Freephile Wiki

SSH: Difference between revisions

Browse history interactively
← Older edit
VisualWikitext
adds tunnel and debugging
m Text replacement - "<(\/?)source" to "<$1syntaxhighlight"
 
(10 intermediate revisions by 2 users not shown)
Line 1: Line 1:
[[File:Ssh cheat sheet.pdf|thumb]]
See the [[Using keys]] article as well
See the [[Using keys]] article as well


Line 4: Line 5:


NIST has released their August 2014 draft "Security of Automated Access Management Using Secure Shell (SSH)" available at http://csrc.nist.gov/publications/drafts/nistir-7966/nistir_7966_draft.pdf
NIST has released their August 2014 draft "Security of Automated Access Management Using Secure Shell (SSH)" available at http://csrc.nist.gov/publications/drafts/nistir-7966/nistir_7966_draft.pdf
You might want to read https://stribika.github.io/2015/01/04/secure-secure-shell.html


HOWTO can be found at http://www.debuntu.org/ssh-key-based-authentication
HOWTO can be found at http://www.debuntu.org/ssh-key-based-authentication
Another good site with HOWTO and explanatory info, along with commercial products and support, is https://www.ssh.com/ssh/


== Configuration ==
== Configuration ==
Line 14: Line 19:
"<code>ssh server2</code>" rather than "ssh -v -L 55432:localhost:5432 grundlett@server2.example.com"
"<code>ssh server2</code>" rather than "ssh -v -L 55432:localhost:5432 grundlett@server2.example.com"


<source lang="bash">
<syntaxhighlight lang="bash">
cat .ssh/config
cat .ssh/config


Line 53: Line 58:
Hostname github.com
Hostname github.com
IdentityFile /home/greg/.ssh/<id_rsa.MYKEY>
IdentityFile /home/greg/.ssh/<id_rsa.MYKEY>
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1


host *.amazonaws.com
host *.amazonaws.com
Line 59: Line 65:
host amazon
host amazon
HostName ec2-72-44-63-125.compute-1.amazonaws.com
HostName ec2-72-44-63-125.compute-1.amazonaws.com
</source>
</syntaxhighlight>
 
Note the KexAlgorithms line for GitHub.  You might need to add this if you're getting a 'failed to negotiate a key exchange' error from github.  See <code>ssh -vQ kex</code> for the algos your system supports.  And fix up your moduli file <ref>https://stribika.github.io/2015/01/04/secure-secure-shell.html</ref>
 
== Server Configuration ==
 
<blockquote>It is strongly recommended that LogLevel be set to VERBOSE. This way, the key fingerprint for any SSH key used for login is logged. This information is important for SSH key management, especially in legacy environments.
</blockquote> <ref>https://www.ssh.com/ssh/sshd_config/</ref>
 
<pre>
PasswordAuthentication no
PrintMotd yes
LogLevel VERBOSE
PermitRootLogin prohibit-password
UsePAM no
</pre>
(Don't forget to sudo service ssh restart)


== Client ==
== Client ==
Line 67: Line 89:
Installing a program like [http://projects.gnome.org/seahorse/ Seahorse] makes it trivially easy to manage your GnuPG encryption keys.  Seahorse just makes it easier for you to do what you otherwise would accomplish with several commands.  You can generate a private key; and add the public key to remote servers enabling you to login to those remote servers without using a password.
Installing a program like [http://projects.gnome.org/seahorse/ Seahorse] makes it trivially easy to manage your GnuPG encryption keys.  Seahorse just makes it easier for you to do what you otherwise would accomplish with several commands.  You can generate a private key; and add the public key to remote servers enabling you to login to those remote servers without using a password.


=== VSCode and VirtualBox ===
When using [[VirtualBox]] to manage Linux VMs on your local Windows host, you can setup your SSH config file with a simple stanza to forward local connections on port 2222 to the SSH server on the VM like this.
<syntaxhighlight lang="bash">
Host 127.0.0.1
  HostName 127.0.0.1
  User root
  Port 2222
  IdentityFile C:/Users/greg/.ssh/id_ed25519
</syntaxhighlight>
In this way, [[VSCode]] will be able to seamlessly connect to the VM, without prompting for a password every time.


== Fingerprints ==
== Fingerprints ==
The SSH key fingerprint tells you the authenticity of a host.  Normally this info is stored in /etc/ssh/ for a Debian-based distro.  You can also use the same command here to look at the fingerprint for your public key.
The SSH key fingerprint tells you the authenticity of a host.  Normally this info is stored in /etc/ssh/ for a Debian-based distro.  You can also use the same command here to look at the fingerprint for your public key.
<source lang="bash">
<syntaxhighlight lang="bash">
ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
2048 dd:54:23:d4:20:bc:f3:4c:88:a5:af:21:dd:a5:36:5d /etc/ssh/ssh_host_rsa_key.pub (RSA)
2048 dd:54:23:d4:20:bc:f3:4c:88:a5:af:21:dd:a5:36:5d /etc/ssh/ssh_host_rsa_key.pub (RSA)
</source>
</syntaxhighlight>


== Public Key ==
== Public Key ==
{{ambox
|text=
<code>ssh-keygen -t ed25519 -b 4096</code> is the new standard rather than using the old RSA key encryption format. Ed25519 has a smaller key size (so faster and more efficient) and can be more secure.
}}
Normally, with <code>ssh-keygen -t rsa -C "you@example.com"</code> you get a (private) key file <code>id_rsa</code>, plus a (public) key denoted with the extension .pub <code>id_rsa.pub</code>.  But what about formats like .pem?  Amazon AWS manages access with "keypairs" and you are prompted to download the private X509 certificate file as a .pem file when you generate the keypair.  Where is the public key?  Amazon displays the 'fingerprint' for the file which is usually enough to identify the private file, but can you place a fingerprint in the <code>authorized_keys</code> file?  If you have a private key file and want to show the public key that corresponds to it, you can do so with <code>ssh-keygen</code>
Normally, with <code>ssh-keygen -t rsa -C "you@example.com"</code> you get a (private) key file <code>id_rsa</code>, plus a (public) key denoted with the extension .pub <code>id_rsa.pub</code>.  But what about formats like .pem?  Amazon AWS manages access with "keypairs" and you are prompted to download the private X509 certificate file as a .pem file when you generate the keypair.  Where is the public key?  Amazon displays the 'fingerprint' for the file which is usually enough to identify the private file, but can you place a fingerprint in the <code>authorized_keys</code> file?  If you have a private key file and want to show the public key that corresponds to it, you can do so with <code>ssh-keygen</code>
<source lang="bash">
<syntaxhighlight lang="bash">
# show me the public key that corresponds to my private id_rsa key
# show me the public key that corresponds to my private id_rsa key
ssh-keygen -yf /home/greg/.ssh/id_rsa
ssh-keygen -yf /home/greg/.ssh/id_rsa
# show me the public key that corresponds to my private pem file that I got from the Amazon AWS Console
# show me the public key that corresponds to my private pem file that I got from the Amazon AWS Console
ssh-keygen -yf /home/greg/.ssh/amazon-aws.pem
ssh-keygen -yf /home/greg/.ssh/amazon-aws.pem
</source>
</syntaxhighlight>


This will output something like
This will output something like
Line 95: Line 132:


<code>ssh -o IdentitiesOnly=true -i /home/me/.ssh/my_private_key me@example.com</code> will now work
<code>ssh -o IdentitiesOnly=true -i /home/me/.ssh/my_private_key me@example.com</code> will now work
== Using No Keys ==
Sometimes you can get an error about '''too many authentication failures''' when you want to enter your password, but before you even get to enter your password.  This can happen when the source system silently offers a couple of keys (which are not authorized on the target host).  If the target host has a very low tolerance for auth failures in sshd_config like <code>MaxAuthTries=2</code>, they you'll get disconnected before you ever enter a password.  The way to counteract this is to tell ssh not to use Public Key Authentication at all:
<code>ssh -o PubkeyAuthentication=no me@example.com</code>


== Tunnel ==
== Tunnel ==
You have a headless server running your development or production database(s).  You work on a nice workstation or laptop.  You want to use a graphical database administration tool like MySQL Workbench on the remote server.   
You have a headless server running your development or production database(s).  You work on a nice workstation or laptop.  You want to use a graphical database administration tool like MySQL Workbench on the remote server.   
<source lang="text">
<syntaxhighlight lang="text">
   # send local MySQL traffic on 33306 to the remote side standard port 3306
   # send local MySQL traffic on 33306 to the remote side standard port 3306
   # this allows me to open a desktop client locally on the extended port
   # this allows me to open a desktop client locally on the extended port
Line 109: Line 150:
   User greg
   User greg
   IdentityFile  ~/.ssh/id_rsa
   IdentityFile  ~/.ssh/id_rsa
</source>
</syntaxhighlight>


=== Debugging ===
=== Debugging ===
To find out what is connected and/or listening on a given port, you can use <code>lsof</code> with the <code>-i</code> option for '''Internet files'''
To find out what is connected and/or listening on a given port, you can use <code>[[lsof]]</code> with the <code>-i</code> option for '''Internet files'''
e.g.
e.g.
<source lang="bash">
<syntaxhighlight lang="bash">
# mysql
# mysql
sudo lsof -i :3306
sudo lsof -i :3306
Line 123: Line 164:
# how much is chrome doing (don't necessarily need sudo)
# how much is chrome doing (don't necessarily need sudo)
lsof -c chrome
lsof -c chrome
</source>
</syntaxhighlight>
== Reverse Tunnel ==
== Reverse Tunnel ==
Maybe you've got a production database server that wasn't setup properly for security, and only allows "local" database connections.  You need to access your production data from places other than your datacenter.  You could fix it - but that would take a lot of effort that the boss doesn't care about.  SSH to the rescue!
Maybe you've got a production database server that wasn't setup properly for security, and only allows "local" database connections.  You need to access your production data from places other than your datacenter.  You could fix it - but that would take a lot of effort that the boss doesn't care about.  SSH to the rescue!
Line 140: Line 181:
== With rsync ==
== With rsync ==
If you need to pass SSH options to rsync, then use the <code>--rsh= (-e)</code> option.
If you need to pass SSH options to rsync, then use the <code>--rsh= (-e)</code> option.
<source lang="bash">
<syntaxhighlight lang="bash">
rsync -n -e "ssh -i /home/greg/.ssh/ec2-west-wiki.pem" -vatz --stats \
rsync -n -e "ssh -i /home/greg/.ssh/ec2-west-wiki.pem" -vatz --stats \
/var/www/phase3-extensions/ \
/var/www/phase3-extensions/ \
ubuntu@amazon:/home/ubuntu/wiki-extensions/
ubuntu@amazon:/home/ubuntu/wiki-extensions/
</source>
</syntaxhighlight>


== Logging ==
== Logging ==
On the server side, to see what's going on, <code>tail /var/log/auth.log</code>
On the server side, to see what's going on, <code>tail /var/log/auth.log</code>
== On Windows ==
Since late 2018, Microsoft has included a '''fork''' of the OpenSSH project in Windows.<ref>"OpenSSH has been added to Windows (as of autumn 2018), and is included in Windows Server and Windows client." - https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_overview
At the time of writing, the Microsoft fork is 618 commits ahead, 168 commits behind openssh:master of the OpenBSD OpenSSH project. 'portable' in the OpenSSH project was the term used when the software was made compatible with Unixes other than OpenBSD. The '''open source OpenSSH project repo is at https://github.com/openssh/openssh-portable '''
The Microsoft fork of OpenSSH is at https://github.com/PowerShell/openssh-portable
</ref>
Your client config on Windows is at 
<tt>%userprofile%\. ssh\config</tt>
{{References}}


[[Category:System Administration]]
[[Category:System Administration]]
[[Category:Security]]
[[Category:SSH]]
Retrieved from "https://wiki.freephile.org/wiki/SSH"