Ssh
Links
- Understanding ssh-agent and ssh-add
- https://www.ssh.com/ssh/key/
- SSH supported authentication methods
HOWTO
chrooted sftp
Homedir as defined in /etc/passwd: /home/someuser
chmod 755 /home/someuser
chown root.root /home/someuser
And then create a writable dir for the user:
mkdir /home/someuser/downloads
chown someuser.someuser /home/someuser/downloads
Subsystem sftp internal-sftp
Per group:
/etc/ssh/sshd_config
Match Group sftponly
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    PermitTunnel no
    X11Forwarding no
# Remember this one to close the Match block!
Match all
Per user:
Match User username
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    PermitTunnel no
    X11Forwarding no
# Remember this one to close the Match block!
Match all
The ChrootDirectory, and every directory above it, must be owned by root.root and must not be writable by group or others (755 is fine); sshd refuses the login otherwise. If you want group based access rights, you can do that in subdirectories.
ssh tunnels
Simple tunnel to a port on a remote host
ssh -L 1234:192.168.100.2:80 remotehost
And then connect to localhost:1234
Simple reverse tunnel
Give a host access to a port on the system you're on:
ssh -R 1234:localhost:22 you@the.other.host
Provide access to a server you can only reach from your desktop
Where S is the server you have firewall access on, and 192.168.150.223 the server you can only reach from office.
ssh -R S:1234:192.168.150.223:22 S
Remember to enable GatewayPorts on S and to allow access to port 1234 in S's firewall.
Systemd service for reverse tunnel
[Unit]
Description=SSH Tunnel
After=network.target

[Service]
Restart=always
RestartSec=20
User=root
ExecStart=/bin/ssh -p 2222 -o ServerAliveInterval=30 -o ServerAliveCountMax=6 -o ExitOnForwardFailure=yes -gNR :10022:localhost:22 user@example.com

[Install]
WantedBy=multi-user.target
So to ssh to the remote server, on example.com you use
ssh -p 10020 localhost
Copy public key to authorized_keys
ssh-copy-id
Run command on another system
ssh remotehost 'some command'
Open ssh url in firefox
Create script ~/runssh:
#!/bin/bash
# open ssh url: ssh://host/ -> "ssh host"
url=$1
protocol=${url//:*/}        # everything before the first ':'
machine=${url//*:\/\//}     # everything after '://'
machine=${machine%/}        # drop trailing slash
konsole -e "$protocol $machine"
# or for gnome:
#/usr/bin/gnome-terminal -e "$protocol $machine"
In about:config set network.protocol-handler.app.ssh to ~/runssh
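Added example, not the ~/runssh script from the notes: a browser hands this handler an attacker-controlled URL, so the parser below only accepts ssh:// or sftp:// with a plain user, hostname and port, and rejects anything else (spaces, shell metacharacters, a leading dash) before a terminal is ever started. The run_ssh_url wrapper and the konsole invocation are assumed, as in the original script.

```shell
#!/bin/sh
# parse_ssh_url URL -> prints "proto [user@]host port" or returns 1.
# Bracketed IPv6 literals are not handled and are therefore rejected.
parse_ssh_url() {
    url=$1
    proto=${url%%://*}
    [ "$proto" != "$url" ] || return 1           # no "://" at all
    case $proto in ssh|sftp) ;; *) return 1 ;; esac
    rest=${url#*://}
    rest=${rest%%/*}                              # drop any path part
    user=""
    case $rest in *@*) user=${rest%%@*}; rest=${rest#*@} ;; esac
    port=22
    case $rest in *:*) port=${rest##*:}; rest=${rest%%:*} ;; esac
    host=$rest
    # allowlist each field; anything outside it is refused, not escaped
    case $host in ""|*[!A-Za-z0-9.-]*|-*) return 1 ;; esac
    case $user in *[!A-Za-z0-9._-]*|-*) return 1 ;; esac
    case $port in ""|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    printf '%s %s %s\n' "$proto" "${user:+$user@}$host" "$port"
}

# run_ssh_url URL: validated fields only, passed as separate arguments
# (assumed wrapper; ssh takes -p for the port, sftp takes -P)
run_ssh_url() {
    spec=$(parse_ssh_url "$1") || { echo "rejected url: $1" >&2; return 1; }
    set -- $spec
    if [ "$1" = sftp ]; then pflag=-P; else pflag=-p; fi
    konsole -e "$1" "$pflag" "$3" "$2"
}
```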
scp via intermediate host
scp -oProxyJump=intermediate thefile user@destination:/tmp
FAQ
Server side
key type ssh-rsa not in PubkeyAcceptedAlgorithms
PubkeyAcceptedKeyTypes +ssh-rsa
(ssh-rsa here means RSA signatures with SHA-1; prefer replacing the key with an ed25519 one, or a client that can do rsa-sha2-256/512, over re-enabling it)
ssh multiplexing
https://www.cyberciti.biz/faq/linux-unix-reuse-openssh-connection
remember key passphrase
ssh-agent bash
ssh-add ~/.ssh/id_rsa
root access from single host
Match Address 192.168.1.100
    PermitRootLogin yes
Match all
The agent has no identities.
Run ssh-add (see above) to load a key into the agent.
multihop tunnel
ssh -A -t -l user jump-host \
    -L 8080:localhost:8080 \
    ssh -A -t -l user webserver.dmz \
    -L 8080:localhost:8080
OR in .ssh/config define
Host targethost
    ProxyCommand ssh jumphost -W %h:%p
(newer OpenSSH: ProxyJump jumphost does the same, and neither needs -A agent forwarding, which would expose your agent to the jump host)
and then just
ssh -L 1234:<LAN address>:<port> targethost
SSH tunnel with putty
https://www.skyverge.com/blog/how-to-set-up-an-ssh-tunnel-with-putty/
Failed publickey
- access rights?
14: No supported authentication methods available [preauth]
Putty not configured to look at correct private key?
bind: Cannot assign requested address
Maybe try ssh -4 (the bind address may be an IPv6 one), also check the firewall
Unable to negotiate with 192.168.100.4 port 22: no matching cipher found.
Try passing an old cipher explicitly, e.g. -c arcfour (pick one from the server's offer in the message); only for legacy devices, arcfour is broken
no matching host key type found. their offer: ssh-rsa:
In your ~/.ssh/config try
HostkeyAlgorithms +ssh-rsa
and maybe
PubkeyAcceptedAlgorithms +ssh-rsa
Error messages
scp: no matching key exchange method found.
scp seems to ignore .ssh/config, so pass the option on the command line:
scp -o KexAlgorithms=xxx (or, for a cipher mismatch, scp -o Ciphers=xxx)
scp: Received message too long
Newer scp defaults to the SFTP protocol, which breaks forced commands on the server that expect the legacy scp protocol. Try
scp -O
kex_exchange_identification: read: Connection reset by peer
The only way to find out what happened is to look in the server's logs
bad ownership or modes for file authorized_keys
chmod 600 ~/.ssh/authorized_keys
(also make sure ~/.ssh is mode 700 and both are owned by the user)
Reverse tunnel with autossh
autossh -M 0 -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -fgNR :10023:localhost:22 the.server
And in the.server:/etc/ssh/sshd_config
GatewayPorts clientspecified
to allow connecting to 10023 from outside
As systemd service: In /etc/systemd/system/sshtunnel.service
[Unit]
Description=SSH Tunnel
After=network.target

[Service]
Restart=always
RestartSec=20
User=root
ExecStart=/bin/ssh -o ServerAliveInterval=30 -o ServerAliveCountMax=6 -gNR :10023:localhost:22 user@ssh.example.com

[Install]
WantedBy=multi-user.target
The RSA host key for host has changed
If you're migrating to a new server: copy /etc/ssh/ssh_host_rsa_key* to the new server
ssh require both key and user password
In sshd_config
AuthenticationMethods publickey,password
# PasswordAuthentication must not be set to no, or the second factor can never succeed!
#PasswordAuthentication yes
Or for just one user
Match User someuser
    AuthenticationMethods publickey,password
add your key to remote authorized_keys
ssh-copy-id remotehost
or, if not installed:
cat ~/.ssh/id_rsa.pub | ssh remotehost "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys"
Show key fingerprint
ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
SSH Client side
no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
ssh -o KexAlgorithms=+diffie-hellman-group14-sha1 host (all three are SHA-1 based; group1 is the weakest of them, so enable only the strongest one the server offers, and only for that host)
kex_exchange_identification: banner line contains invalid characters
Are you sure you're talking to an ssh service?
ssh_exchange_identification: Connection closed by remote host
As with kex_exchange_identification: the server closed the connection before the banner, look in the server's logs
Force password prompt
When using pubkey:
ssh -o PubkeyAuthentication=no -o PreferredAuthentications=password host
Permission denied (publickey).
Not much you can do on the client side: the server only offers publickey, i.e. it will have
PasswordAuthentication no
so find a key that is in the user's authorized_keys