Secure Shell

From KevinWiki

Jump to: navigation, search


Secure Shell (SSH)

Secure Shell (SSH) is a network protocol which transfers data using a secure channel between two networks.

Change Port Number

  • Changing the port number for ssh can be one solution to ignore ssh brute force attack.
  • Open /etc/ssh/sshd_config file and change the port number.
# Package generated configuration file
# See the sshd(8) manpage for details

# What ports, IPs and protocols we listen for
Port 22
Port 1234
  • and change the following lines
# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes

to like these lines below

# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes
AllowUsers username


-Creating a tunnel through ssh

$ ssh id@<remote machine address> -L <port number on local machine>:<local machine address>:<port on remote machine>

-To forward traffic from port 4881 on the local machine to port 8080 on the remote machine the IP of which is

$ ssh id@ -L 4881:localhost:8080

-To test a Java web application, running on tomcat server on a remote machine.

$ ssh id@remote.address -L 8080:localhost:8080

-To just forward a port, -N option can be used.

$ ssh id@ -NL 4881:localhost:8080
-N      Do not execute a remote command.  This is useful for just forwarding ports (protocol version 2 only).


-Copy a file in the 'dir' directory on the remote machine to the directory 'home' on the local machine.

$ scp -pr username@remote_address:dir/file /home/
-p      Preserves modification times, access times, and modes from the original file.
-r      Recursively copy entire directories.

-Copy a file on the local machine to remote machine

$ scp -p localfile remote.address:dir


Generate RSA Key

$ mkdir ~/.ssh 
$ chmod 700 ~/.ssh 
$ ssh-keygen -t rsa 
  • OR
$ ssh-keygen -t rsa -C "" 

SSH Key Encryption Level

The default ssh key encryption level is 2048. To increase it to 4096

$ ssh-keygen -t rsa -b 4096

Transfer Client Key to Host

$ scp -P PORT_NUMBER ~/.ssh/ user@hostname:.ssh/ 
$ ssh "cat ~/.ssh/ >> ~/.ssh/authorized_keys" 


ssh-copy-id <username>@<host> 
ssh-copy-id -i ~/.ssh/ <username>@<host> 

To specify the port number

ssh-copy-id -i ~/.ssh/ "username@host -p 1234" 

If it fails with the following error message.

Received disconnect from Too many authentication failures for user

Set -o PubkeyAuthentication=no option.

ssh-copy-id -i ~/.ssh/ "username@host -p 1234 -o PubkeyAuthentication=no"

Set up to Use only SSH Key to Log in

Set up to use only ssh key instead of username and password to log in to the server

edit /etc/ssh/sshd_config

PermitRootLogin no
PasswordAuthentication no


# by Kevin (1 line)
PasswordAuthentication no

If logging in with SSH key fails with the following error message.

Agent admitted failure to sign using the key.

run ssh-add

$ ssh-add your-key 
Enter passphrase for your-key: 
Identity added: your-key (your-key)

Login without Using SSH Key

If SSH access failed with the following error,

$ ssh username@host 
ssh: connect to host kevin-l port 22: No route to host

try this.

$ ssh -o PubkeyAuthentication=no username@host


  • Way to remove key from ~/.ssh/known_hosts
$ ssh-keygen -f "/home/USERNAME/.ssh/known_hosts" -R IP_ADDRESS 


$ ssh-keygen -f "/home/USERNAME/.ssh/known_hosts" -R 


SSH timed out too quickly

  • Problem:
    • Accessing a server through SSH and use it.
    • don't use it for a short period of time (like less than 1 minute).
    • Then the server doesn't respond anymore.
  • Possible Solution:
    • Edit /etc/ssh/ssh_config file. Add the following line.
    ServerAliveInterval 30
  • The client will check if the server is still alive every 30 seconds.
Personal tools