ssh Cheatsheet

Check ssh fingerprint of host

On the host:

  • cd /etc/ssh; for file in ssh_host_*_key.pub; do ssh-keygen -E md5 -lf "$file"; done

Prevent Timeouts

  • vi ~/.ssh/config
    • Host *
        ServerAliveInterval 60

Make life with non-standard ports easier

  • vi ~/.ssh/config
    • Host myhost.example.com
        Port 4321

Remote command

For staging, ignore spoofing and unknown-host warnings (this disables host key verification for the connection):

  • ssh -o "StrictHostKeyChecking=no" -o "UserKnownHostsFile=/dev/null" user@example.com

Chroot users into their home dir for sftp


Show keys, algorithms and key lengths

  • for keyfile in ~/.ssh/id_*; do ssh-keygen -l -f "${keyfile}"; done | uniq

Upgrade to safer, more recent SSH keys


  • ssh-keygen -o -a 100 -t ed25519
  • for keyfile in ~/.ssh/id_*; do ssh-keygen -l -f "${keyfile}"; done | uniq
  • ssh-add -l

Problems with gnome-keyring

Show sshd configuration

  • sshd -T

Use a separate, or no known_hosts file

  • ssh -o UserKnownHostsFile=/dev/null
  • ssh -o UserKnownHostsFile=/root/.ssh/known_hosts_custom1

Do not accept unknown hosts (don't ask)

Fail instead.

  • ssh -o StrictHostKeyChecking=yes user@example.com
    • No xxx host key is known for [example.com]:22 and you have requested strict checking.
      Host key verification failed.

Do not ask for password (key auth only)

Fail instead.

Manually create known_hosts entry

Basically the known_hosts entry contains a hostname and the public host key of the remote server.

On the remote server server.example.com:

  • cat /etc/ssh/ssh_host_rsa_key.pub
    • ssh-rsa AAAAB3... root@server

On the local machine:

  • cat /home/joe/.ssh/known_hosts
    • server.example.com ssh-rsa AAAAB3...
  • known_hosts entries can be tied to ports
    • [server.example.com]:1234 ssh-rsa AAAAB3...
  • or even to remote ip addresses
    • TODO: add example.
  • These days, if created automatically, the host information is hashed
    • |1|xxx|yyy ssh-rsa AAAAB3...
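
Added example (not part of the original cheatsheet): a small Python matcher for the first field of a known_hosts line, covering the entry styles listed above (plain name, comma-separated name and address, [host]:port, and the hashed |1|salt|hash form), plus fingerprints in the form ssh-keygen -l prints. The key blob, salt, host names and function names are constructed for this example.

```python
import base64, hashlib, hmac, re, struct

def host_token(host, port=22):
    """Name as ssh stores it: bare for port 22, otherwise [host]:port."""
    return host if port == 22 else f"[{host}]:{port}"

def hash_host(token, salt):
    """Hashed host field: |1|b64(salt)|b64(HMAC-SHA1(key=salt, msg=token))."""
    mac = hmac.new(salt, token.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def field_matches(field, host, port=22):
    """True if the first field of a known_hosts line covers host:port."""
    token = host_token(host, port)
    if field.startswith("|1|"):  # re-hash the candidate with the stored salt
        salt = base64.b64decode(field.split("|")[2])
        return hmac.compare_digest(hash_host(token, salt), field)
    # Plain field: comma-separated names/addresses; * and ? are wildcards.
    # Negated (!) patterns are not handled in this example.
    globs = (re.escape(p).replace(r"\*", ".*").replace(r"\?", ".") for p in field.split(","))
    return any(re.fullmatch(g, token) for g in globs)

def fingerprints(key_b64):
    """(SHA256, MD5) fingerprints in the form ssh-keygen -l prints them."""
    blob = base64.b64decode(key_b64)
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = hashlib.md5(blob).hexdigest()
    return "SHA256:" + sha, "MD5:" + ":".join(md5[i:i + 2] for i in range(0, 32, 2))

def lookup(lines, host, port=22):
    """(keytype, SHA256 fingerprint) of every entry that covers host:port."""
    hits = []
    for line in lines:
        parts = line.split()
        # Skip blanks, comments and @cert-authority / @revoked marker lines.
        if len(parts) < 3 or parts[0][0] in "#@":
            continue
        if field_matches(parts[0], host, port):
            hits.append((parts[1], fingerprints(parts[2])[0]))
    return hits

# Constructed sample data: a fake ed25519 key blob and four entry styles.
BLOB = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
KEY = base64.b64encode(BLOB).decode()
SALT = bytes(range(20))
SAMPLE = [
    f"server.example.com,192.0.2.10 ssh-ed25519 {KEY}",
    f"[server.example.com]:1234 ssh-ed25519 {KEY}",
    f"{hash_host('hidden.example.com', SALT)} ssh-ed25519 {KEY}",
    f"{hash_host('[hidden.example.com]:2222', SALT)} ssh-ed25519 {KEY}",
]
```

Comparing the SHA256 value returned by lookup() with the fingerprint read on the server itself is the check that makes a manually added entry trustworthy.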

Other ways:

Note: requires access to the remote server

With access to remote server:

  • ssh-keyscan -H -t rsa -p 22 localhost
    • |1|xxxxxx=|yyyyyy= ssh-rsa zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
    • -H: hash all hostnames and addresses in the output
    • -t: key type, one of “dsa”, “ecdsa”, “ed25519”, or “rsa”
    • Note: ssh-keyscan writes the server banner to stderr, for example:
      # localhost:222 SSH-2.0-OpenSSH_7.6p1

Without access, from the local machine (vulnerable to man-in-the-middle attacks):

  • ssh-keyscan -H -t rsa -p 22 remote-server.example.com

Add the known_hosts line on the local machine:

  • vi /home/joe/.ssh/known_hosts
    • remote-server.example.com ssh-rsa zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz