Ssh

= Links =
*[http://blog.joncairns.com/2013/12/understanding-ssh-agent-and-ssh-add/ Understanding ssh-agent and ssh-add]
*[https://www.ssh.com/ssh/key/ https://www.ssh.com/ssh/key/]
Revision as of 15:10, 23 June 2022

= FAQ =

== ssh multiplexing ==
https://www.cyberciti.biz/faq/linux-unix-reuse-openssh-connection

== remember key passphrase ==
 ssh-agent bash
 ssh-add ~/.ssh/id_rsa

== root access from single host ==
In /etc/ssh/sshd_config (PermitRootLogin keeps its global setting for every other address):
 Match Address 192.168.1.100
     PermitRootLogin yes

== multihop tunnel ==
 ssh -A -t -l user jump-host \
     -L 8080:localhost:8080 \
     ssh -A -t -l user webserver.dmz \
     -L 8080:localhost:8080
OR in .ssh/config define
 Host targethost
     ProxyCommand ssh jumphost -W %h:%p
and then just
 ssh -L 1234:<LAN address>:<port> targethost
The ProxyCommand form needs no -A: the second ssh is tunneled through jumphost instead of being started on it, so your agent is never exposed to the jump host. OpenSSH 7.3 and later also accept ProxyJump jumphost in the Host block (or ssh -J jumphost targethost on the command line).

== SSH tunnel with putty ==
https://www.skyverge.com/blog/how-to-set-up-an-ssh-tunnel-with-putty/

== Failed publickey ==
*access rights? With StrictModes (the default) sshd refuses public key login when authorized_keys, ~/.ssh or the user's home directory is writable by group or others; 700 for ~/.ssh and 600 for authorized_keys are safe.

== 14: No supported authentication methods available [preauth] ==
Putty not configured to look at correct private key?

== chrooted sftp ==
Home directory as defined in /etc/passwd: /home/someuser
 chmod 755 /home/someuser
 chown root.root /home/someuser
And then create a writable dir for the user:
 mkdir /home/someuser/downloads
 chown someuser.someuser /home/someuser/downloads
In /etc/ssh/sshd_config use the in-process sftp server; it needs no binaries or libraries inside the chroot, which the external sftp-server would:
 Subsystem sftp internal-sftp
'''Per group:'''
/etc/ssh/sshd_config
 Match Group sftponly
     ChrootDirectory %h
     ForceCommand internal-sftp
     AllowTcpForwarding no
     PermitTunnel no
     X11Forwarding no
 #Remember this one to close Match block!
 Match all
'''Per user:'''
 Match User username
     ChrootDirectory %h
     ForceCommand internal-sftp
     AllowTcpForwarding no
     PermitTunnel no
     X11Forwarding no
 #Remember this one to close Match block!
 Match all
The ChrootDirectory must be owned by root.root with permissions 755 (sshd checks every parent directory the same way and refuses the chroot otherwise). If you want group based access rights, you can do that in subdirectories.

== ssh tunnel ==
 ssh -L 1234:192.168.100.2:80 remotehost
And then connect to localhost:1234

== bind: Cannot assign requested address ==
Maybe try ssh -4 (forces IPv4; the error typically means the listening side of the forward was bound to an IPv6 address that is not configured on the host).

== Unable to negotiate with 192.168.100.4 port 22: no matching cipher found. ==
Pass an old cipher that the server still offers explicitly, e.g. -c arcfour or -o Ciphers=arcfour (the error message lists the server's offer). Note that arcfour, blowfish and CAST were removed from OpenSSH in 7.6, so a recent client cannot negotiate them at all; ssh -Q cipher lists what your client supports, and updating the server is the real fix.

== no matching host key type found ==
if that comes after 'rsa' try
 PubkeyAcceptedKeyTypes=+ssh-rsa
in .ssh/config
Strictly, "no matching host key type found" concerns the server's host key and is addressed by HostKeyAlgorithms=+ssh-rsa; PubkeyAcceptedKeyTypes (renamed PubkeyAcceptedAlgorithms in OpenSSH 8.5) re-enables ssh-rsa for your own key when authentication fails instead. Both re-enable SHA-1 signatures, which OpenSSH 8.8 disabled by default, so scope the setting to a Host block for the old machine rather than globally, and prefer an ed25519 key or updating the peer so RSA keys can use rsa-sha2-256/512 signatures.

== rsync only as root ==

== scp: no matching key exchange method found. ==
scp seems to ignore .ssh/config, so use
 scp -o KexAlgorithms=xxx
where xxx is an algorithm from the server's offer (the error prints it; ssh -Q kex lists what the client supports). The same -o form works with Ciphers=xxx when the complaint is about ciphers.

== kex_exchange_identification: read: Connection reset by peer ==
The only way to find out about that is to look on the server: the client was cut off before any banner was exchanged, so it has nothing to report. Check the sshd log there (journalctl -u ssh on Debian-style systems, -u sshd on RHEL-style ones, or /var/log/auth.log); typical causes are the MaxStartups limit being exceeded, a hosts.deny or firewall rule, or a fail2ban-style ban of the client address.

== Reverse tunnel with autossh ==
See https://superuser.com/questions/37738/how-to-reliably-keep-an-ssh-tunnel-open
 autossh -M 0 -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -fgNR :10023:localhost:22 the.server
And in the.server:/etc/ssh/sshd_config
 GatewayPorts clientspecified
to allow connecting to 10023 from outside. With that setting the empty bind address in :10023 makes the port reachable on every interface of the.server, i.e. your local sshd becomes reachable by anyone who can reach the.server; bind to 127.0.0.1:10023 instead if only users on the.server need it, and keep the tunneled sshd key-only.
As systemd service, in /etc/systemd/system/sshtunnel.service:
 [Unit]
 Description=SSH Tunnel
 After=network.target
 
 [Service]
 Restart=always
 RestartSec=20
 User=root
 ExecStart=/bin/ssh -o ServerAliveInterval=30 -o ServerAliveCountMax=6 -gNR :10023:localhost:22 user@ssh.example.com
 
 [Install]
 WantedBy=multi-user.target
Running the unit as root is not required: a dedicated local user whose only purpose is holding the tunnel (with its own key) is enough. Adding -o ExitOnForwardFailure=yes to ExecStart makes ssh exit when port 10023 is still held by a stale session on the server, so that Restart=always actually retries instead of sitting connected without the forward.

== The RSA host key for host has changed ==
If you're migrating to a new server: copy /etc/ssh/ssh_host_rsa_key* to the new server, so clients keep their existing known_hosts entry. If the key really did change (fresh install rather than migration), remove the stale entry with ssh-keygen -R host and verify the new fingerprint out of band (ssh-keygen -lf on the server, see Show key fingerprint below) rather than disabling host key checking; this warning is what protects you against a man-in-the-middle.

== ssh require both key and user password ==
In sshd_config:
 AuthenticationMethods "publickey,password"
 # do not just set to no!
 #PasswordAuthentication yes
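Three of the sshd_config pitfalls on this page (PermitRootLogin yes leaking out of its Match Address block, a Match block left open without Match all, and AuthenticationMethods demanding a password while PasswordAuthentication is set to no) can be caught by reading the file rather than by locking yourself out. The awk-based linter below is an added example, not wiki content or an OpenSSH tool; the two sample configs it writes are constructed for the demo. On a real server, sshd -t checks syntax and sshd -T prints the effective configuration, but neither flags these logical mistakes.

```shell
#!/bin/sh
# Added example (not from the wiki): a small linter for sshd_config pitfalls.
# It reads one file and reports
#   - PermitRootLogin yes outside any Match block (should be scoped to Match Address)
#   - AuthenticationMethods containing "password" while PasswordAuthentication is no
#     (sshd can then never complete the second factor and every login fails)
#   - a file that ends inside a Match block (directives after "Match ..." only apply
#     to matching connections; "Match all" returns to global scope) - a note only
# Exit status is the number of hard problems found.

lint_sshd_config() {
    awk '
    {
        sub(/#.*/, "")                       # drop comments
        if ($0 ~ /^[ \t]*$/) next            # skip blank lines
        key = tolower($1)
        val = tolower($2)
        if (key == "match") {
            in_match = (val != "all")
            next
        }
        if (in_match) next                   # directives inside Match are scoped; not checked here
        if (key == "permitrootlogin" && val == "yes")       root_global = 1
        if (key == "passwordauthentication" && val == "no") pw_off = 1
        if (key == "authenticationmethods") {
            rest = $0
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", rest)   # strip the keyword
            gsub(/"/, "", rest)                     # the wiki example quotes the value
            if (tolower(rest) ~ /password/) methods_need_pw = 1
        }
    }
    END {
        problems = 0
        if (root_global) {
            print "PROBLEM: PermitRootLogin yes applies globally; move it under Match Address <ip>"
            problems++
        }
        if (methods_need_pw && pw_off) {
            print "PROBLEM: AuthenticationMethods requires password but PasswordAuthentication is no"
            problems++
        }
        if (in_match) print "NOTE: file ends inside a Match block; add \"Match all\" before any global directives"
        exit problems
    }' "$1"
}

# Constructed sample configs (not from any real server) to exercise the linter.
SAMPLES=$(mktemp -d)

cat > "$SAMPLES/bad.conf" <<'EOF'
PermitRootLogin yes
AuthenticationMethods "publickey,password"
PasswordAuthentication no
Match Group sftponly
    ChrootDirectory %h
    ForceCommand internal-sftp
EOF

cat > "$SAMPLES/good.conf" <<'EOF'
AuthenticationMethods "publickey,password"
#PasswordAuthentication yes
Match Address 192.168.1.100
    PermitRootLogin yes
Match all
Subsystem sftp internal-sftp
EOF

echo "--- good.conf"; lint_sshd_config "$SAMPLES/good.conf" && echo "no problems"
echo "--- bad.conf";  lint_sshd_config "$SAMPLES/bad.conf"  || echo "problems found: $?"
```

Point it at /etc/ssh/sshd_config before a restart; the good sample shows the shape this page recommends (commented-out PasswordAuthentication left at its default of yes, root login scoped to one address, Match block closed), the bad one trips all three checks.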

== add your key to remote authorized_keys ==
 ssh-copy-id remotehost
or, if not installed:
 cat ~/.ssh/id_rsa.pub | ssh remotehost "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"
(the public key file is id_rsa.pub, not the private id_rsa; the directory and file modes matter, see Failed publickey above)

== Show key fingerprint ==
 ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub