Difference between revisions of "SSH"
Plittlefield (talk | contribs) |
Plittlefield (talk | contribs) |
||
(4 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
== '''HOWTO:''' == | == '''HOWTO:''' == | ||
+ | |||
+ | === Remove Revoke A Known Hosts Key === | ||
+ | |||
+ | ssh-keygen -f "/home/username/.ssh/known_hosts" -R "192.168.0.158" | ||
+ | ssh-keygen -f "/home/username/.ssh/known_hosts" -R "server.mydomain.com" | ||
=== Copy files that need root access with SCP === | === Copy files that need root access with SCP === | ||
Line 64: | Line 69: | ||
https://www.it-react.com/index.php/2020/01/06/how-to-setup-reverse-ssh-tunnel-on-linux/ | https://www.it-react.com/index.php/2020/01/06/how-to-setup-reverse-ssh-tunnel-on-linux/ | ||
+ | |||
+ | https://hobo.house/2016/06/20/fun-and-profit-with-reverse-ssh-tunnels-and-autossh/ | ||
+ | |||
+ | [https://www.tunnelsup.com/raspberry-pi-phoning-home-using-a-reverse-remote-ssh-tunnel/ Hiding the Pi in an old Power Supply] | ||
=== SFTP === | === SFTP === | ||
Line 412: | Line 421: | ||
https://fantashit.com/warning-sftp-transfer-mechanism-failed/ | https://fantashit.com/warning-sftp-transfer-mechanism-failed/ | ||
+ | |||
+ | === ERROR: access denied "we did not send a packet, disable method" === | ||
+ | |||
+ | The SSH server software is too old to accept the newer crypt algorithms, so you must force it on the command line options ... | ||
+ | |||
+ | ssh -o "HostkeyAlgorithms +ssh-rsa" -o "PubkeyAcceptedAlgorithms +ssh-rsa" username@server | ||
+ | |||
+ | In your SSH client config file, add the relevant lines ... | ||
+ | |||
+ | Host myhost | ||
+ | User myusername | ||
+ | Port 22 | ||
+ | HostName 123.456.789.0 | ||
+ | '''HostkeyAlgorithms +ssh-rsa''' | ||
+ | '''PubkeyAcceptedAlgorithms +ssh-rsa''' | ||
+ | |||
+ | Thanks - https://serverfault.com/questions/1051002/pubkey-ssh-fails-with-we-did-not-send-a-packet-disable-method-in-freebsd-jail |
Latest revision as of 11:18, 5 September 2024
HOWTO:
Remove Revoke A Known Hosts Key
ssh-keygen -f "/home/username/.ssh/known_hosts" -R "192.168.0.158" ssh-keygen -f "/home/username/.ssh/known_hosts" -R "server.mydomain.com"
Copy files that need root access with SCP
From server to local machine:
ssh user@server "sudo cat /etc/dir/file" > /home/user/file
From local machine to server:
cat /home/user/file | ssh user@server "sudo tee -a /etc/dir/file"
https://askubuntu.com/questions/208378/how-do-i-copy-files-that-need-root-access-with-scp
How to Run a Local Shell Script on a Remote SSH Server
ssh user@remotehost 'bash -s' < script.sh
https://www.cloudsavvyit.com/14216/how-to-run-a-local-shell-script-on-a-remote-ssh-server/amp/
Copy A Key To A Server While Using A Different Key To Log In
ssh-copy-id -i ~/.ssh/<your-new-id-to-install> -o 'IdentityFile ~/.ssh/<your-already-existing-id>' <servername>
Server Tweaks
Disable IPv6
sudo nano /etc/ssh/sshd_config AddressFamily inet sudo systemctl restart sshd.service
Disable Loads
- DNS
- Avahi
- PAM
- Authentication
- etc
https://jrs-s.net/2017/07/01/slow-ssh-logins/
Show Free Priviledged Ports
Retrieving the Public Key for Your Key Pair on Linux
ssh-keygen -y -f /path_to_key_pair/my-key-pair.pem
Reverse SSH
To connect to a remote laptop...
Get the laptop client to SSH in to a server and build a reverse port forward...
ssh user@123.456.789.0 -p 222 -R 6000:localhost:22
Then, the admin can SSH in to the same server, then SSH to the remote laptop via the reverse connection...
ssh admin@localhost -p 6000
Auto Start and Auto SSH
https://www.it-react.com/index.php/2020/01/06/how-to-setup-reverse-ssh-tunnel-on-linux/
https://hobo.house/2016/06/20/fun-and-profit-with-reverse-ssh-tunnels-and-autossh/
Hiding the Pi in an old Power Supply
SFTP
Using SSH Keys
#!/bin/sh cd /path/to/file/ sftp -i /home/user/.ssh/private_keyname -o StrictHostKeyChecking=no -P 2222 user@server <<EOF cd upload/ put file.csv bye EOF exit;
Using Password
#!/bin/sh cd /path/to/file/ sshpass -p 'mYgrEatPassW0rd' sftp -oport=2222 user@server <<EOF lcd download/ get -r . bye EOF exit;
Using A Batch File
So, you want to find out the name of a file so you can move it on the remote server?
- load the filename in a variable from the first sftp command
- output that variable to an ftp batch file
- run the sftp command using the batch file but tell ssh not to use batch mode
Yeah, I know, it's crazy... but it works.
#!/bin/bash filename=$( echo 'ls -1' | sshpass -p 'mYSuPeRpasSworD' sftp -q ftpuser@server.com | grep 'zip' ) printf "get $filename\nrename $filename DONE/$filename\nbye\n" >sftp.batch sshpass -p 'mYSuPeRpasSworD' sftp -oBatchMode=no -b sftp.batch ftpuser@server.com exit;
https://hub.docker.com/r/atmoz/sftp
https://linuxize.com/post/how-to-use-linux-sftp-command-to-transfer-files/
https://blog.runcloud.io/2018/02/10/filezilla-sftp.html
https://linuxconfig.org/how-to-setup-sftp-server-on-ubuntu-18-04-bionic-beaver-with-vsftpd
https://community.spiceworks.com/scripts/show/4476-setup-sftp-access-to-lightsail-in-aws
https://www.thegeekdiary.com/how-to-configure-separate-port-for-ssh-and-sftp-on-centos-rhel/
Delete Remote Host Known Key
Because of server upgrade or whatever...
ssh-keygen -f "/home/user/.ssh/known_hosts" -R [server.domain.com]:2212
Rsync Over SSH
Copy from remote (on a non-standard port) to local, just 1 file...
/usr/bin/rsync -v -h -a --include=filename.ext --exclude=* -e "ssh -p 2222" user@123.456.789.0:~/remotedir/ ~/localdir/
Copy from local to remote
/usr/bin/rsync -a -e ssh ~/my/local/folder/ username@192.168.0.x:~/path/to/folder/
Copy from local to remote, with extra options (e.g. disable host checking) wrapped with ' single quotes
/usr/bin/rsync -a -e 'ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no' ~/my/local/folder/ username@192.168.0.x:~/path/to/folder/
Copy from remote to local
/usr/bin/rsync -a -e ssh username@192.168.0.x:~/path/to/folder/ ~/my/local/folder/
See Limit Bandwidth below...
Spaces In File Or Folder Name
If you want to rsync a file or folder with spaces in the file name, you have to escape and put double-quotes around both the local and remote shell parts of the command.
e.g.
/usr/bin/rsync -a -e ssh "username@192.168.0.x:\"~/path/to/folder/with spaces\"" ~/my/local/folder/
e.g.
rsync -v -a --exclude='*FLAC*' -e ssh "username@server:\"Music/Dream Theater\"" /home/username/Music/
Limit Bandwidth
Option 1 - use the rsync option to limit I/O bandwidth, in KB per second...
/usr/bin/rsync --bwlimit=2000 -a -e ssh ~/my/local/folder/ user@remote:~/path/to/folder/
https://www.dalemacartney.com/2012/09/08/bandwidth-throttling-with-rsync/
Option 2 - use the lightweight userspace bandwidth shaper trickle, also in KB per second...
/usr/bin/rsync -a -e trickle -d 2000 ssh ~/my/local/folder/ user@remote:~/path/to/folder/
Option 3 - use both rsync and trickle maybe, just remember that trickle has up and down limits...
/usr/bin/rsync --bwlimit=2000 -a -e trickle -d 2000 ssh ~/my/local/folder/ user@remote:~/path/to/folder/
Generate SSH Private Key
cd .ssh # There is no actual need to change directory, this is more to show where the key is stored. ssh-keygen # Pressing enter will display the two lines shown below, if the file location is correct press enter again. Generating public/private rsa key pair. Enter file in which to save the key (/home/fdibnah/.ssh/id_rsa):
Follow prompts.
Copy Key To Server
ssh-copy-id -i ~/.ssh/id_rsa.pub username@ipaddress [-p 3313] # optional port number, omit brackets
or
cat ~/.ssh/my_id_rsa.pub | ssh -i ~/.ssh/lightsail.pem bitnami@1.2.3.4 "cat >> ~/.ssh/authorized_keys"
Remove The SSH Last Login Information
Edit the following in the SSH config file:
sudo nano /etc/ssh/sshd_config PrintLastLog no
Save and exit.
Thanks Superuser.com.
Change The SSH Port Used By The Server
sudo nano /etc/ssh/sshd_config
Find and edit the following section:
# What ports, IPs and protocols we listen for Port 22 # Change port to meet your requirements.
Save change and exit the file, then restart the SSH service:
sudo service ssh restart
Create 'config' File #1
touch ~/.ssh.config chmod 0600 ~/.ssh/config nano ~/.ssh/config
Host * AddressFamily inet ControlMaster auto ControlPath /tmp/ssh-%r@%h:%p StrictHostKeyChecking no Host myserver User ubuntu Port 22 HostName 123.456.789.0 IdentityFile ~/.ssh/myserver.pem Host client2server User joe Port 2212 HostName myserver.com LocalForward 8207 192.168.0.207:8006
ssh myserver
Create 'config' File #2
The following will generate a new file allowing you to assign shortcut SSH logins instead of having to type "username@server1.mydomain.com".
nano ~/.ssh/config Host * AddressFamily inet Host <shortcut name> # For example: No1 - for server1.mydomain.com User <username> # Your username, i.e. jbloggs Port 22 # Unless otherwise configured HostName name.of.machine # For example: server1.mydomain.com
CTRL+o to save, then CTRL+x to exit.
AutoSSH Keep SSH Session Alive
Normal
autossh -M 0 -o "ServerAliveInterval 45" -o "ServerAliveCountMax 2" username@example.com
SSHFS
Example of sshfs combined with autossh to keep a persitant tunnel alive. This is great for those that experience dodgy internet connectivity :-)
sshfs -o IdentityFile=/home/localuser/.ssh/server,port=16482,idmap=user,reconnect,compression=yes,transform_symlinks,ServerAliveInterval=45,ServerAliveCountMax=2,ssh_command='autossh -M 0' user@server.com:/home/user/subfolder/ /home/localuser/mountpoint/
SSH File System
As it sounds, this will allow you to access a remote server's file system as if it were your own.
1. Install the software...
sudo apt-get install sshfs
2. Create the directory to mount your remote server's file system...
mkdir ~/myremoteserver
3. Generate a new SSH key (and give it a useful name like 'myremoteserver')...
ssh-keygen Generating public/private rsa key pair. Enter file in which to save the key (/home/user/.ssh/id_rsa): /home/user/.ssh/myremoteserver Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/user/.ssh/myremoteserver. Your public key has been saved in /home/user/.ssh/myremoteserver.pub.
4. Copy that key to the remote server...
ssh-copy-id -i ~/.ssh/myremoteserver.pub user@123.456.789.0 -p 12345
5. Test that you can log in without a prompt...
ssh -i ~/.ssh/myremoteserver user@123.456.789.0 -p 12345
6. Add an entry to your SSH config file for ease of use...
nano ~/.ssh/config Host myremoteserver User username Port 12345 HostName 123.456.789.0 IdentityFile ~/.ssh/myremoteserver
7. Test that you can log in even easier...
ssh myremoteserver
8. Mount the remote file system to your own directory...
sshfs myremoteserver:~/path/to/data/ ~/myremoteserver/
9. Check you can read and write to it...
echo "test" >~/myremoteserver/test.txt ls -lah ~/myremoteserver/
Job, done.
Unmounting Disconnecting SSHFS
fusermount -u /path/to/mountpoint/
Port Forwarding
ssh -p remotesshport user@remoteexternalip -L myport:remotelocalip:remotelocalport
e.g.
ssh -p 22 user@01.23.456.789 -L 9999:192.168.1.229:8006
Then, point your web browser at http://127.0.0.1:9999 to see the magic. If the remote local web page is on https then you will need to change your web browser to that as well, e.g. https://127.0.0.1:8081
Personal VPN
Use a VM in another country and then SSH in to forward your browser's traffic using SOCK5 proxy.
ssh -D 9999 me@myserver.com
Then just point your browser’s SOCKS proxy settings to localhost:9999. Done!
Firefox > Preferences > Advanced > Network > Connection > Settings > Manual Proxy Configuration > SOCKS Host: 127.0.0.1 > Port: 9999 > Remote DNS
Now go to http://whatismyipaddress.com or https://www.dnsleaktest.com to test your 'IP' address :-)
INFO:
Password Generators
Seahorse
Seahorse provides a GUI front-end to the gnome-keyring-daemon.
Troubleshooting
no matching cipher found. Their offer: aes256-cbc
ssh -c aes256-cbc user@server
Error agent admitted failure to sign
https://help.github.com/articles/error-agent-admitted-failure-to-sign/
SSH Agent
Windows Install
Win-SSHFS fork of the above and more up-to-date.
Troubleshooting
ERROR: Too many authentication failures
If you see this error ...
ssh root@192.168.0.106 Received disconnect from 192.168.0.106 port 22:2: Too many authentication failures Disconnected from 192.168.0.106 port 22
... then instruct ssh to only use the authentication identity files specified on the command line ...
ssh -o IdentitiesOnly=yes root@192.168.0.106
... or you can add it to your SSH config file ...
IdentitiesOnly yes
ERROR: [WARNING]: sftp transfer mechanism failed on
[WARNING]: sftp transfer mechanism failed on [130.130.0.232]. Use ANSIBLE_DEBUG=1 to see detailed information
https://fantashit.com/warning-sftp-transfer-mechanism-failed/
ERROR: access denied "we did not send a packet, disable method"
The SSH server software is too old to accept the newer crypt algorithms, so you must force it on the command line options ...
ssh -o "HostkeyAlgorithms +ssh-rsa" -o "PubkeyAcceptedAlgorithms +ssh-rsa" username@server
In your SSH client config file, add the relevant lines ...
Host myhost User myusername Port 22 HostName 123.456.789.0 HostkeyAlgorithms +ssh-rsa PubkeyAcceptedAlgorithms +ssh-rsa