# OpenSSH

## connect to server

```
ssh -p port user@server
```

## allocate new TTY/shell, don't execute bashrc/profile

```
ssh -t username@hostname /bin/sh
```

## don't use keys

```
ssh user@server -o PreferredAuthentications=keyboard-interactive
# or:
ssh user@server -o PreferredAuthentications=password
```

## disable the ssh agent

```
export SSH_AUTH_SOCK=""; ssh user@server
```

## Key handling

Never disclose your private key (also called privkey) to anybody! It's private. A public key (also called pubkey) is used to identify you on a remote system, and you can copy it to any system you want to authenticate with.

### generate private/public key pair

```
ssh-keygen -t ed25519 -f ~/.ssh/new_key
```

You will find two files in your ~/.ssh/ directory: new_key (your private key) and new_key.pub (your public key).

### generate pubkey from private key

```
ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub
```

### remove trusted host key (e.g. if an offending host key was detected)

```
ssh-keygen -f ".ssh/known_hosts" -R servername/ip
```

## Configuration

### Client

~/.ssh/config:

```
Host arbitraryhostname
    HostName realhostnameorIPhere
    User usernamehere
    Port 12345
```

more ideas: http://nerderati.com/2011/03/17/simplify-your-life-with-an-ssh-config-file/

### password-less authentication

The standard key is ~/.ssh/id_rsa.pub. Copy it to the server with

```
ssh-copy-id -p port user@server
```

(ssh-copy-id takes the port with `-p`, not in the host argument.)

ssh-copy-id script: https://gist.github.com/vamf12/1639381

Alternative:

```
cat ~/.ssh/id_rsa.pub | ssh user@server "mkdir ~/.ssh; cat >> ~/.ssh/authorized_keys"
```

### Server

/etc/ssh/sshd_config:

```
Port 12345
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 768
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 60
PermitRootLogin without-password
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
IgnoreRhosts yes
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
#IgnoreUserKnownHosts yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
#PasswordAuthentication yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
```

## Security

use `sshguard` instead of `fail2ban`

## SFTP

/etc/ssh/sshd_config:

```
Subsystem sftp internal-sftp
Match Group sftponly
    ForceCommand internal-sftp
    ChrootDirectory /wwwhome
```

The ChrootDirectory must have chmod 750 and be owned by root:sftponly!
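The "Alternative" one-liner in the password-less authentication section above leaves the modes of ~/.ssh and authorized_keys to the login shell's umask, which the `StrictModes yes` in the server config will punish by ignoring the file if it ends up group- or world-writable, and it appends the same key again on every run. As an added example that is not from this wiki page, a POSIX sh function that performs the same install with fixed permissions and without duplicates (the name install_pubkey and the key line in the usage comment are this example's own):

```sh
#!/bin/sh
# Added example, not from the wiki page: install a public key into a user's
# authorized_keys with the permissions StrictModes expects, without duplicates.
# The page's one-liner (mkdir ~/.ssh; cat >> ~/.ssh/authorized_keys) leaves the
# modes to the umask and appends the same key again on every run.
#
# install_pubkey <home-dir>     reads one public-key line from stdin
# (install_pubkey is this example's name, not an OpenSSH tool)
install_pubkey() {
    key_dir="$1/.ssh"
    auth_keys="$key_dir/authorized_keys"

    # Read exactly the key line we were piped; refuse to install an empty key.
    key_line=$(cat)
    [ -n "$key_line" ] || { echo "install_pubkey: no key on stdin" >&2; return 1; }

    # ~/.ssh must be 0700 and authorized_keys 0600 (at least not group/world
    # writable), otherwise sshd with StrictModes yes ignores the file.
    mkdir -p -m 0700 "$key_dir"
    chmod 0700 "$key_dir"
    touch "$auth_keys"
    chmod 0600 "$auth_keys"

    # A key is identified by type + base64 blob; the comment field may differ
    # between copies, so compare only the first two fields. (Lines that start
    # with key options such as from="..." are not matched by this check.)
    key_id=$(printf '%s\n' "$key_line" | awk '{print $1, $2}')
    if awk '{print $1, $2}' "$auth_keys" | grep -qxF "$key_id"; then
        return 0   # already installed, nothing to do
    fi
    printf '%s\n' "$key_line" >> "$auth_keys"
}

# Usage on the server (e.g. after copying this file there):
#   install_pubkey "$HOME" < new_key.pub
```

Run it on the server side; from the client you can still feed the key through ssh exactly like the page's pipe example, as long as the function is available in the remote shell.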
## Tunnel

If you want to connect to targetcomputer on targetport via your SSH computer through localhost:

```
ssh -L 8888:targetcomputer:targetport ssh-computername -N
```

With

```
ssh -L 8888:webserver:80 dmz-server -N
```

you can make a webserver which is only available in the destination network available on localhost:8888.

If you want to reverse tunnel a connection (i.e. make the destination port available to connect from the outside), you can use

```
ssh -o "GatewayPorts=yes" -L 80:localhost:8080 destination -N
```

This will forward the remote port 8080 to the local port 80 (with GatewayPorts=yes the local port is bound on all interfaces, not only on loopback). Keep in mind you also have to open the firewall on the remote machine.

## Pipes

You can pipe to/from SSH. (Source)

### remote to local

```
ssh user@server 'echo 0' | cat - > echo.out
```

### local to remote

```
echo 0 | ssh user@server 'cat - > echo.out'
```

## Software

### GNU/Linux

The command-line tool ssh should be installed already. If it isn't, consult your package manager and install the OpenSSH package.

### Windows

see the SSH on Windows wiki page

## Troubleshooting

### ssh connection doesn't close on shutdown

If your SSH session doesn't close on reboot or shutdown, you might lack a timeout in the OpenSSH server config or the corresponding systemd package, so the session doesn't get closed cleanly.

#### remedy 1: install libpam-systemd

Debian:

```
apt install libpam-systemd dbus
```

Check that you actually use the PAM module in /etc/ssh/sshd_config:

```
UsePAM=yes
```

#### remedy 2: enable sshd session cleanup

```
cp /usr/share/doc/openssh-client/examples/ssh-session-cleanup.service /etc/systemd/system/
systemctl enable ssh-session-cleanup.service
```

#### remedy 3: set a timeout in your client

~/.ssh/config:

```
Host *
    ServerAliveInterval 15
    ServerAliveCountMax 5
```

Last modified: 2023-01-12 12:22