
ssh.txt

Guest on 6th July 2022 08:57:07 AM

  1. Current file is compiled by Edmund Laugasson.
  2.  
  3. OpenSSH installation in Ubuntu Linux
  4. ************************************
  5. sudo apt-get update #update repositories
  6. sudo apt-get install ssh openssh-blacklist* -y #install packages
  7. sudo apt-get clean #clear the APT cache
  8.  
  9. these commands can be combined into one line (the next command will not run if the previous one fails):
  10. sudo apt-get update && sudo apt-get install ssh openssh-blacklist* -y && sudo apt-get clean
  11.  
  12. check installed ssh version:
  13. ssh -V
  14.  
  15. the ssh metapackage installs both the server and the client software
  16. search for more information:
  17. apt-cache search openssh | grep ssh
  18. apt search openssh | grep -w openssh # -w to filter full words only
  19. apt search ssh | grep ssh
  20.  
  21. view package descriptions:
  22. apt show ssh - secure shell client and server (metapackage)
  23. apt show openssh-server - secure shell (SSH) server, for secure access from remote machines
  24. apt show openssh-client - secure shell (SSH) client, for secure access to remote machines
  25. apt show openssh-blacklist - list of default blacklisted OpenSSH RSA and DSA keys
  26. apt show openssh-blacklist-extra - list of non-default blacklisted OpenSSH RSA and DSA keys
  27.  
  28. for GUI:
  29. apt show hotssh - graphical interface to secure shell
  30. apt show remmina - remote desktop client for GNOME desktop environment; RDP, VNC, NX, XDMCP and SSH protocols are supported
  31. apt show putty - Telnet/SSH client for X
  32. apt show putty-tools - command-line tools for SSH, SCP, and SFTP
  33.  
  34. managing many hosts at once:
  35. apt show mssh - tool to administrate multiple servers at once
  36. apt show mussh - MUltihost SSH Wrapper
  37. apt show clusterssh - administer multiple ssh or rsh shells simultaneously
  38. apt show pssh - parallel versions of SSH-based tools
  39.  
  40. other tools:
  41. apt show sshcommand - turn SSH into a thin client specifically for your command
  42. apt show scanssh - get SSH server versions for an entire network
  43. apt show sshuttle - transparent proxy server for VPN over SSH (search "Wise man VPN - sshuttle" to see further information below)
  44. apt show ssh-import-id - securely retrieve an SSH public key and install it locally
  45. apt show rssh - restricted shell allowing scp, sftp, cvs, svn, rsync or rdist
  46.  
  47. Please note the fingerprints of the OpenSSH server key files while installing it and store them securely for later use. On first login, compare the fingerprint the client shows with the one you recorded before answering yes, to make sure you are logging into the server you think you are and not into the host of a MITM (man-in-the-middle) attacker: https://en.wikipedia.org/wiki/Man-in-the-middle_attack
  48. The accepted host key will be added to the ~/.ssh/known_hosts file. See the section "Duplicates in ~/.ssh/known_hosts" below to find out more.
  49.  
  50. The OpenSSH settings and the generated host key files are in the /etc/ssh/ folder. See the section "Check server keys" below (use CTRL+F to search) for further information and for how to check the keys later.
  51.  
  52. Disabling host key checking
  53. ---------------------------
  54. If you are sure that this is harmless, either of the two methods below makes OpenSSH let you log in without checking the host key. Be warned that you are then vulnerable to man-in-the-middle attacks.
  55.  
  56. ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no user@IP
  57.  
  58. it is also possible to add the following to ~/.ssh/config:
  59. Host 192.168.0.*
  60.    StrictHostKeyChecking no
  61.    UserKnownHostsFile=/dev/null
  62.  
  63. http://linuxcommando.blogspot.com/2008/10/how-to-disable-ssh-host-key-checking.html
  64.  
  65. Using SSH key file log in
  66. *************************
  67.  
  68. Generate key pair
  69. -----------------
  70. Parameter -a sets the number of key-derivation (KDF) rounds used when the private key is encrypted with its passphrase (default value 16); more rounds make brute-force attacks on the passphrase slower. More reading: man ssh-keygen.
  71. It is always good to add a comment (-C) so that the system administrator can tell apart the people who have key-based login permission.
  72.  
  73. When generating key pair, there will be (replace keyfile with your keyfile name):
  74. ~/.ssh/keyfile - private key
  75. ~/.ssh/keyfile.pub - public key
  76.  
  77. Usually there will be (default names):
  78. ~/.ssh/id_ed25519 - private key
  79. ~/.ssh/id_ed25519.pub - public key
  80. ~/.ssh/id_rsa - private key
  81. ~/.ssh/id_rsa.pub - public key
  82.  
  83. Check your ~/.ssh/ folder what keys you have:
  84. ls -la ~/.ssh
  85.  
  86. RSA is based on the multiplication of two randomly chosen large prime numbers and on the hardness of factoring their product. The key length (-b) is the bit length of that product, the modulus.
  87.  
  88. Ed25519 is based on elliptic-curve cryptography; its security rests on the hardness of the elliptic-curve discrete logarithm problem (finding the scalar that maps one point on the curve to another).
  89. OpenSSH Server v6.5 or newer is required to use Ed25519, and it is the suggested key type.
  90.  
  91. --Ed25519--
  92. ssh-keygen -f ~/.ssh/keyfile -t ed25519 -a 1000 -C "FirstName SurName e-mail phone"
  93. .... replace keyfile with your desired key file name and also replace data between quotation marks with your real one.
  94.  
  95. Default rounds are 16
  96. https://github.com/openssh/openssh-portable/blob/94bc1e7ffba3cbdea8c7dcdab8376bf29283128f/sshkey.c#L69
  97.  
  98. --RSA--
  99. ssh-keygen -f ~/.ssh/keyfile -t rsa -o -a 1000 -b 4096 -C "FirstName SurName e-mail phone"
  100. .... replace keyfile with your desired key file name and also replace data between quotation marks with your real one.
  101.  
  102. -b bits - in case of RSA it is suggested to generate a key of at least 4096 bits
  103.  
  104. Copy key to server
  105. ------------------
  106. ssh-copy-id -i ~/.ssh/keyfile user@IP
  107. ...replace keyfile with your keyfile name, user with your real username and IP with your real IP or domain name (if applicable)
  108.  
  109. the content of the .pub file will be appended to the file ~/.ssh/authorized_keys on the remote server
  110.  
  111. Log in to server
  112. ----------------
  113. ssh -i ~/.ssh/keyfile user@IP
  114. ... the private key file given with -i is used to prove your identity; the server checks it against the .pub content copied into ~/.ssh/authorized_keys earlier.
  115. ...replace keyfile with your keyfile name, user with your real username and IP with your real IP or domain name (if applicable)
  116.  
  117. The first time you log in, you have to accept the server's public key, which will be written into the ~/.ssh/known_hosts file on the client machine.
  118.  
  119. Error "sign_and_send_pubkey: signing failed: agent refused operation"
  120. ---------------------------------------------------------------------
  121. add:
  122. eval $(ssh-agent -s)
  123. .. to the end of ~/.bashrc and reopen the session or load it with the source command (source ~/.bashrc)
  124. more reading
  125. https://askubuntu.com/questions/762541/ubuntu-16-04-ssh-sign-and-send-pubkey-signing-failed-agent-refused-operation
  126.  
  127. Duplicates in ~/.ssh/known_hosts
  128. --------------------------------
  129. search host:
  130. ssh-keygen -F host.example.org #shows the matching known_hosts line(s) with the stored key
  131. ssh-keygen -lF host.example.org #shows the SHA256 fingerprint
  132. ssh-keygen -lF host.example.org -E md5 #shows the MD5 fingerprint
  133.  
  134. ssh-keygen -R hostname
  135. ... will remove the entry for specified hostname
  136.  
  137. remove e.g. the 6th line
  138. sed -i '6d' ~/.ssh/known_hosts
  139.  
  140. sort ~/.ssh/known_hosts | uniq > ~/.ssh/known_hosts.uniq
  141. mv ~/.ssh/known_hosts{.uniq,}
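The sort | uniq approach above works but reorders the file. The following is an added example (not part of these notes) that removes exact duplicates while keeping the original order, keeps a backup, and preserves the restrictive file mode. The function names and the sample known_hosts content (placeholder key blobs, not real keys) are constructed for the demo.

```shell
#!/bin/bash
# Added example, not part of the original notes: remove exact duplicate
# entries from a known_hosts file while keeping the original order (sort |
# uniq reorders the file) and keeping a backup. Only whole-line repeats are
# dropped, so a host that legitimately has several entries (e.g. one RSA and
# one ED25519 key, or a hashed and an unhashed line) is left intact.

# dedupe_known_hosts FILE  -> rewrites FILE in place, backup in FILE.bak
dedupe_known_hosts() {
    local file="$1" tmp
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    tmp=$(mktemp) || return 1
    # keep the first occurrence of every non-blank line, in order
    awk 'NF == 0 { next } !seen[$0]++' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    cp -p "$file" "$file.bak" || { rm -f "$tmp"; return 1; }
    # keep the restrictive mode expected for files under ~/.ssh
    chmod 600 "$tmp" && mv "$tmp" "$file"
}

# count_entries FILE -> number of non-blank lines
count_entries() {
    awk 'NF > 0 { n++ } END { print n + 0 }' "$1"
}

# demo_dedupe: runs the dedupe on a constructed known_hosts (the key blobs
# are placeholders, not real keys) and prints the resulting file
demo_dedupe() {
    local f
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
host.example.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYONE
host.example.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDERKEYTWO
host.example.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYONE

192.168.0.10 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYPLACEHOLDERKEYTHREE
host.example.org ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDERKEYTWO
EOF
    echo "entries before: $(count_entries "$f")" >&2
    dedupe_known_hosts "$f" || { rm -f "$f"; return 1; }
    echo "entries after:  $(count_entries "$f")" >&2
    cat "$f"
    rm -f "$f" "$f.bak"
}

demo_dedupe
# real use: dedupe_known_hosts ~/.ssh/known_hosts
```

The demo keeps three of the five constructed lines: the two repeated entries and the blank line are dropped, and the ED25519 and RSA entries of the same host both survive because they differ as whole lines.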
  142.  
  143. Manage known_hosts hashing
  144. ---------------------------
  145. ~/.ssh/config (per user) or /etc/ssh/ssh_config (system-wide client defaults); this is a client option, so it does not belong in sshd_config:
  146. HashKnownHosts yes
  147.  
  148. More about ~/.ssh/config file can be found at man ssh_config and https://linux.die.net/man/5/ssh_config
  149.  
  150. https://serverfault.com/questions/233855/why-should-i-use-hashknownhosts-yes-in-ssh-config
  151.  
  152. https://unix.stackexchange.com/questions/338535/how-to-clear-duplicated-entries-in-ssh-known-hosts-and-authorized-keys-files
  153. https://askubuntu.com/questions/446878/why-do-ive-two-entries-per-server-in-known-hosts-file
  154.  
  155. Host-based authentication - https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Host-based_Authentication
  156. Client configuration files https://en.wikibooks.org/wiki/OpenSSH/Client_Configuration_Files
  157.  
  158. Check server keys (fingerprints) - get information about existing SSH keys
  159. --------------------------------------------------------------------------
  160. Here you can retrieve your OpenSSH server key fingerprints.
  161. https://en.wikipedia.org/wiki/Public_key_fingerprint
  162. In public-key cryptography, a public key fingerprint is a short sequence of bytes used to identify a longer public key. Fingerprints are created by applying a cryptographic hash function to a public key. Since fingerprints are shorter than the keys they refer to, they can be used to simplify certain key management tasks. In Microsoft software, "thumbprint" is used instead of "fingerprint".
  163.  
  164. Local SSH keys
  165. --------------
  166. SHA 256-bit format (for Linux), server keys (default is SHA256, please see man ssh-keygen and search -E):
  167. for i in /etc/ssh/*.pub; do ssh-keygen -lf $i; done | uniq
  168. user keys:
  169. for i in ~/.ssh/*.pub; do ssh-keygen -lf $i; done | uniq
  170.  
  171. MD5 format (for MS Windows), server keys:
  172. for i in /etc/ssh/*.pub; do ssh-keygen -lf $i -E md5; done | uniq
  173. user keys:
  174. for i in ~/.ssh/*.pub; do ssh-keygen -lf $i -E md5; done | uniq
  175.  
  176. Please note that -E md5 was added in OpenSSH 6.8
  177. https://superuser.com/questions/929566/sha256-ssh-fingerprint-given-by-the-client-but-only-md5-fingerprint-known-for-se
  178.  
  179. SHA256 for old OpenSSH:
  180. for i in /etc/ssh/*.pub; do awk '{print $2}' $i | base64 -d | sha256sum -b | awk '{print $1}' | xxd -r -p | base64 | cut -d'=' -f1; done | uniq
  181.  
  182. the script for OpenSSH versions prior to 6.8:
  183. http://enos.itcollege.ee/~edmund/materials/ssh/ssh-fingerprint-server-bbd-oldssh.sh
  184.  
  185. --
  186. awk '{print $2}' /etc/ssh/*.pub | base64 -d | sha256sum -b | awk '{print $1}' | xxd -r -p | base64
  187.  
  188. strip the "=" padding that base64 re-encoding adds (OpenSSH prints fingerprints without it):
  189. awk '{print $2}' /etc/ssh/*.pub | base64 -d | sha256sum -b | awk '{print $1}' | xxd -r -p | base64 | cut -d'=' -f1
  190. https://stackoverflow.com/questions/5074893/how-to-remove-the-last-character-from-a-bash-grep-output
  191. ----
  192. Display easy to memorize bubblebabble digest (please see man ssh-keygen and search -B):
  193. for i in /etc/ssh/*.pub; do ssh-keygen -B -f $i; done #server keys
  194. for i in ~/.ssh/*.pub; do ssh-keygen -B -f $i; done #user keys
  195. . . .
  196.  
  197. There is also a script that retrieves the OpenSSH server key fingerprints in two formats and prints them as a table:
  198. wget -q http://enos.itcollege.ee/~edmund/materials/ssh-fingerprint-server.sh
  199.  
  200. run the script:
  201. source ssh-fingerprint-server.sh
  202. OR
  203. chmod +x ssh-fingerprint-server.sh #set execution bit
  204. ./ssh-fingerprint-server.sh #execute
  205.  
  206. combine into one line:
  207. wget -q http://enos.itcollege.ee/~edmund/materials/ssh-fingerprint-server.sh && source ssh-fingerprint-server.sh
  208.  
  209. you should see something like this:
  210. +---------+-----------------------------------------------------+
  211. | Cipher  | Fingerprint                                         |
  212. +---------+-----------------------------------------------------+
  213. | RSA     | MD5:e6:ea:b2:8a:6f:53:e5:97:91:ac:c5:c1:3d:e5:d7:65 |
  214. | RSA     | SHA256:ePQggSM04TG1/0ZliIY20wvrd6KR/ghDT6Ox0v1fclk  |
  215. +---------+-----------------------------------------------------+
  216. | DSA     | MD5:68:d8:9e:9e:18:62:06:6e:83:6d:71:b2:84:34:9c:e3 |
  217. | DSA     | SHA256:S3LTipzixBSl+2HDxJCfkYlHGK6xdUopfQmlY6K4BVk  |
  218. +---------+-----------------------------------------------------+
  219. | ECDSA   | MD5:cf:ac:75:e5:8a:f8:79:68:fa:b6:e7:d0:bd:46:17:c1 |
  220. | ECDSA   | SHA256:ZsGX+qLwymuHX4wVxQ9fN3YcR7+AEBhOnclVquvbky4  |
  221. +---------+-----------------------------------------------------+
  222. | ED25519 | MD5:9e:12:cc:f1:78:7f:9b:19:f7:bf:80:83:05:99:58:ec |
  223. | ED25519 | SHA256:DMEHOVEM+aHQf7ghkmcFuHAoHh2vb+2222ZepNKioF0  |
  224. +---------+-----------------------------------------------------+
  225.  
  226. another option:
  227. wget -q http://enos.itcollege.ee/~edmund/materials/ssh/ssh-fingerprint-server-bbd.sh && source ssh-fingerprint-server-bbd.sh
  228.  
  229. +---------+--------------------------------------------------------------------+
  230. | Cipher  | Fingerprint                                                        |
  231. +---------+--------------------------------------------------------------------+
  232. | RSA     | MD5:e6:ea:b2:8a:6f:53:e5:97:91:ac:c5:c1:3d:e5:d7:65                |
  233. | RSA     | SHA256:ePQggSM04TG1/0ZliIY20wvrd6KR/ghDT6Ox0v1fclk                 |
  234. | RSA     | xusoz-zacyz-nogen-hiven-helif-cefik-cecap-fobur-dehok-bopak-zaxux  |
  235. +---------+--------------------------------------------------------------------+
  236. | DSA     | MD5:68:d8:9e:9e:18:62:06:6e:83:6d:71:b2:84:34:9c:e3                |
  237. | DSA     | SHA256:S3LTipzixBSl+2HDxJCfkYlHGK6xdUopfQmlY6K4BVk                 |
  238. | DSA     | xiceb-tafem-maryc-gyvit-lymol-sufez-vonak-lusaf-rymym-mydem-vaxux  |
  239. +---------+--------------------------------------------------------------------+
  240. | ECDSA   | MD5:cf:ac:75:e5:8a:f8:79:68:fa:b6:e7:d0:bd:46:17:c1                |
  241. | ECDSA   | SHA256:ZsGX+qLwymuHX4wVxQ9fN3YcR7+AEBhOnclVquvbky4                 |
  242. | ECDSA   | xeras-fakiv-bosus-kusim-sabic-ninod-sybyp-rudil-hogyb-kupym-gyxux  |
  243. +---------+--------------------------------------------------------------------+
  244. | ED25519 | MD5:9e:12:cc:f1:78:7f:9b:19:f7:bf:80:83:05:99:58:ec                |
  245. | ED25519 | SHA256:DMEHOVEM+aHQf7ghkmcFuHAoHh2vb+2222ZepNKioF0                 |
  246. | ED25519 | xikel-devyg-cetop-ryced-hecuv-fopon-lyzec-bevek-gonuc-tysyb-voxyx  |
  247. +---------+--------------------------------------------------------------------+
  248.  
  249. The third line of each block is the easy-to-memorize bubblebabble digest. See man ssh-keygen and search for bubblebabble.
  250.  
  251. original script retrieved from https://superuser.com/questions/929566/sha256-ssh-fingerprint-given-by-the-client-but-only-md5-fingerprint-known-for-sex
  252.  
  253. . . .
  254.  
  255. Random art + fingerprint of keys:
  256. server keys:
  257. for i in /etc/ssh/*.pub; do ssh-keygen -lv -E sha256 -f $i; done
  258. for i in /etc/ssh/*.pub; do ssh-keygen -lv -E md5 -f $i; done
  259.  
  260. user keys:
  261. for i in ~/.ssh/*.pub; do ssh-keygen -lv -E sha256 -f $i; done
  262. for i in ~/.ssh/*.pub; do ssh-keygen -lv -E md5 -f $i; done
  263.  
  264. remote host keys stored locally:
  265. ssh-keygen -lv -f ~/.ssh/known_hosts -E sha256
  266. ssh-keygen -lv -f ~/.ssh/known_hosts -E md5
  267.  
  268. Random art only
  269. server keys:
  270. for i in /etc/ssh/*.pub; do ssh-keygen -lv -E sha256 -f $i | grep -v -w "256 SHA256" | grep -v -w "1024 SHA256" | grep -v -w "2048 SHA256" ; done
  271.  
  272. for i in /etc/ssh/*.pub; do ssh-keygen -lv -E md5 -f $i | grep -v "256 MD5" | grep -v "1024 MD5" | grep -v "2048 MD5" ; done
  273.  
  274. user keys:
  275. for i in ~/.ssh/*.pub; do ssh-keygen -lv -E sha256 -f $i | grep -v -w "256 SHA256" | grep -v -w "1024 SHA256" | grep -v -w "2048 SHA256" ; done
  276.  
  277. for i in ~/.ssh/*.pub; do ssh-keygen -lv -E md5 -f $i | grep -v "256 MD5" | grep -v "1024 MD5" | grep -v "2048 MD5" ; done
  278.  
  279. Querying SSH key fingerprints from server
  280. ------------------------------------------
  281. Retrieve all host public keys (the server's keys) from a remote host:
  282. ssh-keyscan host.example.org
  283.  
  284. getting fingerprints from remote host:
  285. ssh-keyscan host.example.org | ssh-keygen -lf - #all keys
  286. ssh-keyscan -t ecdsa host.example.org | ssh-keygen -lf - #specifying type
  287.  
  288. specify types:
  289. ssh-keyscan -t rsa host.example.org #one type
  290. ssh-keyscan -t rsa,dsa,ecdsa,ed25519 host.example.org #all types
  291.  
  292. hashing hostname:
  293. ssh-keyscan -t rsa -H host.example.org
  294.  
  295. NB! If the ~/.ssh/known_hosts file is constructed using ssh-keyscan without verifying the keys, users will be vulnerable to man in the middle attacks.  On the other hand, if the security model allows such a risk, ssh-keyscan can help in the detection of tampered keyfiles or man in the middle attacks which have begun after the ~/.ssh/known_hosts file was created. (citation with corrections from man ssh-keyscan, search SECURITY)
  296.  
  297. Compare SSH hashes
  298. ------------------
  299. create a script, e.g. with name compare.sh
  300.  
  301. #!/bin/sh
  302. #
  303. # Script compiled by Edmund Laugasson
  304. #
  305. # The following script will compare hashes to ensure
  306. # we are logging into appropriate SSH server
  307. #
  308. # Run the current script by command
  309. # source script.sh (replace "script" with real file name)
  310. #
  311. # Usually querying from Linux will give the fingerprint using ECDSA algorithm
  312. # and from MS Windows MD5 fingerprint.
  313. # Compare fingerprints in same format and by same algorithm.
  314. # Same applies to key hashes or whatever else there will be compared.
  315. #
  316. # Querying the appropriate key fingerprint from server can be done e.g.:
  317. # ssh-keyscan -t <algorithm> <IP> | ssh-keygen -lf -
  318. # replace <algorithm> with ecdsa, rsa, ed25519 and <IP> with real server IP-address
  319. #
  320. # To query all available fingerprints:
  321. # ssh-keyscan <IP> | ssh-keygen -lf -
  322. #
  323. # Certainly you can compare whatever else, e.g. public key hashes
  324. # You can query all available public keys hash e.g.
  325. # ssh-keyscan <IP>
  326. #
  327. # or by specifying type:
  328. # ssh-keyscan -t <algorithm> <IP>
  329. # replace <algorithm> with ecdsa, rsa, ed25519 and <IP> with real server IP-address
  330. #
  331. # So, below the "hash" means either fingerprint or hash of SSH key.
  332. # Certainly there can be compared almost any strings.
  333. #
  334. #
  335. hash1="" #put the hash between quotation marks you got from server administrator
  336. hash2="" #put the hash between quotation marks you queried directly from server
  337. if [ "$hash1" = "$hash2" ] # use = rather than ==: the script runs under /bin/sh, where == is not portable
  338. then
  339.   echo "Compared values are the same. If these were either fingerprints or hashes of remote computer then it is safe to log in!"
  340. else
  341.   echo "Compared values are NOT the same, it must be investigated further!"
  342. fi
  343.  
  344.  
  345.  
  346. then run the script:
  347. source compare.sh
  348. or make it executable (chmod +x compare.sh) and run it (./compare.sh)
  349.  
  350. * * *
  351.  
  352. Another option to check (compare) key fingerprints
  353. --------------------------------------------------
  354.  
  355. If the fingerprint has already been trusted, extract the trusted fingerprint from the ~/.ssh/known_hosts file:
  356.  
  357. ssh-keygen -F host.example.org | ssh-keygen -lf - | cut -d':' -f2 | rev | cut -d'|' -f4 | rev
  358.  
  359. ... the first part prints the public key of host.example.org as stored in ~/.ssh/known_hosts
  360. ... the second part computes the fingerprint of that public key, but the output contains additional unnecessary fields
  361. ... the third part removes the unnecessary fields from the beginning (-d defines the delimiter symbol and -f tells which field to keep)
  362. ... the fourth part reverses the line
  363. ... the fifth part again removes unnecessary fields from the (now reversed) beginning
  364. ... the sixth part reverses the line back into the correct order
  365.  
  366. Determine public keys in known_hosts file
  367. ssh-keygen -lf ~/.ssh/known_hosts #will list key strength in bits, hash algorithm, fingerprint, hostname (or its hash), key algorithm
  368.  
  369. ssh-keygen -lf ~/.ssh/known_hosts -F host.example.org #will list only matching line(s) in SHA256
  370. ssh-keygen -lF host.example.org #will list only matching line(s) in SHA256
  371. ssh-keygen -lF host.example.org -E md5 #will list only matching line(s) in MD5
  372. ---
  373.  
  374. To remove key from trusted host list ~/.ssh/known_hosts:
  375.  
  376. ssh-keygen -R host.example.org
  377.  
  378. If to add into ~/.ssh/config file:
  379. HashKnownHosts no
  380. ... then all host keys accepted in the future will be recorded into ~/.ssh/known_hosts without hashing and the hostnames will be readable
  381.  
  382. ssh-keygen -H #will hash the ~/.ssh/known_hosts content again
  383.  
  384. More reading
  385. https://blog.rootshell.be/2010/11/03/bruteforcing-ssh-known_hosts-files/
  386. https://unix.stackexchange.com/questions/175071/how-to-decrypt-hostnames-of-a-crypted-ssh-known-hosts-with-a-list-of-the-hostna
  387. ---
  388.  
  389. VARIANT 1
  390.  
  391. If you have not yet logged in and no entry is in ~/.ssh/known_hosts then you can query host fingerprint like described previously in chapter "Querying SSH key fingerprints from server":
  392.  
  393. ssh-keyscan -t ecdsa host.example.org | ssh-keygen -lf - | cut -d':' -f2 | rev | cut -d' ' -f3 | rev
  394.  
  395. To get only a fingerprint and not a comment, let's write result into temporary file:
  396. ssh-keyscan -t ecdsa host.example.org | ssh-keygen -lf - | cut -d':' -f2 | rev | cut -d' ' -f3 | rev > /tmp/var1
  397.  
  398. ---
  399.  
  400. VARIANT 2 (suggested)
  401.  
  402. Take the server fingerprints from the system administrator. It may be that you are that person, in which case you may want to keep your fingerprints publicly accessible so they can be checked whenever needed. Here is one example: http://upload.itcollege.ee/edmund/ova/ubuntu/server-fingerprints.txt
  403.  
  404. wget -O- -q http://upload.itcollege.ee/edmund/ova/ubuntu/server-fingerprints.txt | grep ECDSA | grep SHA256 | cut -d':' -f2 | rev | cut -d' ' -f18 | rev
  405.  
  406. you may want to send its value to file for later variable creation:
  407.  
  408. wget -O- -q http://upload.itcollege.ee/edmund/ova/ubuntu/server-fingerprints.txt | grep ECDSA | grep SHA256 | cut -d':' -f2 | rev | cut -d' ' -f18 | rev > /tmp/var2
  409.  
  410. ... the first part downloads the given file and writes it to the file given with -O, where - means standard output, and -q means quiet (do not show the download progress or possible errors). In that way we display an online file on standard output, i.e. in the command line, without storing it on disk.
  411. ... the second part filters the ECDSA lines from the downloaded file with grep
  412. ... the third part in turn filters the SHA256 line with grep
  413. ... the fourth part cuts the unnecessary part from the beginning (-d defines the delimiter symbol and -f tells which field); the remaining rev, cut and rev parts pick the fingerprint field from the end of the line, as in variant 1
  414.  
  415. ---
  416.  
  417. Compare
  418. --------
  419. In the current example we use enos.itcollege.ee as the server. Replace it with the real one you have.
  420. Trusted source of fingerprints http://enos.itcollege.ee/ssh-fingerprints.txt
  421.  
  422. var1
  423. from  ~/.ssh/known_hosts:
  424. ssh-keygen -F enos.itcollege.ee | ssh-keygen -lf - | cut -d':' -f2 | rev | cut -d'|' -f4 | rev
  425. OR
  426. from server directly
  427. ssh-keyscan -t ecdsa enos.itcollege.ee | ssh-keygen -lf - | cut -d':' -f2 | rev | cut -d' ' -f3 | rev > /tmp/var1
  428.  
  429. var2
  430. trusted source of server key fingerprints:
  431. wget -O- -q http://enos.itcollege.ee/ssh-fingerprints.txt | grep ECDSA | grep SHA256 | cut -d':' -f2 | rev | cut -d' ' -f18 | rev > /tmp/var2
  432.  
  433. ---
  434. Set temporary variables
  435.  
  436. var1=$( ssh-keygen -F enos.itcollege.ee | ssh-keygen -lf - | cut -d':' -f2 | rev | cut -d'|' -f4 | rev )
  437. OR
  438. var1=$( cat /tmp/var1 )
  439.  
  440. var2=$( cat /tmp/var2 )
  441.  
  442. Compare variables:
  443. if [ -n "$var1" ] && [ "$var1" = "$var2" ]; then clear; echo "Fingerprints CAN be trusted. It IS SUGGESTED to log in."; else clear; echo "Fingerprints CANNOT be trusted. It is NOT SUGGESTED to log in."; fi #quoting protects against empty values; -n makes two empty (failed) lookups not count as a match
  444.  
  445. Also can be used to directly log in:
  446. if [ -n "$var1" ] && [ "$var1" = "$var2" ]; then clear; echo "Fingerprints CAN be trusted. Logging in."; ssh student@enos.itcollege.ee; else clear; echo "Fingerprints CANNOT be trusted. It is NOT SUGGESTED to log in."; fi
  447.  
  448. Clean up
  449. The temporary files created in the /tmp/ folder can be deleted manually later (e.g. rm /tmp/var*); otherwise they are removed automatically on reboot or shutdown, as Ubuntu Linux clears the /tmp folder then. The temporary variables are not stored anywhere and another terminal session does not see them, so there is nothing to clean up for them.
  450.  
  451. for scripts:
  452. test -n "$var1" && test "$var1" = "$var2" #compare values (non-empty and equal)
  453. echo $? #check the result: 0 if the values are the same, otherwise 1 - can be used in an if statement
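The compare.sh script, the "Another option" section and variants 1 and 2 above all end up comparing two fingerprint strings that were extracted with cut/rev chains, which break as soon as a hostname or comment contains an extra space or colon. As an added example (not from these notes), the following selects the fingerprint by key type from "ssh-keygen -l" style output instead, and distinguishes "mismatch" from "nothing to compare" so an empty lookup can never pass as a match. The inputs are constructed: the server side reuses fingerprints from the table above as if they came from ssh-keyscan | ssh-keygen -lf -, the trusted side is a list the administrator is assumed to have published in the same format, and the function names are mine.

```shell
#!/bin/bash
# Added example, not part of the original notes: verify a server's host key
# fingerprint against a trusted list before the first login.
# Both inputs are in the format printed by "ssh-keygen -l" (one key per line):
#   <bits> SHA256:<fingerprint> <comment or hostname> (<KEYTYPE>)
# The server side comes from:   ssh-keyscan host.example.org | ssh-keygen -lf -
# The trusted side is what the administrator published, e.g. the output of
# "ssh-keygen -lf /etc/ssh/ssh_host_*.pub" run on the server itself.

# Constructed sample of "ssh-keyscan | ssh-keygen -lf -" output (values are
# the fingerprints shown in the table above, reused as sample data).
SAMPLE_SERVER='256 SHA256:DMEHOVEM+aHQf7ghkmcFuHAoHh2vb+2222ZepNKioF0 host.example.org (ED25519)
256 SHA256:ZsGX+qLwymuHX4wVxQ9fN3YcR7+AEBhOnclVquvbky4 host.example.org (ECDSA)'

# Constructed trusted list: ED25519 matches, ECDSA deliberately differs, RSA
# is listed only here (no RSA key was offered by the "server").
SAMPLE_TRUSTED='256 SHA256:DMEHOVEM+aHQf7ghkmcFuHAoHh2vb+2222ZepNKioF0 root@host (ED25519)
256 SHA256:S3LTipzixBSl+2HDxJCfkYlHGK6xdUopfQmlY6K4BVk root@host (ECDSA)
3072 SHA256:ePQggSM04TG1/0ZliIY20wvrd6KR/ghDT6Ox0v1fclk root@host (RSA)'

# fingerprint_of KEYTYPE  (reads ssh-keygen -l lines on stdin)
# Prints the SHA256 fingerprint of the first key of that type, selecting by
# the "(KEYTYPE)" suffix instead of counting columns with cut/rev, so a
# hostname or comment containing spaces or colons cannot shift the field.
fingerprint_of() {
    awk -v want="$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')" '
        $2 ~ /^SHA256:/ {
            t = $NF
            gsub(/[()]/, "", t)
            if (toupper(t) == want) { print $2; exit }
        }'
}

# verify_host_key SERVER_LINES TRUSTED_LINES KEYTYPE
# exit status: 0 = fingerprints match, 1 = mismatch (possible MITM or re-keyed
# host, investigate), 2 = key type missing on one side (nothing to compare)
verify_host_key() {
    local server trusted
    server=$(printf '%s\n' "$1" | fingerprint_of "$3")
    trusted=$(printf '%s\n' "$2" | fingerprint_of "$3")
    if [ -z "$server" ] || [ -z "$trusted" ]; then
        return 2
    fi
    [ "$server" = "$trusted" ]
}

# report KEYTYPE: human-readable verdict for the constructed samples
report() {
    local rc=0
    verify_host_key "$SAMPLE_SERVER" "$SAMPLE_TRUSTED" "$1" || rc=$?
    case $rc in
        0) echo "$1: fingerprints match, safe to log in" ;;
        1) echo "$1: fingerprints DIFFER, do NOT log in until investigated" ;;
        *) echo "$1: no fingerprint of this type to compare" ;;
    esac
    return $rc
}

for t in ED25519 ECDSA RSA; do
    report "$t" || true
done
```

In real use the first argument would be "$(ssh-keyscan -t ed25519 host.example.org | ssh-keygen -lf -)" and the second the published list fetched with wget -O- -q as in variant 2; only exit status 0 should be followed by an ssh login.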
  454.  
  455. For final result, check the scripts:
  456.  
  457.  
  458. about exit codes:
  459. http://tldp.org/LDP/abs/html/exitcodes.html
  460. http://tldp.org/LDP/abs/html/exit-status.html
  461. https://www.gnu.org/software/bash/manual/html_node/Exit-Status.html
  462. http://bencane.com/2014/09/02/understanding-exit-codes-and-how-to-use-them-in-bash-scripts/
  463. https://askubuntu.com/questions/892604/meaning-of-exit-0-exit-1-and-exit-2-in-a-bash-script
  464. https://www.shellscript.sh/exitcodes.html
  465. https://unix.stackexchange.com/questions/308207/exit-code-at-the-end-of-a-bash-script
  466.  
  467. http://tldp.org/LDP/abs/html/comparison-ops.html
  468. https://stackoverflow.com/questions/7225745/why-is-my-bash-string-comparison-of-two-identical-strings-always-false
  469. https://www.ibm.com/developerworks/library/l-bash-test/
  470.  
  471. * * *
  472.  
  473. Combining together: remote key with random art
  474. ----------------------------------------------
  475. one key:
  476. sha256: ssh-keyscan -t rsa host.example.org | ssh-keygen -lv -f -
  477. md5:  ssh-keyscan -t rsa host.example.org | ssh-keygen -lv -E md5 -f -
  478.  
  479. all keys:
  480. ssh-keyscan -t rsa,dsa,ecdsa,ed25519 host.example.org | for i in -; do ssh-keygen -lv -E sha256 -f $i; done
  481.  
  482. ssh-keyscan -t rsa,dsa,ecdsa,ed25519 host.example.org | for i in -; do ssh-keygen -lv -E md5 -f $i; done
  483.  
  484. remote key without random art:
  485. one key:
  486. ssh-keyscan -t ecdsa host.example.org | ssh-keygen -lf -
  487. ssh-keyscan -t ecdsa host.example.org | ssh-keygen -lf - -E md5
  488.  
  489. all keys:
  490. sha256: ssh-keyscan -t rsa,dsa,ecdsa,ed25519 host.example.org | for i in -; do ssh-keygen -lf $i; done
  491.  
  492. md5: ssh-keyscan -t rsa,dsa,ecdsa,ed25519 host.example.org | for i in -; do ssh-keygen -lf $i -E md5; done
  493.  
  494. ---
  495.  
  496. Before you accept a server's public key fingerprint on first login, compare it with the one published by the server's administrator to avoid MITM (man-in-the-middle) attacks.
  497.  
  498. Some parameters that could be used while connecting:
  499. ssh -o FingerprintHash=sha256 host.example.org
  500. ssh -o FingerprintHash=md5 host.example.org
  501. ssh -o VisualHostKey=yes host.example.org
  502. ssh -o VisualHostKey=yes -o FingerprintHash=sha256 host.example.org
  503. ssh -o VisualHostKey=yes -o FingerprintHash=md5 host.example.org
  504.  
  505. detailed information:
  506. man ssh_config
  507.  
  508. ERRORS
  509. ------
  510. When there is an error message "Too many authentication failures" then:
  511. ssh -o IdentitiesOnly=yes -i ~/.ssh/key user@host
  512. OR (for GUI clients like file managers)
  513. ~/.ssh/config
  514. Host server
  515.   IdentityFile ~/.ssh/key
  516.   IdentitiesOnly yes
  517.   Port 22
  518.   User username
  519.   HostName server.ee
  520.  
  521. Authenticated with partial success.
  522. https://kb.globalscape.com/KnowledgebaseArticle10471.aspx
  523. connect using -vvv for debugging
  524.  
  525. Verification via DNS (SSHFP records)
  526. dig -t SSHFP host.example.org #check whether the domain publishes SSHFP records
  527. ssh -o VerifyHostKeyDNS=ask host.example.org #logging in
  528.  
  529. More reading:
  530. http://www.phcomp.co.uk/Tutorials/Unix-And-Linux/ssh-check-server-fingerprint.html
  531. https://superuser.com/questions/929566/sha256-ssh-fingerprint-given-by-the-client-but-only-md5-fingerprint-known-for-sex
  532. https://en.wikibooks.org/wiki/OpenSSH
  533. https://en.wikipedia.org/wiki/Public_key_fingerprint
  534.  
  535. ---
  536. Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
  537. https://www.digitalocean.com/community/questions/ssh-failed-permission-denied-publickey-gssapi-keyex-gssapi-with-mic
  538. chmod 600 ~/.ssh/authorized_keys
  539. ---
  540. sign_and_send_pubkey: signing failed: agent refused operation
  541. https://askubuntu.com/questions/762541/ubuntu-16-04-ssh-sign-and-send-pubkey-signing-failed-agent-refused-operation
  542. SSH_AUTH_SOCK=0 ssh -i ~/.ssh/key -o IdentitiesOnly=yes user@server.ee -p 15822 #using custom port
  543. ...also relogin will forget wrongly remembered key password
  544.  
  545. * * *
  546.  
  547. We can obtain the public keys provided by a server without logging into it by using the following command. There is usually more than one key provided to retain compatibility:
  548. ssh-keyscan <ip> #a hostname can be used too
  549.  
  550. hosts file location in different systems:
  551. https://en.wikipedia.org/wiki/Hosts_(file)#Location_in_the_file_system
  552.  
  553. If you would like to run graphical apps from remote server, use -X parameter:
  554. ssh -i ~/.ssh/keyfile -X user@IP
  555. ...replace keyfile with your keyfile name, user with your real username and IP with your real IP or domain name (if applicable)
  556.  
  557. If you generated the key pair with the default name and have no other keys, you do not need to specify the key file:
  558. ssh user@IP (or ssh -X user@IP in case you would like to run GUI apps from server)
  559. Specifying key file would be useful in case you have many (different) keys in ~/.ssh/ folder.
  560.  
  561. you can also create an alias to make it even easier:
  562. nano ~/.bash_aliases
  563. alias s1='ssh -i ~/.ssh/keyfile user@IP'
  564. alias s1-ping='ping IP'
  565. ... where 's1' is like 'server1' or whatever else describes the remote machine.
  566. ...replace keyfile with your keyfile name, user with your real username and IP with your real IP or domain name (if applicable)
  567.  
  568. then:
  569. source ~/.bash_aliases
  570.  
  571. .. and now you can type s1 and this alias will run the command(s) between the single quotes.
  572.  
  573. # # #
  574.  
  575. SSH Timeout (keepalive)
  576. -----------------------
  577. client side prevention
  578.  
  579. add to file ~/.ssh/config the following lines:
  580.  
  581. Host *
  582.     TCPKeepAlive yes
  583.     ServerAliveInterval 300
  584.     ServerAliveCountMax 2
  585.  
  586. These settings make the SSH client send a null packet to the server every 300 seconds (5 minutes) and give up if it gets no response after 2 tries, at which point the connection has most likely been dropped anyway.
  587.  
  588. Another option per server:
  589. ServerAliveInterval 120
  590. This will send a "null packet" every 120 seconds on your SSH connections to keep them alive.
  591.  
  592.  
  593. server side prevention
  594.  
  595. add to file /etc/ssh/sshd_config the following lines:
  596. TCPKeepAlive yes
  597. ClientAliveInterval 300
  598. ClientAliveCountMax 2
  599.  
These settings make the SSH server send a null packet to each client every 300 seconds (5 minutes) and disconnect a client that has not responded after 2 tries, at which point the connection has most likely been dropped anyway.

"TCPKeepAlive no" turns off only the TCP-level keepalive; the ClientAlive messages above are a separate mechanism sent inside the encrypted channel (see the man page excerpt below).

Restart the SSH server for the settings to take effect:
sudo service ssh restart

With ClientAliveInterval 30 and ClientAliveCountMax 240 the server would send the clients a “null packet” every 30 seconds and not disconnect them until a client has been unresponsive for 240 intervals (30 seconds * 240 = 7200 seconds = 2 hours).

Another option is to set these numbers a bit larger:
ClientAliveInterval 120
ClientAliveCountMax 720
every 120 seconds, and not disconnect them until a client has been unresponsive for 720 intervals (120 seconds * 720 = 86400 seconds = 24 hours).
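To see what a given set of ClientAlive settings actually does, here is an added Python audit (not part of the original notes) that reads an sshd_config fragment and computes when an unresponsive client is dropped. It applies the first-value-wins rule sshd uses for repeated keywords and the defaults quoted from the man page further below; the sample configs are constructed, and only the global section is examined (Match blocks are skipped, which is a simplification).

```python
# Added example (not from the original notes): audit the ClientAlive settings
# of an sshd_config fragment. The sample configs below are constructed.

# Defaults as documented in man sshd_config (quoted further below in these notes).
DEFAULTS = {"clientaliveinterval": "0", "clientalivecountmax": "3", "tcpkeepalive": "yes"}


def parse_global_keywords(config_text):
    """Return {keyword: value} for the global section of an sshd_config.

    sshd keeps the FIRST value it reads for a keyword, so later duplicates are
    ignored here too. Parsing stops at the first Match block, whose settings
    apply only conditionally (simplification: only the global section is audited).
    """
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()                 # drop comments and blank lines
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)    # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        seen.setdefault(key, value)
    return seen


def keepalive_summary(config_text):
    """Describe what the server does with a client that stops answering."""
    kw = parse_global_keywords(config_text)
    interval = int(kw.get("clientaliveinterval", DEFAULTS["clientaliveinterval"]))
    count = int(kw.get("clientalivecountmax", DEFAULTS["clientalivecountmax"]))
    tcp = kw.get("tcpkeepalive", DEFAULTS["tcpkeepalive"]).lower() == "yes"
    if interval == 0:
        disconnect_after = None      # interval 0: client alive messages are never sent
    elif count == 0:
        disconnect_after = None      # newer OpenSSH releases: count 0 means never disconnect
    else:
        disconnect_after = interval * count   # e.g. 300 s * 2 = 600 s
    return {"interval": interval, "count_max": count,
            "tcp_keepalive": tcp, "disconnect_after_seconds": disconnect_after}


# Constructed sample: the settings from the notes above, plus a duplicate that sshd ignores.
SAMPLE_SERVER = """\
TCPKeepAlive yes
ClientAliveInterval 300
ClientAliveCountMax 2
ClientAliveInterval 15   # ignored: the first value wins
Match User backup
    ClientAliveInterval 5  # conditional, not part of the global audit
"""

# Constructed sample with nothing set: defaults apply, so a dead client is only
# ever noticed through TCP keepalive, which the man page notes is spoofable.
SAMPLE_DEFAULT = "Port 22\n"

if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_SERVER), ("defaults", SAMPLE_DEFAULT)):
        print(name, keepalive_summary(cfg))
```

A value of None for disconnect_after_seconds is the case to look for when auditing a server: hung sessions will then never be cleaned up by the encrypted-channel mechanism.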
  613.  
  614. More information:
  615. man sshd_config #server side
  616.  
  617. TCPKeepAlive
  618.              Specifies whether the system should send TCP keepalive messages to the
  619.              other side.  If they are sent, death of the connection or crash of one of
             the machines will be properly noticed.  However, this means that
             connections will die if the route is down temporarily, and some people find it
  622.              annoying.  On the other hand, if TCP keepalives are not sent, sessions may
             hang indefinitely on the server, leaving “ghost” users and consuming
  624.              server resources.
  625.  
             The default is “yes” (to send TCP keepalive messages), and the server will
  627.              notice if the network goes down or the client host crashes.  This avoids
  628.              infinitely hanging sessions.
  629.  
             To disable TCP keepalive messages, the value should be set to “no”.
  631.  
  632.              This option was formerly called KeepAlive.
  633.  
  634. ClientAliveCountMax
  635.              Sets the number of client alive messages (see below) which may be sent
  636.              without sshd(8) receiving any messages back from the client.  If this
  637.              threshold is reached while client alive messages are being sent, sshd will
  638.              disconnect the client, terminating the session.  It is important to note
  639.              that the use of client alive messages is very different from TCPKeepAlive
  640.              (below).  The client alive messages are sent through the encrypted channel
  641.              and therefore will not be spoofable.  The TCP keepalive option enabled by
  642.              TCPKeepAlive is spoofable.  The client alive mechanism is valuable when
             the client or server depend on knowing when a connection has become
             inactive.
  645.  
  646.              The default value is 3.  If ClientAliveInterval (see below) is set to 15,
  647.              and ClientAliveCountMax is left at the default, unresponsive SSH clients
  648.              will be disconnected after approximately 45 seconds.
  649.  
  650. ClientAliveInterval
  651.              Sets a timeout interval in seconds after which if no data has been
  652.              received from the client, sshd(8) will send a message through the
  653.              encrypted channel to request a response from the client.  The default is
  654.              0, indicating that these messages will not be sent to the client.
  655.  
  656.  
  657. man ssh_config #client side
  658.  
  659. ServerAliveCountMax
  660.              Sets the number of server alive messages (see below) which may be sent without ssh(1) receiving any messages
  661.              back from the server.  If this threshold is reached while server alive messages are being sent, ssh will
  662.              disconnect from the server, terminating the session.  It is important to note that the use of server alive
  663.              messages is very different from TCPKeepAlive (below).  The server alive messages are sent through the
  664.              encrypted channel and therefore will not be spoofable.  The TCP keepalive option enabled by TCPKeepAlive is
             spoofable.  The server alive mechanism is valuable when the client or server depend on knowing when a
             connection has become inactive.
  667.  
  668.              The default value is 3.  If, for example, ServerAliveInterval (see below) is set to 15 and
  669.              ServerAliveCountMax is left at the default, if the server becomes unresponsive, ssh will disconnect after
  670.              approximately 45 seconds.
  671.  
ServerAliveInterval
             Sets a timeout interval in seconds after which if no data has been received from the server, ssh(1) will
             send a message through the encrypted channel to request a response from the server.  The default is 0,
             indicating that these messages will not be sent to the server, or 300 if the BatchMode option is set (Debian-
             specific).  ProtocolKeepAlives and SetupTimeOut are Debian-specific compatibility aliases for this option.
  677.  
  678. # # #
  679.  
  680. SSH Server reinstallation
  681. -------------------------
After a reinstallation of the OpenSSH server its host keys are replaced with new ones. The server keys can also be replaced manually, but this is not usually needed or done. The safest way is to ask the server administrator for the fingerprints of the new keys (all key types: DSA, ECDSA, Ed25519, RSA), which are listed on the server with:
  683. SHA256 format:
  684. for i in /etc/ssh/*.pub; do ssh-keygen -lf $i; done
  685.  
  686. MD5 format (for MS Windows):
  687. for i in /etc/ssh/*.pub; do ssh-keygen -lf $i -E md5; done
  688.  
If you cannot get the new fingerprints from the server admin, you can retrieve the key while logging in and compare the fingerprint from ssh-keyscan with the one ssh shows:
ssh-keyscan -t ecdsa server.address.ee | ssh-keygen -lv -f - && ssh -i ~/.ssh/key -o VisualHostKey=yes user@server.address.ee
... replace "ecdsa" with the algorithm offered while logging in.
... replace "server.address.ee" with the real server address or IP address
... replace "key" with the real SSH key file name
Note that both values arrive over the same network path, so this only shows that the same key is presented consistently; it does not replace a fingerprint obtained out of band from the administrator.
  694.  
  695. When trying to log in, the following warning message appears:
  696.  
  697. @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
  698. @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
  699. @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
  700. IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
  701. Someone could be eavesdropping on you right now (man-in-the-middle attack)!
  702. It is also possible that a host key has just been changed.
  703. The fingerprint for the ECDSA key sent by the remote host is
  704. SHA256:<hash>.
  705. Please contact your system administrator.
  706. Add correct host key in /home/user/.ssh/known_hosts to get rid of this message.
  707. Offending ECDSA key in /home/user/.ssh/known_hosts:1
  708.   remove with:
  709.   ssh-keygen -f "/home/user/.ssh/known_hosts" -R server.address.ee
  710. ECDSA host key for server.address.ee has changed and you have requested strict checking.
  711. Host key verification failed.
  712.  
  713. Now you can run the proposed command to remove all old keys of that host:
  714.   ssh-keygen -f "/home/user/.ssh/known_hosts" -R server.address.ee
  715.  
  716. Feedback comes as follows:
  717. # Host server.address.ee found: line 60
  718. /home/user/.ssh/known_hosts updated.
  719. Original contents retained as /home/user/.ssh/known_hosts.old
  720.  
  721. Now you can login again:
  722. Are you sure you want to continue connecting (yes/no)? yes
  723. Warning: Permanently added 'server.address.ee' (ECDSA) to the list of known hosts.
  724. Warning: the ECDSA host key for 'server.address.ee' differs from the key for the IP address 'xxx.xxx.xxx.xxx'
  725. Offending key for IP in /home/user/.ssh/known_hosts:10
  726. Are you sure you want to continue connecting (yes/no)? no
  727. Host key verification failed.
  728.  
This message says that line 10 of known_hosts still holds another key for the same host, stored under its IP address, and that the key for that IP has changed. The solution is to delete that 10th line and log in again:
sed -i '10d' ~/.ssh/known_hosts
.... or remove it manually (or with ssh-keygen -R, giving the IP address instead of the host name).
  732.  
  733. # # #
  734.  
  735. OpenSSH Server keys regeneration
  736. --------------------------------
  737. Following commands should be entered as superuser.
  738.  
  739. Firstly remove all current keys:
  740. rm /etc/ssh/ssh_host*
  741.  
  742. Then reconfigure OpenSSH server again:
  743. dpkg-reconfigure openssh-server
  744.  
If you need to regenerate server keys manually:
RSA1 (SSH protocol 1) - not suggested to use anymore, but if you really need it:
ssh-keygen -q -f /etc/ssh/ssh_host_key -N '' -t rsa1

Usual keys (DSA, ECDSA, Ed25519, RSA):
ssh-keygen -f /etc/ssh/ssh_host_dsa_key -N '' -t dsa #must be 1024 bits according to FIPS 186-2, see man ssh-keygen
ssh-keygen -f /etc/ssh/ssh_host_ecdsa_key -N '' -t ecdsa -b 521 #can be 256, 384 or 521 bits
ssh-keygen -f /etc/ssh/ssh_host_ed25519_key -N '' -t ed25519 #-b is ignored but -a can be used (default a=16)
ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N '' -t rsa #default 2048 bit, up to 16 384 bit, at least 4096 bit would be suggested but this may change in time
  754.  
  755. # # #
  756.  
  757. Ubuntu Firewall
  758. https://help.ubuntu.com/community/UFW, also gufw (GUI) is available for desktops.
  759. sudo ufw allow ssh #allow ssh
  760. sudo ufw enable #enable firewall
  761. sudo ufw status verbose #check status
  762.  
  763. sudo ufw disable #when needed, disable and enable again
  764.  
  765. # # #
  766.  
Change or set a passphrase for a key:
ssh-keygen -f ~/.ssh/keyfile -p -a 1000
... the -a value is the number of KDF rounds used to protect the private key with the passphrase; ensure it is 1000 (the default is 16), which makes offline guessing of the passphrase much slower
...replace keyfile with your keyfile name
  771.  
  772. # # #
  773.  
  774. Check SSH public keys strength
  775. ------------------------------
  776. for i in ~/.ssh/*.pub; do ssh-keygen -lf $i; done
  777.  
  778. checking just one key:
  779. ssh-keygen -lf ~/.ssh/keyfile
  780. ssh-keygen -lf ~/.ssh/keyfile.pub
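The fingerprint comparison from the server reinstallation section above and the key strength check here both come down to parsing the public key blob. The following added Python example (not code from the original notes) does what `ssh-keygen -lf` and `ssh-keygen -lf -E md5` print, using only the standard library: it decodes an authorized_keys, .pub or known_hosts line, computes the SHA256 and MD5 fingerprints in OpenSSH's notation, reports the key size (RSA modulus bits, curve size, 256 for Ed25519), and compares the key with a fingerprint obtained out of band. The two sample keys are constructed blobs, not real keys.

```python
import base64
import hashlib
import struct


def _read_string(blob, offset):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def parse_public_key_line(line):
    """Split an authorized_keys, .pub or known_hosts line into (type, blob, comment).

    known_hosts lines start with the host name (or a |1| hash of it); that
    field is skipped so the same parser serves both file types.
    """
    fields = line.split()
    if not fields[0].startswith(("ssh-", "ecdsa-", "sk-")):
        fields = fields[1:]
    key_type, b64 = fields[0], fields[1]
    return key_type, base64.b64decode(b64), " ".join(fields[2:])


def fingerprint_sha256(blob):
    """The format ssh-keygen -lf prints: SHA256:<base64 without '=' padding>."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(blob):
    """The format ssh-keygen -lf -E md5 prints (what many Windows clients show)."""
    hexdigest = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(hexdigest[i:i + 2] for i in range(0, 32, 2))


def key_bits(key_type, blob):
    """Size as ssh-keygen reports it: RSA modulus / DSA p bit length, curve size, 256 for Ed25519."""
    _, off = _read_string(blob, 0)                 # key type string repeated inside the blob
    if key_type == "ssh-rsa":
        _, off = _read_string(blob, off)           # public exponent e
        modulus, _ = _read_string(blob, off)       # modulus n (mpint)
        return int.from_bytes(modulus, "big").bit_length()
    if key_type == "ssh-dss":
        p, _ = _read_string(blob, off)
        return int.from_bytes(p, "big").bit_length()
    if key_type.startswith("ecdsa-sha2-nistp"):
        return int(key_type[len("ecdsa-sha2-nistp"):])
    if key_type == "ssh-ed25519":
        return 256
    raise ValueError("unsupported key type: " + key_type)


def describe(line):
    """What ssh-keygen -lf would show for this line, as a dict."""
    key_type, blob, comment = parse_public_key_line(line)
    return {"type": key_type, "bits": key_bits(key_type, blob), "comment": comment,
            "sha256": fingerprint_sha256(blob), "md5": fingerprint_md5(blob)}


def matches_expected(line, expected_fingerprint):
    """Compare a key line with a fingerprint obtained out of band, in either format."""
    _, blob, _ = parse_public_key_line(line)
    return expected_fingerprint in (fingerprint_sha256(blob), fingerprint_md5(blob))


# --- constructed sample keys (NOT real keys, just correctly encoded blobs) ---
def _build_blob(key_type, *fields):
    out = b""
    for field in (key_type.encode(),) + fields:
        out += struct.pack(">I", len(field)) + field
    return out


def _mpint(n):
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" + raw if raw[0] & 0x80 else raw    # leading zero keeps the mpint positive


SAMPLE_RSA = "ssh-rsa " + base64.b64encode(
    _build_blob("ssh-rsa", _mpint(65537), _mpint((1 << 2047) | 1))).decode() + " user@host"
SAMPLE_ED25519 = "server.address.ee ssh-ed25519 " + base64.b64encode(
    _build_blob("ssh-ed25519", bytes(32))).decode()

if __name__ == "__main__":
    for sample in (SAMPLE_RSA, SAMPLE_ED25519):
        d = describe(sample)
        print(d["bits"], d["sha256"], d["comment"], "(" + d["type"] + ")")
```

Run it against `cat ~/.ssh/known_hosts` lines or `/etc/ssh/*.pub` to get the same fingerprints ssh-keygen prints, and use matches_expected with the value the administrator gave you before answering the "Are you sure you want to continue connecting" prompt.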
  781.  
  782. # # #
  783.  
  784. Checking ssh client supported key algorithm types:
  785. ssh -Q key
  786. (more: man ssh)
  787.  
  788. # # #
  789.  
  790. SSH config file
  791. ---------------
  792. Host alias1 alias2 #replace with short name you prefer
  793.   IdentityFile ~/.ssh/keyfile
  794.   IdentitiesOnly yes
  795.   Port 22
  796.   User user #replace with real username used to log in
  797.   HostName host.com #replace with real hostname or IP
  798.  
  799. then you can connect:
  800. ssh alias1
  801. ssh alias2
  802. etc
  803.  
  804. More reading:
  805. man ssh_config
  806. http://nerderati.com/2011/03/17/simplify-your-life-with-an-ssh-config-file/
  807. https://www.startpage.com/do/search?q=ssh+config
  808.  
  809. # # #
  810.  
  811. SSH agent
  812. ---------
  813. https://wiki.archlinux.org/index.php/SSH_keys#SSH_agents
  814.  
To make all ssh clients, including git, store keys in the agent on first use, add the configuration setting AddKeysToAgent yes to ~/.ssh/config.
  816.  
  817. Add service:
  818. ~/.config/systemd/user/ssh-agent.service
  819. [Unit]
  820. Description=SSH key agent
  821.  
  822. [Service]
  823. Type=simple
  824. Environment=SSH_AUTH_SOCK=%t/ssh-agent.socket
  825. ExecStart=/usr/bin/ssh-agent -D -a $SSH_AUTH_SOCK
  826.  
  827. [Install]
  828. WantedBy=default.target
  829.  
  830. ' ' '
  831. Add SSH_AUTH_SOCK DEFAULT="${XDG_RUNTIME_DIR}/ssh-agent.socket" to ~/.pam_environment.
  832.  
  833. ' ' '
  834. systemctl --user enable ssh-agent.service
  835.  
  836. * * *
  837.  
  838. In order to start the agent automatically and make sure that only one ssh-agent process runs at a time, add the following to your ~/.bashrc:
  839. if ! pgrep -u "$USER" ssh-agent > /dev/null; then
  840.     ssh-agent > ~/.ssh-agent-thing
  841. fi
  842. if [[ "$SSH_AGENT_PID" == "" ]]; then
  843.     eval "$(<~/.ssh-agent-thing)"
  844. fi
  845.  
  846. ---
  847. https://mm0hai.net/blog/2016/11/28/ssh-agent-gnome-keyring-ubuntu.html
  848.  
  849.  
  850. * * *
  851.  
  852. If you have just one key or all with default names then just run:
  853. ssh-add
  854.  
If your keys have custom names, point the agent at all of them manually:
ssh-add ~/.ssh/id_rsa ~/.ssh/id_rsa_legacy ~/.ssh/id_ed25519

A validity period can also be specified, after which the agent forgets the key:
ssh-add -t 1h30m ~/.ssh/ed25519
Identity added: ~/.ssh/ed25519 (/home/user/.ssh/ed25519)
Lifetime set to 5400 seconds
  862.  
  863. List currently added keys:
  864. ssh-add -l
  865.  
  866. One example of GUI agent for desktops:
  867. sudo apt update && sudo apt install seahorse && sudo apt clean
Application name is also "Passwords and keys" (Paroolid ja võtmed)
  869.  
  870. Specify key file per server:
  871. To facilitate logging in, you can specify a key file and other data:
  872. in ~/.ssh/config in Linux or %userprofile%\.ssh\config in Windows:
  873. host <ip> <name> #multiple names separate with space
  874.         user student
  875.         IdentityFile ~/.ssh/keyfile #or %userprofile%\.ssh\keyfile
  876.  
  877. https://wiki.archlinux.org/index.php/SSH_keys#SSH_agents
  878. https://unix.stackexchange.com/questions/48863/ssh-add-complains-could-not-open-a-connection-to-your-authentication-agent
  879. http://stackoverflow.com/questions/3466626/add-private-key-permanently-with-ssh-add-on-ubuntu
  880. https://wiki.archlinux.org/index.php/SSH_keys#Keychain
  881.  
  882. sudo apt update && sudo apt install keychain -y && sudo apt clean
  883.  
  884. add to ~/.profile (or ~/.bash_profile):
  885. eval $(keychain --eval --quiet --confhost keyfile1 keyfile2 keyfile3)
  886.  
the --eval switch outputs lines to be evaluated by the enclosing eval command; this sets the environment variables the SSH client needs to find your agent.
--quiet limits output to warnings, errors, and user prompts. Multiple keys can be specified on the command line, as shown in the example. By default keychain looks for key pairs in the ~/.ssh/ directory, but an absolute path can be used for keys in a non-standard location. You may also use the --confhost option to make keychain look in ~/.ssh/config for IdentityFile settings defined for particular hosts and use those paths to locate keys. Because keychain reuses the same ssh-agent process on successive logins, you should not have to enter your passphrase the next time you log in or open a new terminal. You will only be prompted for your passphrase once each time the machine is rebooted.
  889.  
  890. # # #
  891.  
  892. Too many authentication failures
  893. --------------------------------
  894. http://superuser.com/questions/187779/too-many-authentication-failures-for-username
  895. To prevent irrelevant keys from being offered, you have to explicitly specify this in every host entry in the ~/.ssh/config file by adding IdentitiesOnly like so:
  896.  
  897. host <ip> <name> #multiple names separate with space
  898.   IdentityFile ~/.ssh/key_for_somehost
  899.   IdentitiesOnly yes
  900.   Port 22
  901.  
  902. If you use the ssh-agent, it helps to run ssh-add -D to clear the identities.
  903.  
If you are not using any ssh host configuration, you have to explicitly specify the correct key in the ssh command like so:

ssh -i some_id -o IdentitiesOnly=yes user@IP
Note: the option may also be written in quotes ('IdentitiesOnly=yes'); they are optional here. ssh takes only user@host (the user@IP:/path/ form belongs to scp).
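Both the SSH config file section above and this one depend on how ssh picks settings for a host: it walks ~/.ssh/config top to bottom, keeps the first value it sees for each keyword, and collects every matching IdentityFile, which is exactly why a catch-all Host * entry can push a connection over the server's authentication attempt limit. The following added Python example (not code from the original notes or from OpenSSH) reproduces that resolution for a constructed sample config and prints the equivalent explicit ssh command with IdentitiesOnly=yes. Pattern negation (!pattern) is not handled, which is an assumption of this example.

```python
import fnmatch

# Constructed sample ~/.ssh/config (not a real configuration): the alias block
# from the notes plus a wildcard block and a catch-all Host * block.
SAMPLE_CONFIG = """\
Host alias1 alias2   # short names you prefer
  IdentityFile ~/.ssh/keyfile
  IdentitiesOnly yes
  Port 22
  User user
  HostName host.com

Host *.example.ee
  User student
  IdentityFile ~/.ssh/key_for_somehost

Host *
  ServerAliveInterval 120
  IdentityFile ~/.ssh/id_ed25519
"""


def parse_ssh_config(text):
    """Return [(host_patterns, settings), ...] in file order.

    IdentityFile is special: ssh collects every matching IdentityFile and offers
    all of them, which is what triggers "Too many authentication failures".
    """
    blocks = []
    patterns, settings = ["*"], {}      # anything before the first Host line is global
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            blocks.append((patterns, settings))
            patterns, settings = value.split(), {}
        elif key == "identityfile":
            settings.setdefault(key, []).append(value)
        else:
            settings.setdefault(key, value)   # within a block the first value wins
    blocks.append((patterns, settings))
    return blocks


def resolve(text, host):
    """Mimic ssh(1): walk the blocks in order, keeping the FIRST value seen per keyword.

    Host patterns are matched against the name typed on the command line, before
    HostName is applied. fnmatch handles the * and ? wildcards (assumption: the
    negation form !pattern is not handled here).
    """
    resolved = {}
    for patterns, settings in parse_ssh_config(text):
        if not any(fnmatch.fnmatchcase(host, p) for p in patterns):
            continue
        for key, value in settings.items():
            if key == "identityfile":
                resolved.setdefault(key, []).extend(value)
            else:
                resolved.setdefault(key, value)
    resolved.setdefault("hostname", host)
    return resolved


def ssh_command(text, host):
    """Equivalent explicit command line that offers only the configured key(s)."""
    r = resolve(text, host)
    argv = ["ssh"]
    for key_file in r.get("identityfile", []):
        argv += ["-i", key_file]
    if r.get("identityfile"):
        argv += ["-o", "IdentitiesOnly=yes"]   # the fix recommended in the notes above
    if "port" in r:
        argv += ["-p", r["port"]]
    target = r["hostname"]
    if "user" in r:
        target = r["user"] + "@" + target
    return argv + [target]


if __name__ == "__main__":
    for name in ("alias1", "web.example.ee", "other"):
        print(name, "->", " ".join(ssh_command(SAMPLE_CONFIG, name)))
```

Note that even alias1, which has its own IdentityFile, also picks up ~/.ssh/id_ed25519 from the Host * block; without IdentitiesOnly both keys (and every key held by the agent) would be offered.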
  912.  
  913. # # #
  914.  
  915. Keys security
  916. -------------
It is always good to enforce strict permissions:
chmod 700 ~/.ssh/
chmod 600 ~/.ssh/*

This applies to both the client and the server machine (on the server, sshd with the default StrictModes yes refuses public key login when the user's home directory or key files are writable by others).
  922.  
  923. http://unix.stackexchange.com/questions/36540/why-am-i-still-getting-a-password-prompt-with-ssh-with-public-key-authentication
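Rather than blindly running chmod every minute, it is useful to be able to report which entries are actually too open. The following added Python example (not code from the original notes) audits a .ssh directory against the 700/600 rule above, accepting stricter modes such as 0400 on a private key, and then applies the same fix; it builds a constructed .ssh directory with deliberately loose modes in a temporary location so it runs offline.

```python
import os
import stat
import tempfile

# Modes the notes recommend: 700 for ~/.ssh itself, 600 for everything inside it.
EXPECTED_DIR_MODE = 0o700
EXPECTED_FILE_MODE = 0o600


def check_ssh_dir(ssh_dir):
    """Return [(path, actual_mode, expected_mode), ...] for entries that are too open.

    An entry is reported when any permission bit is set that the expected mode
    lacks; a stricter mode (e.g. 0400 on a private key) is accepted.
    """
    problems = []

    def check(path, expected):
        actual = stat.S_IMODE(os.lstat(path).st_mode)
        if actual & ~expected:
            problems.append((path, actual, expected))

    check(ssh_dir, EXPECTED_DIR_MODE)
    for name in sorted(os.listdir(ssh_dir)):
        path = os.path.join(ssh_dir, name)
        if os.path.isdir(path) and not os.path.islink(path):
            check(path, EXPECTED_DIR_MODE)     # a subdirectory needs 700, not 600
        else:
            check(path, EXPECTED_FILE_MODE)
    return problems


def fix_ssh_dir(ssh_dir):
    """Apply the same chmod 700 / chmod 600 the notes suggest running from cron."""
    os.chmod(ssh_dir, EXPECTED_DIR_MODE)
    for name in os.listdir(ssh_dir):
        path = os.path.join(ssh_dir, name)
        if os.path.islink(path):
            continue
        os.chmod(path, EXPECTED_DIR_MODE if os.path.isdir(path) else EXPECTED_FILE_MODE)


def demo():
    """Constructed ~/.ssh in a temp dir with loose modes: audit, fix, audit again."""
    with tempfile.TemporaryDirectory() as tmp:
        ssh_dir = os.path.join(tmp, ".ssh")
        os.mkdir(ssh_dir)
        os.chmod(ssh_dir, 0o755)                      # too open: others can list it
        for name, mode in (("id_ed25519", 0o644),     # private key readable by everyone
                           ("id_ed25519.pub", 0o644),
                           ("authorized_keys", 0o600),
                           ("config", 0o400)):        # stricter than 600 is fine
            with open(os.path.join(ssh_dir, name), "w") as fh:
                fh.write("constructed sample, not a real key\n")
            os.chmod(os.path.join(ssh_dir, name), mode)
        before = [os.path.basename(p) for p, _, _ in check_ssh_dir(ssh_dir)]
        fix_ssh_dir(ssh_dir)
        after = [os.path.basename(p) for p, _, _ in check_ssh_dir(ssh_dir)]
        return before, after


if __name__ == "__main__":
    print(demo())   # (['.ssh', 'id_ed25519', 'id_ed25519.pub'], [])
```

To audit a real account, call check_ssh_dir(os.path.expanduser("~/.ssh")) and act only on what it reports; that keeps a read-only key at 0400 instead of loosening it to 0600.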
  924.  
CRON
You can automate setting the correct permissions using scheduled tasks in UNIX-like systems - CRON.
You can create a bash alias in the ~/.bash_aliases file:
alias cron='EDITOR=nano crontab -e'
Also run source ~/.bash_aliases so the alias takes effect immediately without logging out or reopening the terminal.
Then run that alias and it will open the crontab file:
  931. SHELL=/bin/sh
  932. PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
  933. MAILTO=""
  934.  
  935. * * * * *       chmod 700 ~/.ssh/ && chmod 600 ~/.ssh/*
... this will run every minute (note that chmod 600 ~/.ssh/* also applies to any subdirectory of ~/.ssh/, which would then need 700 again)...
  937. more about generating CRON:
  938. http://crontab-generator.org/
  939. http://www.cronmaker.com/
  940. https://crontab.guru/ - quick and simple
  941.  
  942. # # #
  943.  
  944. Check whether your CPU supports Intel AES-NI.
  945. ---------------------------------------------
  946. More information about AES-NI - https://software.intel.com/en-us/articles/intel-advanced-encryption-standard-instructions-aes-ni
  947. http://stackoverflow.com/questions/25284119/how-can-i-check-if-openssl-is-support-use-the-intel-aes-ni
  948.  
  949. grep -m1 -o aes /proc/cpuinfo
  950.  
  951. cpuid | grep -i aes | sort | uniq
  952.  
  953. ... is module loaded:
  954. sort -u /proc/crypto | grep module
  955.  
  956. # # #
  957.  
  958. 2 factor authentication
  959. -----------------------
  960. http://www.linuxjournal.com/content/two-factors-are-better-one
  961.  
  962. # # #
  963.  
  964. Passwords on key file
  965. ---------------------
  966. https://security.stackexchange.com/questions/129724/how-to-check-if-an-ssh-private-key-has-passphrase-or-not
  967.  
  968. ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]
  969.  
removing the passphrase:
ssh-keygen -p -f id_rsa
2x Enter (after giving the old passphrase, leave the new one empty both times)

check whether a passphrase is set:

protected key:
~/.ssh$ ssh-keygen -p -f id_rsa_password_protected
Enter old passphrase:


And an unprotected one:

~/.ssh$ ssh-keygen -p -f id_rsa_not_protected
Enter new passphrase (empty for no passphrase):
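The ssh-keygen prompt trick above works interactively; when you want to check many key files in a script, the answer can be read from the file header itself. An added Python example (not code from the original notes): in the openssh-key-v1 format the cipher and KDF names are stored unencrypted in front of the key material, so "none" means no passphrase and "aes256-ctr"/"bcrypt" means protected (the bcrypt rounds are the -a value discussed earlier); legacy PEM keys carry a Proc-Type: 4,ENCRYPTED header instead. The sample files are constructed headers with no real key material.

```python
import base64
import struct

AUTH_MAGIC = b"openssh-key-v1\x00"


def _string(blob, off):
    """Read one SSH wire-format string (uint32 length + bytes)."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n


def private_key_info(pem_text):
    """Report format, whether a passphrase is set, cipher, KDF and rounds, without the passphrase."""
    lines = [l.strip() for l in pem_text.strip().splitlines()]
    header = lines[0]
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(AUTH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _string(blob, len(AUTH_MAGIC))
        kdf, off = _string(blob, off)
        kdfoptions, off = _string(blob, off)
        rounds = None
        if kdf == b"bcrypt":                      # kdfoptions = string salt, uint32 rounds
            _, o = _string(kdfoptions, 0)
            (rounds,) = struct.unpack(">I", kdfoptions[o:o + 4])
        return {"format": "openssh-key-v1", "encrypted": cipher != b"none",
                "cipher": cipher.decode(), "kdf": kdf.decode(), "rounds": rounds}
    if header.startswith("-----BEGIN ") and header.endswith(" PRIVATE KEY-----"):
        encrypted = any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines[1:])
        dek = next((l.split(":", 1)[1].strip() for l in lines[1:] if l.startswith("DEK-Info:")), None)
        return {"format": "pem", "encrypted": encrypted,
                "cipher": dek.split(",")[0] if dek else "none",
                "kdf": "openssl EVP_BytesToKey" if encrypted else "none", "rounds": None}
    raise ValueError("not a recognised private key file")


# --- constructed samples: valid headers, no real key material ---
def _build_openssh_key(cipher, kdf, kdfoptions=b""):
    def s(b):
        return struct.pack(">I", len(b)) + b
    body = AUTH_MAGIC + s(cipher) + s(kdf) + s(kdfoptions) + struct.pack(">I", 1) + s(b"") + s(b"")
    b64 = base64.b64encode(body).decode()
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n" + wrapped + "\n-----END OPENSSH PRIVATE KEY-----\n"


SAMPLE_UNPROTECTED = _build_openssh_key(b"none", b"none")
SAMPLE_PROTECTED = _build_openssh_key(
    b"aes256-ctr", b"bcrypt", struct.pack(">I", 16) + bytes(16) + struct.pack(">I", 16))
SAMPLE_PEM_PROTECTED = """\
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

QUJDREVGR0g=
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for name, text in (("unprotected", SAMPLE_UNPROTECTED), ("protected", SAMPLE_PROTECTED),
                       ("pem", SAMPLE_PEM_PROTECTED)):
        print(name, private_key_info(text))
```

To scan a real directory, read each ~/.ssh/* file that is not a .pub and pass its text to private_key_info; an "encrypted": False result is the key to fix with ssh-keygen -p -a 1000.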
  985.  
  986. # # #
  987.  
  988. Running commands over SSH
  989. -------------------------
usually possible with:
ssh -i ~/.ssh/keyfile user@IP 'command1 && command2 && etc'
when running just one command, the quotes are not required
in that way you can run simple (viewing) commands
the output of the command(s) is shown locally, on the client machine where the command was issued
  995.  
  996. GUI commands
  997. By default in file /etc/ssh/sshd_config is written: X11Forwarding yes
  998. ... so the GUI apps are allowed to run.
  999.  
  1000. If you would like to run graphical apps from remote server, use -X parameter:
  1001. ssh -i ~/.ssh/keyfile -X user@IP
  1002. ...replace keyfile with your keyfile name, user with your real username and IP with your real IP or domain name (if applicable)
  1003.  
  1004. CLI commands
  1005. Below are examples with root user. You can replace root with any other user (e.g. student) in order to run the command as different user.
  1006.  
When the authorized_keys file is also copied to the superuser (with the strict permissions from the Keys security section), management commands that require an interactive shell can be run as root as well:
sudo mkdir -m 700 /root/.ssh && sudo cp /home/student/.ssh/authorized_keys /root/.ssh/ && sudo chmod 600 /root/.ssh/authorized_keys

The -t parameter forces pseudo-terminal allocation. This can be used to execute arbitrary screen-based programs on a remote machine; basically it means running commands that require an interactive shell.

ssh -t -i ~/.ssh/keyfile root@server 'TERM=$TERM DEBIAN_FRONTEND=dialog apt update && apt full-upgrade && apt clean' #the suggested default form
  1013.  
  1014. some other options:
  1015. ssh -t -i ~/.ssh/keyfile root@server 'DEBIAN_FRONTEND=readline mc'
  1016. or also:
  1017. ssh -t -i ~/.ssh/keyfile root@server 'DEBIAN_FRONTEND=editor EDITOR=nano mc'
  1018.  
  1019. in such way also apps can be run:
  1020. ssh -t -i ~/.ssh/keyfile root@server 'DEBIAN_FRONTEND=editor EDITOR=nano editor /etc/sysctl.conf'
  1021. ssh -t -i ~/.ssh/keyfile student@server 'DEBIAN_FRONTEND=readline mc'
  1022.  
you can also run a whole shell (e.g. bash), but then logging in over SSH directly would be the better choice:
  1024. ssh -t -i ~/.ssh/keyfile root@server 'TERM=$TERM DEBIAN_FRONTEND=dialog bash'
  1025.  
  1026. more reading:
  1027. https://askubuntu.com/questions/506158/unable-to-initialize-frontend-dialog-when-using-ssh
  1028. https://unix.stackexchange.com/questions/87405/how-can-i-execute-local-script-on-remote-machine-and-include-arguments
  1029. http://stackoverflow.com/questions/7114990/pseudo-terminal-will-not-be-allocated-because-stdin-is-not-a-terminal
  1030. https://askubuntu.com/questions/640960/running-command-on-remote-host-by-ssh-fails-when-running-inside-script
  1031.  
  1032. # # #
  1033.  
  1034. NoMachine NX
  1035. ------------
  1036. About the program - https://www.nomachine.com
  1037.  
  1038. From Ubuntu side
  1039. https://help.ubuntu.com/community/NomachineNX
  1040. https://help.ubuntu.com/community/FreeNX
  1041.  
Usually you generate a new key pair using ssh-keygen.
  1043. You can use also NX to generate key pair - https://www.nomachine.com/AR01C00126
  1044.  
  1045. How to set up key based authentication with NX protocol
  1046. https://www.nomachine.com/AR02L00785
  1047. cat ~/.ssh/keyfile.pub >> ~/.nx/config/authorized.crt
  1048.  
  1049. ... replace keyfile.pub with your keyfile.
  1050.  
  1051. Some references:
  1052. How authentication by SSH and 'NoMachine login' works
  1053. https://www.nomachine.com/AR02C00150
  1054. search: https://www.nomachine.com/articles?keys=ssh+key
  1055.  
  1056. # # #
  1057.  
  1058. Key conversion
  1059. --------------
  1060. MS Windows (puTTY) -> GNU/Linux (OpenSSH)
  1061. http://stackoverflow.com/questions/2224066/how-to-convert-ssh-keypairs-generated-using-puttygenwindows-into-key-pairs-use
  1062. http://linux-sxs.org/networking/openssh.putty.html
  1063. http://www.wellsi.com/sme/ssh/ssh.html
  1064. https://help.cloudforge.com/hc/en-us/articles/215242303-Converting-PuTTY-private-keys-to-OpenSSH-format
  1065. https://docs.oseems.com/general/application/putty/convert-ppk-to-ssh-key
  1066. https://tutorialinux.com/convert-ssh2-openssh/
  1067. https://superuser.com/questions/232362/how-to-convert-ppk-key-to-openssh-key-under-linux
  1068.  
  1069. Copy ssh-keygen generated key pair from Linux into MS Windows, e.g. ~/.ssh/ from Linux to MS Windows as %USERPROFILE%\.ssh\
  1070. Ensure that public key of that key pair is at server in ~/.ssh/authorized_keys file
  1071.  
You need the latest version of puTTY in order to support Ed25519 keys
  1073. http://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html
  1074.  
  1075. 32-bit https://the.earth.li/~sgtatham/putty/latest/w32/putty.zip
  1076. 64-bit https://the.earth.li/~sgtatham/putty/latest/w64/putty.zip
  1077.  
  1078. Use the latest puTTY or WinSCP to convert in Linux generated private key into puTTY .ppk format and save it under new name:
  1079. https://superuser.com/questions/1160544/winscp-authentication-with-an-openssh-created-ed25519-non-ppk-private-key-po
  1080.  
  1081. In WinSCP use the Advanced settings dialog to browse ssh-keygen generated private key file:
  1082. https://winscp.net/eng/docs/ui_login_authentication
  1083.  
  1084. puTTY docs https://tartarus.org/~simon/putty-snapshots/htmldoc/
  1085. WinSCP docs https://winscp.net/eng/docs/start
  1086.  
  1087. Settings are stored:
  1088. http://stackoverflow.com/questions/13012700/where-does-putty-stores-its-sessions
  1089. HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions
  1090.  
  1091. WinSCP - https://winscp.net/eng/docs/session_configuration
  1092.  
  1093. create puTTY icon that launches automatically selected profile
  1094. https://superuser.com/questions/248099/a-putty-shortcut-that-automatically-launches-a-profile
  1095. create a shortcut to puTTY with Target:
  1096. \path\to\putty.exe -load "my session"
  1097.  
  1098. Key conversion in Linux: from puTTY to OpenSSH
  1099. ----------------------------------------------
Only needed when puTTY or a similar client is used.
When using OpenSSH on both Linux and Windows, key conversion is not needed.
  1102.  
  1103. sudo apt update && sudo apt install putty putty-tools -y && sudo apt clean
  1104.  
  1105. private key conversion:
  1106. puttygen keyfile.ppk -O private-openssh -o keyfile
  1107.  
  1108. public key conversion
  1109. puttygen keyfile.ppk -O public-openssh -o keyfile.pub
  1110.  
  1111. To add the OpenSSH-format public half of a key to your authorised keys file:
  1112. puttygen -L keyfile.ppk >> $HOME/.ssh/authorized_keys
  1113.  
  1114. please see also man puttygen examples
  1115.  
  1116. from OpenSSH to puTTY
  1117. ---------------------
  1118. puttygen keyfile -o keyfile.ppk
  1119. ... this assumes that keyfile.pub is located in same ~/.ssh/ folder together with private key
  1120.  
  1121. # # #
  1122.  
  1123. PEM format
  1124.  
  1125. 1st option
  1126. generate directly:
  1127. ssh-keygen -m PEM -t rsa -b 16384
  1128.  
  1129. 2nd option
  1130. convert key pair from OpenSSH to puTTY format
  1131. puttygen keyfile -o keyfile.ppk
  1132. then private and public separately back to OpenSSH format
  1133. puttygen keyfile.ppk -O private-openssh -o keyfile
  1134. puttygen keyfile.ppk -O public-openssh -o keyfile.pub
  1135.  
  1136. 3rd option
  1137. ssh-keygen
  1138.  
  1139. man ssh-keygen
  1140. ssh-keygen -f rsa.pub -e -m pem
  1141.  
     -e      This option will read a private or public OpenSSH key file and print to stdout the key in one of the formats
             specified by the -m option.  The default export format is “RFC4716”.  This option allows exporting OpenSSH keys for use
             by other programs, including several commercial SSH implementations.

     -m key_format
             Specify a key format for the -i (import) or -e (export) conversion options.  The supported key formats are:
             “RFC4716” (RFC 4716/SSH2 public or private key), “PKCS8” (PEM PKCS8 public key) or “PEM” (PEM public key).  The
             default conversion format is “RFC4716”.
  1150.  
  1151. # # #
  1152.  
  1153. MS Windows OpenSSH Server
  1154. https://github.com/PowerShell/Win32-OpenSSH/releases/
  1155. unpack to C:\Program Files\OpenSSH
  1156.  
  1157. install (open cmd as administrator):
  1158. https://github.com/PowerShell/Win32-OpenSSH/wiki/Install-Win32-OpenSSH
  1159. https://winscp.net/eng/docs/guide_windows_openssh_server
  1160.  
  1161. Add bash-like CLI to Windows
  1162. -----------------------------
  1163. http://mridgers.github.io/clink/ - download and install.
it can also be installed manually with:
  1165. clink autorun --install
  1166.  
  1167. Autocomplete can be added also from registry:
  1168. http://www.online-tech-tips.com/computer-tips/how-to-turn-on-auto-complete-in-the-command-prompt/
  1169. ---
  1170. Runas command in MS Windows:
  1171. http://stackoverflow.com/questions/8249705/how-to-run-an-application-as-run-as-administrator-from-the-command-prompt
  1172. https://ss64.com/nt/runas.html
  1173.  
  1174. From a command prompt:
  1175. runas /user:<localmachinename>\administrator cmd
  1176.  
  1177. Or, if you're connected to a domain:
  1178. runas /user:<DomainName>\<AdministratorAccountName> cmd
  1179.  
  1180. SUDO for Windows:
  1181. https://serverfault.com/questions/7620/windows-run-as-without-knowing-the-password
  1182. http://helpdeskgeek.com/free-tools-review/5-windows-alternatives-linux-sudo-command/
  1183. https://social.technet.microsoft.com/Forums/windows/en-US/05cce5f6-3c3a-4bb8-8b72-8c1ce4b5eff1/how-to-run-a-program-as-adminitrator-via-the-command-line
  1184. create a file %systemroot%\system32\SUDO.cmd
  1185. @echo Set objShell = CreateObject("Shell.Application") > %temp%\sudo.tmp.vbs
  1186. @echo args = Right("%*", (Len("%*") - Len("%1"))) >> %temp%\sudo.tmp.vbs
  1187. @echo objShell.ShellExecute "%1", args, "", "runas" >> %temp%\sudo.tmp.vbs
  1188. @cscript %temp%\sudo.tmp.vbs
  1189.  
  1190. IP-alias
  1191. --------
  1192. https://en.wikipedia.org/wiki/Hosts_(file)#Location_in_the_file_system
add the remote host's IP to the hosts file.
  1194. open Notepad as administrator
  1195. %SystemRoot%\System32\drivers\etc\hosts
  1196. 172.16.10.2 server #add IP and corresponding alias or aliases by separating them with spaces
  1197.  
  1198. later view:
  1199. http://stackoverflow.com/questions/17217476/how-to-display-text-file-content-in-cmd
  1200. type c:\Windows\System32\drivers\etc\hosts #like cat
  1201. more c:\Windows\System32\drivers\etc\hosts #like less
  1202. alternatively:
  1203. type %systemroot%\System32\drivers\etc\hosts
  1204.  
  1205. https://superuser.com/questions/300815/grep-equivalent-for-windows-7
findstr is the grep equivalent on MS Windows
  1207. dir | findstr filename
  1208. type %systemroot%\System32\drivers\etc\hosts | findstr <search-string>
  1209.  
  1210. SSH keyfile configuration in MS Windows
  1211. ---------------------------------------
  1212. To facilitate logging in, you can specify a key file and other data:
  1213. in %userprofile%\.ssh\config:
  1214. host www.somehost.com (or IP)
  1215.         user student
  1216.         IdentityFile %userprofile%\.ssh\keyfile
  1217.  
  1218.  
  1219. Command alias in MS Windows
  1220. ---------------------------
  1221. http://stackoverflow.com/questions/20530996/aliases-in-windows-command-prompt
  1222.  
  1223. Create a folder called C:\aliases
  1224. Add %systemdrive%\aliases to your path (so any files in it will be found every time)
  1225. Create a .bat file in C:\Aliases for each of the aliases you want
  1226.  
  1227. %systemdrive%\aliases\np.bat
  1228. @echo off
  1229. notepad++.exe %1
  1230.  
%systemdrive%\aliases\server.bat
@echo off
rem TERM is required when you want to run mc, nano etc over ssh (a # comment on the set line would become part of the value)
set TERM=xterm-color
ssh student@server
  1235.  
this requires that the IP alias "server" and the SSH keyfile configuration have been created beforehand
  1237.  
  1238. Error message: "TERM environment variable unset!" (trying to run mc, nano etc)
  1239. https://superuser.com/questions/495554/term-enviroment-variable-not-set-when-executing-a-bash-file-via-ssh
  1240. https://unix.stackexchange.com/questions/198794/where-does-the-term-environment-variable-default-get-set
  1241. ---
  1242. yet another almost true bash terminal for MS Windows https://github.com/cmderdev/cmder
  1243. https://github.com/cmderdev/cmder/releases/ (unpacked: ~240 MB, has UNIX commands)
  1244. see also:
  1245. aliases not working build 1703:
  1246. https://github.com/cmderdev/cmder/issues/1361
  1247. https://github.com/cmderdev/cmder/issues/1325
  1248. alternatives
  1249. http://alternativeto.net/software/cmder/?license=opensource&platform=windows
  1250. https://github.com/cbucher/console/releases - ConsoleZ (unpacked: ~18MB)
  1251.  
  1252. ---
  1253.  
  1254. Turn Windows firewall off for testing purposes whenever needed, and back on afterwards; for anything that stays in use, add a rule for 22/tcp only (see Firewall below) instead of disabling the firewall.
  1255.  
  1256. Add OpenSSH path to MS Windows environment variable
  1257. ------------------------------------------------
  1258. http://stackoverflow.com/questions/9546324/adding-directory-to-path-environment-variable-in-windows
  1259. https://ss64.com/nt/syntax-variables.html
  1260. "My Computer" > "Properties" > "Advanced" > "Environment Variables" > "Path"
  1261. or
  1262. Super+R
  1263. systempropertiesadvanced
  1264.  
  1265. Environment Variables...
  1266. System Variables -> Path -> Edit...
  1267. New
  1268. %ProgramFiles%\OpenSSH
  1269. OK->OK->OK
  1270. reopen terminal (cmd)
  1271. path #check whether new path has loaded
  1272.  
  1273. view current environment variables in MS Windows:
  1274. set
  1275. set | more #view one page at a time
  1276. set > output.txt #redirect into file
  1277. set <variable name> #view only one variable
  1278. echo %variable% #view only one variable
  1279.  
  1280. http://stackoverflow.com/questions/5327495/list-all-environment-variables-from-command-line
  1281. https://superuser.com/questions/341192/how-can-i-display-the-contents-of-an-environment-variable-from-the-command-promp
  1282. ---
  1283.  
  1284. OpenSSH installation in Windows
  1285.  
  1286. RunAs administrator cmd
  1287. cd %programfiles%\OpenSSH
  1288. powershell.exe -ExecutionPolicy Bypass -File install-sshd.ps1 #install
  1289.  
  1290. successful messages by system:
  1291. [SC] SetServiceObjectSecurity SUCCESS
  1292. [SC] ChangeServiceConfig SUCCESS
  1293. sshd and ssh-agent services successfully installed
  1294.  
  1295. ssh-keygen.exe -A #generate keys
  1296. message:
  1297. ssh-keygen.exe: generating new host keys: RSA DSA ECDSA ED25519 (DSA host keys are disabled by default since OpenSSH 7.0; that key can be ignored)
  1298.  
  1299. Computer Management->Services #run as administrator
  1300. sshd #automatic
  1301. ssh-agent #automatic
  1302.  
  1303. download https://technet.microsoft.com/en-us/sysinternals/pstools
  1304.  
  1305. cmd #run as administrator
  1306. cd %programfiles%\PSTools\
  1307. psexec.exe -i -s cmd.exe # run as SYSTEM user
  1308. cd %programfiles%\OpenSSH
  1309. ssh-add ssh_host_dsa_key
  1310. ssh-add ssh_host_rsa_key
  1311. ssh-add ssh_host_ecdsa_key
  1312. ssh-add ssh_host_ed25519_key
  1313.  
  1314. Firewall:
  1315. netsh advfirewall firewall add rule name="SSH Port" dir=in action=allow protocol=TCP localport=22 #in cmd only double quotes group the name; add remoteip=<your subnet> to limit where connections may come from
  1316. ... or add graphically into Inbound Rules 22/tcp port.
  1317.  
  1318. Check service status:
  1319. netstat -anop TCP
  1320.   Proto  Local Address          Foreign Address        State           PID
  1321.   TCP    0.0.0.0:22             0.0.0.0:0              LISTENING       4216
  1322.  
  1323. Usage examples
  1324. https://github.com/PowerShell/Win32-OpenSSH/wiki/ssh.exe-examples
  1325.  
  1326. Key generation
  1327. --------------
  1328. mkdir %userprofile%\.ssh\
  1329. cd %programfiles%\OpenSSH #not needed if added into path
  1330. ssh-keygen.exe -t ed25519 -a 1000 -f %userprofile%\.ssh\keyfile -C "Name mail@address phone" #-a: KDF rounds protecting the passphrase; the -C comment is stored in the public key and lands on every server you copy it to, so keep it to what identifies the key (a phone number does not belong there)
  1331.  
  1332. register a key in ssh-agent (so you do not need to enter the passphrase each time):
  1333. net start ssh-agent #if it is not yet started (set appropriate service as automatic)
  1334. ssh-add keyfile
  1335.  
  1336. you can write all keyfiles into one .bat file to add them at once
  1337.  
  1338. Copy key files from Windows to Linux machine (the Linux side only needs keyfile.pub; the private key is copied here only because these notes reuse one pair in both directions, otherwise a private key should stay on the machine that generated it and each machine gets its own pair):
  1339. scp %userprofile%\.ssh\keyfile student@172.16.10.2:/home/student/.ssh
  1340. scp %userprofile%\.ssh\keyfile.pub student@172.16.10.2:/home/student/.ssh
  1341.  
  1342. in Linux machine (~/.ssh must be mode 700 and authorized_keys mode 600, otherwise sshd with StrictModes ignores the file)
  1343. cat $HOME/.ssh/keyfile.pub >> $HOME/.ssh/authorized_keys
  1344.  
  1345. in Windows machine put the same keyfile.pub into %userprofile%\.ssh\authorized_keys and grant the sshd service read access to it:
  1346. cmd #run as administrator
  1347. icacls %userprofile%\.ssh /grant "NT Service\sshd":R /T
  1348.  
  1349. Verify the server's host key when logging in for the first time:
  1350. https://winscp.net/eng/docs/ssh_verifying_the_host_key
  1351. %programfiles%\OpenSSH>ssh-keygen.exe -l -f %userprofile%\.ssh\keyfile -E md5 #prints the fingerprint of the key file given (-E md5: the old MD5 form shown by older clients such as PuTTY); pointed at your own keyfile it shows your user key, not the server's
  1352. When logging in the first time to a server, you get a prompt with the fingerprint of its host key. Obtain the expected fingerprint out of band, e.g. by running the same command on the server against /etc/ssh/ssh_host_ed25519_key.pub, and answer "yes" only if the two match; the key is then stored in known_hosts and a later mismatch is reported as a changed host key.
  1353.  
  1354. Try to log in from Windows to Linux and vice versa using keyfile:
  1355. from Windows to Linux:
  1356. cd %programfiles%\OpenSSH && ssh -i %userprofile%\.ssh\keyfile student@172.16.10.2
  1357. ...where the user "student" and IP are in Linux machine
  1358.  
  1359. from Linux to Windows:
  1360. ssh -i ~/.ssh/keyfile user@172.16.10.3
  1361. ...where that IP is MS Windows machine IP
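The Linux-side part of the procedure above (append keyfile.pub to authorized_keys, fix the permissions) as an added example script; it is not part of these notes. It accepts only lines that look like a public key, never adds the same key twice (the comment is ignored when comparing), and sets the modes sshd's StrictModes requires. SAMPLE_PUB is a constructed line, not a real key, and the demo writes into a temporary directory only.

```shell
#!/bin/sh
# Added example, not from the original notes: the Linux side of the key
# installation (cat keyfile.pub >> authorized_keys) done carefully.
# SAMPLE_PUB is constructed for the demonstration and is not a real key.

SAMPLE_PUB='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyNotARealKey0000 student@laptop'

# pubkey_valid LINE: 0 if LINE is "<known type> <base64> [comment]", else 1
pubkey_valid() {
    set -f; set -- $1; set +f
    case ${1-} in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521|sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com) ;;
        *) return 1 ;;
    esac
    printf '%s' "${2-}" | grep -Eq '^[A-Za-z0-9+/]+=*$'
}

# key_present FILE TYPE BLOB: 0 if some line of FILE carries TYPE and BLOB as
# adjacent fields (so lines with leading options such as restrict,command=... count too)
key_present() {
    [ -f "$1" ] && awk -v t="$2" -v b="$3" '
        { for (i = 1; i < NF; i++) if ($i == t && $(i + 1) == b) found = 1 }
        END { exit !found }' "$1"
}

# install_pubkey FILE LINE: append LINE to FILE unless that key is already there.
# Returns 0 when installed or already present, 1 when LINE is not a public key.
# Also enforces the modes sshd expects: 700 on the directory, 600 on the file.
install_pubkey() {
    file=$1 line=$2
    pubkey_valid "$line" || return 1
    set -f; set -- $line; set +f
    dir=$(dirname "$file")
    mkdir -p "$dir" && chmod 700 "$dir"
    [ -f "$file" ] || : >"$file"
    chmod 600 "$file"
    key_present "$file" "$1" "$2" || printf '%s\n' "$line" >>"$file"
}

# Stand-alone demonstration into a temporary directory: the second install is a no-op.
demo_dir=$(mktemp -d)
install_pubkey "$demo_dir/.ssh/authorized_keys" "$SAMPLE_PUB"
install_pubkey "$demo_dir/.ssh/authorized_keys" "$SAMPLE_PUB"
echo "lines in authorized_keys after two installs: $(wc -l <"$demo_dir/.ssh/authorized_keys")"
rm -rf "$demo_dir"
```

On a real machine call install_pubkey "$HOME/.ssh/authorized_keys" "$(cat keyfile.pub)" in place of the cat >> line; the comparison on type and key material means a key re-sent with a different comment is still recognised as already installed.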
  1362.  
  1363. For more convenient SSH usage under MS Windows, please use (these support also Ed25519):
  1364. KiTTY - http://kitty.9bis.net/
  1365. puTTY dev - http://www.chiark.greenend.org.uk/~sgtatham/putty/snapshot.html (the development snapshot was needed for Ed25519 only before PuTTY 0.68; the 0.68 and later releases support it)
  1366.  
  1367. Linux:
  1368. install OpenSSH server and some additional packages by using:
  1369. sudo apt update && sudo apt install ssh openssh-blacklist*  -y && sudo apt clean
  1370.  
  1371. Key pair generation, firewall configuration in Ubuntu and ssh usage: please see above.
  1372.  
  1373. # # #
  1374.  
  1375. ---
  1376.  
  1377. GNU/Linux (OpenSSH) -> MS Windows (puTTY)
  1378. https://kb.site5.com/shell-access-ssh/how-to-convert-ssh-keys-to-ppk-format/
  1379. https://devops.profitbricks.com/tutorials/use-ssh-keys-with-putty-on-windows/
  1380. https://www.nextofwindows.com/how-to-convert-rsa-private-key-to-ppk-allow-putty-ssh-without-password
  1381. https://www.virag.si/2010/02/convert-openssh-private-key-to-putty-private-key-for-github/
  1382.  
  1383. in Linux:
  1384. sudo apt update && sudo apt install putty putty-tools -y && sudo apt clean
  1385. puttygen keyfile -o keyfile.ppk
  1386.  
  1387. please see also man puttygen examples
  1388.  
  1389. # # #
  1390.  
  1391. Wise man VPN - sshuttle
  1392. -------------------------
  1393. https://sshuttle.readthedocs.io/en/stable/overview.html
  1394. https://sshuttle.readthedocs.io/en/stable/requirements.html
  1395. https://sshuttle.readthedocs.io/en/stable/usage.html
  1396.  
  1397. EST - https://wiki.itcollege.ee/index.php/Sshuttle
  1398.  
  1399. Usually you can install sshuttle:
  1400. sudo apt update && sudo apt install sshuttle -y && sudo apt clean
  1401.  
  1402. Usual run:
  1403. sudo sshuttle --dns -Nvr user@server 0.0.0.0/0
  1404.  
  1405. Log in using keyfile:
  1406. sudo sshuttle --dns -Nvr user@server 0.0.0.0/0 -e "ssh -i /home/user/.ssh/keyfile user@server"
  1407.  
  1408. adding -H will scan remote hosts and add them into /etc/hosts file while connected, original state of /etc/hosts will be restored by disconnecting
  1409. sudo sshuttle --dns -HNvr user@server 0.0.0.0/0 -e "ssh -i /home/user/.ssh/keyfile user@server"
  1410.  
  1411. You can create also alias to facilitate usage:
  1412. nano ~/.bash_aliases
  1413. alias vpn='sudo sshuttle --dns -Nvr user@server 0.0.0.0/0'
  1414. ... save and run:
  1415. source ~/.bash_aliases
  1416. ... or reopen, relogin to terminal.
  1417. Then you can use the alias to run: vpn
  1418.  
  1419. Since sshuttle is started with sudo, the ssh it runs is root's, so it is simplest to keep a dedicated key pair in /root/.ssh/ and let an agent such as keychain hold it: the first time you log in the agent asks for the key's passphrase, and it can be configured to ask only when a key is first used. A key file without a passphrase also works, but then possession of the file alone gives access to the server.
  1420.  
  1421. When key pair is at /root/.ssh/ then you can write:
  1422. sudo sshuttle --dns -Nvr user@server 0.0.0.0/0 -e "ssh -i ~/.ssh/keyfile user@server"
  1423.  
  1424. To allow regular user(s) to run sshuttle without entering a password every time (be aware what this grants: sudo runs the whole sshuttle process as root and its -e/--ssh-cmd option lets the caller choose the command that process executes, so passwordless sudo on /usr/bin/sshuttle is in effect passwordless root for every user the rule covers; prefer the single-user form, or point the rule at a wrapper script with fixed arguments instead of the sshuttle binary):
  1425. create a file:
  1426. sudo nano /etc/sudoers.d/permissions #this filename could be any name; check the result with visudo -c before closing the session, a syntax error here makes sudo refuse to run
  1427. Cmnd_Alias VPN=/usr/bin/sshuttle
  1428. ALL ALL=(ALL) NOPASSWD:VPN
  1429.  
  1430. or allowing just one user:
  1431. username ALL=(ALL) NOPASSWD: /usr/bin/sshuttle
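A fixed-argument wrapper for the sudo rule, added here as an example and not part of these notes: the sudoers entry names the wrapper instead of /usr/bin/sshuttle, the wrapper refuses any arguments, and the only ssh command sshuttle will ever run is the one hard-coded in it. The path /usr/local/sbin/vpn-up, the sudoers file name and the remote user@server and key path are assumptions for the example; sshuttle appends the -r target to the -e command itself, as its documentation describes.

```shell
#!/bin/sh
# Added example, not from the original notes: wrapper with fixed arguments for
# sshuttle, so the sudo rule can name this script instead of /usr/bin/sshuttle
# (whose -e/--ssh-cmd would let the caller run anything as root).
# Hypothetical paths and names: /usr/local/sbin/vpn-up for this file,
# user@server and /root/.ssh/keyfile as in the notes.
#
# /etc/sudoers.d/vpn (check with: sudo visudo -cf /etc/sudoers.d/vpn):
#   username ALL=(root) NOPASSWD: /usr/local/sbin/vpn-up ""
# the trailing "" tells sudo to allow the command only when run without arguments.

VPN_REMOTE='user@server'
VPN_KEY='/root/.ssh/keyfile'
VPN_SUBNETS='0.0.0.0/0'
SSHUTTLE=/usr/bin/sshuttle

# vpn_args: print the fixed sshuttle argument list, one per line.
# Returns 1 if the caller passed anything, so nothing from the command line
# can reach sshuttle or the ssh it starts.
vpn_args() {
    [ $# -eq 0 ] || return 1
    printf '%s\n' --dns -N -v -r "$VPN_REMOTE" "$VPN_SUBNETS" \
        -e "ssh -i $VPN_KEY -o IdentitiesOnly=yes"
}

# vpn_main: refuse arguments, require root (i.e. being run via sudo), exec sshuttle.
vpn_main() {
    if ! vpn_args "$@" >/dev/null; then
        echo "vpn-up: takes no arguments" >&2
        return 2
    fi
    if [ "$(id -u)" -ne 0 ]; then
        echo "vpn-up: run it as: sudo vpn-up" >&2
        return 2
    fi
    # rebuild the positional parameters from the fixed list, one line per argument
    set --
    while IFS= read -r a; do set -- "$@" "$a"; done <<EOF
$(vpn_args)
EOF
    exec "$SSHUTTLE" "$@"
}

# Act as the wrapper only when installed under that name; otherwise just
# define the functions (so the file can be sourced and tested).
case ${0##*/} in vpn-up) vpn_main "$@" ;; esac
```

Install it root-owned and mode 755 (a wrapper writable by the user it is meant to restrict restricts nothing), then the alias from the notes becomes alias vpn='sudo vpn-up'.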
  1432.  
  1433. More reading at:
  1434. https://help.ubuntu.com/community/Sudoers
  1435. ---
  1436.  
  1437. https://unix.stackexchange.com/questions/74545/what-difference-between-openssh-key-and-putty-key
  1438. https://the.earth.li/~sgtatham/putty/0.67/htmldoc/Chapter8.html#puttygen-conversions
  1439. https://www.ssh.com/ssh/putty/linux/puttygen
  1440.  
  1441. Test your SSH server
  1442. sudo sshd -t #test mode: checks the syntax of sshd_config and the sanity of the host keys, prints nothing when everything is fine
  1443. sudo sshd -T #extended test mode: prints the effective configuration (every keyword with the value actually in use, defaults included), which is what to audit; add -C user=x,host=y,addr=z to see which Match blocks apply to a given connection
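An added example (not from the notes) of what to do with the output of sshd -T: pipe it through a small audit that flags the settings a hardening review usually questions. The sample output below is constructed for the demonstration, and the thresholds and recommendations are this example's choices; on a real host run sudo sshd -T | audit_sshd_t instead.

```shell
#!/bin/sh
# Added example, not from the original notes: audit `sshd -T` output
# (one lower-case "keyword value" line per effective setting).
# SAMPLE_SSHD_T is constructed for the demonstration; the flagged values and
# the recommendations are this example's choices.

SAMPLE_SSHD_T='port 22
protocol 2
permitrootlogin yes
passwordauthentication yes
pubkeyauthentication yes
permitemptypasswords no
x11forwarding yes
maxauthtries 6
ciphers aes128-ctr,aes256-gcm@openssh.com,aes128-cbc
kexalgorithms curve25519-sha256,diffie-hellman-group1-sha1'

# audit_sshd_t: read `sshd -T` output on stdin, print one finding per line as
# "keyword: current -> recommended"; return 0 if nothing was flagged, 1 otherwise.
audit_sshd_t() {
    findings=0
    while read -r key val; do
        hit=
        case "$key=$val" in
            permitrootlogin=yes)         hit="no (or prohibit-password for key-only root)" ;;
            passwordauthentication=yes)  hit="no, use keys (plus 2FA if needed)" ;;
            permitemptypasswords=yes)    hit="no" ;;
            x11forwarding=yes)           hit="no unless actually used" ;;
            maxauthtries=*)              [ "$val" -gt 4 ] && hit="4 or lower" ;;
            ciphers=*-cbc*)              hit="drop the CBC ciphers" ;;
            kexalgorithms=*group1-sha1*) hit="drop diffie-hellman-group1-sha1" ;;
        esac
        if [ -n "$hit" ]; then
            findings=$((findings + 1))
            printf '%s: %s -> %s\n' "$key" "$val" "$hit"
        fi
    done
    [ "$findings" -eq 0 ]
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_SSHD_T" | audit_sshd_t || echo "findings above need attention"
```

Because sshd -T prints defaults too, this also catches settings you never wrote into sshd_config; extend the case list with whatever else your policy covers (AllowUsers, LoginGraceTime, the MAC list and so on).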
  1444.  
  1445. # # #
  1446.  
  1447. Debug SSH connection
  1448. --------------------
  1449. different verbose levels:
  1450. ssh -vvv user@IP
  1451. ssh -vv user@IP
  1452. ssh -v user@IP
  1453.  
  1454. ... prepare to see lots of output
  1455.  
  1456. # # #
  1457. Limiting access: a forced command in authorized_keys (with command= sshd ignores whatever the client asked for and runs this command instead; the client's request is still visible to it in SSH_ORIGINAL_COMMAND. Add restrict, or on OpenSSH before 7.2 no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding, so the same key cannot open tunnels or a pty either)
  1458. ~/.ssh/authorized_keys
  1459. restrict,command="rsync --server -vre.iLsfxC --partial . ." ssh-rsa KEY me@host
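The forced command above expanded into a wrapper script, as an added example that is not part of these notes (rsync itself ships a fuller version of the idea as rrsync): sshd runs the script for every connection made with that key, the script inspects SSH_ORIGINAL_COMMAND and executes it only if it is an rsync server invocation whose target lies under one directory, refusing shell metacharacters and any path hidden in an option. The path /usr/local/bin/rsync-only, the directory /srv/backup and the key line in the comment are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the original notes: a forced-command wrapper that
# allows the key to run rsync in server mode only, and only under ALLOWED_ROOT.
# Install as /usr/local/bin/rsync-only (hypothetical path) and reference it
# from authorized_keys (hypothetical key):
#   restrict,command="/usr/local/bin/rsync-only" ssh-ed25519 AAAA... backup@client
# sshd runs this script instead of whatever the client asked for; the client's
# request is passed in SSH_ORIGINAL_COMMAND.  ALLOWED_ROOT is this example's choice.

ALLOWED_ROOT=/srv/backup

# rsync_only_allowed REQUEST: return 0 if REQUEST is "rsync --server ..." whose
# target path (the last word) lies under ALLOWED_ROOT, 1 otherwise.
rsync_only_allowed() {
    req=$1
    case $req in
        '') return 1 ;;
        # rsync never needs shell metacharacters; refuse them before anything else
        *';'*|*'&'*|*'|'*|*'`'*|*'$'*|*'>'*|*'<'*|*'('*|*')'*) return 1 ;;
    esac
    set -f; set -- $req; set +f          # split on whitespace without globbing
    [ "${1-}" = rsync ] && [ "${2-}" = --server ] || return 1
    shift 2
    n=$#
    i=0
    for a; do
        i=$((i + 1))
        if [ "$i" -eq "$n" ]; then       # the target directory is the last word
            case $a in
                "$ALLOWED_ROOT"|"$ALLOWED_ROOT"/*) return 0 ;;
                *) return 1 ;;
            esac
        fi
        case $a in
            .|-*) ;;                     # an option or the "." placeholder rsync sends
            *) return 1 ;;
        esac
        case $a in */*) return 1 ;; esac # no paths smuggled inside options (--log-file=... etc.)
    done
    return 1                             # no target at all
}

# rsync_only_main: entry point used by sshd, exec the request or log and refuse it.
rsync_only_main() {
    if rsync_only_allowed "${SSH_ORIGINAL_COMMAND-}"; then
        set -f; set -- $SSH_ORIGINAL_COMMAND; set +f
        exec "$@"
    fi
    logger -t rsync-only "refused '${SSH_ORIGINAL_COMMAND-}' from ${SSH_CLIENT-?}" 2>/dev/null
    echo "rsync-only: this key may only run rsync into $ALLOWED_ROOT" >&2
    exit 127
}

# Act as the forced command only when installed under that name; when the
# file is run or sourced under another name, just expose the functions.
case ${0##*/} in rsync-only) rsync_only_main ;; esac
```

Note the refusal is logged with the client address, which is what an incident responder later wants from such a key: the entry in auth.log shows only a successful public-key login, this line shows what the holder of the key tried to do with it.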
  1460.  
  1461. # # #
  1462.  
  1463. Multiple hop tunneling
  1464. ----------------------
  1465. ssh -At user@server -L 8011:127.0.0.1:8011 'ssh -At -L 8011:192.168.x.x:443 user@192.168.xxx.xxx'
  1466.  
  1467. user@server             initial server to connect (has a connection to the jump server and is reachable from the Internet)
  1468. 192.168.x.x:443         destination server web interface with https (port 443) in the internal network
  1469. 192.168.xxx.xxx         jump server, connects to the destination in the internal network
  1470. 127.0.0.1:8011          address to open in the browser on the local machine, shows the destination server's web interface
  1471.  
  1472. then https://localhost:8011 can be opened and it is carried through 'server' and '192.168.xxx.xxx' to the final destination at '192.168.x.x:443'. How it fits together: the outer -L binds local port 8011 to 127.0.0.1:8011 on 'server'; the inner ssh runs on 'server' (-t gives it a terminal) and binds that port, forwarding it over the second hop to the web interface; -A forwards your agent so that 'server' can authenticate to the jump host with your key without a private key being copied there. The browser will warn about the certificate, which was issued for the real name and not for localhost. The same chain can be written with -J (ProxyJump) instead of nesting ssh commands, which needs neither -t nor agent forwarding.
  1473.  
  1474. man ssh
  1475. -L [bind_address:]port:host:hostport
  1476. -L [bind_address:]port:remote_socket
  1477. -L local_socket:host:hostport
  1478. -L local_socket:remote_socket
  1479.  
  1480. * * *
  1481.  
  1482. SSH command-line multiple hop connection with Agent Forwarding
  1483. --------------------------------------------------------------
  1484. Useful when logging in sequentially to multiple servers.
  1485. With -A the connection to your local ssh-agent is forwarded (called: Agent Forwarding), so each hop can authenticate with your key although the private key is never copied to it.
  1486. You need to copy your public key to all of these remote machines.
  1487. Only the starting machine holds the private key (loaded into ssh-agent with ssh-add).
  1488. Hop machines need just the public key in their authorized_keys. Caveat: while you are connected, root (or anyone who can reach the agent socket) on every hop can use the forwarded agent to authenticate as you wherever your key is accepted, so forward the agent only to hosts you trust; where the hops allow it, -J (ProxyJump) relays the connection through them without ever giving them the agent.
  1489.  
  1490. key file with default name (all commands in one line)
  1491. ssh -At user@server ssh -At student@192.168.xxx.xxx ssh -At user@192.168.x.x
  1492.  
  1493. key file with custom name (all commands in one line)
  1494. ssh -At -i ~/.ssh/key user@server ssh -At -i ~/.ssh/key user@192.168.xxx.xxx ssh -At -i ~/.ssh/key user@192.168.x.x
  1495.  
  1496. user@server             initial server to connect (has a connection to the jump server and is reachable from outside)
  1497. 192.168.xxx.xxx         server used to jump to the destination in the internal network
  1498. 192.168.x.x             destination server in the internal network
  1499. ~/.ssh/key              replace with the proper location/name (if used); on the inner ssh commands -i names a file on that hop, which with agent forwarding is not needed since the forwarded agent supplies the key
  1500.  
  1501. if needed to define also port:
  1502. ssh -At user1@server1 -p xxxx
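Both hop setups above, the tunnel from "Multiple hop tunneling" and the sequential login from this section, written as one ssh_config fragment with ProxyJump; this is an added example, not something from the notes. ProxyJump relays the TCP connection through the hops and authenticates to each of them from this machine, so no private key and no forwarded agent is ever present on 'server' or the jump host, and each hop still needs only your public key in its authorized_keys. The host names, users, addresses and the key path are the placeholders used in the notes, not real systems; the file name config.multihop is an assumption.

```shell
#!/bin/sh
# Added example, not from the original notes: the two multi-hop setups as
# ssh_config Host entries using ProxyJump instead of nested "ssh -A" commands.
# Host names, users, addresses and ~/.ssh/key are the placeholders from the notes.

# write_multihop_config FILE: write the config fragment to FILE (mode 600).
write_multihop_config() {
    cat >"$1" <<'EOF'
# first hop, reachable from the Internet
Host server
    HostName server.example.org
    User user
    IdentityFile ~/.ssh/key
    IdentitiesOnly yes

# second hop, only reachable through 'server'; "ssh jump" also opens the tunnel
# local 8011 -> (through server and jump) -> 192.168.x.x:443
Host jump
    HostName 192.168.xxx.xxx
    User student
    IdentityFile ~/.ssh/key
    IdentitiesOnly yes
    ProxyJump server
    LocalForward 8011 192.168.x.x:443

# final destination, reached through both hops: "ssh dest" replaces
# ssh -At user@server ssh -At student@192.168.xxx.xxx ssh -At user@192.168.x.x
Host dest
    HostName 192.168.x.x
    User user
    IdentityFile ~/.ssh/key
    IdentitiesOnly yes
    ProxyJump jump
EOF
    chmod 600 "$1"
}

# cfg_get FILE HOST KEYWORD: print the value of KEYWORD inside the "Host HOST"
# block (keyword case-insensitive, first match), nothing if it is not set there.
cfg_get() {
    awk -v h="$2" -v k="$3" '
        tolower($1) == "host" { inhost = ($2 == h); next }
        inhost && tolower($1) == k { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}

# Stand-alone use: write the fragment next to the real config and show how ssh
# resolves it (ssh -G prints the effective options without connecting).
if [ "${1-}" = "--write" ]; then
    out=${HOME}/.ssh/config.multihop      # hypothetical file; add "Include config.multihop" to ~/.ssh/config
    write_multihop_config "$out"
    echo "wrote $out; check with: ssh -G -F $out dest"
fi
```

The one-line equivalents without a config file are ssh -J user@server -L 8011:192.168.x.x:443 student@192.168.xxx.xxx for the tunnel and ssh -J user@server,student@192.168.xxx.xxx user@192.168.x.x for the login; a hop whose sshd forbids TCP forwarding (AllowTcpForwarding no) cannot be used as a ProxyJump, which is the case where the -A chain from the notes is still needed.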
  1503.  
  1504. Links
  1505. -----
  1506. EST https://www.ria.ee/public/RIA/Kruptograafiliste_algoritmide_uuring_2015.pdf
  1507. - copy: http://enos.itcollege.ee/~edmund/materials/security/kryptoalgoritmide_elutsykli_uuring_15-07-2011.pdf
  1508. ENG https://www.ria.ee/public/RIA/Cryptographic_Algorithms_Lifecycle_Report_2016.pdf
  1509. - copy: http://enos.itcollege.ee/~edmund/materials/security/Cryptographic_Algorithms_Lifecycle_Report_2016.pdf
  1510.  
  1511. https://help.ubuntu.com/community/SSH/OpenSSH/Configuring
  1512. https://help.ubuntu.com/community/SSH/OpenSSH/Keys
  1513.  
  1514. https://en.wikibooks.org/wiki/OpenSSH
  1515. https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Public_Key_Authentication
  1516.  
  1517. https://en.wikipedia.org/wiki/RSA_(cryptosystem)
  1518. https://en.wikipedia.org/wiki/EdDSA
  1519. https://ed25519.cr.yp.to/
  1520.  
  1521. https://patrickmn.com/aside/how-to-keep-alive-ssh-sessions/
  1522.  
  1523. http://crypto.stackexchange.com/questions/40311/how-many-kdf-rounds-for-an-ssh-key
  1524.  
  1525. http://ask.xmodulo.com/check-ssh-protocol-version-linux.html
  1526.  
  1527. https://blog.g3rt.nl/upgrade-your-ssh-keys.html
  1528. http://www.reddit.com/r/linux/comments/543guz/upgrade_your_ssh_keys/
  1529.  
  1530. RSA key length
  1531. http://crypto.stackexchange.com/questions/1182/are-there-practical-upper-limits-of-rsa-key-lengths
  1532. http://www.javamex.com/tutorials/cryptography/rsa_key_length.shtml
  1533. http://crypto.stackexchange.com/questions/1978/how-big-an-rsa-key-is-considered-secure-today
  1534. https://www.keylength.com/
  1535.  
  1536. http://oletange.blogspot.com.ee/2013/09/choosing-gnupg-rsa-key-size.html
  1537. http://oletange.blogspot.com.ee/2013/09/problems-using-10kbit-keys-in-gnupg.html
  1538.  
  1539. additional reading:
  1540. http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-57-Part%201 - nov 2016
  1541. http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf
  1542. http://csrc.nist.gov/groups/ST/key_mgmt/
  1543.  
  1544. http://serverfault.com/questions/471327/how-to-change-a-ssh-host-key
  1545. http://stackoverflow.com/questions/20840012/ssh-remote-host-identification-has-changed
  1546. https://www.digitalocean.com/community/tutorials/ssh-essentials-working-with-ssh-servers-clients-and-keys
  1547. https://blog.urfix.com/25-ssh-commands-tricks/
  1548. https://stribika.github.io/2015/01/04/secure-secure-shell.html
  1549.  
  1550. Incompatibilities
  1551. http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https.html
  1552. http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-requirements.html
  1553. If you're importing a certificate into ACM, the length of the public key must be 1024 or 2048 bits.
  1554. If you're uploading a certificate to the IAM certificate store, the maximum size of the public key is 2048 bits.
  1555.  
  1556. Custom options
  1557. https://www.digitalocean.com/community/tutorials/how-to-configure-custom-connection-options-for-your-ssh-client
  1558.  
  1559. Security
  1560. https://www.linux.com/learn/5-ssh-hardening-tips
  1561. https://askubuntu.com/questions/2271/how-to-harden-an-ssh-server
  1562. https://linux-audit.com/audit-and-harden-your-ssh-configuration/
  1563. https://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html
  1564. https://lauri.xn--vsandi-pxa.com/2017/03/yubikey-for-ssh-auth.html
  1565. https://wiki.itcollege.ee/index.php/SSH_Encryption
  1566.  
  1567. SSH accounts (free accounts on third-party servers: whatever is tunnelled through them is visible to the operator, so treat them as for experiments only)
  1568. https://www.fastssh.com/
  1569. http://free-ssh.xyz/ , http://createssh.com/ , http://myssh.info/
  1570. https://www.facebook.com/freesshvps
  1571. https://shells.red-pill.eu/ - list of choices
  1572.  
  1573. SSH, VPN
  1574. http://contassh.com/
  1575. http://www.skyssh.com/
  1576. http://www.sshudp.com/
  1577. http://www.sshagan.net/
  1578.  
  1579. http://www.bost-ssh.cf/
  1580. https://www.facebook.com/bostssh
  1581.  
  1582. SSH
  1583. ---
  1584. EST
  1585. http://kuutorvaja.eenet.ee/wiki/OpenSSH_kasutamine
  1586.  
  1587. ENG
  1588. https://www.digitalocean.com/community/tutorials/understanding-the-ssh-encryption-and-connection-process
  1589. http://www.openssh.com/manual.html
  1590. https://www.itworld.com/article/2827172/it-management/16-ultimate-ssh-hacks.html
  1591.  
  1592. LDAP authentication for SSH keys
  1593. https://serverfault.com/questions/653792/ssh-key-authentication-using-ldap
  1594.  
  1595. 2FA for SSH
  1596. https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-two-factor-authentication
  1597. https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-16-04
  1598. https://sysconfig.org.uk/two-factor-authentication-with-ssh.html
  1599. https://authy.com/blog/add-2fa-to-your-ssh-in-30-seconds/
  1600. https://duo.com/docs/duounix
  1601. https://medium.com/@james_poole/yubikey-2fa-on-ubuntu-ssh-e09b4e91bfc8
  1602. https://jonarcher.info/2015/07/hardening-ssh-with-otp-for-2-factor-authentication/ - FreeOTP usage with SSH
  1603.  
  1604. SSH connection
  1605. https://www.cisco.com/c/en/us/about/press/internet-protocol-journal/back-issues/table-contents-46/124-ssh.html
  1606. https://www.digitalocean.com/community/tutorials/understanding-the-ssh-encryption-and-connection-process
  1607. https://www.digitalocean.com/community/tutorials/ssh-essentials-working-with-ssh-servers-
