A chronological documentation test project, nothing serious, really!

09 Jan 2008 SFTP in batch mode

This post describes how to use sftp in batch mode. If you don’t want to type in your password, read my SSH Without a Password post first.

Create a file named myCommands.sftp that contains the commands you want to run. My file looks like this:

# Change to your desired directory locally
lcd /data/Hattori
# Change to the desired directory on the remote server
cd /backup
# Transfer all remote files locally
get *
# We're done with this session
bye

Next, run the sftp session with the -b (batch file) option:

sftp -b myCommands.sftp example.com

That should be all that is necessary to download your files from the remote server.

This example could easily be extended with a crontab entry, since batch mode needs no interaction once key-based authentication is in place.


Posted by Hans-Henry Jakobsen

09 Jan 2008 SSH Without a Password

The following steps can be used to ssh from one system to another without specifying a password.
Notes:

  • The system from which the ssh session is started via the ssh command is the client.
  • The system that the ssh session connects to is the server.
  • These steps seem to work on systems running OpenSSH.
  • The steps assume that a DSA key is being used. To use an RSA key, substitute ‘rsa’ for ‘dsa’ throughout. (OpenSSH 7.0 and later disable DSA keys by default, so on a current system use an RSA or Ed25519 key instead.)
  • The steps assume that you are using a Bourne-like shell (sh, ksh or bash).
  • You should consider the security risks before implementing this feature: the private key has no passphrase, so anyone who obtains the file can log in as you.

Steps:

  1. On the client run the following commands:

     $ mkdir -p $HOME/.ssh
     $ chmod 0700 $HOME/.ssh
     $ ssh-keygen -t dsa -f $HOME/.ssh/id_dsa -P ''

     This should result in two files, $HOME/.ssh/id_dsa (private key) and $HOME/.ssh/id_dsa.pub (public key). The -P '' gives the key an empty passphrase, which is what makes the login non-interactive.

  2. Copy $HOME/.ssh/id_dsa.pub to the server.

  3. On the server run the following commands:

     $ cat id_dsa.pub >> $HOME/.ssh/authorized_keys2
     $ chmod 0600 $HOME/.ssh/authorized_keys2

  4. Depending on the version of OpenSSH the following commands may also be required:

     $ cat id_dsa.pub >> $HOME/.ssh/authorized_keys
     $ chmod 0600 $HOME/.ssh/authorized_keys

     An alternative is to create a link from authorized_keys2 to authorized_keys:

     $ cd $HOME/.ssh && ln -s authorized_keys2 authorized_keys

  5. On the client, test the result by ssh’ing to the server:

     $ ssh -i $HOME/.ssh/id_dsa server

  6. (Optional) Add the following to $HOME/.ssh/config on the client:

     Host server
     IdentityFile ~/.ssh/id_dsa

     This allows ssh access to the server without having to specify the path to the id_dsa file as an argument to ssh each time.
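As an added check (example code written for this page, not from the original post or from OpenSSH), the following POSIX shell function verifies that the files created by the steps above still carry the modes the steps set: 0700 on the .ssh directory and 0600 on the private key and on authorized_keys/authorized_keys2. sshd with StrictModes (the default) refuses keys from a group- or world-writable authorized_keys, so a drifted mode is the usual reason a passwordless login suddenly asks for a password again. It assumes GNU or BSD stat and takes the .ssh directory path as its argument.

```shell
#!/bin/sh
# Added example: check the permissions that the "SSH Without a Password"
# steps rely on. Exits non-zero if anything is off, so it can run from cron.

# Print the octal permission bits of a path (e.g. 700 or 600).
# GNU stat uses -c '%a'; BSD/macOS stat uses -f '%OLp'.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Succeed if "$1" exists and its mode is one of the space-separated
# modes in "$2"; otherwise print a diagnostic and fail.
check_mode() {
    path=$1; allowed=$2
    [ -e "$path" ] || { echo "missing: $path"; return 1; }
    m=$(mode_of "$path")
    for ok in $allowed; do
        [ "$m" = "$ok" ] && return 0
    done
    echo "bad mode $m on $path (want one of: $allowed)"
    return 1
}

# Check one .ssh directory (default: $HOME/.ssh):
#   0700 on the directory itself,
#   0600 (or read-only 0400) on any id_dsa / id_rsa private key,
#   0600 (or 0644) on authorized_keys and authorized_keys2 when present.
# Returns 0 only if every check passes.
check_ssh_dir() {
    dir=${1:-$HOME/.ssh}
    rc=0
    check_mode "$dir" "700" || rc=1
    for f in "$dir"/id_dsa "$dir"/id_rsa; do
        if [ -e "$f" ]; then check_mode "$f" "600 400" || rc=1; fi
    done
    for f in "$dir"/authorized_keys "$dir"/authorized_keys2; do
        if [ -e "$f" ]; then check_mode "$f" "600 644" || rc=1; fi
    done
    return $rc
}

# Stand-alone usage: sh check_ssh.sh /path/to/.ssh
if [ $# -gt 0 ]; then check_ssh_dir "$1"; fi
```

Run it on the server's account after step 3 and on the client after step 1; a non-zero exit names the offending path and mode.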


    Posted by Hans-Henry Jakobsen

20 Dec 2007 Limit ssh access by MAC-address using iptables

This is a simple iptables rule to allow ssh access from a specific MAC address:

iptables -A INPUT -p tcp --destination-port 22 -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT

This is a nice rule to allow only your laptop ssh access to your servers no matter what IP address you may have while you are on the road. You do of course need to replace XX:XX:XX:XX:XX:XX with your actual MAC address. Two caveats: the mac match only sees the source address of the Ethernet frame as it arrives at the server, so it only identifies the laptop when the laptop is on the same network segment (across a router the server sees the router's MAC), and a MAC address is easy to change, so treat this as a convenience rather than as authentication. Also, on its own this rule only adds an ACCEPT; to actually limit access, the INPUT chain must also drop or reject other traffic to port 22 after it.

After allowing this rule you should keep an eye on your laptop :)


Posted by Hans-Henry Jakobsen

07 Dec 2007 Run X programs through ssh

An easy way to run X programs from a remote host and display them on your local Linux installation is to connect to the host via ssh using the -Y switch. Note that -Y enables trusted X11 forwarding, which gives the remote programs full access to your local X display; -X (untrusted forwarding) applies the X security extension restrictions instead, at the cost of some programs not working.

For instance, if you would like to run up2date in graphical mode on a remote machine that doesn’t have X installed, this is a great way of doing it.

On your local host:

ssh -Y remote_machine_name.com

When you have successfully connected to the remote host, start the up2date command:

up2date

Soon after you will get the up2date windows on your local linux machine.

The sshd on the remote machine must have the X11Forwarding directive enabled. This is set in its /etc/ssh/sshd_config file:

X11Forwarding yes

The command you run can be anything else, for instance xterm.


Posted by Hans-Henry Jakobsen

28 Nov 2007 Deny SSH- but allow SFTP access

This is an alternative to the way of limiting SSH access to SFTP only that is explained in my How to restrict users to SFTP only instead of SSH post.

Edit your sshd_config file (/etc/sshd_config here; /etc/ssh/sshd_config on most systems) and add a block like this:

Match User username
AllowTcpForwarding no
X11Forwarding no
ForceCommand /usr/libexec/sftp-server -l INFO

Replace username with the user name you want to limit the SSH access for. A Match block applies to every directive that follows it until the next Match keyword, so put it at the end of the file to avoid capturing unrelated global settings. ForceCommand replaces whatever command the client asked for with the SFTP server, so an interactive shell is never started; the -l INFO option makes sftp-server log file operations to syslog at INFO level. Reload sshd for the change to take effect.


Posted by Hans-Henry Jakobsen