From KevinWiki

Latest revision as of 09:29, 1 June 2013

Secure Shell (SSH)

Secure Shell (SSH) is a network protocol which transfers data using a secure channel between two networks.

Change Port Number

• Changing the port number for ssh can be one solution to ignore ssh brute force attack.
• Open /etc/ssh/sshd_config file and change the port number.

# Package generated configuration file
# See the sshd(8) manpage for details

# What ports, IPs and protocols we listen for
Port 22

e.g)
Port 1234

• and change the following lines

# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes

to like these lines below

# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes
AllowUsers username

Tunneling

-Creating a tunnel through ssh

$ ssh id@<remote machine address> -L <port number on local machine>:<local machine address>:<port on remote machine>

-To forward traffic from port 4881 on the local machine to port 8080 on the remote machine the IP of which is 192.168.0.10.

$ ssh id@192.168.0.10 -L 4881:localhost:8080

-To test a Java web application, running on tomcat server on a remote machine.

$ ssh id@remote.address -L 8080:localhost:8080

-To just forward a port, -N option can be used.

$ ssh id@192.168.0.10 -NL 4881:localhost:8080

-N      Do not execute a remote command.  This is useful for just forwarding ports (protocol version 2 only).

SCP

-Copy a file in the 'dir' directory on the remote machine to the directory 'home' on the local machine.

$ scp -pr username@remote_address:dir/file /home/

-p      Preserves modification times, access times, and modes from the original file.
-r      Recursively copy entire directories.

-Copy a file on the local machine to remote machine

$ scp -p localfile remote.address:dir

SSH Key

Generate RSA Key

$ mkdir ~/.ssh 
$ chmod 700 ~/.ssh 

$ ssh-keygen -t rsa 

• OR

$ ssh-keygen -t rsa -C "username@your.email.com" 

SSH Key Encryption Level

The default ssh key encryption level is 2048. To increase it to 4096

$ ssh-keygen -t rsa -b 4096

Transfer Client Key to Host

$ scp -P PORT_NUMBER ~/.ssh/id_rsa.pub user@hostname:.ssh/uploaded_key.pub 
$ ssh user@hostname.com "cat ~/.ssh/uploaded_key.pub >> ~/.ssh/authorized_keys" 

Or,

ssh-copy-id <username>@<host> 
ssh-copy-id -i ~/.ssh/rsa_file.pub <username>@<host> 

To specify the port number

ssh-copy-id -i ~/.ssh/rsa_file.pub "username@host -p 1234" 

If it fails with the following error message.

Received disconnect from 1.2.3.4: Too many authentication failures for user

Set -o PubkeyAuthentication=no option.

ssh-copy-id -i ~/.ssh/rsa_file.pub "username@host -p 1234 -o PubkeyAuthentication=no"

Set up to Use only SSH Key to Log in

Set up to use only ssh key instead of username and password to log in to the server

edit /etc/ssh/sshd_config

PermitRootLogin no
PasswordAuthentication no

e.g.)

# by Kevin (1 line)
PasswordAuthentication no

If logging in with SSH key fails with the following error message.

Agent admitted failure to sign using the key.

run ssh-add

$ ssh-add your-key 
Enter passphrase for your-key: 
Identity added: your-key (your-key)

Login without Using SSH Key

If SSH access failed with the following error,

$ ssh username@host 
ssh: connect to host kevin-l port 22: No route to host

try this.

$ ssh -o PubkeyAuthentication=no username@host

known_hosts

• Way to remove key from ~/.ssh/known_hosts

$ ssh-keygen -f "/home/USERNAME/.ssh/known_hosts" -R IP_ADDRESS 

e.g.)

$ ssh-keygen -f "/home/USERNAME/.ssh/known_hosts" -R 1.2.3.4 

Troubleshooting

SSH timed out too quickly

• Problem:
  • Accessing a server through SSH and use it.
  • don't use it for a short period of time (like less than 1 minute).
  • Then the server doesn't respond anymore.
• Possible Solution:
  • Edit /etc/ssh/ssh_config file. Add the following line.

    ServerAliveInterval 30

• The client will check if the server is still alive every 30 seconds.