[[http://tmade.de|Home tmade.de]]

[[http://wiki.tmade.de|Home Wiki]]

===== SSH =====

==== SSHD ====

Service config:

  /etc/ssh/sshd_config

  UseDNS no  #To avoid dns lookup edit /etc/ssh/sshd_conf and add the command
  
To deny password-authentification for non-root-users set the following options:
  
  PasswordAuthentication no
  PubkeyAuthentication yes
  RSAAuthentication yes
  
To deny root login:

  PermitRootLogin no

To allow root-login just for particular IP´s:

  PermitRootLogin yes
  AllowUsers root@10.6.3.100 root@10.6.3.101 root@10.6.3.102

To deny (additionally) password authentification (in combination with "PasswordAuthentication no"):

  ChallengeResponseAuthentication no
==== Login =====

  ssh -X -c 172.22.49.120            #
  ssh -XCl stream 172.22.49.113      #Login with "X" on X-Terminal
  ssh -l root suse10
  ssh root@suse10                    #root = user, suse10 = host (or IP Adress)
  
==== SSH KEY-Authentication ====
Howto:

Generate private and public key (stored in ~/.ssh/) on the server_A
  ssh-keygen -t rsa -b 4096                                                   #Generate "rsa" Keyfile. Note: there is also "dsa" encrytion
Created files:
  id_rsa                                                                      #File location "/home/username/.ssh" or "/root/.ssh"
and
  id_rsa.pub                                                                  #Private Key. File location "/home/username/.ssh" or "/root/.ssh"
  
To copy the authorized_keys (contains "id_rsa.pub") to remoteHost ("/home/user/.ssh/authorized_keys"):

  ssh-copy-id –i ~/.ssh/id_rsa.pub user@remoteHost
  
 **Note: "/home/user/.ssh/authorized_keys" will be created!**

\\

  
Copy the authorized_keys to remoteHost (explained in single manual steps):
  
Create a new file called 
  authorized_keys                                                             #Public Key. File location "/home/username/.ssh" or "/root/.ssh"
Copy the content of id_rsa.pub into authorized_keys (or append) with:
  cat id_rsa.pub >> authorized_keys
Copy authorized_keys to server_B
  scp authorized_keys root@IP:
On server_B copy content of authorized_keys (from server_A) to ~/.ssh
  cat authorized_keys > ~/.ssh/authorized_keys
or 
  cat authorized_keys >> ~/.ssh/authorized_keys
Access server_B from server_A via SSH
  ssh Server_B
or
  ssh IP(server_B)
  
To copy the key at once:

  ssh-copy-id –i ~/.ssh/id_rsa.pub user@remoteHost

==== Public Key from id_rsa ====

  ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub
  
==== "authorized_keys" ====  
To limit ssh-access to one host add the following code to the "authorized_keys" file:

  from="testhost.domain.local",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty
  
Example entry (private key inclusive):
  
<code>
from="testhost.domain.local",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDyPW9iLLvMA4sfiDLDst6cLbrxQiw0xjFV+uZA+pnulcxotbyNzRDhi3PMjXce7V6WQSJ6izYFCN8Xv0w5HIju8BpPBob9d9VyU2wdFx+nCX3xFzlcquVUTR8WqzikbipLJF52nPLuemH5xBTZXgagnpX9ESZFhhYXol+MQuPC8+HW5xtCCN3+8D4K8GJiauL/0Uq0N9SfXK/0G8wBb28499F483ZnSm31DTTJq13iyiphtfwjqncW+H2mJKGoum8HoeQHx8ArfCtwelTKrXc7E/94ZFO/z7b0jPNXFH4jCZmq2/fjgwnO/nVPvfNbis4wxSomuihU7fA0ywxBferx root@testhost
</code> 
==== SSH Authentication from Windows -> Linux ====

Create the key-files on a windows client with putty. Start "puttygen.exe" and generate the key. 

The public and private key has to be saved to a folder.

Append the content of the public file to:
  /home/user/.ssh/authorized_keys                                             #(via samba e.g.)

Note: always restart the sshd server:
  /etc/init.d/sshd restart
  rcsshd restart
  service sshd restart
or other distributed way

==== ssh remote ====

<code>
# ----------------------------------------------------------
# Machine 1
# ----------------------------------------------------------

$ cat free_hosts
IP=testtesttest

# ----------------------------------------------------------
# Machine 2
# ----------------------------------------------------------

$ . <(ssh machine1 cat free_hosts); echo "$IP"
testtesttest
</code>

  . <(ssh 192.168.64.131 cat /root/somefile); echo "$IP" 
  
==== ssh + script/ command ====

  ssh user@IP sudo /scripts/linux_modify.sh   #Execute "/scripts/linux_modify.sh" on remote machine with non root priveleagues (sudo)
  ssh user@IP /scripts/linux_modify.sh        #Execute "/scripts/linux_modify.sh" on remote machine 
  ssh user@IP "sudo uname -a"                 #Execute command "uname -a" on remote machine with non root priveleagues (sudo)
  ssh user@IP "uname -a"                      #Execute command "uname -a" on remote machine 
  
==== ssh-agent ====

  ssh-agent -s                                #Start the agent
  ssh-add ~/.ssh/id_rsa                       #Add the key (passphrase will be promted)

Script:

<code>
#!/bin/bash
ssh-agent -s && ssh-add ~/.ssh/id_rsa
</code>
==== ssh Tunnel ====
  ssh -L 4242:suse10.site:110tmade@suse10.site		#user tmade forwards the connection comming in on port 4242 of his local host suse10 to port 110(POP3) on the remote host suse10 via ssh tunnel (port forwarding)
  
====ssh over Proxy ====

  ssh -o ProxyCommand="nc -X connect -x proxy_host_or_IP:port %h %p" username@hostname
  ssh -o PORT=2022 -o ProxyCommand="nc -X connect -x proxy_host_or_IP:port %h %p" username@hostname              #with ssh port 2022

**Hint**: Package "netcat-openbsd" which contains the programm "nc" has to been installed!
  
==== X11 ====

To run a X11-Programm with root, if root-login is not allowed:

  *Login with your normal user (don´t execute "sudo su -" during login)
  *xauth -f ~/.Xauthority extract /tmp/Xauthtmp :10
  *Start an external X-Server (such as Xming)
  *sudo su -
  *xauth merge /tmp/Xauthtmp
  *export DISPLAY=localhost:10.0
  *xclock (or another X-Programm)

====Check ssh-config====

  sshd -t                       #command to check for syntax errors in your configuration file
  sshd -T                       #output active directives