SSH Notes

These notes apply to OpenSSH

• SSH sessions
  • Initiate a session
    • Use ssh [email protected] to initiate an ssh session (can alternatively use ssh -l user domain.com)
  • Files stored locally in ~/.ssh
    • Known hosts
      • The first time you connect to a remote server via SSH, you are asked if you want to continue--if you do, that server is added to the known_hosts file
    • Permissions: recommended is 700 for the .ssh folder and 600 for ssh files
  • Useful commands
    • Type ssh --help, scp --help, or ssh-keygen -help to see possible options
    • -v for verbose output
    • -C compress a session (for slow connections) - Ex: ssh -C domain.com
    • -o PubkeyAuthentication=no
      • Useful for when you receive the following error: Too many authentication failures for username
      • Bypasses key authentication and goes straight to username/password
    • -o PreferredAuthentications=hostbased,publickey,keyboard-interactive,password
      • List the order of preferred authentication methods
  • Escape character
    • Alerts ssh that there are special commands to follow, which aren't sent immediately to the server
    • Usage
      • Default is ~
      • Must be the first character on the command line to be treated as an escape character
      • Next character determines the effect--Ex: Ctrl-Z will suspend ssh, like any other shell job
      • -e "new-character" will change the escape character, when initializing an ssh session; Ex - ssh -e "%" [email protected]
• SSH keys
  • Generate a new DSA or RSA key: ssh-keygen
    • -t lets you specify either a dsa or rsa key (rsa is default and preferred) -- Ex: ssh-keygen -t rsa
    • -b specifies the number of bits in the key (default is 2048) -- Ex: ssh-keygen -t dsa -b 2048
    • -f specifies the name relative to your current directory
      • Ex: ssh-keygen -t dsa -f mykey
      • If you omit, -f, you are prompted for a name
      • Default name is id_dsa and id_rsa
    • -N specifies the passphrase
      • Ex: ssh-keygen -t dsa -N secretword
      • If you omit this, you'll be prompted later
    • -C specifies a comment
      • Defaults to username@host where host is the local host name
      • Ex: ssh-keygen -t rsa -C "This is a comment"
    • Be careful using the above flags if your command line is logged!!!
    • Passphrase (password) - always provide this because it encrypts the key; should be 10-15 characters long and not a grammatical sentence
    • -p to change the passphrase of an existing key
      • Also specify the filename with -f and the old and new passphrases with -P and -N
      • Ex: ssh-keygen -t dsa -p -f mykey -P secretword -N newword
      • (If you omit the flags, you'll be prompted to enter the information)
      • Benefit of this is that it doesn't change the file, just the passphrase for encryption, so no new public key uploads are needed
    • ssh-add [key-name] adds private key identities to the authentication agent (necessary for some OS programs)
      • -d removes specified identities from the agent
      • -D deletes all identities from the agent
      • -l lists fingerprints of all registered identities
      • -L lists public key parameters of all registered identities
      • -K add passphrase in your keychain when adding identity (Mac OS)
      • -c subjects added identities to confirmation
  • Authorized keys
    • Public keys go in a file called ~/.ssh/authorized_keys--transfer the contents of your public key into this file, all on one line
    • When using ssh2, the name of this file can be authorized_keys2
    • ssh-copy-id is a script that copies local key files onto a server in ~/.ssh./authorized_keys
      • ssh-copy-id -i key_file [email protected]
      • Ex: ssh-copy-id -i mykey [email protected] (don't need .pub extension for key file)
      • Creates a new authorized_keys file on the server or appends a new line to one
      • Does not create a new line before the key, so make sure there's one there already
      • Does create a new line at the end of the key, to prepare for the next one
  • SSH agent
    • Tracks keys for you so you don't have to repeatedly enter a passphrase
    • ssh-agent $SHELL
      • Invokes ssh agent with the specified shell
      • Ex: ssh-agent $bash
    • ssh-add
• Configuration files
  • Syntax
    • Set with a combination of keywords and values
    • Can use Keyword value or Keyword = value
    • Can use the -o flag to set individual configuration options
      • Ex: ssh -o "User sally" or ssh -o User=sally
      • Use multiple -o "Keyword value" inline to set multiple options
    • File usually stored as ~/.ssh/config
    • -F will specify a different configuration file than the default
      • Ex: ssh -F /usr/local/ssh/other_config
  • Host myserver
    • Allows you to set host specific configuration
    • Indent configuration values under this line (not required, but easier to read)
    • myserver can be a server name, an ip address, or a nickname
    • Wildcards are allowed - Ex: Host *.example.com
      • If multiple wildcards match the same server, all settings that match apply; if there are duplicate settings, the earliest setting is applied
    • Host settings keywords
      • User
      • HostName
      • IdentityFile
      • ForwardAgent
      • Port
      • Cipher
• Transferring files
  • scp [source] [destination]
  • scp [email protected]:filename new-local-filename
  • Leaving the user name off of the source domain indicates that the remote name is the same as the local one
• SSH server configuration
  • Configuration file located in /etc/ssh/sshd_config
  • Change port number to something other than the default
  • Restart ssh deamon /etc/init.d/ssh reload