ssh
directory structure
OpenSSH creates a directory $HOME/.ssh in your home directory, typically with the following files:
- authorized_keys: contains the public keys accepted for public key authentication
- config: the user's configuration file for the OpenSSH client
- id_rsa (PRIVATE KEY): contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519, authenticator-hosted Ed25519 or RSA authentication identity of the user
- id_rsa.pub (PUBLIC KEY): contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519, authenticator-hosted Ed25519 or RSA public key for authentication
- known_hosts: contains the host public keys of all known hosts
shell aliases
Check SSH-HostKey
See the man page:
man -P "less -p '^VERIFYING HOST KEYS'" ssh
Log in on the server via TTY (out of band) and print the host key fingerprint:
ssh-keygen -l -v -f /etc/ssh/ssh_host_rsa_key.pub
Compare it with the little ASCII "art" the client shows:
ssh -o "VisualHostKey yes" "$REMOTE_HOST"
Check the SSHFP record in DNS (if published):
ssh -o "VerifyHostKeyDNS ask" "$REMOTE_HOST"
Persist the config in
~/.ssh/config
HostKey changed
Probably the SSH host key did not change; more likely your
- routing is different (still in a VPN?)
- DNS resolution is different
Check the SSHFP record.
Log in as root
Logging in as root over ssh with a password is disabled by the default configuration, because it is
- not accountable and therefore a security issue
- a target for brute-force attacks
- using a shared secret (the root password)
- probably unnecessary
Instead, it's recommended at this point to log in to your personal account and elevate privileges using sudo.
pubkey auth
The private key
FOR YOUR EYES ONLY!
Safety Rules
Make sure the storage of your private key meets all of the following criteria. The file
- owner is set to yourself
- group is set to your own
- is only readable by yourself (mode 0600, nothing more)
- is always encrypted
- is stored on storage that is not publicly accessible
- has a backup, which is stored securely too
- is never in the hands of other people (no matter how trustworthy they are)
Be careful: the private key file name simply lacks the .pub extension.
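As an added example (not part of the original page), the following POSIX shell functions check a key file against the rules above: owner, group, mode 0600 and whether the key is passphrase-protected. They assume Linux with GNU coreutils (stat -c, base64 -d); the file path is whatever you pass in.

```shell
#!/bin/sh
# Added example (not from the original page): audit a private-key file
# against the safety rules. Assumes Linux with GNU coreutils.

# Return 0 if the key file is passphrase-protected, 1 otherwise.
key_is_encrypted() {
  if grep -q '^-----BEGIN OPENSSH PRIVATE KEY-----' "$1"; then
    # New OpenSSH format: the decoded base64 blob names the KDF,
    # "bcrypt" for an encrypted key and "none" for a plaintext key.
    grep -v '^-----' "$1" | base64 -d 2>/dev/null | grep -a -q 'bcrypt'
  else
    # Legacy PEM format (RSA/DSA/EC) marks encrypted keys with this header.
    grep -q '^Proc-Type: 4,ENCRYPTED' "$1"
  fi
}

# Print every violated rule for the given key file; return 0 only if all pass.
check_private_key() {
  f="$1"
  rc=0
  [ -f "$f" ] || { echo "$f: no such file"; return 1; }
  # uid, gid and octal mode of the file, in one stat call
  set -- $(stat -c '%u %g %a' "$f")
  if [ "$1" != "$(id -u)" ]; then echo "$f: owner is uid $1, not you"; rc=1; fi
  if [ "$2" != "$(id -g)" ]; then echo "$f: group is gid $2, not yours"; rc=1; fi
  if [ "$3" != "600" ]; then echo "$f: mode is $3, must be 600"; rc=1; fi
  if ! key_is_encrypted "$f"; then echo "$f: key is stored unencrypted"; rc=1; fi
  if [ "$rc" -eq 0 ]; then echo "$f: ok"; fi
  return "$rc"
}

# Usage: check_private_key ~/.ssh/id_rsa
```

The encryption check inspects the file format instead of calling ssh-keygen, so it never prompts for a passphrase: legacy PEM keys carry a Proc-Type: 4,ENCRYPTED header, and in the newer OpenSSH format the decoded blob names the KDF (bcrypt when encrypted, none otherwise).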
PubKey Auth on Linux and Unix
Generate a key pair for pubkey auth:
- RSA with length >= 2048; recommendation: length = 4096 bit, or
- ECDSA; you may specify the curve with -b (256, 384 or 521).
Use ssh-keygen to generate a key pair.
Now you can prepare pubkey auth. For that, the pubkey needs to be appended to the list of authorized keys on the target system. Be careful not to leak your private key!
Example on localhost
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
You can test it by logging in to localhost via ssh.
ssh localhost
If you are using the key a lot, it is more convenient to unlock/decrypt your private key once and keep it in RAM using an ssh-agent. Just type ssh-add and you will be asked for the passphrase to decrypt the key. You may delete all keys from the ssh-agent with ssh-add -D.
You may also copy your pubkey to systems that are reachable via ssh and that you are able to log in to.
ssh-copy-id "$REMOTE_USER@$REMOTE_SYSTEM"
You may now log in to the remote system without a password prompt.
ssh "$REMOTE_USER@$REMOTE_SYSTEM"
PubKey Auth on Win10
There is a nice article on docs.microsoft.com: OpenSSH key management
Install the PowerShell module for OpenSSH and start the ssh service (probably for this session only) from an elevated shell.
Create a key pair (make sure the private key is encrypted).
Check the agent status and import keys.
Now log in to your favorite host… :-D
Bugs in OpenSSH for Win32
If you are using ssh with a JumpHost you might run into a bug with older ssh versions (<8.1): https://github.com/PowerShell/Win32-OpenSSH/issues/1172
posix_spawn: No such file or directory
Please update to the latest version of Windows first! But this is not fixed in Windows 10 v2004…
Here are some links to an installation advisory on
You'll probably need the latest ssh version, OpenSSH-Win64.zip, from https://github.com/PowerShell/Win32-OpenSSH/releases
Please run the script install-sshd.ps1 with administrative permissions:
powershell.exe -ExecutionPolicy Bypass -File install-sshd.ps1
Check it with ssh -V
You may be forced to put the new OpenSSH directory in the PATH variable in front of %SYSTEMROOT%\System32\OpenSSH\.
ssh escape characters
A little, often unknown, but very useful feature of openssh!
ESCAPE CHARACTERS
     When a pseudo-terminal has been requested, ssh supports a number of
     functions through the use of an escape character.

     A single tilde character can be sent as ~~ or by following the tilde by a
     character other than those described below. The escape character must
     always follow a newline to be interpreted as special. The escape
     character can be changed in configuration files using the EscapeChar
     configuration directive or on the command line by the -e option.

     The supported escapes (assuming the default ‘~’) are:

     ~.      Disconnect.

     ~^Z     Background ssh.

     ~#      List forwarded connections.

     ~&      Background ssh at logout when waiting for forwarded connection /
             X11 sessions to terminate.

     ~?      Display a list of escape characters.

     ~B      Send a BREAK to the remote system (only useful if the peer
             supports it).

     ~C      Open command line. Currently this allows the addition of port
             forwardings using the -L, -R and -D options (see above). It also
             allows the cancellation of existing port-forwardings with
             -KL[bind_address:]port for local, -KR[bind_address:]port for
             remote and -KD[bind_address:]port for dynamic port-forwardings.
             !command allows the user to execute a local command if the
             PermitLocalCommand option is enabled in ssh_config(5). Basic
             help is available, using the -h option.

     ~R      Request rekeying of the connection (only useful if the peer
             supports it).

     ~V      Decrease the verbosity (LogLevel) when errors are being written
             to stderr.

     ~v      Increase the verbosity (LogLevel) when errors are being written
             to stderr.
keyboard-interactive authentication
sshpass
- Please try pubkey authentication first, before trying keyboard-interactive auth with sshpass.
- Never use the option -p password, because everybody can read the password with ps or top (using a race condition before sshpass obfuscates it).
Install sshpass
aptitude install sshpass
via file descriptor
Source: Serverfault: How to automate ssh login with password
Example
#!/bin/bash
# Generate a name for a pipe (-u|--dry-run: only print the name, create nothing)
PIPE="$(mktemp -u)"
# Create the FIFO pipe, readable and writable by the owner only
mkfifo -m 600 "$PIPE"
# Open the pipe for both reading and writing on file descriptor 3
exec 3<>"$PIPE"
# Delete the directory entry; the open descriptor keeps the pipe alive
rm "$PIPE"
UIDNAME="user"
HOST="host"
FILE="path/to/file"
# Write your password to the pipe.
# You may even use gpg at this point.
echo 'my_secret_password' >&3
# Read the password with sshpass from file descriptor 3 and
# connect via sftp
sshpass -d3 sftp "$UIDNAME"@"$HOST":"$FILE"
# Close the pipe when done
exec 3>&-
environment variable
#!/bin/bash
# MAKE THE VARIABLE SSHPASS AVAILABLE
# IN THE ENVIRONMENT OF ANY SUBSEQUENT COMMAND
export SSHPASS="my_secret_password"
# THE SSHPASS ENVIRONMENT VARIABLE MAY BE READ
# FROM "/proc/$PID/environ"
# BY THE INVOKING USER AND ROOT
sshpass -e sftp user@host:path/to/file
unset SSHPASS
password file
Make sure the Unix permissions are set correctly (replace "$OWNER")!
Old remote ssh-server
The cure is to upgrade the remote software, but if there is no other choice…
no matching cipher
The error
The man page:
man -P "less -p '^\s*Ciphers'" 5 ssh_config
Specify the option manually on the command line:
ssh -o "Ciphers +3des-cbc" remote-host
You may prefer a permanent solution in
~/.ssh/config
no matching key exchange method
The error
The man page:
man -P "less -p '^\s*KexAlgorithms'" 5 ssh_config
Specify the option manually on the command line:
ssh -o "KexAlgorithms +diffie-hellman-group14-sha1" remote-host
You may prefer a permanent solution in
~/.ssh/config
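The "no matching cipher" and "no matching key exchange method" sections above both end with a permanent solution in ~/.ssh/config without showing it. As an added example (not from the original page), the shell function below writes such a Host block, scoped to one legacy host so the weak algorithms never apply to any other connection. Because ssh_config uses the first obtained value for each parameter, the block is prepended rather than appended. It assumes GNU mktemp; the config path and host name are whatever you pass in, and the host name in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original page): make the cipher/KEX workaround
# permanent for ONE legacy host, leaving every other connection on the
# default algorithm lists. Assumes GNU mktemp.

# add_legacy_host CONFIG_FILE HOST
# Prepends a Host block that re-enables the old cipher and key exchange for
# that host only. Prepended, not appended: ssh_config takes the FIRST value
# obtained for each parameter, so a host-specific block must precede any
# "Host *" block. Idempotent: an existing block for the host is left alone.
add_legacy_host() {
  cfg="$1"; host="$2"
  if [ -f "$cfg" ] && grep -q "^Host $host\$" "$cfg"; then
    echo "$cfg: block for $host already present"
    return 0
  fi
  tmp="$(mktemp "$cfg.XXXXXX")"
  {
    printf 'Host %s\n' "$host"
    printf '    # legacy server: old algorithms allowed here and nowhere else\n'
    printf '    Ciphers +3des-cbc\n'
    printf '    KexAlgorithms +diffie-hellman-group14-sha1\n\n'
    if [ -f "$cfg" ]; then cat "$cfg"; fi
  } > "$tmp"
  mv "$tmp" "$cfg"
  # ssh rejects a config file that is writable by others
  chmod 600 "$cfg"
}

# Usage (placeholder host name):
# add_legacy_host ~/.ssh/config oldbox.example.invalid
```

The "+" prefix appends the old algorithm to the client's default list instead of replacing it, so the client still negotiates a modern algorithm with any server that offers one.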
X11 Forwarding
Add the option -X or -Y to your ssh command line. If you are on a low-bandwidth connection, it's a good idea to add -C to enable compression; it's generally a good idea on today's high-performance machines anyway.
Or make it permanent in
~/.ssh/config
cannot open display
Please check that X11Forwarding yes is enabled on the server side, too. The default is no.
grep '^[^#]' /etc/ssh/sshd_config
The package xauth has to be installed to set the magic cookie.
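The grep above lists every active line, but sshd applies two rules a reader has to keep in mind: the first occurrence of a keyword wins, keywords are case-insensitive, and settings inside a Match block are conditional. As an added example (not part of the original page), the shell snippet below prints the effective value of an sshd_config keyword under those rules and audits the settings this page touches (PermitRootLogin from the "Log in as root" section, PasswordAuthentication, X11Forwarding). It assumes the plain "Keyword value" syntax and does not follow Include directives; on the server itself, sshd -T prints the fully resolved configuration.

```shell
#!/bin/sh
# Added example (not from the original page): read the EFFECTIVE value of an
# sshd_config keyword the way sshd does. Assumes "Keyword value" syntax;
# Include directives are not followed.

# effective_option FILE KEYWORD DEFAULT -> prints the value in effect
effective_option() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
    /^[ \t]*#/ { next }                      # comment line
    NF == 0    { next }                      # blank line
    tolower($1) == "match" { inmatch = 1; next }
    inmatch    { next }                      # conditional block: skipped
    tolower($1) == key && !found {           # first occurrence wins
      found = 1
      sub(/^[ \t]*[^ \t]+[ \t]+/, "")        # drop the keyword itself
      sub(/[ \t]+$/, "")
      val = $0
    }
    END { print (found ? val : def) }
  ' "$1"
}

# audit_sshd_config FILE -> one line per setting discussed on this page,
# falling back to the OpenSSH default when the keyword is absent
audit_sshd_config() {
  f="$1"
  for kv in "PermitRootLogin prohibit-password" \
            "PasswordAuthentication yes" \
            "X11Forwarding no"; do
    set -- $kv
    printf '%s %s\n' "$1" "$(effective_option "$f" "$1" "$2")"
  done
}

# Usage: audit_sshd_config /etc/ssh/sshd_config
```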
sshuttle
sshuttle makes it possible to access remote networks using SSH. It creates a transparent proxy server, using iptables, that forwards all the traffic through an SSH tunnel to a remote copy of sshuttle.
Install
Install sshuttle:
apt install sshuttle
Optionally create a sudoers.d file
/etc/sudoers.d/sshuttle_auto
Usage
Forward everything, including DNS requests:
sshuttle --dns -r username@sshserver 0/0
Forward RFC1918 networks, networks automatically detected (from the remote routing table) and DNS requests to the remote host, and honor the remote /etc/hosts.
Configuration files sshuttle1.conf
Use the config with @.
The configuration file may be overridden on the CLI.
sshuttle @sshuttle1.conf
Daemonizing
There is an init script, which may be used with the configuration files in /etc/sshuttle to start sshuttle as a daemon (e.g. on boot or manually); see
/usr/share/doc/sshuttle/sshuttle.conf