ssh rsync squid
======================================================
DEBIAN - SYSTEM ADMINISTRATION - SSH / RSYNC / SQUID
======================================================
- Sysadmin: SSH Key-based authentication
- Sysadmin: Backup / Copy Tools - remote rsync
- Proxy Server: SQUID
SSH Public-Key based authentication (+ BSU Ref. Sheet 7)
===================================
For the next weeks, you have a shell account "flastname" (first letter
of your first name + lastname, for example "omueller") on a remote
server called "moon.omx.ch". The default password is "Welcome42".
Your home directory there is: /home/abbts/username/ (username = your login)
Please try to connect to your "moon"-account with ssh from your Debian
system. (you will be requested to change your password on first login:
please enter a secure password, as the server is online 24h/24, and as
you will need this account for the exams)
In addition to basic password authentication, openssh supports also a
public/private-key authentication system. You will now create a
key-pair and allow password-free access to your moon account.
1) Generate a pair of keys
$ ssh-keygen -t dsa
Please use a secure passphrase (longer than just a password), this is
the only one you will have to remember ever for accesses on moon.omx.ch.
The keys are saved in the .ssh/ directory in your $HOME:
[om@abbts ~]$ ls -la .ssh/
total 8
drwx------ 2 omueller omueller 512 Feb 8 21:18 .
drwxr-xr-x 4 omueller omueller 512 Feb 8 21:18 ..
-rw------- 1 omueller omueller 1743 Feb 8 21:18 id_dsa
-rw-r--r-- 1 omueller omueller 410 Feb 8 21:18 id_dsa.pub
- id_dsa = your private key, must be secure and readable only by yourself
(chmod 0600)
- id_dsa.pub = your public key
Other files which may be present as well:
- known_hosts: list of hosts public keys, added the first time you
connect to a remote host, to prevent "man in the middle" attack.
- authorized_keys: list of public keys from (remote-)accounts which may
connect to your account with public-key authentication
- config: local options (man ssh_config)
2) Add your new public key generated on your virtual server
to your $HOME/.ssh/authorized_keys on moon:
IMPORTANT: *never* copy your private key (id_dsa) to a server! Only
your public key.
- using copy/paste & vi via ssh
- or with scp:
$ scp .ssh/id_dsa.pub username@moon.omx.ch:
$ ssh username@moon.omx.ch
$ cat id_dsa.pub >> ~/.ssh/authorized_keys
$ rm id_dsa.pub
$ exit
(make sure the .ssh/ exists first on the target)
3) Test if it works:
$ ssh username@moon.omx.ch
Enter passphrase for key '/home/om/.ssh/id_dsa': ************
Last login: Mon Feb 8 18:50:47 2010 from 180.254.166.203
[...]
[omueller@ks39410 ~]$
4) Add another key:
Please now add my key ( http://omx.ch/om/sshpubkey.txt ) to your
~/.ssh/authorized_keys file. So now you should have 2 long lines in this
file: one for your own key, one for mine.
Note: If you use nano or pico for that, it may try to wrap long lines:
use the "-w" option to prevent that ("pico -w .ssh/authorized_keys"). On
the other hand, vi will not have any problem here :)
5) SSH Agent
To prevent having to type your "master" key passphrase every time you
connect to another server, it is convenient to use an "agent" to hold
the key for the current session.
man ssh-agent:
"ssh-agent is a program to hold private keys used for public key
authentication (RSA, DSA). The idea is that ssh-agent is started in the
beginning of an X-session or a login session, and all other windows or
programs are started as clients to the ssh-agent program. Through use of
environment variables the agent can be located and automatically used for
authentication when logging in to other machines using ssh(1)."
5.1) start the agent:
$ eval `ssh-agent -s` (backquotes!)
-> a process "ssh-agent" will run in background, ready to ready read and
manage your key(s)
-> environment variables "SSH_AGENT_PID" and "SSH_AUTH_SOCK" are set
(env | grep SSH)
5.2) add the key(s)
$ ssh-add -l
The agent has no identities.
-> for the moment, the agent is "empty"
$ ssh-add ~/.ssh/id_dsa
Enter passphrase for /home/om/.ssh/id_dsa: ********************
Identity added: /home/om/.ssh/id_dsa (/home/om/.ssh/id_dsa)
$ ssh-add -l
1024 a4:df:52:b0:fd:c2:54:b6:66:87:1a:e5:dd:2a:75:0d /home/om/.ssh/id_dsa (DSA)
-> key is now saved & active
5.3) use the agent
Once the keys are loaded, the agent is used automatically.
$ ssh username@moon.omx.ch
[...]
[om@ks39410 ~]$
5.4) If you need to remove the key from the agent:
$ ssh-add -d ~/.ssh/id_dsa
or
$ ssh-add -D (delete all identities)
or
$ kill
or
$ killall ssh-agent
or
reboot...
6) Automatic startup of the agent
A very practical thing is to have the agent started automatically on the
first login to your account, and remain active as long the computer is
active.
For this, you just have to add this line at the end of your local
~/.bashrc file (= autoexec on shell start)
. $HOME/.ssh/agentcheck
And copy/paste these lines to a script called .ssh/agentcheck :
--------------------------------------------------[ cut ]----
#!/bin/sh
# Checks for current ssh agent, otherwise starts one.
SSH_ENV=$HOME/.sshenv
function start_agent {
echo "Initialising new SSH agent..."
ssh-agent > ${SSH_ENV}
chmod 600 ${SSH_ENV}
. ${SSH_ENV} > /dev/null
ssh-add
}
# Source SSH settings, if applicable
if [ -f "${SSH_ENV}" ]; then
. ${SSH_ENV} > /dev/null
ps ${SSH_AGENT_PID} > /dev/null || {
start_agent;
}
else
start_agent;
fi
--------------------------------------------------[ cut ]----
-> save, make executable, disconnect, and reconnect to your virtual machine:
On login, the first time, it should now ask:
Initialising new SSH agent...
Enter passphrase for /home/omtest/.ssh/id_dsa:
Identity added: /home/omtest/.ssh/id_dsa (/home/omtest/.ssh/id_dsa)
If you logout and login again, it should not ask this again, and
connecting as username@moon.omx.ch should still be possible without any
password request.
It should ask again only if you reconnect after a reboot, if you delete
the .sshenv file or if you kill the ssh-agent process.
More information:
man ssh, man ssh-agent, man ssh-add, etc.
and in German: http://www.invenate.com/decus/SSH-Intro.pdf
System Administration: Backup / Copy tools : rsync
==================================================
Now that your ssh-agent is active, you can copy data from your virtual
server to moon as if moon were a local directory.
Tasks:
0) make sure you are done with first part of the "backup / tar / rsync"
practical tasks from last week
1) create a directory on moon : "/home/abbts/username/rsynctest/"
2) and now from your virtual server (connected as user, not root),
run a remote backup for
/etc/ -> /home/abbts/username/rsynctest/etc/
and
/var/log/status/ -> /home/abbts/username/rsynctest/status/
Hint1: there is no rsyncd (daemon) running on the "moon.omx.ch"
server, but we don't need one anyway...
Hint2: always use trailing "/", otherwise you will have results like
.../rsynctest/status/status/status/
3) if you re-run the 2 rsync commands after a few minutes, it should
only copy what has changed, not everything.
4) write down the command you used:
HTTP Proxy Server - SQUID (+ BSU Ref. Sheet 8)
=========================
Squid is a proxy server and web cache daemon. It has a wide
variety of uses, from speeding up a web server by caching
repeated requests, to caching web, DNS and other computer
network lookups for a group of people sharing network
resources, to aiding security by filtering traffic.
1) Basic setup
- install the "squid" package
- find the config file and the logs : start a "tail -f *.log" on
all logs in another terminal window
- on your notebook/computer, setup the browser to use the proxy
you just installed: IP = 10.x.y.z, PORT: 3128 (for http, https
and ftp)
- then try to reach a page, for example: www.abbts.ch
-> it should fail (default setup).
- backup the original squid config file
- edit it, and add these line before the "http_access deny all" line:
acl our_net src 10.0.0.0/255.0.0.0
http_access allow our_net
http_access allow localhost
- restart the squid daemon and test again : it should now work and you
should see requests in the logfiles
- if it is not the case, you may need to set the "visible_hostname"
in the config file.
- visit http://omx.ch/zzz.php with the proxy active or not
and compare the "HTTP Headers Information" part of the page.
2) Block facebook.com
-> any access to facebook.com should be blocked
3) Extra: adzapper
- we want our HTTP proxy to filter Ads: there is a package
just for that: adzapper.
- install the debian package
- check the man page and Readme file:
/usr/share/doc/adzapper/README.Debian
- update squid.conf according to the docs
- test with http://www.piazza.ch if ads are removed
(if it's not the case: have you restarted squid after setup?)
- update the patterns according to
http://adzapper.sourceforge.net/ to make it work better.
4) Questions:
. where is the squid config file?
- where are the logfiles?
- where is the squid cache directory?