Secure Shell (SSH)

Managing Keys

You can have as many public keys as you like. When using ssh, you can specify which one to use if it is a non-standard name (id_rsa, id_dsa) using ssh -i <path to key>

You can see which keys are authorized to login by looking at ~/.ssh/authorized_keys Each key is listed, one per line.

Key Generation

Open a terminal and run this command to create a new key. You can pick from two encryption methods: RSA or DSA.

ssh-keygen -t dsa

Follow the prompts. If you want to use a key with no passphrase (for example, for use with cron jobs) then leave the passphrase empty.

Once finished your private and public key will be in ~/.ssh/

Your private key will be named id_dsa or id_rsa. Be sure to keep this file secret, and back it up somewhere secure. The id_dsa.pub or id_rsa.pub is your public key. These can be freely given to anyone and copied anywhere to a box where you'd like to grant yourself SSH access.

Uploading a Public Key

If you have password-based authentication available on a server, there is a simple way to copy your public key over to allow key-based authentication.

ssh-copy-id -i ~/.ssh/id_dsa.pub user@server

This will automatically create the ~/.ssh directory on the new server, copy your public key to the authorized_keys file and set the correct permissions on the directory and the file.

Otherwise, make sure the permissions are set correctly. .ssh should be set to 0700, and authorized_keys set to 0600. Without these permissions, public key authentication will not work.

Configuration

You can modify your configuration file for SSH to simplify connections.

Say, for example, you wanted to connect to a server on a non-standard port, without a DNS name. A terminal command might look like this:

ssh dumont@192.168.15.79 -p 9822

You can put all these custom settings in ~/.ssh/config instead:

Host seekrit-server
User dumont
HostName 192.168.15.79
Port 9822

Then your command would be this:

ssh seekrit-server

This would also work with any SFTP clients as well.

Notes

Setup rate-limiting in the firewall so users can only attempt a connection every certain number of times per minute. Here's an example from Ubuntu's wiki.

iptables -N rate-limit
iptables -A rate-limit -p tcp -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 3 -j RETURN
iptables -A rate-limit -j DROP
iptables -I INPUT 1 -p tcp --dport 22 -j rate-limit

Gotchas

Running ssh in a while loop exits early

ssh may be reading things from stdin, so pipe /dev/null to it directly:

ssh < /dev/null