SSH: Difference between revisions

From Anthony Pastor Wiki Notes - Verba volant, scripta manent
Latest revision as of 09:50, 27 September 2017

Display key fingerprint information in /var/log/auth.log

If you have multiple users connecting to a single SSH account (e.g. root) and you want to identify clearly who is connecting:

Set this value in /etc/ssh/sshd_config:

LogLevel VERBOSE

Then restart the SSH service:

/etc/init.d/ssh restart

Every time a new SSH connection is established, the fingerprint of the key that was used is logged. You can watch it with:

tail -f /var/log/auth.log

To identify a fingerprint's owner, list the fingerprints of all entries in /root/.ssh/authorized_keys:

# Print the fingerprint of every line that is neither empty nor a comment
while IFS= read -r l; do
  [[ -n $l && $l != \#* ]] && ssh-keygen -l -f /dev/stdin <<<"$l"
done < /root/.ssh/authorized_keys
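The two steps above (fingerprints in auth.log, fingerprints of authorized_keys) can be joined automatically. The following is an added example, not part of the original notes: it computes the fingerprints itself and names the owner of each accepted login. The log line format, the sample keys and all function names are assumptions constructed for the illustration.

```python
import base64, hashlib, re, struct

# Key type, base64 blob, optional comment; tolerates a leading options field.
KEY_RE = re.compile(r"(?:^|\s)((?:sk-)?(?:ssh|ecdsa)-[\w@.-]+)\s+([A-Za-z0-9+/]+=*)(?:\s+(.*))?$")
# Assumed sshd log format: "... ssh2: <TYPE> SHA256:<b64>" (or MD5 hex on old versions).
LOG_RE = re.compile(r"Accepted publickey for (\S+) from (\S+) port \d+ ssh2: \S+ (?:MD5:)?(\S+)")

def fingerprints(blob_b64):
    """Return the (SHA256, MD5) fingerprints of a public key blob, as OpenSSH prints them."""
    raw = base64.b64decode(blob_b64)
    sha = base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")
    md5 = hashlib.md5(raw).hexdigest()
    return "SHA256:" + sha, ":".join(md5[i:i + 2] for i in range(0, 32, 2))

def load_owners(authorized_keys_text):
    """Map each fingerprint to the comment field of its authorized_keys entry."""
    owners = {}
    for line in authorized_keys_text.splitlines():
        line = line.strip()
        m = KEY_RE.search(line) if line and not line.startswith("#") else None
        if m:
            for fp in fingerprints(m.group(2)):
                owners[fp] = m.group(3) or "(no comment)"
    return owners

def attribute(log_text, owners):
    """Return (account, source address, key owner) for every accepted public-key login."""
    return [(m.group(1), m.group(2), owners.get(m.group(3), "UNKNOWN KEY"))
            for m in LOG_RE.finditer(log_text)]

def sample_key(seed):
    """Constructed blob in ssh-ed25519 wire layout (not a real key)."""
    raw = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes([seed]) * 32
    return base64.b64encode(raw).decode()

# Constructed sample data: two authorized keys, three logins (one with an unlisted key).
SAMPLE_KEYS = (f"# root's authorized_keys\nssh-ed25519 {sample_key(1)} alice@laptop\n"
               f'from="192.0.2.0/24",no-pty ssh-ed25519 {sample_key(2)} bob@desktop\n')
LOG_FMT = "Sep 27 09:50:0{} host sshd[81{}]: Accepted publickey for root from {} port 5012{} ssh2: ED25519 {}\n"
SAMPLE_LOG = (LOG_FMT.format(0, 0, "192.0.2.10", 0, fingerprints(sample_key(2))[0])
              + LOG_FMT.format(1, 1, "198.51.100.7", 1, "MD5:" + fingerprints(sample_key(1))[1])
              + LOG_FMT.format(2, 2, "203.0.113.5", 2, fingerprints(sample_key(9))[0]))

if __name__ == "__main__":
    for account, source, owner in attribute(SAMPLE_LOG, load_owners(SAMPLE_KEYS)):
        print(f"{account} from {source}: {owner}")
```

A login reported as UNKNOWN KEY was accepted with a key that is not in the file you loaded, which is worth investigating.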

To disable SSH host key checking

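These options skip host key verification and discard the recorded keys, so the transfer is not protected against a man-in-the-middle; use them only on networks you trust.

for i in 172.16.1.{1..12} 172.17.1.{1..10} 172.18.1.{1..3}; do
  scp -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no /etc/scribe/scribe.conf "root@$i:/etc/scribe/scribe.conf"
done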

Improve copy performance by changing Cipher

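arcfour (RC4) is a weak cipher and was removed from OpenSSH in version 7.6, so this only works between older clients and servers that still enable it.

scp -o Ciphers=arcfour local-file user@remote.example.com:/path/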

Convert OpenSSH keys to .ppk (Putty) on Linux with puttygen

(Adapt the key file name for rsa / dsa.)

apt-get install putty-tools
cd ~/.ssh/
puttygen id_dsa -o id_dsa.ppk

Enter SSH Passphrase only once

If you want to avoid being asked for your passphrase every time you open an SSH connection, with this message:

Enter passphrase for key '/home/username/.ssh/id_rsa'

Add this line at the beginning of your .ssh/config (it needs a running ssh-agent):

AddKeysToAgent yes


Deprecated options when restarting OpenSSH in Debian Stretch (Ex: Deprecated option KeyRegenerationInterval)

You can remove deprecated configuration lines with this:

sed -i '/KeyRegenerationInterval/d' /etc/ssh/sshd_config
sed -i '/ServerKeyBits/d' /etc/ssh/sshd_config
sed -i '/RSAAuthentication/d' /etc/ssh/sshd_config
sed -i '/RhostsRSAAuthentication/d' /etc/ssh/sshd_config

/etc/init.d/ssh restart