cm0s 118 Posted ...

serverbox is 192.168.1.103
clientbox is 192.168.1.100

if you have a current ssh install, back the files up and do a new install:

# systemctl stop sshd
# mv /etc/ssh ~/sshbkup
# mv ~/.ssh ~/.sshbkup
# pacman -S --noconfirm openssh nmap

check the files in /etc/ssh:

# ls /etc/ssh
moduli  ssh_config  sshd_config
# cp /etc/ssh/sshd_config ~/sshd_configbkup
# cp /etc/ssh/ssh_config ~/ssh_configbkup

on the serverbox create user servz:

# useradd -m -g users -G wheel -s /bin/bash servz
# passwd servz
enter the new password twice

on the clientbox create user clyz:

# useradd -m -g users -G wheel -s /bin/bash clyz
# passwd clyz
enter the new password twice

on the serverbox create the ssh directory (the chown takes the full path so the .ssh directory created by root is owned by servz as well):

# mkdir /home/servz/.ssh
# touch /home/servz/.ssh/authorized_keys
# chown -R servz:wheel /home/servz/.ssh
# ls -l /home/servz/.ssh/authorized_keys
-rw-r--r-- 1 servz wheel 735 Jul 30 15:10 authorized_keys
# mkdir /home/servz/sshfilez
# chown -R servz:wheel /home/servz/sshfilez

on the clientbox create the ssh directory:

# mkdir /home/clyz/.ssh
# touch /home/clyz/.ssh/authorized_keys
# chown -R clyz:wheel /home/clyz/.ssh
# ls -l /home/clyz/.ssh/authorized_keys
-rw-r--r-- 1 clyz wheel 735 Jul 30 15:10 authorized_keys
# mkdir /home/clyz/sshfilez
# chown -R clyz:wheel /home/clyz/sshfilez

check yer local and destination...

# nmap -sS -O -p22 IPHERE
# iptables -nL | grep 22

nmap should show this on both boxes:

PORT   STATE SERVICE
22/tcp open  ssh

since the serverbox is 192.168.1.103 and the clientbox is 192.168.1.100, set iptables on each box accordingly. this allows only the xyz ip to reach port 22:

# iptables -I INPUT -p tcp --dport 22 -s IPHERE -j ACCEPT
# iptables -A INPUT -p tcp --dport 22 -j REJECT

verify:

# iptables -nL | grep 22
ACCEPT     tcp  --  192.168.1.103        0.0.0.0/0            tcp dpt:22
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 reject-with icmp-port-unreachable

start ssh on both boxes:

# systemctl start sshd

verify:

# systemctl status sshd
Active: active (running)

do a login from the clientbox:

# ssh -p 22 servz@192.168.1.103

type yes and enter the password:

root > ssh -p 22 servz@192.168.1.103
The authenticity of host '192.168.1.103 (192.168.1.103)' can't be established.
ECDSA key fingerprint is SHA256:nTXLL8Z/i7sumshitcodekeystuffherebruhright.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.103' (ECDSA) to the list of known hosts.
servz@192.168.1.103's password:
[servz@h0stm0st ~]$ exit
logout
Connection to 192.168.1.103 closed.

repeat for the serverbox:

# ssh -p 22 clyz@192.168.1.100

the previous was a basic password-only login without key authentication, non-root, using a stock ssh config. if you need root, type su or use sudo after login (for wan/vps access).

if needed, to remove a user account:

# userdel username
# rm -r /home/username

for key-authentication-only login, from the clientbox:

# ssh -p 22 servz@192.168.1.103

enter the password for the user servz:

[servz@h0stm0st ~]$

gen the key with sudo and no passphrase (note this puts the key pair in root's home, /root/.ssh, not in servz's):

# sudo ssh-keygen -t rsa -b 4096 -P ''

again enter the password for the user servz, then hit enter for the default location:

[servz@h0stm0st ~]$ sudo ssh-keygen -t rsa -b 4096 -P ''

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for servz:
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:sumkeystuffshowzherebruhFmdYX2XpGpD8lsVRIfs root@h0stm0st
The key's randomart image is:
+---[RSA 4096]----+
|         =BX..o@|
|        ..@.=o* |
|       . o O.*  |
|      o . . O.. |
|  nofuxway. . oE |
|     . = = + .  |
|      + . + +   |
|       . . + o  |
|          . o   |
+----[SHA256]-----+
[servz@h0stm0st ~]$ exit

banner for the serverbox:

# cat <<-EOF > /home/servz/.ssh/servz.motd
Welcome 2 serverbox
we all float down here
EOF

banner for the clientbox:

# cat <<-EOF > /home/clyz/.ssh/clyz.motd
Welcome 2 clientbox
we all float down here
EOF

from the serverbox:

# cat ~/.ssh/id_rsa.pub | ssh clyz@192.168.1.100 'cat >> /home/clyz/.ssh/authorized_keys && echo "key copied to clientbox"'

root > cat ~/.ssh/id_rsa.pub | ssh clyz@192.168.1.100 'cat >> /home/clyz/.ssh/authorized_keys && echo "key copied to clientbox"'
servz@192.168.1.100's password:
key copied to clientbox
root >

from the clientbox:

# cat ~/.ssh/id_rsa.pub | ssh servz@192.168.1.103 'cat >> /home/servz/.ssh/authorized_keys && echo "key copied to serverbox"'

root > cat ~/.ssh/id_rsa.pub | ssh servz@192.168.1.103 'cat >> /home/servz/.ssh/authorized_keys && echo "key copied to serverbox"'
servz@192.168.1.103's password:
key copied to serverbox
root >

stop sshd on both boxes:

# systemctl stop sshd

set the banner on the serverbox:

# sed -i 's|#Banner none|Banner /home/servz/.ssh/servz.motd|g' /etc/ssh/sshd_config

set the banner on the clientbox:

# sed -i 's|#Banner none|Banner /home/clyz/.ssh/clyz.motd|g' /etc/ssh/sshd_config

set key only on each box:

# sed -i 's/#PubkeyAuthentication yes/PubkeyAuthentication yes/g' /etc/ssh/sshd_config

on each box disable passwords for the ssh client (the stock ssh_config ships the line commented out with several spaces after the #, so the match allows any whitespace and the replacement uncomments it; a replacement that keeps the leading # would change nothing):

# sed -i 's/^#[[:space:]]*PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/ssh_config

on the serverbox:

# chown -R servz:wheel /home/servz/.ssh/servz.motd

on the clientbox:

# chown -R clyz:wheel /home/clyz/.ssh/clyz.motd

start sshd on both boxes:

# systemctl start sshd

verify:

# systemctl status sshd
Active: active (running)

login key only with the custom banner from the clientbox, with an example of gaining root with the root password:

root > ssh -p 22 servz@192.168.1.103
Welcome 2 serverbox
we all float down here
Last login: Sun Jul 30 15:47:26 2017 from 192.168.1.100
[servz@h0stm0st ~]$ su
Password:
root > pwd
/home/servz
root > exit
exit
[servz@h0stm0st ~]$ exit
logout
Connection to 192.168.1.103 closed.

create a test file on the clientbox:

# cat <<-EOF > /home/clyz/sshfilez/file2server.md
this is a text document to
transfer to the server
EOF

transfer the file to the serverbox:

# scp /home/clyz/sshfilez/file2server.md servz@192.168.1.103:/home/servz/sshfilez

from the clientbox you should see this:

root > pwd
/home/clyz/sshfilez
root > cat <<-EOF > /home/clyz/sshfilez/file2server.md
> this is a text document to
> transfer to the server
> EOF
root > scp /home/clyz/sshfilez/file2server.md servz@192.168.1.103:/home/servz/sshfilez
Welcome 2 serverbox
we all float down here
file2server.md                                100%   61    79.7KB/s   00:00
root >

to send a directory located on the clientbox to the serverbox:

# scp -r /home/clyz/sshfilez/files4server servz@192.168.1.103:/home/servz/sshfilez

output:

root > pwd
/home/clyz/sshfilez
root > ls
files4server
root > scp -r /home/clyz/sshfilez/files4server servz@192.168.1.103:/home/servz/sshfilez
Welcome 2 serverbox
we all float down here
file2server.md                                100%   61    75.6KB/s   00:00
root >

delete the files4server directory from the clientbox:

# rm -r files4server

to send a directory located on the serverbox back to the clientbox:

# scp -r servz@192.168.1.103:/home/servz/sshfilez/files4server /home/clyz/sshfilez

output:

root > pwd
/home/clyz/sshfilez
root > ls
root > scp -r servz@192.168.1.103:/home/servz/sshfilez/files4server /home/clyz/sshfilez
Welcome 2 serverbox
we all float down here
file2server.md                                100%   61    73.3KB/s   00:00
root > ls
files4server
root >
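An added example, not part of the post above, covering the two places where the post's commands fall short of what it says it does: "key only" login is enforced by the server's sshd_config (PasswordAuthentication no, plus the challenge-response fallback), not by the client's ssh_config, which only stops that client from offering a password; and the .ssh directory and authorized_keys file should be created with modes sshd's StrictModes will accept (not group/world writable) rather than the root-owned 644 file the post shows. The script below edits a config file in place, inserting new options before any Match block so they stay global, prepares a user's .ssh directory, and checks the modes. It assumes GNU sed/awk/stat as shipped on Arch; the sample sshd_config written by write_sample_config is constructed for the demonstration, and the banner and home paths are the post's own.

```shell
#!/bin/sh
# Added example, not from the original post. Paths and user names follow the
# post; the sample config below is constructed for illustration.
set -eu

# set_sshd_option FILE KEY VALUE
# Make "KEY VALUE" the effective global setting in FILE: rewrite the first
# active or commented "KEY ..." line that appears before any Match block;
# if there is none, insert the option before the first Match block (a line
# appended after a Match block would apply only to that block); if the file
# has no Match block at all, append it. sshd uses the first occurrence of an
# option, so later commented duplicates are harmless.
set_sshd_option() {
    awk -v key="$2" -v value="$3" '
        !done && /^Match([ \t]|$)/ { print key " " value; done = 1 }
        !done && $0 ~ ("^#?[ \t]*" key "([ \t]|$)") { print key " " value; done = 1; next }
        { print }
        END { if (!done) print key " " value }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# harden_sshd_config FILE BANNER
# Server-side settings that make the login key-only. PubkeyAuthentication
# is already the default; PasswordAuthentication and
# ChallengeResponseAuthentication (keyboard-interactive) both have to be off
# or sshd will still prompt for a password.
harden_sshd_config() {
    cfg=$1; bnr=$2
    set_sshd_option "$cfg" PubkeyAuthentication yes
    set_sshd_option "$cfg" PasswordAuthentication no
    set_sshd_option "$cfg" ChallengeResponseAuthentication no
    set_sshd_option "$cfg" PermitRootLogin no
    set_sshd_option "$cfg" Banner "$bnr"
}

# effective_option FILE KEY -> prints the value of the first active global
# KEY line (stops at the first Match block, as the global scope does)
effective_option() {
    awk -v key="$2" '/^Match([ \t]|$)/ { exit } $1 == key { print $2; exit }' "$1"
}

# prepare_user_ssh HOMEDIR
# Create HOMEDIR/.ssh (700) and authorized_keys (600). Run as root you would
# follow this with: chown -R servz:wheel HOMEDIR/.ssh
prepare_user_ssh() {
    mkdir -p "$1/.ssh"
    chmod 700 "$1/.ssh"
    touch "$1/.ssh/authorized_keys"
    chmod 600 "$1/.ssh/authorized_keys"
}

# check_ssh_perms HOMEDIR -> 0 if neither .ssh nor authorized_keys is group
# or world writable (the condition sshd's StrictModes enforces), 1 otherwise.
check_ssh_perms() {
    for p in "$1/.ssh" "$1/.ssh/authorized_keys"; do
        mode=$(stat -c %a "$p")                       # e.g. 700, 644, 2755
        [ $(( (mode / 10 % 10) & 2 )) -eq 0 ] || return 1   # group write bit
        [ $(( (mode % 10) & 2 )) -eq 0 ] || return 1        # other write bit
    done
    return 0
}

# write_sample_config FILE
# Constructed stand-in for a stock sshd_config: directives commented out the
# way the package ships them, plus a Match block with its own override.
write_sample_config() {
    cat > "$1" <<'EOF'
#PermitRootLogin prohibit-password
#PubkeyAuthentication yes
#PasswordAuthentication yes
#ChallengeResponseAuthentication yes
#Banner none
Subsystem sftp /usr/lib/ssh/sftp-server
Match User backup
    PasswordAuthentication yes
EOF
}

# Usage: sh harden.sh /etc/ssh/sshd_config /home/servz/.ssh/servz.motd [/home/servz]
# Does nothing when run without arguments so the functions can be sourced.
if [ $# -ge 2 ]; then
    harden_sshd_config "$1" "$2"
    if [ $# -ge 3 ]; then prepare_user_ssh "$3"; fi
    # syntax-check the result before systemctl start sshd
    if command -v sshd >/dev/null 2>&1; then sshd -t -f "$1"; fi
fi
```

Before restarting sshd with the hardened config, keep the existing session open and confirm from the other box that `ssh -o PasswordAuthentication=no -o PubkeyAuthentication=yes servz@192.168.1.103` logs in and `ssh -o PubkeyAuthentication=no servz@192.168.1.103` is refused; the post's sudo ssh-keygen puts the key pair in /root/.ssh, so the `cat ~/.ssh/id_rsa.pub` copy step must be run as the same account that generated it.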