So Tired !_! Like a boat rowing against the current: if you do not move forward, you fall back!

12Dec/13

SSH key-based login

Posted by Nick Xu

In /etc/ssh/sshd_config, enable the following directives (remove the leading # where the line is commented out; the last one is not a plain uncomment, because the compiled-in default for PasswordAuthentication is yes and it has to be set to no explicitly):

  1. RSAAuthentication yes
  2. PubkeyAuthentication yes
  3. AuthorizedKeysFile  %h/.ssh/authorized_keys
  4. PasswordAuthentication no

Two caveats. RSAAuthentication only governs the obsolete SSH protocol 1 and was removed in OpenSSH 7.4, so a current sshd ignores it with a warning; PubkeyAuthentication is the directive that matters. And if UsePAM is yes, also set ChallengeResponseAuthentication no (KbdInteractiveAuthentication no on OpenSSH 8.7 and later), otherwise a password prompt is still offered through keyboard-interactive. Switch PasswordAuthentication to no only after a key login has been confirmed from a second session, then reload sshd.

 

Adding a login notification hook:

/etc/pam.d/sshd

Add the line: session optional pam_exec.so seteuid /root/notify.sh

With seteuid the script runs with sshd's effective uid, that is as root, so /root/notify.sh must be owned by root and writable by nobody else (mode 700). pam_exec invokes it both when a session opens and when it closes, and passes the PAM items as environment variables (PAM_TYPE, PAM_USER, PAM_RHOST, PAM_SERVICE, PAM_TTY), so the script should check PAM_TYPE or every logout produces a second notice. The optional control flag means a failure in the script never blocks the login.
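The post names /root/notify.sh but does not show it. As an added example (mine, not part of the original post), here is one way to write it for that pam_exec line. It relies on the environment pam_exec documents (PAM_TYPE, PAM_SERVICE, PAM_USER, PAM_RHOST, PAM_TTY); the log path /var/log/ssh-logins.log and the NOTIFY_MAILTO setting are assumptions of this example.

```sh
#!/bin/sh
# notify.sh: assumed implementation of the hook attached with
# "session optional pam_exec.so seteuid /root/notify.sh" (example code,
# not from the original post). pam_exec runs it as root (seteuid) on both
# session open and close and passes the PAM items as environment variables.
# Install as root:root, mode 0700.

NOTIFY_LOG=${NOTIFY_LOG:-/var/log/ssh-logins.log}   # assumed log path
NOTIFY_MAILTO=${NOTIFY_MAILTO:-}                     # put an address here to also send mail

# Build the one-line notice. Everything here is data from the session, so it
# is only ever quoted, never evaluated.
format_notice() {
    printf '%s %s login: user=%s from=%s tty=%s\n' \
        "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "${PAM_SERVICE:-unknown}" \
        "${PAM_USER:-unknown}" "${PAM_RHOST:-local}" "${PAM_TTY:-none}"
}

# Only an sshd session being opened is worth a notice. Returns 0 to notify,
# 1 to stay silent (close_session, or another PAM service sharing the script).
should_notify() {
    [ "${PAM_TYPE:-}" = "open_session" ] || return 1
    [ "${PAM_SERVICE:-}" = "sshd" ] || return 1
    return 0
}

notify_main() {
    should_notify || return 0
    notice=$(format_notice)
    # umask so a freshly created log is not world-readable (it holds source IPs)
    ( umask 077; printf '%s\n' "$notice" >> "$NOTIFY_LOG" )
    if [ -n "$NOTIFY_MAILTO" ] && command -v mail >/dev/null 2>&1; then
        printf '%s\n' "$notice" | mail -s "SSH login: ${PAM_USER:-unknown}@$(hostname)" "$NOTIFY_MAILTO"
    fi
    return 0   # a failing hook must never block the login
}

# Run only when executed as the installed script, not when sourced for testing.
case "$0" in
    *notify.sh) notify_main ;;
esac
```

The check on PAM_SERVICE matters if you later reuse the script from another PAM stack; the check on PAM_TYPE is what keeps a logout from being reported as a login.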

Restricting SSH logins by IP on Linux

vi /etc/hosts.allow
# allow 192.168.0.100 to log in
sshd:192.168.0.100:allow
# allow the whole 192.168.0. network (a trailing dot means prefix match)
sshd:192.168.0.:allow
# deny every other address
sshd:all:deny
or
# allow the 223.227.223.* network
sshd:223.227.223.*:allow
# allow the 192.168.0.* network
sshd:192.168.0.*:allow
# deny every other address
sshd:all:deny

Rules are matched top to bottom and the first match wins, so the sshd:all:deny line has to come last. On Fedora the change takes effect as soon as the file is saved: TCP Wrappers re-reads hosts.allow for every new connection, so sshd does not need a restart. This only works when sshd is linked against libwrap, which OpenSSH dropped upstream in 6.7 (2014) and most current distributions no longer patch back in; there the equivalents are a firewall rule on port 22 or a Match Address block in sshd_config.

 

Client side

ssh can use a key pair to establish trust between two machines; once the trust is set up, connecting to the trusted machine no longer asks for a password.

1. Generate the key pair
niu@niu:~$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/niu/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/niu/.ssh/id_rsa.
Your public key has been saved in /home/niu/.ssh/id_rsa.pub.
The key fingerprint is:
27:00:f4:ce:a0:6f:61:a8:55:27:af:9a:bc:2b:d5:21 niu@niu
niu@niu:~$
You can press Enter at every prompt. Be aware that an empty passphrase means anyone who copies id_rsa can log in as you; a passphrase plus ssh-agent keeps the same convenience without that exposure. Two files now exist in /home/niu/.ssh/: id_rsa (the private key, which stays on the client with mode 600) and id_rsa.pub (the public key, the only part that leaves the machine).

2. Configure the remote machine
Copy id_rsa.pub to the .ssh directory under the home directory of the account you will log in as on the remote machine (create the directory if it does not exist) and append its contents to authorized_keys (renaming the file to authorized_keys is only safe when no such file exists yet, otherwise you overwrite the keys already installed). With the default StrictModes yes, sshd ignores the key unless the home directory is not writable by group or others, .ssh is mode 700 and authorized_keys is mode 600. From the client, ssh-copy-id user@host does the copy and sets the permissions in one step.

3. Done
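Step 2 is where most key logins fail in practice, almost always because of file permissions. The following added example (mine, not from the original post) does the server-side part of step 2 as a script: it checks that the line is shaped like an OpenSSH public key, appends it to authorized_keys without overwriting or duplicating, and sets the permissions sshd's StrictModes requires. The key shown in the comment is a constructed placeholder, not a real key.

```sh
#!/bin/sh
# Added example: the server side of step 2 done safely. Appends a public key
# to ~/.ssh/authorized_keys without overwriting or duplicating, and sets the
# permissions sshd's StrictModes requires (.ssh 0700, authorized_keys 0600).
# Usage on the server:  install_authorized_key "$(cat id_rsa.pub)" /home/niu
# (constructed placeholder key for illustration, not a real key:
#  ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7constructedFakeKey== niu@niu)

# Accept only something shaped like an OpenSSH public key line:
# "<type> <base64 blob> [comment]", with a known key type.
valid_pubkey_line() (
    set -f                      # no pathname expansion while splitting the line
    # shellcheck disable=SC2086 (word splitting is intended)
    set -- $1
    [ $# -ge 2 ] || exit 1
    case "$1" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) exit 1 ;;
    esac
    case "$2" in
        *[!A-Za-z0-9+/=]*) exit 1 ;;   # blob must be pure base64
    esac
    exit 0
)

# install_authorized_key <public key line> <home directory of the target user>
install_authorized_key() (
    key=$1 home=$2
    valid_pubkey_line "$key" || { echo "refusing: not an OpenSSH public key line" >&2; exit 1; }
    umask 077                                   # new dirs 0700, new files 0600
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"                      # StrictModes: not group/world writable
    touch "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    # append only if this exact line is not present yet, so re-running is safe
    grep -qxF -- "$key" "$home/.ssh/authorized_keys" ||
        printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
)
```

Run it as the target user (or as root followed by chown of the .ssh directory); the home directory itself must also not be group- or world-writable, which the script deliberately does not change for you.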

 

 

2Nov/12

Setup a Git server on Windows machine, with MSysGit and CopSSH (setting up a Windows-based Git server with msysgit and CopSSH)

Posted by Nick Xu

On Server Box

1. Install CopSSH
Be sure to install it to a folder without spaces in its name. I used C:\SSH. Then just press Next until it finishes.

2. Install MSysGit
Be sure to install it to a folder without spaces in its name. I used C:\Git. The default values suit me well.

3. Configure CopSSH
a. I would like to use a separate user for git access, so create a user from the command line:
 
net user git userspassword /add
b. Then, goto "Start | Programs | Copssh | 01. Activate a user" to activate the user.
Note, you should clear the 2nd checkbox, we'll generate keys later.
c. Go to the C:\SSH\etc folder and open the sshd_config file with WordPad (or Notepad2); don't use Notepad, it's a UNIX-format file. Remove the leading # from the "PasswordAuthentication" line and change the "yes" to "no". You can also review the rest of the config file and change it if necessary; for me, most of the default settings work fine.
 

d. Goto C:\SSH\home\git\.ssh folder, create a file named authorized_keys. Open this file using wordpad.

e. Install/extract Putty if you have not. Invoke PUTTYGEN.EXE to generate a pair of keys:
I used a 4096 bit SSH2 key. Save the private key to a folder and remember it. We'll use it later. Copy the content in the text box labelled with "Public key for pasting...." to the wordpad window you opened at step d, and save it, close the wordpad.

f. (Re)Start SSH Server. You can either reboot your PC, or use below command line:
net stop opensshserver
net start opensshserver

g. Now it's ready to test the SSH connection. Invoke putty.exe and put localhost as the host name (if you changed the port in step c, don't forget to change it here too). Navigate to the Connection/SSH/Auth node and press the "Browse" button to select the private key file you generated and stored in step e.

You can save the settings to spare yourself some typing next time. Now press the "Open" button; on the first connection you will see a warning window about the server's host key, press "Yes" to accept it. Then a black terminal window pops up with the prompt "login as:"; type git (without quotes), and you should be prompted for the passphrase if you set one when you saved the private key. Note that this is not the password of the git user you created in step a! With some luck (which you don't need if you know what you are doing), you should get a shell prompt for the git user.
If you've made it, congratulations, the hardest part is behind you. If you don't see it, please review carefully what you have missed.

h. invoke a command window if you have not (where have you executed those "net xxx" commands?), and type
cd /d %USERPROFILE%
echo export HOME=/c/SSH/home/git > .bashrc

i. goto C:\SSH\home\git folder, open the .bashrc file (yes, the same name as in the above line). Insert below line to the first line: (AGAIN, THIS IS A UNIX FILE!)
export PATH=/cygdrive/c/Git/bin:/cygdrive/c/Git/libexec/git-core:$PATH
 

NOTE, above "export PATH=..." must be in the same line!
4. setup a Git repository.
goto C:\SSH\home\git and make a folder named test.git. Right click the folder and select "Git Bash" from context menu. (What? You did not choose the explorer integration? Goto start menu, find Git|Git Bash, and use command line to goto this folder). Then input below lines:
$ git init --bare
Initialized empty Git repository in C:/SSH/home/git/test.git/

Now the server setup is DONE. You might need a cup of coffee or a cake to ease your nerves.

Special note on Windows Server 2003: it seems sshd errors out if the account used to log in is not a member of Administrators (thanks to Raphael for the comment). So if you run into problems, try adding the user's account to the Administrators group and try again. Keep in mind what that means for a shared account like git: every key holder in authorized_keys then gets an administrator's session on the box, so only do it on a server dedicated to this task.


On Client PC

1. Install MSysGit, as on the server. You can choose any folder you like (better a folder without spaces in its path).

2. Test connection, using Putty. Change the host name and port as in your environment. Don't forget the Connection | SSH | Auth node setting. Copy the private key file to client machine and point the file in this node. Then press "Open" button, you should find it similar to what you have experienced at step g above. But this time, after you logged in, you are actually logged in to another computer! After you logged in, type "git", and see if you have the familiar git help screen before you. If you see

-bash: git: command not found
then please check if you have step i done correctly.

3. Open a command window and type

cd /d %USERPROFILE%
md .ssh

Then use Windows Explorer to open this folder and create the file id_rsa.pub if it doesn't exist.

4. Fire up puttygen.exe again and load the private key you used at step 2. Paste the content of the text box into the file id_rsa.pub, and use the menu "Conversions | Export OpenSSH key" to save the private key into the folder you created at step 3 under the name "id_rsa". Now the folder %USERPROFILE%\.ssh should have at least two files: id_rsa and id_rsa.pub. The exported id_rsa is the same private key in OpenSSH format, so treat it with the same care as the .ppk.

5. Create an empty folder, invoke Git Bash and navigate to that folder. Type
ssh git@your.remote.host "echo something"

input "yes" to accept the remote key. Then you should get an echo "something"


6. Now we are ready to clone the empty project we created at server
$ git clone ssh://git@tst/SSH/home/git/test.git
Initialized empty Git repository in D:/g/gt/test/.git/
warning: You appear to have cloned an empty repository.

Now you can make some change and push it back

$ cd test
$ vim readme.txt
$ git add readme.txt
$ git commit -a -m "first commit"
[master (root-commit) f216dfe] first commit

1 files changed, 1 insertions(+), 0 deletions(-)

create mode 100644 readme.txt
$ git push origin master

Counting objects: 3, done.
Writing objects: 100% (3/3), 236 bytes, done.
Total 3 (delta 0), reused 0 (delta 0)
To ssh://git@oti-tst/SSH/home/git/test.git
* [new branch] master -> master

Congratulations, you can clone and push back. It's not as hard as it sounds, after all 😀


Setting up multiple accounts

I just realized that I forgot the part on how to make your repository accessible to multiple users. It's simple once you have gone through the above steps: adding another user is just generating another key pair and putting the public key into the authorized_keys file. That's all. Then the new user can access your repository (just follow the client setup; no other server settings need to be changed). Note that everyone then logs in as the same Windows account, so sshd's log only ever says that "git" logged in; use the comment field of each key to record whose key it is, and revoke a person by removing their line from authorized_keys.
I know a better way is to use Gitosis, but I'm not able to run it without Cygwin yet :(
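A shared account also means that, without restrictions, every key holder gets an interactive shell, port forwarding and agent forwarding on the server, not just git. The following added example (mine, not from the post and not part of CopSSH or msysgit) generates the authorized_keys file for the git account from a list of user/key pairs, prefixing every key with OpenSSH options that allow git commands only and tagging it with the owner's name. It assumes CopSSH's sshd accepts the standard OpenSSH authorized_keys option syntax (it is OpenSSH built for Cygwin) and that git-shell is reachable through the PATH exported in the .bashrc from step i; the key blobs in the test are constructed, not real keys.

```sh
#!/bin/sh
# Added example: build authorized_keys for a shared "git" account from
# "<user> <type> <blob> [comment]" lines. Every key gets the same options so
# a key holder can only run git over the connection (no shell, no forwarding),
# and the comment field names the owner so a log line can be traced back.
# Assumes git-shell is on the PATH the server's .bashrc exports.

# git-shell -c "$SSH_ORIGINAL_COMMAND" only runs git-upload-pack /
# git-receive-pack style commands and rejects everything else.
KEY_OPTS='no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="git-shell -c \"$SSH_ORIGINAL_COMMAND\""'

# Print one restricted authorized_keys line for <user> <type> <blob>.
restricted_key_line() {
    user=$1 type=$2 blob=$3
    case "$type" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "skip $user: unknown key type '$type'" >&2; return 1 ;;
    esac
    case "$user" in
        ''|*[!A-Za-z0-9._-]*) echo "skip: bad user name '$user'" >&2; return 1 ;;
    esac
    printf '%s %s %s %s\n' "$KEY_OPTS" "$type" "$blob" "$user"
}

# Read "<user> <type> <blob> [comment]" lines from stdin, drop duplicate
# users, and emit the authorized_keys content on stdout. Returns 1 if any
# line was rejected, so a script can stop instead of installing a partial file.
build_authorized_keys() {
    rc=0 seen=' '
    while read -r user type blob _comment; do
        [ -n "$user" ] || continue                      # blank line
        case "$user" in '#'*) continue ;; esac          # comment line
        case "$seen" in
            *" $user "*) echo "skip $user: duplicate" >&2; rc=1; continue ;;
        esac
        seen="$seen$user "
        restricted_key_line "$user" "$type" "$blob" || rc=1
    done
    return $rc
}
```

Keep the user list under version control, regenerate authorized_keys from it (in Git Bash on the server: build_authorized_keys < users.txt > /c/SSH/home/git/.ssh/authorized_keys), and revoke someone by deleting their line and regenerating. With the forced command in place the PuTTY login test from step g no longer gives a shell, so verify with a clone instead.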
22Sep/12

Using an SSH proxy to get over the wall

Posted by Nick Xu

Lately the censors are everywhere and getting over the wall is risky, but I found that PuTTY's SSH tunnel feature can also provide a secure proxy. The idea: when PuTTY connects over SSH to a VPS in the US, it can open a port on the local machine; local applications connect to that port, so PuTTY acts as a local SOCKS proxy server for them. The SOCKS proxy reaches the outside world through the US VPS, and the traffic between the SOCKS proxy and the VPS runs inside the SSH tunnel, so it is encrypted on that leg. Be clear about what that does and does not cover: nothing between you and the VPS can read or alter the traffic, but from the VPS onward it is whatever the application sent (plain HTTP stays plain), and the VPS operator is in a position to see all of it.

Configuration:
Under Connection -> SSH -> Tunnels add a dynamic port forward: in Source port enter the local port to listen on, select "Dynamic", then click Add. The checkbox "Local ports accept connections from other hosts" under Port forwarding controls which interface the listener binds to: unchecked (the default) it accepts connections from this machine only; checked, it listens on all interfaces, and any host that can reach the port gets an unauthenticated SOCKS proxy through your VPS. Leave it unchecked unless that is what you want.
(PuTTY screenshot)

 

Then point the browser at the proxy (SOCKS, host 127.0.0.1, the port you chose).
(Firefox proxy screenshot)

Configuration on Linux:

sudo apt-get install putty

plink -C -D 127.0.0.1:1080 -N -pw password user@server

(-pw puts the password into the process list and your shell history; prefer key authentication with -i.)

The system's own ssh works too:

ssh -CfNg -D 127.0.0.1:1080 user@server

-g asks for a listener reachable from other hosts, but the explicit 127.0.0.1 bind address in -D overrides it, so this command still listens on loopback only; drop -g to remove the ambiguity. If you really want to share the proxy, bind a LAN address on purpose and remember that anyone who can reach it gets unauthenticated access through your VPS.

On a Mac it is the same:

ssh -CfNg -D 127.0.0.1:1080 user@server

When I used my own DreamHost account as the SSH proxy, sites like Facebook and Twitter still would not load. It turned out their DNS resolution was being poisoned, and an SSH proxy alone cannot fix that, because by default the browser resolves the host name locally, through the poisoned resolver, before it hands the connection to the proxy. The fix is to resolve names on the server side instead. So far I have found that only Firefox supports remote DNS resolution through SOCKS: in about:config set
network.proxy.socks_remote_dns=true and that's it.

Chrome apparently needs the Proxy Switchy extension to do this; Firefox can also do it with the FoxyProxy extension. IE is a pain: people suggest converting the SOCKS proxy into an HTTP proxy with polipo or privoxy, which is rather disgusting...
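As an added example (mine, not from the post), here is the tunnel command with the options that address the points above, plus an awk check over ss -ltn output that flags a SOCKS listener bound to anything other than loopback, which is exactly the state the PuTTY checkbox or ssh -g puts you in. The host name vps.example.net and the key path are placeholders; the listener lines in the test are constructed.

```sh
#!/bin/sh
# Added example: the SOCKS tunnel from this post, hardened, plus a check that
# the listener really is loopback-only. Host name and key path are placeholders.

SOCKS_PORT=${SOCKS_PORT:-1080}

# Hardened form of "ssh -CfNg -D 127.0.0.1:1080 user@server":
#  - explicit 127.0.0.1 bind and no -g: only this machine can use the proxy
#  - ExitOnForwardFailure=yes: if the port is already taken, ssh exits instead
#    of backgrounding a tunnel that forwards nothing while the browser, still
#    pointed at the port, fails or leaks
#  - ServerAliveInterval=60: keeps idle NAT state alive
#  - -i key: no password on the command line
tunnel_cmd() {
    host=$1 key=${2:-$HOME/.ssh/id_rsa}
    printf 'ssh -C -N -f -i %s -o ExitOnForwardFailure=yes -o ServerAliveInterval=60 -D 127.0.0.1:%s %s\n' \
        "$key" "$SOCKS_PORT" "$host"
}

# Read listener lines from stdin ("ss -Hltn" or "netstat -ltn" format) and
# print the bind address of every listener on the given port that is not a
# loopback address. Any output means the tunnel is reachable from other
# hosts, i.e. the state -g or "accept connections from other hosts" creates.
exposed_socks_listeners() {
    awk -v port="$1" '
        {
            addr = ""
            # the local address is the field ending in ":<port>"
            for (i = 1; i <= NF; i++)
                if ($i ~ (":" port "$")) { addr = $i; break }
            if (addr == "") next
            sub(/:[0-9]+$/, "", addr)
            if (addr != "127.0.0.1" && addr != "[::1]" && addr != "::1" && addr != "localhost")
                print addr
        }'
}

# Typical use on the client (placeholder host):
#   $(tunnel_cmd vps.example.net)                 # start the tunnel
#   ss -Hltn | exposed_socks_listeners 1080      # must print nothing
```

The exposure check is worth running after every change to the PuTTY session or the ssh command; an open SOCKS proxy on a laptop that later joins a coffee-shop network hands that network a free path into your VPS.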

Some other recommended tools for getting over the wall:

Power.com, an online proxy. Official site: http://www.power.com
翻墙网 (fanqiang.cc), an anonymous online proxy server.
Official site: http://www.fanqiang.cc
Puff the magic dragon, Puff for short, a small and practical circumvention tool.
Official home page: http://www.erights.net (already blocked)
UseJump, a browser that gets over the wall with no configuration; it feels faster than Tor to me, reportedly because the links have been optimised.
Official site: http://beta.usejump.com/
22Jul/11

Fixing SSH connections that time out and disconnect

Posted by Nick Xu

Thanks to 厚积网 for the submission.
When connecting to Linux with SSH Secure Shell, the connection drops after a few minutes without any activity and you have to log in again; repeating that every time is annoying. This post summarises two ways to fix it.

Method 1: change the server configuration file /etc/ssh/sshd_config

ClientAliveInterval sets how often, in seconds, the server sends a request message to the client; the default is 0, meaning never. ClientAliveInterval 60 sends one every minute, the client answers, and that exchange keeps the connection alive. The slightly odd part is that the keepalive is initiated by the server, not by the client (terminals such as FTerm or CTerm do not send one on their own); the client-side counterpart is ServerAliveInterval, covered in method 2.

ClientAliveCountMax can stay at its default of 3. It is the number of consecutive requests the client may leave unanswered before the server disconnects it; a client that is alive, however idle, always answers, so in normal operation the limit is never reached.

 

ClientAliveCountMax

Sets the number of client alive messages (see below) which may be sent without sshd(8) receiving any messages back from the client. If this threshold is reached while client alive messages are being sent, sshd will disconnect the client, terminating the session. It is important to note that the use of client alive messages is very different from TCPKeepAlive (below). The client alive messages are sent through the encrypted channel and therefore will not be spoofable. The TCP keepalive option enabled by TCPKeepAlive is spoofable. The client alive mechanism is valuable when the client or server depend on knowing when a connection has become inactive. The default value is 3. If ClientAliveInterval (see below) is set to 15, and ClientAliveCountMax is left at the default, unresponsive SSH clients will be disconnected after approximately 45 seconds. This option applies to protocol version 2 only.

 

ClientAliveInterval

Sets a timeout interval in seconds after which if no data has been received from the client, sshd(8) will send a message through the encrypted channel to request a response from the client. The default is 0, indicating that these messages will not be sent to the client. This option applies to protocol version 2 only.

vim /etc/ssh/sshd_config

Find the ClientAliveInterval line; if there is none, add one.

The value of ClientAliveInterval is in seconds, so 540 is 9 minutes:

ClientAliveInterval 540

Pick an interval shorter than whatever is dropping the idle connection; NAT routers and firewalls often expire idle TCP state after a few minutes, so 60 is a safer general choice than 540.

As for ClientAliveCountMax:

each unanswered request counts as one timeout, and this parameter is how many in a row are tolerated, for example 10.

ClientAliveInterval 540
ClientAliveCountMax 10

(sshd_config takes no semicolons after values.) This pair means a client that has stopped answering altogether, because it crashed or its network went away, is dropped after 540 × 10 = 5400 seconds = 90 minutes. It is not an idle timeout: an idle client that is still connected answers every probe and is never dropped by this mechanism. Reload sshd after the change.
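Both the key-based login post above and this one end in sshd_config edits, and the usual mistake is the same: a directive left commented out, or a second copy of it further down that sshd silently ignores because the first occurrence wins. This added example (mine, not from either post) reads an sshd_config the way sshd does for the directives from both posts, reports weak authentication settings, and computes the dead-peer time from the ClientAlive pair. It is a text-level check that runs anywhere; on the server itself, sshd -T is authoritative because it also resolves compiled-in defaults and Match blocks. The configs in the test are constructed samples.

```sh
#!/bin/sh
# Added example: audit an sshd_config for the directives this page sets.
# Key-only login (PubkeyAuthentication / PasswordAuthentication /
# keyboard-interactive) and the keepalive pair (ClientAliveInterval /
# ClientAliveCountMax). Text-level only; "sshd -T" on the host is authoritative.

# Effective value of one directive. sshd keeps the FIRST occurrence of a
# keyword and ignores later duplicates, keywords are case-insensitive, and
# anything after the first Match block is conditional, so we stop there.
# Prints nothing when the directive is absent (compiled-in default applies).
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0  { next }   # comment or blank line
        tolower($1) == "match" { exit }   # conditional section starts here
        tolower($1) == key     { print $2; exit }
    ' "$1"
}

# Seconds after which sshd drops a peer that has stopped answering:
# ClientAliveInterval * ClientAliveCountMax (0 = probing disabled).
# A live client answers every probe, so this never ends an idle session.
dead_peer_timeout() {
    interval=$(sshd_effective "$1" ClientAliveInterval)
    countmax=$(sshd_effective "$1" ClientAliveCountMax)
    echo $(( ${interval:-0} * ${countmax:-3} ))       # defaults: 0 and 3
}

# Print findings; return 1 if any authentication setting is weak, else 0.
audit_sshd_config() {
    cfg=$1 rc=0
    pk=$(sshd_effective "$cfg" PubkeyAuthentication);   pk=${pk:-yes}   # default yes
    pw=$(sshd_effective "$cfg" PasswordAuthentication); pw=${pw:-yes}   # default yes
    # OpenSSH 8.7+ calls it KbdInteractiveAuthentication; the old name is an alias
    ki=$(sshd_effective "$cfg" KbdInteractiveAuthentication)
    [ -n "$ki" ] || ki=$(sshd_effective "$cfg" ChallengeResponseAuthentication)
    ki=${ki:-yes}                                                         # default yes

    [ "$pk" = yes ] || { echo "WEAK: PubkeyAuthentication is $pk"; rc=1; }
    [ "$pw" = no ]  || { echo "WEAK: PasswordAuthentication is $pw (default yes; set to no once key login works)"; rc=1; }
    [ "$ki" = no ]  || { echo "WEAK: keyboard-interactive is $ki; with UsePAM yes a password prompt is still offered"; rc=1; }

    t=$(dead_peer_timeout "$cfg")
    if [ "$t" -eq 0 ]; then
        echo "NOTE: ClientAliveInterval 0, server sends no keepalives; idle NAT sessions will be cut"
    else
        echo "OK: unresponsive clients dropped after ${t}s"
    fi
    return $rc
}
```

Run audit_sshd_config /etc/ssh/sshd_config before reloading; a non-zero exit means a password path is still open, which is the one thing you want to know before you close your working session.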

Method 2: configure the client

1. The ssh command on Linux

vim /etc/ssh/ssh_config

This is the system-wide client file (not to be confused with sshd_config); the same setting can go in ~/.ssh/config for a single user. Find the ServerAliveInterval parameter; if it is not there, add it yourself. The meaning is the same, a number of seconds; for example, 9 minutes:

ServerAliveInterval 540

2. SecureCRT

Enable anti-idle as shown in the screenshot.

(SecureCRT screenshot)

3. PuTTY

Enable PuTTY keepalives:

PuTTY -> Connection -> Seconds between keepalives (0 to turn off): the default is 0, change it to 60.

21Jul/11

How to use plink

Posted by Nick Xu

Basic format

plink options user@host command

Options

-ssh force the SSH protocol (it is the default anyway)

-P port connect to the given port; the default is 22
-l user the user name, if you'd rather not use the user@host form

-pw "FuckGFW" use FuckGFW as the password, heh. Anything on the command line shows up in the process list and in the shell history, so for anything but a throwaway box use a key file with -i instead.

-D [listen-IP:]listen-port
Dynamic SOCKS port forwarding, the most important one. listen-IP can be 127.0.0.1 or left out (both listen on loopback only), or your LAN address such as 192.168.0.99, in which case every host on that network can use the proxy.

Two more forwarding options

-L [listen-IP:]listen-port:host:port
forward a local port to host:port as reached from the server
-R [listen-IP:]listen-port:host:port
forward a port on the server to host:port as reached from the client

-X -x enable / disable X11 forwarding
-A -a enable / disable agent forwarding
-t -T enable / disable pty allocation

-1 -2 force use of particular protocol version
-4 -6 force use of IPv4 or IPv6
-C 使用压缩传输

-i key private key file for authentication

-N don't start a shell/command (SSH-2 only)

Examples

plink.exe -4 -C -N -i d:\key.ppk -D 127.0.0.1:7080 -l b335925 205.196.216.115

plink -N 205.196.216.115 -l username -pw "FuckGFW" -D 127.0.0.1:7080

Many of the options are the same as OpenSSH's, though I can't remember OpenSSH's either
