wiki.kamaradski.com

User Tools

Site Tools

Trace:
cheatsheet:ssh

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Next revision		Previous revision
cheatsheet:ssh [2023/02/14 09:27] – created kamaradskicheatsheet:ssh [2023/02/21 12:24] (current) kamaradski
Line 1: Line 1:
 ====== ssh command cheatsheet ====== ====== ssh command cheatsheet ======
 +
 +===== what are ssh and sshd =====
 +
 +SSH (Secure Shell) is a network protocol that provides secure communication between two computers, typically a client and a server. It is commonly used to enable remote access and management of a server or other networked device. The SSH protocol encrypts all traffic between the client and the server, making it resistant to eavesdropping, tampering, and other forms of network attacks.
 +
 +To establish an SSH connection, a client program sends a request to the server to initiate the SSH protocol. The server runs the SSH daemon (sshd) that listens for incoming SSH connections on a designated port (usually 22). Once a connection is established, the client and server negotiate the encryption algorithm and authentication method to be used for the session.
 +
 +The SSH protocol supports a variety of authentication methods, including password authentication and public key authentication. With password authentication, the client sends a username and password to the server to authenticate the user. Public key authentication uses a pair of cryptographic keys - a public key and a private key - to authenticate the user. The public key is stored on the server, and the private key is kept by the user.
 +
 +The SSH and SSHD services provide a secure way to manage remote systems, transfer files securely, and execute remote commands securely over the network. These services are widely used in various environments, including system administration, network management, and cloud computing. It's important to properly configure and secure SSH and SSHD to prevent unauthorized access and protect sensitive data.
 +
 +
 +===== connect to a remote server =====
 +<code bash>
 +$ ssh username@hostname
 +</code>
 +
 +===== connect using a non-default SSH port =====
 +<code bash>
 +$ ssh -p <port> username@hostname
 +</code>
 +
 +===== connect using a specific identity file =====
 +<code bash>
 +$ ssh -i /path/to/private/key username@hostname
 +</code>
 +
 +===== run a remote command =====
 +<code bash>
 +$ ssh username@hostname "command"
 +</code>
 +
 +===== keys and certificates =====
 +
 +==== create id_rsa ssh key ====
 +<code bash>
 +$ ssh-keygen -t rsa
 +or
 +$ ssh-keygen -t rsa -b 4096 -C "<comment>"
 +</code>
 +
 +==== copy local public key to remote "known_hosts" ====
 +<code bash>
 +$ ssh-copy-id -i ~/.ssh/id_rsa.pub -p 1234 user@host
 +</code>
 +
 +==== remove a specific host from the known_hosts file ====
 +<code bash>
 +$ ssh-keygen -f "/home/ubuntu/.ssh/known_hosts" -R "10.0.0.10"
 +
 +# Host 10.0.0.10 found: line 39
 +# Host 10.0.0.10 found: line 40
 +/home/ubuntu/.ssh/known_hosts updated.
 +Original contents retained as /home/ubuntu/.ssh/known_hosts.old
 +</code>
  
 ===== create "alias" configuration for a host ===== ===== create "alias" configuration for a host =====
Line 26: Line 81:
 $ scp /local/file.ext someothername:/remote/target/folder/ $ scp /local/file.ext someothername:/remote/target/folder/
 </code> </code>
 +
 +===== start/restart/stop ssh or sshd service =====
 +
 +Ubuntu, Debian, CentOS, Fedora and other systems that use systemd
 +<code bash>
 +sudo systemctl start|restart|stop ssh|sshd
 +</code>
 +
 +Systems that use SysV init:
 +<code bash>
 +sudo service ssh|sshd start|restart|stop
 +</code>
 +
 +
 +===== important files =====
 +
 +==== ~/.ssh/known_hosts ====
 +
 +Is a system file that contains a list of public keys for hosts that the user has previously connected to via SSH. When a user connects to a remote host using SSH for the first time, the remote host's public key is added to this file, and on subsequent connections, the client checks this file to ensure that it is connecting to the correct remote host. If the remote host's key has changed, the user is prompted to confirm the change before proceeding with the connection. Meaning: this keeps track of the outbound SSH calls when you connect to other hosts.
 +
 +==== ~/.ssh/authorized_keys ====
 +A file that contains a list of public keys that are authorized to access an SSH user account. When a user wants to set up passwordless authentication to a remote host, they can add their public key to the authorized_keys file on the remote host. When the user attempts to connect to the remote host via SSH, the remote host checks the authorized_keys file to see if the user's public key is listed. If the key is found, the user is granted access to the account without needing to enter a password. This file is a critical part of SSH security as it allows for secure remote access to a system without the need for password-based authentication. Meaning: this keeps track of the inbound SSH calls where you login to your own user from another machine.
 +
 +==== ~/.ssh/config ====
 +This is a configuration file that allows users to specify SSH options for various hosts, as well as create shortcuts for commonly used options. It provides a way to simplify the process of connecting to remote hosts by allowing users to set up SSH options once and reuse them for future connections. For example, users can specify options such as the hostname, port number, username, and identity file, as well as advanced options such as TCP keepalive and SSH agent forwarding.
 +
 +Additionally, the config file allows for the creation of host aliases, which enables users to assign nicknames to frequently used hostnames. With this feature, users can simply type the nickname instead of the full hostname when connecting to the remote host. The config file also supports conditional settings, which enables users to specify options based on the context of the connection, such as network location or originating machine. Overall, the config file provides a convenient and efficient way to manage SSH connections and simplify the process of remote access.
 +
 +==== /etc/ssh/ssh_config ====
 +This is a system-wide configuration file that sets the default options for the SSH client. It applies to all SSH connections initiated from the local machine, regardless of the user account used to establish the connection. The options set in this file can be overridden by user-specific options in the "~/.ssh/config" file.
 +
 +The ssh_config file includes a variety of configuration options that allow administrators to specify various parameters for SSH connections. For example, it allows setting options such as the default port number for SSH connections, the preferred key exchange algorithms, and the default login name to use when connecting to a remote host.
 +
 +This file also supports conditional settings, which enable administrators to specify different options based on the context of the connection. For example, options can be set based on the originating IP address, the hostname of the remote machine, or other criteria. Overall, the ssh_config file provides a powerful and flexible way to manage SSH connections and security settings across an entire system.
 +
 +==== /etc/ssh/sshd_config ====
 +sshd_config is the system-wide configuration file for the OpenSSH daemon (sshd) that listens for incoming SSH connections on a server. It sets the default options for the SSH server and applies to all incoming SSH connections, regardless of the user account used to establish the connection.
 +
 +The sshd_config file includes a wide range of configuration options that enable system administrators to specify various parameters for SSH server connections. For example, it allows setting options such as the default port number for SSH connections, the preferred key exchange algorithms, and the type of authentication allowed.
 +
 +The file also supports various security-related settings, such as setting restrictions on the users who can connect to the server, limiting the number of concurrent connections, and setting up chroot environments for specific users.
 +
 +Similar to the ssh_config file, the sshd_config file supports conditional settings that enable administrators to specify different options based on the context of the connection. For example, options can be set based on the originating IP address, the hostname of the remote machine, or other criteria.
 +
 +Overall, the sshd_config file is an essential tool for system administrators to manage and configure SSH server connections and maintain a secure and reliable remote access environment.
 +
 +
 +==== logfiles ====
 +
 +The related log files for SSH and SSHD can also vary depending on the operating system and version, but here are the common ones for several popular Linux distributions:
 +
 +Ubuntu, Debian, and other systems that use systemd:\\ 
 +The SSH log file is typically located at ''/var/log/auth.log'', and the SSHD log file is typically located at ''/var/log/syslog''.
 +
 +CentOS, Fedora, and other systems that use systemd:\\ 
 +The SSH log file is typically located at ''/var/log/secure'', and the SSHD log file is typically located at ''/var/log/secure''.
 +
 +Systems that use SysV init:\\ 
 +The SSH log file is typically located at ''/var/log/secure'', and the SSHD log file is typically located at ''/var/log/messages''.
 +
 +In general, the SSH log file records information about SSH client connections, including successful and failed login attempts, the time and date of the connection, and the IP address of the connecting client. The SSHD log file records information about the SSH server, including successful and failed connection attempts, system errors, and other server-related events.
 +
  
 ===== tunneling ===== ===== tunneling =====
 +The SSH command with the -L and -D options allows you to create secure connections between two computers, which can be useful in many situations.
 +
 +The -L option creates a secure tunnel that connects your computer to another computer through a third computer. This can be helpful when you need to access a computer that's behind a firewall or is not accessible from your computer directly.
 +
 +For example, imagine you need to access a computer at work, but it's only accessible from your work network. By creating an SSH tunnel with the -L option, you can connect to a different computer that is accessible from your computer, and that computer will connect to the work computer for you.
 +
 +The -D option creates a different type of tunnel that lets you use a remote computer as a proxy. This is useful if you want to access resources that are only available from a remote computer.
 +
 +For example, imagine you need to access a website that is only available from a computer in a different country. By creating an SSH tunnel with the -D option, you can use the remote computer as a proxy to access the website from your computer.
 +
 +Overall, the -L and -D options are powerful tools that allow you to securely connect to remote computers and access resources that might otherwise be unavailable to you.
 +
 +
 +==== -D option (dynamic port forwarding) (SOCKS proxy) ====
 +Let's say you're traveling abroad and need to access a website that's only accessible from your home country. By using the -D option, you can create a SOCKS proxy that routes all your web traffic through a remote computer in your home country.
  
-==== open SOCKS tunnel (used for browsing for example) ====+The command to create the proxy would look like this:
 <code bash> <code bash>
-ssh -D 6666 -vTCN username@sshserver.domain.com -p1234+ssh -D 1080 user@home.com
  
 # where: # where:
-# -D 6666 is the local port to use (pick open port at will) +# -D 1080 is the local port to use (pick any open port [above 1024] at will)
-# -p 1234 is the remote port at which the remote ssh-server is listening for you+
 </code> </code>
  
-==== tunnel specific local port to a specific remote port ====+In this example, you're connecting to the "home.com" computer and creating SOCKS proxy on port 1080. You can then configure your web browser to use the SOCKS proxy on your local computer (by specifying localhost:1080 as target), and all your web traffic will be securely routed through the "home.com" computer. This will make it appear as if you're accessing the web from your home country, even if you're physically located in different country.
  
-This is very useful is you want to tunnel into an ssh jumphost in a remote network, and then reach a service on another server 
-inside the target network. For example, you can tunnel a mail local mail client, via an ssh jumphost, to a private email server somewhere on the remote network. 
  
 +==== -L option (remote port forwarding) ====
 +Let's say you have a server that's only accessible from your office network, but you need to access it from your home computer. By using the -L option, you can create a secure tunnel that connects your home computer to the server through another computer that's accessible from your home computer.
 +
 +The command to create the tunnel would look like this:
 <code bash> <code bash>
-ssh -L 6666:192.168.1.100:1234 usnername@ssh-jumphost.domain.com -p 8080 -vTN+ssh -L 8888:server.example.com:22 user@accessible.com
  
 # where # where
-6666 is the local port to use (pick open port at will) +8888 is the local port to use (pick any open port [above 1024] at will) 
-192.168.1.100 is the ip-address of the remote server (reachable from the ssh jumphost) +server.example.com is the target server we want to reach 
-1234 is the remote port to use on the remote server +22 is the remote port we want to reach on the target server 
--p 1234 is the remote port at which the remote ssh-server is listening+accessible.com is the server in the middle (jumphost) 
 +</code>
  
-ssh -L opens local port. Everything that you send to that port is put through the ssh connection and leaves through the server. +In this example, you're connecting to the "accessible.com" computer and creating tunnel on port 8888Any traffic sent to port 8888 on your home computer will be securely forwarded to the "server.example.com" server through the "accessible.com" computer. This is commonly in use in secure networks where you only can or want to expose 1 server to the internetand you use this as jumphost to reach other services that are in the network behind.
-If you do, e.g., ssh -L 4444:google.com:80, if you open http://localhost:4444 on your browser, you'll actually see google's page.+
  
-ssh -D opens a local port, but it doesn'have a specific endpoint like with -L. Instead, it pretends to be SOCKS proxy. + 
-If you open, e.g., ssh -D 7777, when you tell your browser to use localhost:7777 as your SOCKS proxy, everything your browser  +===== SSHd settings ===== 
-requests goes through the ssh tunnel. To the public internet, it's as if you were browsing from your ssh server instead of from your computer.+ 
 +Related file: /etc/ssh/sshd_config 
 + 
 +==== disable the use of passwords to login ==== 
 +Note: make sure you have a working key-based login in place before doing this (or local access via real keyboard/monitor or KVM) 
 + 
 +<code> 
 +ChallengeResponseAuthentication no 
 +PasswordAuthentication no 
 +UsePAM no
 </code> </code>
 +
 +==== disable the root account from logging in ====
 +
 +<code>
 +PermitRootLogin no
 +#PermitRootLogin prohibit-password
 +</code>
 +
  
cheatsheet/ssh.1676366874.txt.gz · Last modified: 2023/02/14 09:27 by kamaradski

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki