Saturday, August 4, 2018

SSH


Configuration
-------------

- server (sshd) config file is /etc/ssh/sshd_config
- system-wide client config file is /etc/ssh/ssh_config
- per-user client config file is ~/.ssh/config (read before /etc/ssh/ssh_config; the first value found for an option wins, so specific Host blocks go above Host *)

Options and Parameters in /etc/ssh/sshd_config

ClientAliveInterval
seconds of inactivity after which sshd sends a keepalive request through the encrypted channel and waits for a reply (default 0 = never check)
ClientAliveCountMax
number of unanswered keepalive requests before sshd drops the session (default 3); an unresponsive client is disconnected after roughly ClientAliveInterval * ClientAliveCountMax seconds, e.g. 300 * 2 = about 10 minutes. These are server-side; the client-side equivalents in ssh_config are ServerAliveInterval and ServerAliveCountMax.

Commands
--------

## force IPv4 only (-6 for IPv6 only)
ssh -4 host

## remove a host's entry (all key types) from ~/.ssh/known_hosts, e.g. after a rebuild changed its host key
ssh-keygen -R hostname

## regenerate missing or corrupt host keys (sshd logs "Could not load host key: ..." and may refuse to start);
## run as root, give an empty passphrase (host keys must not be encrypted), restart sshd afterwards;
## clients will see a changed-host-key warning
ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key
ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key   # DSA host keys are 1024-bit and disabled by default since OpenSSH 7.0; only needed for legacy clients

## import a public key in SSH2 (RFC 4716) format and print it in OpenSSH format
ssh-keygen -i -f keyfile

## host public keys: ssh_host_key.pub is the legacy protocol-1 key; protocol-2 keys are one per algorithm
/etc/ssh/ssh_host_key.pub
/etc/ssh/ssh_host_rsa_key.pub, /etc/ssh/ssh_host_ed25519_key.pub, ...

ssh-keygen -e -f ~/.ssh/id_dsa.pub --> exports an OpenSSH public key in SSH2 (RFC 4716) format
ssh-keygen -i -f ~/.ssh/id_dsa_SSH2 --> imports an SSH2 (RFC 4716) public key into OpenSSH format


SSH2 (RFC 4716) vs OpenSSH public key format

Both carry the same base64 key blob; only the wrapping differs. SSH2/RFC 4716 wraps it in BEGIN/END lines, optional "Tag: value" header lines (Comment is the usual one) and a body folded into lines of at most 72 characters. OpenSSH uses a single line: "<key type> <base64 blob> [comment]". The key type is not written anywhere in the SSH2 wrapper; it is encoded inside the blob.

SSH2 key
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "2048-bit RSA, converted from OpenSSH by root@server"
AAAAB3NzaC1yc2EAAAABIwAAAQEA04dh1xm3KfeztO9zcrofeuddJ9yQ7RCSrUibD6vw8W
xATGW5kD/a5ZjtF/GURh5AbUcZnjVjIn7RnFbSLeeZb+SuLNREnOHrtAkwcBUY+dSGrqhy
+8Mzfp2oI9UFKP53rCp1ttM1kquB50LozTh3y278Po4YdfwWlb43laTB97qqMFjzx0uK5R
AgvgyVHtGKUY9Q+VVq++cHIfUzYlCMILg+hh+EBSxRVtkYSTxGZgjOKyAjpzjggVgJEi0R
XzFSuVpy5MbtTIIYpyS0A+RN1874TSWsCU9+N6CkDxQBY3fWrHHvjhCXy7Uw5hmHLCUyHe
+c0Gh7kFMHNK6jXH7HEw==
---- END SSH2 PUBLIC KEY ----

OpenSSH key (one continuous line)
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA04dh1xm3KfeztO9zcrofeuddJ9yQ7RCSrUibD6vw8WxATGW5kD/a5ZjtF/GURh5AbUcZnjVjIn7RnFbSLeeZb+SuLNREnOHrtAkwcBUY+dSGrqhy+8Mzfp2oI9UFKP53rCp1ttM1kquB50LozTh3y278Po4YdfwWlb43laTB97qqMFjzx0uK5RAgvgyVHtGKUY9Q+VVq++cHIfUzYlCMILg+hh+EBSxRVtkYSTxGZgjOKyAjpzjggVgJEi0RXzFSuVpy5MbtTIIYpyS0A+RN1874TSWsCU9+N6CkDxQBY3fWrHHvjhCXy7Uw5hmHLCUyHe+c0Gh7kFMHNK6jXH7HEw== root@server

Tutorials
---------

Creating SSH keys
ssh-keygen -f /path/to/private_key -t rsa -N ''
  # -f: output file for the private key; the public key is written next to it as /path/to/private_key.pub
  # -N '': empty passphrase, i.e. the private key sits unencrypted on disk. Fine for automation keys on a
  #        host you control (keep the file at 600); interactive user keys should have a passphrase and be
  #        loaded into ssh-agent instead
  # -t rsa: add -b 4096 for a larger RSA key, or use -t ed25519 where the servers support it
Passwordless SSH 1 (A logs in to B with a key)
1. on A, create the key pair (verify the files appear under ~/.ssh): ssh-keygen -t rsa
2. append A's public key to B's ~/.ssh/authorized_keys (ssh-copy-id creates ~/.ssh and authorized_keys on B if they are missing):
ssh-copy-id -i /root/.ssh/id_rsa.pub user_name@machine_B
or
scp ~/.ssh/id_rsa.pub user_name@machine_B:/user_home_dir_path/.ssh/authorized_keys
   (careful: scp to that path overwrites every key already in authorized_keys; if there are any, scp to a temporary name and append with cat >>)
3. make sure that ~/.ssh and ~/.ssh/authorized_keys on B are at 700 and 600 permissions respectively
4. log in to machine B without a password
5. for the reverse direction (B to A), repeat steps 1 - 3 on machine B (same concept).

NOTE (sshd's StrictModes, on by default, silently ignores authorized_keys when these are wrong; the symptom is a password prompt or "Permission denied (publickey)" with a correct key):
- target home directory should be 700 or 750, in any case not group- or world-writable
- target .ssh directory must be 700
- authorized_keys and private keys under .ssh/ must be 600 (public .pub files may stay 644)
- everything must be owned by the login user
Passwordless SSH 2: (account also in NIS; with modifications to the local passwd file)
1. on A, create the key pair (verify the files appear under ~/.ssh): ssh-keygen -t rsa
2. append A's public key to B's ~/.ssh/authorized_keys (ssh-copy-id creates authorized_keys on B if it is missing):
ssh-copy-id -i /root/.ssh/id_rsa.pub user_name@machine_B
or
scp ~/.ssh/id_rsa.pub user_name@machine_B:/user_home_dir_path/.ssh/authorized_keys
   (overwrites any keys already in authorized_keys; append instead if there are some)
3. make sure that ~/.ssh and ~/.ssh/authorized_keys on B are at 700 and 600 permissions respectively
4. check the local passwd file on the target server: the second field should not be an "x"

x should be eliminated:
srpadm:x:7016:1003:SAP System Administrator:/usr/sap/SRP:/bin/csh

entry should look like this:
srpadm:5rPrU590FyVIs:7016:1003:SAP System Administrator:/usr/sap/SRP:/bin/csh

use this command to change the local passwd file only and not the NIS passwd map (Solaris syntax; -r selects the repository):
passwd -r files

Caveat: the "x" means the hash is kept in /etc/shadow (or served by NIS); putting it back into /etc/passwd exposes the hash to every local user, because that file is world-readable. Public key authentication does not consult the password hash, so on a normal Linux host step 4 is not needed; treat it as a workaround specific to this NIS setup and undo it once the directory entry is fixed.

5. log in to machine B without a password
6. for the reverse direction, repeat steps 1 - 3 on machine B (same concept).
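Step 2 of both procedures above drops the key in place with ssh-copy-id or scp. As an added example (not code from the original notes or from OpenSSH), here is the target-side half of ssh-copy-id as a POSIX shell function, install_authorized_key (name and interface are my own), usable from a provisioning script or by hand on machine B: it validates the public key line, creates ~/.ssh and authorized_keys with the modes from the NOTE, appends only when the key is not already there (so it does not clobber existing keys the way scp to authorized_keys does), and warns when the home directory permissions would make sshd ignore the file under StrictModes.

```shell
#!/bin/sh
# Added example, not from the original notes: the target-side half of
# ssh-copy-id as a shell function.
#
#   install_authorized_key HOMEDIR PUBKEY_FILE
# - accepts only a line that looks like an OpenSSH public key (<type> <base64> [comment])
# - creates ~/.ssh (700) and authorized_keys (600) under a private umask
# - appends the key only if it is not already present, so reruns are safe
# - warns if HOMEDIR is group/world-writable, which makes sshd ignore the
#   file under StrictModes (the default)

install_authorized_key() {
    home=$1
    pub=$2

    # First well-formed key line in the file: type, base64 blob, optional comment.
    line=$(awk 'NF >= 2 && $1 ~ /^(ssh|ecdsa|sk)-/ && $2 ~ /^[A-Za-z0-9+\/]+=*$/ { print; exit }' "$pub")
    if [ -z "$line" ]; then
        echo "install_authorized_key: $pub does not contain an OpenSSH public key" >&2
        return 1
    fi
    # Match on type + blob only, so a different comment does not create a duplicate.
    key=$(printf '%s\n' "$line" | awk '{ print $1 " " $2 }')

    # StrictModes check: in the ls -ld mode string, group-write is column 6, other-write column 9.
    case "$(ls -ld "$home")" in
        ?????w*|????????w*)
            echo "install_authorized_key: warning: $home is group/world-writable; sshd will reject authorized_keys (StrictModes)" >&2 ;;
    esac

    # Create directory and file under umask 077 so they never exist with wider
    # permissions, then pin the modes the notes require.
    (
        umask 077
        mkdir -p "$home/.ssh" || exit 1
        [ -e "$home/.ssh/authorized_keys" ] || : > "$home/.ssh/authorized_keys"
    ) || return 1
    chmod 700 "$home/.ssh"
    chmod 600 "$home/.ssh/authorized_keys"

    # Idempotent append.
    if grep -qF -- "$key" "$home/.ssh/authorized_keys"; then
        echo "key already present in $home/.ssh/authorized_keys"
        return 0
    fi
    printf '%s\n' "$line" >> "$home/.ssh/authorized_keys"
    echo "key added to $home/.ssh/authorized_keys"
}

# Usage on machine B as the login user, after copying the key file to a temporary name:
#   install_authorized_key "$HOME" /tmp/id_rsa.pub
```

Because the function matches on type and blob, running it twice (or once with a re-commented copy of the same key) leaves a single entry; keys that were already in the file are kept.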

Converting SSH key formats
to convert a public key in SSH2 (RFC 4716) format, as exported by PuTTYgen or a commercial SSH2 client, into OpenSSH format so it can go into authorized_keys on a unix/linux host:
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-20130424"
AAAAB3NzaC1yc2EAAAABJQAAAIBzxhgzK3bv7yOKXpZR5uIru6OoKANrkn2MmbAC
wSIutaZCKuOaPAPGQv/YPI3JPk0UCOvgtjN/G3Ejm3gzFw/g35rmdQJj8PtPtugE
jgZnWxYWyhsOoAepeGrfw6Wu/tFBHctHt1VnPzRqZU+gwk1dCzuQP46lYyosXLKF
CLZFKQ==
---- END SSH2 PUBLIC KEY ----

execute this command (-i = import; it prints the one-line OpenSSH form, which is appended to authorized_keys):
ssh-keygen -i -f /tmp/identity2.pub >> ~/.ssh/authorized_keys
Suppressing banners and prompts
1. -q (quiet mode) suppresses most warning and diagnostic messages, the login banner included
ssh -q my.host.com

2. Annoyed by "Are you sure you want to continue connecting (yes/no)?"? The "StrictHostKeyChecking no" option makes ssh add the remote host's public key to your known_hosts file without asking (known_hosts stores the key itself; the prompt shows its fingerprint, a hash of that key). This can be useful if you have many servers to access and don't want to manually reply "yes" to each of them. The price: with "no", ssh also proceeds when the stored key and the presented key differ (password authentication and forwarding are disabled for that session, but the connection is made), which is exactly the man-in-the-middle case known_hosts exists to catch. Safer alternatives are "StrictHostKeyChecking accept-new" (OpenSSH 7.6 and later: unknown hosts are added silently, a changed key still aborts), or seeding known_hosts with ssh-keyscan and verifying the fingerprints out of band before running the loop.

bash-3.2$ for i in `cat servers`; do ssh -o "StrictHostKeyChecking no" $i "hostname"; done
hostA.com
hostB.com
hostC.com
bash-3.2$
Daily annoyances that can be suppressed
The following can be added under ~/.ssh/config. An example is:

Host *
  StrictHostKeyChecking no
  UserKnownHostsFile /dev/null

1. Disable prompts for host keys.
StrictHostKeyChecking no

2. Disable the known_hosts file. Meant for remote hosts whose host key keeps changing (a lab VM that is reinstalled often, or one address that fronts several machines); with /dev/null nothing is remembered, so there is nothing to mismatch.
UserKnownHostsFile /dev/null

Caveat: under "Host *" this pair turns host authentication off for every connection, so anyone on the network path can impersonate any server and collect passwords or relay through a forwarded agent. Scope it to a Host pattern that covers only the throwaway machines (for example Host *.lab.example) and leave the defaults in place for everything else; if the goal is just to avoid the first-connection prompt, StrictHostKeyChecking accept-new does that while still rejecting changed keys.
Generate the public key from a private key (when the .pub file is lost; also a quick check that the private key still loads)
ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub

Troubleshooting
---------------

Common issues
# correct password but login refused anyway: PAM or an account restriction (locked or expired account, AllowUsers/AllowGroups, pam_access);
# the reason is in the server log (/var/log/auth.log or /var/log/secure), the client only sees the close
user@remote.server.com's password:
Connection closed by 192.168.54.100

# incorrect password
user@remote.server.com's password:
Permission denied, please try again.

# key not accepted
error:
[esl-playbooks]_$ ssh user@server.com
Permission denied (publickey).

meaning:
the list in parentheses is the set of authentication methods the server still accepts. Here only publickey is allowed, so password login is off on that server and none of the keys the client offered matched an entry in the user's authorized_keys. Run ssh -v to see which keys were offered and check the key and the target-side permissions from the NOTE above (StrictModes failures look exactly like this).
A server can also require "double authentication", a key and a password together (AuthenticationMethods "publickey,password" in sshd_config); then the key has to be accepted first and ssh prompts for the password afterwards.

# no matching host key type found. Their offer: ssh-dss
Resolution (the server only has a 1024-bit DSA host key, which OpenSSH 7.0 and later refuse by default):
ssh -oHostKeyAlgorithms=+ssh-dss 192.168.1.34

# no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
Resolution (the server only speaks 1024-bit group1 DH with SHA-1, also disabled by default since OpenSSH 7.0):
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 inv-filerd.msred.dom

Both options re-enable algorithms that were turned off for weakness. Put them in a per-host block in ~/.ssh/config (Host inv-filerd.msred.dom / KexAlgorithms +diffie-hellman-group1-sha1) rather than on the command line or globally, so they apply only to that appliance, and treat them as a stopgap until it is upgraded.



