Secure Shell

From KevinWiki


Latest revision as of 09:29, 1 June 2013


Secure Shell (SSH)

Secure Shell (SSH) is a network protocol for using services securely over an untrusted network. It sets up an encrypted and authenticated channel between a client and a server (two hosts, not two networks) and carries a remote shell, single commands, file transfers (scp/sftp) and forwarded ports over that channel.

Change Port Number

  • Moving sshd off port 22 cuts down the noise from automated brute-force scanners, but it is obscurity rather than security: a port scan finds the new port in seconds. Treat it as a complement to the key-only login and root-login restrictions below (and to rate limiting such as fail2ban), not as a replacement for them.
  • Open the /etc/ssh/sshd_config file and change the port number.
# Package generated configuration file
# See the sshd(8) manpage for details

# What ports, IPs and protocols we listen for
Port 22
e.g)
Port 1234
  • and change the following lines
# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes

to like these lines below

# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes
AllowUsers username
  • AllowUsers is a whitelist: once it is present, every account not listed (root included) is refused, so list every user who needs SSH access, separated by spaces.
  • sshd uses the first value it finds for a directive, so make sure no earlier active Port or PermitRootLogin line remains in the file, and keep these lines above any Match block.
  • Before restarting sshd, check the file with `sshd -t`, open the new port in the host firewall (on SELinux systems also `semanage port -a -t ssh_port_t -p tcp 1234`), and keep your current session open while you test the new settings from a second terminal so a mistake does not lock you out.


Tunneling

-Creating a tunnel (local port forward) through ssh

$ ssh id@<remote machine address> -L <port on local machine>:<destination host>:<destination port>

The full syntax is -L [bind_address:]port:host:hostport. The destination host:hostport is resolved by the remote machine, not by the local one, so localhost here means the remote machine itself. Connections to the local port travel inside the SSH session and are delivered to the destination by the remote side. By default the local listener binds to the loopback address only, so other hosts cannot use the tunnel unless a bind address (or -g) is given.

-To forward traffic from port 4881 on the local machine to port 8080 on the remote machine whose IP is 192.168.0.10:

$ ssh id@192.168.0.10 -L 4881:localhost:8080

-To test a Java web application running on a Tomcat server on a remote machine (then open http://localhost:8080 in the local browser):

$ ssh id@remote.address -L 8080:localhost:8080

-To just forward a port without opening a remote shell, the -N option can be used:

$ ssh id@192.168.0.10 -NL 4881:localhost:8080
-N      Do not execute a remote command.  This is useful for just forwarding ports (protocol version 2 only).

SCP

-Copy a file in the 'dir' directory (relative to the remote user's home directory) on the remote machine to the /home/ directory on the local machine.

$ scp -pr username@remote_address:dir/file /home/
-p      Preserves modification times, access times, and modes from the original file.
-r      Recursively copy entire directories (needed when the source is a directory).


-Copy a file on the local machine to the 'dir' directory on the remote machine (the current user name is used when none is given).

$ scp -p localfile remote.address:dir

SSH Key

Generate RSA Key

$ mkdir ~/.ssh 
$ chmod 700 ~/.ssh 
$ ssh-keygen -t rsa 
  • OR
$ ssh-keygen -t rsa -C "username@your.email.com" 

-C only sets the comment stored with the public key (an e-mail address is the usual convention, so you can tell keys apart in authorized_keys); it is not checked anywhere. ssh-keygen writes the private key to ~/.ssh/id_rsa (mode 600) and the public key to ~/.ssh/id_rsa.pub. Only the .pub file is ever copied to servers; protect the private key with a passphrase when prompted, since anyone holding an unprotected private key can log in as you. Where both ends support it, ssh-keygen -t ed25519 gives a shorter, faster key that is at least as strong as a large RSA key.

SSH Key Encryption Level

This is the RSA key size, not an encryption level. The default was 2048 bits (OpenSSH 8.0 and later default to 3072). To generate a 4096-bit key:

$ ssh-keygen -t rsa -b 4096

Transfer Client Key to Host

$ scp -P PORT_NUMBER ~/.ssh/id_rsa.pub user@hostname:.ssh/uploaded_key.pub 
$ ssh user@hostname.com "cat ~/.ssh/uploaded_key.pub >> ~/.ssh/authorized_keys" 

This assumes ~/.ssh already exists on the host. Note that scp uses -P (upper case) for the port while ssh uses -p. With StrictModes yes (the default) sshd ignores authorized_keys if the file or the directory is writable by group or others, so make sure ~/.ssh is mode 700 and ~/.ssh/authorized_keys is mode 600 on the host.

Or, let ssh-copy-id append the key and fix the permissions for you:

ssh-copy-id <username>@<host> 
ssh-copy-id -i ~/.ssh/rsa_file.pub <username>@<host> 

To specify the port number (older ssh-copy-id versions only take it inside the host argument):

ssh-copy-id -i ~/.ssh/rsa_file.pub "username@host -p 1234" 

Current OpenSSH versions accept it directly:

ssh-copy-id -p 1234 -i ~/.ssh/rsa_file.pub username@host 

If it fails with the following error message,

Received disconnect from 1.2.3.4: Too many authentication failures for user

the agent has offered every loaded key before password authentication was reached and sshd's MaxAuthTries limit (6 by default) was hit. Set the -o PubkeyAuthentication=no option so the copy goes straight to password authentication:

ssh-copy-id -i ~/.ssh/rsa_file.pub "username@host -p 1234 -o PubkeyAuthentication=no"

(or ssh-copy-id -o PubkeyAuthentication=no -p 1234 -i ~/.ssh/rsa_file.pub username@host with a current version).

Set up to Use only SSH Key to Log in

Set up to use only an SSH key instead of a username and password to log in to the server. Do this only after you have confirmed, from a second session, that key login already works; otherwise you lock yourself out.

edit /etc/ssh/sshd_config

PermitRootLogin no
PasswordAuthentication no

On systems where sshd uses PAM, also set ChallengeResponseAuthentication no (named KbdInteractiveAuthentication in OpenSSH 8.7 and later), otherwise a password prompt can still reach the user through keyboard-interactive authentication. Check the file with `sshd -t`, then reload sshd.

e.g.)

# by Kevin (1 line)
PasswordAuthentication no
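As an added example (not code from the original wiki page), the POSIX shell script below applies the sshd_config changes from "Change Port Number" and from this section to a configuration file and then reports the values sshd will actually use. The file path, port 1234 and user name kevin are assumptions. The point of the check is that sshd keeps the first value it finds for a directive and treats anything after a Match line as part of that block, so a stray earlier Port or PasswordAuthentication line silently wins over the one you edited.

```shell
#!/bin/sh
# Added example (not code from the original wiki page): apply the sshd_config
# changes described in "Change Port Number" and "Set up to Use only SSH Key
# to Log in" to a config file, and check the values sshd will actually use.
# The file path, port 1234 and user name "kevin" used below are assumptions.

# effective_value FILE DIRECTIVE
# Print the first argument of the value sshd uses for DIRECTIVE. sshd keeps
# the FIRST active occurrence of a keyword (keywords are case-insensitive),
# and lines after a Match block apply only inside that block, so the scan
# stops at the first Match. Prints nothing if the directive is not set.
effective_value() {
    awk -v key="$2" '
        /^[ \t]*(#|$)/               { next }
        tolower($1) == "match"       { exit }
        tolower($1) == tolower(key)  { print $2; exit }
    ' "$1"
}

# harden_sshd_config FILE PORT USER
# Keep a backup FILE.bak, drop the existing global lines for the managed
# directives and put our own values at the top of the file, where they are
# both first (so they win) and outside any Match block. Match blocks are
# left untouched.
harden_sshd_config() {
    cfg="$1"; port="$2"; user="$3"
    cp -- "$cfg" "$cfg.bak" || return 1
    {
        printf 'Port %s\n' "$port"
        printf 'PermitRootLogin no\n'
        printf 'PasswordAuthentication no\n'
        printf 'AllowUsers %s\n' "$user"
        awk '
            tolower($1) == "match" { in_match = 1 }
            !in_match && tolower($1) ~ /^(port|permitrootlogin|passwordauthentication|allowusers)$/ { next }
            { print }
        ' "$cfg.bak"
    } > "$cfg"
}

# check_sshd_config FILE
# Succeed only when both root login and password login are effectively off.
# Run it, and "sshd -t -f FILE" for a syntax check, before restarting sshd,
# and keep your current session open while you test from a second terminal.
check_sshd_config() {
    [ "$(effective_value "$1" PermitRootLogin)" = no ] &&
    [ "$(effective_value "$1" PasswordAuthentication)" = no ]
}

# Demo on a constructed copy of the distribution defaults quoted above.
demo_dir=$(mktemp -d)
demo_cfg="$demo_dir/sshd_config"
cat > "$demo_cfg" <<'EOF'
# Package generated configuration file
# See the sshd(8) manpage for details

# What ports, IPs and protocols we listen for
Port 22

# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
EOF

if check_sshd_config "$demo_cfg"; then echo "before: key-only login (unexpected)"
else echo "before: password login still possible"; fi

harden_sshd_config "$demo_cfg" 1234 kevin
if check_sshd_config "$demo_cfg"; then
    echo "after: key-only login, port $(effective_value "$demo_cfg" Port)"
fi
rm -rf "$demo_dir"
```

On a real host run it as root against /etc/ssh/sshd_config, then validate with `sshd -t -f /etc/ssh/sshd_config`, reload sshd, and confirm from a second terminal that key login works and that `ssh -o PubkeyAuthentication=no user@host` is refused before closing the session you already have.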

If logging in with the SSH key fails with the following error message,

Agent admitted failure to sign using the key.

the running ssh-agent knows about the key but could not sign with it. Add the key to the agent explicitly with ssh-add:

$ ssh-add your-key 
Enter passphrase for your-key: 
Identity added: your-key (your-key)

Login without Using SSH Key

To skip public-key authentication for a single connection and go straight to password authentication (for example when the server disconnects you with "Too many authentication failures" because the agent offers every loaded key, or to verify that password login is really disabled on a hardened server), try this.

$ ssh -o PubkeyAuthentication=no username@host

An error such as

$ ssh username@host 
ssh: connect to host kevin-l port 22: No route to host

is not an authentication problem and no ssh option fixes it: the TCP connection never reached the server (wrong host name or address, host down, or a route/firewall problem). Check the address, the port and the network first.


known_hosts

  • Way to remove a host key from ~/.ssh/known_hosts, e.g. after a server was reinstalled and its host key legitimately changed (-R removes every entry for the host, hashed entries included, and keeps a backup in known_hosts.old; -f can be omitted for the default file)
$ ssh-keygen -f "/home/USERNAME/.ssh/known_hosts" -R IP_ADDRESS 

e.g.)

$ ssh-keygen -f "/home/USERNAME/.ssh/known_hosts" -R 1.2.3.4 

  • Only do this when you know why the key changed. A "REMOTE HOST IDENTIFICATION HAS CHANGED" warning is also exactly what a man-in-the-middle attack looks like, so first compare the fingerprint ssh printed with the one read on the server itself over a channel you trust (console, an existing session):
$ for f in /etc/ssh/ssh_host_*_key.pub; do ssh-keygen -lf "$f"; done


Troubleshooting

SSH timed out too quickly

  • Problem:
    • Accessing a server through SSH and using it.
    • Not using it for a short period of time (like less than 1 minute).
    • Then the server doesn't respond anymore.
  • Cause: usually a NAT router or stateful firewall between client and server drops the idle TCP connection after a short timeout, so the session is dead even though neither end closed it.
  • Possible solution:
    • Edit the /etc/ssh/ssh_config file (the client configuration; ~/.ssh/config works for a single user) and add the following line under Host *.
    ServerAliveInterval 30
  • The client then sends a keepalive request inside the encrypted channel after 30 seconds without traffic, which keeps the connection state alive on the way. With the default ServerAliveCountMax 3 the client also gives up after three unanswered requests, so a dead server is noticed within about 90 seconds instead of hanging. The server-side counterpart in sshd_config is ClientAliveInterval.