash hljs" data-lang="bash">UserName@RemoteServer's password: ********</code></pre>
</div>
</div>
<div class="paragraph">
<p>Now try logging into the machine, with "ssh 'username@remoteserver'", and check in:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code class="language-bash hljs" data-lang="bash">~/.ssh/authorized_keys</code></pre>
</div>
</div>
<div class="sect3">
<h4 id="_ssh_client_config_files"><a class="anchor" href="#_ssh_client_config_files"></a>SSH Client Config Files</h4>
<div class="paragraph">
<p>Config file</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code class="language-bash hljs" data-lang="bash">$HOME/. ssh/config</code></pre>
</div>
</div>
<div class="paragraph">
<p>Config template</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code class="language-bash hljs" data-lang="bash">Host name <i class="conum" data-value="1"></i><b>(1)</b>
HostName [IP] <i class="conum" data-value="2"></i><b>(2)</b>
Preferredauthentications publickey
IdentityFile /path2file-key-private <i class="conum" data-value="3"></i><b>(3)</b>
User user <i class="conum" data-value="4"></i><b>(4)</b>
Port 22 <i class="conum" data-value="5"></i><b>(5)</b></code></pre>
</div>
</div>
<div class="colist arabic">
<table>
<tr>
<td><i class="conum" data-value="1"></i><b>1</b></td>
<td>name4server</td>
</tr>
<tr>
<td><i class="conum" data-value="2"></i><b>2</b></td>
<td>Server ip</td>
</tr>
<tr>
<td><i class="conum" data-value="3"></i><b>3</b></td>
<td>path private key</td>
</tr>
<tr>
<td><i class="conum" data-value="4"></i><b>4</b></td>
<td>user2connect</td>
</tr>
<tr>
<td><i class="conum" data-value="5"></i><b>5</b></td>
<td>port4server</td>
</tr>
</table>
</div>
<div class="paragraph">
<p>connect example</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code class="language-bash hljs" data-lang="bash">ssh name</code></pre>
</div>
</div>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_run_graphics_applications_remotely"><a class="anchor" href="#_run_graphics_applications_remotely"></a>run graphics applications remotely</h2>
<div class="sectionbody">
<div class="paragraph">
<p>X11 forwarding needs to be enabled on both the client side and the server side.</p>
</div>
<div class="ulist">
<ul>
<li>
<p>On the client side, the -X (capital X) option to ssh enables X11 forwarding</p>
</li>
<li>
<p>On the server side, X11Forwarding yes must specified in /etc/ssh/sshd_config.</p>
</li>
<li>
<p>The xauth program must be installed on the server side.</p>
</li>
</ul>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code class="language-bash hljs" data-lang="bash">ssh -X user@192.168.89.5 gimp</code></pre>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_copy_files_and_directories_between_two_systems"><a class="anchor" href="#_copy_files_and_directories_between_two_systems"></a>Copy Files and Directories Between Two Systems</h2>
<div class="sectionbody">
<div class="sect2">
<h3 id="_copy_a_file_from_a_local_to_a_remote_system"><a class="anchor" href="#_copy_a_file_from_a_local_to_a_remote_system"></a>Copy a file from a local to a remote system</h3>
<div class="paragraph">
<p>To copy a file from a local to a remote system run the following command:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code class="language-bash hljs" data-lang="bash">scp file.txt user@192.168.89.5:/remote/directory</code></pre>
</div>
</div>
</div>
<div class="sect2">
<h3 id="_copy_a_remote_file_to_a_local_system_using_the_scp_ommand"><a class="anchor" href="#_copy_a_remote_file_to_a_local_system_using_the_scp_ommand"></a>Copy a Remote File to a Local System using the scp ommand</h3>
<div class="paragraph">
<p>To copy a file named file.txt from a remote server with IP 192.168.89.5 run the following command:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code class="language-bash hljs" data-lang="bash">scp user@192.168.89.5:/remote/file.txt /local/directory</code></pre>
</div>
</div>
</div>
</div>
</div>
</article>
</div>
</main>
</div>
<footer class="footer">
<p>This page was built using the Antora <a href="https://gitlab.com/antora/antora-ui-default" target="antora">default UI</a> </p>
</footer>
<script src="../../_/js/site.js"></script>
<script src="../../_/js/vendor/lunr.js"></script>
<script src="../../_/js/vendor/search.js" id="search-script" data-base-path="../.." data-page-path="/swarmlab_sec-ssh-tunneling/docs/index.html"></script>
<script async src="../../_/../search-index.js"></script>
<script async src="../../_/js/vendor/highlight.js"></script>
</body>
</html>