If you have to use bastion hosts (say, to get at a DMZ or HA) or do a lot of scp'ing between multiple Linux machines, something that can be really useful to set up is ssh-agent forwarding. This will basically take your ssh-agent session from your client computer and forward the keys to a server you connect to, so on THAT server you can use the same keys to connect to another one. You can also chain this multiple times if you need to (I go from my client to a bastion host, to one HA, to another HA behind that one on a regular basis).
You need to have ssh keys and an agent set up already. You could do something like this:

    client> ssh-keygen                                   # follow the prompts
    client> ssh-copy-id firstname.lastname@example.org   # copy your generated keys to two hosts
    client> ssh-copy-id email@example.com
    client> ssh-agent > ~/agent                          # starts an agent and creates a file with the needed environment variables
    client> . ~/agent                                    # load the variables so you can get at the agent, I have this line in my .bash_login
    client> ssh-add                                      # add your new keys to the agent, the password is the one you put on the keys above
So you have keys, an agent you can talk to, and two hosts those keys should work with. To set up forwarding you would create ~/.ssh/config and add these options:

    # entire domain
    Host *.example.org
        ForwardAgent yes

    # specific host
    Host host1.example.org
        ForwardAgent yes

    # subnet
    Host 192.168.1.*
        ForwardAgent yes
Any of these will work; obviously you have to set them up for your environment. Now, as long as everything worked, you should be able to do the following...

    client> ssh user@host1
    host1> ssh user@host2
    host2>
...and nowhere in that process should you have been asked for a password. Word of warning, don't do this:

    # no no no
    Host *
        ForwardAgent yes
Reason being, any host you connect to will get your keys. If you connect to a sketchy one a malicious admin could theoretically access your private key as long as you were connected. Save this for trusted hosts. If you wanted to disable this option on a host you would set "AllowAgentForwarding no" in /etc/ssh/sshd_config and recycle the ssh service (you'll have to reconnect to the host to test it).
If you have sudo set up (set up sudo, seriously) and are okay with the security implications (you probably aren't), you can combine this with the NOPASSWD option, and as long as your accounts don't age (another bad idea) you'll never need to type in a password again. That'd be a line in /etc/sudoers like this...

    %wheel ALL=(ALL) NOPASSWD: ALL
Which would apply to members of the 'wheel' group. Might be useful for test and development machines, terrible idea for production.
Shameless plug: I write about this stuff on my tech blog, though for this little blurb I actually cover more here than in the article. Thanks for playing!

submitted by itripovermyownfeet
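As an added example (not part of the post above, and not the author's code), here is a small audit script for the scoping point the post makes: it reads an ssh_config-style file, lists which Host blocks turn on ForwardAgent, and flags a bare "Host *" as the global setting the post warns against. The config it parses is constructed inline for the example; every hostname and pattern in it is a placeholder.

```sh
#!/bin/sh
# Added example (not from the original post): audit which Host blocks in an
# ssh_config turn on agent forwarding, and flag a bare "Host *" that would
# hand every server you connect to access to your agent.

# Constructed sample config, written to a temp file so the script runs offline.
# The hostnames and patterns are placeholders, not real systems.
SAMPLE_CONFIG="$(mktemp)"
trap 'rm -f "$SAMPLE_CONFIG"' EXIT
cat > "$SAMPLE_CONFIG" <<'EOF'
# entire domain
Host *.example.org
    ForwardAgent yes

# specific host, forwarding explicitly disabled
Host sketchy.example.org
    ForwardAgent no

# subnet
Host 192.168.1.*
    ForwardAgent yes

# the "no no no" case from the post
Host *
    ForwardAgent yes
EOF

# Print one "<patterns><TAB><verdict>" line per Host block with ForwardAgent yes.
# Verdict is RISK for a block whose only pattern is "*", OK otherwise.
# Limitation: Match blocks and Include directives are not followed.
audit_forward_agent() {
    awk '
        { sub(/#.*/, "") }                      # drop whole-line and trailing comments
        tolower($1) == "host" {
            emit_block()
            patterns = ""
            for (i = 2; i <= NF; i++)
                patterns = patterns (i > 2 ? " " : "") $i
            fwd = ""
            next
        }
        tolower($1) == "forwardagent" { fwd = tolower($2); next }
        END { emit_block() }
        function emit_block() {
            if (patterns != "" && fwd == "yes")
                printf "%s\t%s\n", patterns, (patterns == "*" ? "RISK" : "OK")
        }
    ' "$1"
}

# Count the blocks that forward the agent to every host; 0 means the config is
# scoped to named domains, hosts or subnets the way the post recommends.
count_global_forward() {
    audit_forward_agent "$1" | awk -F'\t' '$2 == "RISK" { n++ } END { print n + 0 }'
}

audit_forward_agent "$SAMPLE_CONFIG"
echo "global ForwardAgent blocks: $(count_global_forward "$SAMPLE_CONFIG")"
```

Point it at your own file with audit_forward_agent ~/.ssh/config. Note that ssh_config uses the first value obtained for each option, so in the sample the earlier "ForwardAgent no" still protects sketchy.example.org; the trailing "Host *" block is dangerous because it forwards the agent to every host not already covered by an earlier block.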
I installed Debian (no X system). I have my user I set up.

- I can't do anything with it. If I want to change shit I have to su/sudo shit.
- Let's edit .profile - need to su.
- Let's edit /var/www/index.html - nope, no privs.
- Let's do anything - nope, no privs.

Please tell me I am missing something?

Everyone says not to log in as root, but I can't do shit unless I'm root. I have to su/sudo everything. Why not have user privs that allow you to do shit?

Please teach me, it just baffles my mind that there are like 2 user types.

submitted by gr1
Is it possible in any way to configure SSHD to listen on port 443 and at the same time run an HTTPS webserver?
I've found that when I reboot the server I cannot start HTTPD as I've configured SSHD to listen on port 443.
I've found that if I bring the httpd service up first, before sshd, I can still connect via ssh on port 443 and the webserver works as intended.

Would this be true, and can somebody explain why this is the case?

submitted by CronkDocker
Open source directors from Intel, Citrix and the OpenDaylight Foundation shared some of their secrets of collaborative development in an afternoon panel discussion, moderated by Linux Foundation Executive Director Jim Zemlin.
Best for what? Being lite, or features, or console based, or which distro? I'm using vuse. It brings the Java runtime, which is a bit heavy, but most already have it. Vuse is open source and free as in freedom. It has a ton of plugins so you can design it for your picky needs, many features and bells and particularly switches. I'm using vuse-extreme-mod from sb-innovation.de; it soars. I also like ktorrent and rtorrent but use vuse. I refuse to use Deluge as it's piggish and buggy. Please seed.

submitted by bloonoise
Reddit: Intermittent fault on wireless broadcom BCM4313 after upgrading (clean install) from Linux Mint 14 to 15 and 16
My wife got a Dell M5040 a couple of years ago and I installed Mint 14 on it, and she's had no problems with the network ever. Now, to try and fix a problem with her audio (looks like the jack sensor problem), I tried to update the laptop with a clean OS install to Mint 16, but she found it was too slow, so I downgraded to 15 and she's having an intermittent problem where the wifi is still showing as connected but she completely loses connectivity to the internet. I've run pings in the terminal and when this happens they show destination unreachable. Looking in the syslog, I see this message happening when the connection drops:

    kernel: [xxxxx.xxxxxx]: wlan0: deauthenticated from xx:xx:xx:xx:xx (Reason: 7)
    wpa_supplicant[xxx]: wlan0: CTRL-EVENT-DISCONNECTED bssid xx:xx:xx:xx:xx (reason=7)

Any ideas on how to debug and fix this?

submitted by Raath
Open source and collaborative software development has evolved in recent years to become an essential part of technology industry innovation, said Linux Foundation Executive Director Jim Zemlin in his opening keynote at Collaboration Summit today.