Ssh

From DWIKI
Revision as of 14:44, 20 December 2024 by Tony (talk | contribs) (→‎Error messages)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Links

HOWTO

chrooted sftp

Homedir as defined in /etc/passwd /home/someuser

chmod 755 /home/someuser
chown root.root /home/someuser

And then create writable dir for user:

mkdir /home/someuser/downloads
chown someuser.someuser /home/someuser/downloads

 

Subsystem sftp internal-sftp

Per group:

/etc/ssh/sshd_config

 Match Group sftponly
   ChrootDirectory %h
   ForceCommand internal-sftp
   AllowTcpForwarding no
   PermitTunnel no
   X11Forwarding no
 #Remember this one to close Match block!
 Match all

Per user:

 Match User username
   ChrootDirectory %h
   ForceCommand internal-sftp
   AllowTcpForwarding no
   PermitTunnel no
   X11Forwarding no
 #Remember this one to close Match block!
 Match all

The ChrootDirectory must be owned by root.root with permissons 755. If you want group based access rights, you can do that in subdirectories.

 

ssh tunnels

Simple tunnel to port on remote host

ssh -L 1234:192.168.100.2:80 remotehost

And then connect to localhost:1234

 

Simple reverse tunnel

Give a host access to port on system you're on:

ssh -R 1234:localhost:22 you@the.other.host

Provide access to a server you can only reach from your desktop

Where S is the server you have firewall access on, and 192.168.150.223 the server you can only reach from office.

ssh -R S:1234:192.168.150.223:22 S

Remember to enable GatewayPorts on S and to allow access to port 1234


Systemd service for reverse tunnel

[Unit]
Description=SSH Tunnel
After=network.target
[Service]
Restart=always
RestartSec=20
User=root
ExecStart=/bin/ssh -p 2222 -o ServerAliveInterval=30 -o ServerAliveCountMax=6 -o ExitOnForwardFailure=yes -gNR :10022:localhost:22 user@example.com
[Install]
WantedBy=multi-user.target


So to ssh to remote server you use

ssh -p 10020 localhost

Copy public key to authorized_keys

ssh-copy-id

Run command on another system

ssh remotehost 'some command'

Open ssh url in firefox

Create script ~/runssh

#!/bin/bash
# open ssh url
url=$1
protocol=${url//:*/}
machine=${url//*:\/\//}
machine=${machine%/}
konsole -e "$protocol $machine"
# or for gnome:
#/usr/bin/gnome-terminal -e "$protocol $machine"

In about:config set network.protocol-handler.app.ssh to ~/runssh


scp via intermediate host

scp -oProxyJump=intermediate thefile user@destination:/tmp

FAQ

Server side

key type ssh-rsa not in PubkeyAcceptedAlgorithms

PubkeyAcceptedKeyTypes +ssh-rsa


ssh multiplexing

https://www.cyberciti.biz/faq/linux-unix-reuse-openssh-connection

remember key passphrase

ssh-agent bash
ssh-add ~/.ssh/id_rsa

root access from single host

Match Address 192.168.1.100
       PermitRootLogin yes


The agent has no identities.

multihop tunnel

ssh -A -t -l user jump-host \
-L 8080:localhost:8080 \
ssh -A -t -l user webserver.dmz \
-L 8080:localhost:8080

OR in .ssh/config define

Host targethost
ProxyCommand ssh jumphost -W %h:%p

and then just

ssh -L 1234:<LAN address>:<port> targethost

SSH tunnel with putty

https://www.skyverge.com/blog/how-to-set-up-an-ssh-tunnel-with-putty/

Failed publickey

  • acccess rights?

14: No supported authentication methods available [preauth]

Putty not configured to look at correct private key?

 


bind Cannot assign requested address

Maybe try ssh -4, also check firewall

Unable to negotiate with 192.168.100.4 port 22: no matching cipher found.

passing old cipher, like -o arcfour??

no matching host key type found. their offer: ssh-rsa:

In your ~/ssh/config try

HostkeyAlgorithms +ssh-rsa

and maybe

PubkeyAcceptedAlgorithms +ssh-rsa

in .ssh/config


Error messages

Failed to connect to the host via ssh: Permission denied (publickey,password).

pubkey not in authorized_keys

scp: no matching key exchange method found.

scp seems to ignore .ssh/config, so use

scp -o Ciphers=xxx

scp: Received message too long

Something about defaulting to sftp and messing up forced commands expecting scp Try

scp -O

kex_exchange_identification: read: Connection reset by peer

only way to find out about that is look on server


bad ownership or modes for file authorized_keys

chmod 600 ~/.ssh/authorized_keys

Reverse tunnel with autossh

  1. https://superuser.com/questions/37738/how-to-reliably-keep-an-ssh-tunnel-open
autossh -M 0 -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -fgNR :10023:localhost:22 the.server

And in the.server:/etc/ssh/sshd_config

GatewayPorts clientspecified

to allow connecting to 10023 from outside

As systemd service: In /etc/systemd/system/sshtunnel.service

[Unit]
Description=SSH Tunnel
After=network.target
[Service]
Restart=always
RestartSec=20
User=root
ExecStart=/bin/ssh -o ServerAliveInterval=30 -o ServerAliveCountMax=6 -gNR :10023:localhost:22 user@ssh.example.com
[Install]
WantedBy=multi-user.target

The RSA host key for host has changed

If you're migrating to a new server: copy /etc/ssh/ssh_host_rsa_key* to the new server


ssh require both key and user password

In sshd_config
 AuthenticationMethods "publickey,password"
# do not just set to no!
#PasswordAuthentication yes

Or for just one user

Match User someuser
 AuthenticationMethods "publickey,password"

add your key to remote authorized_keys

ssh-copy-id remotehost

or, if not installed:

cat ~/.ssh/rsa_pub.id | ssh remotehost "cat >> ~/.ssh/authorized_keys"

Show key fingerprint

ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub


SSH Client side

no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

kex_exchange_identification: banner line contains invalid characters

Sure you're talking to an ssh service?

ssh_exchange_identification: Connection closed by remote host

Force password prompt

When using pubkey:

ssh -o PubkeyAuthentication=no -o PreferredAuthentications=password

Authentication tried for <user> with correct key but not from a permitted host

Check authorized_keys


Using a SSH password instead of a key is not possible because Host Key checking is enabled

Permission denied (publickey).

Not much you can do on client side, server will probably have

PasswordAuthentication yes

so find an allowed key


Connection closed by authenticating user