If you have the problem when pushing to GitHub, for example, you can just empty the core.askpass parameter:
git config --global core.askpass ''
See also man git config
Bsync is a bidirectional file synchronization tool, using rsync for transfers. Moved files are also synchronized in a smart way.
It uses rsync for file transfers, find to generate filelist snapshots, and ssh for remote transfers.
bsync is an alternative to Unison, written in Python 3. A big strength of bsync: it can detect and apply moved files from one side to the other (Unison uses some copy calls to handle moved files).
I developed it to be able to synchronize my music directory from my laptop to my Raspberry Pi in an efficient way, and to sync with my girlfriend's laptop too.
Bsync is released under GPL. Feel free to report any bugs/wishes in GitHub issues.
Several desktop environments (Gnome, KDE) automatically start an SSH agent at startup. However, you have to remember to run ssh-add before connecting to a server.
While waiting for automatic ssh-add in OpenSSH, you can add this to your .bashrc:
ssh-add -l >/dev/null || alias ssh='ssh-add -l >/dev/null || ssh-add && unalias ssh; ssh'
The alias is created only if the identity is not added, and the alias destroys itself once run.
This way the regular ssh command is used after the identity has been added.
You have 2 systems and you want to set up a secure backup with rsync + SSH of one system to the other.
Very simply, you can use:
backup.example.com# rsync -avz --numeric-ids --delete root@myserver.example.com:/path/ /backup/myserver/
To do the backup, you have to be root on the remote server, because some files are only root readable.
Problem: this allows backup.example.com to do anything on myserver.example.com, whereas read-only access to the directory is sufficient.
To solve it, you can use the command="" directive in the authorized_keys file to filter the command.
To find this command, start rsync adding the -e'ssh -v' option:
rsync -avz -e'ssh -v' --numeric-ids --delete root@myserver.example.com:/path/ /backup/myserver/ 2>&1 | grep "Sending command"
You get a result like:
debug1: Sending command: rsync --server --sender -vlogDtprze.iLsf --numeric-ids . /path/
Now, just add the command before the key in /root/.ssh/authorized_keys:
command="rsync --server --sender -vlogDtprze.iLsf --numeric-ids . /path/" ssh-rsa AAAAB3NzaC1in2EAAAABIwAAABio......
And for even more security, you can add an IP filter, and other options:
from="backup.example.com",command="rsync --server --sender -vlogDtprze.iLsf --numeric-ids . /path/",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa AAAAB3NzaC1in2EAAAABIwAAABio......
Now try to open an SSH shell on the remote server, and try some unauthorized rsync commands…
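An added example, not part of the original post: a forced-command wrapper that validates the request in SSH_ORIGINAL_COMMAND word by word (the idea behind rrsync) instead of pinning one exact command line, and logs what it refuses. The install path /usr/local/bin/rsync-backup-only and the option allowlist are assumptions; the key line would then start with command="/usr/local/bin/rsync-backup-only" followed by the same from= and no-* options.

```shell
#!/bin/sh
# Added example, not from the original post: forced-command wrapper that
# validates the rsync request instead of hard-coding one exact command line.
LC_ALL=C; export LC_ALL
ALLOWED_PATH="/path/"   # directory from the article's example

# Return 0 only for a read-only ("--sender") rsync server request on
# ALLOWED_PATH whose options are all on the allowlist (an assumption).
check_rsync_command() {
    set -f; set -- $1; set +f          # split into words, no glob expansion
    [ $# -ge 5 ] || return 1
    [ "$1 $2 $3" = "rsync --server --sender" ] || return 1
    shift 3
    while [ $# -gt 2 ]; do
        case $1 in
            --numeric-ids) ;;          # the only long option accepted
            --*) return 1 ;;           # e.g. --remove-source-files
            -*[!A-Za-z.]*) return 1 ;; # short flags: letters and dots only
            -?*) ;;
            *) return 1 ;;
        esac
        shift
    done
    [ "$1" = "." ] && [ "$2" = "$ALLOWED_PATH" ]
}

# Entry point when sshd starts this script through command="...".
run_forced_command() {
    if check_rsync_command "$SSH_ORIGINAL_COMMAND"; then
        set -f
        exec $SSH_ORIGINAL_COMMAND     # validated words, run without a shell
    fi
    logger -t rsync-backup-only -p auth.warning \
        "refused from ${SSH_CONNECTION%% *}: $SSH_ORIGINAL_COMMAND"
    return 1
}

if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    run_forced_command || exit 1
else
    # No SSH session: show the decision for two constructed requests.
    for req in "rsync --server --sender -vlogDtprze.iLsf --numeric-ids . /path/" \
               "rsync --server -vlogDtprze.iLsf --delete . /path/"; do
        if check_rsync_command "$req"; then echo "allow:  $req"
        else echo "refuse: $req"; fi
    done
fi
```

Refusals show up in the auth log under the rsync-backup-only tag, which gives you a record of unexpected uses of the backup key.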
Notes:
authorized_keys file.
See also:
man ssh #/AUTHORIZED_KEYS FILE FORMAT
man rsync
view /usr/share/doc/rsync/scripts/rrsync.gz (restricted rsync, allows you to manage allowed options precisely)
This is how to open an SSH connection to a server hidden behind a NAT gateway.
We use a reverse SSH tunnel:
nated-host$ ssh -R 2222:localhost:22 anyuser@public-host
anyuser@public-host$
This command opens port 2222 on public-host, forwarding it to local port 22 on nated-host.
Finally, from public-host we connect to local port 2222 with SSH, to end up on nated-host:
public-host$ ssh -p2222 localhost
nated-host$
Problem:
I want to create a server-www alias that connects me to the SSH server and changes the directory to /var/www/ right after the connection.
Here it is:
ssh -t server 'cd /var/www && $SHELL'
And for the alias, add this in your ~/.bashrc:
# \$SHELL is escaped so that it is expanded on the server, not when the alias is defined
alias server-www="ssh -t server 'cd /var/www && \$SHELL'"
server-www # test it!
Here is how to set up SFTP shares with chroot.
In /etc/ssh/sshd_config:
# we use openssh internal sftp
# because /usr/lib/openssh/sftp-server won't be available in chroot
Subsystem sftp internal-sftp
Match group sftp
    ChrootDirectory %h
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp
UPDATE 17/06/2010: Beware of the syntax! Comments must start at the beginning of the line, and there must be no spaces at the end of the ForceCommand internal-sftp line.
Now just create users belonging to the sftp group, and that's it.
Test it with:
sftp user@myserver.com
Problem: we cannot use the rsync command to send files, because rsync is not available in the chroot.
First, we allow other commands by commenting out the line:
#ForceCommand internal-sftp
Then, we build the following tree in the chroot directory:
bin/
bin/bash
bin/rsync
lib/
lib/libncurses.so.5
lib/ld-linux.so.2
lib/libacl.so.1
lib/libpopt.so.0
lib/libattr.so.1
lib/i686
lib/i686/cmov
lib/i686/cmov/libdl.so.2
lib/i686/cmov/libc.so.6
We must put both the bash and rsync commands in it, along with all their libraries (you can display them with the ldd command).
Note: the user must have /bin/bash as default shell.
Note2: the chroot dir must belong to root, even if it's the user's folder. To allow the user to write in it, you have to create a subfolder with appropriate permissions. According to the OpenSSH programmers, it's a big constraint, but very important for a chroot's security.
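An added example, not from the original post, that builds the tree above automatically: it parses ldd output and copies each binary with its libraries to the same path inside the chroot. The function names are hypothetical and the sample ldd output is constructed from the library names listed above; populate_chroot has to run as root.

```shell
#!/bin/sh
# Added example, not from the original post: fill a chroot with a binary
# and the shared libraries that ldd reports for it.

# Read ldd output on stdin, print one absolute library path per line.
ldd_paths() {
    awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }  # libc.so.6 => /lib/... (0x...)
        $1 ~ /^\//               { print $1 }        # /lib/ld-linux.so.2 (0x...)
    ' | LC_ALL=C sort -u
}

# usage: populate_chroot CHROOT_DIR BINARY...   (run as root)
populate_chroot() {
    root=$1; shift
    for bin in "$@"; do
        for f in "$bin" $(ldd "$bin" | ldd_paths); do
            mkdir -p "$root$(dirname "$f")"
            cp -L "$f" "$root$f"       # -L: copy the file a symlink points to
        done
    done
    # The chroot directory itself must belong to root and must not be
    # writable by the user (see Note2 above).
    chown root:root "$root" && chmod 755 "$root"
}

# Constructed sample of ldd output, using library names from the tree above.
sample_ldd_output() {
    cat <<'EOF'
	linux-gate.so.1 =>  (0xb7fde000)
	libncurses.so.5 => /lib/libncurses.so.5 (0xb7f8e000)
	libc.so.6 => /lib/i686/cmov/libc.so.6 (0xb7e1a000)
	/lib/ld-linux.so.2 (0xb7fdf000)
EOF
}

# Show which files would be copied for the sample output.
sample_ldd_output | ldd_paths
```

On the server, a call such as populate_chroot /home/user /bin/bash /usr/bin/rsync (paths are examples) produces the layout, with virtual entries like linux-gate.so.1 skipped because they have no file on disk.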
If you discover lots of SSH connection attempts in your /var/log/auth.log (bots testing users/passwords), you have to do something.
The simplest is to use an IP restriction rule in your iptables firewall, or in /etc/hosts.deny.
If you don't want to or can't use this restriction, use Fail2ban:
aptitude install fail2ban
The default install blocks SSH connection tries.
You can tune the config a bit or activate Fail2ban for other services. Example:
vi /etc/fail2ban/jail.conf
bantime = 86400
maxretry = 10 # for ssh
enabled = true # for vsftpd
maxretry = 10 # for vsftpd
Then, the iptables -L command gives you all banned IP addresses.
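An added example, not from the original post, for checking auth.log by hand: it counts failed SSH password attempts per source address and lists the addresses that reach maxretry. It is a simplification of what Fail2ban does (no time window), it assumes the usual OpenSSH "Failed password for ... from IP port N ssh2" line format, and the log lines are constructed with documentation addresses.

```shell
#!/bin/sh
# Added example, not from the original post: list source addresses with at
# least MAXRETRY failed SSH password attempts in auth.log-style input.

# usage: failed_ssh_by_ip MAXRETRY < /var/log/auth.log ; prints "COUNT IP"
failed_ssh_by_ip() {
    awk -v max="$1" '
        /sshd\[[0-9]+\]: Failed password for / {
            # The user name is chosen by the client, so read the address
            # from its fixed position at the end: "from IP port N ssh2".
            if ($(NF-4) == "from" && $(NF-2) == "port") n[$(NF-3)]++
        }
        END { for (ip in n) if (n[ip] >= max) print n[ip], ip }
    ' | sort -rn
}

# Constructed sample log (documentation address ranges only).
sample_log() {
    i=0
    while [ "$i" -lt 12 ]; do
        echo "Jun 17 03:10:$((10 + i)) myserver sshd[4100]: Failed password for invalid user admin from 203.0.113.7 port $((40000 + i)) ssh2"
        i=$((i + 1))
    done
    echo "Jun 17 03:11:02 myserver sshd[4180]: Failed password for root from 198.51.100.23 port 51122 ssh2"
    echo "Jun 17 03:11:09 myserver sshd[4191]: Accepted publickey for root from 192.0.2.10 port 40022 ssh2"
    # User name crafted to look like a source address; it must not be counted.
    echo "Jun 17 03:11:30 myserver sshd[4195]: Failed password for invalid user from 192.0.2.99 port 1 ssh2 from 198.51.100.23 port 51130 ssh2"
}

# With maxretry = 10 as in the jail.conf above, only 203.0.113.7 is listed.
sample_log | failed_ssh_by_ip 10
```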