Service config:

UseDNS no  #To avoid DNS lookups, edit /etc/ssh/sshd_config and add this directive

To deny password authentication for non-root users, set the following options:

PasswordAuthentication no
PubkeyAuthentication yes
RSAAuthentication yes  #SSH protocol 1 only; deprecated since OpenSSH 7.4

To deny root login:

PermitRootLogin no

To allow root login just for particular IPs:

PermitRootLogin yes
AllowUsers root@ root@ root@

To (additionally) deny password authentication (in combination with “PasswordAuthentication no”):

ChallengeResponseAuthentication no


ssh -X -c            #
ssh -XCl stream      #Login with "X" on X-Terminal
ssh -l root suse10
ssh root@suse10                    #root = user, suse10 = host (or IP address)

SSH KEY-Authentication


Generate the private and public key (stored in ~/.ssh/) on server_A

ssh-keygen -t rsa -b 4096                                                   #Generate "rsa" key file. Note: there is also "dsa" encryption

Created files:

id_rsa                                                                      #Private Key. File location "/home/username/.ssh" or "/root/.ssh"


id_rsa.pub                                                                  #Public Key. File location "/home/username/.ssh" or "/root/.ssh"

To copy the public key (“id_rsa.pub”) into authorized_keys on remoteHost (“/home/user/.ssh/authorized_keys”):

ssh-copy-id -i ~/.ssh/id_rsa.pub user@remoteHost

Note: “/home/user/.ssh/authorized_keys” will be created!

Copy the authorized_keys to remoteHost (explained in single manual steps):

Create a new file called

authorized_keys                                                             #Public Key. File location "/home/username/.ssh" or "/root/.ssh"

Copy the content of id_rsa.pub into authorized_keys (or append) with:

cat id_rsa.pub >> authorized_keys

Copy authorized_keys to server_B

scp authorized_keys root@IP:

On server_B copy content of authorized_keys (from server_A) to ~/.ssh

cat authorized_keys > ~/.ssh/authorized_keys      #Overwrite an existing file


cat authorized_keys >> ~/.ssh/authorized_keys     #Append to an existing file

Access server_B from server_A via SSH

ssh Server_B


ssh IP(server_B)

To copy the key at once:

ssh-copy-id -i ~/.ssh/id_rsa.pub user@remoteHost

Public Key from id_rsa

ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub


To limit ssh-access to one host add the following code to the “authorized_keys” file:


Example entry (public key included):

from="testhost.domain.local",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDyPW9iLLvMA4sfiDLDst6cLbrxQiw0xjFV+uZA+pnulcxotbyNzRDhi3PMjXce7V6WQSJ6izYFCN8Xv0w5HIju8BpPBob9d9VyU2wdFx+nCX3xFzlcquVUTR8WqzikbipLJF52nPLuemH5xBTZXgagnpX9ESZFhhYXol+MQuPC8+HW5xtCCN3+8D4K8GJiauL/0Uq0N9SfXK/0G8wBb28499F483ZnSm31DTTJq13iyiphtfwjqncW+H2mJKGoum8HoeQHx8ArfCtwelTKrXc7E/94ZFO/z7b0jPNXFH4jCZmq2/fjgwnO/nVPvfNbis4wxSomuihU7fA0ywxBferx root@testhost
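An added example (not part of the original page) that lists the authorized_keys entries lacking the restrictions shown in the entry above. It also accepts the `restrict` option (OpenSSH 7.2 and later) in place of the individual no-* options, which goes beyond the page's example; the sample file and its key material are constructed placeholders.

```shell
#!/bin/sh
# audit_authorized_keys: read authorized_keys content on stdin and print
# "line N: <missing options>" for every key that lacks from= or the
# forwarding/pty restrictions. Fully restricted keys produce no output.
audit_authorized_keys() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        {
            line = $0
            # Blank out quoted values so spaces inside them do not split fields
            # (escaped quotes inside a value are not handled here)
            gsub(/"[^"]*"/, "\"\"", line)
            split(line, f, " ")
            opts = f[1]
            # A line that starts with a key type has no options field at all
            if (opts ~ /^(ssh-|ecdsa-|sk-)/) opts = ""
            opts = "," tolower(opts) ","
            missing = ""
            if (opts !~ /,from=/) missing = missing " from="
            if (opts !~ /,restrict,/) {
                n = split("no-port-forwarding no-x11-forwarding no-agent-forwarding no-pty", req, " ")
                for (i = 1; i <= n; i++)
                    if (index(opts, "," req[i] ",") == 0) missing = missing " " req[i]
            }
            if (missing != "") printf "line %d:%s\n", NR, missing
        }'
}

# Constructed sample file; the key material is placeholder text.
SAMPLE_KEYS='# constructed sample
from="testhost.domain.local",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3PLACEHOLDER root@testhost
ssh-rsa AAAAB3PLACEHOLDER user@laptop
from="10.0.0.5",restrict ssh-ed25519 AAAAC3PLACEHOLDER backup@host
command="/usr/bin/rsync --server",no-pty ssh-rsa AAAAB3PLACEHOLDER sync@host'

printf '%s\n' "$SAMPLE_KEYS" | audit_authorized_keys
# On a real host: audit_authorized_keys < ~/.ssh/authorized_keys
```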

SSH Authentication from Windows -> Linux

Create the key files on a Windows client with PuTTY. Start “puttygen.exe” and generate the key.

The public and private keys have to be saved to a folder.

Append the content of the public file to:

/home/user/.ssh/authorized_keys                                             #(via samba e.g.)

Note: always restart the sshd server:

/etc/init.d/sshd restart
rcsshd restart
service sshd restart

or the equivalent for your distribution

ssh remote

# ----------------------------------------------------------
# Machine 1
# ----------------------------------------------------------

$ cat free_hosts

# ----------------------------------------------------------
# Machine 2
# ----------------------------------------------------------

$ . <(ssh machine1 cat free_hosts); echo "$IP"
. <(ssh cat /root/somefile); echo "$IP" 
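Sourcing the output of a remote command with `.` runs every line of the remote file in the local shell. The added example below (not part of the original page) reads a single `NAME=value` line as data instead; the function name `get_var`, the allowed character set and the sample file content are assumptions made for illustration.

```shell
#!/bin/sh
# get_var NAME: read "NAME=value" lines on stdin and print the value of NAME.
# Returns 1 if NAME is absent, empty, or contains characters outside the
# allow-list (letters, digits, ".", "_", ":", "-"), so nothing from the
# remote side is ever expanded or executed by the local shell.
get_var() {
    want=$1
    while IFS= read -r line; do
        case $line in
            "$want="*) ;;          # the assignment we are looking for
            *) continue ;;         # comments, other variables, anything else
        esac
        value=${line#*=}
        case $value in
            ''|*[!A-Za-z0-9._:-]*) return 1 ;;
        esac
        printf '%s\n' "$value"
        return 0
    done
    return 1
}

# Constructed stand-in for the content of free_hosts on machine1.
REMOTE_SAMPLE='# constructed content of free_hosts
IP=192.0.2.10
NEXT=$(id)'

# Real use would be: IP=$(ssh machine1 cat free_hosts | get_var IP)
IP=$(printf '%s\n' "$REMOTE_SAMPLE" | get_var IP) && echo "$IP"
```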

ssh + script/ command

ssh user@IP sudo /scripts/linux_modify.sh   #Execute "/scripts/linux_modify.sh" on remote machine with non-root privileges (sudo)
ssh user@IP /scripts/linux_modify.sh        #Execute "/scripts/linux_modify.sh" on remote machine 
ssh user@IP "sudo uname -a"                 #Execute command "uname -a" on remote machine with non-root privileges (sudo)
ssh user@IP "uname -a"                      #Execute command "uname -a" on remote machine 


eval "$(ssh-agent -s)"                      #Start the agent and load its environment variables into the current shell
ssh-add ~/.ssh/id_rsa                       #Add the key (passphrase will be prompted)


eval "$(ssh-agent -s)" && ssh-add ~/.ssh/id_rsa

ssh Tunnel

ssh -L 4242:suse10.site:110 tmade@suse10.site    #User tmade forwards connections coming in on port 4242 of his local host to port 110 (POP3) on the remote host suse10 via an ssh tunnel (port forwarding)

ssh over Proxy

ssh -o ProxyCommand="nc -X connect -x proxy_host_or_IP:port %h %p" username@hostname
ssh -o PORT=2022 -o ProxyCommand="nc -X connect -x proxy_host_or_IP:port %h %p" username@hostname              #with ssh port 2022

Hint: The package “netcat-openbsd”, which contains the program “nc”, has to be installed!


To run an X11 program as root if root login is not allowed:

  • Log in with your normal user (don't execute “sudo su -” during login)
  • xauth -f ~/.Xauthority extract /tmp/Xauthtmp :10
  • Start an external X server (such as Xming)
  • sudo su -
  • xauth merge /tmp/Xauthtmp
  • export DISPLAY=localhost:10.0
  • xclock (or another X program)

Check ssh-config

sshd -t                       #command to check for syntax errors in your configuration file
sshd -T                       #output active directives
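An added example (not part of the original page) that compares the effective settings printed by `sshd -T` with the values recommended in the service config section above. The function name `audit_sshd` and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Expected values follow the directives recommended on this page, written in
# the lowercase form that "sshd -T" prints. Newer OpenSSH releases print
# kbdinteractiveauthentication in place of challengeresponseauthentication.
EXPECTED='passwordauthentication=no pubkeyauthentication=yes permitrootlogin=no challengeresponseauthentication=no kbdinteractiveauthentication=no'

# audit_sshd: read "sshd -T" style lines (keyword value) on stdin and print
# one line per keyword whose effective value differs from EXPECTED.
# Keywords missing from the input are skipped, not reported.
audit_sshd() {
    awk -v expected="$EXPECTED" '
        BEGIN {
            n = split(expected, pairs, " ")
            for (i = 1; i <= n; i++) {
                split(pairs[i], kv, "=")
                order[i] = kv[1]
                want[kv[1]] = kv[2]
            }
        }
        { key = tolower($1); if (key in want) got[key] = tolower($2) }
        END {
            for (i = 1; i <= n; i++) {
                k = order[i]
                if ((k in got) && got[k] != want[k])
                    printf "%s: got %s, want %s\n", k, got[k], want[k]
            }
        }'
}

# Constructed sample of "sshd -T" output (not taken from a real host).
SAMPLE_EFFECTIVE='port 22
permitrootlogin yes
passwordauthentication no
pubkeyauthentication yes
kbdinteractiveauthentication yes
usedns no'

printf '%s\n' "$SAMPLE_EFFECTIVE" | audit_sshd
# On a real host, as root: sshd -T | audit_sshd
```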
linux/ssh.txt · Last modified: 2021/10/18 09:04 by tmade
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 4.0 International