Difference between revisions of "Linux: SSH"

To create a key pair for the ssh:

ssh-keygen -t rsa -C "your_email@example.com"

To convert the key pair to PEM format:

ssh-keygen -e -f id_rsa.pub > yourfilename.pub

-i is the inverse of the -e switch

Change SSH key Password

ssh-keygen -f id_rsa -p

eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_rsa

ssh-keygen -l -f id_rsa.pub

Returns something like: 2048 3f:4b:dd:ce:2b:cd:dc:99:13:ff:38:4a:24:95:d4:e9 rafahsolis@gmail.com (RSA)

ssh-copy-id -i path/to/key_name.pub user_name@host_name

If .pub is already uploaded to the server:

cat filename.pub >> $HOME/.ssh/authorized_keys

$ /sbin/umount.ecryptfs_private
$ cd $HOME
$ chmod 700 .
$ mkdir -m 700 .ssh
$ chmod 500 .
$ echo $YOUR_REAL_PUBLIC_KEY > .ssh/authorized_keys
$ /sbin/mount.ecryptfs_private

or change in /etc/ssh/sshd_config the line:

AuthorizedKeysFile /etc/ssh/%u/authorized_keys

ssh -J xe50582@vegeta.rra.lan -ND 1080 15.17.170.46

Jump via .ssh/config

Host raspisalto
    Hostname 15.17.170.46
    User pi
    PreferredAuthentications password
    PubkeyAuthentication no
    ProxyCommand ssh vegeta.rra.lan -W 15.17.170.46:22

ssh -D 1080 -N -f -C -q raspisalto

This is used for example to connect to a database on a server that has the database port closed but ssh port open.

ssh -N -L localport:remotehost:remoteport remoteuser@remotehost
ssh ip_maq_intermedia -L puerto_local_kali:ip_destino_real:puerto_remoto
ssh www.intermediate.com -NL 5432:fesfe-dbpg.c9hdfwhhklwy.eu-central-1.rds.amazonaws.com:5432

Example:

ssh -i .ssh/MySshKey.pem -N -L 8888:localhost:3306 ubuntu@myserver.com

This will tunnel local port 8888 to the remote port 3306 (MySQL port) So you would be able to connect to
the database on myserver.com using your local port 8888.
(*) -N tells ssh that you won't execute any commands on the ssh shell.

Check/close open tunnels

         netstat -n --protocol inet | grep ':22'
         sudo lsof -i -n | egrep '\<ssh\>'
         sudo lsof -i -n | egrep '\<sshd\>'

To close open tunnels
kill using the pattern:

kill pkill -f my_ssh_key.pem  

To see what it will kill

ps aux | grep my_ssh_key.pem

Examples

• Access to a remote MySQL binded to 127.0.0.1 (it woudn't be accesible from outside)

Runing this command on your box:

ssh -N -L 3666:localhost:3306 user@some.remotehost.com

Makes the MySQL Server accesible at your local machine at port 3666

Edit the following files to configure ssh
(Message of the Day)

• /etc/motd (old)
• /etc/update-motd.d/* (new)

echo -e "\e[31m\\u2588\u2588\u2588\u2588\u2588\u2588\u2588\e[33m\\n\u2588\u2588\u2588\u2588\u2588\u2588\u2588\n\e[31m\\u2588\u2588\u2588\u2588\u2588\u2588\u2588\e[37m" > /etc/update-motd.d/flag
echo "cat /etc/update-motd.d/flag" >> /etc/update-motd.d/00-header

Other settings:

• /etc/ssh/sshd_config

Recomended: Disable password login:

ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no 

sudo service ssh restart

SSH Tutorial Basic server administration with SSH (mp4)
SSH SCP and key pairs tutorial Secure authentication and encrypted comunication (mp4)

sudo nano /etc/ssh/sshd_config (ssh daemon config)

$HOME/.ssh/config

Host morpheus
             IdentityFile ~/.ssh/Trinity.pub
             User rafa
             port 10535
         
         === $WORK/.ssh/config ===
         Host flirt
             IdentityFile ~/.ssh/Trinity.pub
             User rafa
             port 10536

(connections config)

Host fpsim-frontend
             IdentityFile ~/.ssh/DNC-FKY.pem
         
         Host *
             ServerAliveInterval 30
             ServerAliveCountMax 2
         
         Host mi6.rra.lan
             IdentityFile ~/.ssh/rra_fake.pem
             User rra
         
         Host leaks.rra.lan
             IdentityFile ~/.ssh/rt_rsa
             User xe50582
         
         Host news.menupayapp.com
             IdentityFile ~/.ssh/rra_id.pem
             User ubuntu
         
         Host 20.1.40.109
             IdentityFile ~/.ssh/rt_rsa
             User rra
         
         Host gitrra.dyndns.org
             IdentityFile ~/.ssh/DNC-FKY.pem
             User ubuntu
         
         Host mapper1
             IdentityFile ~/.ssh/id_rsa
             HostName WF00MPA1.igrupobbva
             User pi
         
         Host mapper2
             IdentityFile ~/.ssh/id_rsa
             HostName WF00MPA2.igrupobbva
             User pi
         
         
         
         # LEAVE THIS ONES AT THE BOTTOM (WILDCHARS) First match will be used 
         Host 20.1.40.*
             IdentityFile ~/.ssh/rt_rsa
             User xe50582
         
         Host *.rra.lan
             IdentityFile ~/.ssh/rt_rsa
             User xe50582
         
         
         Host 10.255.0.*
             IdentityFile ~/.ssh/rt_rsa
             User xe50582

AuthorizedKeysCommand /bin/ldapkeyfile
AuthorizedKeysCommandUser nobody

Two files must be edited:
/etc/motd (message of the day)
/etc/ssh/sshd_config: Change the setting PrintLastLog to "no", this will disable the "Last login" message.

puttygen keyname -o keyname.ppk

2 options:

ClientAliveInterval, SeverAliveInterval

Client side

Use ClientAliveInterval if you have a jump machine
create file: /home/user/.ssh/config with the following content: (client side) chmod 600

          Host *
              ServerAliveInterval 60
              ServerAliveCountMax 2

For each user, or ading to /etc/ssh/ssh_config

ServerAliveInterval 60
ClientAliveCountMax 2

Server side

echo "ClientAliveInterval 60" | sudo tee -a /etc/ssh/sshd_config

2:

         echo 60 > /proc/sys/net/ipv4/tcp_keepalive_time

Shell script to reconnect on broken pipe:

#!/bin/sh

#This is an SSH-D proxy with auto-reconnect on disconnect

#Created by Liang Sun on 28, Sep, 2011
#Email: i@liangsun.org

i=0
while test 1==1
do
    remote_ip=YOUR_REMOTE_IP
    remote_user=YOUR_REMOTE_USER
    local_port=YOUR_LOCAL_PORT

    exist=`ps aux | grep $remote_user@$remote_ip | grep $local_port`
    #echo $exist
    if test -n "$exist"
    then
        if test $i -eq 0
        then
            echo "I'm alive since $(date)"
        fi
        i=1
    else
        i=0
        echo "I died... God is bringing me back..."
        ssh $remote_user@$remote_ip -f -N -D 0.0.0.0:$local_port
    fi
    sleep 1
done

Remove offending key

If when trying to connect to a host you get the message:

Offending ECDSA key in /home/user/.ssh/known_hosts:#:

and you trust the host (this can happen when you change CNAME file of your DNS to point to a different server

ssh-keygen -f "/home/user/.ssh/known_hosts" -R server_dns_or_ip

# update-rc.d -f ssh enable 2 3 4 5
systemctl enable ssh

ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no example.com

ssh -ND 1111 ubuntu@ec2-52-57-220-220.eu-central-1.compute.amazonaws.com -i ~/.ssh/DNC-FKY.pem
ssh -D 10.28.0.81:1111 rafa@10.28.0.81

Path ~/.ssh/config

ps aux | grep xe84049 | grep sshd | awk '{print $2}' | xargs -n 1 sudo kill -9

Work

Host fpsim-frontend
             IdentityFile ~/.ssh/DNC-FKY.pem
             User ubuntu
         Host *
             ServerAliveInterval 30
             ServerAliveCountMax 2
         
         Host 10.255.0.*
             IdentityFile ~/.ssh/rt_rsa
             User xe50582
         
         Host leaks.rra.lan
             IdentityFile ~/.ssh/rt_rsa
             User xe50582
         
         Host news.menupayapp.com
             IdentityFile ~/.ssh/rra_id.pem
             User ubuntu
         
         Host 20.1.40.109
             IdentityFile ~/.ssh/rt_rsa
             User rra
         
         Host 20.1.40.*
             IdentityFile ~/.ssh/rt_rsa
             User xe50582
         
         
         Host pdgrt.rra.lan
             User rra
         
         
         host geoip.dyndns.org
             IdentityFile ~/.ssh/rra_springfield.pem
             User ubuntu
         
         host rrafara.dyndns.org
             IdentityFile ~/.ssh/DNC.pem
             User ubuntu
         
         host deathnote.rra.lan
             User rra
         
         host savvius.rra.lan
             User root
         
         
         Host *.rra.lan
             # IdentityFile ~/.ssh/rt_rsa
             User xe50582
         
         
         Host 10.255.0.32
             IdentityFile ~/.ssh/rra_fake.pem
             user rra
         
         Host aws-gitlab
             IdentityFile ~/.ssh/DNC-FKY.pem
             User ubuntu
         

Trinity

PreferredAuthentications password
PubkeyAuthentication no

Host *.herrerosolis.com
    IdentityFile ~/.ssh/whispers.pem
    User ubuntu

Host herrerosolis.com
    IdentityFile ~/.ssh/whispers.pem
    User ubuntu

Host git.herrerosolis.com
    IdentityFile ~/.ssh/whispers.pem
    User ubuntu

Host geoip.dyndns.org
    IdentityFile /media/rafa/secrets/.ssh/rra_springfield
    User ubuntu

Host morpheus.lan
    IdentityFile ~/.ssh/Trinity.pub
    User rafa
    Port 10535

Host flirt
    IdentityFile ~/.ssh/Trinity.pub
    User rafa
    Port 10536

Host pivpn*
    IdentityFile ~/.ssh/Trinity.pub
    User pi

Host kodi.lan
    User root
    PreferredAuthentications password
    PubkeyAuthentication no

Host libreelec.lan
    User root
    PreferredAuthentications password
    PubkeyAuthentication no

#Host bitbucket.org
#   IdentityFile ~/.ssh/cpc_bitbucket

Host peibol.duckdns.org
    User ubuntu
    IdentityFile ~/.ssh/Trinity

Host lightning01
    User pi
    IdentityFile ~/.ssh/Trinity

Host scripting-ssii.rra.lan
    User rra

Host *.rra.lan
    User xe50582

Host felixnomada.duckdns.org
    User ubuntu
    IdentityFile ~/.ssh/felixInteractions.pem

Host bitbucket.org
    IdentityFile ~/.ssh/bitbucket