SSH Practical Notes
Authors:
Vinicius Vielmo Cogo
Vitor Conrado Faria Gomes
1. Introduction
These notes apply to SSH interactions in general, since SSH is based on a client-server architecture. To make them more comprehensive, we will consider the following computational system:
2. SSH Authentication
2.1. Password Authentication
outside:~$ ssh username@server.domain.com
username@server's password:
username@server:~$
2.2. Public Key Authentication
outside:~$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
outside:~$ scp ~/.ssh/id_rsa.pub username@server.domain.com:/tmp/user_id_rsa.pub
username@server's password:
outside:~$ ssh username@server.domain.com 'cat /tmp/user_id_rsa.pub >> ~/.ssh/authorized_keys'
username@server's password:
outside:~$ ssh username@server.domain.com
username@server:~$
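As an added example (not part of the original notes), the script below does on the server what the scp and cat steps above do, but it validates the key line, skips a key that is already installed and sets the modes that sshd's StrictModes checks before it reads the file. It assumes a POSIX shell with awk and grep -E; the key in the demo is a constructed, non-functional value.

```sh
#!/bin/sh
# install_authorized_key PUBKEY_FILE AUTHORIZED_KEYS_FILE
# Does what "cat /tmp/user_id_rsa.pub >> ~/.ssh/authorized_keys" does, but:
#  1. refuses anything that is not a "type base64-blob [comment]" line,
#  2. skips a key that is already present (matched on type and blob, so a
#     different comment or an options prefix does not create a duplicate),
#  3. sets the 700/600 modes sshd's StrictModes requires before it will
#     use the file at all.
install_authorized_key() {
    pubkey_file=$1
    auth_file=$2
    auth_dir=$(dirname "$auth_file")
    key_line=$(head -n 1 "$pubkey_file")      # ssh-keygen writes one line
    printf '%s\n' "$key_line" |
        grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$' ||
        { echo "refusing to install: $pubkey_file is not a public-key line" >&2; return 1; }
    key_id=$(printf '%s\n' "$key_line" | cut -d ' ' -f 1,2)
    mkdir -p "$auth_dir" && chmod 700 "$auth_dir"
    # already present? compare every adjacent field pair with "type blob"
    if [ -f "$auth_file" ] && awk -v k="$key_id" '
            { for (i = 1; i < NF; i++) if (($i " " $(i + 1)) == k) found = 1 }
            END { exit found ? 0 : 1 }' "$auth_file"; then
        echo "already present: $key_id"
    else
        ( umask 077; printf '%s\n' "$key_line" >> "$auth_file" )
        echo "installed: $key_id"
    fi
    chmod 600 "$auth_file"
}

# Demo in a temporary directory with a constructed (non-functional) key.
demo_dir=$(mktemp -d)
printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyMaterialNotARealKey username@outside' > "$demo_dir/user_id.pub"
install_authorized_key "$demo_dir/user_id.pub" "$demo_dir/.ssh/authorized_keys"
install_authorized_key "$demo_dir/user_id.pub" "$demo_dir/.ssh/authorized_keys"   # reports "already present"
```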
3. Best Practices
3.1. SSH Aliases and Proxies (client-side)
~/.ssh/config
...
Host alias
User username
HostName server.domain.com
Host *.alias
User username
ProxyCommand ssh username@server.domain.com "nc -q 10 \$(basename %h .alias) %p"
...
outside:~$ ssh alias
outside:~$ ssh nodeN.alias
3.2. Tunnelling SSH (client-side)
On the server, open a background tunnel (-f sends ssh to the background, -N opens no remote shell) that listens on port 2020 of the server and forwards it to port 22 of nodeN:
username@server:~$ ssh -f -N -L server:2020:nodeN:22 -l username nodeN
From outside, reach nodeN through that tunnel:
outside:~$ ssh -p 2020 username@server
3.3. Multiplexing SSH connection (client-side)
~/.ssh/config
...
ControlMaster auto
ControlPath ~/.ssh/some-dir/%r@%h:%p
...
Create the ~/.ssh/some-dir/ folder:
outside:~$ mkdir ~/.ssh/some-dir/
Change the permissions for the created folder:
outside:~$ chmod -R 700 ~/.ssh/some-dir/
Create the first connection and it will authenticate normally:
outside:~$ ssh username@server
Create another connection (without closing the first) and it will use the same channel without performing the authentication protocol again:
outside:~$ ssh username@server
If you close the first connection, then the multiplexed channel will be closed and the file that represents it will be deleted.
username@server:~$ logout
3.4. Authorized Users White-List (server-side)
/etc/ssh/sshd_config
...
AllowUsers username1 username2 username3
...
root@server:~$ /etc/init.d/ssh restart
3.5. Root Access Prohibited (server-side)
/etc/ssh/sshd_config
...
PermitRootLogin no
...
root@server:~$ /etc/init.d/ssh restart
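The two sshd_config settings above (sections 3.4 and 3.5) are short to write but easy to get wrong, because sshd takes the first value it finds for a keyword and silently ignores later ones. The added example below (ours, not from the original notes) reads a config the way sshd does and reports deviations from both settings; it assumes POSIX sh and awk and a config without Match blocks, and the config in the demo is constructed.

```sh
# Assumptions: POSIX sh and awk; the config contains no Match blocks
# (their settings are conditional and would need a fuller parser).

# Print the value sshd will use for KEYWORD: the first non-comment line
# whose keyword matches, case-insensitively, in "Keyword value" or
# "Keyword=value" form. Later duplicates are ignored by sshd, so they are
# ignored here too. Prints nothing when the keyword is unset.
sshd_effective() {   # sshd_effective CONFIG KEYWORD
    awk -v k="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[[:space:]]*#/ || NF == 0 { next }
        { line = $0; sub(/^[[:space:]]+/, "", line)
          split(line, f, /[[:space:]=]+/)
          if (tolower(f[1]) != k) next
          sub(/^[^[:space:]=]+[[:space:]=]+/, "", line)
          sub(/[[:space:]]+$/, "", line)
          print line; exit }' "$1"
}

# Count how many lines set KEYWORD; anything beyond the first is dead
# configuration that an administrator may wrongly believe is in effect.
sshd_count() {       # sshd_count CONFIG KEYWORD
    awk -v k="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[[:space:]]*#/ || NF == 0 { next }
        { line = $0; sub(/^[[:space:]]+/, "", line)
          split(line, f, /[[:space:]=]+/)
          if (tolower(f[1]) == k) c++ }
        END { print c + 0 }' "$1"
}

# Check the two server-side settings from sections 3.4 and 3.5. Prints one
# finding per line; returns 0 when clean, 1 when anything was found.
sshd_audit() {       # sshd_audit CONFIG
    cfg=$1; n=0
    v=$(sshd_effective "$cfg" PermitRootLogin)
    [ "$v" = no ] || { echo "PermitRootLogin is '${v:-unset}', expected 'no'"; n=$((n + 1)); }
    v=$(sshd_effective "$cfg" AllowUsers)
    [ -n "$v" ] || { echo "AllowUsers is unset: every local account may log in over SSH"; n=$((n + 1)); }
    for k in PermitRootLogin AllowUsers; do
        c=$(sshd_count "$cfg" "$k")
        [ "$c" -le 1 ] || { echo "$k is set $c times; sshd uses only the first value"; n=$((n + 1)); }
    done
    [ "$n" -eq 0 ]
}

# Demo on a constructed config (not a real server's file).
demo=$(mktemp)
printf 'PermitRootLogin yes\n# added later, but sshd keeps the first value:\nPermitRootLogin no\n' > "$demo"
sshd_audit "$demo"; rm -f "$demo"
```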
4. Troubleshooting
4.1. Remote Host Identification Has Changed (client side)
outside:~$ ssh username@server.domain.com
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the host key has just been changed.
Please contact your system administrator.
Add correct host key in /home/username/.ssh/known_hosts to get rid of this message.
Offending key in /home/username/.ssh/known_hosts:13
RSA host key for host has changed and you have requested strict checking.
Host key verification failed.
In your known hosts file (~/.ssh/known_hosts), remove just the line related to this host (in this case, line 13):
outside:~$ sed -i '13d' ~/.ssh/known_hosts
Or, as a last resort, delete the entire known hosts file:
outside:~$ rm -f ~/.ssh/known_hosts
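Added example, not from the original notes: a function that reads the warning text above, removes exactly the line named in its "Offending key in ..." message, and prints the host field of the entry it dropped so the change is visible. It assumes the message format OpenSSH prints and a POSIX sh with sed; the known_hosts file in the demo is constructed.

```sh
# remove_offending_key < WARNING_TEXT
# Takes "PATH:N" from the "Offending key in PATH:N" line of the warning
# and deletes only line N of that known_hosts file, leaving every other
# host entry in place. Prints the host field of the removed entry.
# Returns 1 when the text has no such line or line N does not exist.
# sed -i is avoided because its syntax differs between GNU and BSD sed.
remove_offending_key() {
    ref=$(sed -n 's/^Offending .*key in \(.*:[0-9][0-9]*\)$/\1/p' | head -n 1)
    [ -n "$ref" ] || { echo "no 'Offending key' line found" >&2; return 1; }
    file=${ref%:*}
    line=${ref##*:}
    entry=$(sed -n "${line}p" "$file")
    [ -n "$entry" ] || { echo "$file has no line $line" >&2; return 1; }
    tmp=$(mktemp) || return 1
    sed "${line}d" "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the file's mode
    rm -f "$tmp"
    printf '%s\n' "${entry%% *}"   # host field (first column) of the removed entry
}

# Demo with a constructed known_hosts file and the matching warning line.
demo_dir=$(mktemp -d)
printf 'host1 ssh-ed25519 AAAAconstructed1\nserver.domain.com ssh-rsa AAAAconstructed2\n' > "$demo_dir/known_hosts"
printf 'Offending key in %s/known_hosts:2\n' "$demo_dir" | remove_offending_key
cat "$demo_dir/known_hosts"   # only the host1 entry remains
```

ssh-keygen -R server.domain.com removes every entry for that host by name and is the portable alternative to deleting by line number.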
5. References
- OpenBSD. OpenSSH Manual Pages. Available at http://www.openssh.org/manual.html. Published in July, 2008. Accessed in July, 2010.
- Wikipedia. OpenSSH Article. Available at http://pt.wikipedia.org/wiki/OpenSSH. Last modified in July, 2010. Accessed in July, 2010.
- STAHNKE, Michael. Pro OpenSSH. Apress, New York, NY, USA. Published in October, 2005.
- BARRETT, Daniel J.; SILVERMAN, Richard E.; BYRNES, Robert G.. SSH, The Secure Shell: The Definitive Guide. O'Reilly Media, Sebastopol, CA, USA. Published in May, 2005.
If you ran into a problem while following this tutorial, check whether the Troubleshooting section has an entry for your case. If it does not, please e-mail us.