SSH - dejanu/linux GitHub Wiki

(config)# hostname ceva
(config)# ip domain-name altceva.com   // FQDN = Fully Qualified Domain Name (hostname + domain name); after these two commands it is ceva.altceva.com
(config)# crypto key generate rsa 2048
response: %SSH-5-enabled: SSH 1.99   // 1.99 means the router still accepts both protocol versions until version 2 is forced below
(config)# ip ssh version 2
// create a local database with user and password
(config)# username popescu secret cisco   // password stored as an MD5 hash
(config)# line vty 0 15
(config-line)# login local
// the default transport protocol is all
(config-line)# transport input ssh
(config-line)# transport output ssh

Which two steps are required before SSH can be enabled on a Cisco router?
Give the router a hostname and domain name.
Generate a set of secret keys to be used for encryption and decryption.


The ssh daemon is started when the init process executes the sshd init script, which is responsible for launching the sshd daemon.


SSH Login:

  • Password based
  • Public key based

! The private key must be readable only by its owner: chmod 600 private_key (or chmod 400 /home/youruser/keypair.pem) denies access to every other system user; ssh ignores a private key whose permissions are more open than that.

To authenticate using SSH keys, a user must have an SSH key pair (Public and Private key).

On the remote server, the list of public keys is (usually) kept in ~/.ssh/authorized_keys. The client connects to the remote server using the PRIVATE KEY: ssh -v -i ~/.ssh/id_rsa user@host

PKI: Private Key (used for decryption) Public Key (used for encryption)

https://kb.sos-berlin.com/display/PKB/Authentication+methods+for+SSH


Types:

  • A number of cryptographic algorithms can be used to generate SSH keys, e.g. RSA, DSA and ECDSA. RSA keys are generally the default ones.
  • Generate in PEM format (-----BEGIN RSA PRIVATE KEY-----):
ssh-keygen -t rsa -m PEM
  • Convert an existing key to PEM format (-----BEGIN RSA PRIVATE KEY-----); -p rewrites the key file in place and -N "" sets an empty passphrase:
ssh-keygen -p -N "" -m pem -f /home/username/.ssh/id_rsa
  • Add your SSH key to the ssh-agent:
eval "$(ssh-agent -s)"
ssh-add -K ~/.ssh/id_rsa   # -K stores the passphrase in the macOS keychain; on Linux use ssh-add ~/.ssh/id_rsa
# -----BEGIN OPENSSH PRIVATE KEY----- is not supported by the FTP adapter
# convert the key from the OpenSSH format (-----BEGIN OPENSSH PRIVATE KEY-----) to PEM format (-----BEGIN RSA PRIVATE KEY-----)

The SSH command execution shell is a non-interactive shell, whereas your normal shell is either a login shell or an interactive shell.


  • Login using another port besides 22: ssh user@host -p 26

  • Login and specify the location of the identity file: ssh -i sshkey.private user@localhost

  • Copy the public key (authorized key) to the server (the sshd machine): ssh-copy-id -i sshkey.public user@host

  • SSH can use either "RSA" (Rivest-Shamir-Adleman) or "DSA" (Digital Signature Algorithm) keys (ECDSA and Ed25519 are covered under SSH key algorithms below).

  • ssh-keygen -C "insert_comment" generates an RSA key pair: it asks for the file in which to store the private key, and the public key is stored in a file with the same name but .pub appended.
    On the client side, running ssh-keygen produces ~/.ssh/id_rsa (private key) and ~/.ssh/id_rsa.pub (public key).
    On the client side, run ssh-add ~/.ssh/private_key to add the SSH private key to the ssh authentication agent.
    On the server side, the public key goes into the file .ssh/authorized_keys.

  • SSH clients store the host keys of every host they have connected to, e.g. via ssh-keyscan -H github.com >> ~/.ssh/known_hosts or a simple ssh user@host -p port. These stored host public keys are called known host keys, and the collection is usually the file known_hosts in the ~/.ssh/ directory.

https://www.digitalocean.com/community/tutorials/how-to-configure-custom-connection-options-for-your-ssh-client


  1. The first time the client connects to a server, the server's key fingerprint (the identity of the server) is shown and, once accepted, added to ~/.ssh/known_hosts:
    ECDSA key fingerprint is SHA256:09asdd9dsfd09d1

  2. From the server's perspective, the admin controls the sshd server through /etc/ssh/sshd_config: ssh ports, whether root login is allowed, etc.
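Added example, not part of the wiki: a small Python lookup over a constructed known_hosts file that shows how the hashed entries written by ssh-keyscan -H (or HashKnownHosts yes) are matched, namely HMAC-SHA1 keyed with the salt carried in the |1|salt|hash field, and how the SHA256 fingerprint printed on first connect is derived from the key blob. The host key material is constructed, not a real key.

```python
import base64
import hashlib
import hmac
import struct

def _ssh_string(b):
    return struct.pack(">I", len(b)) + b

# Constructed host key blob (32 zero bytes, NOT a real Ed25519 key) so the sample runs offline.
FAKE_ED25519 = base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(b"\x00" * 32)).decode()

def hash_host(hostname, salt):
    """Hashed form written by ssh-keyscan -H / HashKnownHosts: |1|salt|HMAC-SHA1(salt, host)."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_matches(field, hostname):
    """Match hostname against the comma-separated host field (hashed or plain, no wildcards)."""
    for pattern in field.split(","):
        if pattern.startswith("|1|"):
            _, _, salt_b64, mac_b64 = pattern.split("|")
            salt = base64.b64decode(salt_b64)
            mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
            if hmac.compare_digest(mac, base64.b64decode(mac_b64)):
                return True
        elif pattern == hostname:  # hosts on a non-22 port are stored as [host]:port
            return True
    return False

def lookup_host_keys(known_hosts_text, hostname):
    """Return [(keytype, base64 key)] for every entry that matches hostname."""
    found = []
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):  # @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) >= 3 and host_matches(fields[0], hostname):
            found.append((fields[1], fields[2]))
    return found

def fingerprint(b64key):
    """SHA256 fingerprint as ssh prints it on first connect (unpadded base64 of the blob hash)."""
    digest = hashlib.sha256(base64.b64decode(b64key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

# Constructed known_hosts content: one plain entry and one hashed entry for target1.
SAMPLE_KNOWN_HOSTS = "\n".join([
    "github.com ssh-ed25519 " + FAKE_ED25519,
    hash_host("target1", b"0123456789abcdefghij") + " ssh-ed25519 " + FAKE_ED25519,
])
```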


Configuring OpenSSH server:

The ssh server uses /etc/ssh/sshd_config; general configuration:

Port 22
PermitRootLogin yes

# local address on which sshd should listen
ListenAddress host|IPv4_addr|IPv6_addr   # e.g. ListenAddress 192.168.0.100
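Added example, not from the wiki: a Python audit of the two sshd_config settings above, run over a constructed config. It applies sshd's own evaluation rules, which are easy to get wrong when reading a config by eye: the first value seen for a keyword wins (a later PermitRootLogin no does not override an earlier yes), keywords are case-insensitive, and everything after the first Match line is conditional. The sample and hardened configs are constructed, not taken from a real host.

```python
# Constructed sshd_config sample (not from a real host): the second PermitRootLogin
# line does NOT override the first one, because sshd uses the first value it sees.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
# local address on which sshd should listen
ListenAddress 192.168.0.100
PermitRootLogin no
ClientAliveInterval 120
Match User backup
    PermitRootLogin no
"""

# The same settings with the weak value corrected.
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin prohibit-password
ListenAddress 192.168.0.100
"""

def parse_sshd_config(text):
    """Effective global options: first value per keyword wins (keywords are
    case-insensitive) and everything after the first Match line is conditional."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        opts.setdefault(key, value)
    return opts

def audit_sshd_config(text):
    """Return findings for the two settings discussed above."""
    opts = parse_sshd_config(text)
    findings = []
    # OpenSSH's default since 7.0 is prohibit-password, so only an explicit 'yes' is flagged
    if opts.get("permitrootlogin", "prohibit-password").lower() == "yes":
        findings.append("PermitRootLogin yes: root can log in with a password; "
                        "use 'no' or 'prohibit-password'")
    if "listenaddress" not in opts:
        findings.append("no ListenAddress: sshd listens on every interface")
    return findings
```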

Configuring SSH Client:

  • The ssh client uses ~/.ssh/config to configure ssh on the host, e.g. to create aliases:
# config used to ssh through a jump server; usage: `$ ssh nfea21`

Host jumpserver.net
    User us81jt
    Hostname 10.44.38.218
    IdentitiesOnly yes
    IdentityFile /home/user/.ssh/user

Host nfea21
    User stdby08
    Hostname server.domain.intranet
    ProxyCommand ssh -q -W %h:%p jumpserver.net

  • Proxy command through the jumpserver:

$ ssh -q -J user@jumpserver user@remoteserver "curl http://localhost/health"

In order to use the -J flag, make sure you have OpenSSH 7.3p1 or later, otherwise you will get "unknown option -- J".

  • Connect directly to the destination server passing through the jumpserver:

# ssh -o ProxyCommand="ssh -i ~/.ssh/private_key -W %h:%p jumpserver" destinationserver

  • Prevent timeout (client side) by sending a "null packet" every 10 seconds:
    ssh -o ServerAliveInterval=10 user@host
  • Prevent timeout (server side) in /etc/ssh/sshd_config (the server probes the client every 120 seconds and drops the session after 720 consecutive missed replies):
ClientAliveInterval 120
ClientAliveCountMax 720
  • sshpass - utility designed to run SSH using the keyboard-interactive password authentication mode, but in a NON-INTERACTIVE way.
# from the shell (-p puts the password on the command line, where other users can read it with ps; -f passfile or the SSHPASS environment variable with -e avoid that)
sshpass -p 'my_pass_here' ssh user@host 'df -h'

# run a script stored on the local machine over ssh
ssh <user>@<host> python3 - arg1 arg2 < script_on_local_machine.py

# from a script
# StrictHostKeyChecking=no accepts an unknown host key without verification, so the host identity is not checked
sshpass -p 'my_pass_here' ssh -o StrictHostKeyChecking=no user@host

sshpass lets us supply the password (non-interactive password authentication) on the command line itself, so that automated shell scripts can run unattended.


ssh: Could not resolve hostname target1: Name or service not found

  • Add the entry 192.168.0.59 target1 to /etc/hosts for static name resolution: /etc/hosts overrides all nameservers by mapping hostnames/short names to IPs, while /etc/resolv.conf lists the nameservers your host uses for DNS resolution. If you are using DHCP, /etc/resolv.conf is populated automatically with the DNS servers issued by the DHCP server.

Check all available keys on your host: for key in ~/.ssh/id_*; do ssh-keygen -l -f "${key}"; done | uniq

SSH Keys algorithms

  • DSA (disabled by default since OpenSSH 7.0)
  • RSA (if the key is 1024 bits or shorter it is considered unsafe)
  • ECDSA (ok: the machine generates a random number for each signature; a predictable or reused one leaks the private key, which is why Ed25519's deterministic signatures are preferred)
  • Ed25519 (ok)
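Added example, not from the wiki: a Python parser for the public-key lines found in id_*.pub and authorized_keys (the lines the ssh-keygen -l loop above fingerprints). It decodes the SSH wire format, reports the algorithm and key size (for RSA the modulus length, which is what the 1024-bit rule refers to) and applies the list's rules. The ssh-rsa lines it builds for demonstration are constructed blobs of the right shape, not usable keys; authorized_keys lines with an options prefix are not handled.

```python
import base64
import struct

def _ssh_string(b):
    return struct.pack(">I", len(b)) + b
def _mpint(x):
    b = x.to_bytes((x.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:  # SSH mpints are signed: pad so the value stays positive
        b = b"\x00" + b
    return _ssh_string(b)
def _read_string(blob, off):
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def parse_pubkey_line(line):
    """Return (keytype, bits, comment) for one id_*.pub / authorized_keys line."""
    parts = line.split(None, 2)
    keytype, b64 = parts[0], parts[1]
    comment = parts[2].strip() if len(parts) > 2 else ""
    blob = base64.b64decode(b64)
    name, off = _read_string(blob, 0)
    if name.decode() != keytype:
        raise ValueError("key type field does not match the key blob")
    if keytype == "ssh-rsa":
        _e, off = _read_string(blob, off)  # public exponent
        n, off = _read_string(blob, off)   # modulus; its length is the key size
        bits = int.from_bytes(n, "big").bit_length()
    elif keytype == "ssh-dss":
        p, off = _read_string(blob, off)
        bits = int.from_bytes(p, "big").bit_length()
    elif keytype.startswith("ecdsa-sha2-nistp"):
        bits = int(keytype[len("ecdsa-sha2-nistp"):])
    elif keytype == "ssh-ed25519":
        bits = 256
    else:
        bits = 0
    return keytype, bits, comment

def assess(keytype, bits):
    """Apply the rules from the algorithm list above."""
    if keytype == "ssh-dss":
        return "unsafe: DSA is disabled by default since OpenSSH 7.0"
    if keytype == "ssh-rsa" and bits <= 1024:
        return "unsafe: RSA %d bits" % bits
    return "ok"

def constructed_rsa_line(bits, comment="constructed"):
    """Build a syntactically valid ssh-rsa line of the given size (NOT a usable key)."""
    n = (1 << (bits - 1)) | 1
    blob = _ssh_string(b"ssh-rsa") + _mpint(65537) + _mpint(n)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)
```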

Starting with 2.19.2, Git for Windows ships OpenSSH 7.9p1 (check with $ ssh -V; it was 7.7 before), and OpenSSH 7.8 changed the default ssh-keygen private key format from the classic OpenSSL PEM (64-character lines) to the OpenSSH format (70-character lines):

$ ssh-keygen -m PEM -t rsa -P "" -f id_rsa   # generate the old key format


SSH port forwarding


# Local port forwarding lets you reach a port on another server through the SSH server you log in to
ssh -L <local port>:<destination host>:<destination port> <user>@<ssh server>

# Local port forwarding through a jumpserver (remote, i.e. reverse, forwarding uses -R instead)
# |local host| <--> |jumpserver| <--> |SERVER|
ssh -L 3005:<SERVER>:3005 <USER>@<JUMPSERVER>