Categories
Linux

SSH Access Without OS Shell in Gitlab

Exposing your GitLab server's SSH port on the internet can be dangerous, because an attacker who gets in can end up with shell access to the server itself. Here we show a way to enable SSH for Git without opening up the shell of the hosting OS.

Step 1: Run another SSH instance just for gitlab

Copy the sshd config file and create a symlink to the sshd binary in /usr/sbin:

sudo cp /etc/ssh/sshd_config /etc/ssh/gitlabsshd_config
cd /usr/sbin
sudo ln -s sshd gitlabsshd

Now open the copied sshd config file:

sudo vim /etc/ssh/gitlabsshd_config

And make the changes below in it (pick a random port of your own instead of 5446):

Port 5446
PasswordAuthentication no
AllowUsers git
PermitRootLogin no

Create a systemd service file:

sudo vim /lib/systemd/system/sshgitlab.service

And paste the config below into it:

[Unit]
Description=Gitlab Only Secure Shell server
Documentation=man:sshd(8) man:sshd_config(5)
After=network.target auditd.service
ConditionPathExists=!/etc/ssh/sshd_not_to_be_run
[Service]
ExecStart=/usr/sbin/gitlabsshd -D -f /etc/ssh/gitlabsshd_config
ExecReload=/usr/sbin/gitlabsshd -t
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartPreventExitStatus=255
Type=notify
[Install]
WantedBy=multi-user.target
Alias=gitlabsshd.service

Reload the systemd daemon, then enable and start the service:

sudo systemctl daemon-reload
sudo systemctl enable sshgitlab
sudo systemctl start sshgitlab

Step 2: Configure gitlab.rb

Open the GitLab config file:

sudo vim /etc/gitlab/gitlab.rb

Find ‘gitlab_shell_ssh_port’ and set it to the port you chose in the previous step:

gitlab_rails['gitlab_shell_ssh_port'] = 5446

Reconfigure GitLab:

sudo gitlab-ctl reconfigure

Step 3: Open SSH port on your firewall

This step varies depending on which firewall you use, but with iptables the command below opens the port:

sudo iptables -A INPUT -p tcp --dport 5446 -m state --state NEW -j ACCEPT

Now you can use Git over SSH, but users cannot get a shell on your OS.
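Because the copied file starts life as your full sshd_config, it is easy to leave a stock directive in place that undoes one of the four changes from Step 1. The script below is an added example, not part of the original post, that audits a config file for exactly those settings using sshd_config's own parsing rules (case-insensitive keywords, "#" comments, "Key=value" as well as "Key value", and first occurrence wins for most keywords). It works on two constructed sample files written to temp paths; run it as `audit_gitlab_sshd /etc/ssh/gitlabsshd_config 5446` against the real file. The shell restriction itself comes from the forced command GitLab writes into the git user's authorized_keys; this check only covers the sshd side of the setup.

```shell
#!/bin/sh
# Added example: audit a copied sshd_config for the settings Step 1 changes.
# Not part of the original post. Usage: audit_gitlab_sshd <config> <port>

# Print the effective value of one sshd_config keyword.
# Rules applied: keywords are case-insensitive, "#" starts a comment,
# "Key value" and "Key=value" are both accepted, and for most keywords the
# FIRST occurrence wins. Parsing stops at the first Match block, whose
# settings are conditional and out of scope for this check.
sshd_opt() {   # sshd_opt <config> <keyword>
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, ""); sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        $0 == "" { next }
        tolower($1) == "match" { exit }
        {
            line = $0
            # normalise "Key=value" / "Key = value" to "Key value"
            if (match(line, /^[^ \t=]+[ \t]*=[ \t]*/)) {
                k = substr(line, 1, RLENGTH); sub(/[ \t]*=[ \t]*$/, "", k)
                line = k " " substr(line, RLENGTH + 1)
            }
            split(line, f, /[ \t]+/)
            if (tolower(f[1]) == key) {
                sub(/^[^ \t]+[ \t]*/, "", line); print line; exit
            }
        }' "$1"
}

# Compare one keyword against its required value (case-insensitive).
check_opt() {   # check_opt <config> <keyword> <expected>
    got=$(sshd_opt "$1" "$2")
    if [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$3" | tr 'A-Z' 'a-z')" ]; then
        return 0
    fi
    echo "FAIL: $2 is '${got:-unset}', expected '$3'"
    return 1
}

# Return 0 only if every setting from Step 1 is in force. An unset
# PasswordAuthentication or PermitRootLogin counts as a failure, because
# sshd's defaults ("yes" and "prohibit-password") are not what we want.
audit_gitlab_sshd() {   # audit_gitlab_sshd <config> <expected-port>
    rc=0
    check_opt "$1" Port "$2"                 || rc=1
    check_opt "$1" PasswordAuthentication no || rc=1
    check_opt "$1" PermitRootLogin no        || rc=1
    check_opt "$1" AllowUsers git            || rc=1
    # AllowUsers lines accumulate rather than overriding each other, so a
    # second uncommented AllowUsers line would widen access: require exactly one.
    if [ "$(grep -ci '^[[:space:]]*AllowUsers' "$1")" != 1 ]; then
        echo "FAIL: expected exactly one AllowUsers line"; rc=1
    fi
    return $rc
}

# Two constructed sample files: the hardened config from the post, and a
# stock sshd_config that was copied but left unedited.
write_samples() {
    GOOD_CFG=$(mktemp); BAD_CFG=$(mktemp)
    cat >"$GOOD_CFG" <<'EOF'
# constructed sample: /etc/ssh/gitlabsshd_config after Step 1
Port 5446
PasswordAuthentication no
AllowUsers git
PermitRootLogin no
Subsystem sftp /usr/lib/openssh/sftp-server
EOF
    cat >"$BAD_CFG" <<'EOF'
# constructed sample: copied but not edited, with a trap or two
#Port 22
PasswordAuthentication yes
PasswordAuthentication no      # ignored: sshd keeps the first value
PermitRootLogin = prohibit-password
AllowUsers git
Match User git
    PasswordAuthentication no
EOF
}

write_samples
for f in "$GOOD_CFG" "$BAD_CFG"; do
    if audit_gitlab_sshd "$f" 5446; then echo "$f: OK"; else echo "$f: needs fixing"; fi
done
rm -f "$GOOD_CFG" "$BAD_CFG"
```

The second sample shows the traps the audit is for: the stock `#Port 22` leaves the port unset, the duplicate PasswordAuthentication keeps its first value "yes", and the `PermitRootLogin = prohibit-password` form is parsed and still rejected.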

Categories
Automation Linux

Using Putty to Automate Cisco Devices

Sometimes you want to automate cumbersome tasks on your Cisco devices. In my case I am dealing with an old 3750 core router running IOS 12.x, and I don’t want to log in to it manually every time I want to change a config or shut down an interface. So I thought I could use the ssh command to access the device and automate it. But ssh doesn’t help at all, due to the exec channel issue on Cisco: you can’t send multiple lines of commands to the device via the ssh command.

After searching for a while I figured out that I can use Plink instead of ssh. Plink is part of the PuTTY project; Windows users can download it from here, and Linux users can install it from the command line.

Using Plink, it is easy to communicate with your Cisco devices. One way I automate some of my tasks is the following:

#!/bin/sh

plink -hostkey a7:98:f8:db:87:0d:fc:ec:4e:00:00:00:00:a8:fe:a8 -ssh -l USERNAME 1.1.1.1 -pw PASSWORD < /home/automate_change_vlan_101_103/commands101.txt

As you can see, I redirect a file, commands101.txt, into Plink’s standard input; inside this file I put my Cisco commands.

conf t
interface gi1/0/22
 no shutdown
do wr
exit
exit
exit

Breakdown:

The only thing you need to know is that you need the fingerprint of your device’s SSH host key. The -hostkey option hands that fingerprint to Plink, so Plink runs in silent mode and won’t prompt you to accept the host key.

Happy Automating!
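The one-liner above hard-codes a single interface and puts the password on the command line, where it shows up in `ps` output and in shell history. The script below is an added example, not from the original post: it generates the command file for any number of interfaces (refusing anything that does not look like an IOS interface name, since every line of the file is executed verbatim in enable mode), and it invokes Plink with -batch and the password read from a file instead of -pw. The device address, username, fingerprint and password-file path are placeholders; -pwfile is assumed to be available, which needs PuTTY 0.77 or newer.

```shell
#!/bin/sh
# Added example (not from the original post): build the command file that is
# fed to Plink on stdin, for one or more interfaces, and run Plink without the
# password on the command line. DEVICE, USERNAME, the fingerprint and the
# password-file path below are placeholders, not values from the post.

# Print an IOS command sequence that brings the given interfaces up or down.
# $1 is "up" or "down"; the remaining arguments are interface names such as gi1/0/22.
build_commands() {
    state="$1"; shift
    case "$state" in
        up)   action="no shutdown" ;;
        down) action="shutdown" ;;
        *)    echo "build_commands: state must be up or down" >&2; return 1 ;;
    esac
    [ $# -gt 0 ] || { echo "build_commands: no interfaces given" >&2; return 1; }
    echo "conf t"
    for iface in "$@"; do
        # Only letters, digits, '/', '.' and '-', starting with a letter and
        # ending with a digit: anything else would be sent to the device as-is.
        case "$iface" in
            *[!A-Za-z0-9/.-]*|[!A-Za-z]*|*[!0-9])
                echo "build_commands: bad interface name '$iface'" >&2; return 1 ;;
        esac
        echo "interface $iface"
        echo " $action"
    done
    echo "do wr"
    echo "exit"   # leave interface configuration mode
    echo "exit"   # leave global configuration mode
    echo "exit"   # close the exec session so Plink returns
}

# Run Plink the way the post does (commands on stdin, pinned host key), but
# with -batch so it never waits on a prompt, and with the password read from a
# file that only the operator can read instead of -pw on the command line.
# -pwfile requires PuTTY 0.77 or newer (assumption about the installed version).
run_plink() {   # run_plink <device> <user> <hostkey-fingerprint> <pwfile> <cmdfile>
    plink -batch -hostkey "$3" -ssh -l "$2" -pwfile "$4" "$1" < "$5"
}

# Demo: generate and show the command file for two interfaces. The Plink call
# is only printed here, so the script runs without a device present.
cmdfile=$(mktemp)
build_commands up gi1/0/22 gi1/0/23 > "$cmdfile"
cat "$cmdfile"
echo "# would run: run_plink 192.0.2.10 USERNAME FINGERPRINT_FROM_YOUR_DEVICE ~/.cisco_pw $cmdfile"
rm -f "$cmdfile"
```

Create the password file with `umask 077` so it is readable only by the account running the job, and keep the fingerprint pinned with -hostkey as in the post: with -batch, a changed host key makes Plink fail instead of silently connecting to a different box.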

Categories
Linux

After configuring Ubuntu to use LDAP, ssh login becomes too slow

This is a common symptom of misbehaviour of systemd-logind. I still couldn’t find out what is really happening underneath this service, but if you experience such issues you can try restarting the service using the following command:

sudo service systemd-logind restart

and make sure to run this command on the console, not just over ssh.

If anyone knows more about the underlying components of systemd-logind, please give me some more information about it.