admin:linux:cli:ssh

OpenSSH

ssh -p port user@server

force a TTY and run a plain shell (the login shell's bashrc/profile are not executed)

ssh -t username@hostname /bin/sh

don't use keys (force keyboard-interactive authentication; use PreferredAuthentications=password if the server only offers plain password authentication)

ssh user@server -o PreferredAuthentications=keyboard-interactive

disable the ssh agent

export SSH_AUTH_SOCK=""; ssh user@server

Never disclose your private key (also called privkey) to anybody! It's private. A public key (also called pubkey) is used to identify you on a remote system and you can copy it to any system you want to authenticate with.

ssh-keygen -t ed25519 -f ~/.ssh/new_key

You will find two files in your ~/.ssh/ directory: new_key (your private key) and new_key.pub (your public key).

regenerate the public key from a private key

ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub

remove a stale host key from known_hosts (after a server reinstall or host key change)

ssh-keygen -f ~/.ssh/known_hosts -R servername/ip

~/.ssh/config
Host arbitraryhostname
  HostName realhostnameorIPhere
  User usernamehere
  Port 12345

more ideas: http://nerderati.com/2011/03/17/simplify-your-life-with-an-ssh-config-file/

password-less authentication

  • Standard key is ~/.ssh/id_rsa.pub (or ~/.ssh/id_ed25519.pub for a key generated as above)
  • copy with ssh-copy-id -p port user@server (ssh-copy-id takes the port as -p; user@server:port is not understood)
  • Alternative:
    cat ~/.ssh/id_rsa.pub | ssh user@server "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"

The chmods matter: with StrictModes yes (see the sshd_config below) sshd refuses a ~/.ssh or authorized_keys that is group- or world-writable.
/etc/ssh/sshd_config
Port 12345
#ListenAddress ::
#ListenAddress 0.0.0.0
# Protocol 1 was removed in OpenSSH 7.4. Protocol, KeyRegenerationInterval,
# ServerKeyBits, RSAAuthentication and RhostsRSAAuthentication only concerned
# it; current sshd ignores them (logging a "Deprecated option" warning for most).
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
# ssh-dss host keys are disabled by default since OpenSSH 7.0
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# always on (and deprecated as an option) since OpenSSH 7.5
UsePrivilegeSeparation yes
 
KeyRegenerationInterval 3600
ServerKeyBits 768
 
SyslogFacility AUTH
LogLevel INFO
 
LoginGraceTime 60
# without-password is the old name of prohibit-password: root may only log in with a key
PermitRootLogin without-password
# refuse ~/.ssh and authorized_keys that are group- or world-writable
StrictModes yes
 
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile	%h/.ssh/authorized_keys
IgnoreRhosts yes
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
#IgnoreUserKnownHosts yes
PermitEmptyPasswords no
# renamed KbdInteractiveAuthentication in OpenSSH 8.7; the old name still works
ChallengeResponseAuthentication no
# commented out means the default (yes): set it to no once key login works
#PasswordAuthentication yes
 
# only needed if you actually run X programs over SSH; otherwise set to no
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes

Security

  • use `sshguard` instead of `fail2ban`

SFTP

/etc/ssh/sshd_config
Subsystem sftp internal-sftp
 
# Match blocks go at the end of the file: every option after a Match line
# belongs to that block until the next Match.
Match Group sftponly
 ForceCommand internal-sftp
 ChrootDirectory /wwwhome
 # no tunnelling out of the chroot
 AllowTcpForwarding no
 X11Forwarding no

The ChrootDirectory (and every directory above it) must be owned by root and must not be writable by group or others, e.g. root:sftponly with chmod 750; otherwise sshd refuses the login.

Local port forwarding: to reach targetcomputer:targetport (as reachable from the SSH server ssh-computername) on your own localhost:8888:

ssh -L 8888:targetcomputer:targetport ssh-computername -N

With ssh -L 8888:webserver:80 dmz-server -N you can make a web server that is only reachable inside the destination network available on localhost:8888.

If you want to reverse tunnel a connection (i.e. make a local port available to connect to from the outside via the destination host), use -R:

ssh -R '*:80:localhost:8080' destination -N

This makes your local port 8080 reachable as port 80 on destination. The listener only binds to all interfaces if GatewayPorts yes is set in the sshd_config on destination (a client-side -o GatewayPorts only affects -L/-D listeners), and you also have to open the firewall on the remote machine.

You can pipe to/from SSH. (source)

remote to local

ssh user@server 'echo 0' | cat - > echo.out

local to remote

echo 0 | ssh user@server 'cat - > echo.out'

The command-line tool ssh should be installed already. If it isn't, consult your package manager and install the OpenSSH package.

On Windows, the recommended shell is msys2, installable through Chocolatey. If you want to transfer files with a GUI, you can use WinSCP. Don't use PuTTY, it's old and slow. If you absolutely must use a GUI tool, KiTTY is the better alternative.

OpenSSH server is available for Windows and you can even use PowerShell through it.

If your SSH session doesn't close cleanly on reboot or shutdown, you are probably missing either a timeout in the sshd config or the systemd integration that terminates the session cleanly.

remedy 1: install libpam-systemd

Debian:

apt install libpam-systemd dbus

Check that you actually use the PAM module:

/etc/ssh/sshd_config
UsePAM yes

remedy 2: enable sshd session cleanup

cp /usr/share/doc/openssh-client/examples/ssh-session-cleanup.service /etc/systemd/system/
systemctl enable ssh-session-cleanup.service

remedy 3: set a timeout in your client (ServerAliveInterval and ServerAliveCountMax in ~/.ssh/config)

  • Last modified: 2020-04-02 10:13