SSH: Difference between revisions

(3 intermediate revisions by the same user not shown)

Line 19:

"<code>ssh server2</code>" rather than "ssh -v -L 55432:localhost:5432 grundlett@server2.example.com"

<~~source~~ lang="bash">

cat .ssh/config

Line 65:

host amazon

HostName ec2-72-44-63-125.compute-1.amazonaws.com

</~~source~~>

</syntaxhighlight>

Note the KexAlgorithms line for GitHub. You might need to add this if you're getting a 'failed to negotiate a key exchange' error from github. See <code>ssh -vQ kex</code> for the algos your system supports. And fix up your moduli file <ref>https://stribika.github.io/2015/01/04/secure-secure-shell.html</ref>

Line 89:

Installing a program like [http://projects.gnome.org/seahorse/ Seahorse] makes it trivially easy to manage your GnuPG encryption keys. Seahorse just makes it easier for you to do what you otherwise would accomplish with several commands. You can generate a private key; and add the public key to remote servers enabling you to login to those remote servers without using a password.

=== VSCode and VirtualBox ===

When using [[VirtualBox]] to manage Linux VMs on your local Windows host, you can setup your SSH config file with a simple stanza to forward local connections on port 2222 to the SSH server on the VM like this.

Host 127.0.0.1

HostName 127.0.0.1

User root

Port 2222

IdentityFile C:/Users/greg/.ssh/id_ed25519

</syntaxhighlight>

In this way, [[VSCode]] will be able to seamlessly connect to the VM, without prompting for a password every time.

== Fingerprints ==

The SSH key fingerprint tells you the authenticity of a host. Normally this info is stored in /etc/ssh/ for a Debian-based distro. You can also use the same command here to look at the fingerprint for your public key.

<~~source~~ lang="bash">

ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub

2048 dd:54:23:d4:20:bc:f3:4c:88:a5:af:21:dd:a5:36:5d /etc/ssh/ssh_host_rsa_key.pub (RSA)

</~~source~~>

</syntaxhighlight>

== Public Key ==

{{ambox

|text=

<code>ssh-keygen -t ed25519 -b 4096</code> is the new standard rather than using the old RSA key encryption format. Ed25519 has a smaller key size (so faster and more efficient) and can be more secure.

}}

Normally, with <code>ssh-keygen -t rsa -C "you@example.com"</code> you get a (private) key file <code>id_rsa</code>, plus a (public) key denoted with the extension .pub <code>id_rsa.pub</code>. But what about formats like .pem? Amazon AWS manages access with "keypairs" and you are prompted to download the private X509 certificate file as a .pem file when you generate the keypair. Where is the public key? Amazon displays the 'fingerprint' for the file which is usually enough to identify the private file, but can you place a fingerprint in the <code>authorized_keys</code> file? If you have a private key file and want to show the public key that corresponds to it, you can do so with <code>ssh-keygen</code>

<~~source~~ lang="bash">

# show me the public key that corresponds to my private id_rsa key

ssh-keygen -yf /home/greg/.ssh/id_rsa

# show me the public key that corresponds to my private pem file that I got from the Amazon AWS Console

ssh-keygen -yf /home/greg/.ssh/amazon-aws.pem

</~~source~~>

</syntaxhighlight>

This will output something like

Line 124:

Line 139:

== Tunnel ==

You have a headless server running your development or production database(s). You work on a nice workstation or laptop. You want to use a graphical database administration tool like MySQL Workbench on the remote server.

<~~source~~ lang="text">

# send local MySQL traffic on 33306 to the remote side standard port 3306

# this allows me to open a desktop client locally on the extended port

Line 135:

Line 150:

User greg

IdentityFile ~/.ssh/id_rsa

</~~source~~>

</syntaxhighlight>

=== Debugging ===

To find out what is connected and/or listening on a given port, you can use <code>[[lsof]]</code> with the <code>-i</code> option for '''Internet files'''

e.g.

<~~source~~ lang="bash">

# mysql

sudo lsof -i :3306

Line 149:

Line 164:

# how much is chrome doing (don't necessarily need sudo)

lsof -c chrome

</~~source~~>

</syntaxhighlight>

== Reverse Tunnel ==

Maybe you've got a production database server that wasn't setup properly for security, and only allows "local" database connections. You need to access your production data from places other than your datacenter. You could fix it - but that would take a lot of effort that the boss doesn't care about. SSH to the rescue!

Line 166:

Line 181:

== With rsync ==

If you need to pass SSH options to rsync, then use the <code>--rsh= (-e)</code> option.

<~~source~~ lang="bash">

rsync -n -e "ssh -i /home/greg/.ssh/ec2-west-wiki.pem" -vatz --stats \

/var/www/phase3-extensions/ \

ubuntu@amazon:/home/ubuntu/wiki-extensions/

</~~source~~>

</syntaxhighlight>

== Logging ==

@@ Line 19: / Line 19: @@
 "<code>ssh server2</code>" rather than "ssh -v -L 55432:localhost:5432 grundlett@server2.example.com"
-<source lang="bash">
+<syntaxhighlight lang="bash">
 cat .ssh/config
@@ Line 65: / Line 65: @@
 host amazon
 HostName ec2-72-44-63-125.compute-1.amazonaws.com
-</source>
+</syntaxhighlight>
 Note the KexAlgorithms line for GitHub.  You might need to add this if you're getting a 'failed to negotiate a key exchange' error from github.  See <code>ssh -vQ kex</code> for the algos your system supports.  And fix up your moduli file <ref>https://stribika.github.io/2015/01/04/secure-secure-shell.html</ref>
@@ Line 89: / Line 89: @@
 Installing a program like [http://projects.gnome.org/seahorse/ Seahorse] makes it trivially easy to manage your GnuPG encryption keys.  Seahorse just makes it easier for you to do what you otherwise would accomplish with several commands.  You can generate a private key; and add the public key to remote servers enabling you to login to those remote servers without using a password.
+=== VSCode and VirtualBox ===
+When using [[VirtualBox]] to manage Linux VMs on your local Windows host, you can setup your SSH config file with a simple stanza to forward local connections on port 2222 to the SSH server on the VM like this.
+<syntaxhighlight lang="bash">
+Host 127.0.0.1
+  HostName 127.0.0.1
+  User root
+  Port 2222
+  IdentityFile C:/Users/greg/.ssh/id_ed25519
+</syntaxhighlight>
+In this way, [[VSCode]] will be able to seamlessly connect to the VM, without prompting for a password every time.
 == Fingerprints ==
 The SSH key fingerprint tells you the authenticity of a host.  Normally this info is stored in /etc/ssh/ for a Debian-based distro.  You can also use the same command here to look at the fingerprint for your public key.
-<source lang="bash">
+<syntaxhighlight lang="bash">
 ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
 dd:54:23:d4:20:bc:f3:4c:88:a5:af:21:dd:a5:36:5d /etc/ssh/ssh_host_rsa_key.pub (RSA)
-</source>
+</syntaxhighlight>
 == Public Key ==
+{{ambox
+|text=
+<code>ssh-keygen -t ed25519 -b 4096</code> is the new standard rather than using the old RSA key encryption format. Ed25519 has a smaller key size (so faster and more efficient) and can be more secure.
+}}
 Normally, with <code>ssh-keygen -t rsa -C "you@example.com"</code> you get a (private) key file <code>id_rsa</code>, plus a (public) key denoted with the extension .pub <code>id_rsa.pub</code>.  But what about formats like .pem?  Amazon AWS manages access with "keypairs" and you are prompted to download the private X509 certificate file as a .pem file when you generate the keypair.  Where is the public key?  Amazon displays the 'fingerprint' for the file which is usually enough to identify the private file, but can you place a fingerprint in the <code>authorized_keys</code> file?  If you have a private key file and want to show the public key that corresponds to it, you can do so with <code>ssh-keygen</code>
-<source lang="bash">
+<syntaxhighlight lang="bash">
 # show me the public key that corresponds to my private id_rsa key
 ssh-keygen -yf /home/greg/.ssh/id_rsa
 # show me the public key that corresponds to my private pem file that I got from the Amazon AWS Console
 ssh-keygen -yf /home/greg/.ssh/amazon-aws.pem
-</source>
+</syntaxhighlight>
 This will output something like
@@ Line 124: / Line 139: @@
 == Tunnel ==
 You have a headless server running your development or production database(s).  You work on a nice workstation or laptop.  You want to use a graphical database administration tool like MySQL Workbench on the remote server.
-<source lang="text">
+<syntaxhighlight lang="text">
    # send local MySQL traffic on 33306 to the remote side standard port 3306
    # this allows me to open a desktop client locally on the extended port
@@ Line 135: / Line 150: @@
    User greg
    IdentityFile  ~/.ssh/id_rsa
-</source>
+</syntaxhighlight>
 === Debugging ===
 To find out what is connected and/or listening on a given port, you can use <code>[[lsof]]</code> with the <code>-i</code> option for '''Internet files'''
 e.g.
-<source lang="bash">
+<syntaxhighlight lang="bash">
 # mysql
 sudo lsof -i :3306
@@ Line 149: / Line 164: @@
 # how much is chrome doing (don't necessarily need sudo)
 lsof -c chrome
-</source>
+</syntaxhighlight>
 == Reverse Tunnel ==
 Maybe you've got a production database server that wasn't setup properly for security, and only allows "local" database connections.  You need to access your production data from places other than your datacenter.  You could fix it - but that would take a lot of effort that the boss doesn't care about.  SSH to the rescue!
@@ Line 166: / Line 181: @@
 == With rsync ==
 If you need to pass SSH options to rsync, then use the <code>--rsh= (-e)</code> option.
-<source lang="bash">
+<syntaxhighlight lang="bash">
 rsync -n -e "ssh -i /home/greg/.ssh/ec2-west-wiki.pem" -vatz --stats \
 /var/www/phase3-extensions/ \
 ubuntu@amazon:/home/ubuntu/wiki-extensions/
-</source>
+</syntaxhighlight>
 == Logging ==