ssh

Contents

directory structure

openssh creates a directory $HOME/.ssh in your home-directory typically with the following files

   1 % ls -d1 .ssh/*  
   2 .ssh/authorized_keys
   3 .ssh/config
   4 .ssh/id_rsa
   5 .ssh/id_rsa.pub
   6 .ssh/known_hosts

authorized_keys contains public keys for public key authentication
config user's configuration file for OpenSSH client
id_rsa PRIVATE KEY: Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519, authenticator-hosted Ed25519 or RSA authentication identity of the user.
id_rsa.pub PUBLIC KEY: Contains the DSA, ECDSA, authenticator-hosted ECDSA, Ed25519, authenticator-hosted Ed25519 or RSA public key for authentication.
known_hosts Contains host public keys for all known hosts.

pubkey auth

Generate a key pair for pubkey auth.

RSA or
- length >= 2048, recommendation: length = 4096bit
ECDSA
- you may specify the curve with -b (256, 384 or 521).

Use ssh-keygen for the purpose

   1 # CREATES .ssh/id_rsa*
   2 ssh-keygen -t rsa -b 4096
   3 # CREATES .ssh/id_ecdsa*
   4 ssh-keygen -t ecdsa -b 521

Make sure your private key is

owned by yourself
only readable by yourself
and is always encrypted!

Now you can prepare pubkey auth. Therefore pubkey needs to be appended to the list of authorized keys.

   1 cat .ssh/id_rsa >> .ssh/authorized_keys

You can test it by logging in to localhost via ssh.

   1 ssh localhost

If you are using the key a lot, it is more convenient to unlock/decrypt your private key and copy it to RAM using a ssh-agent. Just type ssh-add and you will be asked to provide a pass-phrase to decrypt the key. You may delete all keys from the ssh-agent with ssh-add -D.

You also may copy your pubkey to systems, that reachable via ssh and you are able to login.

   1 ssh-copy-id $REMOTE_USER@$REMOTE-SYSTEM

You now may login without password prompt by the remote system.

   1 ssh $REMOTE_USER@$REMOTE-SYSTEM

ssh escape characters

A little, often unknown but very useful feature of openssh!

   1 ESCAPE CHARACTERS
   2      When a pseudo-terminal has been requested, ssh supports a number of func‐
   3      tions through the use of an escape character.
   4 
   5      A single tilde character can be sent as ~~ or by following the tilde by a
   6      character other than those described below.  The escape character must
   7      always follow a newline to be interpreted as special.  The escape charac‐
   8      ter can be changed in configuration files using the EscapeChar configura‐
   9      tion directive or on the command line by the -e option.
  10 
  11      The supported escapes (assuming the default ‘~’) are:
  12 
  13      ~.      Disconnect.
  14 
  15      ~^Z     Background ssh.
  16 
  17      ~#      List forwarded connections.
  18 
  19      ~&      Background ssh at logout when waiting for forwarded connection /
  20              X11 sessions to terminate.
  21 
  22      ~?      Display a list of escape characters.
  23 
  24      ~B      Send a BREAK to the remote system (only useful if the peer sup‐
  25              ports it).
  26 
  27      ~C      Open command line.  Currently this allows the addition of port
  28              forwardings using the -L, -R and -D options (see above).  It also
  29              allows the cancellation of existing port-forwardings with
  30              -KL[bind_address:]port for local, -KR[bind_address:]port for re‐
  31              mote and -KD[bind_address:]port for dynamic port-forwardings.
  32              !command allows the user to execute a local command if the
  33              PermitLocalCommand option is enabled in ssh_config(5).  Basic
  34              help is available, using the -h option.
  35 
  36      ~R      Request rekeying of the connection (only useful if the peer sup‐
  37              ports it).
  38 
  39      ~V      Decrease the verbosity (LogLevel) when errors are being written
  40              to stderr.
  41 
  42      ~v      Increase the verbosity (LogLevel) when errors are being written
  43              to stderr.

keyboard-interactive authentication

sshpass

Please try pubkey-authentication first,

before trying keyboard-interactive auth with sshpass.

Never use option -ppassword because everybody can read it the password ps or top (using a race condition before obfuscation by sshpass)

   1 aptitude install sshpass

via file descriptor

Source: Serverfault: How to automate ssh login with password

   1 #!/bin/bash
   2 # Generate a name for a pipe (-u|--dry-run)
   3 PIPE="$(mktemp -u)"
   4 # Create FIFO pipe
   5 mkfifo -m 600 "$PIPE"
   6 # Opened pipe for both reading and writing on file descriptor 3
   7 exec 3<>"$PIPE"
   8 # Delete the directory entry
   9 rm "$PIPE"
  10 UIDNAME="user"
  11 HOST="host"
  12 FILE="path/to/file"
  13 # Write your password to the pipe.
  14 # You may even use gpg at this point.
  15 echo 'my_secret_password' >&3
  16 # Read password with sshpass from file descriptor 3 and
  17 # connect via sftp
  18 sshpass -d3 sftp "$UIDNAME"@"$HOST":"$FILE"
  19 # Close the pipe when done
  20 exec 3>&-

environment variable

   1 #!/bin/bash
   2 # MAKE VARIABLE SSHPASS AVAILABLE
   3 # IN THE ENVIRONMENT OF ANY SUBSEQUENT COMMAND
   4 export SSHPASS="my_secret_password"
   5 # SSHPASS ENVIRONMENT VARIABLE MAY BE READ
   6 # FROM "/proc/$PID/environ"
   7 # BY THE INVOKING USER AND ROOT
   8 sshpass -e sftp user@host:path/to/file
   9 unset SSHPASS

password file

Make sure Unix-permissions are correct (replace "$OWNER")!

   1 install -m 600 -o "$OWNER" path/to/password.file
   2 ### WRITE PASSWORD IN "password.file"
   3

   1 #!/bin/bash
   2 export PWFILE="path/to/password.file"
   3 sshpass -f"PWFILE" sftp user@host:path/to/file
   4 unset PWFILE

Configurations

Services

Sports

Navigation

ssh