SSH Notes
These notes apply to OpenSSH.

- SSH sessions
  - Initiate a session
    - Use ssh user@domain.com to initiate an ssh session (alternatively: ssh -l user domain.com)
  - Files stored locally in ~/.ssh
  - Known hosts
    - The first time you connect to a remote server via SSH, you are asked if you want to continue--if you do, that server's host key is added to the known_hosts file
  - Permissions: recommended is 700 for the .ssh folder and 600 for ssh files
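As an added example (not part of the original notes), a small POSIX sh function that audits a .ssh directory against the 700/600 recommendation above. It assumes that *.pub files may stay world-readable and builds its own temporary directory for the demo, so nothing under your real home directory is touched.

```shell
#!/bin/sh
# Audit an SSH directory against the recommendation above:
# 0700 on the directory, no group/other bits on the files inside it.
# Only `ls -ld` is used, so GNU and BSD userlands behave the same.
# Assumption (not from the notes): *.pub files are skipped, since public
# keys are meant to be copied elsewhere and are commonly left 0644.

# mode_string PATH -> the 10-char mode field of ls -ld, e.g. drwx------
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# check_ssh_perms DIR -> returns 0 if everything is tight, 1 otherwise,
# printing one line per offending path.
check_ssh_perms() {
    dir=$1
    rc=0
    m=$(mode_string "$dir")
    case "$m" in
        drwx------) ;;
        *) echo "BAD $dir: expected drwx------, got $m"; rc=1 ;;
    esac
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$f" ] || continue                 # glob matched nothing
        case "$f" in *.pub) continue ;; esac    # public keys are exempt
        m=$(mode_string "$f")
        # characters 5-10 are the group and other permission bits
        case "$m" in
            -???------) ;;
            *) echo "BAD $f: group/other bits set ($m)"; rc=1 ;;
        esac
    done
    return $rc
}

# Demo on a constructed temporary directory (nothing under $HOME is touched)
demo() {
    t=$(mktemp -d)
    mkdir -m 700 "$t/.ssh"
    touch "$t/.ssh/id_rsa" "$t/.ssh/id_rsa.pub" "$t/.ssh/authorized_keys"
    chmod 600 "$t/.ssh/id_rsa" "$t/.ssh/authorized_keys"
    chmod 644 "$t/.ssh/id_rsa.pub"
    check_ssh_perms "$t/.ssh" && echo "clean"   # passes
    chmod 644 "$t/.ssh/authorized_keys"
    check_ssh_perms "$t/.ssh" || echo "fix it"  # flags authorized_keys
    rm -rf "$t"
}
```

Run check_ssh_perms "$HOME/.ssh" to audit your own directory; a non-zero exit means at least one path was reported.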
  - Useful commands
    - Type ssh --help, scp --help, or ssh-keygen -help to see possible options
    - -v for verbose output
    - -C compresses a session (for slow connections) -- Ex: ssh -C domain.com
    - -o PubkeyAuthentication=no
      - Useful for when you receive the following error: Too many authentication failures for username
      - Bypasses key authentication and goes straight to username/password
    - -o PreferredAuthentications=hostbased,publickey,keyboard-interactive,password
      - Lists the order of preferred authentication methods
  - Escape character
    - Alerts ssh that there are special commands to follow, which aren't sent immediately to the server
    - Usage
      - Default is ~
      - Must be the first character on the command line to be treated as an escape character
      - The next character determines the effect -- Ex: ~ followed by Ctrl-Z will suspend ssh, like any other shell job
      - -e "new-character" changes the escape character when initializing an ssh session -- Ex: ssh -e "%" user@domain.com
- SSH keys
  - Generate a new DSA or RSA key: ssh-keygen
    - -t lets you specify either a dsa or rsa key (rsa is default and preferred) -- Ex: ssh-keygen -t rsa
    - -b specifies the number of bits in the key (default is 2048) -- Ex: ssh-keygen -t rsa -b 4096
    - -f specifies the name relative to your current directory -- Ex: ssh-keygen -t dsa -f mykey
      - If you omit -f, you are prompted for a name
      - Default name is id_dsa or id_rsa
    - -N specifies the passphrase -- Ex: ssh-keygen -t dsa -N secretword
      - If you omit this, you'll be prompted later
    - -C specifies a comment -- Ex: ssh-keygen -t rsa -C "This is a comment"
      - Defaults to username@host, where host is the local host name
    - Be careful using the above flags if your command line is logged!!! (a passphrase given with -N or -P ends up in your shell history)
  - Passphrase (password) - always provide this because it encrypts the key; should be 10-15 characters long and not a grammatical sentence
  - -p changes the passphrase of an existing key
    - Also specify the filename with -f and the old and new passphrases with -P and -N
    - Ex: ssh-keygen -p -f mykey -P secretword -N newword
    - (If you omit the flags, you'll be prompted to enter the information)
    - Benefit of this is that it doesn't change the key pair, just the passphrase used to encrypt the private key, so no new public key uploads are needed
  - ssh-add [key-name] adds private key identities to the authentication agent (necessary for some OS programs)
    - -d removes specified identities from the agent
    - -D deletes all identities from the agent
    - -l lists fingerprints of all registered identities
    - -L lists public key parameters of all registered identities
    - -K adds the passphrase to your keychain when adding an identity (Mac OS)
    - -c subjects added identities to confirmation
  - Authorized keys
    - Public keys go in a file called ~/.ssh/authorized_keys -- transfer the contents of your public key into this file, all on one line
      - When using ssh2, the name of this file can be authorized_keys2
    - ssh-copy-id is a script that copies local key files onto a server into ~/.ssh/authorized_keys
      - Usage: ssh-copy-id -i key_file user@domain.com
      - Ex: ssh-copy-id -i mykey grant@grantkinney.com (don't need .pub extension for key file)
      - Creates a new authorized_keys file on the server or appends a new line to one
      - Does not create a new line before the key, so make sure there's one there already
      - Does create a new line at the end of the key, to prepare for the next one
  - SSH agent
    - Tracks keys for you so you don't have to repeatedly enter a passphrase
    - ssh-agent $SHELL
      - Invokes ssh-agent with the specified shell as its child; the agent exits when that shell exits
      - Ex: ssh-agent bash
    - ssh-add (see above) loads keys into the running agent
- Configuration files
  - Syntax
    - Set with a combination of keywords and values
    - Can use "Keyword value" or "Keyword = value"
    - Can use the -o flag to set individual configuration options -- Ex: ssh -o "User sally" or ssh -o User=sally
      - Use multiple -o "Keyword value" inline to set multiple options
  - File usually stored as ~/.ssh/config
    - -F will specify a different configuration file than the default -- Ex: ssh -F /usr/local/ssh/other_config
  - Host myserver
    - Allows you to set host specific configuration
    - Indent configuration values under this line (not required, but easier to read)
    - myserver can be a server name, an ip address, or a nickname
    - Wildcards are allowed -- Ex: Host *.example.com
    - If multiple Host patterns match the same server, all settings that match apply; if there are duplicate settings, the earliest setting is applied
  - Host settings keywords: User, HostName, IdentityFile, ForwardAgent, Port, Cipher
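An added example of a ~/.ssh/config (not from the original notes; the host names, user names and key path are made up) that shows the first-match rule described above: the specific Host block comes first, so its User and IdentityFile win for build.example.com, while the wildcard block still supplies the Port it did not set, and the Host * block at the end provides defaults any earlier block can override.

```text
# Specific host first: these values win for build.example.com
Host build.example.com
    User deploy
    IdentityFile ~/.ssh/id_build

# Wildcard: also matches build.example.com, but only supplies the
# settings the block above did not already set (Port here, not User)
Host *.example.com
    User sally
    Port 2222

# Global defaults go last so any block above can override them
Host *
    ForwardAgent no
```

For ssh build.example.com this yields User deploy, IdentityFile ~/.ssh/id_build, Port 2222 and ForwardAgent no; ssh -G build.example.com prints the resolved values if you want to confirm the ordering.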
- Transferring files
  - scp [source] [destination]
  - Ex: scp user@remote-source-domain.com:filename new-local-filename
    - Leaving the user name off of the source domain indicates that the remote name is the same as the local one
- SSH server configuration
  - Configuration file located in /etc/ssh/sshd_config
  - Change port number to something other than the default
  - Reload the ssh daemon so the changes take effect: /etc/init.d/ssh reload