-
Notifications
You must be signed in to change notification settings - Fork 0
/
ssh
201 lines (140 loc) · 5.47 KB
/
ssh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
Troubleshoot connecting {{{1
https://docs.digitalocean.com/products/droplets/resources/troubleshooting-ssh
username wrong or wrong permissions:
$HOME dir 700 or 755
$HOME/.ssh 700
host disk out of space
host user account dir
missing or restricted access to ~/.ssh
authorized_keys file wrong permissions: should be 600
# Gloud with OS Login enabled
# username andmalc_gmail_com
# run to see which keys in account profile: gcloud compute os-login describe-profile
# https://cloud.google.com/compute/docs/instances/ssh
# https://cloud.google.com/compute/docs/instances/managing-instance-access#add_oslogin_keys
~
Change port on Fedora/Centos
semanage port -a -t ssh_port_t -p tcp 2292
firewall-cmd --zone=public --permantent --add-port=2292/tcp
Login/Password config {{{1
Prevent host key checking for logins to localhost
NoHostAuthenticationForLocalhost yes
UserKnownHostsFile /dev/null
Disable password login:
sshd_config: PasswordAuthentication no
/etc/pam.d/ssh: disable unix passwords
Disable root login except for restrictions
sshd_config: PermitRootLogin forced-commands-only
authorized_keys: command="rdiff-backup --server --restrict-read-only /",from="workstation",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty <rest of public key>
If other use attempted, login fails with passphrase & password prompts
Command {{{1
ssh user@host [-p port] -L<port#>:localhost:<port#>
Options
p change passphrase
f run command without shell
D dynamic, app-level port forwarding
used now for Socks4 server
ssh -D 1080 my.box.com
i load identity private key
L forward ports
e.g. SMTP & POP3
set AllowTcpForwarding 'yes' in sshd_config
ssh -N -L <local port #>:localhost:<remote port #> username@remote-server
N no command - good for port forwarding
X forward local connection to X display server to remote session
DISPLAY variable set by ssh will point to server machine and with a
number greater than 0 to refer to a 'Proxy' server created on remote
side.
AllowXForwarding must be 'yes' in remote sshd_config
a forward local connection to authentication agent to remote
ssh-add
-l lists loaded identities
Keys {{{1
Change passphrase
ssh-keygen -t <type> -p
Display fingerprint
ssh-keygen -lf <pub key file name> # SHA256 format - new
ssh-keygen -E md5 -lf <pub key file name> # MD5 format - old
Key formats:
MD5 32 bit 41:0e:07:a1:5d:89:32:e1:42:30:70:ff:91:6e:d4:1f
SHA 40 bit 2048 SHA256:gfno3KCYssX6XgdaJki/VbDcQpgiUM9+Qzgn+uJsbI8
Convert public key to MD5 fingerprint:
Echo <content of public key> | base64 -d | md5sum
OpenSSH key format + convert to PEM
http://blog.oddbit.com/2011/05/08/converting-openssh-public-keys/
public key
ssh-keygen -e -m pem -f .ss/keyfile
private key
openssl rsa -in ~/.ssh/id_rsa -outform pem > id_rsa.pem
In place conversion of existing ECDSA private key
ssh-keygen -p -m PEM -N "" -f id_ecdsa
In place conversion of existing ECDSA private key
ssh-keygen -p -m PEM -N "" -f id_ecdsa
escapes {{{1
Default escape: Enter + ~ + .
Config option is EscapeChar (could change to %)
Terminate connection .
Suspend connection ^Z
Port forward term C
List forwarded #
only shows if connection is in use.
Instead run 'netstat -tpln' from local host
Override escape ~ (i.e. ~~)
Port Forwarding {{{1
http://unix.stackexchange.com/questions/46235/how-does-reverse-ssh-tunneling-work
https://help.ubuntu.com/community/SSH/OpenSSH/PortForwarding
-L Answer on local side, deliver to local
-R answer on remote side, delivers to local
-R <remote port>:localhost:<local port>
Format: ssh -L <local port>:<server host>:<server port> [<jump host if used>]
If port forwarded on same host as ssh server, <server host> is localhost
Client Config
LocalForward 2001 localhost:143
Server sshd_config
AllowTcpForwarding yes
sshfs {{{1
Options
allow_other allow other users to access mounnt point
default_permissions ?
identityfile give absolute path
reconnect maybe causing issues with suspend
sudo sshfs {{user id}}@{{server}}:{{remote share}} {{local mount point}} \
-o idmap=user -o allow_other -o uid={{local user id}} -o gid={{local group id}}
fstab entry:
[email protected]: /var/home/andmalc/mnt/f39gce fuse.sshfs x-systemd.automount,x-systemd.idle-timeout=120s,IdentityFile=/var/home/andmalc/.ssh/id_ecdsa,_netdev,allow_other 0 0
Auto reconnect
-o reconnect,ServerAliveInterval=15,ServerAliveCountMax=3
Systemd troubleshoot
systemctl status var-home-andmalc-mnt-f39gce.mount
Docs {{{1
Run remote Python script. Note strong quotes to protect $HOME.
ssh vex.net 'env PYTHONPATH=$HOME/lib/python python -c "import mytest"'
File Transfer (w/o scp)
ssh uid@remotehost 'cat > /path/to/dest' < /path/to/source
cat .ssh/id_dsa.pub | ssh user1@remote \
"cat - >>.ssh/authorized_keys"
utils {{{1
ssh-agent
run:
ssh-agent zsh
eval `ssh-agent` (old)
kill and unset env vars:
eval `ssh-agent -k`
ssh-add
run: ssh-add <key>
if no arg to ssh-add, adds default keys
l list fingerprints of added identitites
L list full public keys of added identitites
D delete all identities
related programs {{{1
scp
wildcards for remote path: may need to quote or escape
-p preserve permissions and timestamps
do not use to copy trees as links copied as target files
instead:
tar cf - /usr/local/bin | ssh server.example.com tar xf -
sftp
login to remote host
sftp -oPort=2222 localhost
techniques {{{1
bypass fw by running on SSL handshake port 443