Difference between revisions of "Ssh"

From DWIKI
 
Latest revision as of 10:23, 2 December 2022

Links

  • Understanding ssh-agent and ssh-add: http://blog.joncairns.com/2013/12/understanding-ssh-agent-and-ssh-add/
  • https://www.ssh.com/ssh/key/

HOWTO

chrooted sftp

Home directory as defined in /etc/passwd: /home/someuser. sshd will only chroot into a directory that is owned by root and not writable by group or others, so the user's home itself becomes root-owned:

chmod 755 /home/someuser
chown root:root /home/someuser

The user can then no longer write at the top of their chroot, so create a writable subdirectory for them:

mkdir /home/someuser/downloads
chown someuser:someuser /home/someuser/downloads
 

In /etc/ssh/sshd_config, replace the default sftp-server Subsystem line with the in-process server; nothing inside the chroot can be executed, so an external sftp-server binary would not start:

Subsystem sftp internal-sftp

Per group:

 Match Group sftponly
   ChrootDirectory %h
   ForceCommand internal-sftp
   AllowTcpForwarding no
   PermitTunnel no
   X11Forwarding no
 #Remember this one to close the Match block!
 Match all

ForceCommand keeps the account from ever getting a shell, whatever /etc/passwd says; the three forwarding options stop the account from being used as a pivot into the network behind the server.
Per user:

 Match User username
   ChrootDirectory %h
   ForceCommand internal-sftp
   AllowTcpForwarding no
   PermitTunnel no
   X11Forwarding no
 #Remember this one to close the Match block!
 Match all

%h is the user's home directory. The ChrootDirectory, and every directory above it, must be owned by root and must not be writable by group or others (755 is the usual mode); otherwise the login fails and the server's auth log shows "bad ownership or modes for chroot directory". If you want group-based access rights, grant them in subdirectories below the chroot.

 

ssh tunnel

ssh -L 1234:192.168.100.2:80 remotehost

And then connect to localhost:1234. The connection to 192.168.100.2:80 is made from remotehost, so that address is resolved and reachable on the remote side. The local listener binds to loopback only; adding -g or a bind address (-L 0.0.0.0:1234:192.168.100.2:80) exposes the forward to everyone on your network.

 


FAQ

Server side

key type ssh-rsa not in PubkeyAcceptedAlgorithms

Logged by sshd when a client authenticates with an RSA key but can only sign with the SHA-1 "ssh-rsa" algorithm, which OpenSSH 8.8 disabled by default. The RSA key itself is fine: a current client uses rsa-sha2-256/512 with the same key, so the real fix is updating the client. As a stopgap, re-enable it in /etc/ssh/sshd_config (PubkeyAcceptedKeyTypes is the pre-8.5 name of the option and still works as an alias):

PubkeyAcceptedAlgorithms +ssh-rsa


ssh multiplexing

Reuses one authenticated TCP connection for later ssh/scp sessions to the same host (ControlMaster, ControlPath and ControlPersist in ~/.ssh/config):

https://www.cyberciti.biz/faq/linux-unix-reuse-openssh-connection

remember key passphrase

ssh-agent bash
ssh-add ~/.ssh/id_rsa

ssh-agent starts a subshell with the agent socket in its environment; ssh-add asks for the passphrase once and keeps the decrypted key in the agent's memory until that shell exits. ssh-add -t 1h ~/.ssh/id_rsa makes the agent forget the key after an hour instead.

root access from single host

Keep root login disabled in general (PermitRootLogin no, or prohibit-password for key-only) and allow it from one address with a Match block at the end of /etc/ssh/sshd_config; a Match block applies until the next Match line or the end of the file:

Match Address 192.168.1.100
       PermitRootLogin yes

multihop tunnel

ssh -A -t -l user jump-host \
-L 8080:localhost:8080 \
ssh -A -t -l user webserver.dmz \
-L 8080:localhost:8080

This chains two forwards: local 8080 to the jump host, and from there to the web server. It needs -A (agent forwarding) so the second ssh running on the jump host can authenticate with your key, which means root on the jump host can use your agent for as long as you are connected. The ProxyCommand form avoids that: the jump host only relays the encrypted stream (-W) and you authenticate end to end with the target. In .ssh/config define

Host targethost
ProxyCommand ssh jumphost -W %h:%p

(on OpenSSH 7.3 and later ProxyJump jumphost in the Host block, or ssh -J jumphost on the command line, does the same) and then just

ssh -L 1234:<LAN address>:<port> targethost
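An ~/.ssh/config that puts the two client-side recipes above together, the multiplexing link and the multihop tunnel, as an added example and not something from the wiki. jump.example.com, web1.dmz, the LAN address 10.0.0.5, the user name and the socket directory ~/.ssh/cm are placeholders. ProxyJump is the built-in form of the ProxyCommand -W recipe (OpenSSH 7.3 and later) and, unlike the chained ssh -A command, needs no agent forwarding: the jump host relays the encrypted stream and never sees your keys.

```text
Host jump
    HostName jump.example.com
    User user

# Reached through jump. "ssh -L 8080:localhost:8080 web1" now forwards the
# port end to end: no -A, no second ssh command running on the jump host.
Host web1
    HostName web1.dmz
    User user
    ProxyJump jump
    # standing forward: local 1234 -> 10.0.0.5:80, resolved on web1's side
    LocalForward 1234 10.0.0.5:80

# One authenticated connection per host, reused by later ssh/scp sessions.
# Whoever can open the socket gets a fully authenticated session, so the
# directory must be readable by you only (mkdir -m 700 ~/.ssh/cm).
# Kept last: ssh takes the first value it finds for each option, so
# host-specific blocks above can still override these.
Host *
    ControlMaster auto
    ControlPath ~/.ssh/cm/%r@%h:%p
    ControlPersist 10m
```

After the first ssh web1 the master connection stays up for ten minutes past the last session, and ssh -L ... web1 or scp to web1 reuse it without a new authentication; ssh -O exit web1 tears it down early.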

SSH tunnel with putty

https://www.skyverge.com/blog/how-to-set-up-an-ssh-tunnel-with-putty/

Failed publickey

  • access rights? With StrictModes (the default) sshd ignores ~/.ssh/authorized_keys when the home directory, ~/.ssh or the file itself is writable by group or others, or owned by someone other than the user or root. The client only sees "Permission denied (publickey)"; the server's auth log says "bad ownership or modes". Typical fix: chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys, and make sure the home directory is not group-writable.
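Both the chrooted sftp HOWTO above and this "Failed publickey" entry fail on the same kind of thing: sshd refusing a path because of its owner or mode, with the reason only visible on the server. The script below is an added example (not from the wiki) that checks both rules the way sshd does; it assumes Linux with GNU coreutils (stat -c), and the paths and user names are placeholders.

```bash
#!/bin/sh
# sshd permission preflight (added example, not from the wiki).
# Assumes GNU coreutils: stat -c %a (octal mode) and %u (owner uid).
#
# Rule 1, ChrootDirectory: every component of the path must be owned by
#   root and not writable by group or others, or the login dies with
#   "bad ownership or modes for chroot directory" in the auth log.
# Rule 2, StrictModes (default yes): ~/.ssh/authorized_keys is ignored when
#   the home directory, ~/.ssh or the file itself is group/world writable or
#   owned by anyone but the user or root; the client sees "Failed publickey".

# mode_ok OCTAL_MODE: succeed when neither group nor others have the write bit.
# stat %a prints e.g. 755 or 1777; the last two digits are group and others.
mode_ok() {
    grp=$(( ($1 / 10) % 10 ))
    oth=$(( $1 % 10 ))
    [ $(( grp & 2 )) -eq 0 ] && [ $(( oth & 2 )) -eq 0 ]
}

# entry_ok PATH UID...: PATH passes mode_ok and is owned by one of the UIDs.
# Prints the first violation it finds, like sshd's log line would.
entry_ok() {
    path=$1; shift
    mode=$(stat -c %a "$path" 2>/dev/null) || { echo "missing: $path"; return 1; }
    mode_ok "$mode" || { echo "group/world writable ($mode): $path"; return 1; }
    owner=$(stat -c %u "$path")
    for uid in "$@"; do
        [ "$owner" = "$uid" ] && return 0
    done
    echo "owned by uid $owner, expected one of: $*: $path"
    return 1
}

# chroot_path_ok DIR: rule 1, walked from DIR up to and including /.
chroot_path_ok() {
    dir=$1
    while [ "$dir" != / ]; do
        entry_ok "$dir" 0 || return 1
        dir=$(dirname "$dir")
    done
    entry_ok / 0
}

# authorized_keys_ok HOME UID: rule 2 for one user.
# sshd stops at the home directory, so parents of HOME are not checked.
authorized_keys_ok() {
    home=$1; uid=$2
    entry_ok "$home" "$uid" 0 &&
        entry_ok "$home/.ssh" "$uid" 0 &&
        entry_ok "$home/.ssh/authorized_keys" "$uid" 0
}

# Usage: sh sshd-perm-check.sh /home/someuser someuser
if [ $# -eq 2 ]; then
    chroot_path_ok "$1" && echo "chroot path ok: $1"
    authorized_keys_ok "$1" "$(id -u "$2")" && echo "authorized_keys ok for $2"
fi
```

Run it on the server as root before restarting sshd; for the chrooted sftp layout from the HOWTO, /home/someuser must pass chroot_path_ok while /home/someuser/downloads may be user-owned because sshd does not check directories below the chroot.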

14: No supported authentication methods available [preauth]

PuTTY error ("server sent: publickey"): the server accepts only public keys and PuTTY offered none. Point the session at the right private key (PuTTY's .ppk format; convert an OpenSSH key with PuTTYgen) or load it into Pageant.

 


bind Cannot assign requested address

The bind address for the forward resolved to an address this machine does not have, most often localhost resolving to the IPv6 ::1 on a host without IPv6. ssh -4 forces IPv4, or give the bind address explicitly: ssh -L 127.0.0.1:1234:target:80 remotehost.

Unable to negotiate with 192.168.100.4 port 22: no matching cipher found.

The server only offers ciphers the client has dropped (the message lists them after "their offer:"). -o arcfour is not valid syntax; to offer an old cipher for one connection use -c arcfour or -o Ciphers=+arcfour, or Ciphers +arcfour in a Host block of .ssh/config. OpenSSH removed the arcfour, blowfish and CAST ciphers entirely in 7.6, so on a current client the choice is a cipher the server still has or updating the server.

no matching host key type found

their offer: ssh-rsa: the server's host key can only be verified with the SHA-1 ssh-rsa signature that OpenSSH 8.8 stopped accepting. Allow it for that host only, in .ssh/config:

 Host oldbox
   HostkeyAlgorithms +ssh-rsa
   PubkeyAcceptedAlgorithms +ssh-rsa

HostkeyAlgorithms fixes this error; the PubkeyAcceptedAlgorithms line is only needed if the server also refuses your own RSA key for the same reason. Do not put these under Host *, that weakens host authentication for every server you connect to.

rsync only as root

scp: no matching key exchange method found.

scp starts ssh under the hood and honours ~/.ssh/config, so when a Host block seems to be ignored it usually does not match the name given to scp (alias vs. IP address, for instance). To pass the option on the command line instead, use the key-exchange option, not Ciphers:

scp -o KexAlgorithms=+<method> file remotehost:

 

kex_exchange_identification: read: Connection reset by peer

The server accepted the TCP connection and closed it before sending its banner, so the client has nothing to go on; the reason is only in the server's log (journalctl -u ssh or sshd, or /var/log/auth.log). Typical causes: the MaxStartups limit, fail2ban or another filter, or a Match/tcpwrapper rule refusing the source address.

Reverse tunnel with autossh

  1. https://superuser.com/questions/37738/how-to-reliably-keep-an-ssh-tunnel-open

autossh -M 0 -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -o "ExitOnForwardFailure yes" -fNR :10023:localhost:22 the.server

-M 0 turns off autossh's own monitor port, so the ServerAlive options are what detects a dead link: after 3 missed probes (90 s) ssh exits and autossh restarts it. ExitOnForwardFailure makes ssh exit when the remote port cannot be bound instead of staying connected without a tunnel. -g is only for local (-L) forwards; for -R it is the empty bind address in :10023 that asks the server to listen on all interfaces, and the server has to allow that in the.server:/etc/ssh/sshd_config

GatewayPorts clientspecified

to allow connecting to 10023 from outside. Mind what that exposes: the client's sshd becomes reachable by anyone who can reach the.server on port 10023. If you only need to hop through the server, drop the bind address (-R 10023:localhost:22 listens on loopback), leave GatewayPorts at its default and log in from the server with ssh -p 10023 localhost. ClientAliveInterval/ClientAliveCountMax on the server make sshd drop the dead session, so the port is free again when the client reconnects.

As systemd service: In /etc/systemd/system/sshtunnel.service

[Unit]
Description=SSH Tunnel
Wants=network-online.target
After=network-online.target
[Service]
Restart=always
RestartSec=20
# runs as root and therefore uses /root/.ssh; a dedicated unprivileged user with its own key works just as well
User=root
ExecStart=/bin/ssh -o ServerAliveInterval=30 -o ServerAliveCountMax=6 -o ExitOnForwardFailure=yes -NR :10023:localhost:22 user@ssh.example.com
[Install]
WantedBy=multi-user.target

The RSA host key for host has changed

Either a man-in-the-middle or a server that was legitimately reinstalled or replaced; only you can tell which. If you're migrating to a new server and want clients to keep trusting it: copy /etc/ssh/ssh_host_*_key* (all key types, not just RSA) to the new server, restart sshd, and handle the private keys like any other secret in transit. If the change is legitimate but the key is new, drop the old entry on the client with

ssh-keygen -R hostname

and verify the new fingerprint out of band before accepting it.


ssh require both key and user password

In sshd_config

 AuthenticationMethods publickey,password
 # PasswordAuthentication defaults to yes; do not set it to no "to force keys",
 # or the password step can never succeed and nobody can log in
 #PasswordAuthentication yes

This demands a successful public-key authentication followed by a successful password, in that order. If password logins are handled through PAM with PasswordAuthentication no (a common distribution setup), use publickey,keyboard-interactive instead.

add your key to remote authorized_keys

ssh-copy-id remotehost

(ssh-copy-id -i ~/.ssh/other_key.pub remotehost to pick a key) or, if not installed:

cat ~/.ssh/id_rsa.pub | ssh remotehost "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"

The file is id_rsa.pub (not rsa_pub.id); send the .pub half only, never the private key. The chmods keep StrictModes happy on the remote side.

Show key fingerprint

ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub

Prints the SHA256 fingerprint a client shows on first connect, to be compared out of band; add -E md5 for the older colon-separated MD5 form that old clients display. The same command works on a user's .pub file.


SSH Client side

no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

The server only speaks SHA-1 key exchanges that current clients have disabled. Re-enable the strongest one it offers, for that host only, in .ssh/config:

 Host oldbox
   KexAlgorithms +diffie-hellman-group14-sha1

or once on the command line with ssh -o KexAlgorithms=+diffie-hellman-group14-sha1 host. Avoid group1 (1024-bit DH). The real fix is updating the server.

kex_exchange_identification: banner line contains invalid characters

The first bytes from the server were not an SSH version banner. Sure you're talking to an ssh service on that port, and not to an HTTP server or a proxy?