Service config:
/etc/ssh/sshd_config
UseDNS no #To avoid DNS lookups, edit /etc/ssh/sshd_config and add this directive
To deny password authentication for non-root users set the following options:
PasswordAuthentication no
PubkeyAuthentication yes
RSAAuthentication yes
To deny root login:
PermitRootLogin no
To allow root login just for particular IPs:
PermitRootLogin yes
AllowUsers root@10.6.3.100 root@10.6.3.101 root@10.6.3.102
To deny (additionally) password authentication (in combination with "PasswordAuthentication no"):
ChallengeResponseAuthentication no
ssh -X -C 172.22.49.120 #Login with X11 forwarding (-X) and compression (-C)
ssh -XCl stream 172.22.49.113 #Login as user "stream" with X11 forwarding and compression
ssh -l root suse10
ssh root@suse10 #root = user, suse10 = host (or IP address)
Howto:
Generate private and public key (stored in ~/.ssh/) on server_A:
ssh-keygen -t rsa -b 4096 #Generate an "rsa" key pair. Note: there is also the "dsa" key type
Created files:
id_rsa #Private key. File location "/home/username/.ssh" or "/root/.ssh"
and
id_rsa.pub #Public key. File location "/home/username/.ssh" or "/root/.ssh"
To copy the public key ("id_rsa.pub") into authorized_keys on remoteHost ("/home/user/.ssh/authorized_keys"):
ssh-copy-id -i ~/.ssh/id_rsa.pub user@remoteHost
Note: "/home/user/.ssh/authorized_keys" will be created if it does not exist!
Copy the authorized_keys to remoteHost (explained in single manual steps):
Create a new file called
authorized_keys #Public key(s) allowed to log in. File location "/home/username/.ssh" or "/root/.ssh"
Copy the content of id_rsa.pub into authorized_keys (or append) with:
cat id_rsa.pub >> authorized_keys
Copy authorized_keys to server_B:
scp authorized_keys root@IP: #Lands in root's home directory on server_B
On server_B copy content of authorized_keys (from server_A) to ~/.ssh
cat authorized_keys > ~/.ssh/authorized_keys
or
cat authorized_keys >> ~/.ssh/authorized_keys
Access server_B from server_A via SSH
ssh server_B
or
ssh IP(server_B)
To copy the key at once:
ssh-copy-id -i ~/.ssh/id_rsa.pub user@remoteHost
ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub #Regenerate the public key from the private key (e.g. if id_rsa.pub was lost)
To limit ssh access to one host, prepend the following options to the key line in the "authorized_keys" file:
from="testhost.domain.local",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty
Example entry (public key included):
from="testhost.domain.local",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDyPW9iLLvMA4sfiDLDst6cLbrxQiw0xjFV+uZA+pnulcxotbyNzRDhi3PMjXce7V6WQSJ6izYFCN8Xv0w5HIju8BpPBob9d9VyU2wdFx+nCX3xFzlcquVUTR8WqzikbipLJF52nPLuemH5xBTZXgagnpX9ESZFhhYXol+MQuPC8+HW5xtCCN3+8D4K8GJiauL/0Uq0N9SfXK/0G8wBb28499F483ZnSm31DTTJq13iyiphtfwjqncW+H2mJKGoum8HoeQHx8ArfCtwelTKrXc7E/94ZFO/z7b0jPNXFH4jCZmq2/fjgwnO/nVPvfNbis4wxSomuihU7fA0ywxBferx root@testhost
Create the key files on a Windows client with PuTTY. Start "puttygen.exe" and generate the key.
The public and private key have to be saved to a folder.
Append the content of the public key file to:
/home/user/.ssh/authorized_keys #(via samba e.g.)
Note: always restart the sshd server after changing the configuration:
/etc/init.d/sshd restart
rcsshd restart
service sshd restart
or whatever your distribution provides
# ----------------------------------------------------------
# Machine 1
# ----------------------------------------------------------
$ cat free_hosts
IP=testtesttest
# ----------------------------------------------------------
# Machine 2
# ----------------------------------------------------------
$ . <(ssh machine1 cat free_hosts); echo "$IP"
testtesttest
. <(ssh 192.168.64.131 cat /root/somefile); echo "$IP" #Source a remote file into the local shell (bash process substitution). Note: the remote file's content is executed locally, so only source files you control
ssh user@IP sudo /scripts/linux_modify.sh #Execute "/scripts/linux_modify.sh" on the remote machine as a non-root user via sudo
ssh user@IP /scripts/linux_modify.sh #Execute "/scripts/linux_modify.sh" on the remote machine
ssh user@IP "sudo uname -a" #Execute the command "uname -a" on the remote machine as a non-root user via sudo
ssh user@IP "uname -a" #Execute the command "uname -a" on the remote machine
eval "$(ssh-agent -s)" #Start the agent and export its environment variables into the current shell (ssh-agent -s alone only prints them)
ssh-add ~/.ssh/id_rsa #Add the key (passphrase will be prompted)
Script:
#!/bin/bash
eval "$(ssh-agent -s)" && ssh-add ~/.ssh/id_rsa
ssh -L 4242:suse10.site:110 tmade@suse10.site #User tmade forwards connections coming in on port 4242 of his local host to port 110 (POP3) on the remote host suse10.site via the ssh tunnel (port forwarding)
ssh -o ProxyCommand="nc -X connect -x proxy_host_or_IP:port %h %p" username@hostname
ssh -o Port=2022 -o ProxyCommand="nc -X connect -x proxy_host_or_IP:port %h %p" username@hostname #with ssh on port 2022
Hint: the package "netcat-openbsd", which contains the program "nc", has to be installed!
To run an X11 program as root, if root login is not allowed:
sshd -t #Check the configuration file for syntax errors
sshd -T #Print the active (effective) directives
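As an added example (not part of these notes), a POSIX shell script that compares the effective directives printed by sshd -T with the hardening options listed at the top of this page; the two sample sshd -T outputs are constructed, and the keyword list EXPECTED is an assumption you can extend.

```shell
#!/bin/sh
# Audit the effective sshd configuration against the hardening options from these notes.
# Input is a file with the output of "sshd -T" (one "keyword value" per line, lowercase keywords),
# e.g. on a real host (as root):  sshd -T > /tmp/sshd_effective.conf

# Expected keyword/value pairs (added example; assumption, not from the original notes).
EXPECTED='usedns no
passwordauthentication no
pubkeyauthentication yes
permitrootlogin no
challengeresponseauthentication no'

# effective_value FILE KEYWORD -> prints the value sshd reports, empty if absent.
# Newer OpenSSH reports ChallengeResponseAuthentication as kbdinteractiveauthentication.
effective_value() {
    v=$(awk -v k="$2" '$1 == k { print $2; exit }' "$1")
    if [ -z "$v" ] && [ "$2" = "challengeresponseauthentication" ]; then
        v=$(awk '$1 == "kbdinteractiveauthentication" { print $2; exit }' "$1")
    fi
    printf '%s\n' "$v"
}

# check_sshd_config FILE: prints one line per deviation, returns 1 if any, else 0.
check_sshd_config() {
    deviations=0
    while read -r key want; do
        have=$(effective_value "$1" "$key")
        if [ "$have" != "$want" ]; then
            printf '%s: expected "%s", got "%s"\n' "$key" "$want" "${have:-<missing>}"
            deviations=$((deviations + 1))
        fi
    done <<EOF
$EXPECTED
EOF
    [ "$deviations" -eq 0 ]
}

# Constructed sample "sshd -T" outputs for demonstration (not real host output).
HARDENED_CFG=$(mktemp); WEAK_CFG=$(mktemp)
printf '%s\n' 'port 22' 'usedns no' 'passwordauthentication no' 'pubkeyauthentication yes' \
    'permitrootlogin no' 'kbdinteractiveauthentication no' > "$HARDENED_CFG"
printf '%s\n' 'port 22' 'usedns yes' 'passwordauthentication yes' 'pubkeyauthentication yes' \
    'permitrootlogin yes' 'challengeresponseauthentication no' > "$WEAK_CFG"

echo "hardened:"; check_sshd_config "$HARDENED_CFG" && echo "  OK"
echo "weak:";     check_sshd_config "$WEAK_CFG"     || echo "  needs fixing"
```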