Port-forward-only, key-based, chrooted SSH access without a shell for the user (64-bit)
/etc/ssh/sshd_config:
...
Match user USER
PasswordAuthentication no
AllowTcpForwarding yes
X11Forwarding no
PermitTunnel no
GatewayPorts no
AllowAgentForwarding no
ChrootDirectory /home/USER

But if the client requests a login shell, this fails.

You could tell the client not to request a login shell:

ssh -N -L2222:IP:22 USER@SERVER

putty: SSH / Protocol Option enable "Don't start a shell or command at all"

or use your own login shell, in which the user can only press Return to disconnect:

sudo useradd USER -d /home/USER -s /bin/bash
sudo mkdir /home/USER
sudo chown USER:USER /home/USER
sudo su USER
cd
touch .hushlogin (used to suppress the MOTD)
mkdir .ssh
chmod 0700 .ssh
cd .ssh
ssh-keygen -t rsa -b 4096
mv id_rsa.pub authorized_keys
exit
sudo passwd -d USER
sudo chown root:root /home/USER (for sshd chroot)
sudo cp own_loginshell /home/USER/

Move /home/USER/.ssh/id_rsa out to your test account (the private key must not stay in the chroot) and test with "ssh -i id_rsa USER@IP"

I had some trouble with the chrooted environment:


/etc/passwd USER:x:ID:ID::/home/USER:/own_loginshell

.hushlogin does NOT work and the MOTD with the last login is shown!
pam.d/sshd runs all scripts in /etc/update-motd.d.

Solution: move .hushlogin to /home/USER/home/USER (the path the home directory resolves to once sshd has chrooted into /home/USER)

To hide the MOTD and avoid delays at login, we can add an exception in pam.d/sshd for our user USER:

session [default=2 success=ignore] pam_succeed_if.so quiet user != USER

before

session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate

/etc/passwd USER:x:ID:ID::/:/own_loginshell

.hushlogin works, but before sshd does the chroot it checks the key against
authorized_keys relative to our home directory (which is / for the chroot), so we need to

add "AuthorizedKeysFile /home/USER/.ssh/authorized_keys" to sshd_config

Compiling


On 64-bit there is a difference from 32-bit; in my experiments I compiled with

gcc -s -Os -nostdlib -ffreestanding own_loginshell.c -o own_loginshell

#> chroot /ROOTDIR ./own_loginshell
chroot: failed to run command ‘./own_loginshell’: No such file or directory

With

#> strace chroot /ROOTDIR ./own_loginshell

you only see

execve("./own_loginshell", ["./own_loginshell"], 0x7fff17d94fe8 /* 24 vars */) = -1 ENOENT (No such file or directory)

But with the help of "readelf -l own_loginshell" you see

[Requesting program interpreter: /lib64/ld-linux-x86-64.so.2]

You have to copy /lib64/ld-linux-x86-64.so.2 to CHROOT/lib64/

Or compile with "-static", so that no program interpreter is needed inside the chroot.

own_loginshell.c:
/*
simple program to print to stdout and read from stdin without libc for x86-64

taken from https://hero.handmade.network/forums/code-discussion/t/861-compiling_without_libc_on_linux

gcc -s -Os -nostdlib -ffreestanding -static own_loginshell.c -o own_loginshell
*/

#include <stddef.h>
#include <syscall.h>

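/*
 * Terminate the process via the raw exit(2) syscall (no libc available).
 *
 * code: exit status handed to the kernel. It is passed in rdi ("D"
 *       constraint), the first syscall argument; the original version
 *       never loaded it, so the status the parent saw was whatever
 *       happened to be in rdi.
 *
 * Never returns. rcx and r11 are overwritten by the syscall instruction
 * itself, which is why they are in the clobber list.
 */
__attribute__((noreturn))
static void exit(int code)
{
    __asm__ __volatile__(
        "syscall"
        :
        : "a"(__NR_exit), "D"(code)
        : "cc", "rcx", "r11", "memory");
    __builtin_unreachable(); /* the kernel does not return from exit */
}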

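/*
 * Raw write(2) syscall wrapper (no libc available).
 *
 * fd:   destination file descriptor
 * buf:  bytes to write
 * size: number of bytes to write
 *
 * Returns the number of bytes written, or a negative errno value on
 * error (for example -EINVAL). The result is returned as long, the
 * width of rax, so a large byte count is not truncated to int.
 * rcx and r11 are overwritten by the syscall instruction itself.
 */
static long write(int fd, const void *buf, size_t size)
{
    long result;
    __asm__ __volatile__(
        "syscall"
        : "=a"(result)
        : "0"(__NR_write), "D"(fd), "S"(buf), "d"(size)
        : "cc", "rcx", "r11", "memory");
    return result;
}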

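/*
 * Raw read(2) syscall wrapper (no libc available).
 *
 * fd:   source file descriptor
 * buf:  buffer that receives the bytes
 * size: capacity of buf in bytes
 *
 * Returns the number of bytes read (0 at end of file), or a negative
 * errno value on error. Returned as long, the width of rax, so a large
 * byte count is not truncated to int.
 * rcx and r11 are overwritten by the syscall instruction itself.
 */
static long read(int fd, char *buf, size_t size)
{
    long result;
    __asm__ __volatile__(
        "syscall"
        : "=a"(result)
        : "0"(__NR_read), "D"(fd), "S"(buf), "d"(size)
        : "cc", "rcx", "r11", "memory");
    return result;
}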

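/*
 * Process entry point. The binary is linked with -nostdlib, so there is
 * no crt and no main(): this is the whole "login shell". It prints a
 * prompt, blocks until one byte (or EOF/error) arrives on stdin, and
 * then terminates the process — the user can do nothing but disconnect.
 *
 * force_align_arg_pointer: the kernel enters _start with a 16-byte
 * aligned stack, whereas an ordinary C function expects the stack to
 * have been 16-byte aligned *before* the return address was pushed.
 * Without realignment the compiler may emit aligned SSE stores for
 * locals and fault.
 */
__attribute__((force_align_arg_pointer))
void _start(void)
{
    static const char prompt[] = "press enter to close connection";
    char key;

    /* 1 = stdout. If the prompt cannot be written the connection is
     * already gone and there is nothing to wait for. */
    if (write(1, prompt, sizeof(prompt) - 1) < 0)
        exit(1);

    /* 0 = stdin. Any byte, EOF or error ends the session. */
    read(0, &key, 1);

    exit(0);
}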


ssh otp 
Install oathtool.
sudo apt-get install oathtool libpam-oath

Generate a secret.
export HEX_SECRET=$(head -10 /dev/urandom | md5sum | cut -b 1-30)

Generate the TOTP details, 6 digits long.
oathtool --verbose --totp $HEX_SECRET

Enter the base32 secret in Android FreeOTP.

Create and populate the /etc/security/users.oath file.
sudo bash -c "echo HOTP/T30 $USER - $HEX_SECRET >> /etc/security/users.oath"
sudo chmod 0600 /etc/security/users.oath

Forget the secret!
unset HEX_SECRET

Prefix /etc/pam.d/sshd with the line below (note: `sufficient` means a valid OTP alone satisfies PAM; use `required` if the OTP is meant as a second factor in addition to the password):
auth sufficient pam_oath.so usersfile=/etc/security/users.oath window=10 digits=6

Allow this in sshd and restart.
sudo sed -Ei -e 's/(ChallengeResponseAuthentication) no/\1 yes/' /etc/ssh/sshd_config
sudo service ssh restart

Test with
ssh localhost

You should see:
One-time password (OATH) for `USER':

To skip OTP for some users, prefix /etc/pam.d/sshd with:
auth [success=1 default=ignore] pam_succeed_if.so user in user1:user2


mtp mount Galaxy S3 with jmtpfs or simple-mtpfs 
kio-mtp and mtp-detect stopped working :-(

But jmtpfs seems to work - I decided to mount on USB plug-in with a udev rule:
#> apt-get install jmtpfs
#> mkdir -p /media/mtp
/etc/udev/rules.d/99-jmtpfs.rules
ACTION=="add", ENV{ID_MTP_DEVICE}=="1", RUN="/usr/bin/jmtpfs -o allow_other /media/mtp"
ACTION=="remove", ENV{ID_MTP_DEVICE}=="1", RUN="/bin/fusermount -u /media/mtp"


simple-mtpfs is a little faster, but you have to compile it yourself:

apt-get install libusb-dev libmtp-dev

git clone https://github.com/phatina/simple-mtpfs.git
cd simple-mtpfs
./autogen.sh
mkdir build && cd build
../configure --prefix=/usr
make
sudo make install

/etc/udev/rules.d/99-simple-mtpfs.rules
ACTION=="add",ENV{ID_MTP_DEVICE}=="1",RUN="/usr/bin/simple-mtpfs -o allow_other /media/mtp"
ACTION=="remove", ENV{ID_MTP_DEVICE}=="1", RUN="/bin/fusermount -u /media/mtp"



hostap with a wifi usb stick on demand 
After a Wi-Fi USB stick is plugged in, Linux acts as a host AP.

apt-get install isc-dhcp-server hostapd

Changes in /etc/hostapd/hostapd.conf (note: TKIP is a legacy cipher; prefer CCMP alone if all clients support it):
interface=wlan0
driver=nl80211
ssid=MYSSID
country_code=AT
ieee80211d=1
hw_mode=g
channel=11
beacon_int=1000
dtim_period=20
ieee80211n=1
wpa=2
wpa_passphrase=MYPASSPHRASE
wpa_pairwise=TKIP CCMP

/etc/network/interfaces
iface wlan0 inet static
address 192.168.9.1
netmask 255.255.255.0
hostapd /etc/hostapd/hostapd.conf
up iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
up /etc/init.d/isc-dhcp-server restart
down iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
down killall hostapd

First check the vendor and product ID with lsusb:

/etc/udev/rules.d/local.rules
ACTION=="add", SUBSYSTEMS=="usb", ATTRS{idVendor}=="148f", ATTRS{idProduct}=="3070", \
RUN+="/sbin/ifup wlan0"
ACTION=="remove", SUBSYSTEM=="net", KERNEL=="wlan0", RUN+="/sbin/ifdown wlan0"

At boot this does not work for me, so I start the host AP from

/etc/rc.local
lsusb | grep -q "148f:3070" && /sbin/ifup wlan0



transcode a mjpeg ip cam on demand with a cgi script using ffmpeg 
To minimize bandwidth for video streaming I have to transcode MJPEG to H.264.
To do this on demand, ffserver is not an option for me.
So a small CGI script on the web server using ffmpeg did the trick:

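#!/bin/bash
# CGI script: transcode the camera's MJPEG stream to H.264 in an AVI
# container and stream it to the client for as long as the request lasts.
# The transcoder runs in the background so the trap below can stop it
# when the web server tears this process down.

# CGI header; the trailing \n yields the blank line that ends the header block.
echo -e "Content-type: video/avi\n"

# ffmpeg equivalent of the avconv invocation below:
#ffmpeg -an -analyzeduration 0 -f mjpeg -r 8 -i http://IP_CAM:PORT \
# -c:v libx264 -preset ultrafast -r 8 -threads 2 -b:v 150k -f avi - 2>/dev/null &

avconv -an -analyzeduration 0 -f mjpeg -r 8 -i http://IP_CAM:PORT \
-c:v libx264 -pre ultrafast -r 8 -threads 2 -b:v 150k -f avi - 2>/dev/null &
pid=$!

# Stop the transcoder on every way out (server SIGTERM, closed client pipe,
# hang-up, interrupt, or our own exit) so it never outlives this request.
# kill's error output is silenced for the case where avconv already ended.
trap 'kill "$pid" 2>/dev/null' SIGTERM SIGPIPE SIGHUP SIGINT EXIT
wait "$pid"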

