{"id":7131,"date":"2022-04-10T17:17:58","date_gmt":"2022-04-10T15:17:58","guid":{"rendered":"https:\/\/milchyn.cz\/?page_id=7131"},"modified":"2025-12-29T14:12:32","modified_gmt":"2025-12-29T14:12:32","slug":"sifrovane-spojeni-ssh","status":"publish","type":"page","link":"https:\/\/milchyn.cz\/sifrovane-spojeni-ssh","title":{"rendered":"Encrypted connection &#8211; ssh"},"content":{"rendered":"<a id=\"instalace_program\u016f\"><\/a><div class=\"mch-acr\"><div class=\"mch-acr-title\" role=\"button\" tabindex=\"0\" aria-expanded=\"false\" aria-controls=\"mch-acr-content-12\">Installing the programs<\/div><div id=\"mch-acr-content-12\" class=\"mch-acr-content\" hidden>\n<h5>Client side<\/h5>\n<p>A group of commands for copying data, forwarding ports (tunneling) and connecting as a terminal, all over an encrypted connection to the target side (the server), where the <code>sshd<\/code> service listens.<\/p>\n<p>\ud83d\udcbb <code>sudo apt install openssh-client<\/code><\/p>\n<h5>Server side<\/h5>\n<p>The target side, where the <code>sshd<\/code> service runs, listening on port <code>22<\/code> by default. The installation also includes the client.<\/p>\n<p>\ud83d\udcbb <code>sudo apt install openssh-server<\/code><\/p>\n<\/div><\/div>\n<a id=\"um\u00edst\u011bn\u00ed_ssh_autorizace_a_kl\u00ed\u010d\u016f\"><\/a><div class=\"mch-acr\"><div class=\"mch-acr-title\" role=\"button\" tabindex=\"0\" aria-expanded=\"false\" aria-controls=\"mch-acr-content-13\">Location of ssh authorization and keys<\/div><div id=\"mch-acr-content-13\" class=\"mch-acr-content\" hidden>\n<p>Deny read and write access to everyone except the owning user, on the whole <code>~\/.ssh<\/code> directory.<\/p>\n<p>\ud83d\udcbb <code>mkdir ~\/.ssh<\/code><\/p>\n<p>\ud83d\udcbb <code>chmod -R u+w,go-rwx ~\/.ssh<\/code><\/p>\n<h5>Client side<\/h5>\n<p>Here it is mainly about the files of the private key <em>(without the .pub extension)<\/em> and the associated public key <em>(with the .pub extension)<\/em>.<\/p>\n<pre>~\/.ssh\/uzivatel@hostname_key\n~\/.ssh\/uzivatel@hostname_key.pub<\/pre>\n<p>On the client you can preset for the user which key is to be used when none is given in the <code>ssh<\/code> command after the <code>-i ...<\/code> parameter, in the file<\/p>\n<p>\ud83d\udcbb <code>vi ~\/.ssh\/config<\/code><\/p>\n<p>Insert:<\/p>\n<pre>Host *\n&nbsp;&nbsp;&nbsp;&nbsp;IdentityFile ~\/.ssh\/uzivatel@hostname_key<\/pre>\n<h5>Server side<\/h5>\n<p>Here on the target side the main file is the authorization file <code>authorized_keys<\/code>, which holds the contents of the clients' public keys, optionally with further restrictions; the clients listed there are thereby allowed to establish a connection.<\/p>\n<\/div><\/div>\n
<a id=\"vygenerov\u00e1n\u00ed_ssh_kl\u00ed\u010de\"><\/a><div class=\"mch-acr\"><div class=\"mch-acr-title\" role=\"button\" tabindex=\"0\" aria-expanded=\"false\" aria-controls=\"mch-acr-content-14\">Generating an ssh key<\/div><div id=\"mch-acr-content-14\" class=\"mch-acr-content\" hidden>\n<h5>Client side<\/h5>\n<p>An example of creating a key of type <samp>ed25519<\/samp>, named by combining the user name, their hostname and optionally the provided port (assembled into the variable <code>NAME<\/code>). During generation you are asked to choose a passphrase for the ssh key. The result is two files; the public part, the file with the <code>.pub<\/code> extension, is handed to the target side, which inserts its contents into the <code>authorized_keys<\/code> authorization file of the target user and thereby allows the client to log in over ssh.<br \/>\nIn the file <code>~\/.ssh\/config<\/code> the use of the ssh key is predefined, so that it does not have to be given in the <code>ssh<\/code> command via the <code>-i<\/code> parameter. The key is generated as the user, without <code>sudo<\/code>, so that the files in <code>~\/.ssh<\/code> stay owned by that user.<\/p>\n<p>\ud83d\udcbb <code>NAME=&quot;`whoami`@`hostname -s`&quot;<\/code><\/p>\n<p>\ud83d\udcbb <code>ssh-keygen -t ed25519 -C &quot;${NAME}_key&quot; -f ~\/.ssh\/${NAME}_key<\/code><\/p>\n<p>\ud83d\udcbb <code>echo -e &quot;Host *\\n    IdentityFile ~\/.ssh\/${NAME}_key&quot; | tee -a ~\/.ssh\/config<\/code><\/p>\n<p>\ud83d\udcbb <code>chmod -R u+w,go-rwx ~\/.ssh<\/code><\/p>\n<\/div><\/div>\n<a id=\"omezen\u00ed_p\u0159\u00edstupu_na_sshd_server_pouze_na_autentikaci_kl\u00ed\u010de\"><\/a><div class=\"mch-acr\"><div class=\"mch-acr-title\" role=\"button\" tabindex=\"0\" aria-expanded=\"false\" aria-controls=\"mch-acr-content-15\">Restricting access to the sshd server to key authentication only<\/div><div id=\"mch-acr-content-15\" class=\"mch-acr-content\" hidden>\n<h5>Server side<\/h5>\n<p>The sshd server allows a user to authenticate with the same password as their Linux login (the root user does not have this enabled by default). The connection stays encrypted; the only advantage is perhaps that logging in does not require keys to be set up on the client and the server. Using keys, however, gives a more targeted control of access and permissions, which strengthens security more. In principle: turn off login via the login password and leave authentication to the key and its passphrase. This is a change in the configuration file:<\/p>\n<p>\ud83d\udcbb <code>sudo vi \/etc\/ssh\/sshd_config<\/code><\/p>\n<p>Insert:<\/p>\n<pre>PasswordAuthentication no\nStrictModes no\nChallengeResponseAuthentication no\nUsePAM no\nPrintMotd no\nAcceptEnv LANG LC_*\nSubsystem sftp \/usr\/lib\/openssh\/sftp-server<\/pre>\n<p><code>StrictModes no<\/code> turns off sshd's check that the user's <code>~\/.ssh<\/code> files are not writable by others, so keep their permissions tight as described above.<\/p>\n<h5>\u26a0\ufe0f Beware of cloud-init on a server installation<\/h5>\n<p>The <code>PasswordAuthentication no<\/code> parameter is overridden by the same parameter, set to allow, coming from <code>cloud-init<\/code>, which still permits logging in via the classic login.<br \/>\nUninstall it.<\/p>\n<p>\ud83d\udcbb <code>sudo apt remove --purge cloud-init<\/code><\/p>\n<p>\ud83d\udcbb <code>sudo rm -rf \/etc\/cloud \/var\/lib\/cloud \/etc\/ssh\/sshd_config.d\/50-cloud-init.conf<\/code><\/p>\n<h5>Applying the changes<\/h5>\n<p>\ud83d\udcbb <code>sudo systemctl reload sshd.service<\/code><\/p>\n<p>on a server installation<\/p>\n<p>\ud83d\udcbb <code>sudo systemctl reload ssh<\/code><\/p>\n<\/div><\/div>\n
<a id=\"autorizace_a_restrikce_p\u0159\u00edstupu_klienta_na_sshd_server\"><\/a><div class=\"mch-acr\"><div class=\"mch-acr-title\" role=\"button\" tabindex=\"0\" aria-expanded=\"false\" aria-controls=\"mch-acr-content-16\">Authorization and restriction of client access to the sshd server<\/div><div id=\"mch-acr-content-16\" class=\"mch-acr-content\" hidden>\n<p>An accepted client has, on the target sshd server, the contents of its public key file (the file with the .pub extension) appended to the authorization file <code>~\/.ssh\/authorized_keys<\/code> of the user it logs in as. In the authorization file there is one line per client, and the added restrictions for a given client are placed on the same line as its public key. Restrictions are especially necessary for keys without a passphrase (the case of unattended connection establishment).<\/p>\n<p>An example of full restrictions, where the target ignores the command supplied by the client and replies only with an echo (to ignore it with no response you can use: <code>command=&quot;\/bin\/true&quot;<\/code>):<\/p>\n<pre>command=&quot;\/bin\/echo ECHO: $SSH_ORIGINAL_COMMAND&quot;,no-X11-forwarding,no-agent-forwarding,no-user-rc,no-pty &lt;client's public key&gt;<\/pre>\n<\/div><\/div>\n<a id=\"u\u017eivatel_pro_navazov\u00e1n\u00ed_tunnel_spojen\u00ed\"><\/a><div class=\"mch-acr\"><div class=\"mch-acr-title\" role=\"button\" tabindex=\"0\" aria-expanded=\"false\" aria-controls=\"mch-acr-content-17\">A user for establishing tunnel connections<\/div><div id=\"mch-acr-content-17\" class=\"mch-acr-content\" hidden>\n<p>To let, for example, an admin with a fixed public IP reach a client that has no fixed public IP and sits behind NAT, an <mark>encrypted ssh tunnel<\/mark> established by the client can be used. <mark>Establishing the ssh tunnel connection only provides a port through which one can log back in to the client, now with a passphrase-protected ssh login<\/mark>.<\/p>\n<p>For security reasons it is best to <mark>establish the tunnel connection only under a user with rights restricted for that purpose<\/mark>.<\/p>\n<h5>On the client: Creating the user \"tunnel\" only for establishing tunnel connections<\/h5>\n<p>The chosen ID <code>1999<\/code> for the user <code>tunnel<\/code> must be unique on the client (if it already exists, choose another).<br \/>\nThe ssh target port <code>55520<\/code> provided by the client must be unique on the admin machine, otherwise choose another one for it.<br \/>\nFor clarity I chose here to name the ssh key by combining the user tunnel, the client's hostname and the provided port (assembled into the variable <code>NAME<\/code>). A passphrase-less ssh key is created, two files, whose public part (the file with the <code>.pub<\/code> extension) is handed to the admin, who inserts it into their authorization file and thereby allows the client to establish the ssh tunnel connection.<br \/>\nFinally, the access rights to the hidden directory <code>\/home\/.tunnel<\/code> are restricted.<\/p>\n<p>\ud83d\udcbb <code>sudo useradd -u 1999 -g 65534 -c &quot;Pro tunelovani portu&quot; -Md \/home\/.tunnel -s \/bin\/false -o tunnel<\/code><\/p>\n<p>\ud83d\udcbb <code>sudo mkdir -p \/home\/.tunnel\/.ssh<\/code><\/p>\n<p>\ud83d\udcbb <code>NAME=&quot;tunnel@`hostname -s`&quot;<\/code><\/p>\n<p>\ud83d\udcbb <code>sudo ssh-keygen -t ed25519 -N &quot;&quot; -C &quot;${NAME}_key&quot; -f \/home\/.tunnel\/.ssh\/${NAME}_key<\/code><\/p>\n<p>\ud83d\udcbb <code>sudo chown -R tunnel:nogroup \/home\/.tunnel<\/code><\/p>\n<p>\ud83d\udcbb <code>sudo chmod -R u-w,go-rwx \/home\/.tunnel<\/code><\/p>\n<h5>On the admin machine: Creating a user only for establishing tunnel connections<\/h5>\n<p>The principle is the same as on the client, with the difference that instead of generating a key, the authorization file <code>authorized_keys<\/code> is created, containing the public part of the client's ssh key (the contents of the file with the <code>.pub<\/code> extension) and <mark>a restriction of rights to the tunnel connection only and only to a specific port<\/mark> <code>55520<\/code>. In the example here the file name uses a generic hostname, <code>tunnel@hostname_key.pub<\/code>, and its contents are added to the <code>authorized_keys<\/code> file with an <code>echo<\/code> command. Because the client establishes the tunnel with <code>-R<\/code> (remote forwarding), the listening port is limited with the <code>permitlisten<\/code> option; <code>permitopen<\/code> limits only local forwarding with <code>-L<\/code>.<br \/>\nFinally, the access rights to the whole directory <code>\/home\/.tunnel<\/code> are restricted.<\/p>\n<p>\ud83d\udcbb <code>sudo useradd -u 1999 -g 65534 -c &quot;Pro tunelovani portu&quot; -Md \/home\/.tunnel -s \/bin\/false -o tunnel<\/code><\/p>\n<p>\ud83d\udcbb <code>sudo mkdir -p \/home\/.tunnel\/.ssh<\/code><\/p>\n<p>\ud83d\udcbb <code>echo &#039;permitlisten=&quot;localhost:55520&quot;,command=&quot;\/bin\/true&quot;,no-X11-forwarding,no-agent-forwarding,no-user-rc,no-pty&#039; `sudo cat \/home\/.tunnel\/.ssh\/&#039;tunnel@hostname_key.pub&#039;` |sudo tee -a \/home\/.tunnel\/.ssh\/authorized_keys<\/code><\/p>\n<p>\ud83d\udcbb <code>sudo chown -R tunnel:nogroup \/home\/.tunnel<\/code><\/p>\n<p>\ud83d\udcbb <code>sudo chmod -R u-w,go-rwx \/home\/.tunnel<\/code><\/p>\n<\/div><\/div>\n
<a id=\"na_klientu_nav\u00e1z\u00e1n\u00ed_tunnel_spojen\u00ed_s_adminem\"><\/a><div class=\"mch-acr\"><div class=\"mch-acr-title\" role=\"button\" tabindex=\"0\" aria-expanded=\"false\" aria-controls=\"mch-acr-content-18\">On the client: Establishing the tunnel connection with the admin<\/div><div id=\"mch-acr-content-18\" class=\"mch-acr-content\" hidden>\n<p>When the connection is established successfully, the command does not return a prompt. To end the connection, press <code>Ctrl<\/code> + <code>c<\/code>. Note that <code>StrictHostKeyChecking=no<\/code> accepts an unknown host key of the admin machine automatically, so it is not verified on the first connection.<\/p>\n<p>\ud83d\udcbb <code>sudo -u tunnel ssh -v -CXNn -F \/dev\/null -o IdentitiesOnly=yes -o StrictHostKeyChecking=no -o ConnectTimeout=7 -o ConnectionAttempts=1 -o ServerAliveCountMax=2 -o ServerAliveInterval=120 -TR 55520:localhost:22 -i \/home\/.tunnel\/.ssh\/&#039;tunnel@hostname_key&#039; tunnel@admin.server.com<\/code><\/p>\n<\/div><\/div>\n<a id=\"p\u0159\u00edklad_sd\u00edlen\u00ed_samba_soborov\u00e9ho_syst\u00e9mu_p\u0159es_tunnel\"><\/a><div class=\"mch-acr\"><div class=\"mch-acr-title\" role=\"button\" tabindex=\"0\" aria-expanded=\"false\" aria-controls=\"mch-acr-content-19\">Example of sharing a SAMBA file system through a tunnel<\/div><div id=\"mch-acr-content-19\" class=\"mch-acr-content\" hidden>\n<p>This is encrypted tunneling: the server provides its SAMBA port to the client, authenticated with a passphrase-less ssh key used only for unattended connection establishment, while the client is at the same time restricted solely to the purpose of tunneling (taking over) the SAMBA port.<\/p>\n<p>Through the tunnel the client brings samba port 445 from the target server to itself as a local port, e.g. 55445. Once this port tunnel is active, the file share can be reached locally on port 55445 (localhost).<\/p>\n<h5>On the client: Generating a passphrase-less key for establishing the tunnel connection<\/h5>\n<p>With the <code>-N &quot;&quot;<\/code> parameter the key is generated directly without a passphrase. The files created are: <code>~\/.ssh\/samba@hostname_NOPWD_key<\/code> and <code>~\/.ssh\/samba@hostname_NOPWD_key.pub<\/code><\/p>\n<p>\ud83d\udcbb <code>ssh-keygen -t ed25519 -N &quot;&quot; -C &quot;samba@hostname_NOPWD_key&quot; -f ~\/.ssh\/samba@hostname_NOPWD_key<\/code><\/p>\n<h5>On the server: Setting restrictions for passphrase-less establishment of a mere tunnel connection<\/h5>\n<p>A line containing the rules restricting the connection and the contents of the client's public key file is added to <code>~\/.ssh\/authorized_keys<\/code>. I do not describe how to copy this public key from the client to the server beforehand. The line must not contain <code>no-port-forwarding<\/code>, which would forbid all forwarding and thereby also the tunnel to port 445 that <code>permitopen<\/code> is meant to allow.<\/p>\n<p>\ud83d\udcbb <code>echo &#039;permitopen=&quot;localhost:445&quot;,command=&quot;\/bin\/true&quot;,no-X11-forwarding,no-agent-forwarding,no-user-rc,no-pty&#039; `cat ~\/.ssh\/samba@hostname_NOPWD_key.pub` &gt;&gt; ~\/.ssh\/authorized_keys<\/code><\/p>\n<p>\ud83d\udcbb <code>cat ~\/.ssh\/authorized_keys<\/code><\/p>\n<h5>On the client: Taking over port 445 from the server through the tunnel connection and providing it locally as 55445<\/h5>\n<p>For testing, the <code>-v<\/code> parameter (debug mode) is added and <code>-q<\/code> is not used, so that the output is not suppressed. On success, the output can be suppressed by removing <code>-v<\/code> and adding <code>-q<\/code>.<\/p>\n<p>\ud83d\udcbb <code>ssh -v -CXNn -F \/dev\/null -o IdentitiesOnly=yes -o StrictHostKeyChecking=no -o ConnectTimeout=7 -o ConnectionAttempts=1 -o ServerAliveCountMax=2 -o ServerAliveInterval=120 -L 55445:localhost:445 -i ~\/.ssh\/samba@hostname_NOPWD_key uzivatel@cilovy.server.com<\/code><\/p>\n<p>Since the established ssh tunnel connection does not return a prompt (it can be ended with [Ctrl] + c), test from another terminal on the client that the tunnel passes traffic<\/p>\n<p>\ud83d\udcbb <code>nc -vzw 1 localhost 55445 &amp;&amp; echo OK || echo FAILED<\/code><\/p>\n<p>If the nc command returns \"<strong>OK<\/strong>\" and at the same time the ssh tunnel connection does <strong>not<\/strong> print the error \"<em><strong>channel 1: open failed: administratively prohibited: open failed<\/strong><\/em>\", you can try mounting the file share.<\/p>\n<p>Beyond that it depends a lot on the configuration on the samba server side, so just as an illustration, an example of mounting the share named \"ShareDir\" on the directory \"\/mnt\".<\/p>\n<p>\ud83d\udcbb <code>sudo mount.cifs -o username=uzivatel,port=55445 \/\/localhost\/ShareDir \/mnt<\/code><\/p>\n<\/div><\/div>\n
<a id=\"vygenerov\u00e1n\u00ed_ssh_kl\u00ed\u010de_pro_sftp_spojen\u00ed_z_mobilu\"><\/a><div class=\"mch-acr\"><div class=\"mch-acr-title\" role=\"button\" tabindex=\"0\" aria-expanded=\"false\" aria-controls=\"mch-acr-content-20\">Generating an ssh key for an sftp connection from a mobile phone<\/div><div id=\"mch-acr-content-20\" class=\"mch-acr-content\" hidden>\n<p>It must be in PEM format:<\/p>\n<p>\ud83d\udcbb <code>ssh-keygen -t ed25519 -m PEM -C &quot;mobil&quot; -f ~\/.ssh\/mobil_key<\/code><\/p>\n<p>Note that ssh-keygen writes ed25519 private keys only in its own OpenSSH format and ignores <code>-m PEM<\/code> for them; a client that really requires a PEM private key needs a key type that supports it, e.g. <code>-t rsa<\/code>.<\/p>\n<\/div><\/div>\n<a id=\"akceptace_pouze_souboru_kl\u00ed\u010de_v_ssh_parametru_i\"><\/a><div class=\"mch-acr\"><div class=\"mch-acr-title\" role=\"button\" tabindex=\"0\" aria-expanded=\"false\" aria-controls=\"mch-acr-content-21\">Accepting only the key file given in the ssh \"-i\" parameter \ud83c\udd98<\/div><div id=\"mch-acr-content-21\" class=\"mch-acr-content\" hidden>\n<p>Prevents the preset key from <samp>~\/.ssh\/config<\/samp> (and keys offered by the agent) from being tried instead of the one given in the ssh parameter \"<samp>-i kl\u00ed\u010d_key<\/samp>\".<\/p>\n<p><code>ssh -F \/dev\/null -o IdentitiesOnly=yes ...<\/code><\/p>\n<\/div><\/div>\n<a id=\"zak\u00e1z\u00e1n\u00ed_zad\u00e1v\u00e1n\u00ed_ssh_hesla_p\u0159es_dialogov\u00e9ho_okno\"><\/a><div class=\"mch-acr\"><div class=\"mch-acr-title\" role=\"button\" tabindex=\"0\" aria-expanded=\"false\" aria-controls=\"mch-acr-content-22\">Disabling ssh passphrase entry through a dialog window \ud83c\udd98<\/div><div id=\"mch-acr-content-22\" class=\"mch-acr-content\" hidden>\n<p>When the ssh command is used in the xfce4 terminal, a dialog window for the passphrase appears instead of staying on the command line.<\/p>\n<p>This can be prevented with the <samp>unset SSH_AUTH_SOCK<\/samp> command in the terminal, or for the whole environment in <samp>~\/.bashrc<\/samp>; note that this also stops ssh from using the ssh agent in that shell.<\/p>\n<\/div><\/div>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":1,"featured_media":0,"parent":6311,"menu_order":888,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-7131","page","type-page","status-publish","hentry"]}