Secure Shell
From KevinWiki
Contents |
Secure Shell (SSH)
Secure Shell (SSH) is a network protocol which transfers data using a secure channel between two networks.
Change Port Number
- Changing the port number for ssh can be one solution to ignore ssh brute force attack.
- Open
/etc/ssh/sshd_configfile and change the port number.
# Package generated configuration file
# See the sshd(8) manpage for details
# What ports, IPs and protocols we listen for
Port 22
e.g)
Port 1234
- and change the following lines
# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
to like these lines below
# Authentication: LoginGraceTime 120 PermitRootLogin no StrictModes yes AllowUsers username
Tunneling
-Creating a tunnel through ssh
$ ssh id@<remote machine address> -L <port number on local machine>:<local machine address>:<port on remote machine>
-To forward traffic from port 4881 on the local machine to port 8080 on the remote machine the IP of which is 192.168.0.10.
$ ssh id@192.168.0.10 -L 4881:localhost:8080
-To test a Java web application, running on tomcat server on a remote machine.
$ ssh id@remote.address -L 8080:localhost:8080
-To just forward a port, -N option can be used.
$ ssh id@192.168.0.10 -NL 4881:localhost:8080
-N Do not execute a remote command. This is useful for just forwarding ports (protocol version 2 only).
SCP
-Copy a file in the 'dir' directory on the remote machine to the directory 'home' on the local machine.
$ scp -pr username@remote_address:dir/file /home/
-p Preserves modification times, access times, and modes from the original file. -r Recursively copy entire directories.
-Copy a file on the local machine to remote machine
$ scp -p localfile remote.address:dir
SSH Key
Generate RSA Key
$ mkdir ~/.ssh $ chmod 700 ~/.ssh
$ ssh-keygen -t rsa
- OR
$ ssh-keygen -t rsa -C "username@your.email.com"
SSH Key Encryption Level
The default ssh key encryption level is 2048. To increase it to 4096
$ ssh-keygen -t rsa -b 4096
Transfer Client Key to Host
$ scp -P PORT_NUMBER ~/.ssh/id_rsa.pub user@hostname:.ssh/uploaded_key.pub $ ssh user@hostname.com "cat ~/.ssh/uploaded_key.pub >> ~/.ssh/authorized_keys"
Or,
ssh-copy-id <username>@<host> ssh-copy-id -i ~/.ssh/rsa_file.pub <username>@<host>
To specify the port number
ssh-copy-id -i ~/.ssh/rsa_file.pub "username@host -p 1234"
If it fails with the following error message.
Received disconnect from 1.2.3.4: Too many authentication failures for user
Set -o PubkeyAuthentication=no option.
ssh-copy-id -i ~/.ssh/rsa_file.pub "username@host -p 1234 -o PubkeyAuthentication=no"
Set up to Use only SSH Key to Log in
Set up to use only ssh key instead of username and password to log in to the server
edit /etc/ssh/sshd_config
PermitRootLogin no PasswordAuthentication no
e.g.)
# by Kevin (1 line) PasswordAuthentication no
If logging in with SSH key fails with the following error message.
Agent admitted failure to sign using the key.
run ssh-add
$ ssh-add your-key Enter passphrase for your-key: Identity added: your-key (your-key)
Login without Using SSH Key
If SSH access failed with the following error,
$ ssh username@host ssh: connect to host kevin-l port 22: No route to host
try this.
$ ssh -o PubkeyAuthentication=no username@host
known_hosts
- Way to remove key from ~/.ssh/known_hosts
$ ssh-keygen -f "/home/USERNAME/.ssh/known_hosts" -R IP_ADDRESS
e.g.)
$ ssh-keygen -f "/home/USERNAME/.ssh/known_hosts" -R 1.2.3.4
Troubleshooting
SSH timed out too quickly
- Problem:
- Accessing a server through SSH and use it.
- don't use it for a short period of time (like less than 1 minute).
- Then the server doesn't respond anymore.
- Possible Solution:
- Edit
/etc/ssh/ssh_configfile. Add the following line.
- Edit
ServerAliveInterval 30
- The client will check if the server is still alive every 30 seconds.
