create SSH key
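# RSA 4096-bit key written to ~/.ssh/id_rsa; -N '' sets an empty passphrase, so the
# private key file alone is enough to log in -- keep its permissions tight
ssh-keygen -q -b 4096 -f ~/.ssh/id_rsa -N '' -C "${USER}@$(hostname -f)"
# ed25519 key (default path ~/.ssh/id_ed25519), again without passphrase
ssh-keygen -q -t ed25519 -N '' -C "${USER}@$(hostname -f)"
# private key in PEM format (-m PEM) for tools that cannot read the OpenSSH key format
ssh-keygen -m PEM -b 4096 -C "rundeck@rundeck.dev.example.com"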
Load SSH key
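# start an agent for this shell (eval imports SSH_AUTH_SOCK / SSH_AGENT_PID) and add the default keys
eval "$(ssh-agent)" && ssh-add
# add one specific key
ssh-add ~/.ssh/foo-key2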
Copy public key to server (/home/foo/.ssh/authorized_keys)
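ssh-copy-id foo@example.com
# install the public keys published by GitHub user "foo" (fetched over HTTPS, trusts that account)
ssh-import-id-gh foo
# copy between remote hosts: the root key of dev is appended to prod's authorized_keys,
# i.e. root on dev can log in to prod afterwards -- review that trust relationship first
ssh www.dev.example.com cat /root/.ssh/id_rsa.pub \
  | ssh www.prod.example.com 'cat >> /root/.ssh/authorized_keys -'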
show log
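journalctl -u ssh
tail -f /var/log/auth.log
journalctl _COMM=sshd -f
# configuration files
#   ~/.ssh/config          user client configuration
#   /etc/ssh/ssh_config    system-wide client configuration
#   /etc/ssh/sshd_config   system-wide server configuration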
http://www.panticz.de/SSH-server-enable-disable-password-authentication
http://www.panticz.de/ssh_pre-shared-key_authentication
Parameter
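# the two -o options disable host key verification: the session is then not protected
# against a man-in-the-middle, so use this only for throw-away hosts on a trusted network
ssh \
  -o UserKnownHostsFile=/dev/null \
  -o StrictHostKeyChecking=no \
  root@192.168.1.2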
Configuration ~/.ssh/config
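Include config.d/*

# whole 10.* range: host keys are neither checked nor remembered (man-in-the-middle possible)
Host 10.*
    User root
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null

# exclude hosts: matches everything except the negated patterns
Host * !example.com !192.168.0.? !*.local
    # ...

Host 192.168.0.* tunnel.example.com
    User foo
    BatchMode yes
    EscapeChar none
    Compression yes
    HostKeyAlias github-server-pool.github.com
    CheckHostIp no
    UserKnownHostsFile /dev/null
    StrictHostKeyChecking no
    AddKeysToAgent yes
    LogLevel error
    # re-enables DSA host keys, which current OpenSSH disables by default
    HostKeyAlgorithms=+ssh-dss

Host 10.20.30.40
    # legacy key exchange, only for a device that offers nothing newer
    KexAlgorithms +diffie-hellman-group1-sha1

# jump host: reach 192.168.254.46 through 192.168.1.42
Host 192.168.254.46
    ProxyCommand ssh root@192.168.1.42 -W %h:%p
    # the agent socket is exposed to 192.168.254.46; root there can use your keys while connected
    ForwardAgent yes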
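# batch mode (disable password authentication) -- options to add to ssh/scp:
#   -o PasswordAuthentication=no -o KbdInteractiveAuthentication=no
#   -o ChallengeResponseAuthentication=no -o BatchMode=yes
#   -o HostKeyAlgorithms=ssh-rsa -o FingerprintHash=md5

# install a key using a backup key (~/ssh_bkp) that is already authorized on the server
# NOTE(review): -i normally names the private key; the .pub path below works only if the
# matching private key is available via the agent -- confirm
scp -i ~/ssh_bkp/id_rsa.pub ~/.ssh/id_rsa.pub root@www.example.com:/tmp/id_rsa.pub
ssh -i ~/ssh_bkp/id_rsa root@www.example.com 'cat >> .ssh/authorized_keys' < ~/ssh_bkp/id_rsa.pub
# original (collapsed) line, intent unclear -- probably a login followed by
# "ssh-keygen -i -f /tmp/id_rsa.pub >> ~/.ssh/authorized_keys" on the server
# (-i -f converts an RFC4716 key to OpenSSH format); confirm before use:
#   ssh -i ~/ssh_bkp/id_rsa root@www.example.com cat ssh-keygen --if /tmp/id_rsa.pub >> ~/.ssh/authorized_keys

# port forward: local port 80 (privileged, hence sudo) -> 192.168.254.44:80 via www.example.com:222
# sudo runs ssh as root, so -i must name the user's key and root's known_hosts is consulted
sudo ssh -L 80:192.168.254.44:80 user@www.example.com -p 222 -N -i "/home/${USER}/.ssh/id_rsa"
# listener bound to 127.0.0.2 only
ssh -L 127.0.0.2:8080:localhost:80 user@host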
Parameter
-N  do not execute a remote command
-f  run in background
-C  compression
-o ConnectTimeout=3
-o UserKnownHostsFile=/dev/null
-o StrictHostKeyChecking=no
-o ControlMaster=yes      # permanent connection
-o ServerAliveInterval=30 # prevent SSH timeout
Options
# force password authentication ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no foo@<ip-address>
http://linux.die.net/man/5/ssh_config
# test
Host mysql.tunnel
    HostName some-ssh-server.com
    User ssh_username
    LocalForward 3307 127.0.0.1:3306

Host tunnel.production.site.com
    User ec2-user
    UserKnownHostsFile /dev/null
    StrictHostKeyChecking=no

Host X01 X02 ...
    User my_username
    Compression yes
    Ciphers arcfour,blowfish-cbc
    Protocol 2
    ControlMaster auto
    ControlPath ~/.ssh/%r@%h:%p
    LocalForward 3307 127.0.0.1:3306
    # SendEnv LANG LC_*
    #HostKeyAlgorithms ssh-rsa

# reverse tunnel
# http://www.thegeekstuff.com/2013/11/reverse-ssh-tunnel/
ssh -fN -R 2222:localhost:22 user@www.example.com
# connect back from www.example.com
user@www.example.com:~$ ssh me@localhost -p 2222

# SSH config options
ForwardAgent yes
IdentitiesOnly yes
IdentityFile /home/foo/.ssh/id_rsa

Host *
    ForwardAgent yes
    SendEnv LANG LC_*
    StrictHostKeyChecking no

# add default domain
Host *.example.com
    HostName %h
    USER user
Host *
    HostName %h.example.com
    USER user
    BatchMode yes

# ssh forwarding to sudo
sudo -E -s
echo "Defaults env_keep+=SSH_AUTH_SOCK" >> /etc/sudoers.d/ssh
service sudo restart

# test if SSH agent is running
env | grep SSH_AGENT_PID

# starts SSH agent
eval $(ssh-agent)
ssh-add

# remote X window with bash login
ssh -X USER@REMOTE_HOST -C /bin/bash -l -c "COMMAND"

# socket forward
ssh -N -D 8080 root@192.168.0.1
chromium-browser --proxy-server="socks5://localhost:8080"
?? --proxy-server="https=proxyip:8443;http=proxyip:8080"
Enable DNS forwarding in Firefox:
network.proxy.socks_remote_dns: true
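# port forward: http://localhost:8080 reaches 192.168.0.12:80 through 192.168.0.1
ssh -N -L 8080:192.168.0.12:80 root@192.168.0.1

# ssh forward to mailserver
# /etc/hosts on the client points the mail names at loopback:
#   127.0.0.1 imap.example.com
#   127.0.0.1 smtp.example.com
# the -L targets are connected from vpn.example.com, so they resolve on that side, not locally;
# sudo is needed for the privileged ports 143/25 and makes root's known_hosts apply
sudo ssh -L 143:imap.example.com:143 -L 25:smtp.example.com:25 foo@vpn.example.com -i /home/foo/.ssh/id_rsa -N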
deny SSH user
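# /etc/ssh/sshd_config
DenyUsers foo
# everything after a Match line applies only to that match, until the next Match
Match User test
    PasswordAuthentication no

# NOTE(review): Host and ServerAliveInterval are ssh_config (client) keywords; these
# three lines belong in ~/.ssh/config or /etc/ssh/ssh_config, not in sshd_config
Host *
    ServerAliveInterval 30
    LogLevel ERROR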
Removes host keys from ~/.ssh/known_hosts by hostname or IP
# remove every known_hosts entry for this name (repeat with the IP if the host was recorded by IP as well)
ssh-keygen -R www.example.com
Update SSH known hosts
# appends the RSA host keys that web1..web5 present right now; ssh-keyscan does not
# authenticate them, so compare the fingerprints out of band before relying on the entries
ssh-keyscan -t rsa web{1..5}.example.com >> ~/.ssh/known_hosts
Forward webserver over SSH
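# GatewayPorts is an sshd setting: it has to be set on the machine that receives the -R
# forward (www.example.com below). NOTE(review): the "client"/"server" labels in the
# original look swapped -- confirm which host is which
#echo "GatewayPorts yes" >> /etc/ssh/sshd_config
echo "GatewayPorts clientspecified" >> /etc/ssh/sshd_config
service ssh restart

# publish 192.168.0.1:80/443 on www.example.com; StrictHostKeyChecking=no skips host key
# verification for that hop. NOTE(review): with "clientspecified" a forward without an
# explicit bind address stays on loopback (see the bind_address part of -R in ssh(1)) -- confirm
ssh -o StrictHostKeyChecking=no -N -R 80:192.168.0.1:80 -R 443:192.168.0.1:443 root@www.example.com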
Get host key
# prints the host keys SERVER currently presents (unauthenticated; verify fingerprints out of band)
ssh-keyscan SERVER
SendEnv no
Forwarding
DynamicForward 127.0.0.1:1080
RemoteForward 80 127.0.0.1:8000
LocalForward 1521 10.0.0.99:1521
GatewayPorts no

# forward proxy
# ~/.ssh/config.d/vm
Host 10.0.1.*
    User ubuntu
    RemoteForward 3128 proxy.example.com:8080
https_proxy=http://localhost:3128 wget https://www.google.de -O-

# double forward
ssh -A -R 10080:forward_from.tld:80 user@forward_to.tld "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -g -N -L 80:localhost:10080 localhost"

# Forward DB port by SSH tunnel and make it publicly accessible
ssh -A -R 10080:localhost:3306 root@db.example.com "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -g -N -L 3306:localhost:10080 localhost"

# Forward port 80 from 10.0.21.3 to www.example.com:8080
ssh -A -R 12345:10.0.21.3:80 root@www.example.com "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -g -N -L 8080:localhost:12345 localhost"

# copy block device over network with SSH
dd if=/dev/sdc | ssh -C user@host dd of=/dev/sdc
cat file | ssh -e none remote-host 'cat > file'

# show SSH status
systemctl status ssh
SSH VPN
https://help.ubuntu.com/community/SSH_VPN
https://wiki.archlinux.org/index.php/VPN_over_SSH
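# on SSH VPN server: let forwarded ports bind to non-loopback addresses
sudo sed -i 's/#GatewayPorts .*/GatewayPorts yes/g' /etc/ssh/sshd_config
sudo service ssh restart

# on SSH VPN client: -w 0:0 builds a tun0<->tun0 layer-3 tunnel; creating tun devices
# needs root on both ends (hence the sudo calls) and PermitTunnel enabled in the server's sshd_config
sudo ssh \
  -i /home/foo/.ssh/id_rsa \
  -o PermitLocalCommand=yes \
  -o LocalCommand="sudo ifconfig tun0 192.168.99.2 pointopoint 192.168.99.1 netmask 255.255.255.0; sudo route add -net 192.168.100.0 gw 192.168.99.1 netmask 255.255.255.0" \
  -o ServerAliveInterval=60 \
  -w 0:0 root@gw.example.com -p 22022 \
  'sudo ifconfig tun0 192.168.99.1 pointopoint 192.168.99.2 netmask 255.255.255.0; echo tun0 ready'

# v2 (iproute2)
# client
sudo ip tuntap add dev tun0 mode tun
sudo ip link set tun0 up
sudo ip addr add 192.168.10.100/32 peer 10.0.0.200 dev tun0
# server
# NOTE(review): the local/peer addresses of the two ends do not mirror each other
# (client 192.168.10.100 <-> 10.0.0.200, server 192.168.10.200 <-> 10.0.0.100) -- confirm intent
ssh ubuntu@hypervisor.lab.i.ewcs.ch
sudo ip tuntap add dev tun0 mode tun
sudo ip link set tun0 up
sudo ip addr add 192.168.10.200/32 peer 10.0.0.100 dev tun0
# teardown
sudo ip tuntap del dev tun0 mode tun
sudo ip tuntap del dev tap0 mode tap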
Workaround / Fix
# slow ssh login
systemctl restart systemd-logind

# fix "mesg: ttyname failed: Inappropriate ioctl for device" by forcing pseudo-tty allocation
ssh -t db.example.com "bash -l /path/to/cmd"
ssh -tt db.example.com 'bash -l -c "sqlplus system/oracle @/tmp/query1.sql"'

# sshfs
sshfs -o ServerAliveInterval=15 root@www.example.com:/var/www/ /mnt

# /etc/ssh/sshd_config
Match User oli
    GatewayPorts yes

# resolve dns on localhost
ProxyCommand ssh db.example.com -W $(dig +short %h):%p
Jumphost
https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Proxies_and_Jump_Hosts
https://tech.utzer.de/2019/04/14/ssh-config-ssh-via-jumphost-and-autossh-ssh-to-tor-hidden-service/
https://wiki.gentoo.org/wiki/SSH_jump_host
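# single jump host (-J = ProxyJump; the host keys of both hops are verified as usual)
ssh -J jump.example.com foo@www.example.com
# multiple jump hosts, traversed in the given order
ssh -J user1@host1:port1,user2@host2:port2 user3@host3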
scp
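# scp with sshpass: -p puts the password on the command line, where ps and the shell
# history can show it
sshpass -p <PASSWORD> scp <USER>@<HOST>:~/htdocs/*.gz /mnt/backup/
# same, with the password read from a file (-f) or from $SSHPASS (-e) instead of argv
sshpass -f <PASSWORD-FILE> scp <USER>@<HOST>:~/htdocs/*.gz /mnt/backup/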
Create new key on client
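#ssh-keygen -t rsa   (confirm 3x with enter to leave the passphrase empty)
# non-interactive variant; -N '' = no passphrase, so the key file alone grants access
ssh-keygen -q -f ~/.ssh/id_rsa -N ''
# Copy public key to server
ssh-copy-id "${USER}@192.168.0.1"
# Test login (-v shows which key / method the server accepted)
ssh -v "${USER}@192.168.0.1"
# Login with private key
ssh -i ./backup_ssh_key/id_rsa USER@YOUR_SERVER
# Import own ssh key by using previous / master ssh key
ssh -i ./backup_ssh_key/id_rsa USER@YOUR_SERVER 'cat >> .ssh/authorized_keys' < ~/.ssh/id_rsa.pub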
OPTIONAL: Disable password login on server
http://www.panticz.de/SSH-server-enable-disable-password-authentication
Execute commands remotely using SSH
https://zaiste.net/a_few_ways_to_execute_commands_remotely_using_ssh/
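# run a local script on ${HOST}: it is fed to the remote shell on stdin, so any command
# inside the script that itself reads stdin will swallow the rest of the script
ssh "${HOST}" < ~/bin/script.sh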
Access internal Git server over temporary SSH tunnel from public VM
# @www1 VM
cat /home/local/.ssh/config
Host git.i.example.com
    Hostname 127.0.0.1
    Port 2222

#@workstation or deployment VM
ssh -R 2222:git.i.example.com:22 service@www1.example.com "git -C /var/www/html pull"
SSH Server with Two-Factor Authentication
https://www.globo.tech/learning-center/setup-ssh-server-with-two-factor-authentication-ubuntu-debian/
Multi line command
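# here-document: $variables and $(commands) inside are expanded locally before sending
ssh foo@example << EOF
date
hostname
cat /etc/resolv.conf
EOF
# same commands passed as one single-quoted argument, nothing is expanded locally
# (reconstructed from a garbled original -- confirm)
ssh foo@example '
date
hostname
cat /etc/resolv.conf
'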
Fix slow SSH login
# workaround when logins hang waiting for systemd-logind; typically needs root
systemctl restart systemd-logind
Fix Unable to negotiate with 192.168.1.111 port 22: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
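# legacy key exchange only for this host; group1-sha1 is weak, so keep it per host, not under Host *
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 192.168.1.111
# older device that additionally needs SHA-1 RSA signatures and a CBC cipher
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -oPubkeyAcceptedKeyTypes=+ssh-rsa -oHostKeyAlgorithms=+ssh-rsa -c aes128-cbc root@192.168.178.53
# commands typed on the remote console afterwards (presumably a management-processor shell):
#   VSP       virtual serial port
#   TEXTCONS  text console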
Certificate
# print the contents of an SSH certificate (principals, validity period, serial, extensions)
ssh-keygen -L -f .ssh/id_rsa-cert.pub
cipher
# list available ciphers (-Q also answers mac, kex and key)
ssh -Q cipher
Block access
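# ufw: in "from ADDRESS port PORT" the port is the SOURCE port; to block SSH (destination
# port 22) from an address the port belongs to the "to" side
sudo ufw deny from "${IP_FROM}" to any port 22
# iptables equivalent; -I puts the rule first so it takes precedence over earlier ACCEPT rules
sudo iptables -I INPUT -s "${IP_FROM}" -p tcp --dport ssh -j DROP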
Force password authentication
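# force password authentication (useful to test the password path while keys are loaded)
ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no "${SERVER_IP}"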
The ssh-rsa (RSA with SHA-1) signature algorithm is being deprecated quickly. There is a workaround for re-enabling it:
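# client side, per connection: accept SHA-1 RSA user-key signatures again
ssh -o PubkeyAcceptedKeyTypes=+ssh-rsa user@server

# or on the SSH server (this re-enables SHA-1 signatures for every client; prefer a Match block)
cat <<EOF >> /etc/ssh/sshd_config
HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedKeyTypes +ssh-rsa
EOF

# or as a drop-in; tee is needed because the redirection would run as the unprivileged user
# NOTE(review): many distributions include only sshd_config.d/*.conf -- check the Include line
# in sshd_config, the file may need a .conf suffix to be read
echo "PubkeyAcceptedAlgorithms=+ssh-rsa" | sudo tee /etc/ssh/sshd_config.d/allow_ssh-rsa
sudo systemctl restart sshd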
Enable ssh-dss
ssh -o HostKeyAlgorithms=+ssh-dss root@192.168.8.109

Host nas
    HostName 192.168.8.109
    HostKeyAlgorithms=+ssh-dss
    PubkeyAcceptedKeyTypes=+ssh-rsa
    # KexAlgorithms +diffie-hellman-group14-sha1
Old dropbear server
# legacy dropbear: DSA host key, SHA-1 RSA user keys and group1 key exchange are re-enabled
# for these two hosts only (all three are disabled by default in current OpenSSH)
Host openwrt.example.com 192.168.1.111
PubkeyAcceptedKeyTypes +ssh-rsa
HostKeyAlgorithms=+ssh-dss
KexAlgorithms +diffie-hellman-group1-sha1
Show SSH key type
# print bit length, fingerprint, comment and key type (the .pub file works as input too)
ssh-keygen -lf ~/.ssh/id_rsa
Import public SSH key from GitHub
# https://github.com/panticz.keys
ssh-import-id gh:cmars lp:panticz

# Ansible: Using github URL as key source
- authorized_key:
    user: charlie
    key: https://github.com/panticz.keys
# user_ssh_keys: "{{ lookup('url', 'https://github.com/foo.keys', split_lines=True) }}"

# cloud config
cloud-init.user-data: |
  #cloud-config
  users:
    - name: foot
      ssh_import_id:
        - gh:foo
Forward http(s) traffic through socks5
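# SOCKS proxy on 127.0.0.1:8080 (without a bind address -D listens on loopback only)
ssh -D 8080 foo@my_server.com
# with socks5:// curl resolves names locally; use socks5h:// to resolve them on the remote side
export http_proxy=socks5://127.0.0.1:8080 https_proxy=socks5://127.0.0.1:8080
curl example.com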
Links
http://linuxproblem.org/art_9.html
http://www.pro-linux.de/work/rootserver/teil2.html
http://www.schlittermann.de/doc/ssh
http://ubuntuforums.org/showthread.php?t=625926
http://www.la-samhna.de/library/brutessh.html
http://linux.justinhartman.com/Secure_SSH_server_with_Public/Private_key_authentication
http://mikiwiki.org/wiki/ssh_%28Shell-Befehl%29
http://pentestmonkey.net/cheat-sheet/ssh-cheat-sheet
http://en.wikibooks.org/wiki/OpenSSH/Cookbook/Proxies_and_Jump_Hosts
http://matt.might.net/articles/ssh-hacks/