• Edit
  • Delete

ssh Cheatsheet

Useful Options

All options: http://manpages.ubuntu.com/manpages/bionic/en/man5/ssh_config.5.html

For staging/testing: ignore spoofing and unknown hosts warning.

Warning: don't use in production!

  • -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null

Exit if connection cannot be made after 5 seconds of trying

  • -o ConnectTimeout=5

Exit if port forwarding cannot be established

  • -o ExitOnForwardFailure=yes

Do not accept unknown hosts

Don't ask, Fail instead.

  • -o StrictHostKeyChecking=yes

Do not ask for password

Public key authentification only, fail if password prompt is offered

  • -o PasswordAuthentication=no

Similar, but sets also ServerAliveInterval=300

  • -o BatchMode=yes

Set ServerAliveInterval, after n seconds request a response from the server if still alive

  • -o ServerAliveInterval=300

Check ssh fingerprint of host

On the host:

  • cd /etc/ssh;for file in *sa_key.pub;do ssh-keygen -E md5 -lf $file;done

Prevent Timeouts

  • vi ~/.ssh/config
    • Host *
        ServerAliveInterval 60

 Make life with non-standard ports easier

  • vi .ssh/config
    • Host myhost.example.com
        Port 4321

Remote command

 

Local and remote port forwarding / tunneling

@see https://www.ullright.org/ullWiki/show/ssh-port-forwarding

Chroot users into their home dir for sftp

https://www.techrepublic.com/blog/linux-and-open-source/chroot-users-with-openssh-an-easier-way-to-confine-users-to-their-home-directories/

Show keys, algorithms and key lengths

for keyfile in ~/.ssh/id_*; do ssh-keygen -l -f "${keyfile}"; done | uniq

Upgrade to safer, more recent SSH keys

https://blog.g3rt.nl/upgrade-your-ssh-keys.html

  • ssh-keygen -o -a 100 -t ed25519
  • for keyfile in ~/.ssh/id_*; do ssh-keygen -l -f "${keyfile}"; done | uniq
  • ssh-add -l

Problems with gnome-keyring

Show sshd configuration

  • sshd -T

Use a separate, or no known_hosts file

  • ssh -o UserKnownHostsFile=/dev/null
  • ssh -o UserKnownHostsFile=/root/.ssh/known_hosts_custom1

 

Manually create known_hosts entry

Basically the known_hosts entry contains a hostname and the public host key of the remote server.

On the remote server server.example.com:

  • cat /etc/ssh/ssh_host_rsa_key.pub
    • ssh-rsa AAAAB3... root@server

On the local machine:

  • cat /home/joe/.ssh/known_hosts
    • server.example.com ssh-rsa AAAAB3...
  • known_hosts entries can be tied to ports
    • [server.example.com]:1234 ssh-rsa AAAAB3...
  • or even to remote ip addresses
    • TODO: add example.
  • These days, if created automatically, all the infos are hashed
    • |1|xxx|yyy ssh-rsa AAAAB3...

Other ways:

Note: requires access to the remote server

With access to remote server:

  • ssh-keyscan -H -t rsa -p 22 localhost
    • |1|xxxxxx=|yyyyyy= ssh-rsa zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
    • -H      Hash all hostnames and addresses in the output
    • -t       Type “dsa”, “ecdsa”, “ed25519”, or “rsa”
    • Note: ssh-keyscan outputs stuff to stderr...
      # localhost:222 SSH-2.0-OpenSSH_7.6p1

Without access from localhost (vulnerable to man in the middle attacks):

  • ssh-keyscan -H -t rsa -p 22 remote-server.example.com

Add known hosts line to localhost:

  • vi /home/joe/.ssh/known_hosts
    • remote-server.example.com ssh-rsa zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz

authorized_keys

https://man.openbsd.org/OpenBSD-current/man8/sshd.8#AUTHORIZED_KEYS_FILE_FORMAT

Note: command="uptime" must have double quotes!

Copy a file without scp