r7 - 2010-11-05 - 21:53:14 - HarlanStenn

SSH Configuration Notes

Ahoy, intrepid SSH users. Here are a few useful things that you may like when trying to configure your copy of OpenSSH.

ssh config files

Getting the nice user@host password: prompt.

In order to get this, you need to understand the distinction between the two different "password" authentication methods, "password" and "keyboard-interactive".
  • password: This displays the full user@host password: prompt when trying to log into a remote host.
  • keyboard-interactive: This just displays a brief password: prompt and doesn't tell you where you're logging into.

Which of these you get is dependent in part on the server, but if you are offered a choice, you can determine which one you prefer with the following methods.

  • Interactively: Use ssh -oPreferredAuthentications=hostbased,publickey,password,keyboard-interactive
  • In your ~/.ssh/config file add the line PreferredAuthentications hostbased,publickey,password,keyboard-interactive inside of your Host * block, like below.

(~/.ssh/config)

Host ntp1.isc.org
...

Host ntp2.isc.org
...

Host *.udel.edu
...

Host *
PreferredAuthentications hostbased,publickey,password,keyboard-interactive

Now isn't that nice?

-- JohnConner - 17 Nov 2004


I had to add publickey as one of the methods for 3.5p1.

Of course, 3.9p1 is way more recent...

-- HarlanStenn - 18 Nov 2004
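The reason the Host * block has to come last is that ssh takes the first value it obtains for each keyword and ignores every later one, so a generic block placed first would silently override each host-specific block after it. As an added example that is not part of the original page, here is a small Python resolver for exactly that rule (Host patterns with *, ? and ! only; Match, Include and quoted values are not handled). The two config texts are constructed for the demonstration: ntp1.isc.org and *.udel.edu are the names used on this page, the User line and the second config's ordering are made up to show the shadowing problem.

```python
import re

# Constructed sample configs (not from the page). GOOD_CONFIG follows the
# ordering recommended above: host-specific blocks first, "Host *" last.
GOOD_CONFIG = """\
Host ntp1.isc.org
    User harlan
    PreferredAuthentications publickey

Host *.udel.edu
    ForwardX11 yes

Host *
    PreferredAuthentications hostbased,publickey,password,keyboard-interactive
"""

# The same settings with "Host *" moved to the top: its PreferredAuthentications
# value is obtained first, so the ntp1.isc.org-specific value is never used.
SHADOWED_CONFIG = """\
Host *
    PreferredAuthentications hostbased,publickey,password,keyboard-interactive

Host ntp1.isc.org
    PreferredAuthentications publickey
"""


def parse_ssh_config(text):
    """Split ssh_config text into [(host_patterns, {keyword: value}), ...] in file order.

    Keywords are case-insensitive and both "Keyword value" and "Keyword=value"
    are accepted. Options before the first Host line behave as a "Host *" block.
    Match, Include and quoted values are deliberately not handled.
    """
    blocks = []
    patterns, opts = ["*"], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # strip comments and whitespace
        if not line:
            continue
        m = re.match(r"([A-Za-z0-9]+)\s*(?:=|\s)\s*(.*)", line)
        if not m:
            continue
        key, val = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            blocks.append((patterns, opts))
            patterns, opts = val.split(), {}
        else:
            opts.setdefault(key, val)               # within a block, the first value wins too
    blocks.append((patterns, opts))
    return blocks


def host_matches(patterns, host):
    """Host-line matching: '*' and '?' are wildcards, a leading '!' negates, and a
    matching negated pattern vetoes the block whatever the other patterns say."""
    matched = False
    for pat in patterns:
        negate = pat.startswith("!")
        regex = re.escape(pat.lstrip("!")).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(regex, host, re.IGNORECASE):
            if negate:
                return False
            matched = True
    return matched


def effective_option(text, host, keyword):
    """Resolve one keyword for a host the way ssh does: walk the blocks in file
    order and return the first value obtained from a block that matches."""
    keyword = keyword.lower()
    for patterns, opts in parse_ssh_config(text):
        if keyword in opts and host_matches(patterns, host):
            return opts[keyword]
    return None


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("shadowed", SHADOWED_CONFIG)):
        print("%-8s ntp1.isc.org -> %s"
              % (name, effective_option(cfg, "ntp1.isc.org", "PreferredAuthentications")))
```

With the good ordering ntp1.isc.org resolves to publickey; with Host * on top it gets the generic list and the host-specific line is dead. For your real config, ssh -G hostname (OpenSSH 6.8 and later) prints the same resolution and is the quickest way to confirm which PreferredAuthentications value actually reaches a given server.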

Tunnelling X

You may also want to add:

  ForwardX11 yes
  ForwardX11Trusted yes

-- HarlanStenn - 17 May 2008


Generating keys with ssh-keygen

On the machine you plan to log in from, run any or all of:

  • ssh-keygen
  • ssh-keygen -t dsa
  • ssh-keygen -t rsa

which, on the OpenSSH releases current when this was written, generate a version 1 RSA key, and version 2 DSA and RSA keys, respectively. Current OpenSSH releases no longer support protocol 1 or DSA keys at all: a bare ssh-keygen now produces a protocol 2 RSA key, and ssh-keygen -t ed25519 is the usual choice for a new key.

You can generate keys that either do or do not require a passphrase: ssh-keygen prompts for one, and an empty answer leaves the private key unencrypted on disk.

V1 keys are generated in ~/.ssh/identity (your private key) and ~/.ssh/identity.pub (the corresponding public key).

V2 DSA keys are generated in ~/.ssh/id_dsa and ~/.ssh/id_dsa.pub .

V2 RSA keys are generated in ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub .

Get any of the public (not private) keys appended to the remote machine's ~/.ssh/authorized_keys file, one key per line, and then you can log in to the remote machine with the key, entering its passphrase (which might be empty if that's how you generated it) instead of your account password.

The ssh-keygen man page contains useful information.

Use ssh -v remote-site to get debug information. Problems are usually permission-related. SSH likes its files to be writable only by you: private keys should be readable only by you (mode 0600), ~/.ssh should be 0700, and the directories above these files, your home directory included, should not be writable by "group" or "other" (sshd's StrictModes check, on by default, rejects a group- or world-writable home directory, ~/.ssh or authorized_keys).
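Those permission rules are worth checking mechanically rather than by eye, since ssh -v only tells you about the one file it gave up on. As an added example that is not from the page, here is a Python checker for the rules just described. Its demo() function builds a throwaway home directory containing the usual mistakes (group-writable home and ~/.ssh, world-readable id_rsa, world-writable authorized_keys); the file contents in it are constructed placeholders, not real keys.

```python
import os
import stat
import tempfile

# sshd's StrictModes refuses a home directory, ~/.ssh or authorized_keys that is
# writable by group or other; ssh refuses to use a private key that any other
# user can read. check_ssh_perms() applies exactly those two rules.
PRIVATE_KEY_NAMES = {"identity", "id_dsa", "id_rsa", "id_ecdsa", "id_ed25519"}


def _is_private_key(name):
    # assumption: private keys follow the ssh-keygen naming convention
    return name in PRIVATE_KEY_NAMES or (name.startswith("id_") and not name.endswith(".pub"))


def _mode(path):
    return stat.S_IMODE(os.lstat(path).st_mode)


def check_ssh_perms(home):
    """Return a list of human-readable problems; an empty list means the tree is fine."""
    problems = []
    ssh_dir = os.path.join(home, ".ssh")
    # the directories above the key files must not be writable by group or other
    for d in (home, ssh_dir):
        if os.path.isdir(d) and _mode(d) & 0o022:
            problems.append("%s: writable by group/other (mode %04o)" % (d, _mode(d)))
    if not os.path.isdir(ssh_dir):
        return problems
    for name in sorted(os.listdir(ssh_dir)):
        path = os.path.join(ssh_dir, name)
        if not os.path.isfile(path):
            continue
        m = _mode(path)
        if _is_private_key(name) and m & 0o077:
            problems.append("%s: private key accessible to others (mode %04o), want 0600" % (path, m))
        elif not _is_private_key(name) and m & 0o022:
            problems.append("%s: writable by group/other (mode %04o)" % (path, m))
    return problems


def fix_ssh_perms(home):
    """Tighten everything to the modes ssh and sshd expect."""
    ssh_dir = os.path.join(home, ".ssh")
    os.chmod(home, _mode(home) & ~0o022)        # only drop group/other write on the home dir
    os.chmod(ssh_dir, 0o700)
    for name in os.listdir(ssh_dir):
        path = os.path.join(ssh_dir, name)
        if os.path.isfile(path):
            os.chmod(path, 0o600 if _is_private_key(name) else 0o644)


def demo():
    """Build a throwaway home directory with the classic mistakes, check it,
    fix it, and check again. Returns (problems_before, problems_after)."""
    home = tempfile.mkdtemp(prefix="sshperm-")
    ssh_dir = os.path.join(home, ".ssh")
    os.mkdir(ssh_dir)
    for name, content in (("id_rsa", "-----BEGIN OPENSSH PRIVATE KEY-----\n"),
                          ("id_rsa.pub", "ssh-rsa AAAA... user@host\n"),
                          ("authorized_keys", "ssh-rsa AAAA... user@host\n")):
        with open(os.path.join(ssh_dir, name), "w") as f:
            f.write(content)                        # constructed placeholders, not real keys
    os.chmod(home, 0o775)                           # group-writable home: StrictModes failure
    os.chmod(ssh_dir, 0o770)                        # group-writable ~/.ssh: same
    os.chmod(os.path.join(ssh_dir, "id_rsa"), 0o644)           # world-readable private key
    os.chmod(os.path.join(ssh_dir, "id_rsa.pub"), 0o644)       # public key: fine as is
    os.chmod(os.path.join(ssh_dir, "authorized_keys"), 0o666)  # world-writable: anyone can add a key
    before = check_ssh_perms(home)
    fix_ssh_perms(home)
    after = check_ssh_perms(home)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", *before, sep="\n  ")
    print("after: ", after)
```

Point check_ssh_perms() at a real home directory (os.path.expanduser("~")) to audit your own account; the world-writable authorized_keys case is the one to care about most, since it lets any local user add a key that logs in as you.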

Setting up an SSH tunnel

(I have not tested this.)

Let's say you are on machine A, and you are blocked from connecting to UDel.

If you have access to another machine, say, B that is not blocked from connecting to UDel, there are at least two ways you can then access the UDel machines:

  1. ssh from A to B, and on B, ssh into UDel. If you make sure that X forwarding is enabled, you can fire up an xterm (or rxvt, or whatever) on B that will pop up its display on machine A.
      A> xterm -e ssh B
      B> xterm -e ssh pogo.udel.edu
  2. set up an ssh tunnel on B that A can connect to. The -g flag is needed because without it the listener is bound to B's loopback interface and only B itself could use it:
      B> ssh -g -L 2222:pogo.udel.edu:22 pogo.udel.edu
     and then on machine A:
      A> ssh -p 2222 B
     and you should be connected to pogo.udel.edu. A is now talking to pogo's sshd through B, so ssh on A will record pogo's host key under the name [B]:2222 in known_hosts; pass -o HostKeyAlias=pogo.udel.edu to have it stored under the right name. If you would rather not leave a listener open on B for anyone who can reach it, run the tunnel from A instead (ssh -L 2222:pogo.udel.edu:22 B) and then ssh -p 2222 localhost on A.

Also see:

For example, suppose myserver.example.com were actually a firewall that protected, among others, the system private.local. The system private.local is accessible from myserver.example.com but not from the internet directly. So, now you could run:

ssh -T -N -L 3308:private.local:3306 myserver.example.com

Here, ssh listens on port 3308 on the local system and forwards that data to port 3306 on private.local, but it does that via the server myserver.example.com. In other words the local traffic on port 3308 is carried inside the SSH connection to myserver.example.com, which then opens an ordinary TCP connection to port 3306 on private.local. (-N means run no remote command and -T means allocate no pty; the ssh process exists only to hold the tunnel open.) Because that last hop arrives over the network, this won't work if private.local's mysql server is only listening on its loopback interface. In that case ssh into private.local itself, using myserver.example.com as a jump host (-J, OpenSSH 7.3 and later), and forward to localhost as seen from private.local: ssh -T -N -J myserver.example.com -L 3308:localhost:3306 private.local

Another type of tunneling you can do is to reverse the tunnel: rather than using -L you can specify -R so that the listen side of the tunnel is on the remote side rather than on the local side. For example, suppose phpmyadmin was installed on myserver.example.com and you wanted to allow somebody using that phpmyadmin installation to connect to the mysql instance running on your local system. Just substitute -R for -L in the first ssh command above:

ssh -T -N -R 3308:localhost:3306 myserver.example.com

Here the remote sshd listens on port 3308 of myserver.example.com and forwards each connection to that port back through the SSH session to port 3306 on your local system. By default sshd binds that listener to the loopback interface of the remote system only (its GatewayPorts setting controls this), so nothing on the internet can reach your mysql through it; but anything running on myserver.example.com can, phpmyadmin included, so anyone who can run code on that server can now talk to your local mysql, and the server's security becomes the limit of yours. Remember that you still run this ssh command from your local system, you don't run it from the server (and unless your system is routable you probably couldn't successfully execute it on the remote system anyway).
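To make the listen-side semantics of -L and -R concrete, here is an added example that is not part of the original page: a plaintext Python stand-in for the forwarder ssh sets up, with the same [bind_address:]port:host:hostport arguments and the same loopback-only default. It relays each accepted connection to the target, exactly what the client side of -L does (and what sshd does for -R, just on the other machine); the encryption and the SSH channel in between are left out. The echo service in it is constructed to stand in for the mysql server behind the tunnel, and port 0 is used so the demo never collides with a real listener.

```python
import socket
import threading


def _pump(src, dst):
    """Copy bytes src -> dst until EOF, then pass the EOF on as a half-close."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _relay(a, b):
    """Full-duplex relay between two connected sockets; closes both when done."""
    t1 = threading.Thread(target=_pump, args=(a, b), daemon=True)
    t2 = threading.Thread(target=_pump, args=(b, a), daemon=True)
    t1.start(); t2.start(); t1.join(); t2.join()
    a.close(); b.close()


class LocalForward:
    """Plaintext stand-in for `ssh -L [bind_address:]port:host:hostport`: accept on
    (bind_address, port) and relay every connection to (host, hostport). Real ssh
    carries the bytes inside the SSH channel and the server makes the outbound
    connection; the listen side behaves the same way."""

    def __init__(self, port, host, hostport, bind_address="127.0.0.1"):
        # loopback by default, as in ssh; "0.0.0.0" is what -g (or GatewayPorts) gives you
        self.target = (host, hostport)
        self.srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.srv.bind((bind_address, port))
        self.srv.listen(5)
        self.port = self.srv.getsockname()[1]       # the real port when 0 was requested
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                client, _ = self.srv.accept()
            except OSError:                         # listener closed
                return
            try:
                upstream = socket.create_connection(self.target, timeout=5)
                upstream.settimeout(None)
            except OSError:
                client.close()                      # like ssh's "connect failed": drop the client
                continue
            threading.Thread(target=_relay, args=(client, upstream), daemon=True).start()

    def close(self):
        self.srv.close()


def start_echo_server():
    """Constructed stand-in for the service behind the tunnel (think mysqld on private.local:3306)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_pump, args=(conn, conn), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv


def round_trip(payload=b"SELECT 1\n"):
    """Send payload through the forwarder to the echo service and return what comes back."""
    backend = start_echo_server()
    fwd = LocalForward(0, "127.0.0.1", backend.getsockname()[1])   # ~ -L 3308:private.local:3306
    try:
        with socket.create_connection(("127.0.0.1", fwd.port), timeout=5) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)              # done sending; now wait for the echo and EOF
            chunks = []
            while True:
                data = c.recv(4096)
                if not data:
                    break
                chunks.append(data)
    finally:
        fwd.close()
        backend.close()
    return b"".join(chunks)


if __name__ == "__main__":
    print(round_trip())
```

The security point sits in the bind_address default: with "127.0.0.1" only processes on the forwarding host can use the tunnel, and changing it to "0.0.0.0" (what -g does on the client, and what GatewayPorts does for -R on the server) hands the forwarded service to everyone who can reach that host.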
