====== OpenSSH ======

===== connect to server =====

<code bash>ssh -p port user@server</code>

=== allocate new TTY/shell, don't execute bashrc/profile ===

<code bash>ssh -t username@hostname /bin/sh</code>

=== don't use keys ===

<code bash>
ssh user@server -o PreferredAuthentications=keyboard-interactive
# or:
ssh user@server -o PreferredAuthentications=password
</code>

=== disable the ssh agent ===

<code bash>export SSH_AUTH_SOCK=""; ssh user@server</code>

===== Key handling =====

Never disclose your //private key// (also called //privkey//) to anybody! It's __private__. A //public key// (also called //pubkey//) is used to identify you on a remote system, and you can copy it to any system you want to authenticate with.

==== generate private/public key pair ====

<code bash>ssh-keygen -t ed25519 -f ~/.ssh/new_key</code>

You will find two files in your ''~/.ssh/'' directory: ''new_key'' (your private key) and ''new_key.pub'' (your public key).

==== generate pubkey from private key ====

<code bash>ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub</code>

==== remove trusted host key (e.g. if an offending host key was detected) ====

<code bash>ssh-keygen -f ~/.ssh/known_hosts -R servername-or-ip</code>

===== Configuration =====

==== Client ====

<file - ~/.ssh/config>
Host arbitraryhostname
    HostName realhostnameorIPhere
    User usernamehere
    Port 12345
</file>

more ideas: http://nerderati.com/2011/03/17/simplify-your-life-with-an-ssh-config-file/

=== password-less authentication ===

  * Standard key is ''~/.ssh/id_rsa.pub''
  * copy with ''ssh-copy-id -p port user@server''
  * ssh-copy-id script: https://gist.github.com/vamf12/1639381
  * Alternative: <code bash>cat ~/.ssh/id_rsa.pub | ssh user@server "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"</code>

==== Server ====

<file bash /etc/ssh/sshd_config>
Port 12345
#ListenAddress ::
#ListenAddress 0.0.0.0
# Protocol-1-era options: Protocol, KeyRegenerationInterval, ServerKeyBits,
# RSAAuthentication and RhostsRSAAuthentication are deprecated and ignored
# by OpenSSH 7.4 and later; UsePrivilegeSeparation since 7.5.
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
# DSA host keys are disabled by default since OpenSSH 7.0
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 768
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 60
# without-password is an alias of prohibit-password: root may log in with keys only
PermitRootLogin without-password
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
IgnoreRhosts yes
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
#IgnoreUserKnownHosts yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
#PasswordAuthentication yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
</file>

=== Security ===

  * use ''sshguard'' instead of ''fail2ban''

=== SFTP ===

<file conf /etc/ssh/sshd_config>
# replaces the "Subsystem sftp" line from the configuration above
Subsystem sftp internal-sftp
Match Group sftponly
    ForceCommand internal-sftp
    ChrootDirectory /wwwhome
</file>

The ChrootDirectory __must__ be ''chmod 750'' and owned ''root:sftponly''! sshd refuses to chroot into a directory that is not owned by root or that is writable by group or others.
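The password-less authentication one-liner and the StrictModes/ChrootDirectory ownership rules above, worked through as an added shell example (this is not code from the wiki page). ''install_pubkey'' creates ''~/.ssh'' and ''authorized_keys'' with the modes sshd expects under ''StrictModes yes'' and adds the key only once, so it can be re-run safely; ''mode_not_group_world_writable'' is the group/world-writable test sshd applies to a chroot directory and to the key files, and ''chroot_dir_ok'' adds the root-ownership requirement. Function names, the home directory argument and the key line used in testing are constructed for the example; it assumes GNU ''stat -c'' (Linux).

```shell
#!/bin/sh
# Added example, not from the wiki page. Assumes GNU coreutils (stat -c).

# Install one public-key line into $1/.ssh/authorized_keys the way sshd's
# StrictModes expects it: ~/.ssh mode 700, authorized_keys mode 600, and the
# key appended only if it is not already present (idempotent).
#   $1 = home directory of the target account, $2 = full public-key line
install_pubkey() {
    ssh_dir="$1/.ssh"
    auth_file="$ssh_dir/authorized_keys"
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth_file" && chmod 600 "$auth_file" || return 1
    # -x: whole-line match, -F: fixed string (the key line is not a regex)
    if ! grep -qxF -- "$2" "$auth_file"; then
        printf '%s\n' "$2" >> "$auth_file"
    fi
}

# Succeed when the path has neither the group nor the world write bit set.
# This is the condition sshd checks on a ChrootDirectory (together with root
# ownership) and, under StrictModes, on the home, ~/.ssh and authorized_keys.
#   $1 = file or directory
mode_not_group_world_writable() {
    mode=$(stat -c %a "$1") || return 1      # octal without leading zero, e.g. 750 or 2750
    g=$(( (mode / 10) % 10 ))                # group permission digit
    o=$(( mode % 10 ))                       # other permission digit
    [ $(( g & 2 )) -eq 0 ] && [ $(( o & 2 )) -eq 0 ]
}

# The complete ChrootDirectory rule from the SFTP section: owned by root and
# not writable by group or others (750 with root:sftponly satisfies it).
#   $1 = chroot directory
chroot_dir_ok() {
    [ "$(stat -c %U "$1")" = "root" ] && mode_not_group_world_writable "$1"
}

# Usage on a real account (placeholder path and key file):
#   install_pubkey /home/alice "$(cat ~/.ssh/id_ed25519.pub)"
#   chroot_dir_ok /wwwhome && echo "chroot permissions accepted by sshd"
```

Run it on the server side as root when preparing an account; on the client side the same function is what the ''cat ... | ssh ... "cat >> ~/.ssh/authorized_keys"'' alternative does by hand, minus the duplicate check.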
===== Tunnel =====

If you want to reach ''targetcomputer:targetport'' (reachable from your SSH server) through a port on your localhost:

<code bash>ssh -L 8888:targetcomputer:targetport ssh-computername -N</code>

With ''ssh -L 8888:webserver:80 dmz-server -N'' you can make a ''webserver'' which is only available in the destination network available on ''localhost:8888''.

If you want to reverse tunnel a connection (i.e. make the destination port available to connect from the outside), you can use

<code bash>ssh -o "GatewayPorts=yes" -L 80:localhost:8080 destination -N</code>

This will forward the remote port 8080 to the local 80. Because of ''GatewayPorts=yes'' the local port listens on all interfaces instead of only on loopback (and binding to port 80 requires root privileges). Keep in mind you also have to open the firewall on the remote machine.

===== Pipes =====

You can pipe to/from SSH. ([[http://linux.icydog.net/ssh/piping.php|Source]])

=== remote to local ===

<code bash>ssh user@server 'echo 0' | cat - > echo.out</code>

=== local to remote ===

<code bash>echo 0 | ssh user@server 'cat - > echo.out'</code>

===== Software =====

==== GNU/Linux ====

The command-line tool ''ssh'' should be installed already. If it isn't, consult your package manager and install the OpenSSH package.

==== Windows ====

see [[..:..:windows:ssh|SSH on Windows]] wiki page

===== Troubleshooting =====

==== ssh connection doesn't close on shutdown ====

If your SSH session doesn't close on reboot or shutdown, you might lack a timeout in the OpenSSH server config or the corresponding systemd package, so the session is not closed cleanly.

=== remedy 1: install libpam-systemd ===

Debian:

<code bash>apt install libpam-systemd dbus</code>

Check that you actually use the PAM module:

<file conf /etc/ssh/sshd_config>
UsePAM yes
</file>

=== remedy 2: enable sshd session cleanup ===

<code bash>
cp /usr/share/doc/openssh-client/examples/ssh-session-cleanup.service /etc/systemd/system/
systemctl enable ssh-session-cleanup.service
</code>

=== remedy 3: set a timeout in your client ===

<file - ~/.ssh/config>
Host *
    ServerAliveInterval 15
    ServerAliveCountMax 5
</file>

Last modified: 2024-07-05 14:31
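The two pipe directions from the Pipes section, combined into an added shell example (this is not code from the wiki page): a file is sent with the ''cat - > file'' pattern (local to remote) and its checksum is read back the other way (remote to local) to confirm the transfer arrived intact. The transport is a parameter: in real use it is ''ssh user@server'' (a placeholder host), while ''sh -c'' runs the very same pipeline locally for a dry run, since both take the remote command as a single string. Function names are constructed for the example; destination paths containing single quotes are not handled.

```shell
#!/bin/sh
# Added example, not from the wiki page. $transport is deliberately left
# unquoted so that "ssh user@server" (real use) or "sh -c" (local dry run)
# splits into command and arguments.

# local to remote:  cat local_file | ssh user@server 'cat - > remote_path'
#   $1 = local file, $2 = remote path, $3 = transport command
send_file_via_pipe() {
    transport=$3
    $transport "cat - > '$2'" < "$1"
}

# remote to local:  ssh user@server 'sha256sum remote_path' | cut ...
#   $1 = remote path, $2 = transport command; prints the hex digest
remote_checksum() {
    transport=$2
    $transport "sha256sum '$1'" | cut -d' ' -f1
}

#   $1 = local file; prints the hex digest
local_checksum() {
    sha256sum "$1" | cut -d' ' -f1
}

# Transfer and verify: succeed only if the remote copy hashes the same as the
# local original, which catches a truncated pipe or a wrong destination path.
#   $1 = local file, $2 = remote path, $3 = transport command
pipe_file_verified() {
    send_file_via_pipe "$1" "$2" "$3" || return 1
    expected=$(local_checksum "$1")
    [ -n "$expected" ] && [ "$expected" = "$(remote_checksum "$2" "$3")" ]
}

# Real use (placeholder host and paths):
#   pipe_file_verified ./backup.tar /srv/backups/backup.tar "ssh user@server"
```

The verification step is the reason to prefer this over a bare ''cat'' pipe: ''ssh'' exits with the remote command's status, but a partially written file after a dropped connection still looks like success to the shell unless the result is compared.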