Secure Shell (SSH)
Managing Keys
You can have as many key pairs as you like. When using ssh, specify which private key to use with ssh -i <path to key> if it is not one of the default names (id_rsa, id_dsa).
You can see which keys are authorized to log in by looking at ~/.ssh/authorized_keys. Each key is listed, one per line.
Key Generation
Open a terminal and run this command to create a new key pair. You can pick from two key types: RSA or DSA. (Recent OpenSSH releases no longer accept DSA keys by default, so RSA is the safer choice of the two.)
ssh-keygen -t dsa
Follow the prompts. If you want to use a key with no passphrase (for example, for use with cron jobs) then leave the passphrase empty.
Once finished, your private and public key will be in ~/.ssh/. Your private key will be named id_dsa or id_rsa. Be sure to keep this file secret, and back it up somewhere secure. The id_dsa.pub or id_rsa.pub file is your public key. It can be freely given to anyone and copied to any box where you'd like to grant yourself SSH access.
Uploading a Public Key
If you have password-based authentication available on a server, there is a simple way to copy your public key over to allow key-based authentication.
ssh-copy-id -i ~/.ssh/id_dsa.pub user@server
This will automatically create the ~/.ssh directory on the new server, copy your public key to the authorized_keys file and set the correct permissions on the directory and the file.
If you copy the key over by hand instead, make sure the permissions are set correctly. .ssh should be set to 0700, and authorized_keys set to 0600. Without these permissions, public key authentication will not work.
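As an added example (not part of the original wiki page), here is a small POSIX shell audit that ties together the two points above: it checks that .ssh is 0700 and authorized_keys is 0600, lists the key type and comment of each authorized key (one per line, skipping comments and any leading options field), and warns about ssh-dss keys, which current OpenSSH refuses by default. The function names and the sample key lines are constructed for this example.

```shell
#!/bin/sh
# Audit an SSH directory: permission checks plus a summary of authorized_keys.
# Usage: audit_ssh_dir ~/.ssh   (exit status 0 = no problems found)

file_mode() {
    # Octal mode of a file: GNU stat first, BSD stat as a fallback.
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Print "KEYTYPE COMMENT" for every key line in an authorized_keys file.
# Blank lines and '#' comments are skipped. A line may start with an
# options field (e.g. from="...",no-pty), so the key type is the first
# field that looks like one, and the comment is two fields after it.
list_authorized_keys() {
    awk '
        /^[[:space:]]*(#|$)/ { next }
        {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^(ssh-|ecdsa-sha2-|sk-)/) {
                    comment = (i + 2 <= NF) ? $(i + 2) : "(no comment)"
                    print $i, comment
                    break
                }
            }
        }' "$1"
}

# Returns 0 if the directory passes every check, 1 if any warning was printed.
audit_ssh_dir() {
    dir=$1; rc=0
    [ "$(file_mode "$dir")" = 700 ] || { echo "WARN: $dir should be 0700"; rc=1; }
    ak=$dir/authorized_keys
    if [ -f "$ak" ]; then
        [ "$(file_mode "$ak")" = 600 ] || { echo "WARN: $ak should be 0600"; rc=1; }
        list_authorized_keys "$ak" | while read -r type comment; do
            echo "key: $type $comment"
        done
        # ssh-dss keys are disabled by default in current OpenSSH servers.
        if list_authorized_keys "$ak" | grep -q '^ssh-dss '; then
            echo "WARN: $ak contains DSA (ssh-dss) keys"; rc=1
        fi
    fi
    return $rc
}
```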
Configuration
You can modify your configuration file for SSH to simplify connections.
Say, for example, you wanted to connect to a server on a non-standard port, without a DNS name. A terminal command might look like this:
ssh dumont@192.168.15.79 -p 9822
You can put all these custom settings in ~/.ssh/config instead:
Host seekrit-server
    User dumont
    HostName 192.168.15.79
    Port 9822
Then your command would be this:
ssh seekrit-server
The same config entry is picked up by SFTP clients as well.
JumpBox
You can jump through another box to SSH into a second one (and third, fourth, etc.):
ssh -J jumpbox.beandog.org dest.beandog.org
Notes
Set up rate-limiting in the firewall so a single source can only open a limited number of new connections per minute. Here's an example from Ubuntu's wiki.
iptables -N rate-limit
iptables -A rate-limit -p tcp -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 3 -j RETURN
iptables -A rate-limit -j DROP
iptables -I INPUT 1 -p tcp --dport 22 -j rate-limit
Gotchas
Running ssh in a while loop exits early
ssh may be reading from stdin and consuming the rest of the loop's input, so redirect /dev/null to it directly (ssh -n does the same thing):
ssh < /dev/null