Difference between revisions of "SSH"

From Indie IT Wiki
imported>Plittlefield
 
 
(12 intermediate revisions by the same user not shown)
Line 1: Line 1:
 
== '''HOWTO:''' ==
 
== '''HOWTO:''' ==
 +
 +
=== Remove Revoke A Known Hosts Key ===
 +
 +
ssh-keygen -f "/home/username/.ssh/known_hosts" -R "192.168.0.158"
 +
ssh-keygen -f "/home/username/.ssh/known_hosts" -R "server.mydomain.com"
 +
 +
=== Copy files that need root access with SCP ===
 +
 +
From server to local machine:
 +
 +
ssh user@server "sudo cat /etc/dir/file" > /home/user/file
 +
 +
From local machine to server:
 +
 +
cat /home/user/file | ssh user@server "sudo tee -a /etc/dir/file"
 +
 +
https://askubuntu.com/questions/208378/how-do-i-copy-files-that-need-root-access-with-scp
 +
 +
=== How to Run a Local Shell Script on a Remote SSH Server ===
 +
 +
ssh user@remotehost 'bash -s' < script.sh
 +
 +
https://www.cloudsavvyit.com/14216/how-to-run-a-local-shell-script-on-a-remote-ssh-server/amp/
 +
 +
=== Copy A Key To A Server While Using A Different Key To Log In ===
 +
 +
ssh-copy-id -i ~/.ssh/<your-new-id-to-install> -o 'IdentityFile ~/.ssh/<your-already-existing-id>' <servername>
  
 
=== Server Tweaks ===
 
=== Server Tweaks ===
Line 38: Line 65:
  
 
  ssh admin@localhost -p 6000
 
  ssh admin@localhost -p 6000
 +
 +
==== Auto Start and Auto SSH ====
 +
 +
https://www.it-react.com/index.php/2020/01/06/how-to-setup-reverse-ssh-tunnel-on-linux/
 +
 +
https://hobo.house/2016/06/20/fun-and-profit-with-reverse-ssh-tunnels-and-autossh/
 +
 +
[https://www.tunnelsup.com/raspberry-pi-phoning-home-using-a-reverse-remote-ssh-tunnel/ Hiding the Pi in an old Power Supply]
  
 
=== SFTP ===
 
=== SFTP ===
  
TO BE COMPLETED SOON
+
'''Using SSH Keys'''
 +
 
 +
#!/bin/sh
 +
cd /path/to/file/
 +
sftp -i /home/user/.ssh/private_keyname -o StrictHostKeyChecking=no -P 2222 user@server <<EOF
 +
cd upload/
 +
put file.csv
 +
bye
 +
EOF
 +
exit;
 +
 
 +
'''Using Password'''
 +
 
 +
#!/bin/sh
 +
cd /path/to/file/
 +
sshpass -p 'mYgrEatPassW0rd' sftp -oport=2222 user@server <<EOF
 +
lcd download/
 +
get -r .
 +
bye
 +
EOF
 +
exit;
 +
 
 +
'''Using A Batch File'''
 +
 
 +
So, you want to find out the name of a file so you can move it on the remote server?
 +
 
 +
# load the filename in a variable from the first sftp command
 +
# output that variable to an ftp batch file
 +
# run the sftp command using the batch file but tell ssh not to use batch mode
 +
 
 +
Yeah, I know, it's crazy... but it works.
 +
 
 +
#!/bin/bash
 +
filename=$( echo 'ls -1' | sshpass -p 'mYSuPeRpasSworD' sftp -q ftpuser@server.com | grep 'zip' )
 +
printf "get $filename\nrename $filename DONE/$filename\nbye\n" >sftp.batch
 +
sshpass -p 'mYSuPeRpasSworD' sftp -oBatchMode=no -b sftp.batch ftpuser@server.com
 +
exit;
 +
 
 +
https://hub.docker.com/r/atmoz/sftp
 +
 
 +
https://linuxize.com/post/how-to-use-linux-sftp-command-to-transfer-files/
  
 
https://blog.runcloud.io/2018/02/10/filezilla-sftp.html
 
https://blog.runcloud.io/2018/02/10/filezilla-sftp.html
Line 322: Line 397:
  
 
[https://github.com/feo-cz/win-sshfs Win-SSHFS] fork of the above and more up-to-date.
 
[https://github.com/feo-cz/win-sshfs Win-SSHFS] fork of the above and more up-to-date.
 +
 +
== Troubleshooting ==
 +
 +
=== ERROR: Too many authentication failures ===
 +
 +
If you see this error ...
 +
 +
ssh root@192.168.0.106
 +
Received disconnect from 192.168.0.106 port 22:2: '''Too many authentication failures'''
 +
Disconnected from 192.168.0.106 port 22
 +
 +
... then instruct ssh to only use the authentication identity files specified on the command line ...
 +
 +
ssh -o IdentitiesOnly=yes root@192.168.0.106
 +
 +
... or you can add it to your SSH config file ...
 +
 +
IdentitiesOnly yes
 +
 +
=== ERROR: [WARNING]: sftp transfer mechanism failed on ===
 +
 +
[WARNING]: sftp transfer mechanism failed on [130.130.0.232]. Use ANSIBLE_DEBUG=1 to see detailed information
 +
 +
https://fantashit.com/warning-sftp-transfer-mechanism-failed/
 +
 +
=== ERROR: access denied "we did not send a packet, disable method" ===
 +
 +
The SSH server software is too old to accept the newer crypt algorithms, so you must force it on the command line options ...
 +
 +
ssh -o "HostkeyAlgorithms +ssh-rsa" -o "PubkeyAcceptedAlgorithms +ssh-rsa" username@server
 +
 +
In your SSH client config file, add the relevant lines ...
 +
 +
Host myhost
 +
  User myusername
 +
  Port 22
 +
  HostName 123.456.789.0
 +
  '''HostkeyAlgorithms +ssh-rsa'''
 +
  '''PubkeyAcceptedAlgorithms +ssh-rsa'''
 +
 +
Thanks - https://serverfault.com/questions/1051002/pubkey-ssh-fails-with-we-did-not-send-a-packet-disable-method-in-freebsd-jail

Latest revision as of 11:18, 5 September 2024

HOWTO:

Remove Revoke A Known Hosts Key

ssh-keygen -f "/home/username/.ssh/known_hosts" -R "192.168.0.158"
ssh-keygen -f "/home/username/.ssh/known_hosts" -R "server.mydomain.com"

Copy files that need root access with SCP

From server to local machine: 

ssh user@server "sudo cat /etc/dir/file" > /home/user/file

From local machine to server: 

cat /home/user/file | ssh user@server "sudo tee -a /etc/dir/file"

https://askubuntu.com/questions/208378/how-do-i-copy-files-that-need-root-access-with-scp

How to Run a Local Shell Script on a Remote SSH Server

ssh user@remotehost 'bash -s' < script.sh

https://www.cloudsavvyit.com/14216/how-to-run-a-local-shell-script-on-a-remote-ssh-server/amp/

Copy A Key To A Server While Using A Different Key To Log In

ssh-copy-id -i ~/.ssh/<your-new-id-to-install> -o 'IdentityFile ~/.ssh/<your-already-existing-id>' <servername>

Server Tweaks

Disable IPv6 

sudo nano /etc/ssh/sshd_config
AddressFamily inet
sudo systemctl restart sshd.service

Disable Loads

  • DNS
  • Avahi
  • PAM
  • Authentication
  • etc

https://jrs-s.net/2017/07/01/slow-ssh-logins/

Show Free Priviledged Ports

Show Free Priviledged Ports

Retrieving the Public Key for Your Key Pair on Linux

ssh-keygen -y -f /path_to_key_pair/my-key-pair.pem

Reverse SSH

To connect to a remote laptop...

Get the laptop client to SSH in to a server and build a reverse port forward... 

ssh user@123.456.789.0 -p 222 -R 6000:localhost:22

Then, the admin can SSH in to the same server, then SSH to the remote laptop via the reverse connection... 

ssh admin@localhost -p 6000

Auto Start and Auto SSH

https://www.it-react.com/index.php/2020/01/06/how-to-setup-reverse-ssh-tunnel-on-linux/

https://hobo.house/2016/06/20/fun-and-profit-with-reverse-ssh-tunnels-and-autossh/

Hiding the Pi in an old Power Supply

SFTP

Using SSH Keys 

#!/bin/sh
cd /path/to/file/
sftp -i /home/user/.ssh/private_keyname -o StrictHostKeyChecking=no -P 2222 user@server <<EOF
cd upload/
put file.csv
bye
EOF
exit;

Using Password 

#!/bin/sh
cd /path/to/file/
sshpass -p 'mYgrEatPassW0rd' sftp -oport=2222 user@server <<EOF
lcd download/
get -r .
bye
EOF
exit;

Using A Batch File

So, you want to find out the name of a file so you can move it on the remote server?

  1. load the filename in a variable from the first sftp command
  2. output that variable to an ftp batch file
  3. run the sftp command using the batch file but tell ssh not to use batch mode

Yeah, I know, it's crazy... but it works. 

#!/bin/bash
filename=$( echo 'ls -1' | sshpass -p 'mYSuPeRpasSworD' sftp -q ftpuser@server.com | grep 'zip' )
printf "get $filename\nrename $filename DONE/$filename\nbye\n" >sftp.batch
sshpass -p 'mYSuPeRpasSworD' sftp -oBatchMode=no -b sftp.batch ftpuser@server.com
exit;

https://hub.docker.com/r/atmoz/sftp

https://linuxize.com/post/how-to-use-linux-sftp-command-to-transfer-files/

https://blog.runcloud.io/2018/02/10/filezilla-sftp.html

https://linuxconfig.org/how-to-setup-sftp-server-on-ubuntu-18-04-bionic-beaver-with-vsftpd

https://community.spiceworks.com/scripts/show/4476-setup-sftp-access-to-lightsail-in-aws

https://askubuntu.com/questions/644020/how-to-generate-openssl-pem-file-and-where-we-have-to-place-it

https://www.thegeekdiary.com/how-to-configure-separate-port-for-ssh-and-sftp-on-centos-rhel/

Delete Remote Host Known Key

Because of server upgrade or whatever... 

ssh-keygen -f "/home/user/.ssh/known_hosts" -R [server.domain.com]:2212

Rsync Over SSH

Copy from remote (on a non-standard port) to local, just 1 file... 

/usr/bin/rsync -v -h -a --include=filename.ext --exclude=* -e "ssh -p 2222" user@123.456.789.0:~/remotedir/ ~/localdir/

Copy from local to remote 

/usr/bin/rsync -a -e ssh ~/my/local/folder/ username@192.168.0.x:~/path/to/folder/

Copy from local to remote, with extra options (e.g. disable host checking) wrapped with ' single quotes 

/usr/bin/rsync -a -e 'ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no' ~/my/local/folder/ username@192.168.0.x:~/path/to/folder/

Copy from remote to local 

/usr/bin/rsync -a -e ssh username@192.168.0.x:~/path/to/folder/ ~/my/local/folder/

See Limit Bandwidth below...

Spaces In File Or Folder Name

If you want to rsync a file or folder with spaces in the file name, you have to escape and put double-quotes around both the local and remote shell parts of the command.

e.g. 

/usr/bin/rsync -a -e ssh "username@192.168.0.x:\"~/path/to/folder/with spaces\"" ~/my/local/folder/

e.g. 

rsync -v -a --exclude='*FLAC*' -e ssh "username@server:\"Music/Dream Theater\"" /home/username/Music/

Limit Bandwidth

Option 1 - use the rsync option to limit I/O bandwidth, in KB per second... 

/usr/bin/rsync --bwlimit=2000 -a -e ssh ~/my/local/folder/ user@remote:~/path/to/folder/

https://www.dalemacartney.com/2012/09/08/bandwidth-throttling-with-rsync/

Option 2 - use the lightweight userspace bandwidth shaper trickle, also in KB per second... 

/usr/bin/rsync -a -e trickle -d 2000 ssh ~/my/local/folder/ user@remote:~/path/to/folder/

Option 3 - use both rsync and trickle maybe, just remember that trickle has up and down limits... 

/usr/bin/rsync --bwlimit=2000 -a -e trickle -d 2000 ssh ~/my/local/folder/ user@remote:~/path/to/folder/

Generate SSH Private Key

cd .ssh # There is no actual need to change directory, this is more to show where the key is stored.

ssh-keygen # Pressing enter will display the two lines shown below, if the file location is correct press enter again.

Generating public/private rsa key pair.
Enter file in which to save the key (/home/fdibnah/.ssh/id_rsa):

Follow prompts.

Copy Key To Server

ssh-copy-id -i ~/.ssh/id_rsa.pub username@ipaddress [-p 3313] # optional port number, omit brackets

or 

cat ~/.ssh/my_id_rsa.pub | ssh -i ~/.ssh/lightsail.pem bitnami@1.2.3.4 "cat >> ~/.ssh/authorized_keys"

Remove The SSH Last Login Information

Edit the following in the SSH config file: 

sudo nano /etc/ssh/sshd_config

PrintLastLog no

Save and exit.

Thanks Superuser.com.

Change The SSH Port Used By The Server

sudo nano /etc/ssh/sshd_config

Find and edit the following section: 

# What ports, IPs and protocols we listen for
Port 22 # Change port to meet your requirements.

Save change and exit the file, then restart the SSH service: 

sudo service ssh restart

Create 'config' File #1

touch ~/.ssh.config
chmod 0600 ~/.ssh/config
nano ~/.ssh/config

Host *
       AddressFamily inet
       ControlMaster auto
       ControlPath /tmp/ssh-%r@%h:%p
       StrictHostKeyChecking no
Host myserver
       User ubuntu
       Port 22
       HostName 123.456.789.0
       IdentityFile ~/.ssh/myserver.pem
Host client2server
       User joe
       Port 2212
       HostName myserver.com
       LocalForward 8207 192.168.0.207:8006

ssh myserver

Create 'config' File #2

The following will generate a new file allowing you to assign shortcut SSH logins instead of having to type "username@server1.mydomain.com". 

nano ~/.ssh/config

Host *
   AddressFamily inet

Host <shortcut name> # For example: No1 - for server1.mydomain.com
        User <username> # Your username, i.e. jbloggs
        Port 22 # Unless otherwise configured
        HostName name.of.machine # For example: server1.mydomain.com

CTRL+o to save, then CTRL+x to exit.

AutoSSH Keep SSH Session Alive

Normal

autossh -M 0 -o "ServerAliveInterval 45" -o "ServerAliveCountMax 2" username@example.com

SSHFS

Example of sshfs combined with autossh to keep a persitant tunnel alive. This is great for those that experience dodgy internet connectivity :-) 

sshfs -o IdentityFile=/home/localuser/.ssh/server,port=16482,idmap=user,reconnect,compression=yes,transform_symlinks,ServerAliveInterval=45,ServerAliveCountMax=2,ssh_command='autossh -M 0' user@server.com:/home/user/subfolder/ /home/localuser/mountpoint/

Thanks - https://wiki.archlinux.org/index.php/Secure_Shell#Autossh_-_automatically_restarts_SSH_sessions_and_tunnels

SSH File System

As it sounds, this will allow you to access a remote server's file system as if it were your own.

1. Install the software... 

sudo apt-get install sshfs

2. Create the directory to mount your remote server's file system... 

mkdir ~/myremoteserver

3. Generate a new SSH key (and give it a useful name like 'myremoteserver')... 

ssh-keygen

Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa): /home/user/.ssh/myremoteserver
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/user/.ssh/myremoteserver.
Your public key has been saved in /home/user/.ssh/myremoteserver.pub.

4. Copy that key to the remote server... 

ssh-copy-id -i ~/.ssh/myremoteserver.pub user@123.456.789.0 -p 12345

5. Test that you can log in without a prompt... 

ssh -i ~/.ssh/myremoteserver user@123.456.789.0 -p 12345

6. Add an entry to your SSH config file for ease of use... 

nano ~/.ssh/config

Host myremoteserver
       User username
       Port 12345
       HostName 123.456.789.0
       IdentityFile ~/.ssh/myremoteserver

7. Test that you can log in even easier... 

ssh myremoteserver

8. Mount the remote file system to your own directory... 

sshfs myremoteserver:~/path/to/data/ ~/myremoteserver/

9. Check you can read and write to it... 

echo "test" >~/myremoteserver/test.txt
ls -lah ~/myremoteserver/

Job, done.

Unmounting Disconnecting SSHFS

fusermount -u /path/to/mountpoint/

Port Forwarding

ssh -p remotesshport user@remoteexternalip -L myport:remotelocalip:remotelocalport

e.g. 

ssh -p 22 user@01.23.456.789 -L 9999:192.168.1.229:8006

Then, point your web browser at http://127.0.0.1:9999 to see the magic. If the remote local web page is on https then you will need to change your web browser to that as well, e.g. https://127.0.0.1:8081

Personal VPN

Use a VM in another country and then SSH in to forward your browser's traffic using SOCK5 proxy. 

ssh -D 9999 me@myserver.com

Then just point your browser’s SOCKS proxy settings to localhost:9999. Done! 

Firefox > Preferences > Advanced > Network > Connection > Settings > Manual Proxy Configuration > SOCKS Host: 127.0.0.1 > Port: 9999 > Remote DNS

Now go to http://whatismyipaddress.com or https://www.dnsleaktest.com to test your 'IP' address :-)

INFO:

Password Generators

Seahorse

Seahorse provides a GUI front-end to the gnome-keyring-daemon.

Troubleshooting

no matching cipher found. Their offer: aes256-cbc

ssh -c aes256-cbc user@server

Error agent admitted failure to sign

https://help.github.com/articles/error-agent-admitted-failure-to-sign/

SSH Agent

Windows Install

https://www.digitalocean.com/community/tutorials/how-to-use-sshfs-to-mount-remote-file-systems-over-ssh

Microsoft Visual C++

Dokan

Win-SSHFS

Win-SSHFS fork of the above and more up-to-date.

Troubleshooting

ERROR: Too many authentication failures

If you see this error ... 

ssh root@192.168.0.106
Received disconnect from 192.168.0.106 port 22:2: Too many authentication failures
Disconnected from 192.168.0.106 port 22

... then instruct ssh to only use the authentication identity files specified on the command line ... 

ssh -o IdentitiesOnly=yes root@192.168.0.106

... or you can add it to your SSH config file ... 

IdentitiesOnly yes

ERROR: [WARNING]: sftp transfer mechanism failed on

[WARNING]: sftp transfer mechanism failed on [130.130.0.232]. Use ANSIBLE_DEBUG=1 to see detailed information

https://fantashit.com/warning-sftp-transfer-mechanism-failed/

ERROR: access denied "we did not send a packet, disable method"

The SSH server software is too old to accept the newer crypt algorithms, so you must force it on the command line options ... 

ssh -o "HostkeyAlgorithms +ssh-rsa" -o "PubkeyAcceptedAlgorithms +ssh-rsa" username@server

In your SSH client config file, add the relevant lines ... 

Host myhost
  User myusername
  Port 22
  HostName 123.456.789.0
  HostkeyAlgorithms +ssh-rsa
  PubkeyAcceptedAlgorithms +ssh-rsa

Thanks - https://serverfault.com/questions/1051002/pubkey-ssh-fails-with-we-did-not-send-a-packet-disable-method-in-freebsd-jail

Retrieved from ‘https://wiki.indie-it.com/index.php?title=SSH&oldid=3400