SSH

From Alessandro's Wiki

Server configuration paramenters

  • file to edit
/etc/ssh/sshd_config
  • Allowed users
AllowUsers username username@ipaddress user@hostname
  • Client keep alive
ClientAliveInterval 6000
  • subsystems
Subsystem       sftp    /usr/lib64/misc/sftp-server
  • X11 options
X11Forwarding no
X11DisplayOffset 10
X11UseLocalhost yes
  • Authentication
    • disable tunneled clear text passwords
PasswordAuthentication no
PermitEmptyPasswords no
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile     .ssh/authorized_keys
    • use host keys in /etc/ssh/ssh_known_hosts
RhostsRSAAuthentication no
    • similar for protocol version 2
HostbasedAuthentication no

Client configuration paramenters

System wide

don't just put all of them in your config file, the list is just informational

/etc/ssh/ssh_config
  • Timeout (keep alive)
ServerAliveInterval 50


  1. Host *
  2. ForwardAgent no
  3. ForwardX11 no
  4. RhostsRSAAuthentication no
  5. RSAAuthentication yes
  6. PasswordAuthentication yes
  7. HostbasedAuthentication no
  8. GSSAPIAuthentication no
  9. GSSAPIDelegateCredentials no
  10. BatchMode no
  11. CheckHostIP yes
  12. AddressFamily any
  13. ConnectTimeout 0
  14. StrictHostKeyChecking ask
  15. IdentityFile ~/.ssh/identity
  16. IdentityFile ~/.ssh/id_rsa
  17. IdentityFile ~/.ssh/id_dsa
  18. Port 22
  19. Protocol 2,1
  20. Cipher 3des
  21. Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
  22. MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
  23. EscapeChar ~
  24. Tunnel no
  25. TunnelDevice any:any
  26. PermitLocalCommand no
  27. VisualHostKey no
  28. ProxyCommand ssh -q -W %h:%p gateway.example.com

User Side

  • config file ~/.ssh/config.
  • matches wildcard domain
Host *.porcelinux.com
  • match any host in the 192.168.0.[0-9] network
Host 192.168.0.?
  • matches any 10.0.0.0/8
host 10.*
Host foo
HostName 192.168.0.1
Port 2200
User username
  • specify different key
Host 192.168.1.*
IdentityFile KeyFile
  • fix the
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

if you know what you're doing, the following command will remove the old known_host keys from the .ssh/known_hosts file

ssh-keygen -f "/home/username/.ssh/known_hosts" -R "computername"

Tunnel

  • Col comando qui sotto è possibile creare un tunnel dal server (dietro il firewall) al client attraverso cui far passare in senso contrario la connessione al servizio che ci occorre, in questo caso 'telnet'.

Sul server lanciare il comando per creare il tunnel fino al nostro client:

$ ssh -f -N -R 2333:localhost:23 guest@80.100.100.100
  • 2333 porta usata sul client
  • 23 porta del servizio sul server (telnet)
  • guest è un utente presente sul client
  • 80.100.100.100 indirizzo IP (su internet) del client
  • Il server si collega con il client usando ssh e gli dice di redirigere le richieste alla porta 2333 sul client alla porta 23 del server.
    • Se va tutto bene verrà chiesta la password per accedere sul client come utente guest (a meno che ci sia autenticazione con chiave criptata).
  • Ora sul client è possibile collegarsi via telnet al server:
$telnet localhost 2333

(ssh -f -N -R 2333:localhost:22 user@dyndns-ip)

ssh -f -N -R 2333:localhost:22 -p22251 user@dyndns-ip

X11 forwarding

  • dependencies
dnf install xorg-x11-xauth
...
apt install xorg-x11-xauth
  • forwarding X11 from client to local machine
ssh -X user@host
  • insecure
ssh -X -Y ...

putty

  • ssh client for Windows

http://www.putty.org

putty -D 8080 -P 443 -ssh homeIP

Troubleshooting

send_pubkey_test: no mutual signature algorithm

  • must re-enable ssh-rsa support to connect to server

add to client's config:

PubkeyAcceptedKeyTypes +ssh-rsa