If users need access to the files on your server but you don't want them to be able to execute commands, you can limit their access to SFTP only.

Add a user to your system as normal with a password and then run the following command:

usermod -s /usr/lib/sftp-server username

Then add the following line to /etc/shells so the system treats it as a valid shell:

echo '/usr/lib/sftp-server' >> /etc/shells

This user's login shell is now the sftp server, so a login gets the SFTP protocol and nothing else. Note that the binary's location varies by distribution (Debian and Ubuntu ship it as /usr/lib/openssh/sftp-server), and that OpenSSH 4.9 and later provide ForceCommand internal-sftp, which enforces the same restriction from sshd_config without changing the login shell.
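The same restriction done the way current OpenSSH supports it, as an added example that is not part of the original post: a Match block that forces the in-process SFTP subsystem and chroots the user, plus a check for the ownership and mode rule sshd enforces on the chroot directory. The user name sftpuser and the directory /srv/sftp/sftpuser are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): restrict a user to SFTP with
# sshd's built-in subsystem instead of swapping the login shell.
# Assumptions: OpenSSH >= 4.9 (internal-sftp, ChrootDirectory); the user
# "sftpuser" and chroot "/srv/sftp/sftpuser" are placeholders.

# sftp_only_block USER CHROOT_DIR: emit the sshd_config Match block.
# Match blocks must come after all global settings in sshd_config.
sftp_only_block() {
  cat <<EOF
Match User $1
    ChrootDirectory $2
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
EOF
}

# check_chroot_dir DIR: sshd refuses a chroot unless every path component is
# owned by root and writable by nobody else ("bad ownership or modes for
# chroot directory"). This checks the leaf directory, which is the usual slip.
check_chroot_dir() {
  [ -d "$1" ] || { echo "missing: $1" >&2; return 1; }
  # -prune keeps find on the directory itself; -perm -020 / -002 test the
  # group-write and other-write bits.
  if [ -n "$(find "$1" -prune -user root ! -perm -020 ! -perm -002 -print)" ]; then
    return 0
  fi
  echo "bad ownership or modes for chroot directory $1" >&2
  return 1
}

# Typical use (as root), not run here:
#   mkdir -p /srv/sftp/sftpuser/upload && chown sftpuser /srv/sftp/sftpuser/upload
#   check_chroot_dir /srv/sftp/sftpuser
#   sftp_only_block sftpuser /srv/sftp/sftpuser >> /etc/ssh/sshd_config
#   sshd -t && service ssh reload
```

Because internal-sftp runs inside sshd, the chroot needs no binaries or libraries, and the user's login shell can be /usr/sbin/nologin; the user writes into a subdirectory they own (upload above), since the chroot root itself must stay root-owned.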


Enjoy

To cap the number of simultaneous SSH connections from a single source address with iptables, use the following command:

iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 5 -j REJECT

In this example a source address is limited to 5 connections: once it has that many open, further connection attempts (new SYNs) are rejected. connlimit counts per source IP by default (mask /32), so this is a per-client limit, not a global one.
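The rule above with the per-source mask written out, an IPv6 counterpart and an idempotent apply step, as an added example that is not part of the original post. It assumes iptables and ip6tables with the connlimit match and root privileges when applying; the limit and port are placeholders taken from the post.

```shell
#!/bin/sh
# Added example, not from the original post: the connlimit rule with the
# per-source mask made explicit, an IPv6 twin, and an idempotent apply helper.
# Assumptions: iptables/ip6tables with the connlimit match; run as root to apply.

SSH_CONNLIMIT=5     # placeholder: max open connections per source address
SSH_PORT=22         # placeholder: sshd port

# ssh_connlimit_rules 4|6: print the rule (chain plus match arguments).
# --connlimit-mask 32 (IPv4) / 128 (IPv6) counts per single host, which is
# the default; a smaller mask (e.g. 24) would count a whole subnet together.
# --reject-with tcp-reset gives a clean RST instead of an ICMP error.
ssh_connlimit_rules() {
  case "$1" in
    4) mask=32 ;;
    6) mask=128 ;;
    *) echo "usage: ssh_connlimit_rules 4|6" >&2; return 2 ;;
  esac
  printf 'INPUT -p tcp --syn --dport %s -m connlimit --connlimit-above %s --connlimit-mask %s -j REJECT --reject-with tcp-reset\n' \
    "$SSH_PORT" "$SSH_CONNLIMIT" "$mask"
}

# apply_ssh_connlimit: insert each rule at the top of INPUT (so it is hit
# before a generic ACCEPT for port 22), but only if it is not already there
# (iptables -C), so re-running from a boot hook does not stack duplicates.
apply_ssh_connlimit() {
  for fam in 4 6; do
    case "$fam" in 4) ipt=iptables ;; 6) ipt=ip6tables ;; esac
    ssh_connlimit_rules "$fam" | while read -r rule; do
      # shellcheck disable=SC2086  # splitting the rule into words is intended
      "$ipt" -C $rule 2>/dev/null || "$ipt" -I $rule
    done
  done
}

# Not run here: apply_ssh_connlimit
```

Remember that connlimit counts established connections as well as the new one, so a client that legitimately multiplexes several sessions through one master connection (ControlMaster) consumes only one slot, while a backup job opening five parallel scp transfers hits the limit; pick the number with that in mind.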

OpenSSH 5.6 released

Valic — August 30, 2010

OpenSSH 5.6 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly.

Features:

* Added a ControlPersist option to ssh_config(5) that automatically starts a background ssh(1) multiplex master when connecting. This connection can stay alive indefinitely, or can be set to automatically close after a user-specified duration of inactivity.

* Hostbased authentication may now use certificate host keys. CA keys must be specified in a known_hosts file using the @cert-authority marker as described in sshd(8).

* ssh-keygen(1) now supports signing certificates using a CA key that has been stored in a PKCS#11 token.

* ssh(1) will now log the hostname and address that we connected to at LogLevel=verbose after authentication is successful to mitigate “phishing” attacks by servers with trusted keys that accept authentication silently and automatically before presenting fake password/passphrase prompts.

Note that, for such an attack to be successful, the user must have disabled StrictHostKeyChecking (enabled by default) or an attacker must have access to a trusted host key for the destination server.

* Expand %h to the hostname in ssh_config Hostname options. While this sounds useless, it is actually handy for working with unqualified

Continue Reading…

The following steps can be used to ssh from one system to another without specifying a password.

Step 1. On the client run the following commands:

ssh-keygen -t rsa

The output will look like this:

[email protected]:~# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
cd:1c:6b:4e:01:1d:8c:02:40:24:24:95:02:dc:12:7f [email protected]
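The remaining part of the procedure, installing the public key on the server, as an added example that is not part of the original post. It shows what ssh-copy-id does for you: the key line goes into ~/.ssh/authorized_keys exactly once, and the directory and file get the modes sshd's default StrictModes insists on (700 and 600, owned by the user), which is the usual reason a freshly copied key is ignored. The function names and the public-key path are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: install a client's public key on
# the server so that sshd (StrictModes yes, the default) accepts it.
# Assumptions: PUBKEY_FILE is the id_rsa.pub (or other .pub) produced by
# ssh-keygen; HOME_DIR is the target user's home; run as that user.

# install_pubkey PUBKEY_FILE HOME_DIR
# Appends the key line to HOME_DIR/.ssh/authorized_keys once and fixes modes.
install_pubkey() {
  pub="$1"; home="$2"
  dir="$home/.ssh"; ak="$dir/authorized_keys"
  [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }
  # A public key line is "<type> <base64 blob> [comment]"; refuse anything else
  # so a private key or a stray file never ends up in authorized_keys.
  keytype="$(awk 'NR==1{print $1}' "$pub")"
  case "$keytype" in
    ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
    *) echo "not a public key: $pub" >&2; return 1 ;;
  esac
  # Create the directory and file with a private umask (subshell keeps the
  # caller's umask untouched).
  ( umask 077; mkdir -p "$dir" && touch "$ak" ) || return 1
  # The base64 blob (field 2) identifies the key; the comment may differ.
  blob="$(awk 'NR==1{print $2}' "$pub")"
  if ! grep -qF -- "$blob" "$ak"; then
    head -n 1 "$pub" >> "$ak"
  fi
  # sshd ignores authorized_keys if ~/.ssh or the file is group/world writable.
  chmod 700 "$dir" && chmod 600 "$ak"
}

# count_keys HOME_DIR: number of key entries in authorized_keys.
count_keys() {
  grep -c '^[a-z]' "$1/.ssh/authorized_keys"
}

# Typical use from the client, not run here:
#   ssh user@server 'sh -s' < this_script.sh   # or simply: ssh-copy-id user@server
```

After this, ssh user@server should log in without a password prompt; if it still asks, check the server's auth log, which names the exact ownership or mode problem StrictModes objected to.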

Continue Reading…
