SSH stands for “secure shell.” It’s a way for two computers to communicate with each other over a network with encryption. The ability to communicate like this allows access to computers that don’t have a keyboard, mouse, or monitor of their own — or even to computers in a completely different location. As far as I know, Mac OS already has sshd installed and uses launchd to manage it, and I know one way to output debug logs is sshd -E /var/log/sshd.log, but when I reviewed the /etc/ssh/sshd_config configuration there are two lines.
Conventionally, setting up SSH agent for use is a bit of a pain, as it has to be run before the user session is started. Mac OS X Leopard modifies SSH agent so that it is started on demand via the Mac OS X launchd service (i.e. it will be launched on first use).
For instructions on adding SSH keys for other platforms, visit this FAQ.
Introduction
As of April 12, 2019, SSH keys are required when SSHing to CS/CSRES networks when outside of our networks, campus wireless, or the VPN. The University ISO will quarantine any host allowing SSH access that has not disabled password authentication.
An SSH key pair consists of two keys: one public key and one private key. The public key, as the name suggests, is public and can be safely shared with the world. The private key should never be shared with anyone and should be kept safe.
In order to use SSH keys to connect to a remote computer, one must first create an SSH key pair on one's computer, then copy the public SSH key to the remote computer. You will create an SSH key pair on each computer that you want to SSH from. You can use the same public SSH key from one computer to connect to many others.
E.g., if you have two computers at home, home1 and home2, and want to use them to connect to remote1, remote2, and remote3 you would create an SSH key pair on both home1 and home2, and then send the public key from home1 to all three remote computers, and lastly you would send the public key from home2 to all three remote computers.
Below are the necessary instructions to create an SSH key pair and add your public key to your CSRES machine. For the purposes of these instructions, we will assume that you want to SSH into a CSRES machine from a computer at home. To avoid confusion, we will use the following terminology:
HOME = Your home computer
CSRES_USER = Your CSRES machine's username
SERVER.csres.utexas.edu = The machine that you need to SSH into and add an SSH key to.
NOTE: All commands will be run on HOME, unless otherwise specified.
Creating a key
To create a 4096-bit RSA key, run the following:
ssh-keygen -t rsa -b 4096
- Press Enter to use the default location. (Recommended) [1]
- Enter a passphrase (ALWAYS use a passphrase!!) [2][3]
- Enter your passphrase a second time.
It should look something like this:
Your public SSH key is located by default at ~/.ssh/id_rsa.pub and is perfectly safe to be shared with anyone. Your private SSH key will be located by default at ~/.ssh/id_rsa. You should NOT touch this file or share it with anyone.
Copying your key to a server
From UT VPN, UT wireless, or CS network
If you are connected to UT VPN, or have brought your machine on campus and have connected to UT wireless or the CS network, then you can use one of the methods below. If for any reason the ssh-copy-id method does not work, you can still copy your public SSH key manually using the second method.
You can find more information on how to connect to UT VPN by visiting this page.
Using ssh-copy-id
To copy your SSH public key from HOME to SERVER.csres.utexas.edu, simply replace the ssh in a normal SSH command with ssh-copy-id, as shown below:
ssh-copy-id [email protected]
- If you see the text 'Are you sure you want to continue connecting (yes/no)?' type yes and press Enter.
- Enter CSRES_USER's password to send your public key to the server.
It should look something like this:
Congratulations! You can now use your SSH key to log into your CSRES machine!
Using the manual method
If for any reason the ssh-copy-id method does not work, you can still copy your public SSH key manually.
cat ~/.ssh/id_rsa.pub | ssh [email protected] 'umask 0077 && mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys'
- If you see the text 'Are you sure you want to continue connecting (yes/no)?' type yes and press Enter.
- Enter CSRES_USER's password to send your public key to the server.
From Off Campus
Copy to a USB drive
If you are unable to connect to UT VPN or cannot bring your machine to campus, then copying your public SSH key to a USB drive is another solution.
On your home computer:
- Plug in a USB drive.
- If it does not auto-mount, open a file manager and open the USB device to view its contents.
- In a terminal, run
df -hT
to find the full path to your mounted USB drive. (Your USB's mount point path will likely start with /media/yourusername)
- Copy your public key to the drive:
cp ~/.ssh/id_rsa.pub /media/yourusername/directory/
(Replace the second path with your real USB drive's mount point path)
- Safely unmount/eject your USB drive and bring it to campus.
From here, you will want to log into a CS lab machine and do:
- Plug in the USB drive
- If it does not auto-mount, open a file manager and open the USB device to view its contents.
- In a terminal, run
df -hT
to find the full path to your mounted USB drive.
- Append the key from the drive to your authorized keys:
cat /media/yourusername/directory/id_rsa.pub >> ~/.ssh/authorized_keys
(Replace the /media/yourusername/directory path with your real USB drive's mount point path)
- Set the permissions on the directory and file:
chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys
- If step #5's command gives any errors, please submit a helpreq.
- Safely unmount/eject your USB drive.
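The manual one-liner and the USB steps above both append a key to authorized_keys and then fix permissions; the shell function below, an added example rather than the FAQ's own command, does the same but can be run repeatedly without duplicating the key and refuses input that is not a public-key line. It assumes a POSIX shell with awk; the optional home_dir argument is this example's addition so it can be exercised outside your real home directory.

```shell
# Added example, not the FAQ's own command: what the manual method and the USB
# steps do (append the key to authorized_keys, fix permissions), made safe to
# re-run: a key already present is not appended twice, and anything that is not
# a public-key line (for example a private key copied by mistake) is refused.
# Run it on the machine you are logging in to.
# Usage: install_pubkey id_rsa.pub [home_dir]   (home_dir defaults to $HOME)
install_pubkey() {
  pubkey_file=$1
  home_dir=${2:-$HOME}
  ssh_dir="$home_dir/.ssh"
  auth_keys="$ssh_dir/authorized_keys"

  # A public key line is "<type> <base64 blob> [comment]"; check the type field.
  key_line=$(head -n 1 "$pubkey_file") || return 2
  case $key_line in
    "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-"*|"sk-"*) ;;
    *) echo "refusing $pubkey_file: not an OpenSSH public key line" >&2; return 2 ;;
  esac

  # umask 0077 makes the new directory and file private from the start,
  # exactly as the FAQ's manual one-liner does.
  ( umask 0077 && mkdir -p "$ssh_dir" && touch "$auth_keys" ) || return 1

  # Compare type and blob only, so a different comment does not create a duplicate.
  key_id=$(printf '%s\n' "$key_line" | awk '{ print $1, $2 }')
  if awk -v id="$key_id" '($1 " " $2) == id { found = 1 } END { exit !found }' "$auth_keys"; then
    echo "already present in $auth_keys"
  else
    printf '%s\n' "$key_line" >> "$auth_keys"
    echo "added key to $auth_keys"
  fi
  chmod 700 "$ssh_dir" && chmod 600 "$auth_keys"
}
```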
Using ssh-agent (optional)
ssh-agent is a program included in OpenSSH that will remember your SSH key and not require you to type its passphrase each time you use SSH. Your desktop environment on HOME should start up ssh-agent when you log in.
- To add your SSH key to the agent, simply type:
ssh-add
- Type in your SSH key's passphrase and you're good to go!
You won't need to type in your passphrase any longer. Once you log out ssh-agent will be killed and you will need to repeat the above process the next time you log in.
Disable password logins
In order to disable password logins, you will need to edit the /etc/ssh/sshd_config file on the CSRES machine itself and reload the SSH daemon. Note that you will need sudo or root permissions to do this.
- Using your preferred editor, edit your /etc/ssh/sshd_config and add the following options at the end, but BEFORE any lines that start with 'Match':
PasswordAuthentication no
ChallengeResponseAuthentication no
UseDNS yes
Match Host *.cs.utexas.edu,*.csres.utexas.edu,wireless*public.utexas.edu,*.vpn.utexas.edu
PasswordAuthentication yes
- Once the options have been modified, you will need to reload the SSH daemon on your Linux machine (you do not need to reload anything on a Mac):
- For Ubuntu-based distributions:
systemctl reload ssh
- For Red Hat-based distributions:
systemctl reload sshd
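Since directives after the first Match line apply only inside that block, placing the new options in the wrong spot silently leaves password logins enabled. The awk-based checker below is an added example (not part of the FAQ or of OpenSSH) that confirms PasswordAuthentication no and ChallengeResponseAuthentication no (or its newer name, KbdInteractiveAuthentication) sit in the global section; the two sample configs are constructed for the demonstration.

```shell
# Added example, not part of the FAQ: sanity-check an sshd_config before reloading.
# Everything after the first "Match" line is scoped to that block, so the global
# "PasswordAuthentication no" (and the ChallengeResponseAuthentication /
# KbdInteractiveAuthentication "no", which otherwise leaves PAM's keyboard-interactive
# password prompt available) must come before it.
# Usage: check_sshd_config /etc/ssh/sshd_config   (reads stdin when no file is given)
check_sshd_config() {
  awk '
    /^[[:space:]]*#/ || NF == 0 { next }              # skip comments and blank lines
    { key = tolower($1); val = tolower($2) }
    key == "match" { in_match = 1; next }
    key == "passwordauthentication" && val == "no" {
      if (in_match) scoped_pw = 1; else global_pw = 1
    }
    (key == "challengeresponseauthentication" || key == "kbdinteractiveauthentication") \
      && val == "no" && !in_match { global_cr = 1 }
    END {
      rc = 0
      if (!global_pw) {
        rc = 1
        if (scoped_pw) print "WARNING: PasswordAuthentication no appears only after a Match line; it is not global"
        else print "WARNING: no global PasswordAuthentication no (the default is yes)"
      }
      if (!global_cr) { rc = 1; print "WARNING: keyboard-interactive (challenge-response) auth not disabled globally" }
      if (rc == 0) print "OK: password and keyboard-interactive logins disabled globally"
      exit rc
    }' "${1:--}"
}

# Constructed samples: the layout the FAQ asks for, and the same lines mistakenly
# placed after the Match block.
good_config() {
  cat <<'EOF'
# global section
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UseDNS yes
Match Host *.cs.utexas.edu,*.csres.utexas.edu
    PasswordAuthentication yes
EOF
}
bad_config() {
  cat <<'EOF'
Match Host *.cs.utexas.edu,*.csres.utexas.edu
    PasswordAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF
}
```

Try it with good_config | check_sshd_config and bad_config | check_sshd_config before pointing it at the real file; a non-zero exit means the file needs fixing before you reload.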
Additional information
- [1] If you choose not to use the recommended location for your private key, you will need to specify its location in either your ssh command (with -i) or after your ssh-add command if using ssh-agent.
- [2] This is not your CSRES_USER's password. The passphrase that you choose for your SSH key should be different from your CSRES_USER's password. See Selecting a strong password to learn how to choose a secure passphrase instead of a password.
- [3] When typing your passphrase, you won't see any output on your screen. This is normal and is for your security.
This is a small manual of iptables; I'll show some basic commands you may need to know to keep your computer secure.
Basic commands
List rules
This is going to list the default table, 'filter'.
Edit: You may prefer to use iptables -L -vn to get more information, and to see ports as numbers instead of names.
List rules in specific table
You can also list the other tables, like mangle, raw and security. You should consider reading a bit more about tables; you can do so in the Tables section of the iptables man page.
Delete all rules
Delete a specific table, like nat
Specify chain policies
iptables lets you configure default policies for chains in the filter table, where INPUT, FORWARD and OUTPUT are the main ones (or at least the most used). Users can even define new chains. These chains are better explained in this graph that comes from Wikipedia.
You can see the original image here
You can define the default policy as ACCEPT and then deny specific traffic, or define default policies as DROP and then open specific traffic to and/or from your box. The latter is more secure, but requires more work.
Block IP traffic from a specific IP or network
Block from an IP
If you want to block only on a specific NIC
Or a specific port
Using a network and not only one IP
Block traffic from a specific MAC address
Suppose you want to block traffic from a MAC address instead of an IP address. This is handy if a DHCP server keeps changing the IP of the machine you want to protect yourself from.
Block a specific port
If all you want is to block a port, iptables can still do it. And you can block incoming or outgoing traffic.
Block incoming traffic to a port
Suppose we need to block port 21 for incoming traffic:
But suppose you have a two-NIC server, with one NIC facing the Internet and the other facing your local private network, and you only want to block FTP access from the outside world.
In this case I'm assuming eth1 is the one facing the Internet.
You can also block a port from a specific IP address:
Or even block access to a port from everywhere but a specific IP range.
Block outgoing traffic to a port
If you want to forbid outgoing traffic to port 25: this is useful in the case where you are running a Linux firewall for your office and want to stop viruses from sending emails.
I'm using FORWARD, as in this example the server is a firewall, but you can use OUTPUT too, to also block the server's own traffic.
Log traffic, before taking action
If you want to log the traffic before blocking it: for example, there is a rule in an office where all employees have been told not to log into a given server, and you want to be sure everybody obeys the rule by blocking access to the ssh port, but at the same time you want to find the one who tried it.
You will be able to see which IP tried to access the server, though of course it couldn't get in.
Tips and Tricks
Because iptables executes the rules in order, if you want to change something you need to insert the rule at the specific position, or the desired effect is not going to be achieved.
List rules with numbers
This is going to list all your rules with numbers preceding them. Determine where you want the inserted rule and write:
List specific chains
Will list all INPUT rules.
Will list all OUTPUT rules.
Insert rules
That is going to add a rule at position 3 of the 'array'.
Delete rules
That is going to remove the rule inserted above. You can also remove it by matching it.
Delete/flush all rules and chains
These steps are very handy if you want to start with completely empty and default tables:
NOTE: do not execute these rules if you are connected via ssh or something similar; you may get locked out.
Simple scripts for specific needs
How to stop brute force attacks
You can also use iptables to stop brute force attacks on your server, for example: allow only three attempts to log in through ssh before banning the IP for 15 minutes. This should let legitimate users log in to the servers, but bots will not be able to. Remember to always use strong passwords.
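The rules the "Log traffic, before taking action" and "How to stop brute force attacks" sections describe (log then drop SSH from a network, and three new SSH connections before a 15-minute ban), written out as an added example that is not the manual's own text. It uses the conntrack, limit and recent match modules of iptables; port 22, the log prefix and the DRY_RUN switch are this example's choices.

```shell
# Added example, not the manual's own rules. Needs root to apply; set DRY_RUN=1
# to print the iptables commands instead of executing them.
run() { if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Log, then drop, new SSH connections from the network in $1 (e.g. 10.1.1.0/24).
# LOG is a non-terminating target, so the DROP rule must follow it; the limit
# match keeps one noisy host from flooding syslog while DROP still applies.
log_and_drop_ssh() {
  run iptables -A INPUT -s "$1" -p tcp --dport 22 -m conntrack --ctstate NEW \
      -m limit --limit 5/min -j LOG --log-prefix "ssh-denied: " --log-level warning
  run iptables -A INPUT -s "$1" -p tcp --dport 22 -j DROP
}

# Record every new SSH connection per source address (--set), then drop the
# fourth and later ones seen within 900 s (15 min). Because --update refreshes
# the timestamp on each hit, the ban lasts until the source has been quiet for
# 900 s. Established sessions are not touched (they are not --ctstate NEW).
limit_ssh_attempts() {
  run iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
      -m recent --name SSH --rsource --set
  run iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
      -m recent --name SSH --rsource --update --seconds 900 --hitcount 4 -j DROP
}

# Order matters in INPUT: put the rate limit first so the log/drop rule for the
# forbidden network is reached only by traffic the limiter has not already dropped.
apply_ssh_policy() {
  limit_ssh_attempts
  log_and_drop_ssh "${1:-10.1.1.0/24}"
}
```

Run DRY_RUN=1 sh -c '. ./this_file; apply_ssh_policy' first to review the four rules, and check them with iptables -L INPUT -vn --line-numbers after applying.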
How to NAT with iptables
iptables is also very useful to configure NAT routers: a Linux machine can act as a router and share its public IP with a private network behind it. It is also useful to configure the DHCP server on the same machine. To configure a NAT router you will be better off with a server with two NICs; let's suppose you have:
- eth0: 12.13.14.15
- eth1: 10.1.1.1
Now configure NAT to forward all traffic from the 10.1.1.0 network through eth0's IP. You may want to empty all tables and start with fresh chains and tables (see how above).
That is it; you only have to enable kernel forwarding now:
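As an added example, not the manual's own commands, the NAT router for the two-NIC setup above (eth0 public, eth1 on 10.1.1.0/24), including the kernel forwarding step: MASQUERADE on eth0, a FORWARD chain that only passes LAN-originated flows and their replies, and sysctl to turn forwarding on. The interface names and prefix come from the text; the argument defaults and the DRY_RUN switch are this example's conventions.

```shell
# Added example, not the manual's own commands. Needs root to apply; set
# DRY_RUN=1 to print the commands instead of executing them.
run() { if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# configure_nat [wan_if] [lan_if] [lan_prefix]; defaults match the text's setup.
configure_nat() {
  wan=${1:-eth0} lan=${2:-eth1} lan_net=${3:-10.1.1.0/24}

  # Rewrite the source address of LAN packets leaving eth0 to eth0's own address;
  # conntrack undoes the rewrite for the replies.
  run iptables -t nat -A POSTROUTING -s "$lan_net" -o "$wan" -j MASQUERADE

  # Forward only flows that start on the LAN plus their return traffic. With the
  # FORWARD policy at DROP, nothing on the Internet can initiate a connection
  # into 10.1.1.0/24 through the router.
  run iptables -P FORWARD DROP
  run iptables -A FORWARD -i "$lan" -o "$wan" -s "$lan_net" -j ACCEPT
  run iptables -A FORWARD -i "$wan" -o "$lan" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

  # Finally let the kernel route between the two interfaces. This setting is
  # lost on reboot; put net.ipv4.ip_forward = 1 in /etc/sysctl.conf to keep it.
  run sysctl -w net.ipv4.ip_forward=1
}
```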