38 Matching Annotations
  1. May 2020
    1. You want to execute SSH commands from the build environment to a remote server You want to rsync files from the build environment to a remote server If anything of the above rings a bell, then you most likely need an SSH key.
    1. There is a serious weakness in DSA (which extends to ECDSA) that has been exploited in several real world systems (including Android Bitcoin wallets and the PS3); the signature algorithm relies on quality randomness (bits that are indistinguishable from random); once the PRNG enters a predictable state, signatures may leak private keys. Systems that use ECDSA must be aware of this issue, and pay particular attention to their PRNG.
  2. Apr 2020
  3. Jan 2020
    1. ssh doesn't let you specify a command precisely, as you have done, as a series of arguments to be passed to execvp on the remote host. Instead it concatenates all the arguments into a string and runs them through a remote shell. This stands out as a major design flaw in ssh in my opinion... it's a well-behaved unix tool in most ways, but when it comes time to specify a command it chose to use a single monolithic string instead of an argv, like it was designed for MSDOS or something!
    1. git -c core.sshCommand="ssh -vvv" pull

      This seems like the most reliable and direct way to enable debugging of the ssh connection (authentication, etc.) used by a git command.

    1. Once the number of unauthenticated connections goes over the sshd:MaxStartUps parameter, sshd starts rejecting those connections. So preferably increase the MaxStartups in sshd_config
    2. maybe the server is getting brute-forced some way. so the ssh connections are in use this way. In this case MaxStartups would only lead to more bandwith usage and higher server load. You should think about a non default port in high port range and something like fail2ban
  4. Dec 2019
    1. I discovered that remote shells are treated differently. While non-interactive Bash shells don’t normally run ~/.bashrc commands at start-up, a special case is made when the shell is Invoked by remote shell daemon:
    1. An ssh public key in a ~/.ssh/authorized_keys file can have a command="" option which forces a particular command to be executed when the key is used to authenticate an ssh connection. This is a security control that mitigates against private key compromise. This is great when you only need to execute a single command. But if you need to perform multiple tasks, you would normally need to create and install a separate key pair for each command, or just not bother making use of forced commands and allow the key to be used to execute any command.
    1. The IdentitiesOnly yes is required to prevent the SSH default behavior of sending the identity file matching the default filename for each protocol. If you have a file named ~/.ssh/id_rsa that will get tried BEFORE your ~/.ssh/id_rsa.github without this option.
    1. Add a ProxyJump option and corresponding -J command-line flag to allow simplified indirection through a one or more SSH bastions or "jump hosts".
    1. echo "from="${MYIP%% *}",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="rsync ${SSH_ORIGINAL_COMMAND#* }" $(ssh-keygen -yf ~/.ssh/rsync_rsa)" | ssh targetserver "cat - >>~/.ssh/authorized_keys" Note that the ‘command=’ restriction (http://larstobi.blogspot.ch/2011/01/restrict-ssh-access-to-one-command-but.html) will not apply if ‘/etc/sshd_config’ has already a ‘ForceCommand’ directive.
    1. Just for the record newer versions of ssh support the -W option, you can do something like ProxyCommand ssh -W %h:%p gateway instead of depending on nc
    1. In today's cruel networked world, we're too often hampered behind (evil) company proxies that restricts how we can use the internet while at work, at a customers' place or even in some cases while at home or at friends'. Not only do proxies restrict what you can do, what protocols that are accepted, what sites you can visit and what TCP ports that are let through, it also allows your company or friend to log and supervise you.
  5. Mar 2019
    1. Hashicorp Vault: One-Time Password para SSH

      Está aí um assunto sob o qual quero aprender! Não é explicitamente coberto pelos tópicos de certificação DevOps, mas dá uma olhada nos assuntos cobrindo ssh e security (procura também por vault em https://wiki.lpi.org/wiki/DevOps_Tools_Engineer_Objectives_V1).

  6. Dec 2018
  7. Nov 2018
    1. rsync -azvvP /home/path/folder1/ /home/path/folder2

      Or the case with remotes:

      rsync -azvvP /full/path/source_folder_or_file username@remotehost:/full/path/target_folder_or_file

  8. Oct 2018
  9. Jan 2018
  10. Nov 2017
  11. Jul 2017
  12. Apr 2016