Links
- See also: corkscrew
- corkscrew is a tool for tunneling SSH through HTTP proxies.
- manpage
- Fail2ban
- Forced Commands
- 9 Awesome SSH Tricks
- ssh-copy-id
- Two Factor SSH with Google Authenticator
- Comments on Reddit
- Comments on Hacker News
- eBook: SSH, The Secure Shell: The Definitive Guide (First Edition)
- How to extract a public/private key from a PKCS12
- SSH Can Do That? Productivity Tips
Files
File | Description |
---|---|
~/.ssh/identity | Contains the protocol version 1 RSA authentication identity of the user. |
~/.ssh/id_dsa | Contains the protocol version 2 DSA authentication identity of the user. |
~/.ssh/id_ecdsa | Contains the protocol version 2 ECDSA authentication identity of the user. |
~/.ssh/id_rsa | Contains the protocol version 2 RSA authentication identity of the user. |
$TMPDIR/ssh-XXXXXXXXXX/agent.<ppid> | UNIX-domain sockets used to contain the connection to the authentication agent. These sockets should only be readable by the owner. The sockets should get automatically removed when the agent exits. |
Environment Variables
Var | Description |
---|---|
SSH_AUTH_SOCK | A UNIX-domain socket is created and the name of this socket is stored in the SSH_AUTH_SOCK environment variable. The socket is made accessible only to the current user. This method is easily abused by root or another instance of the same user. |
SSH_AGENT_PID | SSH_AGENT_PID environment variable holds the agent's process ID. |
Misc
- For seamless but secure remote execution: generate a new ssh key (ssh-keygen) without a pass-phrase; put the id and id.pub files on each "client" machine; add the id.pub to the authorized_keys file under the username used for the "server" end. Here's the trick: insert restrictions before the public key, but all on the one long line. So instead of
  ssh-dss AAAAB3blahblahblah...
  in the authorized_keys, use
  no-port-forwarding,no-X11-forwarding,command="/the/specific/command",from="client1.ip.addr,*.other.clients" ssh-dss AAAAB3blahblahblah...
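An audit script, added here as an example (not part of the original notes), that tokenizes authorized_keys lines the way the options field is written (quoted values may hold commas, spaces and \" escapes) and reports which keys lack the restrictions the tip above recommends; the key-type list and the sample file are assumptions.

```python
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}  # assumed key-type list

def parse_entry(line):
    """One authorized_keys line -> {'options', 'type'}; None for blanks and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options, rest = {}, line
    if line.split(None, 1)[0] not in KEY_TYPES:
        # Options field: comma-separated, ends at the first whitespace outside double
        # quotes; a quoted value may hold commas, spaces and \" (as in from="a,*.b").
        opts, cur, quoted, i = [], "", False, 0
        while i < len(line) and (quoted or not line[i].isspace()):
            c = line[i]
            if c == "\\" and quoted and i + 1 < len(line):
                i, c = i + 1, line[i + 1]
            elif c == '"':
                quoted, c = not quoted, ""
            elif c == "," and not quoted:
                opts.append(cur)
                cur, c = "", ""
            cur += c
            i += 1
        opts.append(cur)
        rest = line[i:]
        for opt in opts:
            name, eq, value = opt.partition("=")
            options[name.lower()] = value if eq else True  # option names are case-insensitive
    parts = rest.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        return None
    return {"options": options, "type": parts[0]}

def audit(text):
    """(line number, key type, missing restrictions) for every key in the file."""
    wanted = ("command", "from", "no-port-forwarding", "no-x11-forwarding")
    report = []
    for n, line in enumerate(text.splitlines(), 1):
        entry = parse_entry(line)
        if entry:
            missing = [r for r in wanted if r not in entry["options"]]
            report.append((n, entry["type"], missing))
    return report

SAMPLE = (  # constructed sample: an unrestricted key, the note's restricted key, a partly restricted key
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYMATERIAL laptop\n"
    'no-port-forwarding,no-X11-forwarding,command="/the/specific/command",from="client1.ip.addr,*.other.clients" ssh-dss AAAAB3blahblahblah... backup\n'
    'command="/usr/local/bin/rsync-wrapper \\"--server\\"",no-pty ssh-rsa AAAAB3NzaC1yc2EEXAMPLEKEYMATERIAL rsync\n'
)
```

Running audit(open("/path/to/authorized_keys").read()) over a real file lists every key that still allows forwarding or an arbitrary command from any host.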
Prefer password login
ssh -o PreferredAuthentications=password machine
Keywords versus command-line options
Any configuration line of the form: Keyword Value
can be specified on the command line with -o (use multiple for multiple options) like so: ssh -o "Keyword Value".
For example, the configuration lines:
User sally
Port 220
can be specified as
ssh -o "User sally" -o "Port 220" server.example.com
SSH1 additionally permits an equals sign between the keyword and the value (so double quotes are optional with that syntax): ssh1 -o User=sally -o Port=220 server.example.com
ProxyCommand
Specifies the command to use to connect to the server. The command string extends to the end of the line, and is executed with /bin/sh. In the command string, '%h' will be substituted by the host name to connect and '%p' by the port. The command can be basically anything, and should read from its standard input and write to its standard output. It should eventually connect an sshd(8) server running on some machine, or execute sshd -i somewhere. Host key management will be done using the HostName of the host being connected (defaulting to the name typed by the user). Setting the command to 'none' disables this option entirely. Note that CheckHostIP is not available for connects with a proxy command.
For example, the following directive would connect via an HTTP proxy at 192.0.2.0:
ProxyCommand /usr/bin/nc -X connect -x 192.0.2.0:8080 %h %p
Should you use a nohup in the ProxyCommand? I've never needed one. This link shows it solving a problem, but -w 1 to nc is really a timeout like the manpage says so I'm skeptical of that advice.
Another example (thanks to the -W option to ssh - this needs a recent version of OpenSSH):
Host a.b.c.tld
    ProxyCommand none
Host *.foo.domain.tld
    ProxyCommand ssh my.ssh.gateway.tld -W %h:%p
Extracting the private / public keys from a pem file.
# Extract the public key (-pubout writes the public half of the RSA key in key.pem).
openssl rsa -in key.pem -pubout > key.pub
Logging in with a custom private key
ssh -i <IdentityFile> user@host
ssh -i ~/.ssh/id_rsa user@host
ssh -o 'IdentityFile '~/.ssh/id_rsa user@host
# Or use
#
# IdentityFile ~/..../id_rsa
#
# in ~/.ssh/config for specific hosts.
Enabling public key authentication
If you're not able to login with a keypair, maybe sshd doesn't allow it.
To fix, edit /etc/sshd/sshd_config and
- either change
  PubkeyAuthentication no
  to
  PubkeyAuthentication yes
- or add an entry for just your username to allow it, e.g.
  Match User chirayu
      PubkeyAuthentication yes
Now make sshd reload the config file by sending it a SIGHUP.
sudo kill -HUP $(cat /var/run/sshd.pid)
You should now be able to login with a keypair.