Tunneling
Create an SSH tunnel to a webserver on an internal network: local port 1234 is forwarded through 41.181.73.102 to 192.168.124.231:80
ssh -L 1234:192.168.124.231:80 root@41.181.73.102 -v
Create SSH key pair:
vi .ssh/authorized_keys2
ssh-keygen -t rsa
cat .ssh/id_rsa.pub
Do this on both machines.
Forced SSH
While we need cron/scriptable ssh between machines (for nagios checks, rsync backups etc.), I've been reading up on "scponly" and "rshell" - for "restricted shell"
but they didn't sound like the answer, e.g. they're not in the base repos
Was checking again today and came across ssh forced commands - woohoo!
http://binblog.info/2008/10/20/openssh-going-flexible-with-forced-commands/
e.g. say we want someone (or nagios) to be able to invoke the manco_status script on myserver without needing full access
In this case I have configured the "nagios" user on myserver with the following .ssh/authorized_keys - the forced command goes before the key, along with other restrictions such as no port forwarding allowed etc.
root@myserver myserver: cat ~nagios/.ssh/authorized_keys
command="/scripts/manco_status",no-port-forwarding,no-X11-forwarding ssh-rsa AAAAB3Nza .... FjIH5ALw== cameronx@myserver.net
Now when I ssh (or scp) in, this is the only command that runs - I don't get a shell :)
[cameronx@myserver.net ~]$ ssh nagios@myserver
DiskSpace OK - 84%
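An added example, not from these notes: a small POSIX sh audit that walks an authorized_keys file and reports, per key, whether it is unrestricted (a full shell), has options but no forced command, or has a forced command with or without the usual restrictions (OpenSSH's single "restrict" option counts as all of them). The sample file, its key blobs and the function names are this example's own constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original notes: audit an authorized_keys file for
# keys that still grant a full shell, or forced commands missing restrictions.
# The sample file and its key blobs below are constructed placeholders.

# Restrictions we expect next to every forced command (OpenSSH's single
# "restrict" option switches all of them on at once).
WANT="no-port-forwarding no-X11-forwarding no-agent-forwarding no-pty"

# Classify one authorized_keys line. Prints one of:
#   comment                       blank or '#' line
#   unrestricted                  no options at all: the key gets a full shell
#   options-only                  options but no command=, still a shell
#   forced                        command= plus every restriction in WANT
#   forced-weak:<missing,...>     command= but some restriction is absent
classify_key_line() {
    line="$1"
    missing=""
    # a line that starts with the key type carries no options at all
    case "$line" in
        ''|'#'*) echo "comment"; return ;;
        ssh-*|ecdsa-*|sk-*) echo "unrestricted"; return ;;
    esac
    # the options field runs to the first space outside command="..." quotes
    options=$(printf '%s\n' "$line" | sed -E 's/^((("[^"]*")|[^" ])*) .*$/\1/')
    case "$options" in
        *command=*) ;;
        *) echo "options-only"; return ;;
    esac
    for r in $WANT; do
        case "$options" in
            *restrict*|*"$r"*) ;;
            *) missing="${missing:+$missing,}$r" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "forced-weak:$missing"
    else
        echo "forced"
    fi
}

# Print a verdict per non-comment line; the return value is the number of
# keys that grant an unrestricted shell, so 0 means "all keys are limited".
audit_authorized_keys() {
    file="$1"
    n=0
    bad=0
    while IFS= read -r line; do
        n=$((n + 1))
        verdict=$(classify_key_line "$line")
        if [ "$verdict" != "comment" ]; then
            printf '%-40s line %d\n' "$verdict" "$n"
        fi
        if [ "$verdict" = "unrestricted" ]; then
            bad=$((bad + 1))
        fi
    done < "$file"
    return "$bad"
}

# Constructed sample file (placeholder key material, not real keys).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# constructed sample authorized_keys
ssh-rsa AAAAB3Nza...PLACEHOLDER1 admin@workstation
command="/scripts/manco_status",no-port-forwarding,no-X11-forwarding ssh-rsa AAAAB3Nza...PLACEHOLDER2 cameronx@myserver.net
command="/scripts/rsync_command.sh",restrict ssh-ed25519 AAAAC3Nza...PLACEHOLDER3 backup@myserver
no-pty ssh-ed25519 AAAAC3Nza...PLACEHOLDER4 ops@laptop
EOF

audit_authorized_keys "$SAMPLE"
```

Run stand-alone it prints one verdict per key and exits with the count of unrestricted keys, which makes it easy to drop into a cron job or a nagios check. Note that a line like the manco_status one above is reported as forced-weak because no-agent-forwarding and no-pty are not set; adding those (or just "restrict") closes that gap.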
Why is this a big deal?
It's a standard mechanism in ssh to allow remote script invocation, tightly controlled via ssh keys :)
So it's a replacement for nagios-nrpe, and more tightly controlled via ssh keys - whereas with nagios NRPE, by default anyone can run the check commands, although of course those are restricted to the nagios checks defined in nrpe.cfg.
Also this "forced command" can be used to allow rsync and scp without a shell, e.g. for backups.
For example I created this forced command, which is a wrapper script for ssh users or groups that need scponly-style access.
It's an rsync/scp wrapper - it can also allow commands like ls and md5sum, but no other commands via ssh.
It allows rsync of /backups and will reject other rsync commands we don't like the look of :)
It can be customised to allow some other restricted commands and/or otherwise just rsync.
root@myserver myserver: cat /scripts/rsync_command.sh
#!/bin/bash
# Forced-command wrapper: sshd puts the command the client asked for in
# SSH_ORIGINAL_COMMAND. Only a server-side rsync under /backups, or a bare
# "ls"/"md5sum", is allowed; anything else is rejected. (Classic scp arrives
# as "scp -f ..." / "scp -t ...", which this wrapper does not allow as written.)
set -f   # no glob expansion when the client's words are re-executed below

if echo "$SSH_ORIGINAL_COMMAND" | grep -q "^rsync"
then
    # rsync --server puts the target path last; require it to be under
    # /backups and refuse any ".." in the command
    if echo "$SSH_ORIGINAL_COMMAND" | grep -Eq "^rsync --server .* /backups(/[^ ]*)?$" \
       && ! echo "$SSH_ORIGINAL_COMMAND" | grep -q '\.\.'
    then
        exec $SSH_ORIGINAL_COMMAND
    else
        exit 1
    fi
else
    command=$(echo "$SSH_ORIGINAL_COMMAND" | cut -f1 -d' ')
    # match the whole word: an unanchored "ls\|md5sum" would also let
    # e.g. "lsof" or "false" through
    if echo "$command" | grep -Eq "^(ls|md5sum)$"
    then
        exec $SSH_ORIGINAL_COMMAND
    else
        echo "Permission denied"
        exit 2
    fi
fi
[cameronx@myserver.net ~]$ rsync nagios@myserver:/backups/test .
[cameronx@myserver.net ~]$ rsync nagios@myserver:/etc/passwd .
rsync: connection unexpectedly closed (0 bytes received so far) [receiver]
rsync error: error in rsync protocol data stream (code 12) at io.c(600) [receiver=3.0.6]
[cameronx@myserver.net ~]$ ssh nagios@myserver md5sum /etc/passwd
2d2889941ec91bce7cd8c741858992cb /etc/passwd
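The allow/deny decision of such a wrapper, as an added example in POSIX sh that is not the script from these notes: the policy sits in one function so it can be run against a table of constructed SSH_ORIGINAL_COMMAND values (including the path-traversal and "lsof" cases) without execing anything. /backups and the ls/md5sum allow-list come from the notes; the function names, the exact rsync --server check and the sample commands are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not the wrapper from the notes: the allow/deny policy of a
# forced-command rsync wrapper pulled out into one function, so it can be
# exercised against a table of constructed SSH_ORIGINAL_COMMAND values
# without execing anything. /backups and the ls/md5sum allow-list follow the
# notes; everything else here is an assumption of this example.

BACKUP_ROOT="/backups"      # only rsync targets under this tree are allowed
ALLOWED_PLAIN="ls md5sum"   # bare commands allowed besides rsync

# Print "allow" or "deny" for one SSH_ORIGINAL_COMMAND value.
decide() {
    cmd="$1"
    # split into words the way "exec $SSH_ORIGINAL_COMMAND" would, but with
    # globbing off so a client-supplied "*" stays literal
    set -f
    set -- $cmd
    set +f
    # no command at all means the client asked for an interactive shell
    [ $# -gt 0 ] || { echo deny; return; }
    first="$1"
    case "$first" in
        rsync)
            # a legitimate remote rsync arrives as
            #   rsync --server [--sender] <flags> . <path>
            # so insist on --server and inspect the last word, the path
            [ "${2:-}" = "--server" ] || { echo deny; return; }
            for path; do :; done
            case "$path" in
                "$BACKUP_ROOT"|"$BACKUP_ROOT"/*) ;;
                *) echo deny; return ;;
            esac
            # refuse any ".." component, e.g. /backups/../etc/passwd
            case "/$path/" in
                */../*) echo deny ;;
                *) echo allow ;;
            esac ;;
        *)
            # exact match on the first word: a substring test ("ls" inside
            # "lsof" or "false") would let unrelated binaries through
            for w in $ALLOWED_PLAIN; do
                if [ "$first" = "$w" ]; then echo allow; return; fi
            done
            echo deny ;;
    esac
}

# What the real forced command would do with the verdict: run the original
# words, or refuse. (Not called here; it would be the command="..." target.)
enforce() {
    if [ "$(decide "${SSH_ORIGINAL_COMMAND-}")" = allow ]; then
        set -f
        exec $SSH_ORIGINAL_COMMAND
    fi
    echo "Permission denied" >&2
    exit 2
}

# Constructed cases, one per line; the verdicts print when run stand-alone.
CASES='rsync --server --sender -vlogDtpr . /backups/test
rsync --server -vlogDtpr . /backups/
rsync --server --sender -vlogDtpr . /etc/passwd
rsync --server --sender -vlogDtpr . /backups/../etc/passwd
rsync --server --sender -vlogDtpr . /backupsold/x
rsync -av /etc/ nagios@myserver:/backups/
md5sum /etc/passwd
ls -la /backups
lsof -i
'
printf '%s' "$CASES" | while IFS= read -r c; do
    printf '%-6s %s\n' "$(decide "$c")" "$c"
done
```

Keeping the decision separate from the exec is what makes the policy testable: every new rsync option or command you want to permit gets a line in the case table, and the traversal and prefix cases (/backups/../etc/passwd, /backupsold/x) stay as regression checks.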