/ Andreas | System administrator / » ssh

/etc/init.d/autossh_tunnel.foo

Andreas — Wed, 27 Aug 2008 17:56:46 +0000

Autossh is a nice way to keep a ssh connection alive. This is especially useful when it comes to ssh tunnels. To make things even more automagicial I have now written the init script template autossh_tunnel.foo.

A few import facts regarding the script:

Autossh 1.4 or later is required. Earlier versions of autossh doesn’t handle PID-files.
The init script is based on the start-stop-daemon. Hence it will probably only work on Debian, Ubuntu and similar systems.
There is no way to enter a password. A setup based on ssh-keys or similar is required.
Autossh doesn’t handle every kind of ssh problem. Because of that it is possible for the initial connection to fail without the init script knowing about it.

This is by the way my first real init script. Any feedback on it would be greatly appreciated.

Debian – Ubuntu, S/Key and OPIE

Andreas — Sat, 31 May 2008 11:12:30 +0000

Been looking for a simple way to enabling S/Key support in Linux. Once I found out the magical keyboards being OPIE and PAM it became almost trivial to allow ssh-logins using One Time Passwords (OTP).

The following instructions are specifically written to apply on Debian and Ubuntu. On a general note the concept should work on any Linux system using OpenSSH and PAM.

First of all you should install the package opie-server. It will give you the necessary PAM-module and some accompanying tools.

Now edit /etc/pam.d/ssh, remove (comment) the inclusion of common-auth, and add these lines.

auth       sufficient pam_unix.so
auth       sufficient pam_opie.so
auth       required pam_deny.so

If you only want allow OTP-logins; this line will do.

auth required pam_opie.so

Next it’s time to edit /etc/ssh/sshd_config.

ChallengeResponseAuthentication yes

That’s it. Restart your sshd and it will be ready to accept OTP-logins. To initialize a user; run opiepasswd (equivivalent of keyinit). Responses are generated using opiekey.

Client-side it’s usually enough to install the package opie-client.

line_removal.pl (known_hosts)

Andreas — Thu, 15 May 2008 23:35:10 +0000

Manually removing entries from your known_hosts doesn’t take my of an effort. Still, it’s something you can grow tired of. Especially so after resent events (DSA-1571). That is why I’ve now written my very own line_removal.pl script.

Basically you feed the script one or more line numbers. Corresponding lines in your ~/.ssh/known_hosts will then be deleted.

andreas@leto:~$ ./line_removal.pl 22
Removing line #22 from /home/andreas/.ssh/known_hosts

andreas@leto:~$ ./line_removal.pl 3 37 29
Removing line #37 from /home/andreas/.ssh/known_hosts
Removing line #29 from /home/andreas/.ssh/known_hosts
Removing line #3 from /home/andreas/.ssh/known_hosts

To be honest I really don’t know if I’ll ever use this script against more than one line at a time. Somehow it still seemed wrong not to support the option of feeding it multiple arguments.