====== Secure Shell (SSH) ======

  * [[dropbear]]
  * [[OpenSSH]]
  * [[ssh-keygen]]

=== Managing Keys ===

You can have as many key pairs as you like. When running ''ssh'', you can pick a key whose file has a name other than the defaults (''id_rsa'', ''id_dsa'') with ''ssh -i'' followed by the path to the private key.

You can see which keys are allowed to log in to an account by looking at ''~/.ssh/authorized_keys''. Each key is listed, one per line.

=== Key Generation ===

Open a terminal and run this command to create a new key pair. You can pick from two key types: RSA or DSA.

<code bash>
ssh-keygen -t dsa
</code>

Follow the prompts. If you want a key with no passphrase (for example, for use with cron jobs), leave the passphrase empty.

Once finished, your private and public keys will be in ''~/.ssh/''. Your private key will be named ''id_dsa'' or ''id_rsa''. Keep this file secret, and back it up somewhere secure.

''id_dsa.pub'' or ''id_rsa.pub'' is your public key. It can be given to anyone and copied to any box where you want to grant yourself SSH access.

=== Uploading a Public Key ===

If password authentication is available on a server, there is a simple way to copy your public key over so that key-based authentication can be used:

<code bash>
ssh-copy-id -i ~/.ssh/id_dsa.pub user@server
</code>

This automatically creates the ''~/.ssh'' directory on the server, appends your public key to the ''authorized_keys'' file, and sets the correct permissions on the directory and the file.

If you copy the key by hand instead, make sure the permissions are set correctly: ''.ssh'' must be 0700 and ''authorized_keys'' 0600. Without these permissions, public key authentication will not work.

==== Configuration ====

You can edit your SSH client configuration file to simplify connections. Say, for example, you wanted to connect to a server on a non-standard port, without a DNS name.
A terminal command might look like this:

<code bash>
ssh dumont@192.168.15.79 -p 9822
</code>

You can put all of these custom settings in ''~/.ssh/config'' instead:

<code>
Host seekrit-server
    User dumont
    HostName 192.168.15.79
    Port 9822
</code>

Then your command would be:

<code bash>
ssh seekrit-server
</code>

This also works with SFTP clients.

==== JumpBox ====

You can jump through another box to SSH into a second one (and a third, fourth, etc.):

<code bash>
ssh -J jumpbox.beandog.org dest.beandog.org
</code>

==== Notes ====

Set up rate limiting in the firewall so that a client can only open a limited number of new connections per minute. Here is an example from Ubuntu's wiki:

  * [[https://help.ubuntu.com/community/SSH/OpenSSH/Advanced?action=show&redirect=AdvancedOpenSSH]]

<code bash>
iptables -N rate-limit
iptables -A rate-limit -p tcp -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 3 -j RETURN
iptables -A rate-limit -j DROP
iptables -I INPUT 1 -p tcp --dport 22 -j rate-limit
</code>

==== Gotchas ====

**Running ''ssh'' in a while loop exits early**

''ssh'' reads from stdin, so inside a ''while read'' loop it swallows the rest of the loop's input and the loop ends after the first iteration. Redirect its stdin from ''/dev/null'':

<code bash>
ssh < /dev/null
</code>
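Two of the points above are easy to get wrong silently: the ''0700''/''0600'' permission rule from "Uploading a Public Key" and the "ssh in a while loop" gotcha. The shell script below is an added example, not from this wiki or from the OpenSSH project. ''check_ssh_perms'' audits an ''.ssh'' directory against the permission rule and lists the keys in ''authorized_keys''; ''loop_iterations'' reproduces the loop problem without touching the network by using ''cat'' as a stand-in for ''ssh'' (both read stdin). It assumes GNU ''stat'' (the ''-c'' option) as found on Linux; the authorized_keys contents and host names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the wiki page. Assumes GNU stat (-c '%a').

# Check that DIR is mode 0700 and DIR/authorized_keys is mode 0600, the rule
# from the "Uploading a Public Key" section. Prints "key: <type> <comment>"
# for each authorized key (option prefixes such as command="..." are skipped).
# Returns 0 when the permissions are right, 1 otherwise.
check_ssh_perms() {
    dir=$1
    keys="$dir/authorized_keys"
    rc=0
    [ "$(stat -c '%a' "$dir")" = "700" ] || { echo "BAD: $dir is not 0700"; rc=1; }
    if [ -f "$keys" ]; then
        [ "$(stat -c '%a' "$keys")" = "600" ] || { echo "BAD: $keys is not 0600"; rc=1; }
        # Lines are: [options] keytype base64 [comment]. Find the field that
        # looks like a key type so that leading options do not confuse us.
        awk '!/^[[:space:]]*(#|$)/ {
                 for (i = 1; i <= NF; i++)
                     if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print "key:", $i, $(i+2); break }
             }' "$keys"
    fi
    return $rc
}

# Constructed list of hosts a loop might iterate over.
hosts_list() { printf 'host-a\nhost-b\nhost-c\n'; }

# Run a "while read host; do ssh ..." style loop and return how many
# iterations actually executed. 'cat >/dev/null' stands in for ssh: like ssh,
# it reads its stdin, which is the same stream the loop is reading from.
# MODE is "none" (plain call) or "devnull" (stdin redirected from /dev/null).
loop_iterations() {
    mode=$1
    n=0
    while read -r host; do
        n=$((n + 1))
        if [ "$mode" = devnull ]; then
            cat >/dev/null </dev/null    # what 'ssh host cmd </dev/null' does
        else
            cat >/dev/null               # what plain 'ssh host cmd' does
        fi
    done <<EOF
$(hosts_list)
EOF
    echo "$n"
}

# Stand-alone demo when run directly.
echo "plain loop ran $(loop_iterations none) of 3 iterations"
echo "with </dev/null it ran $(loop_iterations devnull) of 3 iterations"
```

Without the redirect the stand-in consumes ''host-b'' and ''host-c'' on the first iteration, so the loop runs once; with ''</dev/null'' it runs all three times. OpenSSH also offers ''ssh -n'', which redirects stdin from ''/dev/null'' for you and is equivalent for this purpose.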