Ssh

From TheBeard Science Project Wiki
Revision as of 16:38, 29 February 2016 by Beard (Created page)

daemon:
	sshd (sometimes ssh)

packages:
	openssh
	openssh-server
	openssh-clients

config:
	/etc/ssh/sshd_config
	/etc/ssh/ssh_config
	/etc/ssh/ssh_known_hosts
	~/.ssh/config
	~/.ssh/rc
	~/.ssh/authorized_keys
	/var/log/secure
	/var/log/messages

ssh_config:

	CASE SENSITIVE

	arguments:
		ForwardX11 yes
		TCPKeepAlive yes (default: yes)

sshd_config:

	CASE SENSITIVE

	arguments:
		AllowUsers user user - can use the * and ? wildcards. no need to explicitly deny other users afterwards.
		DenyUsers user user
		AllowGroups group group
		DenyGroups group group
		PermitRootLogin no
		PasswordAuthentication yes (default: yes, change to 'no' for RSA key only)
		PermitEmptyPasswords no (default: no)
		AuthorizedKeysFile %h/.ssh/authorized_keys
		RSAAuthentication yes
		PubkeyAuthentication yes
		ChrootDirectory /path
		IgnoreRhosts yes - ignores .rhosts and .shosts. "Yes" is more secure.

		UsePAM yes - default yes
		StrictModes yes - more secure but may cause permission problems (default: yes)
		LoginGraceTime <#> - seconds allowed for a login to complete before the server disconnects. default 120. 0 = no limit.
		MaxSessions <#> - default 10
		MaxAuthTries <#> - default 6

		Banner /path/file.txt
		X11Forwarding no
		TCPKeepAlive yes (default: yes)

commands:
	ssh user@host <command> - user is on remote system. command is optional.
		-X - run with X11 forwarding
		-Y - X11 forwarding in "trusted" mode
		-N - do not execute remote commands
		-D <port> - opens a local SOCKS proxy port. applications may send their traffic through this port over the encrypted connection. does not open a shell.
		-C - use compression

	scp - secure copy
		scp user@from-host:/path/file user@to-host:file
			to copy to localhost just put file instead of user@to-host:file (or vice versa)
			-r - recursive
			-p - preserve
			-C - compression
			-P <port> - port (uppercase, since -p is preserve)

	sftp - secure ftp
		sftp user@host

	ssh-keygen - create keys, allowing login without password
		ssh-keygen -t <type> -b <#bits>
			rsa - default bits: 2048, minimum bits: 768
			dsa - required bits: 1024
		will generate private key (~/.ssh/id_rsa) and public key (~/.ssh/id_rsa.pub)
		copy ~/.ssh/id_rsa.pub to the server as ~/.ssh/authorized_keys
		done

	ssh-keygen -p - changes the passphrase of a private key (default file: ~/.ssh/id_rsa)

	nohup <command> - runs command on remote machine without disruption from shell disconnection.
		run while logged in on remote machine.
		outputs need to be redirected.

RSA key authentication:
	start on the host from which you will be administering other systems.
	use 'ssh-keygen -t rsa' to generate keys (use -b <#> to use different number of bits, passphrase optional)
	copy ~/.ssh/id_rsa.pub to the remote system. could use 'scp ~/.ssh/id_rsa.pub username@host:~'
	ssh into the remote system using 'ssh username@host'
	run 'cat ~/id_rsa.pub >> ~/.ssh/authorized_keys' (appends, so existing keys are kept if the file already exists). ALWAYS APPEND!
	edit /etc/ssh/sshd_config (still in remote machine) and edit these lines as follows:
		PermitRootLogin no
		PasswordAuthentication no
		AuthorizedKeysFile %h/.ssh/authorized_keys
		RSAAuthentication yes
		PubkeyAuthentication yes
	restart the daemon (ssh or sshd)
	exit the ssh session
	you can now remotely administer the system that has the public key
	In a GUI shell, sometimes the "Keyring" saves the passphrase for the RSA key.
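To check that the sshd_config edits above actually took effect the way sshd reads the file (keywords matched case-insensitively, first occurrence wins), here is an added audit script that is not part of the original notes. It assumes sshd's defaults for any keyword not present (PermitRootLogin defaulting to yes, as in older OpenSSH, is an assumption) and ignores Match blocks; the sample config is constructed for the demonstration.

```shell
#!/bin/sh
# Constructed sample sshd_config with weak settings to audit (not a real host's file).
SAMPLE_CONF="${TMPDIR:-/tmp}/sshd_config.sample"
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample
Port 22
permitrootlogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
MaxAuthTries 6
EOF

# Effective value of a keyword: sshd takes the first occurrence and matches
# keywords case-insensitively. Unset keywords yield the supplied default.
# Simplification: Match blocks are not handled (assumption for this example).
sshd_effective() {
    file=$1; key=$2; default=$3
    val=$(awk -v k="$key" 'tolower($1)==tolower(k) {print $2; exit}' "$file")
    [ -n "$val" ] && printf '%s\n' "$val" || printf '%s\n' "$default"
}

# Audit the hardening settings from the RSA-key procedure above.
# spec format: Keyword:wanted-value:assumed-default
# Prints one line per mismatch and returns the number of mismatches.
audit_sshd_config() {
    file=$1; fails=0
    for spec in PermitRootLogin:no:yes PasswordAuthentication:no:yes \
                PermitEmptyPasswords:no:no PubkeyAuthentication:yes:yes \
                IgnoreRhosts:yes:yes StrictModes:yes:yes; do
        key=${spec%%:*}; rest=${spec#*:}; want=${rest%%:*}; def=${rest#*:}
        have=$(sshd_effective "$file" "$key" "$def")
        if [ "$have" != "$want" ]; then
            printf 'FAIL %s: effective "%s", want "%s"\n' "$key" "$have" "$want"
            fails=$((fails + 1))
        fi
    done
    return $fails
}

# Run against the constructed sample; on a real host point it at /etc/ssh/sshd_config.
audit_sshd_config "$SAMPLE_CONF" || echo "$? setting(s) need attention"
```

Run it again after restarting sshd and it should report nothing; a non-zero exit still means some line of the procedure was not applied.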

port forwarding: ?
	-L <local-port>:<remote-host>:<remote-port> <target-host> - local port forwarding: connections to <local-port> on this host go through <target-host> to <remote-host>:<remote-port> (usually use with -N)
	-R <remote-port>:<host>:<host-port> <target-host> - remote port forwarding: connections to <remote-port> on <target-host> come back through the tunnel to <host>:<host-port> as reached from the local side