Archive

Archive for the ‘networking’ Category

Connect Through SSH Without a Password

December 10, 2008

One day you will find yourself needing to run a command on a remote UNIX box without typing a password. The technique relies on public-key authentication: the client holds a private key, the server holds the matching public key, and at login the client proves possession of the private key by signing a challenge from the server. No password ever crosses the wire.

Let’s suppose we have a server named “Mailserver” and another called “Monitor”, and you want Monitor to connect to Mailserver every 30 minutes to verify the health of some services.

Anyway, here is the quick-guide:

First of all, connect to Monitor as the user of your choice (the user the scheduled job will run as).

Then, type:

ssh-keygen -t rsa
This command generates an RSA key pair for the current user: a private key (id_rsa), which never leaves Monitor, and the public key (id_rsa.pub) that you will place on the server. (On current OpenSSH, ssh-keygen -t ed25519 is the better default.) You will be asked for a passphrase. For an unattended job you can leave it empty, but understand the trade-off: an unencrypted private key is a plaintext credential, and anyone who can read the file can log in as that user on every host that trusts it. Keep the file mode 0600, and on the server side restrict what the key may do with authorized_keys options such as from="address" and command="program".

When the command finishes, it prints where the new files were written. In most cases that is the .ssh/ directory under your home directory (~/.ssh/id_rsa and ~/.ssh/id_rsa.pub).

Next, you have to add the public key to the authorized_keys file of the target user on the remote server (in this case Mailserver). The original quick-guide did this with scp to ~/.ssh/authorized_keys2, which overwrites any keys already in that file (and authorized_keys2 is a legacy name: sshd still reads it by default, but authorized_keys is the canonical file). Appending avoids both problems. Remember to substitute user and hostname with your own:

cat ~/.ssh/id_rsa.pub | ssh user@hostname 'mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys'
Where it is installed, ssh-copy-id user@hostname does the same thing. This will be the last time you are prompted for the password. When the copy finishes, you should be able to ssh from Monitor to Mailserver without being prompted for one. 🙂

NOTE: On some UNIX systems, such as Solaris, the location of the key files and of sshd_config varies; check the AuthorizedKeysFile setting in the sshd_config man page for your system.

NOTE 2: The server must allow public-key authentication: PubkeyAuthentication yes in /etc/ssh/sshd_config. (RSAAuthentication, named in the original note, only governs the obsolete SSH protocol 1 and has been removed from current OpenSSH.) The default is yes, so a commented-out line means the default applies, not that it is disabled. If the login still asks for a password, check permissions: with StrictModes (the default) sshd silently ignores the key if your home directory, ~/.ssh or authorized_keys is writable by anyone other than the owner, and the reason shows up in the server's auth log.
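As an added example (not code from the original post), here is a small script for the Mailserver side that appends the key instead of overwriting the file, sets the permissions StrictModes checks, and pins the key to one source address and one command, so that a passphrase-less private key copied off Monitor cannot be used for an interactive login. The Monitor address 192.0.2.10, the health-check path /usr/local/bin/check_mail_health and the public-key string are assumptions, not taken from the post:

```shell
#!/bin/sh
# Added example, not from the original post: install Monitor's public key on
# Mailserver without clobbering authorized_keys, and restrict what it can do.
# Assumptions (not in the post): Monitor's address is 192.0.2.10 and the
# only command it needs to run is /usr/local/bin/check_mail_health.

MONITOR_IP="192.0.2.10"                       # hypothetical address of Monitor
CHECK_CMD="/usr/local/bin/check_mail_health"  # hypothetical health-check script

# Wrap one public-key line (the contents of id_rsa.pub) in authorized_keys
# options: only from Monitor's address, only this command, no forwarding, no tty.
# Even a stolen, passphrase-less private key then gives an attacker nothing
# beyond running the health check from that one address.
restrict_key() {
    printf 'from="%s",command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
        "$MONITOR_IP" "$CHECK_CMD" "$1"
}

# Append the restricted line to authorized_keys ($2) unless it is already
# there, and set the modes sshd's StrictModes requires. Unlike scp'ing the
# file into place, this keeps any keys that were already installed.
#   $1 = public key line, $2 = path to authorized_keys
install_key() {
    line=$(restrict_key "$1")
    dir=$(dirname "$2")
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$2" && chmod 600 "$2"
    if grep -qxF -- "$line" "$2"; then
        return 0            # already installed, nothing to do
    fi
    printf '%s\n' "$line" >> "$2"
}

# How many lines of authorized_keys ($2) carry public key $1.
count_key() {
    grep -cF -- "$1" "$2"
}

# Demo against a scratch directory standing in for ~/.ssh on Mailserver.
# The key below is a constructed placeholder, not real key material.
demo() {
    tmp=$(mktemp -d)
    pub="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCplaceholderkeymaterial monitor@example"
    install_key "$pub" "$tmp/authorized_keys"
    install_key "$pub" "$tmp/authorized_keys"   # second run is a no-op
    count_key "$pub" "$tmp/authorized_keys"     # prints 1, not 2
    rm -rf "$tmp"
}

demo
```

Copy id_rsa.pub over once, run install_key against ~/.ssh/authorized_keys as the target user, and from Monitor simply run ssh user@mailserver: because of command=, sshd runs the forced command no matter what the client asks for, which is exactly what a cron-driven check wants.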

Categories: networking, ssh

Connection closed by remote host: ssh_exchange_identification

October 9, 2008

When a process that uses SSH runs on a regular basis, you may occasionally get a “Connection closed by remote host” error.

For example, in my case I was using a Nagios-based monitor that needed to connect to a group of hosts, and from time to time I got bursts of this error when trying to reach the monitored machines.

This is an example of the log file:

10 13:43:02  hoard04 [2]: Protocol error. ssh is complaining, see next message. #d83bb35 (ssh_common.c 427)
10 13:43:02  hoard04 [2]: ssh_exchange_identification: Connection closed by remote host

Even though the problem clears up on its own if you simply ignore it for a while (really), I prefer to fix the cause rather than the symptom, so with a little help from Google I came up with the right solution.

This happens when the server hits the MaxStartups limit in /etc/ssh/sshd_config. MaxStartups caps the number of concurrent connections that have not yet authenticated; once it is reached, sshd closes new connections before the protocol version exchange, which is exactly the ssh_exchange_identification error the client reports. It exists as a defence against connection-flooding DoS attacks. The default was 10 in the OpenSSH releases of the time (current releases default to 10:30:100, which starts randomly dropping at 10 unauthenticated connections and refuses everything at 100), and a monitor that fires many checks at once can easily have more than 10 handshakes in flight.

To work around it, edit that file, raise the limit to, say, 25 or 50 if you really need that many simultaneous logins, and reload sshd. Raising it blindly weakens the DoS protection, so prefer the rate-limited form (for example MaxStartups 25:30:100, which degrades gracefully instead of refusing everyone) and, on the client side, stop opening so many connections at once: lower the monitor's concurrency (Nagios max_concurrent_checks) or reuse one SSH connection per host with ControlMaster/ControlPersist.
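An added example, not from the original post: a short triage script that counts the ssh_exchange_identification failures per minute in a monitor log (so you can see that they arrive in bursts rather than at random, the signature of a MaxStartups drop) and reads the effective MaxStartups start value from an sshd_config, handling both the plain and the rate-limited start:rate:full form. The log lines it embeds are constructed in the format of the excerpt above; the host names and times are made up:

```shell
#!/bin/sh
# Added example, not from the original post: triage for bursts of
# "ssh_exchange_identification: Connection closed by remote host".

# Print "HH:MM count" for each minute of log $1 with at least $2 failures.
# The monitor's log format (see the excerpt in the post) has the time as the
# second whitespace-separated field, so the bucket key is HH:MM of that field.
burst_minutes() {
    awk -v thr="$2" '
        /ssh_exchange_identification/ {
            split($2, t, ":")
            key = t[1] ":" t[2]
            count[key]++
        }
        END {
            for (k in count)
                if (count[k] >= thr) print k, count[k]
        }' "$1" | sort
}

# Effective MaxStartups "start" value in sshd_config $1. sshd honours the
# first occurrence of a keyword and keywords are case-insensitive; both
# "MaxStartups 10" and "MaxStartups 10:30:100" are handled. The fallback of
# 10 is the default sshd used when the post was written (current releases
# default to 10:30:100, so the start value is still 10).
maxstartups_start() {
    awk '
        tolower($1) == "maxstartups" && !seen { split($2, p, ":"); v = p[1]; seen = 1 }
        END { print (v == "" ? 10 : v) }' "$1"
}

# Write a constructed sample log in the post's format to $1 (made-up hosts
# and times: four failures inside one minute, then isolated ones).
sample_log() {
    cat > "$1" <<'EOF'
10 13:43:02  hoard04 [2]: Protocol error. ssh is complaining, see next message. #d83bb35 (ssh_common.c 427)
10 13:43:02  hoard04 [2]: ssh_exchange_identification: Connection closed by remote host
10 13:43:02  hoard05 [2]: ssh_exchange_identification: Connection closed by remote host
10 13:43:03  hoard06 [2]: ssh_exchange_identification: Connection closed by remote host
10 13:43:03  hoard07 [2]: ssh_exchange_identification: Connection closed by remote host
10 13:44:30  hoard04 [2]: ssh_exchange_identification: Connection closed by remote host
10 14:10:01  hoard09 [2]: ssh_exchange_identification: Connection closed by remote host
EOF
}

# Demo: bursts of 3 or more per minute in the sample, and the start value
# from a constructed sshd_config that uses the rate-limited form.
demo() {
    tmp=$(mktemp -d)
    sample_log "$tmp/monitor.log"
    printf 'Port 22\nMaxStartups 10:30:100\n' > "$tmp/sshd_config"
    echo "bursts (>=3/min): $(burst_minutes "$tmp/monitor.log" 3)"
    echo "MaxStartups start value: $(maxstartups_start "$tmp/sshd_config")"
    rm -rf "$tmp"
}

demo
```

Run burst_minutes against the real monitor log with a threshold of 2 or 3: if the failures all land in the same minutes as the monitor's scheduling rounds, it is the start value that is too low for your concurrency, and the fix belongs on the client side as much as in sshd_config.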

Categories: networking, ssh

Linux Internet Connection Sharing

September 24, 2008

Iptables is well known for its firewall and traffic-filtering capabilities, but it can also be used to share our beloved Internet connection, and it is surprisingly easy to set up in Linux.

For this example I will be using a Fedora 9 x86_64 system whose Internet uplink is a wireless interface named wlan0.

First you have to enable IP forwarding and add the masquerading rule. Log in as root and type:

# echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
# /sbin/sysctl -w net.ipv4.ip_forward=1
# /sbin/iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
# /etc/init.d/iptables save

Now a little bit of theory on what the previous commands do.

The first command only makes the setting persistent: /etc/sysctl.conf is read at boot (or by sysctl -p), so it is the second command that actually switches forwarding on in the running kernel.
Next, the iptables command does not define a routing table; it appends a rule to the POSTROUTING chain of the nat table. Every packet leaving through wlan0 has its source address rewritten to wlan0's current address (MASQUERADE is source NAT for interfaces whose address may change, such as a DHCP-assigned one), so the whole private address space behind the box appears to the outside as that single address, and connection tracking maps the replies back.
Finally, the last command saves the running rules to /etc/sysconfig/iptables so the Fedora iptables service restores them at boot.

At this point the forwarding host is ready; what is left is the network configuration of the machines. The interface facing the second computer (eth0 below, an assumption since the post only names wlan0) must be on its own subnet: if both interfaces of the sharing host sat on 192.168.1.0/24, the kernel would have two routes to the same network and forwarding would be unreliable.

Example Router Address:
IP: 192.168.1.1

First Computer (Connected to Internet):
wlan0 IP: 192.168.1.10
Netmask: 255.255.255.0
Gateway: 192.168.1.1
eth0 IP: 192.168.2.1
Netmask: 255.255.255.0
(no gateway on eth0)

Second Computer:
IP: 192.168.2.20
Netmask: 255.255.255.0
Gateway: 192.168.2.1
DNS: the same resolver the first computer uses (masquerading forwards packets; it does not answer name lookups)

That’s it, now both computers share the same Internet connection… fast and simple.

Be aware that this is a very simple example of connection sharing, not an enterprise-level solution: the commands above do not filter the FORWARD chain at all, so the second computer can reach anything the first can, and anything the NAT lets through is forwarded back to it. There are more elegant and more secure ways to share a connection (a default-deny FORWARD chain with connection tracking, proxy servers, SSH encrypted tunnels, etc.); you might want to try different methods and go for the one that fits your needs.
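As an added example that is not part of the original post, here is the same setup written as a script with the FORWARD chain filtered: it enables forwarding immediately and persistently, masquerades only the LAN subnet, and allows LAN-to-Internet traffic plus the replies back, nothing else. The LAN interface name eth0, the subnet 192.168.2.0/24 and the iptables path are assumptions not found in the post; without --apply the script only prints the commands, so the rule set can be reviewed without root:

```shell
#!/bin/sh
# Added example, not from the original post: Internet connection sharing with
# iptables, with the FORWARD chain filtered instead of left untouched.
# Assumptions (not in the post): the uplink is wlan0 as in the post; the
# LAN-facing interface is eth0 on 192.168.2.0/24; iptables is /sbin/iptables.
# Without --apply only the commands are printed (DRY_RUN=1).

WAN_IF="${WAN_IF:-wlan0}"
LAN_IF="${LAN_IF:-eth0}"              # assumed LAN-side interface
LAN_NET="${LAN_NET:-192.168.2.0/24}"  # assumed LAN subnet
IPT="${IPT:-/sbin/iptables}"

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

share_connection() {
    # Forwarding now (the post's echo >> sysctl.conf only takes effect after
    # a reboot or sysctl -p) and on the next boot, without duplicating the line.
    run /sbin/sysctl -w net.ipv4.ip_forward=1
    run sh -c 'grep -q "^net.ipv4.ip_forward" /etc/sysctl.conf || echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf'

    # Masquerade only traffic that really comes from the LAN subnet.
    run "$IPT" -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE

    # Default-deny forwarding, then allow exactly two flows:
    #   LAN -> Internet, only with a LAN source address (anti-spoofing);
    #   Internet -> LAN, only replies to connections the LAN opened.
    run "$IPT" -P FORWARD DROP
    run "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    run "$IPT" -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Persist the rules the Fedora way, as the post does.
    run /etc/init.d/iptables save
}

DRY_RUN=1
[ "${1:-}" = "--apply" ] && DRY_RUN=0
share_connection
```

Run it once without arguments, read the printed rules, then run it as root with --apply. The FORWARD policy of DROP is what turns the box from an open relay into a one-way door: hosts on the Internet can no longer initiate connections to the second computer through the NAT, and the second computer cannot inject packets with a forged source address out of wlan0.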

Categories: networking