SSH

From Organic Design wiki
Revision as of 11:00, 17 October 2018 by Nad

Port forwarding with SSH

A remote port-forward is used, for example, so that someone can give you SSH access to their machine when it's behind a firewall or router:

ssh -NR 1234:localhost:22 USER@SERVER

You can now ssh into their machine via port 1234 on the remote server instead.

A local port-forward would be used, for example, to create a local connection into a remote SQL server that isn't available to external connections:

ssh -NL 1234:localhost:3306 USER@SERVER

Now you can access the database on the local machine on port 1234.

Let's say you're doing some maintenance on your site and you'd like to redirect all the requests on port 80 to another web server (SERVER) on port 8080 (binding local port 80 needs root, and GatewayPorts=yes makes the forwarded port listen on all interfaces rather than only on localhost):

ssh -L 80:SERVER:8080 -N -o GatewayPorts=yes USER@SERVER

Browsing the net through a remote server with SSH

Sometimes you need to browse using an IP address that's in another location, for example if the content you want to access is only available to local users, or if you're buying something and the prices are based on the buyer's location. If you have access to a server in the required location, or someone you know in that location is willing to temporarily set up an SSH server that you can access, then you can use the following syntax to set up a local port that your browser can use as a proxy server.

ssh -NCD 1080 USER@SERVER
  • The N option means to use this SSH session only for tunnelling, not to open up a shell session as well.
  • The C option means to compress the data in the tunnel, which is a good idea if you're on a slow connection.
  • The D option is the main one: it tells SSH to set up a dynamic (SOCKS) tunnel listening on the local port number specified.

Next you need to configure your browser to connect via this local port. Chromium allows you to specify the proxy details as a command-line option, so there's no need to change the network configuration and then change it back afterwards. Simply open a shell window and use the following syntax (make sure there are no other Chromium windows open when you do this).

chromium-browser --proxy-server="socks5://localhost:1080"

In Firefox you need to change the Network Proxy setting in Preferences/General. The changes take effect instantly without needing a restart or anything, but you'll need to remember to change the setting back after the SSH connection is closed.

[Image: FF-proxy.jpg, the Firefox Network Proxy settings dialog]


Key fingerprints and passwords

It's common to see an RSA public key shown as just a fingerprint, e.g. eb:e9:47:99:b7:3b:46:fe:cf:73:04:ae:40:b8:3a:58. To generate such a fingerprint from a public key file, do the following:

ssh-keygen -E md5 -lf id_rsa.pub

To change the passphrase of an existing RSA or DSA key:

ssh-keygen -p -f ~/.ssh/id_dsa

Or for a GPG key:

gpg --list-keys
gpg --edit-key <KEY-ID>
gpg> passwd
gpg> save

Disable password-based logins

If you want to restrict server logins to keys only, you can disable passwords for SSH access in /etc/ssh/sshd_config:

AllowUsers fred bob sam
PermitRootLogin no
# RSAAuthentication applied only to the obsolete SSH protocol 1; current sshd
# releases ignore it with a "Deprecated option" warning, PubkeyAuthentication is what matters
RSAAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no


And don't forget to add your public RSA key to ~/.ssh/authorized_keys. Note that you'll probably need to create the directory, since the account has just been created, and the owner and mode are important (sshd refuses keys from a directory or file that is writable by anyone other than the owner).

mkdir /home/USER/.ssh
# RSA_KEY is the full public key line, i.e. the contents of id_rsa.pub
echo "RSA_KEY" > /home/USER/.ssh/authorized_keys
chown USER:USER -R /home/USER/.ssh
chmod 644 /home/USER/.ssh/authorized_keys


Restart the SSH server and test that you can log in from another terminal window before exiting the current session. You now log in as your own user, not as root, and then use sudo bash to gain a root shell.

service ssh restart
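Before restarting sshd it's worth checking that the file really says what you think it says. The following script is an added example, not from the original page: it audits an sshd_config for the settings listed above, assuming a POSIX sh with awk, and only looks at the global section (values inside Match blocks are ignored).

```shell
#!/bin/sh
# Added example, not from the original wiki page. Audits an sshd_config
# for the key-only login settings listed above. Assumes POSIX sh plus awk.
# Global section only: values inside Match blocks are not evaluated.

# Print the effective value of a keyword. sshd takes the first
# occurrence of each keyword, so only the first match is printed.
sshd_value() {
    # $1 = config file, $2 = keyword (matched case-insensitively, as sshd does)
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }            # skip commented-out lines
        NF >= 2 && tolower($1) == key { print $2; exit }
    ' "$1"
}

# Report settings that still allow password or root logins.
# Prints one line per problem; returns 0 only when everything is in order.
check_sshd_config() {
    cfg="$1"; rc=0
    pa=$(sshd_value "$cfg" PasswordAuthentication)
    pk=$(sshd_value "$cfg" PubkeyAuthentication)
    pr=$(sshd_value "$cfg" PermitRootLogin)
    # Unset keywords fall back to the sshd defaults: PasswordAuthentication
    # yes, PubkeyAuthentication yes, PermitRootLogin prohibit-password.
    [ "${pa:-yes}" = "no" ] || { echo "PasswordAuthentication=${pa:-unset}, want no"; rc=1; }
    [ "${pk:-yes}" = "yes" ] || { echo "PubkeyAuthentication=$pk, want yes"; rc=1; }
    [ "${pr:-prohibit-password}" = "no" ] || { echo "PermitRootLogin=${pr:-unset}, want no"; rc=1; }
    return "$rc"
}

# Constructed sample configs so the script runs stand-alone.
tmp=$(mktemp -d)
cat > "$tmp/hardened" <<'EOF'
AllowUsers fred bob sam
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
EOF
cat > "$tmp/weak" <<'EOF'
#PasswordAuthentication no
PermitRootLogin yes
EOF
check_sshd_config "$tmp/hardened" && echo "hardened: OK"
check_sshd_config "$tmp/weak" || echo "weak: fix the settings listed above"
rm -rf "$tmp"
```

Run it against the live file with check_sshd_config /etc/ssh/sshd_config; a non-zero exit means passwords or root logins are still permitted.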

Password-protect an existing private key

To add a passphrase to an existing private key, use the following openssl command (-aes256 can be used in place of -des3 for a stronger cipher; the syntax is otherwise the same):

openssl rsa -des3 -in your.key -out your.encrypted.key

Troubleshooting

expecting SSH2_MSG_KEX_ECDH_REPLY

Try changing the MTU of the client to 1400 as follows (change eth0 to the appropriate interface):

sudo ip li set mtu 1400 dev eth0

See also