Pour générer le fingerprint (md5 ou sha256) de votre clé ssh publique
Vous pouvez faire :

ssh-keygen -lf ~/.ssh/id_ed25519.pub
ou
ssh-keygen -l -E md5 -f ~/.ssh/id_ed25519.pub

C’est pratique pour faire la correspondance entre clé publique en local sur son poste et le fingerprint dans l’interface de Github ((https://github.com/settings/keys)

not bad! better than unprotected socket access ;)

cat agentmanagement.sh

variables=~/.ssh/variables

sshadd() {
source "$variables" > /dev/null
ssh-add -l > /dev/null 2>&1
case "$?" in
1)
ssh-add /root/.ssh/key > /dev/null 2>&1
;;
2)
rm "$variables"
sshagent
;;
esac
}

sshagent() {
if [ -f "$variables" ] ; then
sshadd
else
ssh-agent -s > $variables
sshadd
fi
}

sshagent

tail .bashrc

source /root/agentmanagement.sh

It took me some time to figure this one out, as everybody is using rsync and ssh-keys without passphrases, but I insist that an ssh-key should have a passphrase.

In my first attemts I got this error messages mailed to me by crontab:
Permission denied (gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive).

Here are the steps to automate a backup initiated from crontab using rsync, SSH and ssh-keys with a passphrase:

Make a set of SSH keys.
Setup SSH to use the agent automatically.
Login once as the user who's cron will run the backup script. You will be asked for a passphrase. When the machine reboots, you will need to login once more, to enter the passphrase again.
Make a backup script that includes some SSH variables.
This script could be as simple as this:
. /home/username/.ssh/variables
rsync -avz --delete /data/ example.com:data

N.B. This variables file only contains these lines:
SSH_AUTH_SOCK=/tmp/ssh-DmFcb18036/agent.18036; export SSH_AUTH_SOCK;
SSH_AGENT_PID=18037; export SSH_AGENT_PID;
echo Agent pid 18037;
Put that script in crontab.

That should do it for you, as it works like a charm for me!

-R [bind_address:]port:host:hostport

ssh -R *:8080:localhost:80 -N root@website.com
or
ssh -R 0.0.0.0:8080:localhost:80 -N root@website.com
or
ssh -R [::]:8080:localhost:80 -N root@website.com

Note that if you use OpenSSH sshd server, the server's GatewayPorts option needs to be enabled (set to yes or clientspecified) for this to work (check file /etc/ssh/sshd_config on the server). Otherwise (default value for this option is no), the server will always force port bound on the loopback interface only.

Dans les logs d'accès ssh (/var/log/auth.log), si vous avez passé le loglevel de SSH à VERBOSE, vous pouvez voir pour chaque accès la clé qui a été utilisé.
Le format est différent de celui dans authorized_keys pour des raisons de lisibilité j'imagine.. Pour faire la conversion depuis authorized_keys vers ce format :

echo key | base64 | md5
ou
ssh-keygen -lf key.pub

Trouver tous les pid des sessions ssh en cours :
ss -tnp|grep ':22'
ss -tp|grep ':22'|grep -Eo ',[0-9]+,'|grep -Eo '[0-9]+'

Trouver depuis quand ces process sont démarrés :

ps -eo pid,etimes|grep 26205

26205 329840

echo "$(date +%s) - 329743"|bc

1419103787

date -d@$(echo "$(date +%s) - 329743"|bc)

Sat Dec 20 20:31:42 CET 2014

One liner :

start time

for pid in $(ss -tp|grep ':22'|grep -Eo ',[0-9]+,'|grep -Eo '[0-9]+'); do date -d@$(echo "$(date +%s) - $(ps -o etimes -p $pid --no-headers)"|bc); done

pid + start time

for pid in $(ss -tp|grep ':22'|grep -Eo ',[0-9]+,'|grep -Eo '[0-9]+'); do echo -n "$pid : " && date -d@$(echo "$(date +%s) - $(ps -o etimes -p $pid --no-headers)"|bc); done

Si le log level de ssh est en VERBOSE, on peut chercher dans auth.log le fingerprint de la clé publique correspondant à la date à laquelle une session ssh a démarré :

zgrep sshd /var/log/auth.log*|grep Accepted|grep 'Dec 20'

Je préfère cette solution, à savoir passer sshd en VERBOSE.

L'autre solution consiste à utiliser environment dans le fichier authorized_keys puis à écrire dans un fichier (à l'aide de .bashrc par exemple). Mais l'utilisateur peut modifier ce fichier..

ssh-keygen -lf /path/to/public_key_file

petit rappel
cheatsheet bien faite

via skunnyk

Quelques pistes pour monitorer le TCPforwarding

This morning a discussion with a friend about various shells lead me to think it would be nice if my bash shell could tab complete hostnames from .ssh/known_hosts when I type ‘ssh <tab>’. I soon found this blog post which nicely documents how to do it. I made a directory in $HOME called .bash.completion and then added this to my .profile, which loops round any files in there, sourcing them individually:

if [ -d ${HOME}/.bash.completion ]; then
for file in ${HOME}/.bash.completion/* ; do
source $file
done
fi

All sorted. However, it wasn’t long before I discovered that ‘ssh user@<tab>’ doesnt work, I tend to use this quite a lot so wanted to see if I could fix up the bash function to support that use case. Bit of hacking around and I’ve got it working, the replacement ssh-completion file is shown below:

Add bash completion for ssh: it tries to complete the host to which you

want to connect from the list of the ones contained in ~/.ssh/known_hosts

__ssh_known_hosts() {
if [[ -f ~/.ssh/known_hosts ]]; then
cut -d " " -f1 ~/.ssh/known_hosts | cut -d "," -f1
fi
}
_ssh() {
local cur known_hosts
COMPREPLY=()
cur="${COMP_WORDS[COMP_CWORD]}"
known_hosts="$(__ssh_known_hosts)"
if [[ ! ${cur} == - ]] ; then
if [[ ${cur} == @ ]] ; then
COMPREPLY=( $(compgen -W "${known_hosts}" -P ${cur/@/}@ -- ${cur/*@/}) )
else
COMPREPLY=( $(compgen -W "${known_hosts}" -- ${cur}) )
fi
fi
return 0
}
complete -o bashdefault -o default -o nospace -F _ssh ssh 2>/dev/null \
|| complete -o default -o nospace -F _ssh ssh

Ahah a tester

Cool stuff :

ssh user@server 'bash -s' < local_script.sh > local_script.log 2>&1

Un serveur, mais surtout un client pour faire du port knocking

Un exemple d'utilisation de -R

Donner un acces sftp chrooté