2,256 bytes added, 11 January
[[File:Ssh cheat sheet.pdf|thumb]]
See the [[Using keys]] article as well
A HOWTO can be found at http://www.debuntu.org/ssh-key-based-authentication
 
Another good site with HOWTO and explanatory info, along with commercial products and support, is https://www.ssh.com/ssh/
== Configuration ==
Note the KexAlgorithms line for GitHub. You might need to add it to your client config if you are getting a 'failed to negotiate a key exchange' error from GitHub. Run <code>ssh -vQ kex</code> to list the key exchange algorithms your system supports. And fix up your moduli file <ref>https://stribika.github.io/2015/01/04/secure-secure-shell.html</ref>
 
== Server Configuration ==
 
<blockquote>It is strongly recommended that LogLevel be set to VERBOSE. This way, the key fingerprint for any SSH key used for login is logged. This information is important for SSH key management, especially in legacy environments.
</blockquote> <ref>https://www.ssh.com/ssh/sshd_config/</ref>
 
<pre>
PasswordAuthentication no
PrintMotd yes
LogLevel VERBOSE
PermitRootLogin prohibit-password
UsePAM no
</pre>
(Don't forget to run <code>sudo service ssh restart</code> afterwards.)
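A small audit of an <code>sshd_config</code> text against the settings recommended above, as an added example (not code from the wiki page). It follows two parsing rules sshd really uses and that trip people up: keywords are case-insensitive, and for each keyword the first value obtained wins, so a hardened line appended at the bottom of the file does nothing if a weaker line appears earlier. Directives inside a <code>Match</code> block are conditional and are skipped for the global check. The config texts are constructed for the demo; the default values are the OpenSSH defaults for these keywords.

```python
"""Audit an sshd_config text against the recommended global settings.

Added example, not from the wiki page. Implements sshd's own rules:
keywords are case-insensitive, the first value seen wins, and anything
after a Match line is conditional and ignored for the global check."""
import re

# Recommended global values from the server configuration section above.
RECOMMENDED = {
    "passwordauthentication": "no",
    "loglevel": "VERBOSE",
    "permitrootlogin": "prohibit-password",
    "usepam": "no",
}

# Values sshd applies when the keyword is absent (OpenSSH defaults).
DEFAULTS = {
    "passwordauthentication": "yes",
    "loglevel": "INFO",
    "permitrootlogin": "prohibit-password",
    "usepam": "no",
}

# "Keyword value" or "Keyword=value"; comments start with '#'.
DIRECTIVE_RE = re.compile(r"([^\s=]+)\s*=?\s*(.*)")


def parse_global_directives(text: str) -> dict:
    """Return {keyword_lower: (value, line_no)} with first-value-wins,
    stopping at the first Match block."""
    found = {}
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = DIRECTIVE_RE.match(line)
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break  # everything below is conditional on the Match criteria
        found.setdefault(key, (value, line_no))  # first occurrence wins
    return found


def audit(text: str) -> list:
    """Return findings for keywords whose effective value differs from the
    recommendation. 'line' is None when the keyword is absent and the
    OpenSSH default applies."""
    found = parse_global_directives(text)
    findings = []
    for key, want in RECOMMENDED.items():
        value, line_no = found.get(key, (DEFAULTS[key], None))
        if value.lower() != want.lower():
            findings.append({"keyword": key, "effective": value,
                             "recommended": want, "line": line_no})
    return findings


# Constructed sshd_config for the demo: the 'no' appended at the bottom
# does not override the earlier 'yes', and LogLevel is missing entirely.
WEAK_CONFIG = """\
# constructed sshd_config for the demo
Port 22
PasswordAuthentication yes
PermitRootLogin yes
UsePAM no
# appended later "to harden", but the earlier 'yes' wins:
PasswordAuthentication no
Match Address 10.0.0.0/8
    PasswordAuthentication no
"""

# The block recommended above, which passes the audit cleanly.
HARDENED_CONFIG = """\
PasswordAuthentication no
PrintMotd yes
LogLevel VERBOSE
PermitRootLogin prohibit-password
UsePAM no
"""

if __name__ == "__main__":
    for finding in audit(WEAK_CONFIG):
        print(finding)
    print("hardened findings:", audit(HARDENED_CONFIG))
```

On a live host, <code>sshd -T</code> prints the effective configuration after all parsing rules are applied; the script above is for reviewing a file offline, for instance in a config repository, before it is deployed.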
== Client ==
Installing a program like [http://projects.gnome.org/seahorse/ Seahorse] makes it trivially easy to manage your GnuPG and SSH keys. Seahorse just makes it easier to do what you would otherwise accomplish with several commands: you can generate a private key and add the public key to remote servers, enabling you to log in to those servers without using a password.
=== VSCode and VirtualBox ===
When using [[VirtualBox]] to manage Linux VMs on your local Windows host, you can set up your SSH config file with a simple stanza that sends local connections on port 2222 (forwarded by VirtualBox) to the SSH server on the VM, like this.
<syntaxhighlight lang="bash">
Host 127.0.0.1
HostName 127.0.0.1
User root
Port 2222
IdentityFile C:/Users/greg/.ssh/id_ed25519
</syntaxhighlight>
In this way, [[VSCode]] will be able to seamlessly connect to the VM, without prompting for a password every time.
== Fingerprints ==
== Public Key ==
{{ambox
|text=
<code>ssh-keygen -t ed25519</code> is the new standard rather than the old RSA key type (Ed25519 keys have a fixed length, so the <code>-b</code> option is ignored for them). Ed25519 has a smaller key size (so it is faster and more efficient) and can be more secure.
}}
 
Normally, with <code>ssh-keygen -t rsa -C "you@example.com"</code> you get a private key file <code>id_rsa</code>, plus a public key with the extension .pub, <code>id_rsa.pub</code>. But what about formats like .pem? Amazon AWS manages access with "keypairs", and you are prompted to download the private key as a .pem (PEM-encoded) file when you generate the keypair. Where is the public key? Amazon displays the 'fingerprint' for the file, which is usually enough to identify the private key, but can you place a fingerprint in the <code>authorized_keys</code> file? If you have a private key file and want to show the public key that corresponds to it, you can do so with <code>ssh-keygen</code>.
== Logging ==
On the server side, to see what is going on, run <code>tail /var/log/auth.log</code>.
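An added example (not code from the wiki page) tying the Public Key and Logging sections together: it parses OpenSSH public key lines, computes the <code>SHA256:</code> fingerprint the same way <code>ssh-keygen -l</code> does (base64 of SHA-256 over the key blob, padding stripped), and matches the fingerprint printed in an <code>Accepted publickey</code> line of <code>auth.log</code> back to the <code>authorized_keys</code> entry that was used. It also answers the question above: the fingerprint is a hash of the public key, so it cannot stand in for the key in <code>authorized_keys</code>, but it is exactly what you need to find out which key logged in. The keys, comments, addresses and log lines below are constructed for the demo and are not real credentials.

```python
"""Fingerprint OpenSSH public keys and match auth.log logins to them.

Added example, not from the wiki page. All keys and log lines are
constructed for the demo; the 32-byte key values are arbitrary bytes."""
import base64
import hashlib
import re
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string' (uint32 length + payload)."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_pubkey_line(raw32: bytes, comment: str) -> str:
    """Build a one-line OpenSSH public key from a 32-byte value.
    Constructed for the demo: raw32 is arbitrary, not a real key."""
    assert len(raw32) == 32
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def parse_pubkey_line(line: str) -> dict:
    """Split an authorized_keys or .pub line into type, blob and comment.
    A leading options field (e.g. from="...") is skipped if present."""
    fields = line.strip().split()
    idx = next((i for i, f in enumerate(fields)
                if f.startswith(("ssh-", "ecdsa-", "sk-"))), None)
    if idx is None or idx + 1 >= len(fields):
        raise ValueError(f"not a public key line: {line!r}")
    keytype, b64 = fields[idx], fields[idx + 1]
    comment = " ".join(fields[idx + 2:])
    blob = base64.b64decode(b64)
    # The blob starts with the key type as an SSH string; it must agree
    # with the text field, otherwise the line has been tampered with.
    (tlen,) = struct.unpack(">I", blob[:4])
    blob_type = blob[4:4 + tlen].decode()
    if blob_type != keytype:
        raise ValueError(f"type mismatch: {keytype} vs {blob_type}")
    return {"type": keytype, "blob": blob, "comment": comment}


def fingerprint_sha256(blob: bytes) -> str:
    """ssh-keygen -l style fingerprint: base64(SHA256(blob)) minus '='."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# Shape of the line sshd logs on a successful public key login.
ACCEPTED_RE = re.compile(
    r"Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2: "
    r"(?P<algo>\S+) (?P<fp>SHA256:\S+)")


def match_logins(log_lines, authorized_keys_lines) -> list:
    """For each 'Accepted publickey' log line, report the user, source IP,
    fingerprint and the authorized_keys comment it maps to (None if the
    fingerprint is not in the file)."""
    by_fp = {}
    for line in authorized_keys_lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key = parse_pubkey_line(line)
        by_fp[fingerprint_sha256(key["blob"])] = key
    results = []
    for line in log_lines:
        m = ACCEPTED_RE.search(line)
        if not m:
            continue
        key = by_fp.get(m.group("fp"))
        results.append({"user": m.group("user"), "ip": m.group("ip"),
                        "fingerprint": m.group("fp"),
                        "comment": key["comment"] if key else None})
    return results


# Constructed authorized_keys contents (arbitrary key bytes, demo only).
AUTHORIZED_KEYS = [
    "# constructed keys for the demo",
    make_ed25519_pubkey_line(bytes(range(32)), "greg@laptop"),
    'from="192.0.2.0/24" '
    + make_ed25519_pubkey_line(hashlib.sha256(b"demo-2").digest(), "deploy@ci"),
]
KNOWN_FP = fingerprint_sha256(parse_pubkey_line(AUTHORIZED_KEYS[1])["blob"])

# Constructed auth.log lines: one login with a known key, one with a key
# that is not in authorized_keys, and one unrelated failed password.
AUTH_LOG = [
    "Jan 11 10:02:13 host sshd[1234]: Accepted publickey for greg from "
    f"192.0.2.10 port 51234 ssh2: ED25519 {KNOWN_FP}",
    "Jan 11 10:05:41 host sshd[1250]: Accepted publickey for greg from "
    "198.51.100.7 port 40000 ssh2: ED25519 SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
    "Jan 11 10:06:02 host sshd[1260]: Failed password for invalid user admin "
    "from 198.51.100.7 port 40001 ssh2",
]

if __name__ == "__main__":
    for entry in match_logins(AUTH_LOG, AUTHORIZED_KEYS):
        print(entry)
```

The second log entry is the interesting one for key management: a successful login whose fingerprint does not appear in the <code>authorized_keys</code> file you are reviewing means a key was accepted from somewhere else (another user's file, a certificate, or a stale copy), which is exactly what logging the fingerprint is meant to surface.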
 
== On Windows ==
Since late 2018, Microsoft has included a '''fork''' of the OpenSSH project in Windows.<ref>"OpenSSH has been added to Windows (as of autumn 2018), and is included in Windows Server and Windows client." - https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_overview
 
At the time of writing, the Microsoft fork is 618 commits ahead of, and 168 commits behind, openssh:master of the OpenBSD OpenSSH project. 'Portable' is the OpenSSH project's term for the version of the software made to build on Unix-like systems other than OpenBSD. The '''open source OpenSSH project repo is at https://github.com/openssh/openssh-portable '''
 
The Microsoft fork of OpenSSH is at https://github.com/PowerShell/openssh-portable
</ref>
 
Your client config on Windows is at
<tt>%userprofile%\.ssh\config</tt>
 
 
{{References}}
[[Category:System Administration]]
[[Category:Security]]
[[Category:SSH]]