Secure Shell
From KevinWiki
(→Transfer Client Key to Host) |
(→Generate RSA Key) |
||
(5 intermediate revisions not shown) | |||
Line 73: | Line 73: | ||
=== Generate RSA Key === | === Generate RSA Key === | ||
- | + | <pre> | |
- | + | $ mkdir ~/.ssh | |
- | + | $ chmod 700 ~/.ssh | |
+ | </pre> | ||
+ | <pre> | ||
+ | $ ssh-keygen -t rsa | ||
+ | </pre> | ||
+ | * OR | ||
+ | <pre> | ||
+ | $ ssh-keygen -t rsa -C "username@your.email.com" | ||
+ | </pre> | ||
=== SSH Key Encryption Level === | === SSH Key Encryption Level === | ||
Line 108: | Line 116: | ||
# by Kevin (1 line) | # by Kevin (1 line) | ||
PasswordAuthentication no | PasswordAuthentication no | ||
+ | |||
+ | If logging in with SSH key fails with the following error message. | ||
+ | Agent admitted failure to sign using the key. | ||
+ | |||
+ | run <code>ssh-add</code> | ||
+ | <pre> | ||
+ | $ ssh-add your-key | ||
+ | Enter passphrase for your-key: | ||
+ | Identity added: your-key (your-key) | ||
+ | </pre> | ||
=== Login without Using SSH Key === | === Login without Using SSH Key === | ||
Line 115: | Line 133: | ||
try this. | try this. | ||
$ ssh -o PubkeyAuthentication=no username@host | $ ssh -o PubkeyAuthentication=no username@host | ||
+ | |||
+ | |||
+ | == known_hosts == | ||
+ | * Way to remove key from ~/.ssh/known_hosts | ||
+ | <pre> | ||
+ | $ ssh-keygen -f "/home/USERNAME/.ssh/known_hosts" -R IP_ADDRESS | ||
+ | </pre> | ||
+ | e.g.) | ||
+ | <pre> | ||
+ | $ ssh-keygen -f "/home/USERNAME/.ssh/known_hosts" -R 1.2.3.4 | ||
+ | </pre> | ||
+ | |||
+ | |||
+ | = Troubleshooting = | ||
+ | == SSH timed out too quickly == | ||
+ | *Problem: | ||
+ | ** Accessing a server through SSH and use it. | ||
+ | ** don't use it for a short period of time (like less than 1 minute). | ||
+ | ** Then the server doesn't respond anymore. | ||
+ | * Possible Solution: | ||
+ | ** Edit <code>/etc/ssh/ssh_config</code> file. Add the following line. | ||
+ | <pre> | ||
+ | ServerAliveInterval 30 | ||
+ | </pre> | ||
+ | * The client will check if the server is still alive every 30 seconds. |
Latest revision as of 09:29, 1 June 2013
Contents |
Secure Shell (SSH)
Secure Shell (SSH) is a network protocol which transfers data using a secure channel between two networks.
Change Port Number
- Changing the port number for ssh can be one solution to ignore ssh brute force attack.
- Open
/etc/ssh/sshd_config
file and change the port number.
# Package generated configuration file
# See the sshd(8) manpage for details
# What ports, IPs and protocols we listen for
Port 22
e.g)
Port 1234
- and change the following lines
# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
to like these lines below
# Authentication: LoginGraceTime 120 PermitRootLogin no StrictModes yes AllowUsers username
Tunneling
-Creating a tunnel through ssh
$ ssh id@<remote machine address> -L <port number on local machine>:<local machine address>:<port on remote machine>
-To forward traffic from port 4881 on the local machine to port 8080 on the remote machine the IP of which is 192.168.0.10.
$ ssh id@192.168.0.10 -L 4881:localhost:8080
-To test a Java web application, running on tomcat server on a remote machine.
$ ssh id@remote.address -L 8080:localhost:8080
-To just forward a port, -N
option can be used.
$ ssh id@192.168.0.10 -NL 4881:localhost:8080
-N Do not execute a remote command. This is useful for just forwarding ports (protocol version 2 only).
SCP
-Copy a file in the 'dir' directory on the remote machine to the directory 'home' on the local machine.
$ scp -pr username@remote_address:dir/file /home/
-p Preserves modification times, access times, and modes from the original file. -r Recursively copy entire directories.
-Copy a file on the local machine to remote machine
$ scp -p localfile remote.address:dir
SSH Key
Generate RSA Key
$ mkdir ~/.ssh $ chmod 700 ~/.ssh
$ ssh-keygen -t rsa
- OR
$ ssh-keygen -t rsa -C "username@your.email.com"
SSH Key Encryption Level
The default ssh key encryption level is 2048. To increase it to 4096
$ ssh-keygen -t rsa -b 4096
Transfer Client Key to Host
$ scp -P PORT_NUMBER ~/.ssh/id_rsa.pub user@hostname:.ssh/uploaded_key.pub $ ssh user@hostname.com "cat ~/.ssh/uploaded_key.pub >> ~/.ssh/authorized_keys"
Or,
ssh-copy-id <username>@<host> ssh-copy-id -i ~/.ssh/rsa_file.pub <username>@<host>
To specify the port number
ssh-copy-id -i ~/.ssh/rsa_file.pub "username@host -p 1234"
If it fails with the following error message.
Received disconnect from 1.2.3.4: Too many authentication failures for user
Set -o PubkeyAuthentication=no
option.
ssh-copy-id -i ~/.ssh/rsa_file.pub "username@host -p 1234 -o PubkeyAuthentication=no"
Set up to Use only SSH Key to Log in
Set up to use only ssh key instead of username and password to log in to the server
edit /etc/ssh/sshd_config
PermitRootLogin no PasswordAuthentication no
e.g.)
# by Kevin (1 line) PasswordAuthentication no
If logging in with SSH key fails with the following error message.
Agent admitted failure to sign using the key.
run ssh-add
$ ssh-add your-key Enter passphrase for your-key: Identity added: your-key (your-key)
Login without Using SSH Key
If SSH access failed with the following error,
$ ssh username@host ssh: connect to host kevin-l port 22: No route to host
try this.
$ ssh -o PubkeyAuthentication=no username@host
known_hosts
- Way to remove key from ~/.ssh/known_hosts
$ ssh-keygen -f "/home/USERNAME/.ssh/known_hosts" -R IP_ADDRESS
e.g.)
$ ssh-keygen -f "/home/USERNAME/.ssh/known_hosts" -R 1.2.3.4
Troubleshooting
SSH timed out too quickly
- Problem:
- Accessing a server through SSH and use it.
- don't use it for a short period of time (like less than 1 minute).
- Then the server doesn't respond anymore.
- Possible Solution:
- Edit
/etc/ssh/ssh_config
file. Add the following line.
- Edit
ServerAliveInterval 30
- The client will check if the server is still alive every 30 seconds.