Difference between revisions of "Linux: SSH"
Rafahsolis (talk | contribs) |
Rafahsolis (talk | contribs) |
||
| Line 38: | Line 38: | ||
Other settings: | Other settings: | ||
*/etc/ssh/sshd_config | */etc/ssh/sshd_config | ||
| − | Recomended: Disable password login | + | Recomended: Disable password login: |
| + | ChallengeResponseAuthentication no | ||
| + | PasswordAuthentication no | ||
| + | UsePAM no | ||
| + | |||
| + | sudo service ssh restart | ||
== Videos == | == Videos == | ||
Revision as of 16:35, 17 October 2015
SSH stands for Secure Shell. Establishes a secure communication between 2 computers.
Create a key pair
To create a key pair for the ssh:
ssh-keygen -t rsa -C "your_email@example.com"
To convert the key pair to PEM format:
ssh-keygen -e -f id_rsa.pub > yourfilename.pub
-i is the inverse of the -e switch
Add the key to the ssh-agent
eval "$(ssh-agent -s)" ssh-add ~/.ssh/id_rsa
View key information
ssh-keygen -l -f id_rsa.pub
Returns something like: 2048 3f:4b:dd:ce:2b:cd:dc:99:13:ff:38:4a:24:95:d4:e9 rafahsolis@gmail.com (RSA)
ssh tunneling
This is used for example to connect to a database on a server that has the database port closed but ssh port open.
- ssh -N -L localport:remotehost:remoteport remoteuser@remotehost
Example:
ssh -i .ssh/MySshKey.pem -N -L 8888:localhost:3306 ubuntu@myserver.com
This will tunnel local port 8888 to the remote port 3306 (MySQL port) So you would be able to connect to
the database on myserver.com using your local port 8888.
(*) -N tells ssh that you won't execute any commands on the ssh shell.
Check/close open tunnels
netstat -n --protocol inet | grep ':22' sudo lsof -i -n | egrep '\<ssh\>' sudo lsof -i -n | egrep '\<sshd\>'
To close open tunnels
kill using the pattern:
kill pkill -f my_ssh_key.pem
To see what it will kill
ps aux | grep my_ssh_key.pem
Configuration
Edit the following files to configure ssh
(Message of the Day)
- /etc/motd
Other settings:
- /etc/ssh/sshd_config
Recomended: Disable password login:
ChallengeResponseAuthentication no PasswordAuthentication no UsePAM no
sudo service ssh restart
Videos
SSH Tutorial Basic server administration with SSH (mp4)
SSH SCP and key pairs tutorial Secure authentication and encrypted comunication (mp4)
Config file
sudo nano /etc/ssh/sshd_config
Welcome message
Two files must be edited:
/etc/motd (message of the day)
/etc/ssh/sshd_config: Change the setting PrintLastLog to "no", this will disable the "Last login" message.
Convert rsa to ppk
puttygen keyname -o keyname.ppk
Avoid broken pipe
2 options:
1:
create file: /home/user/.ssh/ssh_config with the following content: (client side)
HashKnownHosts yes GSSAPIAuthentication yes GSSAPIDelegateCredentials no ServerAliveInterval 120
(server side) This one worked!!
echo "ClientAliveInterval 60" | sudo tee -a /etc/ssh/sshd_config
2:
echo 60 > /proc/sys/net/ipv4/tcp_keepalive_time
Shell script to reconnect on broken pipe:
#!/bin/sh
#This is an SSH-D proxy with auto-reconnect on disconnect
#Created by Liang Sun on 28, Sep, 2011
#Email: i@liangsun.org
i=0
while test 1==1
do
remote_ip=YOUR_REMOTE_IP
remote_user=YOUR_REMOTE_USER
local_port=YOUR_LOCAL_PORT
exist=`ps aux | grep $remote_user@$remote_ip | grep $local_port`
#echo $exist
if test -n "$exist"
then
if test $i -eq 0
then
echo "I'm alive since $(date)"
fi
i=1
else
i=0
echo "I died... God is bringing me back..."
ssh $remote_user@$remote_ip -f -N -D 0.0.0.0:$local_port
fi
sleep 1
done