#sshd

Diego Córdoba 🇦🇷 d1cor@mstdn.io
2026-02-16

Clearly not everything can be done with #SSH 😜

Here I am trying "sudo sshd -t" to check the syntax of the server's configuration file.

New content is coming to #JuncoTIC, can you tell? 😉

#gnu #linux #openssh #sshd #humor #lol

Terminal screenshot showing the command "sudo ssh -t" used to check the syntax of the configuration files, and showing that the "HackThePentagon" option produces an error.
2026-02-16

Once there was blog.stribik.technology/2015/0, which was fine. Now there is infosec.mozilla.org/guidelines, which doesn't include a date of the last update* (except perhaps the copyright 2017).

Where can I find current recommended SSH settings, with post-quantum and stuff?

* Oh, how I loathe websites that don't add the dates of creation and/or last update!

#ssh #sshd #sshd_config

KipJayChou ⁂ :neocat_cofe: admin@mstdn.feddit.social
2026-02-04

Found some time to improve the convenience and "security" of my servers

1. Termius access
Generate three keys in Termius and assign one to each of the three servers
Export to ~/.ssh/authorized_keys
Check that the authorized_keys content is correct
Test key-based, passwordless login

2. Configure ufw
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow http
sudo ufw allow https
sudo ufw allow <custom-port>/tcp
sudo ufw enable
sudo ufw status verbose

3. Configure fail2ban
sudo nano /etc/fail2ban/jail.local
[DEFAULT]
bantime = 1h
findtime = 10m
maxretry = 5
banaction = ufw
ignoreip = 127.0.0.1/8 ::1 X Y Z
[sshd]
enabled = true
port = <custom-port>
backend = systemd

sudo apt update && sudo apt install python3-systemd -y
sudo systemctl enable --now fail2ban
sudo systemctl restart fail2ban
sudo fail2ban-client status sshd

3. Configure sshd_config
sudo nano /etc/ssh/sshd_config
Port <custom-port>
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no

sudo sshd -t
sudo systemctl restart ssh

4. Change the hostname
sudo hostnamectl set-hostname xxx
sudo nano /etc/hosts
Change the hostname after 127.0.1.1 to xxx
hostnamectl status

5. Configure access between the servers
ssh-keygen -t ed25519 -C "from_$(hostname)" -N "" -f ~/.ssh/id_ed25519
cat ~/.ssh/id_ed25519.pub
nano ~/.ssh/authorized_keys
Three lines in total: the Termius pub key and the pub keys of the other two servers

6. Configure aliases
nano ~/.bashrc
alias nc='ssh -p <custom-port> jay@ipX'
alias cc='ssh -p <custom-port> jay@ipY'
alias hd='ssh -p <custom-port> jay@ipZ'
source ~/.bashrc
nc (netcup)
cc (clawcloud)
hd (hostdzire)
Or
nano ~/.ssh/config
Host nc
HostName X
Port <custom-port>
User jay
Host cc
HostName Y
Port <custom-port>
User jay
Host hd
HostName Z
Port <custom-port>
User jay
ssh nc
ssh cc
ssh hd
You can also add "ProxyJump cc" to hop through cc before connecting to xxx

#ssh #sshd #pub #alias #ProxyJump #authorized_keys #termius #ufw #fail2ban

Dendrobatus Azureus Dendrobatus_Azureus@bsd.cafe
2025-12-04

As you can see the build process is smooth, the execution is blazingly fast. What more could I ask for?

smolbsd.org/

#programming #technology #BSD #netBSD #metaOS #microVM #networking #qemu #host #bmake #curl #sshd #Linux

nearing the end of the pkg installations. installing bat neovim
ready, prompt!

Dendrobatus Azureus Dendrobatus_Azureus@bsd.cafe
2025-12-04

The mighty world of BSD

Playing again with smolBSD, a fantastic metaOS system that I talked about a few weeks ago.
I'm a newbie, a greenhorn, when it comes to meta-operating systems built on top of NetBSD.

I am very eager to learn by doing, making mistakes in the process, correcting them, and feeling the warmth of the BSD community, who are happy to correct me, especially when I show that I read the docs after making the mistakes.

The journey is fantastic, the learning process is fun. MicroVMs are amazing. I've registered 11ms boot times on this small machine with a few CPU cores (and 40GB RAM). The fun is endless.

#programming #technology #BSD #netBSD #metaOS #microVM #networking #qemu #host #bmake #curl #sshd #Linux

smolbsd.org/

The image depicts a terminal window running a command line interface (CLI) environment. The background is a dark, blurred image of a tree with red and orange foliage. The terminal window is titled "smolBSD" in the top left corner, and the prompt displays "nbuser[@]nbakery" followed by the current directory and a bash prompt. Three separate windows are visible, each with a slightly different title and content.
smolBSD installation lines
pkg installations smolBSD

2025-11-24

When configuring #sshd, is there a security disadvantage of explicitly allowing pty if the command is restricted? Use case: a restricted application for user interaction. Think TUI or git shell.

Dendrobatus Azureus Dendrobatus_Azureus@bsd.cafe
2025-08-12

Monitoring my ssh connections on the SBC Pi5

The command used is this function:

`function psgrep() { ps axuf | grep -v grep | grep "$@" -i --color=auto; }`

#networking #sshd #ssh #ps #grep #psgrep #OpenSource #POSIX

Dendrobatus Azureus Dendrobatus_Azureus@bsd.cafe
2025-08-07

I've just had a nice experience playing with raspberry connect. Both ssh and vnc work smoothly

connect.raspberrypi.com/devices

#sshd #ssh #vnc #realvnc

#RaspberryPi #Pi5 #Debian #Linux #OpenSource #POSIX #micro #HDMI #Ventoy #ISO #manager #POST #microSD #ARM

2025-08-04

Somehow I am very envious of the 60MB RAM footprint while booting into a #linode #vps. The best I could get on my #homelab is 300MB usage on an #Ubuntu cloud image. This is unfortunately the same as my desktop #ArchLinux with #KDE running.

The Ubuntu server image idled at 600MB RAM usage with #docker & #sshd. The culprits using the most RAM are #snapd & #multipathd.

2025-07-03

This is how a failed GEOM Gate device in a #zfs mirror looks after an ungraceful shutdown. The load on my 15+ year old laptop was too high, I guess. #sshd suddenly logged me out after like 2 seconds, I couldn’t even log in directly in front of the laptop. Console messages along the lines of “jid0 couldn’t reclaim memory”. Had 3 jails, 2 VMs and a deduped ZFS pool running. Let’s see if I can keep this running if the Win7 VM’s memory is halved. Perhaps it is worth having a look at rctl…

Screenshot of the output of several FreeBSD commands. zpool status shows the ZFS mirror setup in status DEGRADED since the remote disk /dev/ggate0 is not available for the moment after a hard shutdown. The outputs of sysctl hw.model, sysctl hw.physmem, grep -E “memory.size|wired” vm-config and finally zfs get all zpool | grep dedup indicate that the system runs on an old AMD A4-5000 and 12GiB of memory while reserving 8GiB of memory for one VM and having deduplication activated. A final rctl command shows that resource control mechanisms have not been configured.

🆘 Bill Cole 🇺🇦 grumpybozo@toad.social
2025-06-24

@clacke Yes and no…
Instead of the overhead of containers, my 'jump' machines bind specific keys to the ssh commands that do the specifically authorized next hops and (where possible) restrict to specific client IPs. The OS of those machines is only accessible over a VPN or (for some VMs) a tightly secured web interface that has VNC over WebSockets inside a private network to their virtual consoles.

#infosec #bastion #jumphost
#ssh #sshd #OpenSSH

clacke: exhausted pixie dream boy 🇸🇪🇭🇰💙💛 clacke@libranet.de
2025-06-24

When you have an ssh jumphost, the trivial setup is one that conflates OS access and application access.

The application is ssh, providing the jump to the privileged network, but ssh also allows OS access, potentially allowing privilege escalation within the jumphost.

Are people taking this seriously and e.g. running an unprivileged sshd inside a container? Access the OS over port 22 to the privileged sshd, restricting that to the segregated admin network, access the jumping over port 2222 and minimize the attack surface on the outer host?

#infosec #bastion #jumphost
#ssh #sshd #OpenSSH

Thu Htoo San :fedora: thuhtoosan@floss.social
2025-06-23

I couldn't log in to the server with my public key, so I kept swapping in new keys and re-adding them. That didn't work either, so I rechecked the file permissions of ~/.ssh on both the client and the server. The permissions were fine too. In the end, only when I ran SSHD in debug mode on the server, as Stack Overflow suggested, did I find the culprit 👍

I don't know which program messed things up, but thanks for changing the owner and group of /root like this and wasting my time 🙃

#SSH #SSHD

Cropped output from the server's serial console:

debug1: trying public key file /root/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
Authentication refused: bad ownership or modes for directory /root
2025-06-03

An Android #sshd server with shell access, rsync and scp/sftp services.
github.com/tfonteyn/Sshd4a

2025-04-30

Who else got tripped up by the new security settings in sshd (openssh) recently?

* PerSourcePenalties
* PerSourcePenaltyExemptList

Anyone else notice that Android devices seem to trip these up specifically? Haven't dug into traces yet.

#Linux #ssh #openssh #sshd #Android

Stephan Lichtenauer | נח סתו hnygd@mastodon.africa
2025-04-11

How has it been using the #Jolla #JollaC2 (@jolla) with #SailfishOS as a daily driver for about a week now (with my old #iPhone at home as a backup)?

In general, it works much better than I had hoped after my experiences with other alternative #smartphone systems and it indeed is the first (and so far only) system that indeed works quite well. Also at around 285€ (commerce.jolla.com/products/jo) it isn't too expensive, so one can simply try it out.

There are a few limitations though:

* I am really missing biometric unlocking
* There is no predictive text input, so typing could be more comfy
* The UX experience sometimes feels strange (but no no-gos for me)
* It is not a snappy and fast device
* Audio quality is so-so
* GPS really needs a GPS signal, so no WIFI-based location

What is great:

* It is a real #Linux, so it has a #terminal, #sshd, you can e.g. use the #Nix package manager etc.
* Android apps are running in a container
* You can have different users to limit data access

Unfortunately there are nearly no high-quality native apps so far and the built-in ones are very basic (e.g. email).

But: The #Android compatibility layer is very good, the system comes with #Fdroid and #AuroraStore (#Google store front-end) pre-installed, so you can easily install practically all official Android apps.

Most apps work very well, some (especially banking) apps do not though as they complain that the system is rooted, so YMMV regarding the apps you need.

In general I am really happy with this system.

And: All the de-googlefied Android phones like the #Volla will always still remain just that: A more limited Android. SailfishOS offers a path towards powerful native (#Qt/#QML/#Cplusplus/#Python/you name it) based apps.

I am hoping that Jolla will provide a significantly more powerful device option and that some of the problems above will be solved.

But already now, even with the limitations above, if you are somewhat technically inclined (but without the need to fiddle with a command line unlike with the open mobile Linux distributions), want to get rid of #Google or #Apple for whatever reason, want a #Linux #smartphone, support a #European company from #Finland, this phone is really usable.

Kushal Das :python: :tor: 🇸🇪 kushal@toots.dgplug.org
2025-04-10

I wish for `adhd_config` for brain just like `sshd_config` so that we can tweak it. #adhd #sshd

2025-03-31

TIL of a deliberate source of Heisenbugs in the default sshd config:

MaxStartups 5:50:10

This means: Allow up to 5 simultaneous "starting" SSH connections. Between 5 and 10 starting connections, drop them randomly 50% of the time. Above 10: Do not allow any new SSH connections to start.

Took me a long time to diagnose why a particular combination of concurrent SSH processes would fail occasionally when connecting to this embedded machine.

simplified.guide/ssh/limit-sim

#sshd #ansible #swdev
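
Added example, not part of the post and not OpenSSH code: sshd_config(5) describes `start:rate:full` as refusing new connections with probability rate/100 once `start` unauthenticated connections are pending, with the probability rising linearly until every attempt is refused at `full`. The hypothetical helpers below tabulate that refusal chance for any MaxStartups value; the function names and the integer rounding are assumptions of this example.

```shell
#!/bin/sh
# Added example: drop probability implied by a MaxStartups value, following
# the start:rate:full description in sshd_config(5). Not OpenSSH code.
# maxstartups_drop_pct SPEC N   (hypothetical helper name)
#   SPEC  "start:rate:full" or a single integer
#   N     unauthenticated connections currently pending
# Prints the refusal chance in percent (integer division rounds down).
maxstartups_drop_pct() (
    spec=$1 n=$2
    case $spec in
        *:*:*) start=${spec%%:*}; rest=${spec#*:}
               rate=${rest%%:*};  full=${rest#*:} ;;
        # single number: hard limit only, no random early drop
        *)     start=$spec; rate=100; full=$spec ;;
    esac
    case "$start:$rate:$full:$n" in
        *[!0-9:]*|*::*|:*|*:) exit 2 ;;   # non-numeric or empty field
    esac
    # Constraints assumed here: start <= full and 1 <= rate <= 100
    [ "$start" -le "$full" ] && [ "$rate" -ge 1 ] && [ "$rate" -le 100 ] || exit 2
    if [ "$n" -lt "$start" ]; then
        echo 0
    elif [ "$n" -ge "$full" ]; then
        echo 100
    else
        echo $(( rate + (100 - rate) * (n - start) / (full - start) ))
    fi
)

# Print "N percent" for every N from start-1 up to full.
maxstartups_table() (
    spec=$1 start=${1%%:*} full=${1##*:}
    maxstartups_drop_pct "$spec" 0 >/dev/null || exit 2   # validate SPEC first
    n=$(( start > 0 ? start - 1 : 0 ))
    while [ "$n" -le "$full" ]; do
        echo "$n $(maxstartups_drop_pct "$spec" "$n")"
        n=$(( n + 1 ))
    done
)
```

The value a host actually resolves to can be read with `sudo sshd -T | grep -i maxstartups` and passed to `maxstartups_table`.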

2025-02-09

How to add SSH public key authentication in Linux

It’s pretty easy, but every time I have to look up the right permissions for .ssh and the authorized_keys file. The solution is described on StackOverflow and the OpenSSH FAQ:

mkdir ~/.ssh

touch ~/.ssh/authorized_keys

chmod 700 ~/.ssh

chmod 600 ~/.ssh/authorized_keys

# now paste the user’s public key here:

cat > ~/.ssh/authorized_keys

done.

locked.de/how-to-add-ssh-publi
#authorizedKeys #ssh #sshd
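
Added example, not part of either post: the permissions recipe above and the earlier "bad ownership or modes for directory /root" report both come down to the path check sshd applies when StrictModes is on. The hypothetical helper below approximates that check (each component from the key file up to the home directory must be owned by root or the account and must not be group- or world-writable); it assumes GNU `stat -c` and `realpath`.

```shell
#!/bin/sh
# Added example: approximates sshd's StrictModes path test (not OpenSSH code).
# strictmodes_check HOME FILE [UID]   (hypothetical helper name)
# Walks from FILE up to HOME. Every component must be owned by root or UID
# and must not be writable by group or others (mode bits 022).
# Prints the first offending path. Status: 0 ok, 1 check failed, 2 bad input.
# Example call: strictmodes_check /root /root/.ssh/authorized_keys 0
strictmodes_check() (
    home=$(realpath -- "$1") || exit 2
    path=$(realpath -- "$2") || exit 2
    uid=${3:-$(id -u)}
    case $path in
        "$home"/*) ;;
        *) echo "not under home: $path"; exit 2 ;;
    esac
    while :; do
        owner=$(stat -c %u -- "$path") || exit 2
        mode=$(stat -c %a -- "$path") || exit 2
        if [ "$owner" -ne 0 ] && [ "$owner" -ne "$uid" ]; then
            echo "bad owner: $path"; exit 1
        fi
        # %a is octal without a leading zero, so prefix one for the shell
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "bad mode: $path"; exit 1
        fi
        [ "$path" = "$home" ] && exit 0
        path=$(dirname -- "$path")
    done
)
```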

2025-02-02

Given the major pre-work from Ryan Hoegg (shamsoft) I've been diving back into my coding passion, resulting in a major evolution of sham-ssh. github.com/janesser/sham-ssh #java #sshd #mocking
