IT notes

Git SSH

To create a git repository on a server and access it via ssh, log in, create a bare repository (no working tree) and initialise it:

    $ ssh your.host
    $ mkdir my-new-repo
    $ cd my-new-repo
    $ git --bare init

To access your repo (clone it), give the sshd port and the path relative to the account's home (~user):

    $ git clone ssh://user@your.host:2222/~user/my-new-repo

ssh CanonicalDomains

SSH canonicalization: with CanonicalizeHostname yes, ssh expands a short name such as "web1" by trying each domain in CanonicalDomains in order (web1.example.com, web1.example.net, ...) and uses the first one that resolves. Only names with at most one dot are expanded (CanonicalizeMaxDots, default 1), and if nothing resolves the name is used as typed (CanonicalizeFallbackLocal, default yes). Host blocks are then matched against the canonical name, which is what makes the *.example.com style patterns below work even when you type "ssh web1". The Canonicalize* options must come before the Host blocks they affect:

    CanonicalDomains example.com example.net example.org
    # CanonicalizeFallbackLocal no
    CanonicalizeHostname yes

    Host *.example.com
        IdentityFile ~/.ssh/exampleCOM
        User foo

    Host *.example.net
        IdentityFile ~/.ssh/exampleNET
        User foo

    Host *.example.org
        User foo
        IdentityFile ~/.ssh/exampleORG

more info: https://dotfiles.tnetconsulting.net/articles/2016/0109/ssh-canonicalization.html
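The following is an added example (not part of these notes and not OpenSSH code) that models the canonicalization and Host matching described above, so you can see which IdentityFile and User a short name ends up with. The DNS set is a constructed stand-in for the resolver, and the CONFIG dict mirrors the ~/.ssh/config fragment above; real ssh applies the same rules through its resolver and its own pattern matcher.

```python
"""Model of how ssh(1) canonicalizes a host name and then matches Host blocks.
Added example for these notes; it is not OpenSSH code.  The DNS set and the
Host blocks below are constructed to mirror the ~/.ssh/config above."""

import fnmatch

# Constructed stand-in for the resolver: the FQDNs that "exist".
DNS = {"web1.example.com", "db1.example.net", "ldap.example.org"}

CONFIG = {
    "CanonicalDomains": ["example.com", "example.net", "example.org"],
    "CanonicalizeHostname": True,
    "CanonicalizeMaxDots": 1,            # ssh default: only names with <= 1 dot
    "CanonicalizeFallbackLocal": True,   # ssh default: keep the name if nothing resolves
    "Host": [
        ("*.example.com", {"IdentityFile": "~/.ssh/exampleCOM", "User": "foo"}),
        ("*.example.net", {"IdentityFile": "~/.ssh/exampleNET", "User": "foo"}),
        ("*.example.org", {"IdentityFile": "~/.ssh/exampleORG", "User": "foo"}),
    ],
}


def canonicalize(name, config, resolves):
    """Return the canonical host name ssh would connect to."""
    if not config["CanonicalizeHostname"]:
        return name
    if name.count(".") > config["CanonicalizeMaxDots"]:
        return name                      # already looks fully qualified
    for domain in config["CanonicalDomains"]:
        candidate = f"{name}.{domain}"
        if resolves(candidate):          # first domain that resolves wins
            return candidate
    if config["CanonicalizeFallbackLocal"]:
        return name
    raise LookupError(f"{name!r} does not resolve in any CanonicalDomains")


def effective_options(name, config, resolves=lambda fqdn: fqdn in DNS):
    """Options ssh ends up with: Host blocks are matched against the canonical
    name, and for each option the first value seen wins, as in ssh_config(5)."""
    host = canonicalize(name, config, resolves)
    opts = {"HostName": host}
    for pattern, block in config["Host"]:
        if fnmatch.fnmatchcase(host, pattern):
            for key, value in block.items():
                opts.setdefault(key, value)
    return opts


if __name__ == "__main__":
    for short in ("web1", "db1", "ldap", "a.b.c"):
        print(short, "->", effective_options(short, CONFIG))
```

Flip CanonicalizeHostname to False in CONFIG and "web1" no longer picks up any IdentityFile: the Host patterns are only ever compared against the name as typed.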

ssh permissions are too open

ssh refuses to load a private key that group or other can read, failing with "Permissions 0644 for '/home/user/.ssh/id_rsa' are too open". To set mode 0400 on all your private keys (those named id* without the .pub suffix):

    $ find ~/.ssh/* -type f -name "id*" -not -iname "*.pub" -exec chmod 0400 {} \+

The name filter misses keys stored under other names (such as the exampleCOM/exampleNET keys above), which need the same treatment, and ~/.ssh itself should be mode 0700.
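As an added example (not from these notes), the script below audits a client ssh directory by content rather than by file name, so oddly named private keys are caught too, and then fixes what it found. The rule for private keys is the one ssh enforces (no group/other bits at all); 0700 on the directory and 0600 on config/authorized_keys/known_hosts are the usual practice rather than something ssh checks. demo() builds a constructed ~/.ssh in a temporary directory with typical mistakes.

```python
"""Audit (and fix) the modes of an ssh client directory.  Added example for
these notes, not OpenSSH code.  The rule for private keys is the one ssh(1)
enforces ("Permissions ... are too open" if group/other have any access);
0700 on the directory and 0600 on config/authorized_keys are common practice."""

import os
import stat
import tempfile

# Regular files that should be private even though they are not keys.
PRIVATE_NAMES = {"config", "authorized_keys", "known_hosts"}


def is_private_key(path):
    """Detect private keys by header rather than by file name, so keys like
    ~/.ssh/exampleCOM are covered as well as id_*."""
    try:
        with open(path, "rb") as f:
            head = f.read(64)
    except OSError:
        return False
    return head.startswith(b"-----BEGIN ") and b"PRIVATE KEY" in head


def audit(ssh_dir):
    """Return [(path, actual_mode, wanted_mode)] for everything too open."""
    problems = []
    dir_mode = stat.S_IMODE(os.stat(ssh_dir).st_mode)
    if dir_mode & 0o077:
        problems.append((ssh_dir, dir_mode, 0o700))
    for name in sorted(os.listdir(ssh_dir)):
        path = os.path.join(ssh_dir, name)
        if not os.path.isfile(path):
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if is_private_key(path) or name in PRIVATE_NAMES:
            if mode & 0o077:            # any group/other bit: ssh refuses the key
                problems.append((path, mode, 0o600))
        elif name.endswith(".pub"):
            if mode & 0o022:            # public keys may be read, not written
                problems.append((path, mode, 0o644))
    return problems


def fix(ssh_dir):
    """chmod every offending entry and return what is still wrong (should be [])."""
    for path, _actual, wanted in audit(ssh_dir):
        os.chmod(path, wanted)
    return audit(ssh_dir)


def demo():
    """Build a constructed ~/.ssh in a temp dir with typical mistakes and fix it.
    Returns (names flagged before the fix, problems left after it)."""
    d = tempfile.mkdtemp(prefix="sshaudit-")
    os.chmod(d, 0o755)                                   # too open
    files = {
        "id_ed25519": (b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
                       b"constructed, not a real key\n"
                       b"-----END OPENSSH PRIVATE KEY-----\n", 0o644),   # too open
        "id_ed25519.pub": (b"ssh-ed25519 AAAA constructed\n", 0o644),   # fine
        "config": (b"Host *\n    AddKeysToAgent yes\n", 0o664),         # too open
    }
    for name, (content, mode) in files.items():
        path = os.path.join(d, name)
        with open(path, "wb") as f:
            f.write(content)
        os.chmod(path, mode)
    before = sorted("." if p == d else os.path.basename(p) for p, _, _ in audit(d))
    return before, fix(d)


if __name__ == "__main__":
    flagged, remaining = demo()
    print("flagged:", flagged, "remaining after fix:", remaining)
```

Run audit() against a real ~/.ssh first and read the list before calling fix(); the script never touches anything it has not listed.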

UseKeychain

To have ssh store key passphrases in the macOS (Sierra and later) keychain, add this to ~/.ssh/config:

    Host *
        AddKeysToAgent yes
        UseKeychain yes

A key is added to the keychain the first time it is loaded with ssh-add (ssh-add --apple-use-keychain ~/.ssh/id_ed25519 on macOS 12 and later, ssh-add -K on older releases); after that ssh reads the passphrase from the keychain without prompting.

UseKeychain is an Apple-only option. Other OpenSSH builds reject it with "Bad configuration option: usekeychain" and refuse to run, so in a config file that is shared with Linux or BSD machines put IgnoreUnknown UseKeychain on the line before it.

Keychain changes: Prior to macOS Sierra, ssh would present a dialog asking for your passphrase and would offer the option to store it into the keychain. This UI was deprecated some time ago and has been removed. Instead, a new UseKeychain option was introduced in macOS Sierra allowing users to specify whether they would like for the passphrase to be stored in the keychain.

ssh update Host Keys

To create new host keys on the server (-N '' sets an empty passphrase, which host keys must have because sshd loads them unattended):

    ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa
    ssh-keygen -f /etc/ssh/ssh_host_ecdsa_key -N '' -t ecdsa -b 521

To check the fingerprint (keep this output, you will need it on the clients):

    ssh-keygen -lf ssh_host_ecdsa_key

Restart sshd so it picks up the new keys. On the client side every user who has the old key in ~/.ssh/known_hosts will then see:

    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
    Someone could be eavesdropping on you right now (man-in-the-middle attack)!
    It is also possible that a host key has just been changed.

This warning is indistinguishable from a real man-in-the-middle, so do not blindly delete the entry. Compare the fingerprint the client prints with the ssh-keygen -lf output obtained out of band (console, an already open session, configuration management), and only then remove the stale entry and reconnect:

    ssh-keygen -R your.host
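The added example below (not part of these notes, not OpenSSH code) shows the two things that matter when that warning appears: how the fingerprint printed by ssh-keygen -lf is derived from a public key line, and how the known_hosts lookup decides between "new host", "match" and "CHANGED". It understands plain comma-separated host fields and the hashed |1|salt|hmac form written by HashKnownHosts; wildcard/negated patterns and [host]:port entries are left out. The key lines and the known_hosts text are constructed (valid wire format, not real key pairs) so the script runs offline.

```python
"""Compute ssh-keygen -l style fingerprints from a public key line and decide
what the known_hosts check will say for a host key.  Added example for these
notes, not OpenSSH code.  The key lines below are constructed (valid wire
format, but not real key pairs) so the script runs offline."""

import base64
import hashlib
import hmac
import struct


def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def fingerprint(pubkey_line, alg="sha256"):
    """SHA256:<base64, no padding> or MD5:<hex:hex:...>, as ssh-keygen -lf prints."""
    blob = base64.b64decode(pubkey_line.split()[1])
    if alg == "sha256":
        return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    if alg == "md5":
        return "MD5:" + ":".join(f"{x:02x}" for x in hashlib.md5(blob).digest())
    raise ValueError(alg)


def _host_field_matches(field, hostname):
    """known_hosts host field: comma-separated names, or a hashed |1|salt|hmac entry."""
    for pat in field.split(","):
        if pat.startswith("|1|"):
            _, _, salt_b64, mac_b64 = pat.split("|")
            mac = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
            if hmac.compare_digest(mac, base64.b64decode(mac_b64)):
                return True
        elif pat == hostname:   # real ssh also handles *, ? and ! patterns
            return True
    return False


def known_host_status(known_hosts_text, hostname, server_pubkey_line):
    """'match', 'new' (no entry, ssh asks whether to trust it) or 'CHANGED'
    (entry of the same key type with a different key: the WARNING banner)."""
    srv_type, srv_b64 = server_pubkey_line.split()[:2]
    same_type_seen = False
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):        # @cert-authority / @revoked marker
            fields = fields[1:]
        hosts, ktype, kb64 = fields[:3]
        if ktype != srv_type or not _host_field_matches(hosts, hostname):
            continue
        if kb64 == srv_b64:
            return "match"
        same_type_seen = True
    return "CHANGED" if same_type_seen else "new"


def make_key_line(seed):
    """Constructed ssh-ed25519 public key line (32 key bytes derived from seed)."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(hashlib.sha256(seed).digest())
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed"


def hashed_entry(hostname, salt, key_line):
    """Build a HashKnownHosts-style line for hostname."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    host_field = "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())
    return host_field + " " + " ".join(key_line.split()[:2])


def demo():
    """Constructed known_hosts with one plain and one hashed entry for the old key."""
    old, new = make_key_line(b"old host key"), make_key_line(b"rotated host key")
    known_hosts = "\n".join([
        "# constructed ~/.ssh/known_hosts",
        "your.host,10.8.4.2 " + " ".join(old.split()[:2]),
        hashed_entry("db1.example.net", b"0123456789abcdef0123", old),
    ])
    return {
        "same_key": known_host_status(known_hosts, "your.host", old),
        "rotated_key": known_host_status(known_hosts, "your.host", new),
        "hashed_entry": known_host_status(known_hosts, "db1.example.net", old),
        "unknown_host": known_host_status(known_hosts, "nowhere.example.org", new),
        "fp_old": fingerprint(old),
        "fp_new": fingerprint(new),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

fingerprint() applied to the server's /etc/ssh/ssh_host_*.pub line gives exactly the string to compare against the client's warning; "rotated_key" is the situation after the key regeneration above.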

two factor authentication with ssh

Two-factor authentication ("2FA") with SSH, on FreeBSD, using a time-based one-time code as the second factor.

Install google authenticator and libqrencode (the latter is only needed to print the enrolment QR code in the terminal):

    pkg install pam_google_authenticator
    pkg install libqrencode

Enrol every user who will log in by running google-authenticator as that user; it generates the secret, shows the QR code and writes ~/.google_authenticator, which the PAM module reads. A user without that file cannot complete the keyboard-interactive step.

Edit /etc/pam.d/sshd and add the following line to the auth section:

    # auth
    auth            sufficient      pam_opie.so             no_warn no_fake_prompts
    auth            requisite       pam_opieaccess.so       no_warn allow_local
    #auth           sufficient      pam_krb5.so             no_warn try_first_pass
    #auth           sufficient      pam_ssh.so              no_warn try_first_pass
    #auth           required        pam_unix.so             no_warn try_first_pass
    auth            required        /usr/local/lib/pam_google_authenticator.so

Add this to /etc/ssh/sshd_config:

    ChallengeResponseAuthentication yes
    UsePAM yes
    AuthenticationMethods publickey,keyboard-interactive

(OpenSSH 8.7 and later call this option KbdInteractiveAuthentication; ChallengeResponseAuthentication is kept as a deprecated alias.)

With AuthenticationMethods publickey,keyboard-interactive the public key must succeed first and only then is the PAM stack run, which with pam_unix commented out prompts for the verification code alone. This setup will do "publickey + verification code", without password. Keep an existing root session open while you reload sshd and test from a second terminal, since a typo here locks everyone out. In case you require password edit the /etc/pam.
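To make clear what the keyboard-interactive step above actually checks, here is an added example (not from these notes and not the pam_google_authenticator source) implementing the same verification: RFC 4226 HOTP under RFC 6238 TOTP with SHA-1, 6 digits and a 30 s step, a skew window, and refusal to accept a code twice (what the module calls disallowing reuse). The secret is the RFC test secret "12345678901234567890", base32-encoded the way ~/.google_authenticator stores it; it is a constructed test value only.

```python
"""TOTP verification of the kind pam_google_authenticator performs for the
keyboard-interactive step.  Added example for these notes (RFC 4226 HOTP and
RFC 6238 TOTP, SHA-1, 6 digits, 30 s); it is not the PAM module's code.  The
secret is the RFC test secret, base32-encoded the way ~/.google_authenticator
stores it."""

import base64
import hashlib
import hmac
import struct
import time

# RFC 4226/6238 test secret "12345678901234567890", as Google Authenticator
# would store it (base32).  Constructed for the example, never use in production.
RFC_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time, step=30, digits=6):
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(at_time) // step, digits)


def decode_secret(secret_b32):
    """Base32 secrets are often stored without '=' padding; restore it."""
    s = secret_b32.strip().upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def verify(secret_b32, code, at_time=None, window=1, step=30, used_counters=None):
    """Accept `code` if it matches the current step or up to `window` steps
    either side (clock skew), comparing in constant time.  If `used_counters`
    is given, a counter value that already authenticated once is rejected,
    which is the module's protection against replaying a sniffed code."""
    if at_time is None:
        at_time = time.time()
    secret = decode_secret(secret_b32)
    now = int(at_time) // step
    for counter in range(now - window, now + window + 1):
        if hmac.compare_digest(hotp(secret, counter), code):
            if used_counters is not None:
                if counter in used_counters:
                    return False
                used_counters.add(counter)
            return True
    return False


if __name__ == "__main__":
    print("current code for the test secret:", totp(decode_secret(RFC_SECRET_B32), time.time()))
```

The window is the trade-off to tune: each extra step on either side widens the set of acceptable codes an attacker can guess at, while too small a window fails users whose phone clock drifts.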

pdsh

pdsh - issue commands to groups of hosts in parallel

Install:

    brew install pdsh

Usage:

    pdsh -R ssh -w ^servers.txt "<command>"

where servers.txt lists one host per line, something like:

    10.8.4.2
    10.8.4.3
    10.8.4.4

one-liner (the -w list is comma-separated, without spaces):

    pdsh -b -w "10.8.4.2,10.8.4.3,10.8.4.4" "<command>"

-b  Disable the ctrl-C status feature so that a single ctrl-C kills the parallel job (batch mode).

haproxy ssh

HTTPS and SSH on the same port

Using HAProxy to serve SSH and SSL on the same port. The global and defaults sections:

    global
        maxconn 1000000
        spread-checks 3
        log /var/run/log local0 notice
        daemon
        tune.ssl.default-dh-param 2048

    defaults
        mode http
        balance roundrobin
        option http-server-close
        option abortonclose
        option dontlognull
        option redispatch
        timeout check 3s
        timeout client 30s           # Client and server timeout must match the longest
        timeout connect 5s
        timeout http-keep-alive 5s
        timeout http-request 10s     # A complete request may never take that long.
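What makes sharing the port possible is that the two clients open differently: a TLS client's first bytes are a handshake record (content type 0x16, version 3.x) whose first message is a ClientHello (type 1), while an SSH client starts with the plain-text banner "SSH-2.0-...". That is the check HAProxy's req.ssl_hello_type fetch performs after tcp-request inspect-delay. The following is an added example (not part of these notes and not HAProxy code) that makes the same decision on a freshly accepted socket using MSG_PEEK, so the chosen backend still receives the complete stream; if nothing decisive arrives before the inspect delay expires it falls through to ssh, as the HAProxy rule does. The sample bytes and the socketpair clients in demo() are constructed.

```python
"""Tell a TLS ClientHello apart from an SSH client banner by peeking at the
first bytes of a connection, which is what HAProxy's `req.ssl_hello_type 1`
check in the SSH/HTTPS-on-one-port setup does.  Added example for these
notes, not HAProxy code; the sample bytes are constructed."""

import socket
import time

# Constructed: record header (handshake 0x16, version 3.1, length 0x00f1),
# then the handshake header (ClientHello = 0x01, length 0x0000ed) and version 3.3.
TLS_CLIENT_HELLO_PREFIX = bytes.fromhex("16030100f1010000ed0303")
SSH_BANNER = b"SSH-2.0-OpenSSH_9.6\r\n"


def classify_first_bytes(data):
    """'tls', 'ssh', 'more' (not enough bytes yet) or 'other'."""
    if data.startswith(b"SSH-"):
        return "ssh"
    if len(data) >= 6:
        if data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
            return "tls"        # handshake record whose first message is ClientHello
        return "other"
    # Too short to decide: could still become either protocol.
    if b"SSH-".startswith(data):
        return "more"
    if data[0] == 0x16 and (len(data) < 2 or data[1] == 0x03):
        return "more"
    return "other"


def route(conn, inspect_delay=0.2, poll=0.01):
    """Pick a backend for an accepted socket without consuming any bytes."""
    deadline = time.monotonic() + inspect_delay
    conn.setblocking(False)
    while True:
        try:
            data = conn.recv(64, socket.MSG_PEEK)
        except BlockingIOError:
            data = b""
        else:
            if not data:
                return "reject"      # peer closed without sending anything
        verdict = classify_first_bytes(data)
        if verdict == "tls":
            return "https"
        if verdict == "ssh":
            return "ssh"
        if verdict == "other":
            return "reject"          # HAProxy's rule would hand this to sshd, which drops it
        if time.monotonic() >= deadline:
            return "ssh"             # inspect-delay expired: fall through like HAProxy
        time.sleep(poll)


def demo():
    """Drive route() with three constructed clients over socketpairs and show
    that the backend side still reads the full payload afterwards."""
    results = {}
    for label, payload in (("tls", TLS_CLIENT_HELLO_PREFIX), ("ssh", SSH_BANNER), ("silent", b"")):
        client, server = socket.socketpair()
        if payload:
            client.sendall(payload)
        results[label] = route(server)
        results[label + "_stream"] = server.recv(1024) if payload else b""
        client.close()
        server.close()
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The "silent" case is why an inspect delay exists at all: a client that has not spoken within the delay is treated as SSH, so set the delay long enough for a slow TLS client to send its ClientHello but no longer, or every SSH login waits that long.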

tmux ssh

Tmux multiple ssh connections with synchronized panes

If you need to debug/check multiple servers in real time via ssh, this can be used: one pane per host, with keystrokes sent to all of them.

tmux script (reads hosts one per line from the file given as first argument, or from stdin):

    #!/bin/sh
    TARGET="tmux-ssh"
    SSH_USER="devops"
    i=0
    while IFS= read -r line
    do
        if [ "$i" -eq 0 ]
        then
            # first host opens the window
            tmux new-window -a -n "${TARGET}" "ssh -l ${SSH_USER} ${line}"
        else
            # every further host gets a pane; re-tile after each split
            tmux split-window -t "${TARGET}" "ssh -l ${SSH_USER} ${line}" && \
            tmux select-layout -t "${TARGET}" tiled
        fi
        i=$((i + 1))
    done < "${1:-/dev/stdin}"
    tmux set-window-option -t "${TARGET}" synchronize-panes on

(The original used [ $i == 0 ] and let i++, which are bash-isms that fail under /bin/sh on many systems; the POSIX forms above work with any sh.)

hosts

If the input is json, jq can be used to extract hosts, assuming your output is similar to:

bastion ssh

ProxyJump

This is the easiest (new, OpenSSH 7.3 and later) way; fill in your bastion user and host:

    Host 10.*
        ProxyJump <your-username>@your.bastion.tld:2222

Using ProxyCommand

Replace your.bastion.tld with your bastion server and set your bastion username in the ProxyCommand:

    Host bastion
        Hostname your.bastion.tld
        ForwardAgent yes

    Host 10.10.*
        ProxyCommand ssh <your-username>@bastion -W %h:%p

example

To login with user devops to server 10.10.3.4:

    $ ssh -l devops 10.10.3.4

or

    $ ssh devops@10.10.3.4

Neither variant needs ForwardAgent yes: with ProxyJump or ssh -W the bastion only relays a TCP stream and your authentication to the final host runs end to end from your own machine. Agent forwarding lets anyone with root on the bastion use your agent's keys for as long as you are connected, so leave it off unless something running on the bastion itself must authenticate as you.

SSH sockets

To speed up more when using the bastion host things this can be added at the top of the ~/.