NS8-OpenSSH app

Module: Latest 1.0.2

@mrmarkuz after installing and configuring ns8-openssh the configuration page returns back with an empty password field, so there is no way to recover the password?

So once installed, from a remote location, what do I need to do to use the new ssh method?

TIA

1 Like

Yes, the password isn’t shown anymore as a security feature. Just enter a new password to change it.
If you really need to recover it, it’s saved in the environment file:

[root@node1 ~]# runagent -m openssh1 grep PASSWORD environment
PASSWORD=Secret123

It should be used automatically. So you shouldn’t get a warning on the Mac anymore when connecting to the OpenSSH container.

1 Like

It’s me, but I fail to understand. Normally I log in remotely e.g. “ssh root@myserver.com -p 11111”…

If I log in like I always do, the message is still there…

Sorry!

1 Like

Are you really connecting to the OpenSSH container or still to the host system OpenSSH?

On the settings page you can get the right TCP port to connect to:

ssh root@myserver.com -p 20010

Gotcha!

Some more questions:

  1. I am now in the ns8-openssh container, how to access the host like normal (sudo? how?)
  2. Can I disable the original ssh server completely or block external access, e.g. improve security? (extra setting switch on/off?)
  3. Can the external TCP Port be set?

TIA!

The NS8 host is reachable under IP 10.0.0.1.

ssh user@10.0.0.1

See also GitHub - mrmarkuz/ns8-openssh: OpenSSH server · GitHub

The original SSH server is needed to connect to it but you could remove the firewall port, so it’s not accessible from public anymore.

firewall-cmd --permanent --service=ssh --remove-port=22/tcp
firewall-cmd --reload

1 Like

Yep, thanks!

Exactly, maybe worthwhile to add this to the readme?

I edited my previous questions and added, can the TCP port be set in settings opposed to predefined?

Many thanks!

1 Like

Done.

NS8 provides free ports to the apps and my intention was to avoid port conflicts but I’m thinking about it…

1 Like

Many thanks!

1 Like

What would be the preferred syntax to enable TCP port 22 back again please?
What if I already changed port TCP/Port 22 to another port e.g. 2022, should one close (or open back again) 2022?

TIA

firewall-cmd --permanent --service=ssh --add-port=22/tcp
firewall-cmd --reload

It depends on your needs. No open firewall port is needed to connect from the OpenSSH container to the host system sshd as it’s a local connection.
So if it’s enough to use the OpenSSH container as jumphost to the host system sshd, all host system sshd ports (22 and the redirected 2022) can be removed from the firewall.

1 Like

@mrmarkuz as we are taking steps in securing NS8 here, how can one disable the bash history in the OpenSSH app, so IF one could get into the container, there is no history or any other forensics to explore for any intruder please?

TIA

Can this be set by config, for now it is kind of useless, since it is documented and a default?

1 Like

I’m going to include those options in a next release.

When connected to the OpenSSH container one can execute the following to disable and remove the history.

unset HISTFILE
echo 'unset HISTFILE' >> ~/.bash_profile
rm -f ~/.bash_history

It’s the IP address to reach the host from inside the OpenSSH container.
I set it to 10.0.0.1, the default is 169.254.1.2, see ns8-openssh/imageroot/systemd/user/openssh.service at main · mrmarkuz/ns8-openssh · GitHub and podman-run — Podman documentation
I think I’ll change it to the default 169.254.1.2 as 10.0.0.1 could be used by other devices…

1 Like

Thanks, but my (maybe confused) thinking is, what the purpose of a SSH container is if the keys to hop on to the host are for grabs by using well known defaults?

The host keys can’t be grabbed from the container as there’s no access to the host’s filesystem.

One can get the IP to reach the host easily inside the container, it’s written to the container’s /etc/hosts file.

343d16b177b9:~$ cat /etc/hosts
...
10.0.0.1	host.containers.internal host.docker.internal

1 Like
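Since the thread mentions that the address for reaching the host may change from 10.0.0.1 to 169.254.1.2, a script inside the container can read the address from /etc/hosts instead of hardcoding it. This is an added example, not part of the thread or of ns8-openssh; the function names host_gateway_ip and constructed_hosts are made up here, and the sample hosts content is constructed.

```shell
#!/bin/sh
# Added example: look up the address of the NS8 host from inside the OpenSSH
# container by reading the hosts file, so nothing breaks if the module moves
# from 10.0.0.1 to the podman default 169.254.1.2.

# host_gateway_ip [HOSTS_FILE]
# Prints the first IPv4 address mapped to host.containers.internal.
# Returns non-zero when the hosts file carries no such mapping.
host_gateway_ip() {
    hosts_file="${1:-/etc/hosts}"
    awk '
        { sub(/#.*/, "") }          # drop trailing and full-line comments
        NF < 2 { next }             # skip blank or address-only lines
        $1 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { next }   # IPv4 entries only
        {
            # The name can be any alias on the line, not only the first one.
            for (i = 2; i <= NF; i++)
                if ($i == "host.containers.internal") {
                    print $1
                    found = 1
                    exit
                }
        }
        END { exit(found ? 0 : 1) }
    ' "$hosts_file"
}

# constructed_hosts
# Prints a constructed hosts file shaped like the one quoted in the thread.
constructed_hosts() {
    printf '%s\n' '# constructed sample, not taken from a real system'
    printf '%s\n' '127.0.0.1 localhost' '::1 localhost'
    printf '10.0.0.1\thost.containers.internal host.docker.internal\n'
}

# Usage inside the container ("user" is a placeholder account name):
#   ssh "user@$(host_gateway_ip)"
```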

So far for my paranoid mode…

1 Like