If the remote path contains a space, it errors out.
$ scp localfile REMOTE:remote\ file
scp: ambiguous target
Wrapping it in ' or " doesn't help either.
$ scp localfile REMOTE:"remote file"
scp: ambiguous target
$ scp localfile REMOTE:'remote file'
scp: ambiguous target
Wrapping it in ' or " and escaping the space with \ goes through.
$ scp localfile REMOTE:"remote\ file"
$ scp localfile REMOTE:'remote\ file'
Alternatively, wrap it in "' or '".
$ scp localfile REMOTE:'"remote\ file"'
$ scp localfile REMOTE:"'remote\ file'"
With rsync any of \, ' or " works, so rsync looks like the better choice (scp is deprecated anyway).
$ rsync -avc localfile REMOTE:remote\ file
$ rsync -avc localfile REMOTE:"remote file"
$ rsync -avc localfile REMOTE:'remote file'
$ dpkg-query -W openssh-client
openssh-client	1:8.4p1-5
$ ssh-keygen -t ed25519 -f ./testkey -C testkey
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in ./testkey
Your public key has been saved in ./testkey.pub
The key fingerprint is:
SHA256:TjoOlsc/EIGNjnkfNcIcme188Dn/o19IJ5cLkXb4qCs testkey
The key's randomart image is:
+--[ED25519 256]--+
| *.= |
| o O = o |
| + * + . = . |
| o o o o = . = .|
| . . oS. o oooo|
| oo+ o..=.|
| + =.. . ....|
| . + o.E . o. |
| . .....o.. |
+----[SHA256]-----+
$ cat ./testkey.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBugIbEgGArl/mdkOGuYIEXtdGqEl1OhUZnEuF3JPbhb testkey
$ rm ./testkey.pub
$ ssh-keygen -e -f ./testkey | tee ./testkey.pub
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "256-bit ED25519, converted by matoken@t430s from OpenSSH"
AAAAC3NzaC1lZDI1NTE5AAAAIBugIbEgGArl/mdkOGuYIEXtdGqEl1OhUZnEuF3JPbhb
---- END SSH2 PUBLIC KEY ----
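The conversion that ssh-keygen -e performs above is a pure re-wrapping of the same key blob: the base64 body is identical in both formats, only the framing changes. As an added example (not code from the page or from OpenSSH), the following Python parses an authorized_keys-style line, checks that the key type inside the blob matches the declared type, and renders it in RFC 4716 (SSH2) format the way ssh-keygen -e does, plus the reverse direction. The sample key line is the test key printed above; the comment string for the SSH2 header is whatever the caller passes in.

```python
import base64
import struct

# Sample input: the test key line printed on this page (a throwaway key).
OPENSSH_LINE = (
    "ssh-ed25519 "
    "AAAAC3NzaC1lZDI1NTE5AAAAIBugIbEgGArl/mdkOGuYIEXtdGqEl1OhUZnEuF3JPbhb "
    "testkey"
)


def read_string(buf, pos):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    if pos + 4 > len(buf):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", buf[pos:pos + 4])
    end = pos + 4 + length
    if end > len(buf):
        raise ValueError("truncated key blob")
    return buf[pos + 4:end], end


def key_fields(blob):
    """Return every wire-format string in the blob, in order (for ed25519:
    the type name and the 32-byte public key)."""
    fields, pos = [], 0
    while pos < len(blob):
        s, pos = read_string(blob, pos)
        fields.append(s)
    return fields


def parse_openssh_pubkey(line):
    """Split '<type> <base64> [comment]' and verify that the type name embedded
    in the blob matches the declared type (a mismatch means a mangled key)."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    keytype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    inner_type, _ = read_string(blob, 0)
    if inner_type.decode() != keytype:
        raise ValueError(f"declared type {keytype!r} but blob says {inner_type!r}")
    return keytype, blob, comment


def to_rfc4716(line, comment=None):
    """Render an OpenSSH public key line in RFC 4716 (SSH2) format: begin line,
    optional Comment: header, base64 body wrapped at 70 columns, end line.
    The comment defaults to the one on the OpenSSH line."""
    _, blob, orig_comment = parse_openssh_pubkey(line)
    comment = orig_comment if comment is None else comment
    body = base64.b64encode(blob).decode()
    out = ["---- BEGIN SSH2 PUBLIC KEY ----"]
    if comment:
        out.append(f'Comment: "{comment}"')
    out.extend(body[i:i + 70] for i in range(0, len(body), 70))
    out.append("---- END SSH2 PUBLIC KEY ----")
    return "\n".join(out) + "\n"


def from_rfc4716(text):
    """Convert RFC 4716 text back to one OpenSSH line. The key type comes from
    inside the blob, because the SSH2 framing does not carry it separately.
    Header continuation lines (trailing backslash) are not handled here."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if (lines[0] != "---- BEGIN SSH2 PUBLIC KEY ----"
            or lines[-1] != "---- END SSH2 PUBLIC KEY ----"):
        raise ValueError("missing RFC 4716 begin/end lines")
    comment, body = "", []
    for l in lines[1:-1]:
        if ":" in l and not body:  # header lines precede the base64 body
            name, _, value = l.partition(":")
            if name.strip().lower() == "comment":
                comment = value.strip().strip('"')
        else:
            body.append(l)
    blob = base64.b64decode("".join(body), validate=True)
    keytype, _ = read_string(blob, 0)
    line = f"{keytype.decode()} {base64.b64encode(blob).decode()}"
    return f"{line} {comment}" if comment else line


if __name__ == "__main__":
    print(to_rfc4716(OPENSSH_LINE, "256-bit ED25519, converted by matoken@t430s from OpenSSH"))
    print(from_rfc4716(to_rfc4716(OPENSSH_LINE)))
```

Because the blob is only 68 base64 characters, it fits on one line of the SSH2 body, which is why ssh-keygen's output above has a single body line; an RSA key would be wrapped across several.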
Trying to connect via tailscale fails.
$ ssh ${IP_ADDRESS}
kex_exchange_identification: read: Connection reset by peer
Connection reset by ${IP_ADDRESS} port 22
It fails because the connection comes from an IP address that isn't registered.
If the set of addresses rarely changes, register the addresses tailscale uses in /etc/hosts.allow.
$ tailscale status | awk '{print $1}' | xargs -I{} echo 'sshd: {}' | sudo tee -a /etc/hosts.allow
If there are many machines or they come and go often, tailscale's address range is documented here ( https://tailscale.com/kb/1015/100.x-addresses/ ), so append the following to /etc/hosts.allow instead.
sshd: 100.64.0.0/255.192.0.0
If a firewall or Match Address in sshd_config(5) is also in use, configure those as well.
Match Address 100.64.0.0/10
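The two spellings above (address/netmask for hosts.allow, CIDR for sshd_config) describe the same range, and the awk pipeline only works if every first field really is an address. As an added example (not code from the page or from tailscale), this Python builds the hosts.allow lines from a constructed, hypothetical tailscale status listing, checks that the two range spellings are equivalent, and tests whether a client address would fall inside the range. The tailnet hosts and addresses in the sample are made up for the example.

```python
import ipaddress

# Constructed sample of `tailscale status` output; hosts and addresses are
# hypothetical and the first column is the tailnet IPv4 address.
TAILSCALE_STATUS = """\
100.101.102.103 t430s             matoken@    linux   -
100.110.120.130 laptop            matoken@    linux   active; direct 192.0.2.10:41641
100.64.0.7      phone             matoken@    android offline
"""

# The two spellings of the tailnet range from this page.
HOSTS_ALLOW_RANGE = "100.64.0.0/255.192.0.0"   # hosts.allow address/netmask form
SSHD_MATCH_RANGE = "100.64.0.0/10"             # sshd_config Match Address CIDR form


def hosts_allow_lines(status_text, daemon="sshd"):
    """One 'daemon: address' line per host, as the awk/xargs pipeline produces,
    but skipping any row whose first field is not a valid IP address."""
    lines = []
    for row in status_text.splitlines():
        fields = row.split()
        if not fields:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # header, blank or otherwise non-address row
        lines.append(f"{daemon}: {addr}")
    return lines


def same_range(spec_a, spec_b):
    """True if two network specs (CIDR or address/netmask) denote one network."""
    return ipaddress.ip_network(spec_a, strict=True) == ipaddress.ip_network(spec_b, strict=True)


def allowed_by_range(client_ip, net_spec):
    """True if client_ip lies inside net_spec. An IPv6 address is never inside
    an IPv4 network, which is why a 127.0.0.1 entry on its own does not cover
    ::1 (see the localhost note at the end of this page)."""
    ip = ipaddress.ip_address(client_ip)
    net = ipaddress.ip_network(net_spec, strict=True)
    return ip.version == net.version and ip in net


if __name__ == "__main__":
    print("\n".join(hosts_allow_lines(TAILSCALE_STATUS)))
    print(same_range(HOSTS_ALLOW_RANGE, SSHD_MATCH_RANGE))
    for ip in ("100.64.0.7", "100.127.255.255", "100.128.0.1", "::1"):
        print(ip, allowed_by_range(ip, SSHD_MATCH_RANGE))
```

100.64.0.0/10 is the shared address space of RFC 6598, so it covers every tailnet address but also any other CGNAT-style traffic that can reach port 22; the per-host list is tighter when the fleet is small.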
Got this complaint. The real hostname is 62 characters long.
unix_listener: path "/home/matoken/.ssh/tmp/ssh-user@hostname:22.r3NYV60KUEAXUuRZ" too long for Unix domain socket
The hostname is long, so creating the file named by ControlPath seems to fail because of a filesystem limit.
For a start, passing -o ControlMaster=no as an ssh option makes it connect.
I tried ControlMaster no for the target host in ~/.ssh/config, but it doesn't seem to take effect?
Host TARGETHOST
    ControlMaster no
    ControlPath no
According to man 5 ssh_config, %C expands to a hash of %l%h%p%r, so:
ControlPath
    Specify the path to the control socket used for connection sharing as described in the ControlMaster section above or the string none to disable connection sharing. Arguments to ControlPath may use the tilde syntax to refer to a user's home directory, the tokens described in the TOKENS section and environment variables as described in the ENVIRONMENT VARIABLES section. It is recommended that any ControlPath used for opportunistic connection sharing include at least %h, %p, and %r (or alternatively %C) and be placed in a directory that is not writable by other users. This ensures that shared connections are uniquely identified.

TOKENS
    Arguments to some keywords can make use of tokens, which are expanded at runtime:
    %%    A literal ‘%’.
    %C    Hash of %l%h%p%r.
    %d    Local user's home directory.
    %f    The fingerprint of the server's host key.
    %H    The known_hosts hostname or address that is being searched for.
    %h    The remote hostname.
    %I    A string describing the reason for a KnownHostsCommand execution: either ADDRESS when looking up a host by address (only when CheckHostIP is enabled), HOSTNAME when searching by hostname, or ORDER when preparing the host key algorithm preference list to use for the destination host.
    %i    The local user ID.
    %K    The base64 encoded host key.
    %k    The host key alias if specified, otherwise the original remote hostname given on the command line.
    %L    The local hostname.
    %l    The local hostname, including the domain name.
    %n    The original remote hostname, as given on the command line.
    %p    The remote port.
    %r    The remote username.
    %T    The local tun(4) or tap(4) network interface assigned if tunnel forwarding was requested, or "NONE" otherwise.
    %t    The type of the server host key, e.g. ssh-ed25519.
    %u    The local username.
    CertificateFile, ControlPath, IdentityAgent, IdentityFile, KnownHostsCommand, LocalForward, Match exec, RemoteCommand, RemoteForward, and UserKnownHostsFile accept the tokens %%, %C, %d, %h, %i, %k, %L, %l, %n, %p, %r, and %u. KnownHostsCommand additionally accepts the tokens %f, %H, %I, %K and %t. Hostname accepts the tokens %% and %h. LocalCommand accepts all tokens. ProxyCommand accepts the tokens %%, %h, %n, %p, and %r.
Setting this in ~/.ssh/config ( ControlPath ~/.ssh/tmp/%C ) gives a hashed file name like a1e724af86ad309c968737a2fb73a3f1c0298e05, which solved it for now. Not human-friendly, but it's not something you normally look at, so it's probably fine?
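To see why %C fixes the length problem, it helps to compute it. OpenSSH derives %C as the SHA-1 of the concatenated %l%h%p%r (40 hex characters, the length of the hash shown above), and the error message shows that ssh creates the socket under a temporary name with a random 16-character suffix first, so that longer name is what has to fit in sun_path. As an added example (not code from the page or from OpenSSH), this Python expands the handful of tokens ControlPath needs, computes %C, and checks the resulting path against the 108-byte sun_path limit on Linux. The hostnames, user and home directory in the usage are constructed, and the expander deliberately supports only the tokens listed in its table.

```python
import hashlib

SUN_PATH_MAX = 108      # bytes in sockaddr_un.sun_path on Linux, including the NUL
TEMP_SUFFIX_LEN = 17    # ".r3NYV60KUEAXUuRZ" in the page's error: dot + 16 random characters


def percent_c(local_host, remote_host, port, user):
    """%C: SHA-1 over the concatenation %l%h%p%r, rendered as 40 hex digits."""
    data = f"{local_host}{remote_host}{port}{user}".encode()
    return hashlib.sha1(data).hexdigest()


def expand_tokens(template, local_host, remote_host, port, user, home="/home/user"):
    """Expand the subset of ssh_config TOKENS this example needs (%%, %C, %d,
    %h, %l, %p, %r) and a leading '~'. Any other token is rejected rather than
    silently left in the path."""
    table = {
        "%": "%",
        "C": percent_c(local_host, remote_host, port, user),
        "d": home,
        "h": remote_host,
        "l": local_host,
        "p": str(port),
        "r": user,
    }
    out, i = [], 0
    while i < len(template):
        ch = template[i]
        if ch == "%":
            if i + 1 >= len(template) or template[i + 1] not in table:
                raise ValueError(f"unsupported token at offset {i}: {template[i:i + 2]!r}")
            out.append(table[template[i + 1]])
            i += 2
        else:
            out.append(ch)
            i += 1
    path = "".join(out)
    if path.startswith("~/"):
        path = home + path[1:]
    return path


def control_path_fits(path, temp_suffix_len=TEMP_SUFFIX_LEN):
    """True if the socket's temporary name (final path + random suffix) still
    fits in sun_path with room for the terminating NUL."""
    return len(path.encode()) + temp_suffix_len < SUN_PATH_MAX


if __name__ == "__main__":
    # Constructed inputs: a 62-character hostname like the one on this page.
    host62 = "a" * 62
    for tmpl in ("~/.ssh/tmp/ssh-%r@%h:%p", "~/.ssh/tmp/%C"):
        p = expand_tokens(tmpl, "t430s", host62, 22, "user", home="/home/matoken")
        print(f"{tmpl:28} -> {len(p):3} bytes, fits={control_path_fits(p)}")
```

The hashed name also keeps the remote user and host out of directory listings of ~/.ssh/tmp, which is a small bonus on shared machines; what it does not change is the man page's advice that the directory itself must not be writable by other users.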
For when an old device can only use short keys and you wonder whether anything can be done?
Note: this method reportedly works on OpenSSH 7.2p2, but was NG on OpenSSH_7.6p1 and OpenSSH 8.1p1.
Checking the changelog it looks NG from 7.1/7.1p1, yet it works on 7.2p1?
https://www.openssh.com/txt/release-7.1
* Refusing all RSA keys smaller than 1024 bits (the current minimum is
768 bits).
Trying to create a short key that isn't supported fails.
$ ssh-keygen -t rsa -b 768
Invalid RSA key length: minimum is 1024 bits
It can be created with openssl.
$ openssl genrsa -out key.pem 768
Generating RSA private key, 768 bit long modulus (2 primes)
........+++++++
................................+++++++
e is 65537 (0x010001)
With a passphrase:
$ openssl genrsa -out id_rsa768 -aes256 768
Generating RSA private key, 768 bit long modulus (2 primes)
..+++++++
..........+++++++
e is 65537 (0x010001)
Enter pass phrase for id_rsa768:
Verifying - Enter pass phrase for id_rsa768:
Check the private key:
$ openssl rsa -text < key.pem
Create the corresponding public key.
Couldn't. 7.2p2 can reportedly do it, but what's being tested here is 8.1p1.
$ ssh-keygen -y -f key.pem > key.pub
Load key "key.pem": Invalid key length
Create the public key with openssl as well.
$ openssl rsa -pubout < key.pem > key.pub
writing RSA key
Check the public key:
$ openssl rsa -text -pubin < key.pub
But when actually trying to use it, it doesn't work.
$ ssh -v -i ~/.ssh/key.pem localhost
:
debug1: Trying private key: /home/matoken/.ssh/key.pem
Load key "/home/matoken/.ssh/key.pem": Invalid key length
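The same 1024-bit floor from the release-7.1 note applies on the server side, so a sub-1024-bit RSA key sitting in authorized_keys on a modern sshd is dead weight. As an added example (not code from the page or from OpenSSH), this Python reads the modulus size straight out of the ssh-rsa wire blob (type name, mpint e, mpint n) and audits an authorized_keys text for RSA keys below the minimum. The two RSA lines in the sample are built from constructed dummy moduli of the right sizes, not real keys; the ed25519 line is the test key shown earlier on this page.

```python
import base64
import struct

MIN_RSA_BITS = 1024  # OpenSSH refuses RSA keys smaller than this (release-7.1 note above)
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def read_string(buf, pos):
    """Read one SSH wire-format string (uint32 big-endian length + payload)."""
    (length,) = struct.unpack(">I", buf[pos:pos + 4])
    end = pos + 4 + length
    if end > len(buf):
        raise ValueError("truncated key blob")
    return buf[pos + 4:end], end


def rsa_modulus_bits(blob):
    """Bit length of n for an ssh-rsa blob (string 'ssh-rsa', mpint e, mpint n);
    None for any other key type."""
    ktype, pos = read_string(blob, 0)
    if ktype != b"ssh-rsa":
        return None
    _e, pos = read_string(blob, pos)
    n, _ = read_string(blob, pos)
    n = n.lstrip(b"\x00")  # mpint: a leading zero byte keeps the value positive
    return int.from_bytes(n, "big").bit_length()


def make_blob(ktype, *values):
    """Assemble a key blob from a type name and mpint values. Used here only to
    build constructed test data; the numbers are not a usable RSA key."""
    def mpint(v):
        raw = v.to_bytes(v.bit_length() // 8 + 1, "big")  # one spare byte keeps the sign bit clear
        return struct.pack(">I", len(raw)) + raw
    return struct.pack(">I", len(ktype)) + ktype + b"".join(mpint(v) for v in values)


def audit_authorized_keys(text):
    """Return (keytype, bits, verdict) per key line. verdict is 'too-short' for
    RSA under MIN_RSA_BITS, 'ok' otherwise, 'unparsable' for lines that do not
    decode. Option fields (e.g. restrict,from="...") are skipped as long as
    they contain no spaces."""
    report = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        try:
            i = next(k for k, p in enumerate(parts) if p.startswith(KEY_TYPE_PREFIXES))
            blob = base64.b64decode(parts[i + 1], validate=True)
            bits = rsa_modulus_bits(blob)
        except (StopIteration, IndexError, ValueError, struct.error):
            report.append(("?", None, "unparsable"))
            continue
        verdict = "too-short" if bits is not None and bits < MIN_RSA_BITS else "ok"
        report.append((parts[i], bits, verdict))
    return report


# Constructed sample: dummy 768-bit and 2048-bit moduli (arbitrary odd numbers).
SHORT_N = (1 << 767) | 0x10001   # 768 bits, the size of the openssl genrsa 768 key above
OK_N = (1 << 2047) | 0x10001     # 2048 bits
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed authorized_keys for the audit example",
    "ssh-rsa " + base64.b64encode(make_blob(b"ssh-rsa", 65537, SHORT_N)).decode() + " old-device",
    'restrict,from="192.0.2.0/24" ssh-rsa '
    + base64.b64encode(make_blob(b"ssh-rsa", 65537, OK_N)).decode() + " laptop",
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBugIbEgGArl/mdkOGuYIEXtdGqEl1OhUZnEuF3JPbhb testkey",
    "this line is not a key",
])

if __name__ == "__main__":
    for row in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(row)
```

Run over a real ~/.ssh/authorized_keys the report shows which entries a current OpenSSH will never accept (and are therefore best removed) without needing ssh-keygen to parse a key it already refuses to load.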
Still checking:
$ openssl ecparam -genkey -name prime256v1
-----BEGIN EC PARAMETERS-----
BggqhkjOPQMBBw==
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEII/p1OH2ZQ6B6k1CRk1WHr4iPxOuv+N/DzK0znQ6DWpAoAoGCCqGSM49
AwEHoUQDQgAEhO6Eb8d+0awb9XXFBGcBH3C7QPh+LfZDOtpzIeAoiektPlJOVDff
CeV/6xhBDuYuVkdZVen1JIrcP4mjhCpZzA==
-----END EC PRIVATE KEY-----
$ openssl ecparam -genkey -name secp521r1
-----BEGIN EC PARAMETERS-----
BgUrgQQAIw==
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
MIHcAgEBBEIAt6966Pl0MVeg629y+0SKPtXB1Y0jXVT1SRNrKPIrs22tbkmxGsTZ
H6l3BxbdB9A6cvQggW+hNLO2FhsptOb7/2agBwYFK4EEACOhgYkDgYYABAEm6obx
je5KY9CgO60nvX/2AsTqMyJNcqm5yOXS7Y7CWldu2fvxTz87n5E17hzNb/Eob+VD
5trMIGbUht+gjRwW9AC4seiIdZp9/pVEKVXIgL25IsqvPg7DRKRJXgYloDtpjKPV
mMH96l9GloIV295s/l7VK9MweghstzyxhOiLfNGjtA==
-----END EC PRIVATE KEY-----
Still checking:
$ openssl genpkey -algorithm ed25519
Tried connecting to an old machine, and its algorithms aren't supported.
$ ssh 192.168.1.182
Unable to negotiate with 192.168.1.182 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
Connect by specifying the algorithm as an option.
$ ssh -o KexAlgorithms=diffie-hellman-group1-sha1,diffie-hellman-group14-sha1 root@192.168.1.182
Connecting, it turned out to be Angstrom's OpenSSH 6.0p1.
# ssh -V
OpenSSH_6.0p1, OpenSSL 1.0.1e 11 Feb 2013
# lsb_release -a
Distributor ID: Angstrom
Description:    Angstrom GNU/Linux v2012.12 (Core edition)
Release:        v2012.12
Codename:       Core edition
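The order of the KexAlgorithms list matters: SSH picks the first algorithm on the client's list that the server also offers (RFC 4253 section 7.1), so the option as written above negotiates diffie-hellman-group1-sha1 (a 1024-bit group) even though the server also offers group14. As an added example (not code from the page or from OpenSSH), this Python parses the "Their offer:" list out of the error message, applies that negotiation rule, and models the plain, "+", "-" and "^" forms of the KexAlgorithms value so the effect of each can be checked before touching a config. The modern client list is a hypothetical default, not copied from any particular OpenSSH release; wildcard patterns in "-" lists are not modelled.

```python
# The client error from this page; the offer is the old server's real list.
THEIR_OFFER_MSG = (
    "Unable to negotiate with 192.168.1.182 port 22: no matching key exchange "
    "method found. Their offer: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1"
)

# Hypothetical modern client preference list (constructed for the example).
MODERN_CLIENT_KEX = [
    "curve25519-sha256",
    "curve25519-sha256@libssh.org",
    "ecdh-sha2-nistp256",
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group16-sha512",
    "diffie-hellman-group14-sha256",
]


def parse_their_offer(msg):
    """Extract the comma-separated server list from an 'Unable to negotiate' line."""
    marker = "Their offer: "
    if marker not in msg:
        raise ValueError("no 'Their offer:' list in message")
    return [a for a in msg.split(marker, 1)[1].strip().split(",") if a]


def negotiate(client_list, server_list):
    """RFC 4253 section 7.1: the first algorithm on the client's list that the
    server also lists is chosen; None means the connection fails."""
    server = set(server_list)
    for alg in client_list:
        if alg in server:
            return alg
    return None


def apply_kex_option(default_list, option_value):
    """Model a KexAlgorithms value: a plain list replaces the defaults,
    '+list' appends to them, '-list' removes from them, '^list' puts the
    named algorithms at the head of the default list."""
    prefix = option_value[0] if option_value[:1] in ("+", "-", "^") else ""
    items = [a for a in option_value[len(prefix):].split(",") if a]
    if prefix == "+":
        return list(default_list) + [a for a in items if a not in default_list]
    if prefix == "-":
        return [a for a in default_list if a not in items]
    if prefix == "^":
        return items + [a for a in default_list if a not in items]
    return items


if __name__ == "__main__":
    offer = parse_their_offer(THEIR_OFFER_MSG)
    for opt in ("diffie-hellman-group1-sha1,diffie-hellman-group14-sha1",
                "+diffie-hellman-group14-sha1",
                "^diffie-hellman-group14-sha1"):
        print(f"{opt:60} -> {negotiate(apply_kex_option(MODERN_CLIENT_KEX, opt), offer)}")
```

With "+diffie-hellman-group14-sha1" the defaults stay in front for every other host and the old box still connects, landing on the 2048-bit group instead of group1; putting that line under a Host block for 192.168.1.182 keeps the concession scoped to the one machine that needs it.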
$ ssh localhost
kex_exchange_identification: read: Connection reset by peer
Connection reset by ::1 port 22
"::1" means it's trying to connect over IPv6 and failing. Adding -4 made it connect.
Changed 127.0.0.1 in hosts.allow to LOCALHOST and added Match Address ::1 to sshd_config so that it connects.
https://nitter.matoken.org/matoken1/status/1495779062060498945#mb