ssh [2019/01/04 23:07] (current) – created - external edit 127.0.0.1
====== Secure Shell (SSH) ======

  * [[dropbear]]
  * [[OpenSSH]]
  * [[ssh-keygen]]

=== Managing Keys ===

You can have as many key pairs as you like.  ''ssh'' tries the default private key names in ''~/.ssh'' automatically (''id_rsa'', ''id_ecdsa'', ''id_ed25519'', plus ''id_dsa'' on old releases).  To use a key with a non-standard name, point ''ssh'' at the private key with ''ssh -i <path to private key>'', or set ''IdentityFile'' for that host in ''~/.ssh/config''.

On the server, the keys allowed to log in as a user are listed in that user's ''~/.ssh/authorized_keys'', one public key per line.  Each line is ''<type> <base64 blob> [comment]'', optionally prefixed by options such as ''from="..."'' or ''command="..."'' that restrict where the key may connect from and what it may run.  ''ssh-keygen -lf ~/.ssh/authorized_keys'' prints the fingerprint of every entry, which is the easiest way to match a line to the person or job that owns it.

=== Key Generation ===

Open a terminal and run ''ssh-keygen'' to create a new key pair.  The key type is picked with ''-t'': ''ed25519'' is the one to use today; ''rsa'' (with ''-b 4096'') is still fine where an old server requires it.  DSA (''-t dsa'') is limited to 1024-bit keys and has been disabled by default in OpenSSH since 7.0, so don't generate new DSA keys.

<code>ssh-keygen -t ed25519</code>

Follow the prompts.  If you want a key with no passphrase (for example, for use with cron jobs) then leave the passphrase empty, but treat such a key as a credential sitting in plaintext on disk: restrict it on the server side with ''command="..."'' and ''from="..."'' options in ''authorized_keys'' so it can only do the one job it exists for.  For interactive use, keep a passphrase and let ''ssh-agent'' cache the decrypted key.

Once finished, your private and public key will be in ''~/.ssh/''.

Your private key will be named ''id_ed25519'' or ''id_rsa''.  Be sure to keep this file secret (mode 0600) and back it up somewhere secure.  ''id_ed25519.pub'' or ''id_rsa.pub'' is your public key.  It can be freely given to anyone and copied to any box where you'd like to grant yourself SSH access.

=== Uploading a Public Key ===

If password authentication is still enabled on a server, the simplest way to install your public key for key-based authentication is ''ssh-copy-id'':

<code>ssh-copy-id -i ~/.ssh/id_ed25519.pub user@server</code>

This creates ''~/.ssh'' on the server if needed, appends your public key to ''authorized_keys'' and sets the correct permissions on the directory and the file.  (''-i'' takes the public key; if you give it the private key path, ''.pub'' is appended.)  Once the key works, consider turning password authentication off (''PasswordAuthentication no'' in ''sshd_config'').

If you copy the key by hand, make sure the permissions are right: ''~/.ssh'' should be 0700 and ''authorized_keys'' 0600, and the home directory itself must not be group- or world-writable.  With ''StrictModes yes'' (the default) ''sshd'' ignores ''authorized_keys'' when any of these is wrong, so public key authentication will not work and the only clue is an "Authentication refused: bad ownership or modes" line in the server's auth log.

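The following is an added example (not code from this page or from OpenSSH) that does, in one place, what the two sections above describe by hand: it checks the modes ''sshd'' insists on, parses each ''authorized_keys'' line including its leading options, computes the same SHA256 fingerprint ''ssh-keygen -l'' shows, and flags ''ssh-dss'' keys and keys that carry no ''from=''/''command='' restriction.  ''build_sample()'' writes a constructed ''~/.ssh'' (with deliberately wrong modes and fake key blobs that only have a valid type prefix) into a temporary directory so the script runs offline; ''audit()'' works unchanged on a real directory.

```python
"""Audit a ~/.ssh directory: the permission checks sshd's StrictModes makes and
the fingerprint and restriction status of every authorized_keys entry.
Added example, not code from the page or from OpenSSH; build_sample() writes
a constructed ~/.ssh into a temp directory so this runs offline."""
import base64, hashlib, os, stat, tempfile

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-dss"}

def fingerprint(blob_b64):
    """SHA256 fingerprint as ssh-keygen -l prints it (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def split_options(line):
    """Leading options (from="...",command="...") end at the first whitespace
    outside double quotes."""
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            return line[:i], line[i:].lstrip()
    return line, ""

def parse_authorized_line(line):
    """Dict for one key line, or None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    first, rest = split_options(line)
    options = "" if first in KEY_TYPES else first
    fields = (rest if options else line).split(None, 2)
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        raise ValueError("not an authorized_keys entry: %r" % line)
    ktype, blob = fields[0], fields[1]
    raw = base64.b64decode(blob, validate=True)
    n = int.from_bytes(raw[:4], "big")  # blob starts with its own type string
    if raw[4:4 + n] != ktype.encode():
        raise ValueError("blob type does not match declared type %s" % ktype)
    return {"options": options, "type": ktype, "fingerprint": fingerprint(blob),
            "comment": fields[2] if len(fields) == 3 else ""}

def mode_findings(ssh_dir):
    """The checks sshd performs with StrictModes yes (the default)."""
    findings, home = [], os.path.dirname(ssh_dir)
    ak = os.path.join(ssh_dir, "authorized_keys")
    if stat.S_IMODE(os.stat(home).st_mode) & 0o022:
        findings.append(home + " is group/world writable")
    if stat.S_IMODE(os.stat(ssh_dir).st_mode) & 0o077:
        findings.append(ssh_dir + " should be 0700")
    if os.path.exists(ak) and stat.S_IMODE(os.stat(ak).st_mode) & 0o077:
        findings.append(ak + " should be 0600")
    return findings

def audit(ssh_dir):
    """Return (parsed keys, findings) for one ~/.ssh directory."""
    findings, keys = mode_findings(ssh_dir), []
    ak = os.path.join(ssh_dir, "authorized_keys")
    if not os.path.exists(ak):
        return keys, findings
    with open(ak) as fh:
        for lineno, line in enumerate(fh, 1):
            entry = parse_authorized_line(line)
            if entry is None:
                continue
            keys.append(entry)
            if entry["type"] == "ssh-dss":
                findings.append("line %d: ssh-dss key, refused by default since OpenSSH 7.0" % lineno)
            if not entry["options"]:
                findings.append("line %d: %s has no from=/command= restriction"
                                % (lineno, entry["fingerprint"]))
    return keys, findings

def fix_modes(ssh_dir):
    """The repair ssh-copy-id does for you: 0700 directory, 0600 file."""
    os.chmod(ssh_dir, 0o700)
    ak = os.path.join(ssh_dir, "authorized_keys")
    if os.path.exists(ak):
        os.chmod(ak, 0o600)

def _fake_blob(ktype, body):
    """Constructed blob with a valid type prefix; NOT a real key."""
    t = ktype.encode()
    return base64.b64encode(len(t).to_bytes(4, "big") + t
                            + len(body).to_bytes(4, "big") + body).decode()

def build_sample():
    """Constructed ~/.ssh with the classic mistakes: 0755 directory, 0644 file."""
    ssh_dir = os.path.join(tempfile.mkdtemp(), ".ssh")
    os.mkdir(ssh_dir)
    os.chmod(ssh_dir, 0o755)
    ak = os.path.join(ssh_dir, "authorized_keys")
    with open(ak, "w") as fh:
        fh.write("# backup job: pinned to one source address and one command\n")
        fh.write('from="10.0.0.5",command="/usr/bin/rsync --server -a . /srv/backup" '
                 "ssh-ed25519 %s backup@cron\n" % _fake_blob("ssh-ed25519", bytes(range(32))))
        fh.write("ssh-dss %s old-laptop\n" % _fake_blob("ssh-dss", b"\x01" * 8))
    os.chmod(ak, 0o644)
    return ssh_dir
```

Run ''audit(os.path.expanduser("~/.ssh"))'' on a real account to get the same report; ''fix_modes()'' applies the two chmods ''ssh-copy-id'' would have done.  The "no restriction" finding is informational for an interactive key, but for a passphrase-less cron key it is the thing to fix.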
==== Configuration ====

You can use the SSH client configuration file to simplify connections.

Say, for example, you wanted to connect as ''dumont'' to a server on a non-standard port, without a DNS name.  The terminal command might look like this:

<code>ssh dumont@192.168.15.79 -p 9822</code>

You can put all these settings in ''~/.ssh/config'' instead:

<code>
Host seekrit-server
    User dumont
    HostName 192.168.15.79
    Port 9822
</code>

Then your command would be this:

<code>ssh seekrit-server</code>

Two rules of ''ssh_config'' matter here: ''Host'' is matched against the name you typed, not the ''HostName'' it resolves to, and for each keyword the first value found wins, so specific ''Host'' blocks go above any catch-all ''Host *'' block.  Anything built on the OpenSSH client (''scp'', ''sftp'', ''rsync -e ssh'', git over SSH) reads the same file, so the alias works there too.

==== JumpBox ====

You can jump through another box to SSH into a second one (and a third, fourth, etc. by giving ''-J'' a comma-separated list of hops):

<code>
ssh -J jumpbox.beandog.org dest.beandog.org
</code>

''-J'' (OpenSSH 7.3 and later) is shorthand for ''ProxyJump'' in ''~/.ssh/config'', which you can set per host so the hop is automatic.  The jump box only relays a TCP stream: the SSH session to the destination is encrypted end to end, and your private key never has to be copied to, or forwarded through, the jump box.  Host keys for both the jump box and the destination are checked against your ''known_hosts'' as usual.

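To make the Configuration and JumpBox behaviour above concrete, here is an added example (not code from this page or from OpenSSH) that resolves an ''ssh'' command line the way the client reads ''~/.ssh/config'': glob ''Host'' patterns matched against the name typed, case-insensitive keywords, command-line options beating the file, the first value found winning, and ''ProxyJump'' expanded into a hop list.  ''SAMPLE_CONFIG'' is constructed around the hosts used on this page; ''parse_cli'' models only ''-p'', ''-l'', ''-i'', ''-J'' and ''user@host'', and the ''Match'' keyword and ''Include'' are not handled.

```python
"""Resolve an ssh command line the way the OpenSSH client reads ~/.ssh/config.
Added example, not code from the page or from OpenSSH. It covers the subset
of ssh_config(5) the page relies on: Host blocks with glob patterns matched
against the name you typed, case-insensitive keywords, "first value wins",
and ProxyJump hops. SAMPLE_CONFIG is constructed around the page's hosts."""
import fnmatch, shlex

SAMPLE_CONFIG = """
Host seekrit-server
    User dumont
    HostName 192.168.15.79
    Port 9822

Host dest.beandog.org
    ProxyJump jumpbox.beandog.org        # hop via the jump box automatically

Host *.beandog.org
    User dumont
    IdentityFile ~/.ssh/id_ed25519

Host *                                   # catch-all: must come last
    User nobody
    ServerAliveInterval 30
"""

def parse_config(text):
    """List of (host patterns, {keyword: value}) blocks in file order.
    Lines before the first Host line form a block that matches everything."""
    blocks, patterns, settings = [], ["*"], {}
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)
        if not tokens:
            continue
        key, args = tokens[0], tokens[1:]
        if "=" in key:                      # "Key=value" spelling
            key, first = key.split("=", 1)
            args = [first] + args
        key = key.lower()
        if key == "host":
            blocks.append((patterns, settings))
            patterns, settings = args, {}
        else:
            settings[key] = " ".join(args)
    blocks.append((patterns, settings))
    return blocks

def host_matches(patterns, host):
    """Glob match; a '!' pattern that matches vetoes the whole block."""
    matched = False
    for pat in patterns:
        if fnmatch.fnmatchcase(host.lower(), pat.lstrip("!").lower()):
            if pat.startswith("!"):
                return False
            matched = True
    return matched

def resolve(blocks, host, cli=None):
    """CLI options win, then the first value obtained per keyword, then defaults."""
    result = dict(cli or {})
    for patterns, settings in blocks:
        if host_matches(patterns, host):
            for key, value in settings.items():
                result.setdefault(key, value)
    result.setdefault("hostname", host)
    result.setdefault("port", "22")
    return result

def parse_cli(argv):
    """Tiny subset of ssh's option parsing: -p, -l, -i, -J and user@host."""
    flags = {"-p": "port", "-l": "user", "-i": "identityfile", "-J": "proxyjump"}
    cli, host, i = {}, None, 0
    while i < len(argv):
        if argv[i] in flags:
            cli[flags[argv[i]]] = argv[i + 1]
            i += 2
        elif argv[i].startswith("-"):
            raise ValueError("option not modelled: " + argv[i])
        else:
            host = host or argv[i]          # first bare word is the destination
            i += 1
    if host is None:
        raise ValueError("no destination given")
    if "@" in host:
        user, host = host.rsplit("@", 1)
        cli.setdefault("user", user)
    return host, cli

def resolve_jump(blocks, spec):
    """ProxyJump entries may be user@host:port (IPv6 brackets not handled)."""
    cli = {}
    if "@" in spec:
        cli["user"], spec = spec.split("@", 1)
    if ":" in spec:
        spec, cli["port"] = spec.rsplit(":", 1)
    return resolve(blocks, spec, cli)

def plan(blocks, argv):
    """Return (settings for the destination, [settings for each jump hop])."""
    host, cli = parse_cli(argv)
    target = resolve(blocks, host, cli)
    hops = [resolve_jump(blocks, j.strip()) for j in target.get("proxyjump", "").split(",")
            if j.strip() and j.strip() != "none"]
    return target, hops
```

''plan(parse_config(SAMPLE_CONFIG), ["seekrit-server"])'' yields user ''dumont'', host ''192.168.15.79'', port ''9822'' with no hops; ''["dest.beandog.org"]'' yields one hop through ''jumpbox.beandog.org'' that itself picks up ''User dumont'' from the ''*.beandog.org'' block.  Move the ''Host *'' block to the top and the same query comes back with ''User nobody'', which is the ordering mistake the prose warns about; the real client's ''ssh -G host'' prints its resolved settings so you can check your own file the same way.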
==== Notes ====

Set up rate-limiting in the firewall so that only a few new connections per minute are accepted on the SSH port, which blunts password brute-forcing.  The example below is adapted from Ubuntu's wiki:

  * [[https://help.ubuntu.com/community/SSH/OpenSSH/Advanced?action=show&redirect=AdvancedOpenSSH]]

<code>
iptables -N rate-limit
# Let packets of already-established sessions through; without this line
# the DROP below would kill every SSH session right after its handshake.
iptables -A rate-limit -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
iptables -A rate-limit -p tcp -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 3 -j RETURN
iptables -A rate-limit -j DROP
iptables -I INPUT 1 -p tcp --dport 22 -j rate-limit
</code>

''--limit 3/min --limit-burst 3'' is a token bucket: three new connections are accepted immediately, then one more every 20 seconds.  Note that ''-m limit'' keeps a single bucket for the whole rule, so one noisy attacker can lock out everybody; for a per-source limit use ''-m hashlimit --hashlimit-mode srcip'' with ''--hashlimit-upto 3/min --hashlimit-burst 3'', or run ''fail2ban'' on the auth log.

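The difference between the shared bucket and a per-source bucket is easiest to see on a timeline, so here is an added example (not from this page or from netfilter) that replays a constructed log of connection attempts through both.  The ''limit'' match is modelled as a token bucket that starts with ''--limit-burst'' tokens, refills at ''--limit'' and spends one token per new connection; the addresses and timings are made up, and exact fractions are used so the result does not depend on floating-point rounding.

```python
"""Simulate the iptables rate limit above on a constructed stream of new SSH
connections, with a single shared bucket (-m limit) and one bucket per
source address (-m hashlimit --hashlimit-mode srcip). Added example, not from
the page or from netfilter; the limit match is modelled as a token bucket
(--limit-burst tokens to start, refilled at --limit, one token per packet)
with exact arithmetic so the timeline is deterministic."""
from collections import defaultdict
from fractions import Fraction

ATTACKER, LEGIT = "203.0.113.9", "198.51.100.4"   # constructed addresses

class TokenBucket:
    def __init__(self, per_minute, burst):
        self.capacity = Fraction(burst)
        self.tokens = Fraction(burst)
        self.rate = Fraction(per_minute, 60)         # tokens per second
        self.last = Fraction(0)

    def allow(self, now):
        """Refill for the time elapsed, then spend one token if one is there."""
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

def run(attempts, per_source, per_minute=3, burst=3):
    """attempts: [(seconds, src)] sorted by time. Returns [(t, src, verdict)]:
    PASS means the packet RETURNs to INPUT, DROP means the chain drops it."""
    buckets = defaultdict(lambda: TokenBucket(per_minute, burst))
    out = []
    for t, src in attempts:
        key = src if per_source else "shared"        # -m limit has one bucket
        out.append((t, src, "PASS" if buckets[key].allow(t) else "DROP"))
    return out

def passed(verdicts, src):
    """Times at which src got through."""
    return [t for t, s, v in verdicts if s == src and v == "PASS"]

def build_attempts():
    """Constructed log: an attacker opening one connection every second for
    90 seconds, and a legitimate admin trying three times in between."""
    attempts = [(Fraction(s), ATTACKER) for s in range(90)]
    attempts += [(Fraction(21, 2), LEGIT), (Fraction(61, 2), LEGIT), (Fraction(141, 2), LEGIT)]
    return sorted(attempts)

if __name__ == "__main__":
    log = build_attempts()
    for label, per_source in (("-m limit (shared bucket)", False), ("-m hashlimit srcip", True)):
        v = run(log, per_source)
        print(label, "attacker passes at", [int(t) for t in passed(v, ATTACKER)],
              "admin passes at", [float(t) for t in passed(v, LEGIT)])
```

With the shared bucket the attacker burns the burst in the first three seconds and then takes the single refilled token every 20 seconds, so the admin's three attempts at 10.5 s, 30.5 s and 70.5 s are all dropped; with one bucket per source the attacker is throttled exactly the same way while all three admin attempts go through.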
==== Gotchas ====

** Running ''ssh'' in a ''while read'' loop exits early **

''ssh'' forwards its standard input to the remote command, so inside a ''while read host'' loop it swallows the rest of the host list on the first iteration and the loop ends after one host.  Either pass ''-n'' (which redirects stdin from ''/dev/null'' for you) or redirect stdin explicitly:

<code>
ssh -n user@host uptime
ssh user@host uptime < /dev/null
</code>
