Tag Archives: ssh

Access HP's ILO remote console via SSH

It has happened to me many times that I needed quick access to the remote console of a server (HP's ILO) and could not open a web browser just for that. So let's access it via SSH. Here goes.

1. Connect to the ILO over SSH:

[codesyntax lang="bash"]

ssh ilo_admin@ip_address

[/codesyntax]

2. Enter your ILO admin account and password. After that you will see the ILO prompt.

hpILO->

3. To access the remote console of the server at the ILO prompt type "TEXTCONS"

hpILO->TEXTCONS

4. You will be presented with the server's Login: prompt. Enter the root or a user account of the server to gain access.

Login:

Voilà!

Segmented file transfer over ssh

Many people would say: why don't you use rsync? rsync is, indeed, a wonderful little tool with a lot of features, but it doesn't support segmented file transfer. Well, there are a lot of software applications out there that can handle segmented file transfers over the FTP or HTTP protocol. One of them is prozilla. But, like rsync, prozilla doesn't support the SFTP protocol. So, how can we handle this? The answer has four letters: lftp. Quote from the lftp man page:

Gets  the specified file using several connections. This can speed up transfer, but loads the net and server heavily impacting other users. Use only if you really have to transfer the file ASAP

[codesyntax lang="bash"]

lftp sftp://user[:password]@host.ro[:port] -e "mirror -c --parallel=5 --use-pget-n=5 \"/path/to/folder/\""

[/codesyntax]

Very simple and effective, right?

(Very) Later edit:

[codesyntax lang="bash"]

echo 'set sftp:connect-program "ssh -a -x -i /full/path/to/the/ssh/private/key"' | tee ~/.lftprc
lftp -u user,xxx sftp://host.ro:6646 -e "mirror -c --parallel=10 --use-pget-n=10 \"/path/to/folder/\"; quit"

[/codesyntax]


Where:

  • user is your username on the system you connect to
  • xxx is just a junk password

Force Chrome to tunnel DNS requests through a SSH socks proxy

Set up a SOCKS proxy (check this page for more details) on port 8888 (the exact port is not important).

Start chrome with the following parameters:

[codesyntax lang="bash"]

chrome --proxy-server="socks5://localhost:8888"

[/codesyntax]

To check that this works, run the following command on the SSH server; tcpdump will show DNS traffic for any activity in Chrome:

[codesyntax lang="bash"]

tcpdump -i eth0 port 53

[/codesyntax]

Encrypt your traffic from your Android device using a ssh tunnel

As I mentioned on a previous occasion, in China the government filters internet traffic (including mobile traffic, doh), so you can't access various websites and/or services, which is very annoying. Well, what do you do if you want to browse youtube.com, for instance? Hmmm... you will have to encrypt your traffic somehow. Below I describe what you need and how to accomplish this from your Android device.

First of all you will need an SSH server configured somewhere outside China (preferably listening on a non-standard port).

Once you have an SSH server, download the SSH Tunnel application written by Max Lv from the Android Market.

All you have to do is fill in the Host, Port, User and Password fields and tick the Use socks proxy, Enable GFW List and Enable DNS Proxy (this one is extremely important) options.

That's it!

OpenVPN through SSH

This is useful if you are behind a restrictive firewall that uses SPI to block services rather than plain old port blocking. An SPI firewall is able to distinguish between one packet type and another, without just checking the port that is in use.

You’ll need root access to the OpenVPN Server, as you have to change some of the server config files.

You need to make the following changes:

  • change the line proto udp to proto tcp in both the client and the server configuration files
  • add socks-proxy localhost 5555 to the OpenVPN client configuration file
  • create an SSH tunnel between the client machine and the OpenVPN server. Assuming you're running Linux/Unix with the OpenSSH client binary installed, run the command:

[codesyntax lang="bash"]

ssh -ND5555 user@test.org

[/codesyntax]


Note: If you are using Windows please read what this guy wrote here: http://blog.ramin-hossaini.com/2009/10/06/creating-a-tunnel-and-socks-proxy-with-putty/

Encrypt your web browsing session in one command

Recently I accepted a job proposition in Shenzhen/China. So, China here I come. Things are great here, western propaganda has nothing to do with what's going on here, except for one thing: internet filtering. Google results are censored, so only "accepted" results are displayed, and sites like facebook.com, twitter.com, youtube.com, thepiratebay.org, openvpn.net and so many more are blocked. What do you do to get past this filtering? The solution is to encrypt your browsing session.

Using a simple SSH command, I can encrypt all my web browsing traffic and redirect it through a trusted computer when I'm on someone else's network. Today I'll set up a local proxy server that encrypts my online activity from my desktop. Here's how:

What I'll need.

  • a SSH server to act as your proxy
  • a SSH client on the computer you're using

Note: Mac and *nix machines have an SSH client built right in at the command line. Windows users can set up OpenSSH with Cygwin or use PuTTY.

What we are going to do.
What I am doing is setting up a "middle-person" (the SSH server which will act as a proxy) between me and the internet. Using the proxy, my browser hands off web page requests to the proxy server, which handles the request and fetches the page for me from the internet. The web site actually thinks the request is coming from the proxy server, not from my computer, which is a good way to obscure my originating IP address.

The good thing about this is my traffic is over SSH which is an encrypted protocol. This prevents wifi sniffers from seeing what I am doing online.

Setting up the server.
On the computer acting as my desktop I am going to open up a connection to the SSH server:

[codesyntax lang="bash"]

ssh -ND 9999 user@test.org

[/codesyntax]

What this command does is hand off requests to localhost, port 9999, to the SSH server at test.org to handle.

Note:

  • if your SSH server listens on a port other than the standard one (22/tcp), it can be changed using the -p switch
  • the -N tells SSH not to open an interactive prompt, so it will just hang there, waiting. That's exactly what I want.

Setting up the client.
Once the proxy is up and running, configure Firefox to use it. From Firefox's Tools menu, choose Options, and from the Advanced section choose the Network tab. Next to "Configure how Firefox connects to the Internet" hit the "Settings" button and enter the SOCKS information, which is the server name (localhost) and the port you used (in the example above, 9999).

Save those settings and hit up a web page. When it loads, it's actually coming from the proxy server over an encrypted connection.

Tips.

  • Set your proxy server to resolve DNS requests instead of your computer; in Firefox's about:config area, set network.proxy.socks_remote_dns = true.
  • For those with slower connections, you can use the -C command line option to use SSH's compression (gzip).
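Added example (not code from this post or from the Chrome post above): the SOCKS5 exchange a browser performs against the local `ssh -ND` proxy. It shows the difference between sending the hostname itself, which is what socks_remote_dns = true and Chrome's socks5:// scheme do, and sending a locally resolved IP, the DNS leak the tcpdump check on the SSH server is meant to catch. The proxy address localhost:9999 comes from this post; the hostnames, IPs and reply bytes in the code are constructed.

```python
import socket
import struct
VER, CMD_CONNECT = 0x05, 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY = {0: "succeeded", 2: "not allowed by ruleset", 4: "host unreachable", 5: "connection refused"}

def greeting():
    return bytes([VER, 1, 0x00])  # offer only "no authentication", which is what ssh -D speaks

def connect_request(host, port, remote_dns=True):
    """CONNECT request. With remote_dns the hostname itself is sent (ATYP 0x03) and the
    SSH server resolves it inside the tunnel; otherwise the client resolves it first (ATYP 0x01)."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)  # already an IPv4 literal
    except OSError:
        if remote_dns:
            name = host.encode("idna")
            addr = bytes([ATYP_DOMAIN, len(name)]) + name
        else:
            addr = bytes([ATYP_IPV4]) + socket.inet_aton(socket.gethostbyname(host))  # the leak
    return bytes([VER, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)

def request_leaks_dns(req):
    """True when the request carries an IP literal: the name was resolved outside the tunnel."""
    return req[3] in (ATYP_IPV4, ATYP_IPV6)

def parse_reply(data):
    """Parse the proxy's reply into (status text, bound address, bound port)."""
    if len(data) < 4 or data[0] != VER:
        raise ValueError("not a SOCKS5 reply")
    status, atyp = REPLY.get(data[1], "unknown"), data[3]
    if atyp == ATYP_IPV4:
        host, rest = socket.inet_ntoa(data[4:8]), data[8:]
    elif atyp == ATYP_DOMAIN:
        host, rest = data[5:5 + data[4]].decode(), data[5 + data[4]:]
    else:
        raise ValueError("unsupported address type in reply")
    return status, host, struct.unpack("!H", rest[:2])[0]

def connect_via_proxy(host, port, proxy=("localhost", 9999)):
    """Open a TCP stream to host:port through the ssh -ND proxy (the tunnel must be up)."""
    s = socket.create_connection(proxy)
    s.sendall(greeting())
    if s.recv(2) != bytes([VER, 0x00]):
        raise ConnectionError("proxy rejected the no-auth method")
    s.sendall(connect_request(host, port))
    status = parse_reply(s.recv(262))[0]
    if status != "succeeded":
        raise ConnectionError(status)
    return s
```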

How to setup a VPN using ssh and pppd

This is a step-by-step guide for setting up a VPN using pppd and ssh. To accomplish this you will need two Linux boxes, one acting as the server and the second one as the client. The "server" must have a static IP address or a dynamic DNS name. The firewall on both boxes must allow traffic on the port sshd listens on.

Server side

1. Install a package that makes our job easier later

For deb-based Linux boxes:
[codesyntax lang="bash"]

apt-get install ipcalc

[/codesyntax]

For rpm-based Linux boxes:
[codesyntax lang="bash"]

yum install whatmask

[/codesyntax]

2. Create a local account on server to be used by the clients that are connecting.

[codesyntax lang="bash"]

adduser --system --group vpn

[/codesyntax]

3. Modify the /etc/passwd file so that the vpn account gets a login shell (/bin/bash instead of /bin/false)
[codesyntax lang="bash"]

vim /etc/passwd
:%s/\/home\/vpn:\/bin\/false/\/home\/vpn:\/bin\/bash/g
:wq

[/codesyntax]

4. Set a password for the vpn account. The vpn account password will only be used while doing the initial configuration of your VPN clients, so I strongly recommend NOT to use a weak password.
[codesyntax lang="bash"]

passwd vpn

[/codesyntax]

5. This vpn account needs rights to bring the ppp connection up and down as well as modify the system routing table. Edit your sudoers file:
[codesyntax lang="bash"]

sudo visudo

[/codesyntax]

and append the following lines to the end of the file:

vpn ALL=NOPASSWD: /usr/sbin/pppd
vpn ALL=NOPASSWD: /sbin/route

6. Finally, we need to log in as the vpn user and set up a few bits in its home folder.
[codesyntax lang="bash"]

sudo su - vpn
cd ~
mkdir .ssh

[/codesyntax]

Client side

1. Assuming eth0 is the network interface connected to the LAN, determine the local network details
[codesyntax lang="bash"]

CLIENT_LAN_IF="eth0"
# match only the IPv4 line ("inet "), not the "inet6" one, so each variable holds a single value
LOCAL_IP=`ifconfig ${CLIENT_LAN_IF} | grep 'inet ' | awk '{print $2}' | sed 's/addr://'`
LOCAL_MASK=`ifconfig ${CLIENT_LAN_IF} | grep 'inet ' | awk '{print $4}' | sed 's/Mask://' | sed 's/Scope:Link//'`
# ipcalc prints "Network:   a.b.c.d/nn"; keep only the CIDR (rpm-based boxes: whatmask)
LOCAL_NETWORK=`ipcalc $LOCAL_IP $LOCAL_MASK -n -b | grep Network | awk '{print $2}'`

[/codesyntax]

2. Start vpn to server
[codesyntax lang="bash"]

sudo /usr/sbin/pppd updetach noauth passive pty "/usr/bin/ssh -P host -lvpn -i id_rsa -o Batchmode=yes sudo /usr/sbin/pppd nodetach notty noauth" ipparam vpn 192.168.1.238:192.168.1.237

[/codesyntax]

Note:

  • local IP address 192.168.1.238
  • remote IP address 192.168.1.237

3. Make the server our gateway
[codesyntax lang="bash"]

sudo route add -net $LOCAL_NETWORK gw 192.168.1.238

[/codesyntax]
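Added example (not part of this guide or the linked howto): a small replacement for the ipcalc/whatmask step on the client that derives LOCAL_NETWORK from ifconfig output, generalised to handle both the old net-tools format ("inet addr:... Mask:...") that the grep/awk pipeline above targets and the newer one ("inet ... netmask ..."), and prints the step-3 route. The interface outputs are constructed samples, not captured from a real host.

```python
import ipaddress
import re

# Old net-tools prints "inet addr:A  Bcast:B  Mask:M"; newer net-tools prints "inet A  netmask M".
OLD_STYLE = re.compile(r"inet addr:(\S+).*?Mask:(\S+)")
NEW_STYLE = re.compile(r"inet (\S+)\s+netmask (\S+)")

def lan_details(ifconfig_output):
    """Return (local_ip, netmask, network_cidr) for the first IPv4 address of the interface."""
    for line in ifconfig_output.splitlines():
        m = OLD_STYLE.search(line) or NEW_STYLE.search(line)
        if m:
            ip, mask = m.group(1), m.group(2)
            # strict=False lets a host address be given; the network address is derived from it
            net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
            return ip, mask, str(net)
    raise ValueError("no IPv4 address found on the interface")

def route_commands(network_cidr, gateway):
    """The step-3 route for the local LAN in both `route` and `ip route` syntax."""
    net = ipaddress.IPv4Network(network_cidr)
    return (f"route add -net {net.network_address} netmask {net.netmask} gw {gateway}",
            f"ip route add {net} via {gateway}")

# Constructed sample outputs (hypothetical addresses, not captured from a real host)
OLD_SAMPLE = """eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:10.0.5.17  Bcast:10.0.5.255  Mask:255.255.255.0
          inet6 addr: fe80::211:22ff:fe33:4455/64 Scope:Link
"""
NEW_SAMPLE = """eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.16.40.9  netmask 255.255.240.0  broadcast 172.16.47.255
        inet6 fe80::211:22ff:fe33:4455  prefixlen 64  scopeid 0x20<link>
"""

if __name__ == "__main__":
    for sample in (OLD_SAMPLE, NEW_SAMPLE):
        ip, mask, network = lan_details(sample)
        print(ip, mask, network, *route_commands(network, "192.168.1.238"), sep="\n")
```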

Links:
http://tuxnetworks.blogspot.ro/2011/05/howto-easiest-vpn-setup-ever.html

How to authenticate on a machine with ssh (protocol 1) without a password

This document describes the steps needed to authenticate with ssh protocol 1 without a password.

1. Generate private/public pair of keys on client computer (let's say desktop)
[codesyntax lang="bash"]

ssh-keygen -t rsa1

[/codesyntax]

2. Copy the public key to the server
[codesyntax lang="bash"]

ssh-copy-id -i identity.pub user@server

[/codesyntax]

3. Try to authenticate on server
[codesyntax lang="bash"]

ssh -1 -vvv server

[/codesyntax]

Note: If authentication in step 3 fails with the following error message:

user@user:~/.ssh$ ssh -1 -vvv user@server
OpenSSH_5.3p1 Debian-3ubuntu7, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to staging13.vendio.com [10.111.0.236] port 22.
debug1: Connection established.
debug1: identity file /home/user/.ssh/identity type 0
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: Remote protocol version 1.5, remote software version 1.2.27
debug1: no match: 1.2.27
debug1: Local version string SSH-1.5-OpenSSH_5.3p1 Debian-3ubuntu7
debug2: fd 3 setting O_NONBLOCK
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug3: check_host_in_hostfile: filename /home/user/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1014
debug3: check_host_in_hostfile: filename /home/user/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 1015
debug1: Host 'staging13.vendio.com' is known and matches the RSA1 host key.
debug1: Found key in /home/user/.ssh/known_hosts:1014
debug1: Encryption type: 3des
debug3: Wrote 156 bytes for a total of 194
debug1: Sent encrypted session key.
debug2: cipher_init: set keylen (16 -> 32)
debug2: cipher_init: set keylen (16 -> 32)
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug3: Wrote 20 bytes for a total of 214
debug1: RSA authentication using agent refused.
debug1: Trying RSA authentication with key '/home/user/.ssh/identity'
debug3: Wrote 268 bytes for a total of 482
Connection closed by X.X.X.X

And the sshd log on the server looks like:
Aug 29 00:26:21 staging13 sshd[16286]: connect from Y.Y.Y.Y
Aug 29 00:26:21 staging13 sshd[16286]: log: Connection from Y.Y.Y.Y port 43749
Aug 29 00:26:21 staging13 sshd[16286]: log: Could not reverse map address Y.Y.Y.Y.
Aug 29 00:26:22 staging13 sshd[16286]: fatal: RSA key has too many bits for RSAREF to handle (max 1024).

You should know that this is a limitation of the RSAREF library, so we should use a key with at most 896 bits. This can be accomplished by adding the -b 896 parameter to the ssh-keygen command in step one. After generating the key, it must be copied to the server again (step 2).
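Added example (not from this post): a checker for protocol-1 public keys that applies the RSAREF limit described above. It parses the identity.pub line format ("bits exponent modulus [comment]"), verifies the declared size against the modulus, and lists the keys in an authorized_keys file that an RSAREF-built sshd would reject. The sample keys are constructed with arbitrary moduli of the right size, not real RSA keys.

```python
RSAREF_MAX_BITS = 1024   # hard limit of the RSAREF library in the old sshd from the log above
RECOMMENDED_BITS = 896   # the size the text suggests passing to ssh-keygen -b

def parse_rsa1_pubkey(line):
    """identity.pub holds one line: 'bits exponent modulus [comment]', all in decimal."""
    fields = line.split(None, 3)
    if len(fields) < 3 or not fields[0].isdigit():
        raise ValueError("not an SSH protocol-1 public key line")
    bits, exponent, modulus = int(fields[0]), int(fields[1]), int(fields[2])
    if modulus.bit_length() != bits:
        raise ValueError(f"header says {bits} bits but the modulus has {modulus.bit_length()}")
    comment = fields[3].strip() if len(fields) > 3 else ""
    return bits, exponent, modulus, comment

def rsaref_compatible(line):
    """True when an RSAREF-built sshd (like the 1.2.27 server in the log) can use the key."""
    return parse_rsa1_pubkey(line)[0] <= RSAREF_MAX_BITS

def oversized_keys(authorized_keys_text):
    """Comments of the protocol-1 keys such a server would reject. Protocol-2 lines
    (ssh-rsa ..., ssh-dss ...) and lines with a leading options field are skipped."""
    found = []
    for line in authorized_keys_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or not line[0].isdigit():
            continue
        bits, _, _, comment = parse_rsa1_pubkey(line)
        if bits > RSAREF_MAX_BITS:
            found.append(comment or f"{bits}-bit key")
    return found

# Constructed sample keys: the moduli are arbitrary odd numbers of the stated size,
# not real RSA moduli; they only exercise the parser.
KEY_896 = f"896 35 {(1 << 895) | 12345} user@desktop"
KEY_2048 = f"2048 35 {(1 << 2047) | 12345} user@laptop"
AUTHORIZED_KEYS = "\n".join(["# constructed authorized_keys", KEY_896, KEY_2048,
                             "ssh-rsa AAAAB3NzaC1yc2E= user@ssh2"])
```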