Difference between revisions of "SSH"

From Organic Design wiki
(Edit summary: See also: Using SSH's TUN/TAP support to configure it as a VPN)

Revision as of 10:53, 17 October 2018

Port forwarding with SSH

A remote port-forward (-R) lets someone give you SSH access to a machine that is behind a firewall or NAT router. They run it on that machine: it opens an outbound session to SERVER and asks sshd there to listen on port 1234 and tunnel every connection to that port back to port 22 on their machine.

ssh -NR 1234:localhost:22 USER@SERVER

You can now ssh into their machine by connecting to port 1234 on SERVER. By default sshd binds a remote-forwarded port to the loopback interface only, so connect from a shell on SERVER (ssh -p 1234 theiruser@localhost); making it reachable from other hosts requires GatewayPorts yes or GatewayPorts clientspecified in SERVER's sshd_config.

A local port-forward (-L) would be used for example to create a local connection into a remote SQL server that is not open to external connections. Here localhost is resolved on SERVER, so the destination is the database listening on SERVER's own loopback interface.

ssh -NL 1234:localhost:3306 USER@SERVER

Now you can access the database on the local machine on port 1234, for example with mysql -h 127.0.0.1 -P 1234 (use the IP rather than localhost so the MySQL client speaks TCP instead of looking for a local Unix socket).

Let's say you're doing some maintenance on your site and you'd like to redirect all requests on port 80 to another web server (SERVER) on port 8080:

ssh -L 80:SERVER:8080 -N -o GatewayPorts=yes USER@SERVER

Without GatewayPorts=yes (or -g) the client binds the forwarded port to loopback only, so nobody else could reach it. Binding port 80 requires root on the local machine, the existing web server has to be stopped first so the port is free, and the redirect lasts only as long as this ssh process is running.
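Two configuration fragments, added here as an example and not taken from the original page, show the settings that decide what the forwards above may do. On SERVER, sshd_config controls whether a -R listener may leave the loopback interface and which ports an account may bind or connect to at all; the account names tunneluser and dbuser are placeholders standing in for the USER of the remote-forward and local-forward examples. On the client, a Host entry in ~/.ssh/config makes the database tunnel reusable and makes ssh fail instead of quietly staying connected without the forward.

```sshconfig
# /etc/ssh/sshd_config on SERVER (added example; tunneluser and dbuser are placeholders)

# "no" (the default) pins every -R listener to loopback; "clientspecified"
# lets the client ask for a bind address with -R bindaddr:port:host:hostport;
# "yes" exposes every remote forward on all interfaces. Global settings must
# come before the first Match block.
GatewayPorts clientspecified

# The account that runs "ssh -NR 1234:localhost:22 SERVER" only needs to
# create remote forwards, and only on port 1234. PermitListen needs
# OpenSSH 7.8 or later; older sshd has to rely on AllowTcpForwarding alone.
Match User tunneluser
    AllowTcpForwarding remote
    PermitListen 1234
    X11Forwarding no
    PermitTTY no

# The account used for "ssh -NL 1234:localhost:3306 SERVER" only needs local
# forwards, and only to the database port on SERVER's own loopback.
Match User dbuser
    AllowTcpForwarding local
    PermitOpen localhost:3306
    X11Forwarding no
    PermitTTY no

# ~/.ssh/config on the client (added example)
Host dbtunnel
    HostName SERVER
    User dbuser
    # port 1234 here -> 3306 as seen from SERVER; keep the listener on loopback
    LocalForward 127.0.0.1:1234 localhost:3306
    # exit with an error if 1234 is already in use instead of connecting
    # without the forward and leaving you talking to the wrong service
    ExitOnForwardFailure yes
    # notice a dead tunnel within about 90 seconds instead of hanging
    ServerAliveInterval 30
    ServerAliveCountMax 3
```

Start the client side with ssh -N dbtunnel. The two fragments go in different files: GatewayPorts exists in both sshd_config and ssh_config with different meanings (on the server it governs -R listeners, on the client it governs -L listeners, which is what -o GatewayPorts=yes in the maintenance example above sets), so do not copy server keywords into the client file or vice versa.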

Disable password-based logins

If you want to restrict server logins to keys only, you can disable passwords for SSH access in /etc/ssh/sshd_config. Keywords are case-insensitive and the first occurrence of a keyword wins, so make sure no earlier line (or included file) already sets one of these to a different value:

AllowUsers fred bob sam
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
# PAM keyboard-interactive logins can otherwise still prompt for a password
# (the keyword is KbdInteractiveAuthentication in newer releases)
ChallengeResponseAuthentication no

RSAAuthentication, which older guides list here, is an SSH protocol 1 option that current OpenSSH ignores, so it adds nothing.


And don't forget to add your public key to ~/.ssh/authorized_keys (it does not have to be an RSA key; ed25519 is fine). You'll probably need to create the directory if the account has just been created, and the owner and mode are important: with the default StrictModes yes, sshd ignores authorized_keys if the file, the .ssh directory or the home directory is writable by group or others, or is owned by another user.

mkdir -p /home/USER/.ssh
echo "RSA_KEY" > /home/USER/.ssh/authorized_keys
chown -R USER:USER /home/USER/.ssh
chmod 700 /home/USER/.ssh
chmod 600 /home/USER/.ssh/authorized_keys


Check the edited file with sshd -t (it reports syntax errors and exits non-zero), then restart the SSH server and test that you can log in from another terminal window before exiting the current session; a mistake here locks you out of the box. From now on you log in as your own user, not the root user, and then use sudo bash (or sudo -i) to gain a root shell.

service ssh restart
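The procedure above is easy to get subtly wrong (a commented-out or earlier PasswordAuthentication line, a .ssh directory that is group-writable), so here is a small audit script, added as an example and not part of the original page. It reads an sshd_config the way sshd does (first match wins, comments ignored), checks the settings listed above plus the keyboard-interactive keyword, and checks the ownership and modes that StrictModes requires. Match blocks are not parsed, so on a live host treat sshd -T as the authoritative view; the sample configs it writes are constructed for the demonstration and are not real server files.

```shell
#!/bin/sh
# Added example (not from the original page): audit an sshd_config for the
# key-only settings above and check the ~/.ssh layout that StrictModes
# demands. Match blocks are not handled; on a live host `sshd -T` prints the
# effective configuration and is the authoritative check.

# Print the effective value of one sshd_config keyword.
# sshd keywords are case-insensitive and the FIRST occurrence wins, so a
# stray "PasswordAuthentication yes" above yours silently overrides it.
# $1 = config file, $2 = keyword, $3 = sshd's compiled-in default
sshd_opt() {
    v=$(awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1")
    printf '%s\n' "${v:-$3}"
}

# Compare one keyword with the value we require; prints FAIL and returns 1
# on mismatch.  $1 = file, $2 = keyword, $3 = sshd default, $4 = wanted
want() {
    got=$(sshd_opt "$1" "$2" "$3")
    [ "$got" = "$4" ] && return 0
    echo "FAIL: $2 is '$got' (want '$4')"
    return 1
}

# Return 0 only if the file enforces key-only, non-root logins.
audit_sshd_config() {
    f=$1
    rc=0
    want "$f" PasswordAuthentication yes no || rc=1
    want "$f" PubkeyAuthentication yes yes || rc=1
    want "$f" PermitRootLogin prohibit-password no || rc=1
    # PAM keyboard-interactive can still prompt for a password. Newer sshd
    # calls the keyword KbdInteractiveAuthentication and defaults it to the
    # ChallengeResponseAuthentication value, so accept either spelling.
    kbd=$(sshd_opt "$f" KbdInteractiveAuthentication \
          "$(sshd_opt "$f" ChallengeResponseAuthentication yes)")
    [ "$kbd" = no ] || { echo "FAIL: keyboard-interactive auth is '$kbd' (want 'no')"; rc=1; }
    [ -n "$(sshd_opt "$f" AllowUsers "")" ] || { echo "FAIL: AllowUsers not set"; rc=1; }
    # SSH protocol 1 keyword; modern sshd ignores it, so it protects nothing.
    if grep -qi '^[[:space:]]*RSAAuthentication' "$f"; then
        echo "WARN: RSAAuthentication is obsolete and ignored"
    fi
    return $rc
}

# StrictModes (the sshd default) rejects authorized_keys when the file or its
# directory is group- or world-writable or owned by someone else.
# $1 = the .ssh directory to check
check_ssh_dir() {
    d=$1
    rc=0
    me=$(id -un)
    for p in "$d" "$d/authorized_keys"; do
        if [ ! -e "$p" ]; then echo "FAIL: $p missing"; rc=1; continue; fi
        set -- $(ls -ld "$p")       # $1 = mode string, $3 = owner (POSIX ls)
        mode=$1 owner=$3
        case $mode in
            ?????-??-?*) ;;          # group write (col 6) and other write (col 9) clear
            *) echo "FAIL: $p mode $mode is group/world writable"; rc=1 ;;
        esac
        [ "$owner" = "$me" ] || [ "$owner" = root ] || { echo "FAIL: $p owned by $owner"; rc=1; }
    done
    return $rc
}

# Constructed sample configs for trying the audit offline: a loose file where
# a later "no" is beaten by an earlier "yes", and the settings from this page.
# $1 = directory to write into
write_sample_configs() {
    cat > "$1/sshd_config.weak" <<'EOF'
# constructed sample, not a real server's file
Port 22
PasswordAuthentication yes
PermitRootLogin yes
UsePAM yes
# added later by an admin, but the earlier line wins
PasswordAuthentication no
EOF
    cat > "$1/sshd_config.hardened" <<'EOF'
# constructed sample, not a real server's file
AllowUsers fred bob sam
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
EOF
}

# Usage: audit.sh /etc/ssh/sshd_config
[ $# -eq 0 ] || audit_sshd_config "$1"
```

Run it against the real file with sh audit.sh /etc/ssh/sshd_config and against the key directory with check_ssh_dir /home/USER/.ssh; a non-zero exit means at least one FAIL line was printed. Fix those before running service ssh restart, since sshd will happily restart into a configuration that still accepts passwords.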

Password-protect an existing private key

To add a passphrase to an existing private key stored in the traditional PEM format (the file starts with -----BEGIN RSA PRIVATE KEY-----), use the following openssl command. It writes a new file, so replace the old one with it and keep the result at mode 600; -des3 is accepted by OpenSSH for compatibility, but -aes256 is the better choice today:

openssl rsa -des3 -in your.key -out your.encrypted.key

openssl cannot read keys in OpenSSH's own format (-----BEGIN OPENSSH PRIVATE KEY-----, which ssh-keygen writes by default since OpenSSH 7.8). For those, and in fact for either format, use ssh-keygen -p -f your.key, which prompts for the new passphrase and re-encrypts the key in place.

Troubleshooting

expecting SSH2_MSG_KEX_ECDH_REPLY

If ssh -v stalls right after "expecting SSH2_MSG_KEX_ECDH_REPLY", the server's key-exchange reply (large enough to need a full-size packet) is usually being dropped on the path, typically by a PPPoE link, VPN or tunnel with a smaller MTU and broken path-MTU discovery. Try lowering the MTU of the client to 1400 as follows (change eth0 to the appropriate interface):

sudo ip li set mtu 1400 dev eth0

See also