Difference between revisions of "Linux: SSH"
Jump to navigation
Jump to search
Rafahsolis (talk | contribs) |
Rafahsolis (talk | contribs) Tag: visualeditor |
||
| (32 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
SSH stands for Secure Shell. Establishes a secure communication between 2 computers.<br /> | SSH stands for Secure Shell. Establishes a secure communication between 2 computers.<br /> | ||
| − | == Create a key pair == | + | ==Create a key pair== |
To create a key pair for the ssh: | To create a key pair for the ssh: | ||
ssh-keygen -t rsa -C "your_email@example.com" | ssh-keygen -t rsa -C "your_email@example.com" | ||
| Line 6: | Line 6: | ||
ssh-keygen -e -f id_rsa.pub > yourfilename.pub | ssh-keygen -e -f id_rsa.pub > yourfilename.pub | ||
-i is the inverse of the -e switch | -i is the inverse of the -e switch | ||
| − | == Add the key to the ssh-agent == | + | ===Change SSH key Password=== |
| + | ssh-keygen -f id_rsa -p | ||
| + | |||
| + | ==Add the key to the ssh-agent== | ||
eval "$(ssh-agent -s)" | eval "$(ssh-agent -s)" | ||
ssh-add ~/.ssh/id_rsa | ssh-add ~/.ssh/id_rsa | ||
| − | == View key information == | + | ==View key information== |
ssh-keygen -l -f id_rsa.pub | ssh-keygen -l -f id_rsa.pub | ||
Returns something like: 2048 3f:4b:dd:ce:2b:cd:dc:99:13:ff:38:4a:24:95:d4:e9 rafahsolis@gmail.com (RSA) | Returns something like: 2048 3f:4b:dd:ce:2b:cd:dc:99:13:ff:38:4a:24:95:d4:e9 rafahsolis@gmail.com (RSA) | ||
| − | == Copy key to server == | + | ==Copy key to server== |
ssh-copy-id -i path/to/key_name.pub user_name@host_name | ssh-copy-id -i path/to/key_name.pub user_name@host_name | ||
If .pub is already uploaded to the server: | If .pub is already uploaded to the server: | ||
cat filename.pub >> $HOME/.ssh/authorized_keys | cat filename.pub >> $HOME/.ssh/authorized_keys | ||
| − | == If home directory is encrypted == | + | ==If home directory is encrypted== |
$ /sbin/umount.ecryptfs_private | $ /sbin/umount.ecryptfs_private | ||
$ cd $HOME | $ cd $HOME | ||
| Line 28: | Line 31: | ||
AuthorizedKeysFile /etc/ssh/%u/authorized_keys | AuthorizedKeysFile /etc/ssh/%u/authorized_keys | ||
| − | == ssh tunneling == | + | ==SSH with jump machine== |
| + | <syntaxhighlight lang="bash"> | ||
| + | ssh -J xe50582@vegeta.rra.lan -ND 1080 15.17.170.46 | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | ===Jump via .ssh/config=== | ||
| + | <syntaxhighlight lang="text"> | ||
| + | Host raspisalto | ||
| + | Hostname 15.17.170.46 | ||
| + | User pi | ||
| + | PreferredAuthentications password | ||
| + | PubkeyAuthentication no | ||
| + | ProxyCommand ssh vegeta.rra.lan -W 15.17.170.46:22 | ||
| + | </syntaxhighlight><syntaxhighlight lang="bash"> | ||
| + | ssh -D 1080 -N -f -C -q raspisalto | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | ==ssh tunneling== | ||
This is used for example to connect to a database on a server that has the database port closed but ssh port open.<br /> | This is used for example to connect to a database on a server that has the database port closed but ssh port open.<br /> | ||
| − | + | <source lang="bash">ssh -N -L localport:remotehost:remoteport remoteuser@remotehost | |
| − | + | ssh ip_maq_intermedia -L puerto_local_kali:ip_destino_real:puerto_remoto | |
| + | ssh www.intermediate.com -NL 5432:fesfe-dbpg.c9hdfwhhklwy.eu-central-1.rds.amazonaws.com:5432</source> | ||
| + | |||
Example: | Example: | ||
ssh -i .ssh/MySshKey.pem -N -L 8888:localhost:3306 ubuntu@myserver.com | ssh -i .ssh/MySshKey.pem -N -L 8888:localhost:3306 ubuntu@myserver.com | ||
| Line 37: | Line 59: | ||
the database on myserver.com using your local port 8888.<br /> | the database on myserver.com using your local port 8888.<br /> | ||
(*) -N tells ssh that you won't execute any commands on the ssh shell.<br /> | (*) -N tells ssh that you won't execute any commands on the ssh shell.<br /> | ||
| − | === Check/close open tunnels === | + | ===Check/close open tunnels=== |
<nowiki> | <nowiki> | ||
| − | netstat -n --protocol inet | grep ':22' | + | netstat -n --protocol inet | grep ':22' |
| − | sudo lsof -i -n | egrep '\<ssh\>' | + | sudo lsof -i -n | egrep '\<ssh\>' |
| − | sudo lsof -i -n | egrep '\<sshd\>'</nowiki> | + | sudo lsof -i -n | egrep '\<sshd\>'</nowiki> |
'''To close open tunnels'''<br /> | '''To close open tunnels'''<br /> | ||
| Line 48: | Line 70: | ||
'''To see what it will kill''' | '''To see what it will kill''' | ||
ps aux | grep my_ssh_key.pem | ps aux | grep my_ssh_key.pem | ||
| + | ===Examples=== | ||
| − | == Configuration == | + | *Access to a remote MySQL binded to 127.0.0.1 (it woudn't be accesible from outside) |
| + | |||
| + | Runing this command on your box: | ||
| + | ssh -N -L 3666:localhost:3306 user@some.remotehost.com | ||
| + | Makes the MySQL Server accesible at your local machine at port 3666 | ||
| + | |||
| + | ==Configuration== | ||
Edit the following files to configure ssh<br /> | Edit the following files to configure ssh<br /> | ||
(Message of the Day) | (Message of the Day) | ||
| − | */etc/motd | + | |
| + | */etc/motd (old) | ||
| + | */etc/update-motd.d/* (new) | ||
| + | |||
| + | echo -e "\e[31m\\u2588\u2588\u2588\u2588\u2588\u2588\u2588\e[33m\\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\e[31m\\u2588\u2588\u2588\u2588\u2588\u2588\u2588\e[37m" > /etc/update-motd.d/flag | ||
| + | echo "cat /etc/update-motd.d/flag" >> /etc/update-motd.d/00-header | ||
| + | |||
Other settings: | Other settings: | ||
| + | |||
*/etc/ssh/sshd_config | */etc/ssh/sshd_config | ||
| + | |||
Recomended: Disable password login: | Recomended: Disable password login: | ||
ChallengeResponseAuthentication no | ChallengeResponseAuthentication no | ||
| Line 62: | Line 99: | ||
sudo service ssh restart | sudo service ssh restart | ||
| − | == Videos == | + | ==Videos== |
[https://www.dropbox.com/s/uxng22kpge7luxf/SSH%20Tutorial%20-%20Basic%20server%20administration%20with%20SSH-DbPDraCYju8.mp4?dl=0 SSH Tutorial Basic server administration with SSH (mp4)]<br /> | [https://www.dropbox.com/s/uxng22kpge7luxf/SSH%20Tutorial%20-%20Basic%20server%20administration%20with%20SSH-DbPDraCYju8.mp4?dl=0 SSH Tutorial Basic server administration with SSH (mp4)]<br /> | ||
[https://www.dropbox.com/s/hzvkdcdw11t1cxk/SSH%20SCP%20and%20key%20pairs%20tutorial%20%28Secure%20authentication%20and%20encrypted%20comunication%29-oHoRYCY-LYU.mp4?dl=0 SSH SCP and key pairs tutorial Secure authentication and encrypted comunication (mp4)] | [https://www.dropbox.com/s/hzvkdcdw11t1cxk/SSH%20SCP%20and%20key%20pairs%20tutorial%20%28Secure%20authentication%20and%20encrypted%20comunication%29-oHoRYCY-LYU.mp4?dl=0 SSH SCP and key pairs tutorial Secure authentication and encrypted comunication (mp4)] | ||
| − | == Config | + | ==Config files== |
| − | sudo nano /etc/ssh/sshd_config | + | sudo nano /etc/ssh/sshd_config (ssh daemon config)<br /> |
| − | == Welcome message == | + | ===$HOME/.ssh/config=== |
| + | <nowiki>Host morpheus | ||
| + | IdentityFile ~/.ssh/Trinity.pub | ||
| + | User rafa | ||
| + | port 10535 | ||
| + | |||
| + | === $WORK/.ssh/config === | ||
| + | Host flirt | ||
| + | IdentityFile ~/.ssh/Trinity.pub | ||
| + | User rafa | ||
| + | port 10536</nowiki> | ||
| + | |||
| + | (connections config) | ||
| + | <nowiki>Host fpsim-frontend | ||
| + | IdentityFile ~/.ssh/DNC-FKY.pem | ||
| + | |||
| + | Host * | ||
| + | ServerAliveInterval 30 | ||
| + | ServerAliveCountMax 2 | ||
| + | |||
| + | Host mi6.rra.lan | ||
| + | IdentityFile ~/.ssh/rra_fake.pem | ||
| + | User rra | ||
| + | |||
| + | Host leaks.rra.lan | ||
| + | IdentityFile ~/.ssh/rt_rsa | ||
| + | User xe50582 | ||
| + | |||
| + | Host news.menupayapp.com | ||
| + | IdentityFile ~/.ssh/rra_id.pem | ||
| + | User ubuntu | ||
| + | |||
| + | Host 20.1.40.109 | ||
| + | IdentityFile ~/.ssh/rt_rsa | ||
| + | User rra | ||
| + | |||
| + | Host gitrra.dyndns.org | ||
| + | IdentityFile ~/.ssh/DNC-FKY.pem | ||
| + | User ubuntu | ||
| + | |||
| + | Host mapper1 | ||
| + | IdentityFile ~/.ssh/id_rsa | ||
| + | HostName WF00MPA1.igrupobbva | ||
| + | User pi | ||
| + | |||
| + | Host mapper2 | ||
| + | IdentityFile ~/.ssh/id_rsa | ||
| + | HostName WF00MPA2.igrupobbva | ||
| + | User pi | ||
| + | |||
| + | |||
| + | |||
| + | # LEAVE THIS ONES AT THE BOTTOM (WILDCHARS) First match will be used | ||
| + | Host 20.1.40.* | ||
| + | IdentityFile ~/.ssh/rt_rsa | ||
| + | User xe50582 | ||
| + | |||
| + | Host *.rra.lan | ||
| + | IdentityFile ~/.ssh/rt_rsa | ||
| + | User xe50582 | ||
| + | |||
| + | |||
| + | Host 10.255.0.* | ||
| + | IdentityFile ~/.ssh/rt_rsa | ||
| + | User xe50582</nowiki> | ||
| + | <syntaxhighlight lang="text"> | ||
| + | |||
| + | |||
| + | |||
| + | </syntaxhighlight> | ||
| + | |||
| + | ==LDAP ldapkeyfile== | ||
| + | <source lang="bash">#!/usr/bin/env bash | ||
| + | ldapsearch -h rtLDAP01.igrupobbva -b dc=rtLDAP01,dc=igrupobbva -x '(&(objectClass=posixAccount)(uid='"$1"'))' 'sshPublicKey' | sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp' | ||
| + | |||
| + | #sudo ldapsearch -x '(objectClass=*)' -h 192.168.56.103 | ||
| + | #-b ou=users,dc=rtLDAP01,dc=igrupobbva</source> | ||
| + | |||
| + | ==sshd_config LDAP ldapsearch== | ||
| + | AuthorizedKeysCommand /bin/ldapkeyfile | ||
| + | AuthorizedKeysCommandUser nobody | ||
| + | |||
| + | ==Welcome message== | ||
Two files must be edited:<br /> | Two files must be edited:<br /> | ||
/etc/motd (message of the day)<br /> | /etc/motd (message of the day)<br /> | ||
/etc/ssh/sshd_config: Change the setting PrintLastLog to "no", this will disable the "Last login" message. | /etc/ssh/sshd_config: Change the setting PrintLastLog to "no", this will disable the "Last login" message. | ||
| − | == Convert rsa to ppk == | + | |
| + | == Add Key Oneliner == | ||
| + | <syntaxhighlight lang="bash"> | ||
| + | ssh-keyscan -t rsa gitlab.roqs.basf.net | tee gitlab.roqs.basf.net-key-temp | ssh-keygen -lf - | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | ==Convert rsa to ppk== | ||
puttygen keyname -o keyname.ppk | puttygen keyname -o keyname.ppk | ||
| − | == Avoid broken pipe == | + | ==Avoid broken pipe== |
2 options:<br /> | 2 options:<br /> | ||
| − | + | ===ClientAliveInterval, SeverAliveInterval=== | |
| − | create file: /home/user/.ssh/ | + | ====Client side==== |
| + | Use ClientAliveInterval if you have a jump machine<br /> | ||
| + | create file: /home/user/.ssh/config with the following content: (client side) chmod 600 | ||
<nowiki> | <nowiki> | ||
| − | + | Host * | |
| − | + | ServerAliveInterval 60 | |
| − | + | ServerAliveCountMax 2</nowiki> | |
| − | + | For each user, or ading to /etc/ssh/ssh_config | |
| − | + | ServerAliveInterval 60 | |
| + | ClientAliveCountMax 2 | ||
| + | |||
| + | ====Server side==== | ||
echo "ClientAliveInterval 60" | sudo tee -a /etc/ssh/sshd_config | echo "ClientAliveInterval 60" | sudo tee -a /etc/ssh/sshd_config | ||
| Line 89: | Line 219: | ||
2: | 2: | ||
<nowiki> | <nowiki> | ||
| − | echo 60 > /proc/sys/net/ipv4/tcp_keepalive_time</nowiki> | + | echo 60 > /proc/sys/net/ipv4/tcp_keepalive_time</nowiki> |
Shell script to reconnect on broken pipe: | Shell script to reconnect on broken pipe: | ||
| Line 124: | Line 254: | ||
done | done | ||
</source> | </source> | ||
| − | == known_hosts == | + | |
| + | ==known_hosts== | ||
===Remove offending key=== | ===Remove offending key=== | ||
If when trying to connect to a host you get the message: | If when trying to connect to a host you get the message: | ||
| Line 130: | Line 261: | ||
and you trust the host (this can happen when you change CNAME file of your DNS to point to a different server | and you trust the host (this can happen when you change CNAME file of your DNS to point to a different server | ||
ssh-keygen -f "/home/user/.ssh/known_hosts" -R server_dns_or_ip | ssh-keygen -f "/home/user/.ssh/known_hosts" -R server_dns_or_ip | ||
| + | ==Enable ssh at boot== | ||
| + | # update-rc.d -f ssh enable 2 3 4 5 | ||
| + | systemctl enable ssh | ||
| + | |||
| + | ==Force password authentication== | ||
| + | ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no example.com | ||
| + | ==Open ssh SOCKS5 Proxy Server (Dynamic port redirection)== | ||
| + | ssh -ND 1111 ubuntu@ec2-52-57-220-220.eu-central-1.compute.amazonaws.com -i ~/.ssh/DNC-FKY.pem | ||
| + | ssh -D 10.28.0.81:1111 rafa@10.28.0.81 | ||
| + | |||
| + | ==SSH Config== | ||
| + | Path ~/.ssh/config | ||
| + | |||
| + | ==Kill User sessions== | ||
| + | <syntaxhighlight lang="bash"> | ||
| + | ps aux | grep xe84049 | grep sshd | awk '{print $2}' | xargs -n 1 sudo kill -9 | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | ===Work=== | ||
| + | <nowiki>Host fpsim-frontend | ||
| + | IdentityFile ~/.ssh/DNC-FKY.pem | ||
| + | User ubuntu | ||
| + | Host * | ||
| + | ServerAliveInterval 30 | ||
| + | ServerAliveCountMax 2 | ||
| + | |||
| + | Host 10.255.0.* | ||
| + | IdentityFile ~/.ssh/rt_rsa | ||
| + | User xe50582 | ||
| + | |||
| + | Host leaks.rra.lan | ||
| + | IdentityFile ~/.ssh/rt_rsa | ||
| + | User xe50582 | ||
| + | |||
| + | Host news.menupayapp.com | ||
| + | IdentityFile ~/.ssh/rra_id.pem | ||
| + | User ubuntu | ||
| + | |||
| + | Host 20.1.40.109 | ||
| + | IdentityFile ~/.ssh/rt_rsa | ||
| + | User rra | ||
| + | |||
| + | Host 20.1.40.* | ||
| + | IdentityFile ~/.ssh/rt_rsa | ||
| + | User xe50582 | ||
| + | |||
| + | |||
| + | Host pdgrt.rra.lan | ||
| + | User rra | ||
| + | |||
| + | |||
| + | host geoip.dyndns.org | ||
| + | IdentityFile ~/.ssh/rra_springfield.pem | ||
| + | User ubuntu | ||
| + | |||
| + | host rrafara.dyndns.org | ||
| + | IdentityFile ~/.ssh/DNC.pem | ||
| + | User ubuntu | ||
| + | |||
| + | host deathnote.rra.lan | ||
| + | User rra | ||
| + | |||
| + | host savvius.rra.lan | ||
| + | User root | ||
| + | |||
| + | |||
| + | Host *.rra.lan | ||
| + | # IdentityFile ~/.ssh/rt_rsa | ||
| + | User xe50582 | ||
| + | |||
| + | |||
| + | Host 10.255.0.32 | ||
| + | IdentityFile ~/.ssh/rra_fake.pem | ||
| + | user rra | ||
| + | |||
| + | Host aws-gitlab | ||
| + | IdentityFile ~/.ssh/DNC-FKY.pem | ||
| + | User ubuntu | ||
| + | </nowiki> | ||
| + | ===Trinity=== | ||
| + | <syntaxhighlight lang="bash"> | ||
| + | PreferredAuthentications password | ||
| + | PubkeyAuthentication no | ||
| + | |||
| + | Host *.herrerosolis.com | ||
| + | IdentityFile ~/.ssh/whispers.pem | ||
| + | User ubuntu | ||
| + | |||
| + | Host herrerosolis.com | ||
| + | IdentityFile ~/.ssh/whispers.pem | ||
| + | User ubuntu | ||
| + | |||
| + | Host git.herrerosolis.com | ||
| + | IdentityFile ~/.ssh/whispers.pem | ||
| + | User ubuntu | ||
| + | |||
| + | Host geoip.dyndns.org | ||
| + | IdentityFile /media/rafa/secrets/.ssh/rra_springfield | ||
| + | User ubuntu | ||
| + | |||
| + | Host morpheus.lan | ||
| + | IdentityFile ~/.ssh/Trinity.pub | ||
| + | User rafa | ||
| + | Port 10535 | ||
| + | |||
| + | Host flirt | ||
| + | IdentityFile ~/.ssh/Trinity.pub | ||
| + | User rafa | ||
| + | Port 10536 | ||
| + | |||
| + | Host pivpn* | ||
| + | IdentityFile ~/.ssh/Trinity.pub | ||
| + | User pi | ||
| + | |||
| + | Host kodi.lan | ||
| + | User root | ||
| + | PreferredAuthentications password | ||
| + | PubkeyAuthentication no | ||
| + | |||
| + | Host libreelec.lan | ||
| + | User root | ||
| + | PreferredAuthentications password | ||
| + | PubkeyAuthentication no | ||
| + | |||
| + | #Host bitbucket.org | ||
| + | # IdentityFile ~/.ssh/cpc_bitbucket | ||
| + | |||
| + | Host peibol.duckdns.org | ||
| + | User ubuntu | ||
| + | IdentityFile ~/.ssh/Trinity | ||
| + | |||
| + | Host lightning01 | ||
| + | User pi | ||
| + | IdentityFile ~/.ssh/Trinity | ||
| + | |||
| + | Host scripting-ssii.rra.lan | ||
| + | User rra | ||
| + | |||
| + | Host *.rra.lan | ||
| + | User xe50582 | ||
| + | |||
| + | Host felixnomada.duckdns.org | ||
| + | User ubuntu | ||
| + | IdentityFile ~/.ssh/felixInteractions.pem | ||
| + | |||
| + | Host bitbucket.org | ||
| + | IdentityFile ~/.ssh/bitbucket | ||
| + | </syntaxhighlight> | ||
| + | |||
| + | ==Kill Session== | ||
| + | <syntaxhighlight lang="bash"> | ||
| + | pkill -9 -t pts/2 | ||
| + | </syntaxhighlight> | ||
Latest revision as of 07:59, 11 September 2024
SSH stands for Secure Shell. Establishes a secure communication between 2 computers.
Create a key pair
To create a key pair for the ssh:
ssh-keygen -t rsa -C "your_email@example.com"
To convert the key pair to PEM format:
ssh-keygen -e -f id_rsa.pub > yourfilename.pub
-i is the inverse of the -e switch
Change SSH key Password
ssh-keygen -f id_rsa -p
Add the key to the ssh-agent
eval "$(ssh-agent -s)" ssh-add ~/.ssh/id_rsa
View key information
ssh-keygen -l -f id_rsa.pub
Returns something like: 2048 3f:4b:dd:ce:2b:cd:dc:99:13:ff:38:4a:24:95:d4:e9 rafahsolis@gmail.com (RSA)
Copy key to server
ssh-copy-id -i path/to/key_name.pub user_name@host_name
If .pub is already uploaded to the server:
cat filename.pub >> $HOME/.ssh/authorized_keys
If home directory is encrypted
$ /sbin/umount.ecryptfs_private $ cd $HOME $ chmod 700 . $ mkdir -m 700 .ssh $ chmod 500 . $ echo $YOUR_REAL_PUBLIC_KEY > .ssh/authorized_keys $ /sbin/mount.ecryptfs_private
or change in /etc/ssh/sshd_config the line:
AuthorizedKeysFile /etc/ssh/%u/authorized_keys
SSH with jump machine
ssh -J xe50582@vegeta.rra.lan -ND 1080 15.17.170.46
Jump via .ssh/config
Host raspisalto
Hostname 15.17.170.46
User pi
PreferredAuthentications password
PubkeyAuthentication no
ProxyCommand ssh vegeta.rra.lan -W 15.17.170.46:22
ssh -D 1080 -N -f -C -q raspisalto
ssh tunneling
This is used for example to connect to a database on a server that has the database port closed but ssh port open.
ssh -N -L localport:remotehost:remoteport remoteuser@remotehost
ssh ip_maq_intermedia -L puerto_local_kali:ip_destino_real:puerto_remoto
ssh www.intermediate.com -NL 5432:fesfe-dbpg.c9hdfwhhklwy.eu-central-1.rds.amazonaws.com:5432
Example:
ssh -i .ssh/MySshKey.pem -N -L 8888:localhost:3306 ubuntu@myserver.com
This will tunnel local port 8888 to the remote port 3306 (MySQL port) So you would be able to connect to
the database on myserver.com using your local port 8888.
(*) -N tells ssh that you won't execute any commands on the ssh shell.
Check/close open tunnels
netstat -n --protocol inet | grep ':22'
sudo lsof -i -n | egrep '\<ssh\>'
sudo lsof -i -n | egrep '\<sshd\>'
To close open tunnels
kill using the pattern:
kill pkill -f my_ssh_key.pem
To see what it will kill
ps aux | grep my_ssh_key.pem
Examples
- Access to a remote MySQL binded to 127.0.0.1 (it woudn't be accesible from outside)
Runing this command on your box:
ssh -N -L 3666:localhost:3306 user@some.remotehost.com
Makes the MySQL Server accesible at your local machine at port 3666
Configuration
Edit the following files to configure ssh
(Message of the Day)
- /etc/motd (old)
- /etc/update-motd.d/* (new)
echo -e "\e[31m\\u2588\u2588\u2588\u2588\u2588\u2588\u2588\e[33m\\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\e[31m\\u2588\u2588\u2588\u2588\u2588\u2588\u2588\e[37m" > /etc/update-motd.d/flag echo "cat /etc/update-motd.d/flag" >> /etc/update-motd.d/00-header
Other settings:
- /etc/ssh/sshd_config
Recomended: Disable password login:
ChallengeResponseAuthentication no PasswordAuthentication no UsePAM no
sudo service ssh restart
Videos
SSH Tutorial Basic server administration with SSH (mp4)
SSH SCP and key pairs tutorial Secure authentication and encrypted comunication (mp4)
Config files
sudo nano /etc/ssh/sshd_config (ssh daemon config)
$HOME/.ssh/config
Host morpheus
IdentityFile ~/.ssh/Trinity.pub
User rafa
port 10535
=== $WORK/.ssh/config ===
Host flirt
IdentityFile ~/.ssh/Trinity.pub
User rafa
port 10536
(connections config)
Host fpsim-frontend
IdentityFile ~/.ssh/DNC-FKY.pem
Host *
ServerAliveInterval 30
ServerAliveCountMax 2
Host mi6.rra.lan
IdentityFile ~/.ssh/rra_fake.pem
User rra
Host leaks.rra.lan
IdentityFile ~/.ssh/rt_rsa
User xe50582
Host news.menupayapp.com
IdentityFile ~/.ssh/rra_id.pem
User ubuntu
Host 20.1.40.109
IdentityFile ~/.ssh/rt_rsa
User rra
Host gitrra.dyndns.org
IdentityFile ~/.ssh/DNC-FKY.pem
User ubuntu
Host mapper1
IdentityFile ~/.ssh/id_rsa
HostName WF00MPA1.igrupobbva
User pi
Host mapper2
IdentityFile ~/.ssh/id_rsa
HostName WF00MPA2.igrupobbva
User pi
# LEAVE THIS ONES AT THE BOTTOM (WILDCHARS) First match will be used
Host 20.1.40.*
IdentityFile ~/.ssh/rt_rsa
User xe50582
Host *.rra.lan
IdentityFile ~/.ssh/rt_rsa
User xe50582
Host 10.255.0.*
IdentityFile ~/.ssh/rt_rsa
User xe50582
LDAP ldapkeyfile
#!/usr/bin/env bash
ldapsearch -h rtLDAP01.igrupobbva -b dc=rtLDAP01,dc=igrupobbva -x '(&(objectClass=posixAccount)(uid='"$1"'))' 'sshPublicKey' | sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp'
#sudo ldapsearch -x '(objectClass=*)' -h 192.168.56.103
#-b ou=users,dc=rtLDAP01,dc=igrupobbva
sshd_config LDAP ldapsearch
AuthorizedKeysCommand /bin/ldapkeyfile AuthorizedKeysCommandUser nobody
Welcome message
Two files must be edited:
/etc/motd (message of the day)
/etc/ssh/sshd_config: Change the setting PrintLastLog to "no", this will disable the "Last login" message.
Add Key Oneliner
ssh-keyscan -t rsa gitlab.roqs.basf.net | tee gitlab.roqs.basf.net-key-temp | ssh-keygen -lf -
Convert rsa to ppk
puttygen keyname -o keyname.ppk
Avoid broken pipe
2 options:
ClientAliveInterval, SeverAliveInterval
Client side
Use ClientAliveInterval if you have a jump machine
create file: /home/user/.ssh/config with the following content: (client side) chmod 600
Host *
ServerAliveInterval 60
ServerAliveCountMax 2
For each user, or ading to /etc/ssh/ssh_config
ServerAliveInterval 60 ClientAliveCountMax 2
Server side
echo "ClientAliveInterval 60" | sudo tee -a /etc/ssh/sshd_config
2:
echo 60 > /proc/sys/net/ipv4/tcp_keepalive_time
Shell script to reconnect on broken pipe:
#!/bin/sh
#This is an SSH-D proxy with auto-reconnect on disconnect
#Created by Liang Sun on 28, Sep, 2011
#Email: i@liangsun.org
i=0
while test 1==1
do
remote_ip=YOUR_REMOTE_IP
remote_user=YOUR_REMOTE_USER
local_port=YOUR_LOCAL_PORT
exist=`ps aux | grep $remote_user@$remote_ip | grep $local_port`
#echo $exist
if test -n "$exist"
then
if test $i -eq 0
then
echo "I'm alive since $(date)"
fi
i=1
else
i=0
echo "I died... God is bringing me back..."
ssh $remote_user@$remote_ip -f -N -D 0.0.0.0:$local_port
fi
sleep 1
done
known_hosts
Remove offending key
If when trying to connect to a host you get the message:
Offending ECDSA key in /home/user/.ssh/known_hosts:#:
and you trust the host (this can happen when you change CNAME file of your DNS to point to a different server
ssh-keygen -f "/home/user/.ssh/known_hosts" -R server_dns_or_ip
Enable ssh at boot
# update-rc.d -f ssh enable 2 3 4 5 systemctl enable ssh
Force password authentication
ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no example.com
Open ssh SOCKS5 Proxy Server (Dynamic port redirection)
ssh -ND 1111 ubuntu@ec2-52-57-220-220.eu-central-1.compute.amazonaws.com -i ~/.ssh/DNC-FKY.pem ssh -D 10.28.0.81:1111 rafa@10.28.0.81
SSH Config
Path ~/.ssh/config
Kill User sessions
ps aux | grep xe84049 | grep sshd | awk '{print $2}' | xargs -n 1 sudo kill -9
Work
Host fpsim-frontend
IdentityFile ~/.ssh/DNC-FKY.pem
User ubuntu
Host *
ServerAliveInterval 30
ServerAliveCountMax 2
Host 10.255.0.*
IdentityFile ~/.ssh/rt_rsa
User xe50582
Host leaks.rra.lan
IdentityFile ~/.ssh/rt_rsa
User xe50582
Host news.menupayapp.com
IdentityFile ~/.ssh/rra_id.pem
User ubuntu
Host 20.1.40.109
IdentityFile ~/.ssh/rt_rsa
User rra
Host 20.1.40.*
IdentityFile ~/.ssh/rt_rsa
User xe50582
Host pdgrt.rra.lan
User rra
host geoip.dyndns.org
IdentityFile ~/.ssh/rra_springfield.pem
User ubuntu
host rrafara.dyndns.org
IdentityFile ~/.ssh/DNC.pem
User ubuntu
host deathnote.rra.lan
User rra
host savvius.rra.lan
User root
Host *.rra.lan
# IdentityFile ~/.ssh/rt_rsa
User xe50582
Host 10.255.0.32
IdentityFile ~/.ssh/rra_fake.pem
user rra
Host aws-gitlab
IdentityFile ~/.ssh/DNC-FKY.pem
User ubuntu
Trinity
PreferredAuthentications password
PubkeyAuthentication no
Host *.herrerosolis.com
IdentityFile ~/.ssh/whispers.pem
User ubuntu
Host herrerosolis.com
IdentityFile ~/.ssh/whispers.pem
User ubuntu
Host git.herrerosolis.com
IdentityFile ~/.ssh/whispers.pem
User ubuntu
Host geoip.dyndns.org
IdentityFile /media/rafa/secrets/.ssh/rra_springfield
User ubuntu
Host morpheus.lan
IdentityFile ~/.ssh/Trinity.pub
User rafa
Port 10535
Host flirt
IdentityFile ~/.ssh/Trinity.pub
User rafa
Port 10536
Host pivpn*
IdentityFile ~/.ssh/Trinity.pub
User pi
Host kodi.lan
User root
PreferredAuthentications password
PubkeyAuthentication no
Host libreelec.lan
User root
PreferredAuthentications password
PubkeyAuthentication no
#Host bitbucket.org
# IdentityFile ~/.ssh/cpc_bitbucket
Host peibol.duckdns.org
User ubuntu
IdentityFile ~/.ssh/Trinity
Host lightning01
User pi
IdentityFile ~/.ssh/Trinity
Host scripting-ssii.rra.lan
User rra
Host *.rra.lan
User xe50582
Host felixnomada.duckdns.org
User ubuntu
IdentityFile ~/.ssh/felixInteractions.pem
Host bitbucket.org
IdentityFile ~/.ssh/bitbucket
Kill Session
pkill -9 -t pts/2