Ssh: Difference between revisions
From DWIKI
m (→Server side) |
|||
| (40 intermediate revisions by the same user not shown) | |||
| Line 4: | Line 4: | ||
*[http://blog.joncairns.com/2013/12/understanding-ssh-agent-and-ssh-add/ Understanding ssh-agent and ssh-add] | *[http://blog.joncairns.com/2013/12/understanding-ssh-agent-and-ssh-add/ Understanding ssh-agent and ssh-add] | ||
*[https://www.ssh.com/ssh/key/ https://www.ssh.com/ssh/key/] | *[https://www.ssh.com/ssh/key/ https://www.ssh.com/ssh/key/] | ||
*[https://www.baeldung.com/linux/ssh-authentication-methods SSH supported authentication methods] | |||
=HOWTO= | |||
== chrooted sftp == | |||
Homedir as defined in /etc/passwd /home/someuser | |||
chmod 755 /home/someuser | |||
chown root.root /home/someuser | |||
And then create writable dir for user: | |||
mkdir /home/someuser/downloads | |||
chown someuser.someuser /home/someuser/downloads | |||
| |||
Subsystem sftp internal-sftp | |||
'''Per group:''' | |||
/etc/ssh/sshd_config | |||
Match Group sftponly | |||
ChrootDirectory %h | |||
ForceCommand internal-sftp | |||
AllowTcpForwarding no | |||
PermitTunnel no | |||
X11Forwarding no | |||
#Remember this one to close Match block! | |||
Match all | |||
'''Per user:''' | |||
Match User username | |||
ChrootDirectory %h | |||
ForceCommand internal-sftp | |||
AllowTcpForwarding no | |||
PermitTunnel no | |||
X11Forwarding no | |||
#Remember this one to close Match block! | |||
Match all | |||
The ChrootDirectory must be owned by root.root with permissons 755. If you want group based access rights, you can do that in subdirectories. | |||
| |||
== ssh tunnels == | |||
===Simple tunnel to port on remote host=== | |||
ssh -L 1234:192.168.100.2:80 remotehost | |||
And then connect to localhost:1234 | |||
| |||
===Simple reverse tunnel=== | |||
Give a host access to port on system you're on: | |||
ssh -R 1234:localhost:22 you@the.other.host | |||
===Provide access to a server you can only reach from your desktop=== | |||
Where '''S''' is the server you have firewall access on, and 192.168.150.223 the server you can only reach from office. | |||
ssh -R '''S''':1234:192.168.150.223:22 '''S''' | |||
Remember to enable '''GatewayPorts''' on '''S''' and to allow access to port 1234 | |||
===Systemd service for reverse tunnel=== | |||
[Unit] | |||
Description=SSH Tunnel | |||
After=network.target | |||
[Service] | |||
Restart=always | |||
RestartSec=20 | |||
User=root | |||
ExecStart=/bin/ssh -p 2222 -o ServerAliveInterval=30 -o ServerAliveCountMax=6 -o ExitOnForwardFailure=yes -gNR :10022:localhost:22 user@example.com | |||
[Install] | |||
WantedBy=multi-user.target | |||
So to ssh to remote server you use | |||
ssh -p 10020 localhost | |||
==Copy public key to authorized_keys== | |||
ssh-copy-id | |||
==Run command on another system== | |||
ssh remotehost 'some command' | |||
==Open ssh url in firefox== | |||
Create script ~/runssh | |||
#!/bin/bash | |||
# open ssh url | |||
url=$1 | |||
protocol=${url//:*/} | |||
machine=${url//*:\/\//} | |||
machine=${machine%/} | |||
konsole -e "$protocol $machine" | |||
# or for gnome: | |||
#/usr/bin/gnome-terminal -e "$protocol $machine" | |||
In about:config set network.protocol-handler.app.ssh to ~/runssh | |||
==scp via intermediate host== | |||
scp -oProxyJump=intermediate thefile user@destination:/tmp | |||
==ssh keys== | |||
===Check ssh key passphrase=== | |||
ssy-keygen -y | |||
= FAQ = | = FAQ = | ||
==Server side== | |||
===key type ssh-rsa not in PubkeyAcceptedAlgorithms=== | |||
PubkeyAcceptedKeyTypes +ssh-rsa | |||
=== User not allowed because account is locked === | |||
Could be because using authorized key yet sshd_config has | |||
PasswordAuthentication yes | |||
==ssh multiplexing== | ==ssh multiplexing== | ||
| Line 22: | Line 142: | ||
Match Address 192.168.1.100 | Match Address 192.168.1.100 | ||
PermitRootLogin yes | PermitRootLogin yes | ||
==The agent has no identities.== | |||
== multihop tunnel == | == multihop tunnel == | ||
| Line 51: | Line 175: | ||
| | ||
=== bind Cannot assign requested address === | |||
Maybe try ssh -4, also check firewall | |||
== Unable to negotiate with 192.168.100.4 port 22: no matching cipher found. == | |||
passing old cipher, like -o arcfour?? | |||
==no matching host key type found. their offer: ssh-rsa:== | |||
In your ~/ssh/config try | |||
HostkeyAlgorithms +ssh-rsa | |||
and maybe | |||
PubkeyAcceptedAlgorithms +ssh-rsa | |||
in .ssh/config | |||
==Error messages== | |||
===Failed to connect to the host via ssh: Permission denied (publickey,password).=== | |||
* pubkey not in authorized_keys | |||
* IP not in authorized_keys | |||
=== scp: no matching key exchange method found. === | |||
scp seems to ignore .ssh/config, so use | |||
scp -o Ciphers=xxx | |||
=== scp: Received message too long === | |||
Something about defaulting to sftp and messing up forced commands expecting scp. | |||
Try | |||
scp -O | |||
=== scp: Ensure the remote shell produces no output for non-interactive sessions === | |||
Try | |||
scp -O | |||
=== kex_exchange_identification: read: Connection reset by peer === | |||
only way to find out about that is look on server | |||
=== bad ownership or modes for file authorized_keys === | |||
chmod 600 ~/.ssh/authorized_keys | |||
== Reverse tunnel with autossh == | |||
# https://superuser.com/questions/37738/how-to-reliably-keep-an-ssh-tunnel-open | |||
autossh -M 0 -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -fgNR :10023:localhost:22 the.server | |||
And in the.server:/etc/ssh/sshd_config | |||
GatewayPorts clientspecified | |||
to allow connecting to 10023 from outside | |||
As systemd service: | |||
In /etc/systemd/system/sshtunnel.service | |||
[Unit] | |||
Description=SSH Tunnel | |||
After=network.target | |||
[Service] | |||
Restart=always | |||
RestartSec=20 | |||
User=root | |||
ExecStart=/bin/ssh -o ServerAliveInterval=30 -o ServerAliveCountMax=6 -gNR :10023:localhost:22 user@ssh.example.com | |||
[Install] | |||
WantedBy=multi-user.target | |||
The | ==The RSA host key for host has changed== | ||
If you're migrating to a new server: copy /etc/ssh/ssh_host_rsa_key* to the new server | |||
== ssh | == ssh require both key and user password == | ||
In sshd_config | |||
AuthenticationMethods "publickey,password" | |||
# do not just set to no! | |||
#PasswordAuthentication yes | |||
Or for just one user | |||
Match User someuser | |||
AuthenticationMethods "publickey,password" | |||
== add your key to remote authorized_keys == | |||
ssh-copy-id remotehost | |||
or, if not installed: | |||
cat ~/.ssh/rsa_pub.id | ssh remotehost "cat >> ~/.ssh/authorized_keys" | |||
== Show key fingerprint == | |||
ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub | |||
== SSH Client side == | |||
===error: Refused by key options=== | |||
Check authorized_keys file on server | |||
===no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1=== | |||
== | ===kex_exchange_identification: banner line contains invalid characters=== | ||
Sure you're talking to an ssh service? | |||
== | ===ssh_exchange_identification: Connection closed by remote host=== | ||
===Force password prompt=== | |||
When using pubkey: | |||
ssh -o PubkeyAuthentication=no -o PreferredAuthentications=password | |||
===Authentication tried for <user> with correct key but not from a permitted host=== | |||
Check authorized_keys | |||
===Using a SSH password instead of a key is not possible because Host Key checking is enabled=== | |||
== | ==Permission denied (publickey).== | ||
Not much you can do on client side, server will probably have | |||
PasswordAuthentication yes | |||
so find an allowed key | |||
==Connection closed by authenticating user== | |||
==Error messages== | |||
===Remote: no hostkey alg=== | |||
Probably HostKeyAlgorithms | |||
Latest revision as of 11:37, 6 March 2025
Links
- Understanding ssh-agent and ssh-add
- https://www.ssh.com/ssh/key/
- SSH supported authentication methods
HOWTO
chrooted sftp
Homedir as defined in /etc/passwd /home/someuser
chmod 755 /home/someuser chown root.root /home/someuser
And then create writable dir for user:
mkdir /home/someuser/downloads chown someuser.someuser /home/someuser/downloads
Subsystem sftp internal-sftp
Per group:
/etc/ssh/sshd_config
Match Group sftponly ChrootDirectory %h ForceCommand internal-sftp AllowTcpForwarding no PermitTunnel no X11Forwarding no
#Remember this one to close Match block! Match all
Per user:
Match User username ChrootDirectory %h ForceCommand internal-sftp AllowTcpForwarding no PermitTunnel no X11Forwarding no #Remember this one to close Match block! Match all
The ChrootDirectory must be owned by root.root with permissons 755. If you want group based access rights, you can do that in subdirectories.
ssh tunnels
Simple tunnel to port on remote host
ssh -L 1234:192.168.100.2:80 remotehost
And then connect to localhost:1234
Simple reverse tunnel
Give a host access to port on system you're on:
ssh -R 1234:localhost:22 you@the.other.host
Provide access to a server you can only reach from your desktop
Where S is the server you have firewall access on, and 192.168.150.223 the server you can only reach from office.
ssh -R S:1234:192.168.150.223:22 S
Remember to enable GatewayPorts on S and to allow access to port 1234
Systemd service for reverse tunnel
[Unit] Description=SSH Tunnel After=network.target
[Service] Restart=always RestartSec=20 User=root ExecStart=/bin/ssh -p 2222 -o ServerAliveInterval=30 -o ServerAliveCountMax=6 -o ExitOnForwardFailure=yes -gNR :10022:localhost:22 user@example.com
[Install] WantedBy=multi-user.target
So to ssh to remote server you use
ssh -p 10020 localhost
Copy public key to authorized_keys
ssh-copy-id
Run command on another system
ssh remotehost 'some command'
Open ssh url in firefox
Create script ~/runssh
#!/bin/bash
# open ssh url
url=$1
protocol=${url//:*/}
machine=${url//*:\/\//}
machine=${machine%/}
konsole -e "$protocol $machine"
# or for gnome:
#/usr/bin/gnome-terminal -e "$protocol $machine"
In about:config set network.protocol-handler.app.ssh to ~/runssh
scp via intermediate host
scp -oProxyJump=intermediate thefile user@destination:/tmp
ssh keys
Check ssh key passphrase
ssy-keygen -y
FAQ
Server side
key type ssh-rsa not in PubkeyAcceptedAlgorithms
PubkeyAcceptedKeyTypes +ssh-rsa
User not allowed because account is locked
Could be because using authorized key yet sshd_config has
PasswordAuthentication yes
ssh multiplexing
https://www.cyberciti.biz/faq/linux-unix-reuse-openssh-connection
remember key passphrase
ssh-agent bash ssh-add ~/.ssh/id_rsa
root access from single host
Match Address 192.168.1.100
PermitRootLogin yes
The agent has no identities.
multihop tunnel
ssh -A -t -l user jump-host \ -L 8080:localhost:8080 \ ssh -A -t -l user webserver.dmz \ -L 8080:localhost:8080
OR in .ssh/config define
Host targethost ProxyCommand ssh jumphost -W %h:%p
and then just
ssh -L 1234:<LAN address>:<port> targethost
SSH tunnel with putty
https://www.skyverge.com/blog/how-to-set-up-an-ssh-tunnel-with-putty/
Failed publickey
- acccess rights?
14: No supported authentication methods available [preauth]
Putty not configured to look at correct private key?
bind Cannot assign requested address
Maybe try ssh -4, also check firewall
Unable to negotiate with 192.168.100.4 port 22: no matching cipher found.
passing old cipher, like -o arcfour??
no matching host key type found. their offer: ssh-rsa:
In your ~/ssh/config try
HostkeyAlgorithms +ssh-rsa
and maybe
PubkeyAcceptedAlgorithms +ssh-rsa
in .ssh/config
Error messages
Failed to connect to the host via ssh: Permission denied (publickey,password).
- pubkey not in authorized_keys
- IP not in authorized_keys
scp: no matching key exchange method found.
scp seems to ignore .ssh/config, so use
scp -o Ciphers=xxx
scp: Received message too long
Something about defaulting to sftp and messing up forced commands expecting scp.
Try
scp -O
scp: Ensure the remote shell produces no output for non-interactive sessions
Try
scp -O
kex_exchange_identification: read: Connection reset by peer
only way to find out about that is look on server
bad ownership or modes for file authorized_keys
chmod 600 ~/.ssh/authorized_keys
Reverse tunnel with autossh
autossh -M 0 -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -fgNR :10023:localhost:22 the.server
And in the.server:/etc/ssh/sshd_config
GatewayPorts clientspecified
to allow connecting to 10023 from outside
As systemd service: In /etc/systemd/system/sshtunnel.service
[Unit] Description=SSH Tunnel After=network.target
[Service] Restart=always RestartSec=20 User=root ExecStart=/bin/ssh -o ServerAliveInterval=30 -o ServerAliveCountMax=6 -gNR :10023:localhost:22 user@ssh.example.com
[Install] WantedBy=multi-user.target
The RSA host key for host has changed
If you're migrating to a new server: copy /etc/ssh/ssh_host_rsa_key* to the new server
ssh require both key and user password
In sshd_config AuthenticationMethods "publickey,password" # do not just set to no! #PasswordAuthentication yes
Or for just one user
Match User someuser AuthenticationMethods "publickey,password"
add your key to remote authorized_keys
ssh-copy-id remotehost
or, if not installed:
cat ~/.ssh/rsa_pub.id | ssh remotehost "cat >> ~/.ssh/authorized_keys"
Show key fingerprint
ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
SSH Client side
error: Refused by key options
Check authorized_keys file on server
no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
kex_exchange_identification: banner line contains invalid characters
Sure you're talking to an ssh service?
ssh_exchange_identification: Connection closed by remote host
Force password prompt
When using pubkey:
ssh -o PubkeyAuthentication=no -o PreferredAuthentications=password
Authentication tried for <user> with correct key but not from a permitted host
Check authorized_keys
Using a SSH password instead of a key is not possible because Host Key checking is enabled
Permission denied (publickey).
Not much you can do on client side, server will probably have
PasswordAuthentication yes
so find an allowed key
Connection closed by authenticating user
Error messages
Remote: no hostkey alg
Probably HostKeyAlgorithms
