ssh

Automaticallt start ssh agent and add keys on login
Some common options for ssh-keygen ( OpenSSH)
(Re)create known_hosts file
Generate a new key pair
Copying the Public Key to the Server
Given a private key, check which public key matches it
Given a private key, regenerate the public key
Use openssl to convert an ssh format private key to pem format (neatly justified and with header and trailer lines)
Use openssl to generate a public key in pem format from a pem format private key
How to set up SSH so I don't have to type a password
scp files to server adding automatically to known_hosts
Problems?
Client is still asking for password even though keys are setup?
References
Use openssl to encrypt or decrypt a file
Start an OpenVPN client manually from the command-line
Connect to a server manually using OpenVPN from the command-line
Tunneling
Regenerate a public key from a private key
A small script (seems to originate from Oracle) that sets up ssh keys between 2 machines
A bigger (more elaborate) script that I also found embedded in an Oracle setup
Add this to /etc/ssh/sshrc to get the magic cookies added automatically

ProxyJump, configured in .ssh/config makes connecting to customers' servers childsplay, no more tunneling headaches.

The Black Magic Of SSH / SSH Can Do That?

Automaticallt start ssh agent and add keys on login

Add this to .profile

SSH_ENV="$HOME/.ssh/environment"
function start_agent {
    echo "Initialising new SSH agent..."
    /usr/bin/ssh-agent | sed 's/^echo/#echo/' > "${SSH_ENV}"
    echo succeeded
    chmod 600 "${SSH_ENV}"
    . "${SSH_ENV}" > /dev/null
    /usr/bin/ssh-add;
}
# Source SSH settings, if applicable
if [ -f "${SSH_ENV}" ]; then
    . "${SSH_ENV}" > /dev/null
    ps -ef | grep ${SSH_AGENT_PID} | grep ssh-agent$ > /dev/null || {
        start_agent;
    }
else
    start_agent;
fi

Some common options for ssh-keygen ( OpenSSH)

-b “Bits” This option specifies the number of bits in the key. The regulations that govern the use case for SSH may require a specific key length to be used. In general, 2048 bits is considered to be sufficient for RSA keys.

-e “Export” This option allows reformatting of existing keys between the OpenSSH key file format and the format documented in RFC 4716, “SSH Public Key File Format”.

-p “Change the passphrase” This option allows changing the passphrase of a private key file with [-P old_passphrase] and [-N new_passphrase], [-f keyfile].

-t “Type” This option specifies the type of key to be created. Commonly used values are: - rsa for RSA keys - dsa for DSA keys - ecdsa for elliptic curve DSA keys

-i "Input" When ssh-keygen is required to access an existing key, this option designates the file.

-f "File" Specifies name of the file in which to store the created key.

-N "New" Provides a new passphrase for the key.

-P "Passphrase" Provides the (old) passphrase when reading a key.

-c "Comment" Changes the comment for a keyfile.

-p Change the passphrase of a private key file.

-q Silence ssh-keygen.

-v Verbose mode.

-l "Fingerprint" Print the fingerprint of the specified public key.

-B "Bubble babble" Shows a "bubble babble" (Tectia format) fingerprint of a keyfile.

-F Search for a specified hostname in a known_hosts file.

-R Remove all keys belonging to a hostname from a known_hosts file.

-y Read a private OpenSSH format file and print an OpenSSH public key to stdout.

This only listed the most commonly used options. For full usage, including the more exotic and special-purpose options, use the man ssh-keygen command.

(Re)create known_hosts file

If the fingerprints get messed up, regenerate a hosts file by scanning it.

ssh-keyscan example.com > known_hosts

Generate a new key pair

First generate a private key

ssh-keygen -t rsa -b 2048 -f ~/.ssh/id_rsa

then generate a public key from the private key

ssh-keygen -y -f ~/.ssh/id_rsa

Copying the Public Key to the Server

In order to access a remote server, the public key needs to be added to the authorized_keys file on that server

ssh-copy-id -i ~/.ssh/id_rsa.pub username@remoteserver

Given a private key, check which public key matches it

The -l flag will also show the strength of the key and any comments

ssh-keygen -l -f ~/.ssh/id_rsa

do the same thing with openssl (for pem format)

openssl rsa -in ~/.ssh/id_rsa -pubout -outform pem -check

Given a private key, regenerate the public key

Sends the public key to stdout so redirect to a file to keep it. This format is suitable to add to ~/.ssh/authorized_keys

ssh-keygen -y -f ~/.ssh/id_rsa

Use openssl to convert an ssh format private key to pem format (neatly justified and with header and trailer lines)

openssl rsa -in id_rsa -outform pem > id_rsa.pem

Use openssl to generate a public key in pem format from a pem format private key

openssl rsa -in id_rsa -pubout -outform pem > id_rsa.pub.pem

How to set up SSH so I don't have to type a password

Using an ssh keypair enables us to scp files from machine to machine without needing a password
The private key MUST remain private - if anyone gets hold of it, they can also transfer files to the remote machine.
The private key stays on the local machine, the public key goes out to anyone who wants it!
Or put another way, private key is on the sending machine, public key is on the receiving machine.

Generate a key-pair

Run

ssh-keygen -t rsa

to generate an RSA keypair. You now have 2 keys. The public key is stored in $HOME/.ssh/id_rsa.pub, and your private key is in $HOME/.ssh/id_rsa.

Upload public key to remote machine

Either use ssh-copy-id

/usr/bin/ssh-copy-id -i $HOME/.ssh/id_rsa remote_user@remote_host

cat .ssh/id_rsa.pub | ssh remote_user@remote_host 'cat >> ~/.ssh/authorized_keys'

scp $HOME/.ssh/id_rsa.pub $REMOTE_HOST:/tmp

cat /tmp/id_rsa.pub >>$HOME/.ssh/authorized_keys

Check file permissions
authorized_keys and id_rsa have to be 600
id_rsa.pub can be 644

ls -al ~/.ssh/id_rsa
ls -al ~/.ssh/id_rsa.pub
ls -al ~/.ssh/authorized_keys

Load your private key into an agent (optional)

If you load your private key into an agent, it will hold the decrypted key in memory. Otherwise, you would have have to enter the key's passphrase (if you used one) every time you connect. To load the key, run

ssh-add

and enter the key's passphrase. (If your key is not in the default location ~/.ssh/id_rsa, you will need to provide the full path. For example, ssh-add ~/.ssh/id_rsa_my_ssh_key).
If ssh-add says “Could not open a connection to your authentication agent.”, then you don't have a SSH agent running. Launch one using this command:

eval $(ssh-agent)

scp files to server adding automatically to known_hosts

When copying files to a server for the first time, you are asked if you want to add the servers fingerprint to the known_hosts file. To avoid the question and add automatically, use:

scp -o Batchmode=yes -o StrictHostKeyChecking=no <files> <server>

Problems?

Permissions. Check your home directory is writable only by you (eg: 750), the .ssh directory is 700 and the id* and auth* files are 600.
From the client (the one with the private key on it), add a -v switch to the scp command. This will show debugging info. -vv gives more. -vvv gives even more!
On the server (remote machine), look at the logs to see if there is any more info in there (try /var/log/messages or /var/log/auth.log or /var/log/authlog or /var/log/secure)
Check the /etc/ssh/sshd_config file on the remote machine for settings like StrictModes. If this is on, the permissions above will be important.
After all these failed attempts, has your username been locked out?

On AIX, look at and reset the unsuccessful login counter:

USERNAME=<username>
/usr/sbin/lsuser ${USERNAME}
/usr/bin/chsec -f /etc/security/lastlog -a unsuccessful_login_count=0 -s ${USERNAME}
/usr/bin/chuser account_locked=false ${USERNAME}
/usr/bin/chuser rlogin=true ${USERNAME}

Check the server log file:

vi /etc/syslog.conf and see where the auth logs go
On AIX, this is /var/adm/syslogs/auth. This shows:
Authentication tried for <user> with correct key but not from a permitted host <host>
authorized_keys file on the server will need 'from=“<ip addr>,<ip addr>,<ip addr>…”'
On Redhat Linux, this file is called /var/log/secure

Start up another sshd server for diagnosis

Start up a second instance of sshd on an alternative port (on the server machine)

server# $(which sshd) -p 2200 -d

Keep that window open, as the debugging information is written to standard output. Then on the client, connect to the alternative port:

client$ ssh -p 2200 username@server

If the key is rejected, a reason for the rejection should be revealed on the server.

Client is still asking for password even though keys are setup?

Try forcing the ssh options… (useful if you cannot change the sshd config on the server)

ssh -o PubkeyAuthentication=yes -o PasswordAuthentication=no -X user@server

Create a local tunnel

Create a tunnel to connect to Oracle Enterprise Manager on a remote host

ssh -L localhost:17803:hn1627:7803 -Nf oracle@hn1627

or create several tunnels in one go

ssh -L localhost:17803:hn1627:7803 localhost:3000:hn1627:3000 -Nf oracle@hn1627

Go to https://localhost:17803/em/faces/logon/core-uifwk-console-login

SET TUNNEL_USER=stuart
SET TUNNEL_LUAG=192.168.151.20
SET TUNNEL_TARGET=192.168.161.34:7803
SET TUNNEL_PORT=9999
ssh -L 127.0.0.1:$TUNNEL_PORT:$TUNNEL_TARGET $TUNNEL_USER@$TUNNEL_LUAG
 

You can use https://localhost:9999/em once the tunnel has been started.

References

Use openssl to encrypt or decrypt a file

References:

Get their public key

The other person needs to send you their public key in .pem format. If they only have it in one long line (e.g., they use it for ssh), then have them do:

openssl rsa -in id_rsa -outform pem > id_rsa.pem

openssl rsa -in id_rsa -pubout -outform pem > id_rsa.pub.pem

Have them send you id_rsa.pub.pem

Generate a 256 bit (32 byte) random key

openssl rand -base64 32 > key.bin

Encrypt the key

openssl rsautl -encrypt -inkey id_rsa.pub.pem -pubin -in key.bin -out key.bin.enc

Actually Encrypt our large file

openssl enc -aes-256-cbc -salt -in SECRET_FILE -out SECRET_FILE.enc -pass file:./key.bin

Send/Decrypt the files

Send the .enc files to the other person and have them do:

openssl rsautl -decrypt -inkey id_rsa.pem -in key.bin.enc -out key.bin

openssl enc -d -aes-256-cbc -in SECRET_FILE.enc -out SECRET_FILE -pass file:./key.bin

Start an OpenVPN client manually from the command-line

Reference: Setup NordVPN on Linksys 3200AC with dd-wrt This is what to run when the GUI doesn't seem to start the client (Status –> VPN in dd-wrt setup).

openvpn --config /tmp/openvpncl/openvpn.conf --route-up /tmp/openvpncl/route-up.sh --route-pre-down /tmp/openvpncl/route-down.sh --daemon

openvpn --config /tmp/openvpncl/openvpn.conf --daemon

Connect to a server manually using OpenVPN from the command-line

This example using Surfshark - https://support.surfshark.com/hc/en-us/articles/360011051133-How-to-set-up-OpenVPN-using-Linux-Terminal

sudo dnf install openvpn unzip

mkdir -p /etc/openvpn/surfshark
cd /etc/openvpn/surfshark

Grab a list of configuration files

sudo wget https://my.surfshark.com/vpn/api/v1/server/configurations
sudo unzip configurations

Create a file containing username and password. This has to be done like this if starting openvpn from the command-line in the background.

sudo vi credentials
[username]
[password]

Example of config file

#
# Surfshark OpenVPN client connection
#

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
proto tcp
;proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote uk-man.prod.surfshark.com 1443
remote uk-lon.prod.surfshark.com 1443
remote uk-gla.prod.surfshark.com 1443

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialisation (non-Windows only)
;user nobody
;group nobody

tun-mtu 1500
tun-mtu-extra 32
mssfix 1450

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0

remote-cert-tls server

auth-user-pass /etc/openvpn/surfshark/credentials

pull
fast-io

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
;ca /etc/openvpn/surfshark/ca.crt
<ca>
-----BEGIN CERTIFICATE-----
MIIFTTCCAzWgAwIBAgIJAMs9S3fqwv+mMA0GCSqGSIb3DQEBCwUAMD0xCzAJBgNV
BAYTAlZHMRIwEAYDVQQKDAlTdXJmc2hhcmsxGjAYBgNVBAMMEVN1cmZzaGFyayBS
b290IENBMB4XDTE4MDMxNDA4NTkyM1oXDTI4MDMxMTA4NTkyM1owPTELMAkGA1UE
BhMCVkcxEjAQBgNVBAoMCVN1cmZzaGFyazEaMBgGA1UEAwwRU3VyZnNoYXJrIFJv
...
X6IoIHlZCoLlv39wFW9QNxelcAOCVbD+19MZ0ZXt7LitjIqe7yF5WxDQN4xru087
FzQ4Hfj7eH1SNLLyKZkA1eecjmRoi/OoqAt7afSnwtQLtMUc2bQDg6rHt5C0e4dC
LqP/9PGZTSJiwmtRHJ/N5qYWIh9ju83APvLm/AGBTR2pXmj9G3KdVOkpIC7L35dI
623cSEC3Q3UZutsEm/UplsM=
-----END CERTIFICATE-----
</ca>

;cert /etc/openvpn/surfshark/client.crt
;key /etc/openvpn/surfshark/client.key

# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
;ns-cert-type server

auth SHA512

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth /etc/openvpn/surfshark/ta.key 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
b02cb1d7c6fee5d4f89b8de72b51a8d0
c7b282631d6fc19be1df6ebae9e2779e
...
b260f4b45dec3285875589c97d3087c9
134d3a3aa2f904512e85aa2dc2202498
-----END OpenVPN Static key V1-----
</tls-auth>


# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
cipher AES-256-CBC

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
;comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20

key-direction 1

Startup the vpn connection

sudo --config configurations/openvpn uk-lon-prod.surfshark.com_tcp.ovpn &

The certificates can be placed in files instead of appearing in the config file. They would then be simply referenced from the file with tags “ca [filename]” and “tls-auth [filename] 1”
Other reference: https://support.surfshark.com/hc/en-us/articles/360003086114-How-to-set-up-Surfshark-VPN-on-DD-WRT-router-
–route-up and –route-pre-down scripts can be added to the openvpn command to add and remove routes before starting and before stopping the tunnel

Example route-up file

#!/bin/sh
[[ ! -z "$ifconfig_netmask" ]] && vpn_netmask="/$ifconfig_netmask"
cat << EOF > /tmp/openvpncl_fw.sh
#!/bin/sh
iptables -D POSTROUTING -t nat -o $dev -j MASQUERADE 2> /dev/null
iptables -I POSTROUTING -t nat -o $dev -j MASQUERADE
iptables -t raw -D PREROUTING ! -i $dev -d $ifconfig_local$vpn_netmask -j DROP 2> /dev/null
iptables -t raw -I PREROUTING ! -i $dev -d $ifconfig_local$vpn_netmask -j DROP
EOF
chmod +x /tmp/openvpncl_fw.sh
/tmp/openvpncl_fw.sh
cat /tmp/resolv.dnsmasq > /tmp/resolv.dnsmasq_isp
env | grep 'dhcp-option DNS' | awk '{ print "nameserver " $3 }' > /tmp/resolv.dnsmasq
cat /tmp/resolv.dnsmasq_isp >> /tmp/resolv.dnsmasq
nvram set openvpn_get_dns="$(env | grep 'dhcp-option DNS' | awk '{ printf "%s ",$3 }')"
env | grep 'dhcp-option DNS' | awk '{print $NF}' | while read vpn_dns; do grep -q "^dhcp-option DNS $vpn_dns" /tmp/openvpncl/openvpn.conf || ip route add $vpn_dns via $route_vpn_gateway dev $dev 2> /dev/null; done

Example route-pre-down file

#!/bin/sh
iptables -D POSTROUTING -t nat -o $dev -j MASQUERADE
[ -f /tmp/resolv.dnsmasq_isp ] && cp -f /tmp/resolv.dnsmasq_isp /tmp/resolv.dnsmasq && nvram unset openvpn_get_dns
[[ ! -z "$ifconfig_netmask" ]] && vpn_netmask="/$ifconfig_netmask"
iptables -t raw -D PREROUTING ! -i $dev -d $ifconfig_local$vpn_netmask -j DROP

Tunneling

Building an SSH tunnel can be very useful for working on the other side of firewalls.

This sets up several tunnels in one command. The first two allow a localhost connection to access the remote Oracle Enterprise Manager programs and the other allows a localhost connection to a remote listener and therefore to all the databases.

ssh -L localhost:7803:hn1627.cln.be:7803 -L localhost:7804:hn5100.crelan.be:7803 -L localhost:51127:hn511.cln.be:3527 -Nf oracle@hn1627

References

Regenerate a public key from a private key

-y option spits out the public key!

ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub

A small script (seems to originate from Oracle) that sets up ssh keys between 2 machines

#!/usr/bin/ksh
if [[ $# -lt 1 ]]; then
  echo Usage: $0 username@remotehost
  exit
fi
remote="$1"  # 1st command-line argument is the user@remotehost address
this=`hostname` # $HOST   # name of client host
PATH=/usr/bin/ssh:$PATH
  #  first check if we need to run ssh-keygen for generating
  #  $HOME/.ssh with public and private keys:
if [[ ! -d $HOME/.ssh ]]; then
  echo "just type RETURN for each question:" # no passphrase - unsecure
  # generate RSA1, RSA and DSA keys:
#  echo; echo; echo
#  ssh-keygen -t rsa1
  echo; echo; echo
  ssh-keygen -t rsa
#  echo; echo; echo
#  ssh-keygen -t dsa
else
  # we have $HOME/.ssh, but check that we have all types of
  # keys (RSA1, RSA, DSA):
#  if [[ ! -f $HOME/.ssh/identity ]]; then
#     # generate RSA1 keys:
#     echo "just type RETURN for each question:" # no passphrase - unsecure
#     ssh-keygen -t rsa1
#  fi
  if [[ ! -f $HOME/.ssh/id_rsa ]]; then
     # generate RSA keys:
     echo "just type RETURN for each question:" # no passphrase - unsecure
     ssh-keygen -t rsa
  fi
#  if [[ ! -f $HOME/.ssh/id_dsa ]]; then
#     # generate DSA keys:
#     echo "just type RETURN for each question:" # no passphrase - unsecure
#     ssh-keygen -t dsa
#  fi
fi

cd $HOME/.ssh

if [[ ! -f config ]]; then
  # make ssh try ssh -1 (RSA1 keys) first and then ssh -2 (DSA keys)
  echo "Protocol 1,2" > config
fi

  #  copy public keys (all three types) to the destination host:

echo; echo; echo
  #  create .ssh on remote host if it's not there:
ssh $remote 'if [[ ! -d .ssh ]]; then mkdir .ssh; fi'
  #  copy RSA1 key:
#scp identity.pub ${remote}:.ssh/${this}_rsa1.pub
  #  copy RSA key:
scp id_rsa.pub ${remote}:.ssh/${this}_rsa.pub
  #  copy DSA key:
#scp id_dsa.pub ${remote}:.ssh/${this}_dsa.pub
  #  make authorized_keys(2) files on remote host:

echo; echo; echo
  #  this one copies all three keys:
#ssh $remote "cd .ssh; cat ${this}_rsa1.pub >> authorized_keys; cat ${this}_rsa.pub >> authorized_keys2; cat ${this}_dsa.pub >> authorized_keys2;"
  #  this one copies RSA1 and DSA keys:
#ssh $remote "cd .ssh; cat ${this}_rsa1.pub >> authorized_keys; cat ${this}_dsa.pub >> authorized_keys2;"
  #  this one copies RSA keys:
ssh $remote "cd .ssh; cat ${this}_rsa.pub >> authorized_keys2;"

echo; echo; echo
echo "try an ssh $remote"

A bigger (more elaborate) script that I also found embedded in an Oracle setup

Discovered it as $OMS_HOME/oui/prov/resources/scripts/sshUserSetup.sh

  # !/bin/sh
  #  Nitin Jerath - Aug 2005
  # Usage sshUserSetup.sh  -user <user name> [[ -hosts \\"<space separated hostlist>\\" | -hostfile <absolute path of cluster configuration file> ]] [[ -advanced ]]  [[ -verify]] [[ -exverify ]] [[ -logfile <desired absolute path of logfile> ]] [[-confirm]] [[-shared]] [[-help]] [[-usePassphrase]] [[-noPromptPassphrase]]
  # eg. sshUserSetup.sh -hosts "host1 host2" -user njerath -advanced
  # This script is used to setup SSH connectivity from the host on which it is
  #  run to the specified remote hosts. After this script is run, the user can use # SSH to run commands on the remote hosts or copy files between the local host
  #  and the remote hosts without being prompted for passwords or confirmations.
  #  The list of remote hosts and the user name on the remote host is specified as
  #  a command line parameter to the script. Note that in case the user on the
  #  remote host has its home directory NFS mounted or shared across the remote
  #  hosts, this script should be used with -shared option.
  # Specifying the -advanced option on the command line would result in SSH
  #  connectivity being setup among the remote hosts which means that SSH can be
  #  used to run commands on one remote host from the other remote host or copy
  #  files between the remote hosts without being prompted for passwords or
  #  confirmations.
  # Please note that the script would remove write permissions on the remote hosts
  # for the user home directory and ~/.ssh directory for "group" and "others". This
  #  is an SSH requirement. The user would be explicitly informed about this by teh script and prompted to continue. In case the user presses no, the script would exit. In case the user does not want to be prompted, he can use -confirm option.
  #  As a part of the setup, the script would use SSH to create files within ~/.ssh
  #  directory of the remote node and to setup the requisite permissions. The
  # script also uses SCP to copy the local host public key to the remote hosts so
  #  that the remote hosts trust the local host for SSH. At the time, the script
  # performs these steps, SSH connectivity has not been completely setup  hence
  #  the script would prompt the user for the remote host password.
  # For each remote host, for remote users with non-shared homes this would be
  #  done once for SSH and  once for SCP. If the number of remote hosts are x, the
  #  user would be prompted  2x times for passwords. For remote users with shared
  #  homes, the user would be prompted only twice, once each for SCP and SSH.
  # For security reasons, the script does not save passwords and reuse it. Also,
  #  for security reasons, the script does not accept passwords redirected from a
  # file. The user has to key in the confirmations and passwords at the prompts.
  # The -verify option means that the user just wants to verify whether SSH has
  # been set up. In this case, the script would not setup SSH but would only check
  #  whether SSH connectivity has been setup from the local host to the remote
  #  hosts. The script would run the date command on each remote host using SSH. In
  #  case the user is prompted for a password or sees a warning message for a
  # particular host, it means SSH connectivity has not been setup correctly for
  #  that host.
  # In case the -verify option is not specified, the script would setup SSH and
  # then do the verification as well.
  # In case the user speciies the -exverify option, an exhaustive verification would be done. In that case, the following would be checked:
  #  1. SSH connectivity from local host to all remote hosts.
  #  2. SSH connectivity from each remote host to itself and other remote hosts.

  # echo Parsing command line arguments
numargs=$#

ADVANCED=false
HOSTNAME=`hostname`
CONFIRM=no
SHARED=false
i=1
USR=$USER

if  test -z "$TEMP"
then
  TEMP=/tmp
fi

IDENTITY=id_rsa
LOGFILE=$TEMP/sshUserSetup_`date +%F-%H-%M-%S`.log
VERIFY=false
EXHAUSTIVE_VERIFY=false
HELP=false
PASSPHRASE=no
RERUN_SSHKEYGEN=no
NO_PROMPT_PASSPHRASE=no

while [[ $i -le $numargs ]]
do
  j=$1
  if [[ $j = "-hosts" ]]
  then
     HOSTS=$2
     shift 1
     i=`expr $i + 1`
  fi
  if [[ $j = "-user" ]]
  then
     USR=$2
     shift 1
     i=`expr $i + 1`
   fi
  if [[ $j = "-logfile" ]]
  then
     LOGFILE=$2
     shift 1
     i=`expr $i + 1`
   fi
  if [[ $j = "-confirm" ]]
  then
     CONFIRM=yes
   fi
  if [[ $j = "-hostfile" ]]
  then
     CLUSTER_CONFIGURATION_FILE=$2
     shift 1
     i=`expr $i + 1`
   fi
  if [[ $j = "-usePassphrase" ]]
  then
     PASSPHRASE=yes
   fi
  if [[ $j = "-noPromptPassphrase" ]]
  then
     NO_PROMPT_PASSPHRASE=yes
   fi
  if [[ $j = "-shared" ]]
  then
     SHARED=true
   fi
  if [[ $j = "-exverify" ]]
  then
     EXHAUSTIVE_VERIFY=true
   fi
  if [[ $j = "-verify" ]]
  then
     VERIFY=true
   fi
  if [[ $j = "-advanced" ]]
  then
     ADVANCED=true
   fi
  if [[ $j = "-help" ]]
  then
     HELP=true
   fi
  i=`expr $i + 1`
  shift 1
done


if [[ $HELP = "true" ]]
then
  echo "Usage $0 -user <user name> [[ -hosts \\"<space separated hostlist>\\" | -hostfile <absolute path of cluster configuration file> ]] [[ -advanced ]]  [[ -verify]] [[ -exverify ]] [[ -logfile <desired absolute path of logfile> ]] [[-confirm]] [[-shared]] [[-help]] [[-usePassphrase]] [[-noPromptPassphrase]]"
echo "This script is used to setup SSH connectivity from the host on which it is run to the specified remote hosts. After this script is run, the user can use  SSH to run commands on the remote hosts or copy files between the local host and the remote hosts without being prompted for passwords or confirmations.  The list of remote hosts and the user name on the remote host is specified as a command line parameter to the script. "
echo "-user : User on remote hosts. "
echo "-hosts : Space separated remote hosts list. "
echo "-hostfile : The user can specify the host names either through the -hosts option or by specifying the absolute path of a cluster configuration file. A sample host file contents are below: "
echo
echo  "   stacg30 stacg30int 10.1.0.0 stacg30v  -"
echo  "   stacg34 stacg34int 10.1.0.1 stacg34v  -"
echo
echo " The first column in each row of the host file will be used as the host name."
echo
echo "-usePassphrase : The user wants to set up passphrase to encrypt the private key on the local host. "
echo "-noPromptPassphrase : The user does not want to be prompted for passphrase related questions. This is for users who want the default behavior to be followed."
echo "-shared : In case the user on the remote host has its home directory NFS mounted or shared across the remote hosts, this script should be used with -shared option. "
echo "  It is possible for the user to determine whether a user's home directory is shared or non-shared. Let us say we want to determine that user user1's home directory is shared across hosts A, B and C."
echo " Follow the following steps:"
echo "    1. On host A, touch ~user1/checkSharedHome.tmp"
echo "    2. On hosts B and C, ls -al ~user1/checkSharedHome.tmp"
echo "    3. If the file is present on hosts B and C in ~user1 directory and"
echo "       is identical on all hosts A, B, C, it means that the user's home "
echo "       directory is shared."
echo "    4. On host A, rm -f ~user1/checkSharedHome.tmp"
echo " In case the user accidentally passes -shared option for non-shared homes or viceversa,SSH connectivity would only be set up for a subset of the hosts. The user would have to re-run the setyp script with the correct option to rectify this problem."
echo "-advanced :  Specifying the -advanced option on the command line would result in SSH  connectivity being setup among the remote hosts which means that SSH can be used to run commands on one remote host from the other remote host or copy files between the remote hosts without being prompted for passwords or confirmations."
echo "-confirm: The script would remove write permissions on the remote hosts for the user home directory and ~/.ssh directory for "group" and "others". This is an SSH requirement. The user would be explicitly informed about this by the script and prompted to continue. In case the user presses no, the script would exit. In case the user does not want to be prompted, he can use -confirm option."
echo  "As a part of the setup, the script would use SSH to create files within ~/.ssh directory of the remote node and to setup the requisite permissions. The script also uses SCP to copy the local host public key to the remote hosts so that the remote hosts trust the local host for SSH. At the time, the script performs these steps, SSH connectivity has not been completely setup  hence the script would prompt the user for the remote host password.  "
echo "For each remote host, for remote users with non-shared homes this would be done once for SSH and  once for SCP. If the number of remote hosts are x, the user would be prompted  2x times for passwords. For remote users with shared homes, the user would be prompted only twice, once each for SCP and SSH.  For security reasons, the script does not save passwords and reuse it. Also, for security reasons, the script does not accept passwords redirected from a file. The user has to key in the confirmations and passwords at the prompts. "
echo "-verify : -verify option means that the user just wants to verify whether SSH has been set up. In this case, the script would not setup SSH but would only check whether SSH connectivity has been setup from the local host to the remote hosts. The script would run the date command on each remote host using SSH. In case the user is prompted for a password or sees a warning message for a particular host, it means SSH connectivity has not been setup correctly for that host.  In case the -verify option is not specified, the script would setup SSH and then do the verification as well. "
echo "-exverify : In case the user speciies the -exverify option, an exhaustive verification for all hosts would be done. In that case, the following would be checked: "
echo "   1. SSH connectivity from local host to all remote hosts. "
echo "   2. SSH connectivity from each remote host to itself and other remote hosts.  "
echo The -exverify option can be used in conjunction with the -verify option as well to do an exhaustive verification once the setup has been done.
echo "Taking some examples: Let us say local host is Z, remote hosts are A,B and C. Local user is njerath. Remote users are racqa(non-shared), aime(shared)."
echo "$0 -user racqa -hosts \\"A B C\\" -advanced -exverify -confirm"
echo "Script would set up connectivity from Z -> A, Z -> B, Z -> C, A -> A, A -> B, A -> C, B -> A, B -> B, B -> C, C -> A, C -> B, C -> C."
echo "Since user has given -exverify option, all these scenario would be verified too."
echo
echo "Now the user runs : $0 -user racqa -hosts \\"A B C\\" -verify"
echo "Since -verify option is given, no SSH setup would be done, only verification of existing setup. Also, since -exverify or -advanced options are not given, script would only verify connectivity from Z -> A, Z -> B, Z -> C"

echo "Now the user runs : $0 -user racqa -hosts \\"A B C\\" -verify -advanced"
echo "Since -verify option is given, no SSH setup would be done, only verification of existing setup. Also, since  -advanced options is given, script would verify connectivity from Z -> A, Z -> B, Z -> C, A-> A, A->B, A->C, A->D"

echo "Now the user runs:"
echo "$0 -user aime -hosts \\"A B C\\" -confirm -shared"
echo "Script would set up connectivity between  Z->A, Z->B, Z->C only since advanced option is not given."
echo "All these scenarios would be verified too."

exit
fi

if test -z "$HOSTS"
then
   if test -n "$CLUSTER_CONFIGURATION_FILE" && test -f "$CLUSTER_CONFIGURATION_FILE"
   then
      HOSTS=`awk '$1 !~ /^#/ { str = str " " $1 } END { print str }' $CLUSTER_CONFIGURATION_FILE`
   elif ! test -f "$CLUSTER_CONFIGURATION_FILE"
   then
     echo "Please specify a valid and existing cluster configuration file."
   fi
fi

if  test -z "$HOSTS" || test -z $USR
then
echo "Either user name or host information is missing"
echo "Usage $0 -user <user name> [[ -hosts \\"<space separated hostlist>\\" | -hostfile <absolute path of cluster configuration file> ]] [[ -advanced ]]  [[ -verify]] [[ -exverify ]] [[ -logfile <desired absolute path of logfile> ]] [[-confirm]] [[-shared]] [[-help]] [[-usePassphrase]] [[-noPromptPassphrase]]"
exit 1
fi

if [[ -d $LOGFILE ]]; then
    echo $LOGFILE is a directory, setting logfile to $LOGFILE/ssh.log
    LOGFILE=$LOGFILE/ssh.log
fi

echo The output of this script is also logged into $LOGFILE | tee -a $LOGFILE

if [[ `echo $?` != 0 ]]; then
    echo Error writing to the logfile $LOGFILE, Exiting
    exit 1
fi

echo Hosts are $HOSTS | tee -a $LOGFILE
echo user is  $USR | tee -a $LOGFILE
SSH="/usr/bin/ssh"
SCP="/usr/bin/scp"
SSH_KEYGEN="/usr/bin/ssh-keygen"
calculateOS()
{
    platform=`uname -s`
    case "$platform"
    in
       "SunOS")  os=solaris;;
       "Linux")  os=linux;;
       "HP-UX")  os=hpunix;;
         "AIX")  os=aix;;
             *)  echo "Sorry, $platform is not currently supported." | tee -a $LOGFILE
                 exit 1;;
    esac

    echo "Platform:- $platform " | tee -a $LOGFILE
}
calculateOS
BITS=1024
ENCR="rsa"

deadhosts=""
alivehosts=""
if [[ $platform = "Linux" ]]
then
    PING="/bin/ping"
else
    PING="/usr/sbin/ping"
fi
  # bug 9044791
if [[ -n "$SSH_PATH" ]]; then
    SSH=$SSH_PATH
fi
if [[ -n "$SCP_PATH" ]]; then
    SCP=$SCP_PATH
fi
if [[ -n "$SSH_KEYGEN_PATH" ]]; then
    SSH_KEYGEN=$SSH_KEYGEN_PATH
fi
if [[ -n "$PING_PATH" ]]; then
    PING=$PING_PATH
fi
PATH_ERROR=0
if test ! -x $SSH ; then
    echo "ssh not found at $SSH. Please set the variable SSH_PATH to the correct location of ssh and retry."
    PATH_ERROR=1
fi
if test ! -x $SCP ; then
    echo "scp not found at $SCP. Please set the variable SCP_PATH to the correct location of scp and retry."
    PATH_ERROR=1
fi
if test ! -x $SSH_KEYGEN ; then
    echo "ssh-keygen not found at $SSH_KEYGEN. Please set the variable SSH_KEYGEN_PATH to the correct location of ssh-keygen and retry."
    PATH_ERROR=1
fi
if test ! -x $PING ; then
    echo "ping not found at $PING. Please set the variable PING_PATH to the correct location of ping and retry."
    PATH_ERROR=1
fi
if [[ $PATH_ERROR = 1 ]]; then
    echo "ERROR: one or more of the required binaries not found, exiting"
    exit 1
fi
  # 9044791 end
echo Checking if the remote hosts are reachable | tee -a $LOGFILE
for host in $HOSTS
do
   if [[ $platform = "SunOS" ]]; then
       $PING -s $host 5 5
   elif [[ $platform = "HP-UX" ]]; then
       $PING $host -n 5 -m 5
   else
       $PING -c 5 -w 5 $host
   fi
  exitcode=`echo $?`
  if [[ $exitcode = 0 ]]
  then
     alivehosts="$alivehosts $host"
  else
     deadhosts="$deadhosts $host"
  fi
done

if test -z "$deadhosts"
then
   echo Remote host reachability check succeeded.  | tee -a $LOGFILE
   echo The following hosts are reachable: $alivehosts.  | tee -a $LOGFILE
   echo The following hosts are not reachable: $deadhosts.  | tee -a $LOGFILE
   echo All hosts are reachable. Proceeding further...  | tee -a $LOGFILE
else
   echo Remote host reachability check failed.  | tee -a $LOGFILE
   echo The following hosts are reachable: $alivehosts.  | tee -a $LOGFILE
   echo The following hosts are not reachable: $deadhosts.  | tee -a $LOGFILE
   echo Please ensure that all the hosts are up and re-run the script.  | tee -a $LOGFILE
   echo Exiting now...  | tee -a $LOGFILE
   exit 1
fi

firsthost=`echo $HOSTS | awk '{print $1}; END { }'`
echo firsthost $firsthost
numhosts=`echo $HOSTS | awk '{ }; END {print NF}'`
echo numhosts $numhosts

if [[ $VERIFY = "true" ]]
then
   echo Since user has specified -verify option, SSH setup would not be done. Only, existing SSH setup would be verified. | tee -a $LOGFILE
   continue
else
echo The script will setup SSH connectivity from the host //`hostname`// to all  | tee -a $LOGFILE
echo the remote hosts. After the script is executed, the user can use SSH to run  | tee -a $LOGFILE
echo commands on the remote hosts or copy files between this host //`hostname`// | tee -a $LOGFILE
echo and the remote hosts without being prompted for passwords or confirmations. | tee -a $LOGFILE
echo  | tee -a $LOGFILE
echo NOTE 1: | tee -a $LOGFILE
echo As part of the setup procedure, this script will use 'ssh' and 'scp' to copy | tee -a $LOGFILE
echo files between the local host and the remote hosts. Since the script does not  | tee -a $LOGFILE
echo store passwords, you may be prompted for the passwords during the execution of  | tee -a $LOGFILE
echo the script whenever 'ssh' or 'scp' is invoked. | tee -a $LOGFILE
echo  | tee -a $LOGFILE
echo NOTE 2: | tee -a $LOGFILE
echo "AS PER SSH REQUIREMENTS, THIS SCRIPT WILL SECURE THE USER HOME DIRECTORY" | tee -a $LOGFILE
echo AND THE .ssh DIRECTORY BY REVOKING GROUP AND WORLD WRITE PRIVILEDGES TO THESE  | tee -a $LOGFILE
echo "directories." | tee -a $LOGFILE
echo  | tee -a $LOGFILE
echo "Do you want to continue and let the script make the above mentioned changes (yes/no)?" | tee -a $LOGFILE

if [[ "$CONFIRM" = "no" ]]
then
  read CONFIRM
else
  echo "Confirmation provided on the command line" | tee -a $LOGFILE
fi

echo  | tee -a $LOGFILE
echo The user chose //$CONFIRM// | tee -a $LOGFILE

if [[ "$CONFIRM" = "no" ]]
then
  echo "SSH setup is not done." | tee -a $LOGFILE
  exit 1
else
  if [[ $NO_PROMPT_PASSPHRASE = "yes" ]]
  then
    echo "User chose to skip passphrase related questions."  | tee -a $LOGFILE
  else
    typeset -i PASSPHRASE_PROMPT
    if [[ $SHARED = "true" ]]
    then
        PASSPHRASE_PROMPT=2*${numhosts}+1
    else
        PASSPHRASE_PROMPT=2*${numhosts}
    fi
    echo "Please specify if you want to specify a passphrase for the private key this script will create for the local host. Passphrase is used to encrypt the private key and makes SSH much more secure. Type 'yes' or 'no' and then press enter. In case you press 'yes', you would need to enter the passphrase whenever the script executes ssh or scp. " | tee -a $LOGFILE
    echo "The estimated number of times the user would be prompted for a passphrase is $PASSPHRASE_PROMPT. In addition, if the private-public files are also newly created, the user would have to specify the passphrase on one additional occasion. " | tee -a $LOGFILE
    echo "Enter 'yes' or 'no'." | tee -a $LOGFILE
    if [[ $PASSPHRASE = "no" ]]
    then
      read PASSPHRASE
    else
      echo "Confirmation provided on the command line" | tee -a $LOGFILE
    fi

    echo  | tee -a $LOGFILE
    echo The user chose //$PASSPHRASE// | tee -a $LOGFILE

    if [[ "$PASSPHRASE" = "yes" ]]
    then
       RERUN_SSHKEYGEN="yes"
  # Checking for existence of ${IDENTITY} file
       if test -f  $HOME/.ssh/${IDENTITY}.pub && test -f  $HOME/.ssh/${IDENTITY}
       then
           echo "The files containing the client public and private keys already exist on the local host. The current private key may or may not have a passphrase associated with it. In case you remember the passphrase and do not want to re-run ssh-keygen, press 'no' and enter. If you press 'no', the script will not attempt to create any new public/private key pairs. If you press 'yes', the script will remove the old private/public key files existing and create new ones prompting the user to enter the passphrase. If you enter 'yes', any previous SSH user setups would be reset. If you press 'change', the script will associate a new passphrase with the old keys." | tee -a $LOGFILE
           echo "Press 'yes', 'no' or 'change'" | tee -a $LOGFILE
             read RERUN_SSHKEYGEN
             echo The user chose //$RERUN_SSHKEYGEN// | tee -a $LOGFILE
       fi
     else
       if test -f  $HOME/.ssh/${IDENTITY}.pub && test -f  $HOME/.ssh/${IDENTITY}
       then
         echo "The files containing the client public and private keys already exist on the local host. The current private key may have a passphrase associated with it. In case you find using passphrase inconvenient(although it is more secure), you can change to it empty through this script. Press 'change' if you want the script to change the passphrase for you. Press 'no' if you want to use your old passphrase, if you had one."
         read RERUN_SSHKEYGEN
         echo The user chose //$RERUN_SSHKEYGEN// | tee -a $LOGFILE
       fi
     fi
  fi
  echo Creating .ssh directory on local host, if not present already | tee -a $LOGFILE
  mkdir -p $HOME/.ssh | tee -a $LOGFILE
echo Creating authorized_keys file on local host  | tee -a $LOGFILE
touch $HOME/.ssh/authorized_keys  | tee -a $LOGFILE
echo Changing permissions on authorized_keys to 644 on local host  | tee -a $LOGFILE
chmod 644 $HOME/.ssh/authorized_keys  | tee -a $LOGFILE
mv -f $HOME/.ssh/authorized_keys  $HOME/.ssh/authorized_keys.tmp | tee -a $LOGFILE
echo Creating known_hosts file on local host  | tee -a $LOGFILE
touch $HOME/.ssh/known_hosts  | tee -a $LOGFILE
echo Changing permissions on known_hosts to 644 on local host  | tee -a $LOGFILE
chmod 644 $HOME/.ssh/known_hosts  | tee -a $LOGFILE
mv -f $HOME/.ssh/known_hosts $HOME/.ssh/known_hosts.tmp | tee -a $LOGFILE


echo Creating config file on local host | tee -a $LOGFILE
echo If a config file exists already at $HOME/.ssh/config, it would be backed up to $HOME/.ssh/config.backup.
echo "Host *" > $HOME/.ssh/config.tmp | tee -a $LOGFILE
echo "ForwardX11 no" >> $HOME/.ssh/config.tmp | tee -a $LOGFILE

if test -f $HOME/.ssh/config
then
  cp -f $HOME/.ssh/config $HOME/.ssh/config.backup
fi

mv -f $HOME/.ssh/config.tmp $HOME/.ssh/config  | tee -a $LOGFILE
chmod 644 $HOME/.ssh/config

if [[ $RERUN_SSHKEYGEN = "yes" ]]
then
  echo Removing old private/public keys on local host | tee -a $LOGFILE
  rm -f $HOME/.ssh/${IDENTITY} | tee -a $LOGFILE
  rm -f $HOME/.ssh/${IDENTITY}.pub | tee -a $LOGFILE
  echo Running SSH keygen on local host | tee -a $LOGFILE
  $SSH_KEYGEN -t $ENCR -b $BITS -f $HOME/.ssh/${IDENTITY}   | tee -a $LOGFILE

elif [[ $RERUN_SSHKEYGEN = "change" ]]
then
    echo Running SSH Keygen on local host to change the passphrase associated with the existing private key | tee -a $LOGFILE
    $SSH_KEYGEN -p -t $ENCR -b $BITS -f $HOME/.ssh/${IDENTITY} | tee -a $LOGFILE
elif test -f  $HOME/.ssh/${IDENTITY}.pub && test -f  $HOME/.ssh/${IDENTITY}
then
    continue
else
    echo Removing old private/public keys on local host | tee -a $LOGFILE
    rm -f $HOME/.ssh/${IDENTITY} | tee -a $LOGFILE
    rm -f $HOME/.ssh/${IDENTITY}.pub | tee -a $LOGFILE
    echo Running SSH keygen on local host with empty passphrase | tee -a $LOGFILE
    $SSH_KEYGEN -t $ENCR -b $BITS -f $HOME/.ssh/${IDENTITY} -N //  | tee -a $LOGFILE
fi

if [[ $SHARED = "true" ]]
then
  if [[ $USER = $USR ]]
  then
  # No remote operations required
    echo Remote user is same as local user | tee -a $LOGFILE
    REMOTEHOSTS=""
    chmod og-w $HOME $HOME/.ssh | tee -a $LOGFILE
  else
    REMOTEHOSTS="${firsthost}"
  fi
else
  REMOTEHOSTS="$HOSTS"
fi

for host in $REMOTEHOSTS
do
     echo Creating .ssh directory and setting permissions on remote host $host | tee -a $LOGFILE
     echo "THE SCRIPT WOULD ALSO BE REVOKING WRITE PERMISSIONS FOR "group" AND "others" ON THE HOME DIRECTORY FOR $USR. THIS IS AN SSH REQUIREMENT." | tee -a $LOGFILE
     echo The script would create ~$USR/.ssh/config file on remote host $host. If a config file exists already at ~$USR/.ssh/config, it would be backed up to ~$USR/.ssh/config.backup. | tee -a $LOGFILE
     echo The user may be prompted for a password here since the script would be running SSH on host $host. | tee -a $LOGFILE
     $SSH -o StrictHostKeyChecking=no -x -l $USR $host "/bin/sh -c \\"  mkdir -p .ssh ; chmod og-w . .ssh;   touch .ssh/authorized_keys .ssh/known_hosts;  chmod 644 .ssh/authorized_keys  .ssh/known_hosts; cp  .ssh/authorized_keys .ssh/authorized_keys.tmp ;  cp .ssh/known_hosts .ssh/known_hosts.tmp; echo \\\\"Host *\\\\" > .ssh/config.tmp; echo \\\\"ForwardX11 no\\\\" >> .ssh/config.tmp; if test -f  .ssh/config ; then cp -f .ssh/config .ssh/config.backup; fi ; mv -f .ssh/config.tmp .ssh/config\\""  | tee -a $LOGFILE
     echo Done with creating .ssh directory and setting permissions on remote host $host. | tee -a $LOGFILE
done

for host in $REMOTEHOSTS
do
  echo Copying local host public key to the remote host $host | tee -a $LOGFILE
  echo The user may be prompted for a password or passphrase here since the script would be using SCP for host $host. | tee -a $LOGFILE

  $SCP $HOME/.ssh/${IDENTITY}.pub  $USR@$host:.ssh/authorized_keys | tee -a $LOGFILE
  echo Done copying local host public key to the remote host $host | tee -a $LOGFILE
done

cat $HOME/.ssh/${IDENTITY}.pub >> $HOME/.ssh/authorized_keys | tee -a $LOGFILE

for host in $HOSTS
do
  if [[ $ADVANCED = "true" ]]
  then
    echo Creating keys on remote host $host if they do not exist already. This is required to setup SSH on host $host. | tee -a $LOGFILE
    if [[ $SHARED = "true" ]]
    then
      IDENTITY_FILE_NAME=${IDENTITY}_$host
      COALESCE_IDENTITY_FILES_COMMAND="cat .ssh/${IDENTITY_FILE_NAME}.pub >> .ssh/authorized_keys"
    else
      IDENTITY_FILE_NAME=${IDENTITY}
    fi

   $SSH  -o StrictHostKeyChecking=no -x -l $USR $host " /bin/sh -c \\"if test -f  .ssh/${IDENTITY_FILE_NAME}.pub && test -f  .ssh/${IDENTITY_FILE_NAME}; then echo; else rm -f .ssh/${IDENTITY_FILE_NAME} ;  rm -f .ssh/${IDENTITY_FILE_NAME}.pub ;  $SSH_KEYGEN -t $ENCR -b $BITS -f .ssh/${IDENTITY_FILE_NAME} -N // ; fi; ${COALESCE_IDENTITY_FILES_COMMAND} \\"" | tee -a $LOGFILE
  else
  # At least get the host keys from all hosts for shared case - advanced option not set
    if test  $SHARED = "true" && test $ADVANCED = "false"
    then
      if [[ $PASSPHRASE = "yes" ]]
      then
       echo "The script will fetch the host keys from all hosts. The user may be prompted for a passphrase here in case the private key has been encrypted with a passphrase." | tee -a $LOGFILE
      fi
      $SSH  -o StrictHostKeyChecking=no -x -l $USR $host "/bin/sh -c true"
    fi
  fi
done

for host in $REMOTEHOSTS
do
  if test $ADVANCED = "true" && test $SHARED = "false"
  then
      $SCP $USR@$host:.ssh/${IDENTITY}.pub $HOME/.ssh/${IDENTITY}.pub.$host | tee -a $LOGFILE
      cat $HOME/.ssh/${IDENTITY}.pub.$host >> $HOME/.ssh/authorized_keys | tee -a $LOGFILE
      rm -f $HOME/.ssh/${IDENTITY}.pub.$host | tee -a $LOGFILE
    fi
done

for host in $REMOTEHOSTS
do
   if [[ $ADVANCED = "true" ]]
   then
      if [[ $SHARED != "true" ]]
      then
         echo Updating authorized_keys file on remote host $host | tee -a $LOGFILE
         $SCP $HOME/.ssh/authorized_keys  $USR@$host:.ssh/authorized_keys | tee -a $LOGFILE
      fi
     echo Updating known_hosts file on remote host $host | tee -a $LOGFILE
     $SCP $HOME/.ssh/known_hosts $USR@$host:.ssh/known_hosts | tee -a $LOGFILE
   fi
   if [[ $PASSPHRASE = "yes" ]]
   then
       echo "The script will run SSH on the remote machine $host. The user may be prompted for a passphrase here in case the private key has been encrypted with a passphrase." | tee -a $LOGFILE
   fi
     $SSH -x -l $USR $host "/bin/sh -c \\"cat .ssh/authorized_keys.tmp >> .ssh/authorized_keys; cat .ssh/known_hosts.tmp >> .ssh/known_hosts; rm -f  .ssh/known_hosts.tmp  .ssh/authorized_keys.tmp\\"" | tee -a $LOGFILE
done

cat  $HOME/.ssh/known_hosts.tmp >> $HOME/.ssh/known_hosts | tee -a $LOGFILE
cat  $HOME/.ssh/authorized_keys.tmp >> $HOME/.ssh/authorized_keys | tee -a $LOGFILE
  # Added chmod to fix BUG NO 5238814
chmod 644 $HOME/.ssh/authorized_keys
  # Fix for BUG NO 5157782
chmod 644 $HOME/.ssh/config
rm -f  $HOME/.ssh/known_hosts.tmp $HOME/.ssh/authorized_keys.tmp | tee -a $LOGFILE
echo SSH setup is complete. | tee -a $LOGFILE
fi
fi

echo                                                                          | tee -a $LOGFILE
echo ------------------------------------------------------------------------ | tee -a $LOGFILE
echo Verifying SSH setup | tee -a $LOGFILE
echo =================== | tee -a $LOGFILE
echo The script will now run the 'date' command on the remote nodes using ssh | tee -a $LOGFILE
echo to verify if ssh is setup correctly. IF THE SETUP IS CORRECTLY SETUP,  | tee -a $LOGFILE
echo THERE SHOULD BE NO OUTPUT OTHER THAN THE DATE AND SSH SHOULD NOT ASK FOR | tee -a $LOGFILE
echo PASSWORDS. If you see any output other than date or are prompted for the | tee -a $LOGFILE
echo password, ssh is not setup correctly and you will need to resolve the  | tee -a $LOGFILE
echo issue and set up ssh again. | tee -a $LOGFILE
echo The possible causes for failure could be:  | tee -a $LOGFILE
echo   1. The server settings in /etc/ssh/sshd_config file do not allow ssh | tee -a $LOGFILE
echo      for user $USR. | tee -a $LOGFILE
echo   2. The server may have disabled public key based authentication.
echo   3. The client public key on the server may be outdated.
echo   4. ~$USR or  ~$USR/.ssh on the remote host may not be owned by $USR.  | tee -a $LOGFILE
echo   5. User may not have passed -shared option for shared remote users or | tee -a $LOGFILE
echo     may be passing the -shared option for non-shared remote users.  | tee -a $LOGFILE
echo   6. If there is output in addition to the date, but no password is asked, | tee -a $LOGFILE
echo   it may be a security alert shown as part of company policy. Append the | tee -a $LOGFILE
echo   "additional text to the <OMS HOME>/sysman/prov/resources/ignoreMessages.txt file." | tee -a $LOGFILE
echo ------------------------------------------------------------------------ | tee -a $LOGFILE
  # read -t 30 dummy
  for host in $HOSTS
  do
    echo --$host:-- | tee -a $LOGFILE

     echo Running $SSH -x -l $USR $host date to verify SSH connectivity has been setup from local host to $host.  | tee -a $LOGFILE
     echo "IF YOU SEE ANY OTHER OUTPUT BESIDES THE OUTPUT OF THE DATE COMMAND OR IF YOU ARE PROMPTED FOR A PASSWORD HERE, IT MEANS SSH SETUP HAS NOT BEEN SUCCESSFUL. Please note that being prompted for a passphrase may be OK but being prompted for a password is ERROR." | tee -a $LOGFILE
     if [[ $PASSPHRASE = "yes" ]]
     then
       echo "The script will run SSH on the remote machine $host. The user may be prompted for a passphrase here in case the private key has been encrypted with a passphrase." | tee -a $LOGFILE
     fi
     $SSH -l $USR $host "/bin/sh -c date"  | tee -a $LOGFILE
echo ------------------------------------------------------------------------ | tee -a $LOGFILE
  done


if [[ $EXHAUSTIVE_VERIFY = "true" ]]
then
   for clienthost in $HOSTS
   do

      if [[ $SHARED = "true" ]]
      then
         REMOTESSH="$SSH -i .ssh/${IDENTITY}_${clienthost}"
      else
         REMOTESSH=$SSH
      fi

      for serverhost in  $HOSTS
      do
         echo ------------------------------------------------------------------------ | tee -a $LOGFILE
         echo Verifying SSH connectivity has been setup from $clienthost to $serverhost  | tee -a $LOGFILE
         echo ------------------------------------------------------------------------ | tee -a $LOGFILE
         echo "IF YOU SEE ANY OTHER OUTPUT BESIDES THE OUTPUT OF THE DATE COMMAND OR IF YOU ARE PROMPTED FOR A PASSWORD HERE, IT MEANS SSH SETUP HAS NOT BEEN SUCCESSFUL."  | tee -a $LOGFILE
         $SSH -l $USR $clienthost "$REMOTESSH $serverhost \\"/bin/sh -c date\\""  | tee -a $LOGFILE
         echo ------------------------------------------------------------------------ | tee -a $LOGFILE
      done
       echo -Verification from $clienthost complete- | tee -a $LOGFILE
   done
else
   if [[ $ADVANCED = "true" ]]
   then
      if [[ $SHARED = "true" ]]
      then
         REMOTESSH="$SSH -i .ssh/${IDENTITY}_${firsthost}"
      else
         REMOTESSH=$SSH
      fi
     for host in $HOSTS
     do
         echo ------------------------------------------------------------------------ | tee -a $LOGFILE
        echo Verifying SSH connectivity has been setup from $firsthost to $host  | tee -a $LOGFILE
        echo "IF YOU SEE ANY OTHER OUTPUT BESIDES THE OUTPUT OF THE DATE COMMAND OR IF YOU ARE PROMPTED FOR A PASSWORD HERE, IT MEANS SSH SETUP HAS NOT BEEN SUCCESSFUL." | tee -a $LOGFILE
       $SSH -l $USR $firsthost "$REMOTESSH $host \\"/bin/sh -c date\\"" | tee -a $LOGFILE
         echo ------------------------------------------------------------------------ | tee -a $LOGFILE
    done
    echo -Verification from $clienthost complete- | tee -a $LOGFILE
  fi
fi
echo "SSH verification complete." | tee -a $LOGFILE

Add this to /etc/ssh/sshrc to get the magic cookies added automatically

if read proto cookie && [[ -n "$DISPLAY" ]]; then
    if [[ `echo $DISPLAY | cut -c1-10` = 'localhost:' ]]; then
        # X11UseLocalhost=yes
        echo add unix:`echo $DISPLAY |
        cut -c11-` $proto $cookie
    else
        # X11UseLocalhost=no
        echo add $DISPLAY $proto $cookie
    fi | xauth -q -
fi

Some stuff I did to get tunnels open to an Oracle server - didn't work yet

(0)bey9at77@my_PC:/home/bey9at77/scripts> telnet 207.129.217.26 22
Trying 207.129.217.26...
Connected to 207.129.217.26.
Escape character is '^]]'.
SSH-2.0-OpenSSH_6.0
^C
Connection closed by foreign host.
(0)bey9at77@my_PC:/home/bey9at77/scripts> netstat -an  | grep 207
tcp        0      0 9.36.153.84:32904           9.36.207.26:22              ESTABLISHED
unix  3      [[ ]]         STREAM     CONNECTED     20726525 /home/bey9at77/.pulse/202b121052083db8500c6fc00000001c-runtime/native
unix  3      [[ ]]         STREAM     CONNECTED     20726524
unix  3      [[ ]]         STREAM     CONNECTED     5037207 /home/bey9at77/.pulse/202b121052083db8500c6fc00000001c-runtime/native

(0)bey9at77@my_PC:/home/bey9at77/scripts> /sbin/ifconfig
eth1      Link encap:Ethernet  HWaddr 00:21:CC:65:A3:65
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:1250962 errors:0 dropped:0 overruns:0 frame:0
          TX packets:975839 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:823202227 (785.0 MiB)  TX bytes:187253577 (178.5 MiB)
          Interrupt:20 Memory:f2500000-f2520000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:548763 errors:0 dropped:0 overruns:0 frame:0
          TX packets:548763 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:275281528 (262.5 MiB)  TX bytes:275281528 (262.5 MiB)

virbr0    Link encap:Ethernet  HWaddr 52:54:00:FD:BE:C9
          inet addr:192.168.122.1  Bcast:192.168.122.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:119495 errors:0 dropped:0 overruns:0 frame:0
          TX packets:173181 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:11358048 (10.8 MiB)  TX bytes:188176715 (179.4 MiB)

(0)bey9at77@my_PC:/home/bey9at77/scripts> sudo iptables -L
[[sudo]] password for bey9at77:
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:microsoft-ds
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:netbios-ssn
ACCEPT     udp  --  anywhere             anywhere            udp dpt:netbios-dgm
ACCEPT     udp  --  anywhere             anywhere            udp dpt:netbios-ns
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:microsoft-ds
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:netbios-ssn
ACCEPT     udp  --  anywhere             anywhere            udp dpt:netbios-dgm
ACCEPT     udp  --  anywhere             anywhere            udp dpt:netbios-ns
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere            state RELATED,ESTABLISHED
REJECT     tcp  --  anywhere             anywhere            tcp dpt:auth reject-with icmp-port-unreachable
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:cfengine
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:vnc-server
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:5901
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:5656
ACCEPT     udp  --  anywhere             anywhere            udp dpts:avt-profile-1:avt-profile-2
ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:avt-profile-1:avt-profile-2
ACCEPT     udp  --  anywhere             anywhere            udp dpt:20830
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:20830
ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:sip:na-localise
ACCEPT     udp  --  anywhere             anywhere            udp dpts:sip:na-localise
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:12080
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:21100
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:dc
ACCEPT     udp  --  anywhere             anywhere            udp dpt:wizard
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:isakmp
ACCEPT     254  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            icmp source-quench
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere            icmp router-advertisement
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:tproxy
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:virtual-places
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:52311
ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:30000:30005
DROP       tcp  --  anywhere             anywhere            tcp dpts:bootps:bootpc
DROP       udp  --  anywhere             anywhere            udp dpts:bootps:bootpc
DROP       tcp  --  anywhere             anywhere            tcp dpt:netbios-ns
DROP       udp  --  anywhere             anywhere            udp dpt:netbios-ns
DROP       tcp  --  anywhere             anywhere            tcp dpt:netbios-dgm
DROP       udp  --  anywhere             anywhere            udp dpt:netbios-dgm
DROP       tcp  --  anywhere             anywhere            tcp dpt:netbios-ssn
DROP       udp  --  anywhere             anywhere            udp dpt:netbios-ssn
DROP       tcp  --  anywhere             anywhere            tcp dpts:tcpmux:ftp-data
DROP       tcp  --  anywhere             anywhere            tcp dpt:sunrpc
DROP       tcp  --  anywhere             anywhere            tcp dpts:snmp:snmptrap
DROP       tcp  --  anywhere             anywhere            tcp dpt:efs
DROP       tcp  --  anywhere             anywhere            tcp dpts:6348:6349
DROP       tcp  --  anywhere             anywhere            tcp dpts:6345:gnutella-rtr
ACCEPT     tcp  --  anywhere             192.168.122.1       tcp dpt:microsoft-ds
ACCEPT     tcp  --  anywhere             192.168.122.1       tcp dpt:proxima-lm
ACCEPT     tcp  --  anywhere             192.168.123.1       tcp dpt:microsoft-ds
ACCEPT     tcp  --  anywhere             192.168.123.1       tcp dpt:proxima-lm
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:48500
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:48500
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level info prefix `FIREWALL: '
LOG        udp  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level info prefix `FIREWALL: '
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT     all  --  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             192.168.123.0/24    state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.123.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
(0)bey9at77@my_PC:/home/bey9at77/scripts> ssh -L 1521:localhost:1521 207.129.217.26
The authenticity of host '207.129.217.26 (207.129.217.26)' can't be established.
RSA key fingerprint is 2d:70:2e:b4:12:48:e9:20:fd:b0:de:b1:b4:67:41:1f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '207.129.217.26' (RSA) to the list of known hosts.
[email protected]'s password:

(0)bey9at77@my_PC:/home/bey9at77/scripts> ssh -L 1521:localhost:9099 ehemgtaix -N
The authenticity of host 'ehemgtaix (207.129.107.120)' can't be established.
RSA key fingerprint is 63:0a:a8:27:99:1f:32:73:8e:94:22:cd:80:b3:73:10.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'ehemgtaix,207.129.107.120' (RSA) to the list of known hosts.
bey9at77@ehemgtaix's password:

(0)bey9at77@my_PC:/home/bey9at77/scripts> ssh -L 1521:192.168.122.1:9099 exs4bars@ehemgtaix -N
channel 1: open failed: connect failed: A remote host did not respond within the timeout period.
channel 2: open failed: connect failed: A remote host did not respond within the timeout period.
Connection to ehemgtaix closed by remote host.
You have new mail in /var/spool/mail/bey9at77

(0)bey9at77@my_PC:/home/bey9at77/scripts> ssh 192.168.122.1 -p 1521
ssh: connect to host 192.168.122.1 port 1521: Connection refused

(0)bey9at77@my_PC:/home/bey9at77/scripts> sudo iptables -A INPUT -i virbr0 -p tcp --dport 1521 -j ACCEPT
[[sudo]] password for bey9at77:
(0)bey9at77@my_PC:/home/bey9at77/scripts> ssh 192.168.122.1 -p 1521
ssh: connect to host 192.168.122.1 port 1521: Connection refused

(0)bey9at77@my_PC:/home/bey9at77/scripts> sudo iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:microsoft-ds
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:netbios-ssn
ACCEPT     udp  --  anywhere             anywhere            udp dpt:netbios-dgm
ACCEPT     udp  --  anywhere             anywhere            udp dpt:netbios-ns
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:microsoft-ds
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:netbios-ssn
ACCEPT     udp  --  anywhere             anywhere            udp dpt:netbios-dgm
ACCEPT     udp  --  anywhere             anywhere            udp dpt:netbios-ns
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere            state RELATED,ESTABLISHED
REJECT     tcp  --  anywhere             anywhere            tcp dpt:auth reject-with icmp-port-unreachable
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:cfengine
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:vnc-server
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:5901
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:5656
ACCEPT     udp  --  anywhere             anywhere            udp dpts:avt-profile-1:avt-profile-2
ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:avt-profile-1:avt-profile-2
ACCEPT     udp  --  anywhere             anywhere            udp dpt:20830
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:20830
ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:sip:na-localise
ACCEPT     udp  --  anywhere             anywhere            udp dpts:sip:na-localise
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:12080
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:21100
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:dc
ACCEPT     udp  --  anywhere             anywhere            udp dpt:wizard
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:isakmp
ACCEPT     254  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            icmp source-quench
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere            icmp router-advertisement
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:tproxy
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:virtual-places
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:52311
ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:30000:30005
DROP       tcp  --  anywhere             anywhere            tcp dpts:bootps:bootpc
DROP       udp  --  anywhere             anywhere            udp dpts:bootps:bootpc
DROP       tcp  --  anywhere             anywhere            tcp dpt:netbios-ns
DROP       udp  --  anywhere             anywhere            udp dpt:netbios-ns
DROP       tcp  --  anywhere             anywhere            tcp dpt:netbios-dgm
DROP       udp  --  anywhere             anywhere            udp dpt:netbios-dgm
DROP       tcp  --  anywhere             anywhere            tcp dpt:netbios-ssn
DROP       udp  --  anywhere             anywhere            udp dpt:netbios-ssn
DROP       tcp  --  anywhere             anywhere            tcp dpts:tcpmux:ftp-data
DROP       tcp  --  anywhere             anywhere            tcp dpt:sunrpc
DROP       tcp  --  anywhere             anywhere            tcp dpts:snmp:snmptrap
DROP       tcp  --  anywhere             anywhere            tcp dpt:efs
DROP       tcp  --  anywhere             anywhere            tcp dpts:6348:6349
DROP       tcp  --  anywhere             anywhere            tcp dpts:6345:gnutella-rtr
ACCEPT     tcp  --  anywhere             192.168.122.1       tcp dpt:microsoft-ds
ACCEPT     tcp  --  anywhere             192.168.122.1       tcp dpt:proxima-lm
ACCEPT     tcp  --  anywhere             192.168.123.1       tcp dpt:microsoft-ds
ACCEPT     tcp  --  anywhere             192.168.123.1       tcp dpt:proxima-lm
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:48500
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:48500
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level info prefix `FIREWALL: '
LOG        udp  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level info prefix `FIREWALL: '
DROP       all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ncube-lm

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT     all  --  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             192.168.123.0/24    state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.123.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
(0)bey9at77@my_PC:/home/bey9at77/scripts> grep 1521 /etc/services
ncube-lm        1521/tcp                # nCube License Manager
ncube-lm        1521/udp                # nCube License Manager
(0)bey9at77@my_PC:/home/bey9at77/scripts> sudo iptables -n -L -v --line-numbers
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     udp  --  virbr1 *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
2        0     0 ACCEPT     tcp  --  virbr1 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
3        0     0 ACCEPT     udp  --  virbr1 *       0.0.0.0/0            0.0.0.0/0           udp dpt:67
4        0     0 ACCEPT     tcp  --  virbr1 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:67
5     6665  477K ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
6        0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
7      110 36134 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           udp dpt:67
8        0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:67
9        0     0 ACCEPT     tcp  --  virbr1 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:445
10       0     0 ACCEPT     tcp  --  virbr1 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:139
11       0     0 ACCEPT     udp  --  virbr1 *       0.0.0.0/0            0.0.0.0/0           udp dpt:138
12       0     0 ACCEPT     udp  --  virbr1 *       0.0.0.0/0            0.0.0.0/0           udp dpt:137
13       0     0 ACCEPT     tcp  --  virbr1 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:67
14       0     0 ACCEPT     udp  --  virbr1 *       0.0.0.0/0            0.0.0.0/0           udp dpt:67
15       0     0 ACCEPT     tcp  --  virbr1 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
16       0     0 ACCEPT     udp  --  virbr1 *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
17       0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:445
18       0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:139
19       0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           udp dpt:138
20       0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           udp dpt:137
21       0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:67
22       0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           udp dpt:67
23       0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
24       0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
25    640K  300M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
26   1526K 1015M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
27   33099 3880K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
28       0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:113 reject-with icmp-port-unreachable
29       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:5308
30       3   152 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
31       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:5900
32       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:5901
33       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443
34       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:5656
35       0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:5004:5005
36       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:5004:5005
37       0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:20830
38       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:20830
39       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:5060:5062
40       0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:5060:5062
41       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:12080
42       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:53
43       0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:53
44       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21
45       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:21100
46       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:2001
47       0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:2001
48       0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
49       0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
50       0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:500
51       0     0 ACCEPT     254  --  ipsec+ *       0.0.0.0/0            0.0.0.0/0
52      37  3310 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 3
53       0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 4
54     912 61240 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 11
55       0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 12
56       0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 9
57    3746  225K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8
58      93  4400 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 0
59       0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:631
60       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:8081
61       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1533
62     160  8120 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:52311
63       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:30000:30005
64       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:67:68
65    2175  714K DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:67:68
66       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:137
67   71334 5594K DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:137
68       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:138
69    4358  974K DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:138
70       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:139
71       0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:139
72       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:1:20
73       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:111
74       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:161:162
75       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:520
76       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:6348:6349
77       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:6345:6347
78       0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            192.168.122.1       tcp dpt:445
79       0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            192.168.122.1       tcp dpt:1445
80       0     0 ACCEPT     tcp  --  virbr1 *       0.0.0.0/0            192.168.123.1       tcp dpt:445
81       0     0 ACCEPT     tcp  --  virbr1 *       0.0.0.0/0            192.168.123.1       tcp dpt:1445
82    1222 63544 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:48500
83       0     0 ACCEPT     tcp  --  virbr1 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:48500
84    3878  177K LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 0 level 6 prefix `FIREWALL: '
85    6981  648K LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 0 level 6 prefix `FIREWALL: '
86   47429 4007K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
87       0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1521

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  virbr1 virbr1  0.0.0.0/0            0.0.0.0/0
2        0     0 REJECT     all  --  *      virbr1  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
3        0     0 REJECT     all  --  virbr1 *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
4     116K  183M ACCEPT     all  --  *      virbr0  0.0.0.0/0            192.168.122.0/24    state RELATED,ESTABLISHED
5    95393 9448K ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/0
6        0     0 ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0
7        0     0 REJECT     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
8        0     0 REJECT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
9        0     0 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU
10       0     0 ACCEPT     all  --  *      virbr0  0.0.0.0/0            192.168.122.0/24    state RELATED,ESTABLISHED
11       0     0 ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/0
12       0     0 ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0
13       0     0 REJECT     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
14       0     0 REJECT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
15       0     0 ACCEPT     all  --  *      virbr1  0.0.0.0/0            192.168.123.0/24    state RELATED,ESTABLISHED
16       0     0 ACCEPT     all  --  virbr1 *       192.168.123.0/24     0.0.0.0/0
17       0     0 ACCEPT     all  --  virbr1 virbr1  0.0.0.0/0            0.0.0.0/0
18       0     0 REJECT     all  --  *      virbr1  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
19       0     0 REJECT     all  --  virbr1 *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 2917 packets, 253K bytes)
num   pkts bytes target     prot opt in     out     source               destination
(0)bey9at77@my_PC:/home/bey9at77/scripts> sudo iptables -I INPUT 78 -i virbr0 -p tcp --dport 1521 -j ACCEPT
(0)bey9at77@my_PC:/home/bey9at77/scripts> sudo iptables -n -L -v --line-numbers
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     udp  --  virbr1 *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
2        0     0 ACCEPT     tcp  --  virbr1 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
3        0     0 ACCEPT     udp  --  virbr1 *       0.0.0.0/0            0.0.0.0/0           udp dpt:67
4        0     0 ACCEPT     tcp  --  virbr1 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:67
5     6670  477K ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
6        0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
7      111 36462 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           udp dpt:67
8        0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:67
9        0     0 ACCEPT     tcp  --  virbr1 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:445
10       0     0 ACCEPT     tcp  --  virbr1 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:139
11       0     0 ACCEPT     udp  --  virbr1 *       0.0.0.0/0            0.0.0.0/0           udp dpt:138
12       0     0 ACCEPT     udp  --  virbr1 *       0.0.0.0/0            0.0.0.0/0           udp dpt:137
13       0     0 ACCEPT     tcp  --  virbr1 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:67
14       0     0 ACCEPT     udp  --  virbr1 *       0.0.0.0/0            0.0.0.0/0           udp dpt:67
15       0     0 ACCEPT     tcp  --  virbr1 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
16       0     0 ACCEPT     udp  --  virbr1 *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
17       0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:445
18       0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:139
19       0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           udp dpt:138
20       0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           udp dpt:137
21       0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:67
22       0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           udp dpt:67
23       0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
24       0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
25    642K  300M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
26   1526K 1015M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
27   33107 3881K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
28       0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:113 reject-with icmp-port-unreachable
29       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:5308
30       3   152 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
31       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:5900
32       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:5901
33       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443
34       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:5656
35       0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:5004:5005
36       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:5004:5005
37       0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:20830
38       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:20830
39       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:5060:5062
40       0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:5060:5062
41       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:12080
42       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:53
43       0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:53
44       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21
45       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:21100
46       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:2001
47       0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:2001
48       0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
49       0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
50       0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:500
51       0     0 ACCEPT     254  --  ipsec+ *       0.0.0.0/0            0.0.0.0/0
52      37  3310 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 3
53       0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 4
54     912 61240 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 11
55       0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 12
56       0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 9
57    3749  225K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8
58      93  4400 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 0
59       0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:631
60       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:8081
61       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1533
62     160  8120 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:52311
63       0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:30000:30005
64       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:67:68
65    2175  714K DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:67:68
66       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:137
67   71334 5594K DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:137
68       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:138
69    4358  974K DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:138
70       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:139
71       0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:139
72       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:1:20
73       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:111
74       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:161:162
75       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:520
76       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:6348:6349
77       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:6345:6347
78       0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1521
79       0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            192.168.122.1       tcp dpt:445
80       0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            192.168.122.1       tcp dpt:1445
81       0     0 ACCEPT     tcp  --  virbr1 *       0.0.0.0/0            192.168.123.1       tcp dpt:445
82       0     0 ACCEPT     tcp  --  virbr1 *       0.0.0.0/0            192.168.123.1       tcp dpt:1445
83    1223 63596 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:48500
84       0     0 ACCEPT     tcp  --  virbr1 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:48500
85    3879  177K LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 0 level 6 prefix `FIREWALL: '
86    6981  648K LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 0 level 6 prefix `FIREWALL: '
87   47430 4007K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
88       0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1521

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  virbr1 virbr1  0.0.0.0/0            0.0.0.0/0
2        0     0 REJECT     all  --  *      virbr1  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
3        0     0 REJECT     all  --  virbr1 *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
4     116K  183M ACCEPT     all  --  *      virbr0  0.0.0.0/0            192.168.122.0/24    state RELATED,ESTABLISHED
5    95444 9455K ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/0
6        0     0 ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0
7        0     0 REJECT     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
8        0     0 REJECT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
9        0     0 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU
10       0     0 ACCEPT     all  --  *      virbr0  0.0.0.0/0            192.168.122.0/24    state RELATED,ESTABLISHED
11       0     0 ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/0
12       0     0 ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0
13       0     0 REJECT     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
14       0     0 REJECT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
15       0     0 ACCEPT     all  --  *      virbr1  0.0.0.0/0            192.168.123.0/24    state RELATED,ESTABLISHED
16       0     0 ACCEPT     all  --  virbr1 *       192.168.123.0/24     0.0.0.0/0
17       0     0 ACCEPT     all  --  virbr1 virbr1  0.0.0.0/0            0.0.0.0/0
18       0     0 REJECT     all  --  *      virbr1  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
19       0     0 REJECT     all  --  virbr1 *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 73 packets, 5937 bytes)
num   pkts bytes target     prot opt in     out     source               destination
(0)bey9at77@my_PC:/home/bey9at77/scripts> ssh 192.168.122.1 -p 1521
ssh: connect to host 192.168.122.1 port 1521: Connection refused

Table of Contents

Automaticallt start ssh agent and add keys on login

Some common options for ssh-keygen ( OpenSSH)

(Re)create known_hosts file

Generate a new key pair

Copying the Public Key to the Server

Given a private key, check which public key matches it

Given a private key, regenerate the public key

Use openssl to convert an ssh format private key to pem format (neatly justified and with header and trailer lines)

Use openssl to generate a public key in pem format from a pem format private key

How to set up SSH so I don't have to type a password

scp files to server adding automatically to known_hosts

Problems?

Client is still asking for password even though keys are setup?

Create a local tunnel

References

Use openssl to encrypt or decrypt a file

Get their public key

Generate a 256 bit (32 byte) random key

Encrypt the key

Actually Encrypt our large file

Send/Decrypt the files

Start an OpenVPN client manually from the command-line

Connect to a server manually using OpenVPN from the command-line

Tunneling

References

Regenerate a public key from a private key

A small script (seems to originate from Oracle) that sets up ssh keys between 2 machines

A bigger (more elaborate) script that I also found embedded in an Oracle setup

Add this to /etc/ssh/sshrc to get the magic cookies added automatically