Posts tagged 'ssh'

If you are behind a proxy that allows HTTPS connections, you can use GitHub via SSH without problems. To do so, use the great tool connect.c. As described on its homepage, this program tunnels a connection through a proxy, so that SSH can reach servers on the other side of the proxy.

You can configure connect as the ProxyCommand for those hosts in ~/.ssh/config, and set the Port to 443 as well.

Basically the process is:

```sh
export PROXY=proxy:80

http_proxy=http://$PROXY wget -O /tmp/connect.c
gcc /tmp/connect.c -o ~/bin/connect

cat >> ~/.ssh/config <<EOF
# Host pattern of the GitHub server (placeholder, fill it in)
Host <github-host>
  Port 443
  IdentityFile $HOME/.ssh/id_rsa
  ProxyCommand $HOME/bin/connect -H proxy:80 %h %p
EOF
```


And you're ready!

```sh
git clone facter
```

Easy, isn’t it?

Check the connect.c documentation if you need to authenticate to the proxy.

We want to know how AIX behaves with duplicated users and groups in the BUILTIN and LDAP databases.

In Linux, with NSS, the OS follows the rules defined in /etc/nsswitch.conf and merges the credentials. If two user entries have the same name but different ids, or vice versa, it takes the first one. But AIX is different.


There are a lot of sites where the process is explained; just google a little bit.

I will describe the one that worked for me:

  • I am using AIX 6.1 TL4 (upgraded from AIX 5.3 TL6)
  • I have the AIX Toolbox For Linux Applications of 05.2009

I prefer to have openssh and openssl as native AIX packages. The problem is that the .rpm files usually depend on openssl, so I had to install the openssl rpm package as well.

First I downloaded both openssl (from IBM) and openssh 5.2p1 (from Sourceforge):

I installed them:

```sh
mkdir openssh_5.2p1_aix61 && cd openssh_5.2p1_aix61 && uncompress -c < ../openssh_5.2p1_aix61.tar.Z | tar -xvf - && installp -acXYgd . openssh
mkdir openssl. && cd openssl. && uncompress -c < ../openssl. | tar -xvf - && installp -acXYgd . openssl
```

Then I downloaded a compiled version of openssl 0.9.8 (the AIX Toolbox For Linux Applications of 05.2009 comes with 0.9.7, but the .rpms depend on 0.9.8) and installed it with `rpm -i openssl-0.9.8n-1.aix5.1.ppc.rpm`.

Sometimes we need to allow some users to remotely execute commands on a server via ssh, but we want to restrict which commands they can run. There are some solutions around, like restricted shells or wrappers, but we can implement a simple solution using bash and sudo.

The idea is to use the restricted shell functionality in bash. We will simply:

  • Create a new user for this purpose
  • Assign it a login script that restricts the $PATH variable
  • Link the needed commands there (or create scripts that call sudo)
  • Set up key-based (asymmetric key) authentication in ssh.

Only expose commands that cannot spawn another program or shell (no editors, pagers or interpreters): any such command would let the user break out of the restricted shell, and anything run through sudo executes with the destination user's privileges.

Here you have all the commands for Linux or AIX; they should work elsewhere too (except for the creation of the user).

```sh
# You have to set these variables before executing any command
# ---------------------------------------------------
USE_SUDO=yes                       # If we will use sudo for the commands, or only links
RESTRICTED_USER=<restricted-user>  # Restricted user (placeholder)
COMMANDS="<cmd1> <cmd2>"           # Full paths of the commands to link or run via sudo (placeholder; variable name assumed)
REMOTE_HOST=<remote-host>          # Remote host where the commands are executed (placeholder)
DEST_USER=<dest-user>              # Final user that executes the commands (sudo) (placeholder)
# ---------------------------------------------------

case `uname` in
AIX)
  # Add the shell script to the list of valid login shells
  chsec -f /etc/security/login.cfg -s usw -a shells=$(lssec -f /etc/security/login.cfg -s usw -a shells | cut -f 2 -d =),/home/$RESTRICTED_USER/bin/rbash

  # Create user
  mkuser groups=sshcon maxexpired=-1 loginretries=-1 $RESTRICTED_USER
  ;;
Linux)
  # Do not need to change password
  # At this moment only debian
  adduser --shell /home/$RESTRICTED_USER/bin/rbash --disabled-password --no-create-home $RESTRICTED_USER
  ;;
esac
mkdir -p /home/$RESTRICTED_USER/bin

# Create shell script for restricted mode
cat >/home/$RESTRICTED_USER/bin/rbash <<EOF
#!/usr/bin/bash -e
export PATH=/home/$RESTRICTED_USER/bin
# sshd runs the login shell as "rbash -c '<command>'"; -r enters bash restricted mode,
# which refuses to change PATH, cd, redirect output or run commands by absolute path
if [ "\$1" != "" ]; then
  exec /bin/bash -r "\$@"
else
  exec /bin/bash -r
fi
EOF
chmod +x /home/$RESTRICTED_USER/bin/rbash

# Configure the commands
if [ "$USE_SUDO" = "yes" ]; then
  # Sudoers: one NOPASSWD entry per command (paths must be absolute in sudoers)
  for i in $COMMANDS; do
    [ "$sudocmd" ] && sudocmd="$sudocmd,NOPASSWD:$i" || sudocmd="NOPASSWD:$i"
  done
  sudocmd="$RESTRICTED_USER ALL=($DEST_USER) $sudocmd"
  echo "Add this line to /etc/sudoers: '$sudocmd'"

  # One wrapper script per command, calling sudo
  for i in $COMMANDS; do
    cmdfile=$(basename $i)
    cat > /home/$RESTRICTED_USER/bin/$cmdfile <<EOF
#!/bin/sh
exec sudo -u $DEST_USER $i "\$@"
EOF
    chmod +x /home/$RESTRICTED_USER/bin/$cmdfile
  done
else
  # Link commands
  for i in $COMMANDS; do
    ln -s $i /home/$RESTRICTED_USER/bin/$(basename $i)
  done
fi
```

# Link commands

Optionally, on the origin server, we create a key and the adapter commands. We can create a common script and link the other commands to it.

```sh
# Create key
ssh-keygen -t rsa -f id_rsa

# Define commands: one common script, and a link per command
cat > .$RESTRICTED_USER.$REMOTE_HOST.cmd <<EOF
#!/bin/sh
# StrictHostKeyChecking=no skips host key verification; a pinned known_hosts entry is safer
exec ssh -T -o IdentitiesOnly=yes -o StrictHostKeyChecking=no -i id_rsa \\
    $RESTRICTED_USER@$REMOTE_HOST \$(basename \$0) "\$@"
EOF
chmod +x .$RESTRICTED_USER.$REMOTE_HOST.cmd
for i in $COMMANDS; do
    cmdfile=$(basename $i)
    ln -s .$RESTRICTED_USER.$REMOTE_HOST.cmd $cmdfile
done
```

Finally we add the public key on the destination server (sshd, with StrictModes, ignores authorized_keys files that are not owned by the user or are writable by others, hence the chown and chmod):

```sh
mkdir -p /home/$RESTRICTED_USER/.ssh
cat > /home/$RESTRICTED_USER/.ssh/authorized_keys <<EOF
<here goes your public key>
EOF
chown -R $RESTRICTED_USER /home/$RESTRICTED_USER/.ssh
chmod 700 /home/$RESTRICTED_USER/.ssh; chmod 600 /home/$RESTRICTED_USER/.ssh/authorized_keys
```

Easy, isn’t it?
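To see what the restricted login shell above actually enforces, here is an added example (mine, not part of the original post) that builds the same wrapper in a throwaway directory, without creating a user: it assumes bash is installed, and the command name `hello`, the demo directory and the function names `rbash_demo_setup`/`rbash_run` are constructed for the demo.

```sh
#!/bin/sh
# Build a scratch copy of the post's layout: <dir>/bin with one allowed
# command, and <dir>/rbash as the login shell that pins PATH to <dir>/bin
# and then enters bash restricted mode (-r).
rbash_demo_setup() {
  DEMO=$(mktemp -d)
  mkdir "$DEMO/bin"
  # The single allowed command (stands in for a "sudo -u dest cmd" wrapper)
  printf '#!/bin/sh\necho allowed:%s\n' '"$*"' > "$DEMO/bin/hello"
  chmod +x "$DEMO/bin/hello"
  # Resolve bash now: inside the wrapper PATH no longer contains /bin
  BASH_BIN=$(command -v bash)
  cat > "$DEMO/rbash" <<EOF
#!/bin/sh
export PATH=$DEMO/bin
exec $BASH_BIN -r "\$@"
EOF
  chmod +x "$DEMO/rbash"
  echo "$DEMO"
}

# Run a command line the way sshd would hand it to the login shell:
#   <login shell> -c "<command line>"
# Prints the command's stdout; restricted-mode refusals go to stderr.
rbash_run() {
  "$1/rbash" -c "$2" 2>/dev/null
}
```

Running `rbash_run "$dir" 'hello world'` prints `allowed:world`, while `rbash_run "$dir" '/bin/echo x'` and `rbash_run "$dir" 'PATH=/bin'` are refused by the restricted shell.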

I want to use SSH to remotely monitor some hosts. The problem with ssh is the overhead of creating a new connection every time.

But we can use the Control Master functionality of OpenSSH (see the ssh_config(5) manual page). Using it, ssh connects only once and reuses that connection.

This is great for monitoring scripts.

To use Control Master, you have to execute something like:

```sh
ssh -o "ControlMaster=yes" -o "ControlPath=/somepath/ssh-%r@%h:%p" -N user@host
```

The idea: create a remote user on each monitored host, establish a persistent ssh connection and use Control Master for the monitoring scripts. To daemonize and control the ssh master connections, I will use runit


The administrators of the services running on my machine often need to run graphical programs. Of course, I forbid them from logging in as system or service users, and I force them to use sudo to become the user in question.

To make their lives easier, I wrote this script, which propagates the X11 credentials to a target user using sudo.

This way we can log into a machine with our corporate user with X11 enabled (e.g. with Xming) and use the graphical system as a system user such as oracle or was.

In English: Script to propagate xauth (x11) credentials to other user using sudo.

The script:

To use it, just run:

```sh
./ <usuario>
```

For example:

```text
$ ./ pepito
Testing the display 'localhost:17.0'. Close the graphical program 'xclock' when displayed
Exporting dcdcorejees1/unix:12 to user pepito.
myuser's password for sudo: *****
WARNING, sudo does not propagate the $DISPLAY variable. It must be set manually:
 'sudo -H -u pepito DISPLAY=localhost:17.0 <command>'
Testing the display 'localhost:17.0' for user 'pepito'. Close the graphical program 'xclock' when displayed
It works!!!
To execute any command as 'pepito', use this command line:
 'sudo -H -u pepito DISPLAY=localhost:17.0 <command> [<args>]'

So. to work with a shell with 'pepito', execute this command:'
 'sudo -H -u pepito DISPLAY=localhost:17.0 sh'
```

Then, during that session, we can become the user in question and run commands that need a graphical environment.

IMPORTANT: sudo must be given the -H option so that it sets $HOME to the target user's home; otherwise xauth writes the cookie to the wrong .Xauthority.
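The script itself is not shown on this page, so here is an added example of the same technique (my own code, not the author's script): pick the xauth entry that belongs to $DISPLAY, add it to the target user's .Xauthority through `sudo -H`, and print the command line to use. The sample `xauth list` output, its cookie values and the function names `xauth_entry_for_display`/`xauth_propagate` are constructed for the example.

```sh
#!/bin/sh
# Constructed sample of `xauth list` output (fake cookie values), used for testing
SAMPLE_XAUTH_LIST='dcdcorejees1/unix:10  MIT-MAGIC-COOKIE-1  0123456789abcdef0123456789abcdef
dcdcorejees1/unix:12  MIT-MAGIC-COOKIE-1  fedcba9876543210fedcba9876543210'

# Read `xauth list` lines on stdin and print the entry for a DISPLAY such as
# "localhost:12.0": the display number (12) must match host/unix:12 or host:12.
xauth_entry_for_display() {
  num=${1#*:}          # "localhost:12.0" -> "12.0"
  num=${num%%.*}       # "12.0"           -> "12"
  awk -v n="$num" '$1 ~ ("[:/]" n "$") { print; exit }'
}

# Add our cookie for $DISPLAY to the target user's .Xauthority.
# sudo -H is essential: without it xauth would write to the caller's $HOME.
xauth_propagate() {
  target=$1
  [ -n "$DISPLAY" ] || { echo "DISPLAY is not set" >&2; return 1; }
  entry=$(xauth list | xauth_entry_for_display "$DISPLAY")
  [ -n "$entry" ] || { echo "no xauth entry for $DISPLAY" >&2; return 1; }
  echo "Exporting ${entry%% *} to user $target."
  # $entry word-splits into: <display> <protocol> <hexkey>, the arguments xauth add expects
  sudo -H -u "$target" xauth add $entry || return 1
  echo "sudo does not propagate DISPLAY; run commands as:"
  echo " 'sudo -H -u $target DISPLAY=$DISPLAY <command> [<args>]'"
}
```

Source the file and call `xauth_propagate pepito` from a session whose $DISPLAY is forwarded by ssh -X.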