ssh otp 
Install oathtool.
sudo apt-get install oathtool libpam-oath

Generate a secret.
export HEX_SECRET=$(head -10 /dev/urandom | md5sum | cut -b 1-30)

Generate the TOTP details, 6 digits long.
oathtool --verbose --totp $HEX_SECRET

Enter the base32 secret in Android FreeOTP.

Create and populate the /etc/security/users.oath file.
sudo bash -c "echo HOTP/T30 $USER - $HEX_SECRET >> /etc/security/users.oath"
sudo chmod 0600 /etc/security/users.oath

Forget the secret!

prefix /etc/pam.d/sshd with
auth sufficient usersfile=/etc/security/users.oath window=10 digits=6

Allow this in sshd and restart.
sudo sed -Ei -e 's/(ChallengeResponseAuthentication) no/\1 yes/' /etc/ssh/sshd_config
sudo service ssh restart

Test with
ssh localhost

You should see:
One-time password (OATH) for `USER':

To avoid otp for some users prefix /etc/pam.d/sshd with
auth [success=1 default=ignore] user in user1:user2

[ view entry ] ( 2008 views )   |  print article
sftp and port forward only login 
I need a ssh login for restricted portforward but without a shell for the user.

This got realized with /etc/ssh/sshd_config:
Subsystem sftp internal-sftp

Match user USER
PasswordAuthentication yes
AllowAgentForwarding no
X11Forwarding no
ForceCommand internal-sftp
PermitOpen localhost:22
ChrootDirectory /home/USER

"PermitOpen"restricts portforward to localhost:22 (remote port forward is not restricted)

But if the client needs a login shell this failes.

Well you could tell the client to not use a login shell:

ssh -N -L2222:IP:22 USER@SERVER

putty: SSH / Protocol Option enable "Don't start a shell or command at all"

or use an own loginshell where the user can only press return to disconnect:

Subsystem sftp internal-sftp

Match user USER
PasswordAuthentication yes
AllowAgentForwarding no
X11Forwarding no
ChrootDirectory /home/USER

sudo touch /home/USER/.hushlogin
sudo cp own_loginshell /home/USER/

simple program to print to stdout and read from stdin without libc

taken from

modified 2011 by Peter Holik (

gcc -nostdlib -nostartfiles -fno-builtin own_loginshell.c -o own_loginshell

/* Types - I've defined these just to match the kernel's macros, typedefs, and structs */
typedef unsigned int size_t;

/* Syscalls */
exit(int error_code) {
/* The asm call is a GCC thing that allows us to put assembly
* inline with our C code. This particular use is the extended version,
* which provides a very clean and easy way to map variables in
* our code with registers in the assembly code.
asm("int $0x80"
: // no output registers
: "a" (1), "b" (error_code)

size_t read(unsigned int fd, char * buf, size_t count) {
size_t ret;
/* In this call, we have a return value, which know will be
* of type size_t, so we put the value of %eax into ret.
asm("int $0x80"
: "=a" (ret)
: "a" (3), "b" (fd), "c" (buf), "d" (count)
return ret;

size_t write(unsigned int fd, const char * buf, size_t count) {
size_t ret;
asm("int $0x80"
: "=a" (ret)
: "a" (4), "b" (fd), "c" (buf), "d" (count)
return ret;

/* Notice that there is no main in this code, that is because
* main is not _really_ required. All that is _really_ required
* is the entry point for Linux to execute. I'd suggest
* always using a main() for compatibility reasons.
void _start() {
char *buf = "press enter to close connection";

write(1, buf, 31);
read(0, buf, 1);

[ view entry ] ( 2949 views )   |  print article
chrooted sftp only 
useradd -s /bin/false -m SFTPUSER
mkdir /home/SFTPUSER/.ssh
ssh-keygen -t rsa -b 2048 -N '' -f /home/SFTPUSER/.ssh/id_rsa
chmod 600 /home/SFTPUSER/.ssh/id_rsa

Subsystem       sftp    internal-sftp

Match user SFTPUSER
PasswordAuthentication no
AllowTcpForwarding no
X11Forwarding no
ForceCommand internal-sftp
ChrootDirectory /chroot
chown root:root /chroot
mkdir /chroot/SFTPUSERDIR

echo "put FILENAME" | \
sftp -oIdentityFile=/home/SFTPUSER/.ssh/id_rsa \
-oTCPKeepAlive=no -oServerAliveInterval=15 \

[ view entry ] ( 2426 views )   |  print article
secure rsync to only one directory 
I want to rsync to a remote host to a given directory.

ssh-keygen -t rsa
keyfilename: ~/.ssh/rsync
ssh-copy-id -i .ssh/rsync rsyncuser@remote-host

rsync files with ssh:
rsync -vaHxr --delete \
-e "ssh -i ~/.ssh/rsync -c arcfour -o Compression=no -x" \
LOCALDIR rsyncuser@remote-host:


ssh-dss 012345678...
limit access with from (optional).
On sucessfully ssh login command is executed.

[ view entry ] ( 2445 views )   |  print article
block ssh brute force attacs / prevent synflooding 
With iptables module recent you can limit the count of tcp connection attempts. In my case i allow only 3 ssh connection attempts per minute. This stops script kiddies doing ssh brute force attacs.
iptables -N synflood
iptables -A synflood -p tcp --dport ssh -m recent --set --name SSH
iptables -A synflood -p tcp --dport ssh -m recent --update \
--seconds 60 --hitcount 4 --name SSH -j DROP

iptables -A INPUT -p tcp -m state --state NEW -j synflood
iptables -A FORWARD -i $OUT -p tcp -m state --state NEW -j synflood

[ view entry ] ( 772 views )   |  print article

<<First <Back | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | Next> Last>>