ssh - bunnyamin/bunnix GitHub Wiki

Server

Configuration

  • /etc/ssh/sshd_config
  • sshd -t: test mode. "Only check the validity of the configuration file and sanity of the keys. This is useful for updating SSHD reliably as configuration options may change." Run it before restarting sshd so a bad edit cannot lock you out.

Connection

Keep connection alive; prevent freezing.

# On server `/etc/ssh/sshd_config`
TCPKeepAlive yes
ClientAliveInterval 500
ClientAliveCountMax 1000

# On client `~/.ssh/ssh_config`
Host *
  ServerAliveInterval 100

If the value of ClientAliveInterval is greater than ServerAliveInterval then the server sends messages to the client console.

Permission

  • The user's home directory must not be writable by group or other: chmod go-w ~
  • The directory .ssh should be 700
  • The file .ssh/authorized_keys should be 600
  • The private key files should be 600
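An added check, not part of the wiki: this Python script audits a home directory against the four rules above (the same checks that produce the "bad ownership or modes" error listed under troubleshooting) and optionally repairs the modes. It assumes a POSIX filesystem; build_demo_home and its files are constructed for the demonstration.

```python
# Audit the ~/.ssh modes sshd's StrictModes enforces. Added example, not from the wiki.
import os
import stat
import tempfile
from pathlib import Path

GO_WRITE = stat.S_IWGRP | stat.S_IWOTH  # the bits `chmod go-w` clears

def _mode(path: Path) -> int:
    return stat.S_IMODE(path.lstat().st_mode)

def _is_private_key(path: Path) -> bool:
    """Private keys carry a PEM/OpenSSH header; .pub files, config and known_hosts do not."""
    head = path.read_bytes()[:64] if path.is_file() else b""
    return head.startswith(b"-----BEGIN") and b"PRIVATE KEY" in head

def audit_ssh_perms(home, fix: bool = False):
    """Return [(path, actual_mode, wanted_mode)] per violation; fix=True also chmods.
    Rules: home has no group/other write bit; .ssh is exactly 0700; authorized_keys
    and each private key have no group/other bits (0600, or 0400 as in the Key section)."""
    home, findings = Path(home), []

    def want(path: Path, wanted: int):
        actual = _mode(path)
        if actual != wanted:
            findings.append((str(path), actual, wanted))
            if fix:
                path.chmod(wanted)

    want(home, _mode(home) & ~GO_WRITE)
    ssh_dir = home / ".ssh"
    if not ssh_dir.is_dir():
        return findings
    want(ssh_dir, 0o700)
    for entry in sorted(ssh_dir.iterdir()):
        if entry.name == "authorized_keys" or _is_private_key(entry):
            want(entry, _mode(entry) & 0o700)
    return findings

def build_demo_home() -> Path:
    """Constructed sample: a throw-away home dir with every mode deliberately wrong."""
    home = Path(tempfile.mkdtemp())
    ssh_dir = home / ".ssh"
    ssh_dir.mkdir()
    (ssh_dir / "authorized_keys").write_text("ssh-ed25519 AAAAdemo demo@example\n")
    (ssh_dir / "id_ed25519").write_text("-----BEGIN OPENSSH PRIVATE KEY-----\n(demo)\n")
    (ssh_dir / "id_ed25519.pub").write_text("ssh-ed25519 AAAAdemo demo@example\n")
    for p, m in [(home, 0o777), (ssh_dir, 0o775), (ssh_dir / "authorized_keys", 0o664),
                 (ssh_dir / "id_ed25519", 0o644), (ssh_dir / "id_ed25519.pub", 0o644)]:
        os.chmod(p, m)
    return home
```

Running audit_ssh_perms(build_demo_home(), fix=True) reports the home directory, .ssh, authorized_keys and the private key; the .pub file is left alone because it is not secret.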

SystemD

  • /lib/systemd/system/sshd.service

With systemctl enable sshd.socket, sshd is started only when a connection is attempted, as described in the Arch Linux Wiki article on SSH.

OpenSSH 8.0p1-3 has removed support for the /systemd/system/sshd.socket due to it being susceptible to denial of service.

Event: Starting service
Error: Bind to port <PORT> on <IP> failed: Cannot assign requested address.
Cause: The IP address is not available.
Remedy: Wait for the network to assign an IP, or allow non-local addresses. See the answer by phemmer to the question "sshd failed due to network not yet available". For example, in sshd.service change After=network.target to After=network-online.target.

Setup

Proxy-jump, Multi-hop, jump connections

One-to-one connection

Server-side

  1. Configure the server's /etc/ssh/sshd_config.
  2. Log in to the account on the server that the client is going to use.
    • Create the file .ssh/authorized_keys if it does not exist.
    • Create a key pair if not using an existing one.
  3. Add the user's public key to ~/.ssh/authorized_keys of that account on the server.
    • If there is no terminal access to the server and the client at the same time:
      • ssh-copy-id -i ~/.ssh/pub/key user@<SERVER IP>
    • If there is terminal access to the server and the client at the same time:
      • Create or overwrite the file: cat <PUBLIC KEY> > ~/.ssh/authorized_keys
      • Append to the existing file: cat <PUBLIC KEY> >> ~/.ssh/authorized_keys
      • Open the file and paste the public key into it. Each row is one public key, in the same format as the public key file: ssh-ed25519 <PUBLIC KEY> <COMMENT>
  4. Ensure server host keys are generated for each algorithm used.
    • Directory: /etc/ssh/
    • If one or more key types already exist and are to be updated, remove them and then re-generate new keys:
      • ssh-keygen -A or systemctl restart sshdgenkeys.service
  5. Print the applicable server key fingerprint so it can be compared on the client. For example:
    • ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub

Key

Command, example, comment:

  • Key, change password: $ ssh-keygen -p [-P old_passphrase] [-N new_passphrase] -f ~/<FILE>
  • Key, copy to server: $ ssh-copy-id -n -i ~/<FILE> -p <PORT> <USER>@<IP, DOMAIN NAME> (-n is a dry run that only prints the keys that would be installed; omit it to actually copy)
  • Key, generate ED25519: $ ssh-keygen -t ed25519 -C "<COMMENT>" -f "<FILE>" (use ED25519 when backward compatibility is not required)
  • Key, generate fingerprint: $ ssh-keygen -lf ~/.ssh/key.pub
  • Key, generate public key from private key: $ ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub (reads a private OpenSSH-format file and prints the OpenSSH public key to stdout)
  • Key, generate RSA: $ ssh-keygen -t rsa -b 4096 -C "<COMMENT>" -f "<FILE>" (use RSA when backward compatibility is required)
  • Server keys, delete all: rm /etc/ssh/ssh_host_*_key*
  • Server keys, generate: ssh-keygen -A or systemctl restart sshdgenkeys.service

Make all locally stored keys read-only:

  • $ chmod 400 <PRIVATE KEY>
  • $ chmod 400 <PUBLIC KEY>

The keys could be read and write (600), but removing the write bit prevents accidentally overwriting them.

Client-side

  • Encrypted SOCKS tunnel: ssh -TND <PORT> <USER>@<SERVER> (-T: no pseudo-terminal, -N: no remote command, -D <PORT>: local SOCKS proxy on that port)

  • $ chmod 700 ~/.ssh/

Config

  • ~/.ssh/config
  Host user
    HostName server.local
    User user
    Port 22

Connect: ssh user

  • ~/.ssh/config (client options)
    HashKnownHosts no
    StrictHostKeyChecking yes
  • ~/.ssh/authorized_hosts
    • chmod 400

Connect to server

  1. Verify the server fingerprint.
    • Retrieve the server public key: ssh-keyscan -p <PORT> <SERVER>
    • Derive the fingerprint from the public key (OpenSSH >= 7.2): ssh-keyscan -p <PORT> <SERVER> | ssh-keygen -lf -
    • Compare it with the fingerprint printed on the server (ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub, see Server-side above). Only if they match, add the server key to ~/.ssh/known_hosts:
      • ssh-keyscan -H -p <PORT> <SERVER> >> ~/.ssh/known_hosts, or
      • if HashKnownHosts yes, re-hash the known hosts file: ssh-keygen -Hf ~/.ssh/known_hosts
  2. Log in to the server. For example:
    • ssh <USER>@<SERVER> -p <PORT>
    • ssh -F /<PATH TO ssh_config> -i /<PATH TO PRIVATE KEY> -p <PORT> <USER>@<IP, DOMAIN NAME>
    • ssh <NAME DEFINED IN ~/.ssh/config>
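An added example, not part of the wiki, of the verify-then-pin step above in Python: it computes the SHA256 fingerprint the way ssh-keygen -lf does, refuses to pin a key whose fingerprint differs from the one obtained out of band, and emits the hashed known_hosts line that ssh-keyscan -H produces. The ssh-keyscan line and key blob are constructed (documentation address 192.0.2.10, dummy key bytes), and the function names are my own.

```python
# Verify-then-pin a server host key. Added example, not from the wiki (mirrors ssh-keygen -lf / ssh-keyscan -H).
import base64
import hashlib
import hmac
import os

def _ssh_string(data: bytes) -> bytes:
    """SSH wire encoding of a string: 4-byte big-endian length, then the bytes."""
    return len(data).to_bytes(4, "big") + data
def parse_keyscan_line(line: str):
    """Split 'host keytype base64blob' and check the type embedded in the blob agrees."""
    host, keytype, b64 = line.split()[:3]
    blob = base64.b64decode(b64)
    embedded = blob[4:4 + int.from_bytes(blob[:4], "big")].decode()
    if embedded != keytype:
        raise ValueError(f"key type mismatch: {keytype} vs {embedded}")
    return host, keytype, blob

def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in OpenSSH's format: unpadded base64 of the blob's digest."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
def hashed_known_hosts_entry(host: str, keytype: str, blob: bytes, salt: bytes = None) -> str:
    """The '|1|salt|hmac-sha1(salt, host) keytype blob' line that ssh-keyscan -H writes."""
    salt = salt or os.urandom(20)
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    b64 = lambda b: base64.b64encode(b).decode()
    return f"|1|{b64(salt)}|{b64(mac)} {keytype} {b64(blob)}"

def hashed_entry_matches(entry: str, host: str) -> bool:
    """True if a hashed known_hosts entry was made for this host (how ssh looks it up)."""
    if not entry.startswith("|1|"):
        return False
    _, _, salt_b64, mac_b64 = entry.split()[0].split("|")
    salt = base64.b64decode(salt_b64)
    expected = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(expected, base64.b64decode(mac_b64))

def pin_host_key(keyscan_line: str, expected_fp: str) -> str:
    """Return the hashed entry to append to known_hosts, or raise if the fingerprint differs."""
    host, keytype, blob = parse_keyscan_line(keyscan_line)
    actual = fingerprint(blob)
    if not hmac.compare_digest(actual, expected_fp):
        raise ValueError(f"host key fingerprint mismatch for {host}: got {actual}")
    return hashed_known_hosts_entry(host, keytype, blob)

# Constructed sample (not a real server): an ssh-ed25519 blob with a dummy 32-byte key,
# in the '[host]:port' form that ssh-keyscan -p prints for a non-default port.
DEMO_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
DEMO_LINE = "[192.0.2.10]:2222 ssh-ed25519 " + base64.b64encode(DEMO_BLOB).decode()
```

pin_host_key(DEMO_LINE, fingerprint(DEMO_BLOB)) returns a line that can be appended to ~/.ssh/known_hosts; a wrong expected fingerprint raises instead of writing anything.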

Copy file

The destination directory must be writable by user@<IP>:

scp -i .ssh/prv/user\@<IP> -P 49999 /path/to/local/file/to.copy user@<IP>:/home/user

Mount as filesystem

sshfs -p <PORT>          \
  -F ~/.ssh/ssh_config   \
  -o debug               \
  -o IdentityFile=~/.ssh/prv/key \
  -o UserKnownHostsFile=~/.ssh/known_hosts \
  user@<IP>:/   \
  /mnt/

Unmount:

  • fusermount -u /mnt/

X11

Run a program on a remote server that has no graphical output and display it on a local client that does.

Set ForwardX11 yes in ~/.ssh/ssh_config on both the local and the remote computer, then connect with ssh -X or ssh -Y.

Debug

Test, example:

  • Is the SSH server port open? $ nc -zv <IP> <PORT>

Error, problem, troubleshooting

Event: Boot
Error: Bind to port <PORT> on <IP> failed: Cannot assign requested address.
Cause: sshd cannot bind the ListenAddress because network routing is not set up yet.
Remedy: Remove the ListenAddress or set up network routing.

Event: Connection
Error: Authentication refused: bad ownership or modes for directory ...
Remedy: Fix the permissions for the directory (see Permission above).

Error: mkdir: cannot create directory '.ssh': Permission denied
Cause: The permissions or ownership of the user's home directory or of .ssh are restricted, or the directory does not belong to the user.

Error: sh: .ssh/authorized_keys: Permission denied
Cause: The permissions or ownership of the user's home directory or of .ssh are restricted, or the directory does not belong to the user.

Event: Copy key to server
Error: Permission denied (publickey).
Cause: The server disables PasswordAuthentication, which prevents the remote login that ssh-copy-id needs. If a user is to copy their key to their account, they must be able to log in to that account.
Remedy: Ensure that the username is a valid account on the server, for example user@server.

Event: Login
Error:
WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ED25519 key sent by the remote host is
SHA256:abcdef0123456789abcdef0123456789abcdef01234.
Please contact your system administrator.
Add correct host key in ~/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in ~/.ssh/known_hosts:4
ED25519 host key for [<SERVER IP>]:<PORT> has changed and you have requested strict checking.
Host key verification failed.
Remedy: Confirm with the server administrator that the host key really was changed, then remove the stale entry with ssh-keygen -R [<SERVER IP>]:<PORT>, which reports:
# Host [<SERVER IP>]:<PORT> found: line 4
~/.ssh/known_hosts updated.
Original contents retained as ~/.ssh/known_hosts.old
Verify the new fingerprint before reconnecting (see Connect to server).

Event: Login
Error:
Agent admitted failure to sign using the key.
debug1: No more authentication methods to try.
Permission denied (publickey).
Remedy: ssh -T <~/.ssh/config name, alias>, and make sure the IdentityFile path to the public key is correct.

Event: Login
Error: No route to host.
Cause: The server is down, for example sleeping.
Remedy: Restart the server.

Event: ssh -p user@server
Error: Connection refused
Remedy: Ensure that the IP and port are not restricted in /etc/ssh/sshd_config and are not blocked by firewall rules.