Secure Shell
From KevinWiki
Diff for this revision (section "Transfer Client Key to Host", from line 86; lines marked - are the previous revision, lines marked + are this revision):

  Or,
-   ssh-copy-id <username>@<host>
+   ssh-copy-id <username>@<host>
-   ssh-copy-id -i ~/.ssh/rsa_file.pub <username>@<host>
+   ssh-copy-id -i ~/.ssh/rsa_file.pub <username>@<host>
  To specify the port number
-   ssh-copy-id -i ~/.ssh/rsa_file.pub "username@
+   ssh-copy-id -i ~/.ssh/rsa_file.pub "username@host -p 1234"
  If it fails with the following error message.
    Received disconnect from 1.2.3.4: Too many authentication failures for user
  Set -o PubkeyAuthentication=no option.
-   ssh-copy-id -i ~/.ssh/rsa_file.pub "username@
+   ssh-copy-id -i ~/.ssh/rsa_file.pub "username@host -p 1234 -o PubkeyAuthentication=no"
  === Set up to Use only SSH Key to Log in ===
Revision as of 17:25, 28 March 2013
Secure Shell (SSH)
Secure Shell (SSH) is a network protocol that transfers data over a secure channel between two networked hosts.
Change Port Number
- Changing the port number that ssh listens on is one way to reduce the noise from ssh brute force attacks (it does not stop a determined attacker, so combine it with the authentication settings below).
- Open the /etc/ssh/sshd_config file and change the port number.
# Package generated configuration file
# See the sshd(8) manpage for details
# What ports, IPs and protocols we listen for
Port 22
e.g.)
Port 1234
- and change the following lines in the Authentication section
# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
to the lines below (root login disabled, and only the listed user allowed to log in)
# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes
AllowUsers username
Tunneling
-Creating a tunnel (local port forward) through ssh; the destination host and port are resolved from the remote machine's point of view
$ ssh id@<remote machine address> -L <port number on local machine>:<destination host as seen from the remote machine>:<port on the destination host>
-To forward traffic from port 4881 on the local machine to port 8080 on the remote machine, whose IP is 192.168.0.10:
$ ssh id@192.168.0.10 -L 4881:localhost:8080
-To test a Java web application running on a Tomcat server on a remote machine (local port 8080 is forwarded to port 8080 on the remote machine):
$ ssh id@remote.address -L 8080:localhost:8080
-To just forward a port without opening a remote shell, the -N option can be used.
$ ssh id@192.168.0.10 -NL 4881:localhost:8080
-N: Do not execute a remote command. This is useful for just forwarding ports (protocol version 2 only).
SCP
-Copy a file from the 'dir' directory on the remote machine to the /home/ directory on the local machine.
$ scp -pr username@remote_address:dir/file /home/
-p: Preserves modification times, access times, and modes from the original file.
-r: Recursively copy entire directories.
-Copy a file from the local machine to the remote machine
$ scp -p localfile remote.address:dir
SSH Key
Generate RSA Key
$ mkdir ~/.ssh
$ chmod 700 ~/.ssh
$ ssh-keygen -t rsa
SSH Key Encryption Level
The default RSA key size is 2048 bits. To increase it to 4096 bits:
$ ssh-keygen -t rsa -b 4096
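The key generation above, as an added example that is not part of the wiki page: it generates the 4096-bit RSA key non-interactively into a scratch directory and then reads the bit length back from the key's own fingerprint line, which is the quick check that the -b option actually took effect. It assumes OpenSSH's ssh-keygen is installed; the directory and comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the wiki page): generate a 4096-bit RSA key unattended
# and confirm the size from `ssh-keygen -l`. Assumes OpenSSH's ssh-keygen.

# gen_rsa_key DIR BITS: creates DIR/id_rsa and DIR/id_rsa.pub.
# -N "" (empty passphrase) is only for this unattended demo; a real key
# should get a passphrase, which is what the interactive prompt asks for.
gen_rsa_key() {
  dir=$1; bits=$2
  mkdir -p "$dir" && chmod 700 "$dir"          # same 700 the page sets on ~/.ssh
  ssh-keygen -q -t rsa -b "$bits" -N "" -C "example@constructed" -f "$dir/id_rsa"
}

# key_bits PUBKEY_FILE: prints the bit length, the first field of the
# fingerprint line ("4096 SHA256:... comment (RSA)")
key_bits() {
  ssh-keygen -l -f "$1" | awk '{print $1}'
}

# Stand-alone demo in a scratch directory (placeholder path, removed afterwards)
if command -v ssh-keygen >/dev/null 2>&1; then
  work=$(mktemp -d)
  gen_rsa_key "$work/keys" 4096
  echo "generated an RSA key of $(key_bits "$work/keys/id_rsa.pub") bits"
  rm -rf "$work"
else
  echo "ssh-keygen not found; install OpenSSH client tools first"
fi
```

The private key file is created by ssh-keygen with mode 600; keep it that way, since ssh refuses to use a private key that other users can read.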
Transfer Client Key to Host
$ scp -P PORT_NUMBER ~/.ssh/id_rsa.pub user@hostname:.ssh/uploaded_key.pub
$ ssh user@hostname.com "cat ~/.ssh/uploaded_key.pub >> ~/.ssh/authorized_keys"
Or,
ssh-copy-id <username>@<host>
ssh-copy-id -i ~/.ssh/rsa_file.pub <username>@<host>
To specify the port number
ssh-copy-id -i ~/.ssh/rsa_file.pub "username@host -p 1234"
If it fails with the following error message (the client offered every key in its agent before reaching the password prompt),
Received disconnect from 1.2.3.4: Too many authentication failures for user
set the -o PubkeyAuthentication=no option so that the copy itself authenticates with the password.
ssh-copy-id -i ~/.ssh/rsa_file.pub "username@host -p 1234 -o PubkeyAuthentication=no"
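What the two transfer methods above do on the server side, as an added example that is not part of the wiki page: the key line is appended to ~/.ssh/authorized_keys only if the same key (type and key blob, ignoring the trailing comment) is not already there, and the permissions that sshd's StrictModes requires are enforced on the way. The public key line is a constructed placeholder, not a real key, and the home directory path is whatever you pass in.

```shell
#!/bin/sh
# Added example (not from the wiki page): the remote half of ssh-copy-id, written
# out so the permission and duplicate handling is visible. POSIX sh only.

# CONSTRUCTED placeholder public key line; the blob is not real key material.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialPlaceholder00000000000 kevin@client'

# install_pubkey HOME_DIR "KEY_LINE"
# Appends KEY_LINE to HOME_DIR/.ssh/authorized_keys unless a line with the same
# key type and blob already exists, and sets 700 on .ssh and 600 on the file
# (sshd with StrictModes yes ignores keys in a group/world-writable location).
install_pubkey() {
  home=$1; key=$2
  sshdir="$home/.ssh"; akf="$sshdir/authorized_keys"
  mkdir -p "$sshdir" && chmod 700 "$sshdir"
  [ -f "$akf" ] || : > "$akf"
  chmod 600 "$akf"
  # Compare on "type blob" only: the comment at the end may legitimately differ
  keyid=$(printf '%s\n' "$key" | awk '{print $1, $2}')
  if awk -v id="$keyid" '($1 " " $2) == id {found=1} END {exit !found}' "$akf"; then
    echo "key already present in $akf, nothing to do"
    return 0
  fi
  printf '%s\n' "$key" >> "$akf"
  echo "key appended to $akf"
}

# count_key_lines HOME_DIR: number of key entries (shows the call is idempotent)
count_key_lines() {
  grep -Ec '^(ssh-|ecdsa-)' "$1/.ssh/authorized_keys"
}

# Stand-alone demo against a scratch home directory (placeholder, removed afterwards)
work=$(mktemp -d)
install_pubkey "$work" "$SAMPLE_PUBKEY"
install_pubkey "$work" "$SAMPLE_PUBKEY"        # second call is a no-op
echo "authorized_keys entries: $(count_key_lines "$work")"
ls -ld "$work/.ssh" "$work/.ssh/authorized_keys"
rm -rf "$work"
```

Run it as the target user (or via sudo -u) so that the files end up owned by that user; sshd also rejects an authorized_keys file owned by someone else.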
Set up to Use only SSH Key to Log in
To allow log in to the server only with an ssh key, never with a username and password,
edit /etc/ssh/sshd_config and set
PermitRootLogin no
PasswordAuthentication no
e.g.)
# by Kevin (1 line)
PasswordAuthentication no
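The sshd_config edits from the "Change Port Number" section and from this section, as an added example that is not part of the wiki page: it rewrites the directives on a copy of the file (replacing an existing active or commented-out line, appending when the directive is absent) and then audits the result, so you can see that the port was changed, root login and password authentication are off, and AllowUsers is set before the copy is put into place. The sample sshd_config, the port 1234 and the user name are constructed placeholders; the script matches directive names in the canonical case shown on the page.

```shell
#!/bin/sh
# Added example (not from the wiki page): harden a COPY of sshd_config and audit it.
# POSIX sh with grep/sed/awk; nothing here touches the live /etc/ssh/sshd_config.

# CONSTRUCTED sample config, modelled on the lines the page shows
SAMPLE_CONFIG='# Package generated configuration file
# See the sshd(8) manpage for details
# What ports, IPs and protocols we listen for
Port 22
# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
#PasswordAuthentication yes
'

# set_directive FILE NAME VALUE
# Replace every "NAME ..." or "#NAME ..." line with "NAME VALUE"; append if absent.
# sshd honours the FIRST occurrence of a directive, so appending alone is not enough
# when an active line already exists higher up.
set_directive() {
  file=$1; name=$2; value=$3
  if grep -Eq "^[[:space:]]*#?[[:space:]]*$name([[:space:]]|$)" "$file"; then
    sed -E "s/^[[:space:]]*#?[[:space:]]*$name([[:space:]].*)?$/$name $value/" "$file" > "$file.tmp" \
      && mv "$file.tmp" "$file"
  else
    printf '%s %s\n' "$name" "$value" >> "$file"
  fi
}

# harden_sshd_config SRC DST PORT USER: write the hardened copy of SRC to DST
harden_sshd_config() {
  src=$1; dst=$2; port=$3; user=$4
  cp "$src" "$dst"
  set_directive "$dst" Port "$port"                  # Change Port Number section
  set_directive "$dst" PermitRootLogin no
  set_directive "$dst" StrictModes yes
  set_directive "$dst" AllowUsers "$user"
  set_directive "$dst" PasswordAuthentication no     # key-only login section
}

# get_directive FILE NAME: print the effective value (first active match)
get_directive() {
  awk -v n="$2" 'tolower($1) == tolower(n) { print $2; exit }' "$1"
}

# audit_sshd_config FILE: 0 if every recommended directive has the expected value
audit_sshd_config() {
  f=$1; rc=0
  [ "$(get_directive "$f" Port)" != "22" ]                  || { echo "Port is still 22"; rc=1; }
  [ "$(get_directive "$f" PermitRootLogin)" = "no" ]        || { echo "PermitRootLogin is not no"; rc=1; }
  [ "$(get_directive "$f" StrictModes)" = "yes" ]           || { echo "StrictModes is not yes"; rc=1; }
  [ -n "$(get_directive "$f" AllowUsers)" ]                 || { echo "AllowUsers is not set"; rc=1; }
  [ "$(get_directive "$f" PasswordAuthentication)" = "no" ] || { echo "PasswordAuthentication is not no"; rc=1; }
  return $rc
}

# Stand-alone demo in a scratch directory (placeholder paths, removed afterwards)
work=$(mktemp -d)
printf '%s' "$SAMPLE_CONFIG" > "$work/sshd_config"
echo "audit of the original:"; audit_sshd_config "$work/sshd_config"
harden_sshd_config "$work/sshd_config" "$work/sshd_config.new" 1234 username
echo "audit of the hardened copy:"
audit_sshd_config "$work/sshd_config.new" && echo "all recommended settings present"
# On a real host: run `sshd -t -f "$work/sshd_config.new"` to syntax-check the copy,
# install it, and keep your current session open while restarting sshd.
rm -rf "$work"
```

Keep an existing session open while you restart sshd and test the new port and key login from a second terminal; with PasswordAuthentication no and AllowUsers set, a typo in the user name or a missing authorized_keys entry locks you out otherwise.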
Login without Using SSH Key
If SSH access fails with the following error,
$ ssh username@host
ssh: connect to host kevin-l port 22: No route to host
try this (skip public key authentication and fall back to the password):
$ ssh -o PubkeyAuthentication=no username@host

