Thomas' writings, builds, toys

2008-03-26

SSH MacGyver: Power-using the Swiss Knife

Introduction: Remote Computer Access

There are many technologies available for accessing a computer from another computer's terminal over a network. Roughly speaking, most of them fit into one of the following two categories.

The first kind enables a user to control the remote computer's console keyboard (and mouse, in the case of a GUI) without being physically near the computer. Common examples are Windows Remote Desktop, VNC, telnet/SSH, X11 and NoMachine NX.

The second kind provides access to a remote computer's filesystem. Remote file access is provided by Windows SMB (also known as Network Neighborhood and Samba), Unix NFS, FTP and HTTP WebDAV.

These days, most (terminal) access to UNIX boxes happens over a secure connection. The technical term for this is 'secure shell' (SSH). In fact, sysadmins still running insecure TELNET or FTP services (and/or exposing them to the internet) had better have a good excuse. Computing power has grown enough over the last years that the processor overhead of an SSH login or file transfer shouldn't be a bottleneck.

The OpenBSD OpenSSH server is used all over the world and distributed with almost every free operating system released today.

SSH, however, has many other uses aside from just logging on to a remote host over a safe connection. You can use it to:

  • Relay a TCP connection through another computer/server (you have access to) to yet another computer over a safe channel.
  • Access the filesystem of a computer/server (a 'remote host', provided you have access to that host).
  • Authenticate with a public key, which does away with having to send your password.

Over the years, I have used combinations of these three features to create powerful and interesting system and network services on my computer systems.

This text describes a few interesting set-ups I have used with SSH.

Shell access

The easiest way to get rid of the endless password: prompts is to use the ssh-keygen command to generate a key pair. You can have the remote machine recognise your identity by installing your public key into ~/.ssh/authorized_keys on that box using ssh-copy-id.

ssh-copy-id is a script that uses ssh to log into a remote machine (presumably with a login password, so password authentication should still be enabled at that point, unless you've made clever use of multiple identities).

man ssh-copy-id

Typical usage

ssh-copy-id [-i [identity_file]] [user@]machine

ssh-argv0 typical usage

ln -s /usr/bin/ssh-argv0 ~/.r/bin/dilbert

Provided you have ~/.r/bin in your $PATH, running the dilbert command will have the same effect as running ssh dilbert.

.ssh/config

The ~/.ssh/config file is read by the ssh tools. You can specify default options per host, e.g.

  • Port 2222: useful if an Internet Service Provider blocks ports below 1024 on the remote host.
  • User john_doe: log in with a custom username (the default is your local $USER).
  • Tab completion of hostnames if you use zsh (this is really cool, especially with long DynDNS hostnames!).

Setting up a ~/.ssh/config saves you from having to type the same arguments each time you start an ssh client.

Note that you can specify multiple DNS hostnames for a certain machine. Let's assume that, depending on where you are, you prefer to connect to a machine via a different address:

  • dilbert.lan (home, sofa: wireless)
  • dilbert.local (home, desk: wired gigabit LAN)
  • dilbert.dyndns.org (on the road: public internet address)

The following entry will enable you to <TAB>-complete any of the three hostnames, whichever one you use depending on your laptop's location. (Note that Host patterns are separated by spaces, not commas.)

Host dilbert dilbert.lan dilbert.local
    User dogbert
Host dilbert.dyndns.org
    User dogbert
    Port 2222

File transfer

SCP

scp works like a regular cp with the exception that you can prefix source or destination paths with a hostname:

scp dilbert:/tmp/out.txt .

SFTP

sftp works just like the interactive ftp shell command. These days the file managers of the GNOME and KDE desktop environments have transparent support for the sftp:// URI [1].

thomas@bauknecht ~ % sftp whirlpool.
Connecting to whirlpool....
sftp> cd /tmp
sftp> pwd
Remote working directory: /tmp
sftp> ls -l
drwx------    3 pulse    pulse        4096 Mar 27 12:36 gconfd-pulse
drwx------    2 thomas   thomas       4096 Mar 27 12:42 gconfd-thomas
drwx------    2 pulse    pulse        4096 Mar 27 12:36 orbit-pulse
<...>
sftp>^D
[1] Uniform Resource Identifier, e.g. http://, ftp://

SSHFS

sshfs works like ftpfs: you can locally mount a remote directory over SFTP.

thomas@bauknecht ~ % mkdir mnt
thomas@bauknecht ~ % sshfs whirlpool:/tmp mnt
thomas@bauknecht ~ % ls -m mnt
gconfd-pulse, gconfd-thomas, orbit-pulse, orbit-thomas,
seahorse-plsP8D, tmp.TpGrxA6977, virtual-thomas.2wcLq2
thomas@bauknecht ~ % fusermount -u mnt && rmdir mnt

In most Linux distributions the package is named sshfs.

File sharing with Unix-enabled friends

Note

When used in this text, the term 'file sharing' has nothing to do with infringing upon copyright law or illegal practices, the expression is used solely for its actual meaning in the English language!

Caution!

Be careful if you are allowing remote access to your box. Disabling password authentication may be a good start. Please check what files the untrusted remote user has access to. Expect the unexpected!

Imagine this situation: Your Linux-geek peers all have at least one of their boxes running a SSH daemon that is reachable from the internet (if necessary port-forwarded to pass a NAT router).

You can create UNIX logins/users for each other. It's up to you to decide whether you want a separate login for everyone.

It is preferable to use only public key authentication; just add the public keys to the authorized_keys file of your file-share login.

Securing things a bit

Your peers now have shell access to your box, allowing them to set up port forwarding and a SOCKS proxy. This enables them to commit crimes or fraud using your IP address, and law enforcement will trace the root of evil to you! Even if you trust those you hand out login permission to, beware that keys might fall into the wrong hands, so it may be wise to restrict the actions that login can perform on your box. The blunt instrument is an AllowTcpForwarding no line in your system-wide /etc/ssh/sshd_config file, but this disables port forwarding for all users, which is probably not what you want.
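As an added example (not from the original article), here is a small POSIX shell helper for the per-key alternative to a global AllowTcpForwarding no: it prefixes a file-share login's authorized_keys entry with OpenSSH's restricting key options and audits an authorized_keys file for keys that still permit forwarding. The option names are real OpenSSH options; the key strings are constructed sample data, not real keys.

```shell
#!/bin/sh
# Added example, not from the original article: lock down the key of a
# file-share login so that key cannot open tunnels or a SOCKS proxy, and
# audit an authorized_keys file for keys that still allow forwarding.
# Option names are real OpenSSH authorized_keys options; the key material
# below is constructed for the demo and is not a real key.

# Options that refuse every channel type except the session itself.
RESTRICT_OPTS='no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty'

# restrict_key LINE: prefix one public key line with the restricting options
# and force the built-in SFTP server, so the key gives file access only
# (no shell, no tunnels). Prints the new authorized_keys line.
restrict_key() {
    printf '%s,command="internal-sftp" %s\n' "$RESTRICT_OPTS" "$1"
}

# unrestricted_keys FILE: print every non-comment line of an authorized_keys
# file whose options neither contain no-port-forwarding nor the newer
# 'restrict' shorthand (OpenSSH 7.2+). Exits 0 even when nothing is found.
unrestricted_keys() {
    grep -v -E '^[[:space:]]*(#|$)' "$1" \
      | grep -v -E '(^|,)(no-port-forwarding|restrict)(,|[[:space:]])' || true
}

# Demo: a constructed authorized_keys file for the share login.
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
# constructed sample keys (not real key material)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYFORDEMO0000000000000000000000000 alice@laptop
restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYFORDEMO1111111111111111111111111 bob@desk
EOF
restrict_key 'ssh-rsa AAAAB3NzaC1yc2EFAKEKEYFORDEMO carol@home' >> "$demo_file"

echo "keys that can still open tunnels:"
unrestricted_keys "$demo_file"   # only alice's line is reported
rm -f "$demo_file"
```

The same per-user effect is available server-side with a Match User block in sshd_config (OpenSSH 4.4 and later) containing AllowTcpForwarding no. Note that command="internal-sftp" refuses scp unless scp speaks the SFTP protocol (the default since OpenSSH 9.0).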

Jailkit

Jailkit is a set of utilities to limit user accounts to specific files using chroot() and/or to specific commands. Setting up a chroot shell, a shell limited to some specific command, or a daemon inside a chroot jail is a lot easier and can be automated using these utilities.

The Jailkit website

Use Jailkit to set up a restricted shell for the user. The chroot jail should only contain the sftp and scp binaries.

OpenSSH and... Windows?!

Some of us have not succeeded in cleaning all Windows installs from our networks. In a world not entirely free of gates and windows, you can still use open technologies to access a Windows computer.

This use case explains how to set up OpenSSH/Cygwin and RealVNC to access a Windows box's filesystem and console. Only a few steps are needed. I assume you have created a public/private key pair for your user and will be using a UNIX machine to access the Windows box.

  1. Download the Cygwin installer.
  2. Run it; during setup select the package OpenSSH.
  3. Have Windows run the sshd.exe service on system boot. Use the Control Panel's 'Services' icon.
  4. Locate the Cygwin home folder for your user on the Windows box.
  5. Install your public key in ~/.ssh/authorized_keys [2].
  6. Install RealVNC.
  7. Open RealVNC's preferences dialog.
  8. Change 'Allow access to the VNC desktop' to 'only from localhost'.
  9. Disable password authentication.

You can now access the machine's filesystem using scp and sftp. Continue reading SSH and VNC to set up a tcp tunnel to the VNC server from your UNIX box. (You can also use another Windows box with Cygwin.)

[2] I also install wget during Cygwin setup. This allows me to do a mkdir ~/.ssh ; wget -O ~/.ssh/authorized_keys http://machine+path/id_pub.dsa on the Windows box.

Tunnels

SOCKS5 proxy

You can configure Firefox to use a SOCKS5 proxy that the ssh client opens locally (dynamic port forwarding, ssh -D 9090 remotehost) and relays through the sshd of the remote host. This way you can surf the web safely over an insecure network connection.

network.proxy.socks_remote_dns=true
network.proxy.socks_port=9090
network.proxy.socks=localhost
network.proxy.type=1

Quickproxy+gSTM

SSH and VNC

On your workstation, invoke the ssh client like this to set up port forwarding to the computer running the VNC server. (Or have this TCP tunnel set up with a GUI tool: gSTM.)

ssh -N -L 5901:127.0.0.1:5900 remotehost

Now you can use the command vncviewer localhost:1 to connect to the VNC session. Most likely your VNC client supports the -via switch, if that is the case, you can have vncviewer invoke the ssh client:

vncviewer -via remotehost localhost:0

GUI tool: gSTM

If you like to use a GUI program, you will find gSTM to be a very elegant GUI for setting up SSH tunnels. It supports fixed port forwarding and SOCKS proxies.

gSTM is a front-end for managing SSH-tunneled port redirects. It stores tunnel configurations in a simple XML format. The tunnels (local, remote and dynamic) can be managed and individually started/stopped through one simple interface.

The gSTM website

inetd: Tunnel-on-demand

I wrote an article on using inetd to open an SSH tunnel on demand. Inetd invokes an ssh client with a shared public/private key pair. On the remote end, sshd recognises the public key and runs a netcat to a preset host:port.

That article (OpenWRTTunnel) could be merged in here, but for the time being, I'll leave it there.