ssh Cheatsheet

Useful Options

All options: http://manpages.ubuntu.com/manpages/bionic/en/man5/ssh_config.5.html

For staging/testing: ignore host-key mismatch (spoofing) and unknown-host warnings.

Warning: don't use in production!

  • -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null

Give up if the connection cannot be established within 5 seconds

  • -o ConnectTimeout=5

Exit if port forwarding cannot be established

  • -o ExitOnForwardFailure=yes

Do not accept unknown hosts

Don't ask; fail instead.

  • -o StrictHostKeyChecking=yes

Do not ask for password

Public key authentication only; fail if a password prompt is offered

  • -o PasswordAuthentication=no

Similar, but also sets ServerAliveInterval=300

  • -o BatchMode=yes

Set ServerAliveInterval: after n seconds without data, request a response from the server to check that it is still alive

  • -o ServerAliveInterval=300

Check ssh fingerprint of host

On the host:

  • ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key.pub

Prevent Timeouts

  • vi ~/.ssh/config
    • Host *
        ServerAliveInterval 60

Make life with non-standard ports easier

  • vi .ssh/config
    • Host myhost.example.com
        Port 4321

Remote command


Local and remote port forwarding / tunneling

@see https://www.ullright.org/ullWiki/show/ssh-port-forwarding

Chroot users into their home dir for sftp

https://www.techrepublic.com/blog/linux-and-open-source/chroot-users-with-openssh-an-easier-way-to-confine-users-to-their-home-directories/

Show keys, algorithms and key lengths

for keyfile in ~/.ssh/id_*; do ssh-keygen -l -f "${keyfile}"; done | uniq

Upgrade to safer, more recent SSH keys

https://blog.g3rt.nl/upgrade-your-ssh-keys.html

  • ssh-keygen -o -a 100 -t ed25519
  • for keyfile in ~/.ssh/id_*; do ssh-keygen -l -f "${keyfile}"; done | uniq
  • ssh-add -l

Problems with gnome-keyring

Show sshd configuration

  • sshd -T

Use a separate known_hosts file, or none at all

  • ssh -o UserKnownHostsFile=/dev/null
  • ssh -o UserKnownHostsFile=/root/.ssh/known_hosts_custom1


Manually create known_hosts entry

A known_hosts entry contains a hostname (or host pattern) and the public host key of the remote server.

On the remote server server.example.com:

  • cat /etc/ssh/ssh_host_rsa_key.pub
    • ssh-rsa AAAAB3... root@server

On the local machine:

  • cat /home/joe/.ssh/known_hosts
    • server.example.com ssh-rsa AAAAB3...
  • known_hosts entries can be tied to ports
    • [server.example.com]:1234 ssh-rsa AAAAB3...
  • or even to remote ip addresses
    • TODO: add example.
  • These days, entries created automatically have the hostname hashed (HashKnownHosts yes)
    • |1|xxx|yyy ssh-rsa AAAAB3...

Other ways:

With access to the remote server (run on the server itself):

  • ssh-keyscan -H -t rsa -p 22 localhost
    • |1|xxxxxx=|yyyyyy= ssh-rsa zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
    • -H    Hash all hostnames and addresses in the output
    • -t    Key type: "dsa", "ecdsa", "ed25519" or "rsa"
    • Note: ssh-keyscan writes the server banner to stderr, e.g.:
      # localhost:222 SSH-2.0-OpenSSH_7.6p1

Without access to the remote server, scanning it over the network from the local machine (vulnerable to man-in-the-middle attacks):

  • ssh-keyscan -H -t rsa -p 22 remote-server.example.com

Add the known_hosts line on the local machine:

  • vi /home/joe/.ssh/known_hosts
    • remote-server.example.com ssh-rsa zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
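Added example (not part of the original cheatsheet): a small Python parser for the known_hosts forms listed above. It matches a host against plain entries, "host,ip" lists, "[host]:port" entries for non-standard ports and the hashed "|1|salt|hash" form (HMAC-SHA1 of the hostname keyed with the salt, both base64), and computes the SHA256 fingerprint that ssh-keygen -l prints, so the stored key can be compared with the output of ssh-keygen -l -f /etc/ssh/ssh_host_*_key.pub on the server. The sample file, the salt and the ed25519-shaped key blob are constructed placeholders, not real key material.

```python
# Added example (not from the original cheatsheet): parse OpenSSH known_hosts
# entries, find the ones that apply to a host:port, and fingerprint their keys.
# All sample data below is constructed; the key blob is not a real host key.
import base64
import hashlib
import hmac


def hash_hostname(hostname: str, salt: bytes) -> str:
    """Hashed host field as OpenSSH writes it: |1|b64(salt)|b64(HMAC-SHA1(salt, hostname))."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def host_field_for(hostname: str, port: int = 22) -> str:
    """Name OpenSSH looks up: bare hostname on port 22, "[hostname]:port" otherwise."""
    return hostname if port == 22 else "[%s]:%d" % (hostname, port)


def host_pattern_matches(pattern: str, lookup: str) -> bool:
    """Match one host field (comma-separated names/IPs, or a hashed entry) against lookup."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, _ = pattern.split("|", 3)
        expected = hash_hostname(lookup, base64.b64decode(salt_b64))
        return hmac.compare_digest(expected.encode(), pattern.encode())
    return lookup in pattern.split(",")


def fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint in the format ssh-keygen -l prints (base64, padding stripped)."""
    blob = base64.b64decode(key_b64)
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def parse_known_hosts_line(line: str):
    """Return (host_field, key_type, key_b64), or None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if fields[0].startswith("@"):  # marker such as @cert-authority or @revoked
        fields = fields[1:]
    if len(fields) < 3:
        raise ValueError("malformed known_hosts line: %r" % line)
    return fields[0], fields[1], fields[2]


def find_host_keys(known_hosts_text: str, hostname: str, port: int = 22):
    """List (key_type, fingerprint) for every entry that applies to hostname:port."""
    lookup = host_field_for(hostname, port)
    found = []
    for line in known_hosts_text.splitlines():
        parsed = parse_known_hosts_line(line)
        if parsed and host_pattern_matches(parsed[0], lookup):
            found.append((parsed[1], fingerprint(parsed[2])))
    return found


# Constructed sample data: an ed25519-shaped blob with placeholder bytes, and a
# fixed salt (OpenSSH draws 20 random bytes; fixed here so the example is reproducible).
KEY_B64 = base64.b64encode(
    b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32))).decode()
SALT = b"0123456789abcdefghij"
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts",
    "server.example.com,192.0.2.10 ssh-ed25519 " + KEY_B64,
    "[server.example.com]:1234 ssh-ed25519 " + KEY_B64,
    hash_hostname("backup.example.com", SALT) + " ssh-ed25519 " + KEY_B64,
])

if __name__ == "__main__":
    for host, port in [("server.example.com", 22), ("server.example.com", 1234),
                       ("192.0.2.10", 22), ("backup.example.com", 22), ("other.example.com", 22)]:
        print(host, port, find_host_keys(SAMPLE_KNOWN_HOSTS, host, port))
```

Note that a lookup for server.example.com on port 1234 only matches the "[server.example.com]:1234" line, and a hashed entry can only be matched by recomputing the HMAC with the stored salt, which is why hashed files cannot be grepped for a hostname.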

authorized_keys

https://man.openbsd.org/OpenBSD-current/man8/sshd.8#AUTHORIZED_KEYS_FILE_FORMAT

Note: command="uptime" must have double quotes!
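Added example (not part of the original cheatsheet): a Python parser for authorized_keys lines that enforces the quoting rule the note above points at, as sshd does: an option value such as command=... must be in double quotes, and inside the quotes commas and backslash-escaped quotes are allowed (so from="a,b" is one option, not two). The key blob used in the sample lines is a constructed ed25519-shaped placeholder, not a real key.

```python
# Added example (not from the original cheatsheet): parse authorized_keys lines
# with their leading option list, rejecting unquoted option values the way
# sshd(8) does. Sample key material below is a constructed placeholder.
import base64
import struct

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
             "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com")


def split_first_field(line: str):
    """Split off the first whitespace-delimited field, ignoring whitespace inside double quotes."""
    in_quotes = False
    i = 0
    while i < len(line):
        c = line[i]
        if c == "\\" and in_quotes and i + 1 < len(line):
            i += 2  # escaped character inside quotes
            continue
        if c == '"':
            in_quotes = not in_quotes
        elif c in " \t" and not in_quotes:
            return line[:i], line[i:].strip()
        i += 1
    return line, ""


def parse_options(opts: str) -> dict:
    """Parse 'command="uptime",no-pty,from="a,b"' into a dict; bare flags map to True."""
    result = {}
    i, n = 0, len(opts)
    while i < n:
        start = i
        while i < n and opts[i] not in "=,":
            i += 1
        name = opts[start:i]
        if not name:
            raise ValueError("empty option name in %r" % opts)
        value = True
        if i < n and opts[i] == "=":
            i += 1
            if i >= n or opts[i] != '"':  # the rule from the note: values need double quotes
                raise ValueError("value of option %r must be double-quoted" % name)
            i += 1
            buf = []
            while i < n and opts[i] != '"':
                if opts[i] == "\\" and i + 1 < n and opts[i + 1] == '"':
                    i += 1  # \" inside a quoted value stands for a literal quote
                buf.append(opts[i])
                i += 1
            if i >= n:
                raise ValueError("unterminated quoted value for option %r" % name)
            i += 1  # closing quote
            value = "".join(buf)
        if i < n:
            if opts[i] != ",":
                raise ValueError("expected ',' after option %r" % name)
            i += 1
        result[name] = value
    return result


def parse_authorized_key(line: str) -> dict:
    """Return {'options', 'type', 'key', 'comment'} for one line, or raise ValueError."""
    line = line.strip()
    if not line or line.startswith("#"):
        raise ValueError("blank or comment line")
    first, rest = split_first_field(line)
    if first in KEY_TYPES:
        options, key_part = {}, line  # no option list on this line
    else:
        options, key_part = parse_options(first), rest
    fields = key_part.split(None, 2)
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        raise ValueError("no key found in %r" % line)
    key_type, key_b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    blob = base64.b64decode(key_b64, validate=True)
    (type_len,) = struct.unpack(">I", blob[:4])  # blob starts with its own type string
    if blob[4:4 + type_len].decode() != key_type:
        raise ValueError("key type field does not match the encoded blob")
    return {"options": options, "type": key_type, "key": key_b64, "comment": comment}


def check_line(line: str):
    """Return None if the line's syntax is acceptable, otherwise the error message."""
    try:
        parse_authorized_key(line)
        return None
    except ValueError as exc:
        return str(exc)


# Constructed sample lines (placeholder key bytes, not a real key).
KEY_B64 = base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(32)).decode()
GOOD_LINE = 'command="uptime",no-pty,from="192.0.2.0/24,10.0.0.0/8" ssh-ed25519 ' + KEY_B64 + " joe@laptop"
BAD_LINE = "command=uptime ssh-ed25519 " + KEY_B64 + " joe@laptop"

if __name__ == "__main__":
    print(parse_authorized_key(GOOD_LINE))
    print("BAD_LINE:", check_line(BAD_LINE))
```

The unquoted command=uptime line is rejected with a message naming the option, which is the behaviour behind the "must have double quotes" note; a quoted from= list keeps its commas intact.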

Copy a file without scp