    • DustinB3403D

      Hardening RHEL (and RHEL Based OSs)

      IT Discussion
      • ssh hardening linux rhel • • DustinB3403
      1
      1
      Votes
      1
      Posts
      192
      Views

      No one has replied

    • 1

      ssh to new cloud instance?

      IT Discussion
      • ssh aws gcp azure • • 1337
      7
      0
      Votes
      7
      Posts
      758
      Views

      scottalanmillerS

      @Pete-S said in ssh to new cloud instance?:

      @scottalanmiller said in ssh to new cloud instance?:

      @Pete-S said in ssh to new cloud instance?:

      If you add another admin in the cloud control panel, is an account for that user created on all cloud instances that person can access?

      In Vultr, there aren't users in the cloud panel at all. There are keys that you can choose to deploy at deploy time for root. Other than that, if we wanted to deploy keys (as an example), we'd do that through our management system (script, Salt, Ansible, etc.). I would not want the cloud platform to be touching my users.

      OK, got it.

      Does that also mean that only one person can have access to the actual Vultr account as well? I'm guessing it's multi-user.

      Yeah, the cloud level is multi-user. But just as you can have multiple people with access to a data closet, and multiple people with access to a Windows instance housed in that closet, you don't want the physical closet to maintain the Windows logins. Same here, your cloud provider is like a data center or data closet with its own level of access unrelated to applications or other workloads running higher up the stack and 99.999% of the time, no association or commonality between them.

    • 1

      SSH jump server access control?

      IT Discussion
      • ssh acl jump server linux • • 1337
      34
      0
      Votes
      34
      Posts
      2.0k
      Views

      V

      Youtube Video

    • 1

      sudo problems

      IT Discussion
      • sudo ssh root certificate • • 1337
      33
      0
      Votes
      33
      Posts
      3.2k
      Views

      1

      @jaredbusch said in sudo problems:

      @pete-s said in sudo problems:

      @jaredbusch said in sudo problems:

      @scottalanmiller said in sudo problems:

      @jaredbusch said in sudo problems:

      @scottalanmiller said in sudo problems:

      @pete-s said in sudo problems:

      We want to move to using ssh certificates on our servers and remove all passwords.

      That's what we do.

      Since when? What do you use to manage and generate certificates?

      Generate with ssh-keygen. Manage with a wiki. We are only so big, so it works fine.

      That is not certificates. That is keys. Completely different.

      I don't know what @scottalanmiller uses but ssh-keygen is used to generate ssh certificates as well.

      From the man page:
      ssh-keygen supports signing of keys to produce certificates that may be used for user or host authentication. Certificates consist of a public key, some identity information, zero or more principal (user or host) names and a set of options that are signed by a Certification Authority (CA) key. Clients or servers may then trust only the CA key and verify its signature on a certificate rather than trusting many user/host keys. Note that OpenSSH certificates are a different, and much simpler, format to the X.509 certificates used in ssl(8).

      But if you are automating certificate generation, you need to wrap this in something.

      No, ssh-keygen does not do this (ssh certificate generation).

      As you highlight, it can be used as part of the certificate process. But it cannot, and never will, be the certificate authority. Thus it is not the tool for this.

      You're actually mistaken because I've done it many times now. A Certification Authority, when it comes to openssh certificates, is really just a key pair that you carefully guard.

      You create certificates by using the CA keys to sign other public keys from users and hosts. The result is a certificate named *-cert.pub

      And you do all of this with the ssh-keygen utility.

      Similar to how you can create CA and everything else for the more complex x509 certificates with just openssl.

    • 1

      Anyone using ssh certificates for logins instead of keys?

      IT Discussion
      • ssh ssh keys certificate certificate authority • • 1337
      13
      0
      Votes
      13
      Posts
      1.0k
      Views

      1

      OpenSSH can use host certificates to verify the host (like SSL certs on a webserver). OpenSSH can also use user certificates to verify the user (like passwords or ssh keys).

      Both these types of cert can be used independently of each other.

      I've tested using user certificates to authorize user login, since that is what most people do with keys. People never really verify the host identity.

      It works great and it's actually very simple. This will be my new SOP going forward.

      Before starting to add hosts and users you need to create a Certificate Authority (CA) - which is actually just a key pair. It's a one-liner.

      Every time you create a new host, you just need to copy the same file to it - the public key of the CA. And change one line in sshd_config to allow ssh certificates.

      Every time you have a new user on your team who needs access to servers, you have to generate a certificate for him. It's a one-liner. He will copy the certificate to his own machine. And the ssh client will automatically send the certificate when needed.

      Generating certificates is the part that could be automated. You could for instance be given a certificate that expires in 5 minutes. That would allow you to login and stay logged in. But if you need to login again, you need to generate a new certificate.

    • scottalanmillerS

      Add Static IP Address on Unifi from the Command Line on SSH

      IT Discussion
      • unifi ubiquiti ssh command line cli unifi command reference • • scottalanmiller
      2
      0
      Votes
      2
      Posts
      3.0k
      Views

      JaredBuschJ

      @scottalanmiller that is edgeos syntax.

    • scottalanmillerS

      Add Default Gateway Route to Unifi from the Command Line on SSH

      IT Discussion
      • ubiquiti unifi cli command line ssh usg unifi command reference • • scottalanmiller
      1
      1
      Votes
      1
      Posts
      5.5k
      Views

      No one has replied

    • 1

      ssh and international keyboard layouts

      IT Discussion
      • linux ssh keyboard • • 1337
      5
      0
      Votes
      5
      Posts
      869
      Views

      1

      Thanks, guys. It's actually the most logical solution that the ssh client side decides what keyboard layout to use.

      So maybe I was mistaken then or it was something else that was off. I'll give it a try with some different settings to verify how it works.

    • JaredBuschJ

      Unsolved VitalPBX 3

      IT Discussion
      • vitalpbx ssh • • JaredBusch
      48
      0
      Votes
      48
      Posts
      3.1k
      Views

      JaredBuschJ

      @ing-joserivera26 said in VitalPBX 3:

      I will not continue posting on your blog.

      This is not my blog. This is a public community targeting IT professionals.

      I would (and have) posted on the VitalPBX community, but it seems that I'm eternally moderated.

    • scottalanmillerS

      Linux Copy a Disk Over SSH with DD

      IT Discussion
      • linux dd storage ssh • • scottalanmiller
      7
      4
      Votes
      7
      Posts
      2.0k
      Views

      S

      If you want to also know the progress, you can pipe it to pv, like in the example below:

      ssh [email protected] "sudo dd if=/dev/nvme0n1" | pv | dd of=/Users/someuser/Desktop/mydisk.img
    • gjacobseG

      Termius cross platform sync

      IT Discussion
      • termius ssh cross platform cross device • • gjacobse
      23
      0
      Votes
      23
      Posts
      1.6k
      Views

      scottalanmillerS

      @stacksofplates said in Termius cross platform sync:

      @scottalanmiller said in Termius cross platform sync:

      @stacksofplates said in Termius cross platform sync:

      @scottalanmiller said in Termius cross platform sync:

      @JaredBusch said in Termius cross platform sync:

      @stacksofplates said in Termius cross platform sync:

      @gjacobse said in Termius cross platform sync:

      @stacksofplates said in Termius cross platform sync:

      @IRJ said in Termius cross platform sync:

      Remmina is great on Linux platforms, but the question for me is why is this a need?

      This seems like everyone could and should manage this independently. All you need is DNS name or IP to initiate a remote connection. In my opinion, it's better for IT team to know exactly where they are trying to go instead of clicking the wrong button or sending the wrong command

      Yeah I agree. I'm assuming it's for syncing credentials across devices. Which means you'd have to trust their cloud service with your system credentials.

      While yes, it would be nice to sync the entire session - connection and UserID / password. I'm more concerned with the connection itself. Yes, I can keep track of the addresses - but it gets to be a pain.. UserId / Passwords are different. I could care less - I mainly want the address; IP address or dns name..

      I mean, honestly what's the difference between a word document/text file and the syncing at that point?

      Right. And besides, even Windows has native SSH now. So why use anything else anyway?

      Right, I've not used PuTTY in quite some time. Not that it isn't good, I just don't see the point of installing third party software that doesn't do anything any better than the built in tool that is always there and ready to go. And quite frankly, I find PowerShell's terminal to work far better for me.

      I can't stand PuTTY. I'm not sure why, I've just always hated it.

      I hate that it lacks a local shell and you have to launch the damn thing for every connection!

      Maybe that's what it is. Tunnelling is a pain, I just find it awkward.

      That, too. Other than doing a good job rendering fonts and being available back in an era when nothing else was, PuTTY really doesn't offer anything positive.

    • scottalanmillerS

      Wiki.js Migration and Import SSH GIT Error

      IT Discussion
      • wiki wiki.js wiki.js 2 git ssh • • scottalanmiller
      1
      0
      Votes
      1
      Posts
      518
      Views

      No one has replied

    • JaredBuschJ

      Solved Keep my ssh config file synchronized between two systems

      IT Discussion
      • ssh ssh client config synchronization sync • • JaredBusch
      9
      0
      Votes
      9
      Posts
      2.1k
      Views

      stacksofplatesS

      @JaredBusch said in Keep my ssh config file synchronized between two systems:

      @stacksofplates said in Keep my ssh config file synchronized between two systems:

      I use git for this type of stuff. I have all of my dotfiles stored in a git repo and synced between systems.

      I thought about that, but then it gets into git triggers and scheduled jobs.

      I just do it when I open my terminal. It auto downloads when a new window is opened.


    • 1

      sftp without ssh shell access?

      IT Discussion
      • ssh sftp • • 1337
      6
      0
      Votes
      6
      Posts
      680
      Views

      dbeatoD

      @Pete-S said in sftp without ssh shell access?:

      Thanks guys.

      To summarize the link above, it's these lines in sshd_config that do the magic.

      Match User sftpuser
      ForceCommand internal-sftp
      <snip>

      The first line will tell sshd what user(s) the rest of the settings apply to.
      The second line tells it to go straight into sftp mode. So this will only apply to the users that match the rule above.

      Just make sure to test SSH after you do the changes on a new session, otherwise you might just have broken SSH access.

    • hobbit666H

      Securing SSH

      IT Discussion
      • ssh ssh keys security • • hobbit666
      60
      1
      Votes
      60
      Posts
      4.7k
      Views

      scottalanmillerS

      @stacksofplates said in Securing SSH:

      Another really good option is not letting them log directly into the systems at all and forcing them to use a config management tool. So something like Tower or a Jenkins server that logs all of the commands run and has the permissions set there.

      Right. Just like the best defense is a good offense (or vice versa?) The most secure port, is a closed port. Locking down SSH, no matter how good, isn't as good as completely closing it.

      Or using config management to only open it when necessary, is an "in between" step, too.

    • scottalanmillerS

      SSH Tunnel Through a Jump Host for Arbitrary Services

      IT Discussion
      • ssh ssh tunnel vpn • • scottalanmiller
      7
      5
      Votes
      7
      Posts
      1.7k
      Views

      scottalanmillerS

      I've already used this guide again. LOL, boy this is handy.

    • 1

      How to mount remote filesystem over ssh (both Windows & Linux)

      IT Discussion
      • sshfs windows linux ssh • • 1337
      7
      3
      Votes
      7
      Posts
      8.1k
      Views

      1

      @dafyre said in How to mount remote filesystem over ssh (both Windows & Linux):

      @black3dynamite said in How to mount remote filesystem over ssh (both Windows & Linux):

      @dafyre Installing sshfs and winfsp via choco is older than the ones from GitHub.

      If you installed them via choco do this to mount at the host root directory or other directories.
      https://github.com/billziss-gh/sshfs-win/issues/102

      Host root directory
      \\sshfs\remoteuser@host\..\..

      Specific directory like /var/www
      \\sshfs\remoteuser@host\..\..\var\www

      Thanks for the pointer. I did install using choco. I'm able to make it work now.

      Edit: Just to see if I can, I may go back and do straight installs.

      As I said above with the latest version I mount the root directory with \\sshfs.r\user@host

      However, if you want to mount another directory like /var/www you have to do:
      \\sshfs.r\user@host\var\www\
      The trailing \ is very important!
      It just doesn't work without it if your path is more than one directory deep. You also need to use backslash and not the forward slash.

    • JaredBuschJ

      Solved Copy SSH public key to system behind a jump box

      IT Discussion
      • ssh ssh-copy-id jumpbox ssh keys • • JaredBusch
      6
      2
      Votes
      6
      Posts
      766
      Views

      JaredBuschJ

      @black3dynamite said in Copy SSH public key to system behind a jump box:

      # From your host to your JUMPBOX
      # Not needed if your public key is already in place
      cat ~/.ssh/id_ed25519.pub | ssh jump.domain.com 'umask 0077; mkdir -p .ssh; cat >> .ssh/authorized_keys'

      ssh-copy-id should do this

    • 1

      Unsolved Does Windows 2016 Server have SSH server?

      IT Discussion
      • ssh windows server 2016 • • 1337
      6
      1
      Votes
      6
      Posts
      1.1k
      Views

      1

      @Romo said in Does Windows 2016 Server have SSH?:

      @Pete-S start and type winver

      Awesome!

      Unfortunately it's a version 1607 build 14393.3243.
      So I can't install with powershell according to the article above.

    • DustinB3403D

      SSH Access to Windows 10 Pro Workstations

      IT Discussion
      • ssh windows 10 server management • • DustinB3403
      11
      0
      Votes
      11
      Posts
      1.2k
      Views

      ObsolesceO

      @JaredBusch said in SSH Access to Windows 10 Pro Workstations:

      @DustinB3403 said in SSH Access to Windows 10 Pro Workstations:

      @scottalanmiller said in SSH Access to Windows 10 Pro Workstations:

      On Server, no issue. SSH the same as with Linux. SSH on Windows 10 is "single user" just like anything else on Windows 10.

      So then why would they have the statement about "usually to correct problems" as to me this would be a two person use. One who is using the desktop and the other administrator who is working on fixing an issue via ssh (presumably while the other user is using said system).

      I'm not bothering to reread anything, but MS has long allowed admin connections.

      Yes, this has been a known fact for as long as I can remember... Admins are exempt for administrative purposes.
