How To: Run a Command Quickly on Remote Server using SSH

Linux "Cluster"

When working in a clustered Linux environment containing two or more servers, it is not uncommon to switch back and forth between the hosts. Even if it’s running one command.

SSH is a powerful tool, it can do allot more than act as remote shell or tunnel traffic. One of those features is sending a command string to the server and fetching the output.

Assuming that you have access and privileged user on the remote server, the command works as follows

Example:
~$ ssh user@gamma.example.com "netstat -tulpna|grep -i established"
user@gamma.example.com's password: *****
...Output...

For an even more awesome experience, consider authenticating using ssh-key’s.

How To: TOTP 2FA Linux SSH Using Google-Authenticator

Lock Tux

Using only a username and password for authentication is no longer secure. With user-database dumps reaching millions of exposed, albeit hashed and salted, passwords. Secure authentication should include not only something you know, but also something you have (in your pocket… always).

There have been several OTP and general 2FA solutions for Linux. From SMS (Text-me-a-password) to Yubikeys. There exists a Free (so far) TOTP (Time-Based One Time Password) solution from Google, called Google Authenticator.

Google Authenticator for iOS

It uses an App called Authenticator for iOS (and Android i presume) to “show” you the tokens, who live for 30 seconds each. There exists an even more awesome package for Debian and Ubuntu called google-authenticator, which allows you to easily set it up! The package also includes the necessary PAM module.

I have made the following steps on a Raspberry Pi, running Raspian.

  1. Install Google Authenticator
    pi@awesomebox ~ $ sudo apt-get install libpam-google-authenticator
  2. Run Google Authenticator
    pi@awesomebox ~ $ google-authenticator
    Do you want authentication tokens to be time-based (y/n) y
    ...BIG
    ......FANCY
    .........QR-CODE
    Your new secret key is: ZZZZZZZZZZZZZZZZ
    Your verification code is 123456
    Your emergency scratch codes are:
    11111111
    22222222
    33333333
    44444444
    55555555
  3. Scan the QR-CODE on screen with the Authenticator App
    Scanning...
  4. Answer yes (y)
    Do you want me to update your "/home/pi/.google_authenticator" file (y/n) y
    Do you want to disallow multiple uses of the same authentication token? (y/n) y
    By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. Do you want to do so (y/n) y
    Do you want to enable rate-limiting (y/n) y
  5. Add PAM module
    pi@awesomebox ~ $ sudo echo "auth required pam_google_authenticator.so" >> /etc/pam.d/sshd
  6. Enable “Challenge-Response Authentication” in SSH
    pi@awesomebox ~ $ sudo vi /etc/ssh/sshd_config
    Change entry ChallengeResponseAuthentication from no to yes.
  7. Restard SSH
    pi@awesomebox ~ $ service ssh restart
  8. Test it out
    Open up a new terminal window and ssh to your box as you normally would
    user@lazybox ~ $ ssh pi@awesomebox
    Password: [Enter password]
    Verification code: [Enter TOTP-token from App]

Happy TOTP-ing :)

How to: Mount remote storage using sshfs

Mount SSHFS

For me, SSH has replaced three very flaky protocols. Telnet (true story) for an networked shell, FTP handling simple file transfers and finally NFS mounting network attached storage.

SSH provides the -encrypted- networked shell, handles simple file transfers using SCP or SFTP, and has the power to mount filesystems using SSHFS. All in one protocol!

Here’s how:
~$ sshfs USER@HOST:DIR mountpoint [options]

  • USER Remote user
  • HOST Remote host
  • DIR Remote directory to mount
  • mountpoint Local mountpoint

Example options:

  • -p PORT Specify alternate port to use
  • -C Enable compression
  • -F FILE Specify alternate ssh config file

sshfs is available on most Linux package repositories and can also be found on the fuse project page: http://fuse.sourceforge.net/sshfs.html

Happy Mounting!

How To: Avoid password theft, Faceraping, Email hijacks etc. On public networks

Network SendHas your email been blacklisted? Does your forum-posts suddenly contain nothing but kittens? Did your relationship status become same-sex over night? Well, physical access to your box may be the answer to most of these scenarios. But everything you send on public wire, in plain-text that is, has the potential to be sniffed out or otherwise phished if you are careless.

Here are a few tips in avoiding disaster:

* SSL/TLS
Encrypt, encrypt, encrypt and make sure the certificate in question is properly signed – its mandatory. Wether if its web, email or chat. Most online services today allow an encrypted alternative and that includes popular services like Google, Facebook and Twitter. Just be on the lookout for https:// and not plain http:// in the address-bar. Never trust a pretty “Lock Icon”, those can be injected onto the session while SSL is being striped out, in an attempt to fool the user.

Secure Address-Bar

The same mindset applies to SMTP/IMAP/POP3-email and various chat protocols. Enable, if any, SSL option that is available. For email, the default SSL port numbers are as follows: 993 for IMAP(S), 995 for POP3(S) and 465 for SMTP(S). The port number may vary depending on your email provider.

* SSH Tunnel
When encrypted alternatives are not available, or doesn’t exist, an SSH-tunnel can be used. Simply, tunnel the traffic through an encrypted SSH-session and relay it through the trusted network where the SSH-server is located. I have a tutorial on how to do just that, complete with syntax and resources required here: http://peppoj.net/2012/10/tunnel-http-traffic-encrypted-using-polipo-and-ssh/.

* BYOIC (Bring Your Own Internet Connection)
If all else fails and trust is an issue, avoid public networks completely and use your own connection. If you already made the leap to the new generation and bought a smartphone with a generous dataplan, why not use it? Most smartphones today (and some older devices I’ve seen) allow tethering to computers and other devices. Simply enable tethering, hock it up and mess with the network settings on your host.

Disclaimer:
None of the tips above will protect you from Phishing, or otherwise plain fraudulent websites. Use you’re brain.

Feedback welcome