ssh Cheatsheet
Useful Options
All options: http://manpages.ubuntu.com/manpages/bionic/en/man5/ssh_config.5.html
For staging/testing: ignore host key spoofing and unknown host warnings (this disables host key verification).
Warning: don't use in production!
- -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null
Exit if the connection cannot be made after 5 seconds of trying
- -o ConnectTimeout=5
Exit if port forwarding cannot be established
- -o ExitOnForwardFailure=yes
Do not accept unknown hosts
Don't ask; fail instead.
- -o StrictHostKeyChecking=yes
Do not ask for a password
Public key authentication only; fail rather than fall back to a password prompt.
- -o PasswordAuthentication=no
Similar (disables all interactive prompts), but also sets ServerAliveInterval=300
- -o BatchMode=yes
Set ServerAliveInterval: after n seconds without data from the server, request a response to check it is still alive
- -o ServerAliveInterval=300
Check ssh fingerprint of host
On the host:
- ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key.pub
Prevent Timeouts
- vi ~/.ssh/config
- Host *
      ServerAliveInterval 60
Make life with non-standard ports easier
- vi ~/.ssh/config
- Host myhost.example.com
      Port 4321
Remote command
- ssh user@example.com 'ls -l; ps -aux; whoami'
Local and remote port forwarding / tunneling
@see https://www.ullright.org/ullWiki/show/ssh-port-forwarding
Chroot users into their home dir for sftp
Show keys, algorithms and key lengths
for keyfile in ~/.ssh/id_*; do ssh-keygen -l -f "${keyfile}"; done | uniq
Upgrade to safer, more recent SSH keys
https://blog.g3rt.nl/upgrade-your-ssh-keys.html
- ssh-keygen -o -a 100 -t ed25519
- for keyfile in ~/.ssh/id_*; do ssh-keygen -l -f "${keyfile}"; done | uniq
- ssh-add -l
Problems with gnome-keyring
- Does not expire ssh private key passphrases
- Only works with RSA keys
- https://wiki.archlinux.org/index.php/SSH_keys#SSH_agents
- Expire open ssh passphrases
Show sshd configuration
- sshd -T
Use a separate known_hosts file, or none at all
- ssh -o UserKnownHostsFile=/dev/null
- ssh -o UserKnownHostsFile=/root/.ssh/known_hosts_custom1
Manually create known_hosts entry
Basically, a known_hosts entry contains a hostname and the public host key of the remote server.
On the remote server server.example.com:
- cat /etc/ssh/ssh_host_rsa_key.pub
- ssh-rsa AAAAB3... root@server
On the local machine:
- cat /home/joe/.ssh/known_hosts
- server.example.com ssh-rsa AAAAB3...
- known_hosts entries can be tied to ports
- [server.example.com]:1234 ssh-rsa AAAAB3...
- or even to remote IP addresses (the hostname field is a comma-separated list of names and/or addresses)
- server.example.com,192.0.2.10 ssh-rsa AAAAB3...
- These days, entries created automatically have the hostname hashed instead of stored in clear text
- |1|xxx|yyy ssh-rsa AAAAB3...
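An added example (not from the original cheatsheet) showing how the hostname field of a known_hosts entry is matched, including the hashed |1|salt|hash form, which is base64(HMAC-SHA1(key=salt, msg=hostname)), the [host]:port form and comma-separated name lists. The sample file and its salt are constructed for the demo; the keys are placeholders.

```python
import base64, hashlib, hmac, os, re

def host_pattern(host, port=22):
    """Name as OpenSSH writes it: bare for port 22, '[host]:port' otherwise."""
    host = host.lower()
    return host if port == 22 else f"[{host}]:{port}"

def hash_host(name, salt=None):
    """Hashed hostname field: |1|b64(salt)|b64(HMAC-SHA1(key=salt, msg=name))."""
    salt = os.urandom(20) if salt is None else salt
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def pattern_matches(pattern, name):
    """Match one hostname pattern: hashed, or plain with * and ? wildcards."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|", 3)
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(mac_b64)
        actual = hmac.new(salt, name.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    # Brackets in '[host]:port' are literal, so translate by hand rather than fnmatch.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern.lower())
    return re.fullmatch(regex, name) is not None

def find_host_keys(known_hosts_text, host, port=22):
    """(keytype, key) for each entry whose hostname field matches host:port.
    A matching '!'-negated pattern disqualifies the whole entry, as in sshd(8)."""
    name = host_pattern(host, port)
    found = []
    for line in known_hosts_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue            # blank, comment or malformed line
        patterns = parts[0].split(",")
        if any(p.startswith("!") and pattern_matches(p[1:], name) for p in patterns):
            continue
        if any(not p.startswith("!") and pattern_matches(p, name) for p in patterns):
            found.append((parts[1], parts[2]))
    return found

# Constructed sample file: keys are placeholders, salt fixed so the hashed line is stable.
SALT = bytes(range(20))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "server.example.com,192.0.2.10 ssh-rsa AAAAB3...server",
    "[server.example.com]:1234 ssh-ed25519 AAAAC3...port1234",
    "*.example.net,!bad.example.net ssh-ed25519 AAAAC3...wildcard",
    hash_host("server.example.com", SALT) + " ssh-ed25519 AAAAC3...hashed",
])
```

Because the hash is keyed with a per-entry random salt, a leaked known_hosts file does not reveal which hosts you connect to, but a guessed name can still be confirmed by recomputing the HMAC, exactly as find_host_keys does.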
Other ways:
With access to the remote server (run there):
- ssh-keyscan -H -t rsa -p 22 localhost
- |1|xxxxxx=|yyyyyy= ssh-rsa zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
- -H Hash all hostnames and addresses in the output
- -t Type “dsa”, “ecdsa”, “ed25519”, or “rsa”
- Note: ssh-keyscan writes the server banner to stderr as a comment line, e.g.:
# localhost:222 SSH-2.0-OpenSSH_7.6p1
Without access to the remote server, scanning it over the network (vulnerable to man-in-the-middle attacks, so compare the fingerprint with one obtained out of band):
- ssh-keyscan -H -t rsa -p 22 remote-server.example.com
Add the known_hosts line on the local machine:
- vi /home/joe/.ssh/known_hosts
- remote-server.example.com ssh-rsa zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
authorized_keys
https://man.openbsd.org/OpenBSD-current/man8/sshd.8#AUTHORIZED_KEYS_FILE_FORMAT
Note: the command option, e.g. command="uptime", must use double quotes!
Copy a file without scp
- cat file | ssh user@host.example.com "cat > /dir/file"