= Introduction =

This page discusses a collection of advanced uses for SSH. The list is far from complete; it is meant only to get you thinking about possible uses.

= Tunneling VNC connections through ssh =

Virtual Network Computing ("VNC") is a cross-platform way of sharing a desktop. Once you have set your SSH server up, see [[VNC]] for more information.

= Mounting a remote directory =

The SSH protocol includes [[http://en.wikipedia.org/wiki/SSH_file_transfer_protocol|SFTP]] (the Secure File Transfer Protocol). Ubuntu can use SFTP, through `sshfs`, to treat your SSH server rather like a removable drive. For example, if your Ubuntu computer has an SSH account on a computer called `alpha-centauri`, you could create a folder `alpha-centauri` in your home folder, then do the following:

{{{
sshfs -o idmap=user alpha-centauri: ~/alpha-centauri/
}}}

Now when you look in your `alpha-centauri` folder, you will see your home folder on `alpha-centauri`. (The `idmap=user` option maps the remote owner of your files to your local user, so they appear to be owned by you rather than by a numeric UID from the other machine.) You can safely remove this device by doing:

{{{
fusermount -u ~/alpha-centauri/
}}}

Although this SSH filesystem is extremely useful, it is not what the SFTP protocol was designed for. As such, some ordinary operations might not behave the way you would expect; for example, you cannot unmount an SSHFS directory from the file browser.

= Running from (x)inetd =

The OpenSSH server can also be called into service as needed by the Internet Daemon, `inetd`, or its modern replacement, [[http://en.wikipedia.org/wiki/Xinetd|xinetd]]. xinetd can add logging of each connection attempt, successful or not, restrict access by source address or even by time of day, set the CPU priority of the server, and cap the number of connections. There are many more possibilities; see the manual pages xinetd.conf(5) or inetd.conf(5) for a full overview of the configuration options.
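Before the configuration file itself, an added example that is not from the original page: a small Python checker that parses an xinetd service stanza like the one shown in the next section and reports which of the access controls named above are actually in effect. The stanza embedded as sample input is a copy of the page's `/etc/xinetd.d/ssh` with its commented-out lines left commented; the `parse_stanza` and `audit_sshd_stanza` names are this example's own.

```python
"""Parse an xinetd service stanza and report which access controls it sets."""
import re

# Constructed sample input: a copy of the page's /etc/xinetd.d/ssh, with the
# commented-out lines left commented exactly as on the page.
SAMPLE_STANZA = """\
service ssh
{
    socket_type     = stream
    protocol        = tcp
    wait            = no
    user            = root
    server          = /usr/sbin/sshd
    server_args     = -i
    per_source      = UNLIMITED
    log_on_failure  = USERID HOST
    banner          = /etc/banner.inetd.connection.txt
    banner_success  = /etc/banner.inetd.welcome.txt
    banner_fail     = /etc/banner.inetd.takeahike.txt
#   access_times    = 08:00-16:25
#   log_on_success  = PID HOST DURATION TRAFFIC EXIT
#   instances       = 10
#   nice            = 10
#   bind            = 192.168.100.100
#   only_from       = 192.168.100.0
#   no_access       = 192.168.154.0
#   no_access       += 192.168.133.0
}
"""

# attribute  op  value(s); xinetd.conf(5) allows '=', '+=' and '-='
ASSIGN = re.compile(r"^\s*([A-Za-z_]+)\s*(\+=|-=|=)\s*(.*?)\s*$")


def parse_stanza(text):
    """Return (service_name, attrs); attrs maps attribute names to value lists.
    '+=' appends to an attribute, '-=' removes values, '=' replaces. Blank and
    '#' comment lines are skipped, as xinetd skips them."""
    name = None
    attrs = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or stripped in ("{", "}"):
            continue
        if stripped.startswith("service "):
            name = stripped.split(None, 1)[1]
            continue
        m = ASSIGN.match(line)
        if not m:
            raise ValueError("unparseable line: %r" % line)
        key, op, value = m.groups()
        values = value.split()
        if op == "+=":
            attrs.setdefault(key, []).extend(values)
        elif op == "-=":
            attrs[key] = [v for v in attrs.get(key, []) if v not in values]
        else:
            attrs[key] = values
    return name, attrs


def audit_sshd_stanza(attrs):
    """Findings a reviewer would raise about running sshd under xinetd.
    xinetd's defaults for instances and per_source are UNLIMITED, and with
    no only_from/no_access every source address is accepted."""
    findings = []
    if "-i" not in attrs.get("server_args", []):
        findings.append("server_args lacks -i: sshd would try to run as a "
                        "standalone daemon instead of serving the connection "
                        "xinetd handed it on stdin/stdout")
    if attrs.get("per_source", ["UNLIMITED"]) == ["UNLIMITED"]:
        findings.append("per_source is UNLIMITED: one client address may hold "
                        "any number of simultaneous connections")
    if attrs.get("instances", ["UNLIMITED"]) == ["UNLIMITED"]:
        findings.append("instances is UNLIMITED: no cap on concurrent sshd "
                        "processes, so a connection flood can exhaust memory")
    if "only_from" not in attrs and "no_access" not in attrs:
        findings.append("no only_from/no_access: connections accepted from "
                        "every source address")
    if "access_times" not in attrs:
        findings.append("no access_times: connections accepted at any hour")
    return findings


if __name__ == "__main__":
    service, attrs = parse_stanza(SAMPLE_STANZA)
    print("service:", service)
    for finding in audit_sshd_stanza(attrs):
        print(" -", finding)
```

Run against the page's stanza as written, the checker passes the `-i` check and reports four findings, all of them the lines that the page leaves commented out; uncommenting `only_from`, `instances` or `access_times` clears the corresponding finding.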
To configure sshd to be launched from xinetd, you must configure xinetd to listen on TCP port 22 and to run `/usr/sbin/sshd -i` when a connection is established. The `-i` flag tells sshd that it is being run from inetd and should serve the connection on its standard input and output rather than listen on a port of its own. This is done by adding a file, `/etc/xinetd.d/ssh`, with the following contents:

{{{
service ssh
{
    socket_type     = stream
    protocol        = tcp
    wait            = no
    user            = root
    server          = /usr/sbin/sshd
    server_args     = -i
    per_source      = UNLIMITED
    log_on_failure  = USERID HOST
    banner          = /etc/banner.inetd.connection.txt
    banner_success  = /etc/banner.inetd.welcome.txt
    banner_fail     = /etc/banner.inetd.takeahike.txt
#   access_times    = 08:00-16:25
#   log_on_success  = PID HOST DURATION TRAFFIC EXIT
#   instances       = 10
#   nice            = 10
#   bind            = 192.168.100.100
#   only_from       = 192.168.100.0
#   no_access       = 192.168.154.0
#   no_access       += 192.168.133.0
}
}}}

The three `banner` files named above should exist; xinetd sends their contents to the client before sshd starts, which SSH clients tolerate because the protocol allows text lines before the server's version string.

Two main disadvantages of inetd are that there is a slight extra delay at the start of each connection, because a new sshd process is started (and loads its host keys) for every connection, and that the standalone sshd service must be stopped and disabled, since it and xinetd cannot both listen on port 22.

`inetd` has far fewer options and needs a change in the file `/etc/inetd.conf`:

{{{
ssh stream tcp  nowait root /usr/sbin/sshd -i
ssh stream tcp6 nowait root /usr/sbin/sshd -i
}}}

= Logging in with Kerberos =

[[Kerberos|Kerberos]] is an authentication system used in some large organizations. It allows a user to have a single company-wide password that they use to log in to all their services. OpenSSH supports it through GSSAPI authentication (`GSSAPIAuthentication yes` in `sshd_config`), which lets a user who already holds a Kerberos ticket log in without typing a password at all. [[http://www.visolve.com/security/ssh_kerberos.php]] has a detailed guide to configuring OpenSSH to use Kerberos as an authentication mechanism.

= Limiting the number of connections =

If you allow passwords on your SSH server, you can use Ubuntu's firewall ([[IptablesHowTo|iptables]]) to limit the rate at which passwords can be guessed. This forces an attacker to probe your computer slowly, so it might take weeks or months to guess your password. But the rule below counts all new SSH connections together, whatever their source, so it also allows an attacker to stop anybody from logging in simply by flooding the server with bogus connection attempts. You should only try this if you fully understand how `iptables` works.
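To see that trade-off concretely before the rules themselves, here is an added Python simulation (not from the original page or from the iptables project) of the token bucket behind `-m limit --limit 3/min --limit-burst 3`, next to a per-source sliding window modelled on the `recent` match that `ufw limit` uses. The attacker and user timelines are constructed; the assumed parameters are 3 tokens per minute with a burst of 3 for the global bucket, and 6 hits per 30 seconds per source for the per-source window (the figures the ufw manpage gives). Both models are idealized: the kernel accumulates credit per tick rather than continuously, but the counts come out the same for whole-second timelines.

```python
"""Model two rate-limiting strategies for SSH logins: a single global token
bucket (netfilter `-m limit`) and a per-source sliding window (netfilter
`-m recent`, as used by `ufw limit`). Times are whole seconds; the label on
each attempt names its source address."""
from collections import defaultdict, deque

SCALE = 60  # one token is 60 credit units, so a rate of r/min adds r units per second


def simulate_limit(attempts, rate_per_min=3, burst=3):
    """Global token bucket. `attempts` is a time-ordered list of (seconds, source).
    The bucket starts full and refills continuously; an attempt is passed only
    when a whole token is available (assumed model of `-m limit`).
    Returns [(seconds, source, passed)]. Integer credit keeps the arithmetic exact."""
    capacity = burst * SCALE
    credit = capacity
    last = None
    results = []
    for t, src in attempts:
        if last is not None:
            credit = min(capacity, credit + (t - last) * rate_per_min)
        last = t
        passed = credit >= SCALE
        if passed:
            credit -= SCALE
        results.append((t, src, passed))
    return results


def simulate_recent(attempts, seconds=30, hitcount=6):
    """Per-source sliding window (assumed model of `-m recent`). Every attempt
    is recorded for its source, as the `--set` rule does before the `--update`
    check; the attempt is denied when, counting itself, the source has
    `hitcount` or more attempts within the last `seconds`. Other sources are
    unaffected."""
    history = defaultdict(deque)
    results = []
    for t, src in attempts:
        window = history[src]
        window.append(t)
        while window[0] <= t - seconds:
            window.popleft()
        results.append((t, src, len(window) < hitcount))
    return results


def passed_by_source(results):
    """Count passed attempts per source: {source: n}."""
    counts = defaultdict(int)
    for _, src, passed in results:
        if passed:
            counts[src] += 1
    return dict(counts)


def flood_with_legit_user(flood_seconds=120, legit_times=(30, 31, 32)):
    """Constructed timeline: one attacker address opening a connection every
    second, and one legitimate user trying three times during the flood."""
    attempts = [(t, "attacker") for t in range(flood_seconds)]
    attempts += [(t, "legit") for t in legit_times]
    return sorted(attempts, key=lambda a: a[0])  # stable sort: attacker first in a tie


if __name__ == "__main__":
    alone = [(t, "attacker") for t in range(600)]
    print("attacker alone, 600 tries in 10 min, global limit passes:",
          passed_by_source(simulate_limit(alone)))
    timeline = flood_with_legit_user()
    print("during a flood, global limit passes:",
          passed_by_source(simulate_limit(timeline)))
    print("during a flood, per-source limit passes:",
          passed_by_source(simulate_recent(timeline)))
```

With the attacker alone, 600 attempts in ten minutes yield only 32 new connections (the burst of 3, then one every 20 seconds), which is the protection the section describes. During the flood, the global bucket is always empty when the legitimate user tries, so all three of their attempts are dropped; the per-source window passes all three while holding the attacker to five, which is why a per-source rule is the better choice on a server that other people need to reach.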
As root, you can do this:

{{{
iptables -N rate-limit
iptables -A rate-limit -p tcp -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 3 -j RETURN
iptables -A rate-limit -j DROP
iptables -I INPUT 1 -p tcp --dport 22 -m conntrack --ctstate NEW -j rate-limit
}}}

This limits your computer to 3 new SSH connection attempts per minute, with a burst of 3: the first three connections are accepted immediately and, after that, one more every 20 seconds. Note the `--ctstate NEW` match on the last rule. Without it, every packet to port 22 would enter the `rate-limit` chain, and the packets of sessions that are already established, which the first rule does not match, would fall through to `DROP`, cutting off logins that had just succeeded. To make this change permanent, you will need to save these rules in whatever way you normally do.

If you are using UFW to manage your firewall, the same protection can be had with a command as simple as (for a default configuration with ssh on port 22) `ufw limit ssh`. UFW's limit rule works differently from the one above: it tracks each source address separately and denies a source that has started 6 or more connections in the last 30 seconds, so a flood from one address does not lock everyone else out. For details see the corresponding section of the [[http://manpages.ubuntu.com/manpages/lucid/en/man8/ufw.8.html|ufw manpage]].

(This section was based in part on [[http://www.dd-wrt.com/wiki/index.php/Preventing_Brute_Force_Attacks|DD-WRT's guide]].)

= Resources =

Additional resources pertaining to the advanced configuration of OpenSSH for enhanced security appear below.

== Local System Resources ==

||{{{man sshd}}}|| System manual page for the {{{sshd}}} server daemon||
||{{{man sshd_config}}}|| System manual page for the {{{/etc/ssh/sshd_config}}} configuration file||
||{{{man ssh-copy-id}}}|| System manual page for the {{{ssh-copy-id}}} application||
||{{{man ssh-keygen}}}|| System manual page for the {{{ssh-keygen}}} application||
||{{{~/.ssh/authorized_keys}}}|| List of "authorized" public keys (with limiting options)||
||{{{/etc/ssh/sshd_config}}}|| The OpenSSH Secure Shell Daemon ({{{sshd}}}) configuration file||

== Ubuntu Wiki Resources ==

 * [[SSH_VPN|OpenSSH 4.3 VPNs]] describes how to create a Virtual Private Network with recent versions of SSH.
 * [[GPGsigningforSSHHowTo|GPG & OpenSSH]] describes how to use GPG to sign SSH keys.
== WWW Resources ==

 * [[http://www.debian-administration.org/articles/87|Keeping SSH access secure]]
 * [[http://www.openssh.org/|OpenSSH Website]]
 * [[http://www.debian-administration.org/articles/152|Password-less logins with OpenSSH]]
 * [[http://en.wikibooks.org/wiki/OpenSSH/Server#sshd_under_inetd_.2F_xinetd|sshd under inetd / xinetd]]