IT notes

Block SSH on MacOS

To block incoming ssh connections, edit /etc/pf.conf and add the following line at the bottom:

    block in log quick proto tcp from any to any port 22

You can use vim, or something like this:

    sudo sh -c "echo 'block in log quick proto tcp from any to any port 22' >> /etc/pf.conf"

Then reload the pf rules:

    sudo pfctl -Fa -f /etc/pf.conf

For this to work the firewall must be enabled.

Git SSH

To create a git repository and access it via ssh:

    $ ssh your.host
    $ mkdir my-new-repo
    $ cd my-new-repo
    $ git --bare init

To access your repo (clone it):

    $ git clone ssh://[email protected]:2222/~user/my-new-repo

ssh CanonicalDomains

SSH Canonicalization

    CanonicalDomains example.com example.net example.org
    # CanonicalizeFallbackLocal no
    CanonicalizeHostname yes

    Host *.example.com
        IdentityFile ~/.ssh/exampleCOM
        User foo

    Host *.example.net
        IdentityFile ~/.ssh/exampleNET
        User foo

    Host *.example.org
        User foo
        IdentityFile ~/.ssh/exampleORG

more info: https://dotfiles.tnetconsulting.net/articles/2016/0109/ssh-canonicalization.html

ssh permissions are too open

To set mode 0400 on all your private ssh keys:

    $ find ~/.ssh/* -type f -name "id*" -not -iname "*.pub" -exec chmod 0400 {} \+

UseKeychain

To save SSH key passphrases in the macOS Sierra keychain, add this to ~/.ssh/config:

    Host *
        AddKeysToAgent yes
        UseKeychain yes

Keychain changes

Prior to macOS Sierra, ssh would present a dialog asking for your passphrase and would offer the option to store it into the keychain. This UI was deprecated some time ago and has been removed. Instead, a new UseKeychain option was introduced in macOS Sierra allowing users to specify whether they would like for the passphrase to be stored in the keychain.

ssh update Host Keys

To create new ssh host keys on the server:

    ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa
    ssh-keygen -f /etc/ssh/ssh_host_ecdsa_key -N '' -t ecdsa -b 521

To check the fingerprint:

    ssh-keygen -lf ssh_host_ecdsa_key

On the client side:

    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
    Someone could be eavesdropping on you right now (man-in-the-middle attack)!
    It is also possible that a host key has just been changed.

two factor authentication with ssh

Two-Factor Authentication (2FA) with SSH

Install google authenticator and libqrencode:

    pkg install pam_google_authenticator
    pkg install libqrencode

Edit /etc/pam.d/sshd and add the following line to the auth section:

    # auth
    auth        sufficient      pam_opie.so                 no_warn no_fake_prompts
    auth        requisite       pam_opieaccess.so           no_warn allow_local
    #auth       sufficient      pam_krb5.so                 no_warn try_first_pass
    #auth       sufficient      pam_ssh.so                  no_warn try_first_pass
    #auth       required        pam_unix.so                 no_warn try_first_pass
    auth        required        /usr/local/lib/pam_google_authenticator.so

Add this to /etc/ssh/sshd_config:

    ChallengeResponseAuthentication yes
    UsePAM yes
    AuthenticationMethods publickey,keyboard-interactive

This setup will do "publickey + verification code", without a password; in case you require a password, edit the /etc/pam.

pdsh

pdsh - issue commands to groups of hosts in parallel

Install:

    brew install pdsh

Usage:

    pdsh -R ssh -w ^servers.txt "<command>"

where servers.txt is something like:

    10.8.4.2
    10.8.4.3
    10.8.4.4

One-liner:

    pdsh -b -w "10.8.4.2, 10.8.4.3, 10.8.4.4" "<command>"

    -b    Disable ctrl-C status feature so that a single ctrl-C kills parallel job. (Batch Mode)

haproxy ssh

HTTPS and SSH on the same port

Using HAProxy to serve SSH and SSL on the same port:

    global
        maxconn 1000000
        spread-checks 3
        log /var/run/log local0 notice
        daemon
        tune.ssl.default-dh-param 2048

    defaults
        mode http
        balance roundrobin
        option http-server-close
        option abortonclose
        option dontlognull
        option redispatch
        timeout check 3s
        timeout client 30s          # Client and server timeout must match the longest
        timeout connect 5s
        timeout http-keep-alive 5s
        timeout http-request 10s    # A complete request may never take that long.
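The fragment above stops before the part that actually tells SSH and TLS apart. The frontend and backends below are an added example (not from the original notes) that pairs with that global/defaults section; the backend addresses 127.0.0.1:22 and 127.0.0.1:8443 are placeholders.

```haproxy
# Added example: one TCP frontend on 443 that sends SSH clients to sshd and
# TLS clients to the HTTPS backend, rejecting anything that is neither.
frontend ssh-and-https
    bind *:443
    mode tcp                        # overrides "mode http" from defaults
    log global
    option tcplog                   # each log line records which backend was chosen
    # Hold the connection until the client's first bytes arrive (max 5s).
    # This relies on the client speaking first: OpenSSH sends its
    # "SSH-2.0-..." banner immediately, a TLS client sends a ClientHello.
    tcp-request inspect-delay 5s
    acl is_ssh req.payload(0,7) -m bin 5353482d322e30   # the bytes "SSH-2.0"
    acl is_tls req.ssl_hello_type 1                      # TLS ClientHello
    tcp-request content accept if is_ssh or is_tls
    tcp-request content reject      # plain HTTP, garbage or silence: drop it
    use_backend be_ssh if is_ssh
    default_backend be_https
    # Interactive SSH sessions idle far longer than "timeout client 30s";
    # once the connection is established this timeout replaces it.
    timeout tunnel 2h

backend be_ssh
    mode tcp
    timeout server 30s
    server sshd 127.0.0.1:22 check      # placeholder: local sshd

backend be_https
    mode tcp
    timeout server 30s
    server web 127.0.0.1:8443 check     # placeholder: TLS-terminating web server
```

Check the result with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading, and note that sshd will see connections arriving from the proxy's address rather than the client's unless the PROXY protocol is used end to end.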

tmux ssh

Tmux multiple ssh connections with synchronized panes

If you need to debug or check multiple servers in real time via ssh, this can be used.

tmux script:

    #!/bin/sh
    # Opens one ssh session per host (read from a file or stdin) in a tiled
    # tmux window and synchronizes keystrokes across all panes.
    TARGET="tmux-ssh"
    SSH_USER="devops"
    i=0
    while read -r line
    do
        if [ "$i" -eq 0 ]
        then
            # First host gets a new window
            tmux new-window -a -n "${TARGET}" "ssh -l ${SSH_USER} ${line}"
        else
            # Every further host gets a split pane, re-tiled after each split
            tmux split-window -t "${TARGET}" "ssh -l ${SSH_USER} ${line}" && \
            tmux select-layout -t "${TARGET}" tiled
        fi
        i=$((i + 1))
    done < "${1:-/dev/stdin}"
    tmux set-window-option -t "${TARGET}" synchronize-panes on

hosts

If the input is json, jq can be used to extract hosts, assuming your output is similar to: