SSHuttle and RSYNC

Having a VPS and just wanting to do rsync can be.. a burden. So here’s an easy version of it.

I’ve got an rsync server back home, serving and loyally keeping my backups in one (or not..) location. But doing rsync directly over the interwebs isn’t .. well, recommended (eherm).

Here’s an easy fix for your VPS that might serve data to the interwebs for some reason, but needs some access back home (note, I do recommend having a separate machine for this at home, and that you firewall it properly.. ).

Before you get SSHuttle –

You’ll need the following installed on the ‘client’:

git
python
iptables
rsync

No news, and the only thing I guess you’ll have to (or, not really – you could just download it by hand) install is git (perhaps rsync as well..).

For a vanilla debian/ubuntu system, just go:

sudo apt-get install git rsync

Get SSHuttle to the ‘client’!

git clone git://github.com/apenwarr/sshuttle

Tada!

Now, simply run (from the dir you cloned it into, with sudo or su’ed as root):

./sshuttle --dns -vr user@host.name.domain 10.10.10.10/32

If you want to see what else you can give to sshuttle, simply run it with no arguments:

./sshuttle

This assumes you’ve already set up a separate ssh key for the user on the remote ssh server, and that you’re done setting up the rsync server. The 10.10.10.10/32 CIDR is just an example of the rsync server you wish to ‘route’ to. The --dns is still in there for show; it means our DNS queries go via sshuttle as well.

Now simply set up your cronjob to run rsync against the ‘local’ server 10.10.10.10, and you can rest a bit easier!
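Here is a cron-friendly wrapper around the recipe above. It is an added example, not code from the post or from the sshuttle project: it brings the tunnel up in daemon mode, refuses to run rsync if the rsync server is not inside the subnet sshuttle is routing (in that case rsync would go straight over the internet in cleartext instead of through the tunnel), runs the backup, and tears the tunnel down again. The CIDR parsing is general, not just the /32 from the post. It assumes sshuttle is on PATH with its -D and --pidfile options; the remote user/host, the source path and the "backup" rsync module are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): a cron-friendly wrapper around
# the post's sshuttle + rsync recipe. It brings the tunnel up in daemon mode,
# refuses to run rsync if the rsync server is not inside the subnet sshuttle
# is routing (otherwise rsync would bypass the tunnel and go over the internet
# in cleartext), runs the backup, and tears the tunnel down again.
# Assumptions (mine, not the post's): sshuttle is on PATH and has -D/--pidfile;
# REMOTE, RSYNC_SRC and the "backup" rsync module are placeholders.

set -u

REMOTE="user@host.name.domain"                 # ssh server from the post
SUBNET="10.10.10.10/32"                        # what sshuttle routes (from the post)
RSYNC_HOST="10.10.10.10"                       # rsync server behind the tunnel
RSYNC_SRC="/var/www/"                          # placeholder: what to back up
RSYNC_DST="rsync://${RSYNC_HOST}/backup/vps/"  # placeholder module name
PIDFILE="/tmp/sshuttle-rsync.pid"

# ip_to_int A.B.C.D -> prints the address as a 32-bit integer; exit 1 if malformed
ip_to_int() {
    case $1 in ''|*[!0-9.]*) return 1 ;; esac   # digits and dots only (also prevents globbing below)
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|0[0-9]*) return 1 ;; esac   # no empty octets, no leading zeros (octal trap)
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet IP A.B.C.D/BITS -> 0 if IP is inside the CIDR block, 1 otherwise (or if malformed)
in_subnet() {
    ip=$(ip_to_int "$1") || return 1
    net=$(ip_to_int "${2%/*}") || return 1
    bits=${2#*/}
    case $bits in ''|*[!0-9]*) return 1 ;; esac   # also catches a missing "/"
    [ "$bits" -le 32 ] || return 1
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# run_backup -> rsync over the tunnel; returns 2 if the target would bypass it
run_backup() {
    if ! in_subnet "$RSYNC_HOST" "$SUBNET"; then
        echo "refusing: $RSYNC_HOST is not inside $SUBNET, rsync would bypass the tunnel" >&2
        return 2
    fi
    rsync -az "$RSYNC_SRC" "$RSYNC_DST"
}

# main -> bring the tunnel up, back up, tear the tunnel down; returns rsync's status
main() {
    # -D daemonises sshuttle once the ssh session is up; --pidfile records the pid so we can stop it
    sshuttle --dns -D --pidfile "$PIDFILE" -r "$REMOTE" "$SUBNET" || return 1
    trap 'kill "$(cat "$PIDFILE")" 2>/dev/null' EXIT
    run_backup
}

# Only touch the network when explicitly asked, e.g. from cron: RUN_BACKUP=1 /path/to/script
if [ "${RUN_BACKUP:-0}" = 1 ]; then
    main
    exit $?
fi
```

The subnet check is the part worth keeping even if you rewrite the rest: sshuttle only intercepts traffic for the subnets you hand it, so a typo in either the CIDR or the rsync host silently sends the backup around the tunnel rather than through it.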

When it comes to sshuttle, its purpose wasn’t really just tunneling rsync. Have a poke at it, and perhaps you’ll find it a better idea to have it running on the laptop you keep insisting on using on public wifi hotspots. This means the only cleartext data anyone listening can see will be the DNS lookup of your ssh server :). With --dns, we simply hide all ‘leaky’ traffic.

One might argue that well, a simple ssh tunnel can do this as well. Mjes.. But then again, this is easier, and a bit more fun!

Enjoy.

Single purpose SSH-key

I’m no guru – I simply “borrowed” this from a website.

Single-purpose keys
So now you’re sshing and scping your brains out. Sooner or later you’ll come across one or both of these situations:

1. You want to automate some ssh/scp process to be done after hours, but can’t because no one will be around to type the passphrase.
2. You want to allow an account to do some sort of ssh/scp operation on another machine, but are hesitant to append a key to your authorized_keys2 file because that essentially “opens the barn door” to anything that other account wants to do, not just the one operation you want to let it do. (This is the situation if you use a .shosts file.)

Single-purpose keys to the rescue!

1. Make yourself another key:

ssh-keygen -t dsa -f ~/.ssh/whoisit

Just press return when it asks you to assign it a passphrase; this will make a key with no passphrase required. If this works right you will get two files called whoisit and whoisit.pub in your .ssh dir.

2. cp ~/.ssh/whoisit.pub tempfile

We want to work on it a little. tempfile should consist of one really long line that looks kind of like this:

ssh-dss AAAAB3NzaC1k[…]9qE9BTfw== pkeck@hurly.example.com

3. Edit tempfile and prepend some things to that line so that it looks like this:

command="echo I\'m `/usr/ucb/whoami` on `/usr/bin/hostname`",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-dss AAAAB3NzaC1k[…]9qE9BTfw== whoisitnow

That will do what we want on Solaris; to try this example on Linux use this:

command="echo I\'m `/usr/bin/whoami` on `/bin/hostname`",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-dss AAAAB3NzaC1k[…]9qE9BTfw== whoisitnow

The stuff to prepend is your command that will be run when this key is activated, and some options to keep it from being abused (hopefully). The last thing on the line is just a comment, but you probably want to set it to something meaningful.

Also, most examples I see use no-pty as an additional option, but this messes up the carriage-return/linefeediness of the output of the above example. (Try it.) I haven’t looked into it enough to see why you would want it, but there you go.

4. cat tempfile | ssh burly 'sh -c "cat - >> ~/.ssh/authorized_keys2"'

Append tempfile to your authorized_keys2 file on burly.

5. To “activate” (or perhaps “detonate”) the key from hurly (or anywhere that has the secret key), do this (maybe there is a better way?):
ssh -i ~/.ssh/whoisit burly

The following also works but is cumbersome:
ssh-agent sh -c 'ssh-add ~/.ssh/whoisit < /dev/null && ssh burly'

You can also append this "command key" to a different account's authorized_keys2 file and trigger it from a different username. You just need the secret key. Like so:

ssh -i ~/.ssh/whoisit -l paulkeck burly

The next leap in the pattern is something like this:

ssh -i /home/pkeck/.ssh/whoisit -l paulkeck burly

This could be run by any user on the box if they could read your secret key, so always keep your .ssh dir and all your keys chmodded to 700 and 600 respectively.

6. You could make single-purpose keys with commands to (haven't tested all these):

* mt -f /dev/nst0 rewind
Rewind a tape on a remote machine
* nice -n 19 dd of=/dev/nst0
Send STDIN to that tape drive. Maybe STDIN is a tar stream from tar -cf -.
* nice -n 19 dd if=/dev/nst0
Read stuff from there to my STDIN
* cat claxon.au > /dev/audio
Play an alarm noise on a remote machine
* cat - > /dev/audio
Play any sound you send on STDIN
* cat - > /etc/dhcpd.conf
Replace /etc/dhcpd.conf with some stuff from STDIN on the triggering machine (sounds like a temp file would be better)

You can send the stuff on STDIN with something like this on the triggering machine:

ssh-agent sh -c 'ssh-add ~/.ssh/whoisit < /dev/null && cat alarm.au | ssh burly'

or

ssh-agent sh -c 'ssh-add ~/.ssh/whoisit < /dev/null && tar cf - /home/pkeck | ssh burly'

Maybe for that one the corresponding command to "catch" that stream would be:

cat - > ~/backups/pkeck.tar.`date +%Y%m%d.%H-%M-%S`
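Here is a more current take on steps 1 to 6, as an added example that is not from the post or from the site it was borrowed from. Instead of one fixed command per key, the key is pinned to a small wrapper script as its forced command, and the wrapper only honours a short allow-list of requests, chosen by whatever the client asked for (sshd hands that to the forced command in SSH_ORIGINAL_COMMAND). Anything else is logged and refused. It assumes OpenSSH 7.2 or newer (for the "restrict" option, which bundles no-pty and the no-*-forwarding options above into one word), that the script is installed as /usr/local/bin/backup-shell on the server, and that the key file name, host name "burly" and the tape and backup paths are placeholders taken from the post. It generates an ed25519 key rather than the DSA key the post uses, since DSA keys are disabled in current OpenSSH, and it appends to authorized_keys (OpenSSH reads both that and authorized_keys2 by default).

```shell
#!/bin/sh
# Added example (not part of the original post): a single-purpose key whose
# forced command is this script. The script only honours a short allow-list
# of requests, picked by what the client asked for (sshd passes that in
# SSH_ORIGINAL_COMMAND); everything else is logged and refused.
# Assumptions (mine, not the post's): OpenSSH >= 7.2 (for "restrict"), this
# file installed as /usr/local/bin/backup-shell on the server, and the key
# file name, host name and tape/backup paths are placeholders.

set -u

# build_authorized_line PUBKEY_LINE WRAPPER_CMD [FROM_PATTERN]
# -> prints the authorized_keys entry. "restrict" switches off pty, port,
#    agent and X11 forwarding and user rc in one word (the post's no-* list
#    plus no-pty); from= additionally pins the key to a source address pattern.
build_authorized_line() {
    if [ -n "${3:-}" ]; then
        printf 'restrict,from="%s",command="%s" %s\n' "$3" "$2" "$1"
    else
        printf 'restrict,command="%s" %s\n' "$2" "$1"
    fi
}

# dispatch REQUEST -> run one allow-listed action; 64 for no request, 126 for an unknown one
dispatch() {
    case ${1:-} in
        "")          echo "backup-shell: no command given" >&2; return 64 ;;
        rewind-tape) mt -f /dev/nst0 rewind ;;
        write-tape)  nice -n 19 dd of=/dev/nst0 ;;   # stdin -> tape (post's example)
        read-tape)   nice -n 19 dd if=/dev/nst0 ;;   # tape -> stdout
        catch-tar)   cat - > "$HOME/backups/pkeck.tar.$(date +%Y%m%d.%H-%M-%S)" ;;
        *)           logger -t backup-shell "rejected request: $1" 2>/dev/null || :
                     echo "backup-shell: request not allowed" >&2
                     return 126 ;;
    esac
}

# install_key [KEYFILE] [HOST] -> make a passphrase-less ed25519 key on the
# client and append the restricted entry for it to ~/.ssh/authorized_keys on HOST
install_key() {
    keyfile=${1:-$HOME/.ssh/whoisit}
    host=${2:-burly}
    ssh-keygen -t ed25519 -N '' -C whoisitnow -f "$keyfile" || return 1
    build_authorized_line "$(cat "$keyfile.pub")" "/usr/local/bin/backup-shell serve" \
        | ssh "$host" 'cat >> ~/.ssh/authorized_keys'
}

case ${1:-} in
    serve)   dispatch "${SSH_ORIGINAL_COMMAND:-}" ;;   # sshd runs us this way via command=
    install) shift; install_key "$@" ;;
esac
```

The client side stays the way the post describes it, with the request name tacked on as the ssh command: ssh -i ~/.ssh/whoisit burly rewind-tape, or tar cf - /home/pkeck | ssh -i ~/.ssh/whoisit burly catch-tar. Because the key carries command=, the server never runs "rewind-tape" itself; it runs the wrapper and the wrapper decides. Keeping the allow-list to fixed words rather than letting the client pass arguments is what keeps a leaked secret key from turning into a general-purpose login.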

You get the idea! Go crazy!

Tape examples from Ed Cashin’s Gettin’ Fancy with SSH Keys, my inspiration for getting into this whole thing!