Beard: Created page with "

 daemon: 	sshd (sometimes ssh)  packages: 	openssh 	openssh-server 	openssh-clients  config: 	/etc/ssh/sshd_config 	/etc/ssh/ssh_config 	/etc/ssh/ssh_known_hosts 	~/.ssh/..."

2016-02-29T21:38:00Z

Created page with "<pre> daemon: sshd (sometimes ssh) packages: openssh openssh-server openssh-clients config: /etc/ssh/sshd_config /etc/ssh/ssh_config /etc/ssh/ssh_known_hosts ~/.ssh/..."

New page

<pre>
daemon:
sshd (sometimes ssh)

packages:
openssh
openssh-server
openssh-clients

config:
/etc/ssh/sshd_config
/etc/ssh/ssh_config
/etc/ssh/ssh_known_hosts
~/.ssh/config
~/.ssh/rc
~/.ssh/authorized_keys
/var/log/secure
/var/log/messages

ssh_config:

CASE SENSATIVE

arguments:
ForwardX11 yes
TCPKeepAlive yes (default: yes)

sshd_config:

CASE SENSATIVE

arguments:
AllowUsers user user - can use * and ?. no need to explicitly deny afterwards.
DenyUsers user user
AllowGroups group group
DenyGroup group group
PermitRootLogin no
PasswordAuthentication yes (default: yes, change to 'no' for RSA key only)
PermitEmptyPassword no (default: no)
AuthorizedKeysFile %h/.ssh/authorized_keys
RSAAuthentication yes
PubkeyAuthentication yes
ChrootDirectory /path
IgnoreRhosts yes - ignores .rhosts and .shosts. "Yes" is more secure.

UsePAM yes - default yes
StrictModes yes - more secure but may cause permission problems (default: yes)
LoginGraceTime <#> - session timeout. default 120. Infinite 0.
MaxSessions <#> - default 10
MaxAuthTries <#> - default 6

Banner /path/file.txt
X11Forwarding no
TCPKeepAlive yes (default: yes)

commands:
ssh user@host <command> - user is on remote system. command is optional.
-X - run with X11 forwarding
-Y - X11 forwarding in "trusted" mode
-N - do not execute remote commands
-D <port> - opens a port for forwarding traffic. applications may use this port for secure connections. does not open a shell.
-C - use compression

scp - secure copy
scp user@from-host:/path/file user@to-host:file
to copy to localhost just put file instead of user@to-host:file (or vice versa)
-r - recursive
-p - preserve
-C - compression
-p <port> - port

sftp - secure ftp
sftp user@host

ssh-keygen - create keys, allowing login without password
ssh-keygen -t <type> -b <#bits>
rsa - default bits: 2048, minimum bits: 768
dsa - required bits: 1024
will generate private key (~/.ssh/id_rsa) and public key (~/.ssh/id_rsa.pub)
copy ~/.ssh/id_rsa.pub to the server as ~/.ssh/authorized_keys
done

ssh-keygen -p - changes password in RSA key (default file: ~/.ssh/id_rsa)

nohup <command> - runs command on remote machine without disruption from shell disconnection.
run while logged in on remote machine.
outputs need to be redirected.

RSA key authentication:
start on the host from which you will be administering other systems.
use 'ssh-keygen -t rsa' to generate keys (use -b <#> to use different number of bits, passphrase optional)
copy ~/.ssh/id_rsa.pub to the remote system. could use 'scp ~/.ssh/id_rsa.pub username@host:~'
ssh into the remote system using 'ssh username@host'
run 'cat ~/id_rsa.pub >> ~/.ssh/authorized_keys' if file already exists. ALWAYS APPEND!
edit /etc/ssh/sshd_config (still in remote machine) and edit these lines as follows:
PermitRootLogin no
PasswordAuthentication no
AuthorizedKeysFile %h/.ssh/authorized_keys
RSAAuthentication yes
PubkeyAuthentication yes
restart the daemon (ssh or sshd)
exit the ssh session
you can now remotely administer the system that has the public key
In a GUI shell, sometimes the "Keyring" saves the passphrase for the RSA key.

port forwarding: ?
-L <local-port>:<remote-host>:<remote-port> <target-host> - port forwarding from local host (usually use with -N)
-R <local-port>:<remote-host>:<remote-port> <target-host> - port forwarding from remote hosts

</pre>

Ssh - Revision history

Beard: Created page with "
daemon: sshd (sometimes ssh) packages: openssh openssh-server openssh-clients config: /etc/ssh/sshd_config /etc/ssh/ssh_config /etc/ssh/ssh_known_hosts ~/.ssh/..."