2014-04-27 14:24

If you run into this problem when pushing to GitHub, for example, you can simply empty the core.askpass setting:

git config --global core.askpass ''

See also man git-config

2013-12-05 23:22

Bsync is a bidirectional file synchronization tool, using rsync for transfers. Moved files are also synchronized in a smart way.

It uses rsync for file transfers, find to generate filelist snapshots, and ssh for remote transfers.

bsync is an alternative to Unison, written in Python 3. A big strength of bsync is that it can detect a file moved on one side and apply the same move on the other side (Unison handles moved files with copies).

I developed it to be able to synchronize my music directory from my laptop to my Raspberry Pi in an efficient way, and to sync with my girlfriend's laptop too.

Bsync is released under the GPL. Feel free to report bugs and feature requests in the GitHub issues.

More info, downloads and installation instructions are on the GitHub repo.

2012-09-08 23:40

Several desktop environments (GNOME, KDE) automatically start an SSH agent at login. However, you still have to remember to run ssh-add before connecting to a server.

While waiting for automatic ssh-add in OpenSSH, you can add this to your .bashrc:

ssh-add -l >/dev/null || alias ssh='ssh-add -l >/dev/null || ssh-add && unalias ssh; ssh'

The alias is created only if no identity is loaded yet, and it destroys itself once it has run.

This way the regular ssh command is used after the identity has been added.

http://superuser.com/questions/325662/how-to-make-ssh-agent-automatically-add-the-key-on-demand/471640#471640

2010-12-29 18:36

You have two systems and you want to set up a secure backup of one system to the other with rsync over SSH.

Very simply, you can use:

backup.example.com# rsync -avz --numeric-ids --delete root@myserver.example.com:/path/ /backup/myserver/

To do the backup, you have to be root on the remote server, because some files are readable only by root.

Problem: this allows backup.example.com to do anything on myserver.example.com, whereas read-only access to the directory is sufficient.

To solve this, use the command="" directive in the authorized_keys file to restrict the key to a single command.

To find this command, run rsync with the -e 'ssh -v' option and grep for it:

rsync -avz -e'ssh -v' --numeric-ids --delete root@myserver.example.com:/path/ /backup/myserver/ 2>&1 | grep "Sending command"

You get a result like:

debug1: Sending command: rsync --server --sender -vlogDtprze.iLsf --numeric-ids . /path/

Now just prepend the command to the key in /root/.ssh/authorized_keys on the remote server:

command="rsync --server --sender -vlogDtprze.iLsf --numeric-ids . /path/" ssh-rsa AAAAB3NzaC1in2EAAAABIwAAABio......

And for even more security, you can add a source-host filter and other restrictions:

from="backup.example.com",command="rsync --server --sender -vlogDtprze.iLsf --numeric-ids . /path/",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa AAAAB3NzaC1in2EAAAABIwAAABio......

Now try to open an SSH shell on the remote server, and try some unauthorized rsync commands, to check that only the forced command is ever run.

Notes:

  • Beware that if you change the rsync command options, you must also change the authorized_keys file.
  • No need for a complex chroot anymore. Forget my previous article: sftp-chroot-rsync

See also:

  • man sshd #/AUTHORIZED_KEYS FILE FORMAT
  • man rsync
  • view /usr/share/doc/rsync/scripts/rrsync.gz (restricted rsync, allows you to manage allowed options precisely)
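The authorized_keys line above pins the key to one exact command string, which breaks as soon as the client's rsync options change (first note above). The wrapper below is an added example, not part of the original post and not the rrsync script it mentions; it takes the route rrsync also takes: sshd runs the wrapper as the forced command and passes the client's real request in SSH_ORIGINAL_COMMAND, which the script checks structurally before executing it. The script path /usr/local/bin/rsync-only.sh is an assumption; /path/ and the flag bundle -vlogDtprze.iLsf come from the ssh -v output shown above.

```shell
#!/bin/sh
# Forced-command wrapper for a read-only rsync backup key (added example, not from
# the original post or from rrsync). Install it on the backed-up server, e.g.:
#   command="/usr/local/bin/rsync-only.sh --serve /path/",from="backup.example.com",no-pty,... ssh-rsa AAAA...
# sshd then runs this script instead of whatever the client asked for, and puts the
# client's real request in SSH_ORIGINAL_COMMAND. Only an rsync server in *sender*
# mode (it reads, never writes) for the one allowed directory is accepted.

set -f   # never glob the client's words

# is_allowed_rsync CMD ROOT: succeeds only if CMD is "rsync --server --sender <flags> . ROOT"
is_allowed_rsync() {
    _cmd=$1
    _root=$2
    # Shell metacharacters have no place in an rsync server invocation.
    case "$_cmd" in
        *";"*|*"&"*|*"|"*|*'`'*|*'$'*|*"<"*|*">"*|*"("*|*")"*) return 1 ;;
    esac
    set -- $_cmd
    # Without --sender the server would be a receiver, i.e. able to write into ROOT.
    [ "${1:-}" = rsync ] && [ "${2:-}" = --server ] && [ "${3:-}" = --sender ] || return 1
    shift 3
    # Everything between --sender and the trailing ". ROOT" must be a known-harmless option.
    while [ $# -gt 2 ]; do
        case "$1" in
            --numeric-ids) ;;
            -|--*) return 1 ;;                               # no other long options
            -*) case "${1#-}" in                             # short-flag bundle: only the
                    *[!vlogDtprze.iLsf]*) return 1 ;;        # letters seen in the ssh -v output
                esac ;;
            *) return 1 ;;
        esac
        shift
    done
    [ "${1:-}" = . ] && [ "${2:-}" = "$_root" ]
}

if [ "${1:-}" = --serve ]; then
    if is_allowed_rsync "${SSH_ORIGINAL_COMMAND:-}" "$2"; then
        exec $SSH_ORIGINAL_COMMAND    # validated above: plain rsync server words only
    fi
    # An interactive shell request arrives with SSH_ORIGINAL_COMMAND unset.
    printf 'rejected: %s\n' "${SSH_ORIGINAL_COMMAND:-<interactive shell>}" >&2
    exit 1
fi
```

The allowed short flags are exactly those of the bundle on this page; when your rsync version sends more letters, compare with the "Sending command" line and extend the character class rather than loosening the structure. A request for a shell, a receiver-mode rsync, a long option other than --numeric-ids, a different path or any shell metacharacter is refused with a message on stderr, which the client sees in rsync's error output.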
2010-06-20 23:48

This is how to open an SSH connection to a server hidden behind a NAT gateway.

We use a reverse SSH tunnel:

nated-host$ ssh -R 2222:localhost:22 anyuser@public-host
anyuser@public-host$

This command opens port 2222 on public-host and forwards it to local port 22 on nated-host.

Finally, from public-host we connect to local port 2222 with SSH and end up on nated-host:

public-host$ ssh -p2222 localhost
nated-host$

2009-12-10 21:09

Problem:

I want to create a server-www alias that connects me to the SSH server and changes the directory to /var/www/ right after the connection.

Here it is:

ssh -t server 'cd /var/www && $SHELL'

And for the alias, add this in your ~/.bashrc:

alias server-www="ssh -t server 'cd /var/www && \$SHELL'"  # \$ keeps $SHELL unexpanded so the remote shell resolves it
server-www # test it!

2009-10-09 17:12

Here is how to set up SFTP shares with chroot.

In /etc/ssh/sshd_config:

# we use openssh internal sftp
# because /usr/lib/openssh/sftp-server won't be available in chroot
Subsystem sftp internal-sftp

Match group sftp
        ChrootDirectory %h
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp

UPDATE 17/06/2010: Beware of the syntax! Comments must start at the beginning of the line, and there must be no trailing spaces on the ForceCommand internal-sftp line.

Now just create users belonging to the sftp group, and that's it.
Test it with:

sftp user@myserver.com

Problem: we cannot use rsync to send files, because rsync is not available inside the chroot.

First, we allow other commands by commenting out the line:

#ForceCommand internal-sftp

Then, we build the following tree in the chroot directory:

bin/
bin/bash
bin/rsync
lib/
lib/libncurses.so.5
lib/ld-linux.so.2
lib/libacl.so.1
lib/libpopt.so.0
lib/libattr.so.1
lib/i686
lib/i686/cmov
lib/i686/cmov/libdl.so.2
lib/i686/cmov/libc.so.6

We must put in both the bash and rsync commands, and all the libraries they need (you can list them with the ldd command).

Note: the user must have /bin/bash as their default shell.

Note 2: the chroot directory must be owned by root, even if it is the user's home folder. To allow the user to write into it, you have to create a subfolder with appropriate permissions. According to the OpenSSH programmers, this is a big constraint, but very important for the chroot's security.
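The "run ldd, then copy everything" step above is tedious by hand and easy to get wrong when a library moves (lib/i686/cmov/ above). The script below is an added example, not from the original post or from OpenSSH: it parses ldd output into file paths, copies each program and its libraries into the chroot keeping the original directory layout, and applies the root-owned, non-writable rule from Note 2. The chroot path and program list are arguments; the ldd output embedded in SAMPLE_LDD is constructed for demonstration, not captured from a real system.

```shell
#!/bin/sh
# Populate an sftp/rsync chroot with programs and the libraries they link against.
# Added example, not part of the original post. Run as root, e.g.:
#   sh populate-chroot.sh --install /home/user /bin/bash /bin/rsync

set -f   # do not glob the words we split out of ldd output

# ldd_paths: read ldd output on stdin, print one absolute library path per line.
# Resolved lines look like "libc.so.6 => /lib/libc.so.6 (0x...)", the loader line
# like "/lib/ld-linux.so.2 (0x...)". "linux-vdso.so.1 (0x...)" is a virtual object
# with no file and "statically linked" needs nothing, so both yield no path.
ldd_paths() {
    while read -r line; do
        set -- $line
        case "${2:-}" in
            "=>") path=${3:-} ;;   # resolved library
            *)    path=${1:-} ;;   # dynamic loader line (or noise)
        esac
        case "$path" in
            /*) printf '%s\n' "$path" ;;   # keep only real absolute paths
        esac
    done
}

# install_into_chroot CHROOT PROG...: copy each program and its libraries into
# CHROOT, preserving their original paths (bin/, lib/, lib/i686/cmov/, ...).
install_into_chroot() {
    chroot_dir=$1
    shift
    for prog; do
        for f in "$prog" $(ldd "$prog" | ldd_paths); do
            mkdir -p "$chroot_dir$(dirname "$f")"
            cp -p "$f" "$chroot_dir$f"
        done
    done
    # sshd refuses a ChrootDirectory (and any path component above it) that is not
    # root-owned or is group/world writable; user data goes in a writable subfolder.
    chown root:root "$chroot_dir"
    chmod 755 "$chroot_dir"
}

# Constructed ldd output for demonstration (not captured from a real system).
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffc12345000)
    libpopt.so.0 => /lib/libpopt.so.0 (0x00007f0000001000)
    libc.so.6 => /lib/i686/cmov/libc.so.6 (0x00007f0000002000)
    /lib/ld-linux.so.2 (0x00007f0000003000)'

# sample_paths: the file paths ldd_paths extracts from SAMPLE_LDD
sample_paths() {
    printf '%s\n' "$SAMPLE_LDD" | ldd_paths
}

if [ "${1:-}" = --install ]; then
    shift
    install_into_chroot "$@"
fi
```

After populating, re-run ldd inside the chroot (chroot /home/user /bin/bash -c 'ldd /bin/rsync') to confirm nothing is reported as "not found"; the chown at the end only covers the chroot directory itself, so check the parent directories as well.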

2009-08-03 14:20

If you discover lots of SSH connection attempts in your /var/log/auth.log (bots trying usernames and passwords), you have to do something.

The simplest is an IP restriction rule in your iptables firewall, or in /etc/hosts.deny.

If you don't want to or can't use such a restriction, use Fail2ban:

aptitude install fail2ban

The default install already blocks SSH connection attempts.

You can tune the config a bit or enable Fail2ban for other services. Example:

vi /etc/fail2ban/jail.conf

[ssh]
bantime  = 86400
maxretry = 10 # for ssh

[vsftpd]
enabled  = true # for vsftpd
maxretry = 10 # for vsftpd

Then the iptables -L command lists all banned IP addresses.
