Difference between revisions of "Linux: SSH"

SSH stands for Secure Shell. Establishes a secure communication between 2 computers.

Create a key pair

To create a key pair for the ssh:

ssh-keygen -t rsa -C "your_email@example.com"

To convert the key pair to PEM format:

ssh-keygen -e -f id_rsa.pub > yourfilename.pub

-i is the inverse of the -e switch

Add the key to the ssh-agent

eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_rsa

View key information

ssh-keygen -l -f id_rsa.pub

Returns something like: 2048 3f:4b:dd:ce:2b:cd:dc:99:13:ff:38:4a:24:95:d4:e9 rafahsolis@gmail.com (RSA)

Copy key to server

ssh-copy-id -i path/to/key_name.pub user_name@host_name

If .pub is already uploaded to the server:

cat filename.pub >> $HOME/.ssh/authorized_keys

If home directory is encrypted

$ /sbin/umount.ecryptfs_private
$ cd $HOME
$ chmod 700 .
$ mkdir -m 700 .ssh
$ chmod 500 .
$ echo $YOUR_REAL_PUBLIC_KEY > .ssh/authorized_keys
$ /sbin/mount.ecryptfs_private

or change in /etc/ssh/sshd_config the line:

AuthorizedKeysFile /etc/ssh/%u/authorized_keys

ssh tunneling

This is used for example to connect to a database on a server that has the database port closed but ssh port open.

ssh -N -L localport:remotehost:remoteport remoteuser@remotehost
ssh ip_maq_intermedia -L puerto_local_kali:ip_destino_real:puerto_remoto

Example:

ssh -i .ssh/MySshKey.pem -N -L 8888:localhost:3306 ubuntu@myserver.com

This will tunnel local port 8888 to the remote port 3306 (MySQL port) So you would be able to connect to
the database on myserver.com using your local port 8888.
(*) -N tells ssh that you won't execute any commands on the ssh shell.

Check/close open tunnels

netstat -n --protocol inet | grep ':22'
sudo lsof -i -n | egrep '\<ssh\>'
sudo lsof -i -n | egrep '\<sshd\>'

To close open tunnels
kill using the pattern:

kill pkill -f my_ssh_key.pem  

To see what it will kill

ps aux | grep my_ssh_key.pem

Configuration

Edit the following files to configure ssh
(Message of the Day)

• /etc/motd

Other settings:

• /etc/ssh/sshd_config

Recomended: Disable password login:

ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no 

sudo service ssh restart

Videos

SSH Tutorial Basic server administration with SSH (mp4)
SSH SCP and key pairs tutorial Secure authentication and encrypted comunication (mp4)

Config file

sudo nano /etc/ssh/sshd_config

Welcome message

Two files must be edited:
/etc/motd (message of the day)
/etc/ssh/sshd_config: Change the setting PrintLastLog to "no", this will disable the "Last login" message.

Convert rsa to ppk

puttygen keyname -o keyname.ppk

Avoid broken pipe

2 options:
1:
create file: /home/user/.ssh/ssh_config with the following content: (client side)

HashKnownHosts yes
GSSAPIAuthentication yes
GSSAPIDelegateCredentials no
ServerAliveInterval 120

(server side) This one worked!!

echo "ClientAliveInterval 60" | sudo tee -a /etc/ssh/sshd_config

2:

echo 60 > /proc/sys/net/ipv4/tcp_keepalive_time

Shell script to reconnect on broken pipe:

#!/bin/sh

#This is an SSH-D proxy with auto-reconnect on disconnect

#Created by Liang Sun on 28, Sep, 2011
#Email: i@liangsun.org

i=0
while test 1==1
do
    remote_ip=YOUR_REMOTE_IP
    remote_user=YOUR_REMOTE_USER
    local_port=YOUR_LOCAL_PORT

    exist=`ps aux | grep $remote_user@$remote_ip | grep $local_port`
    #echo $exist
    if test -n "$exist"
    then
        if test $i -eq 0
        then
            echo "I'm alive since $(date)"
        fi
        i=1
    else
        i=0
        echo "I died... God is bringing me back..."
        ssh $remote_user@$remote_ip -f -N -D 0.0.0.0:$local_port
    fi
    sleep 1
done

known_hosts

Remove offending key

If when trying to connect to a host you get the message:

Offending ECDSA key in /home/user/.ssh/known_hosts:#:

and you trust the host (this can happen when you change CNAME file of your DNS to point to a different server

ssh-keygen -f "/home/user/.ssh/known_hosts" -R server_dns_or_ip