From 173bffb26031e07d02eea45c9b86be96648940e5 Mon Sep 17 00:00:00 2001 From: Fabrice Quenneville Date: Wed, 23 Oct 2024 13:28:34 -0400 Subject: [PATCH] Add SSH notes to repository This commit introduces comprehensive SSH documentation, covering key management, connection methods, firewall configurations, and secure file transfer protocols. The new section includes: - Instructions for connecting using specific SSH keys. - Detailed SSH key management processes, including key generation and public key installation. - Verbose mode usage for connection troubleshooting. - Configuration guidelines for enabling root login and firewall settings with firewalld. - Examples of SCP (Secure Copy Protocol) for secure file transfers. - Commands for executing remote commands and testing SSH connections. - Best practices for managing SSH aliases and updating known hosts. - Steps for removing offending SSH keys from the known_hosts file. These notes serve as a resource for efficient SSH usage and management, enhancing the overall functionality of the repository. --- notes/ssh.md | 414 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 414 insertions(+) create mode 100644 notes/ssh.md diff --git a/notes/ssh.md b/notes/ssh.md new file mode 100644 index 0000000..8a1c125 --- /dev/null +++ b/notes/ssh.md @@ -0,0 +1,414 @@ +# SSH + +## Table of Contents + +- [SSH](#ssh) + - [Table of Contents](#table-of-contents) + - [Connect with specific key](#connect-with-specific-key) + - [SSH Key Management](#ssh-key-management) + - [Verbose](#verbose) + - [Enable root login](#enable-root-login) + - [Firewall Configuration with firewalld](#firewall-configuration-with-firewalld) + - [SCP (Secure Copy Protocol)](#scp-secure-copy-protocol) + - [Send Remote Commands](#send-remote-commands) + - [Test Connection, Add Alias, and Update Known Hosts](#test-connection-add-alias-and-update-known-hosts) + - [Remove Offending SSH Keys](#remove-offending-ssh-keys) + - [Change SSH Port](#change-ssh-port) + - [Restart ssh](#restart-ssh) + +## Connect with specific key + +```bash +ssh -i /home/fabrice/.ssh/fabquenneville root@servername.fabq.ca +ssh -i /home/fabrice/.ssh/fabquenneville fabrice@servername.fabq.ca +``` + +## SSH Key Management + +**Generate a new RSA SSH key pair with a 4096-bit key length** + +```bash +ssh-keygen -t rsa -b 4096 -C "fabrice@fabq.ca" -f ~/.ssh/fabrice@fabq.ca +``` + +- `ssh-keygen -t rsa -b 4096`: This command generates a new RSA SSH key pair with a key size of 4096 bits for enhanced security. +- `-C "fabrice@fabq.ca"`: This option adds a comment to the key, usually the email address of the key owner. +- `-f ~/.ssh/fabrice@fabq.ca`: This specifies the filename for the private key; the public key will be saved with the same name but with a `.pub` extension. + +**Copy the generated SSH keys to the remote server** + +```bash +scp ~/.ssh/fabrice@fabq.ca* fabrice@servername.fabq.ca:~/.ssh/ +``` + +- `scp ~/.ssh/fabrice@fabq.ca*`: This command securely copies both the private and public keys to the remote server. +- `fabrice@servername.fabq.ca:~/.ssh/`: Specifies the destination path on the remote server where the keys will be copied. + +**Install the public key on the remote server for passwordless authentication** + +```bash +ssh-copy-id fabrice@192.168.1.100 +ssh-copy-id fabrice@servername.fabq.ca +``` + +- `ssh-copy-id "fabrice@servername.fabq.ca"`: This command installs the public key on the specified remote server, allowing for passwordless SSH login. + +**Install the public key on multiple servers using specific private key** + +```bash +ssh-copy-id -i /home/fabrice/.ssh/fabquenneville root@192.168.1.100 +ssh-copy-id -i /home/fabrice/.ssh/fabquenneville fabrice@servername.fabq.ca +``` + +- `ssh-copy-id -i /home/fabrice/.ssh/fabquenneville`: This specifies which private key to use for authentication when copying the public key. +- `root@192.168.1.100` and `fabrice@servername.fabq.ca`: These commands install the public key on the respective remote servers, allowing for secure, passwordless access. + +## Verbose + +- Use the 'ssh' command with the '-v' option to enable verbose mode, which provides detailed information about the connection process. + +```bash +ssh -i /home/fabrice/.ssh/fabquenneville -v root@servername.fabq.ca +ssh -i /home/fabrice/.ssh/fabquenneville -v fabrice@servername.fabq.ca +``` + +## Enable root login + +- Modify the SSH configuration file to allow root login. + +```bash +nano /etc/ssh/sshd_config +``` + +**Edit the configuration as follows:** + +```ini +PermitRootLogin prohibit-password +PermitRootLogin yes +``` + +## Firewall Configuration with firewalld + +**Allow SSH service through the firewall** + +```bash +firewall-cmd --permanent --zone=public --add-service=ssh +``` + +- `firewall-cmd`: This is the command-line tool used to manage `firewalld`. +- `--permanent`: This option ensures that the change persists across reboots. +- `--zone=public`: Specifies the zone to which the rule applies. The "public" zone is typically used for untrusted networks. +- `--add-service=ssh`: This adds the SSH service to the specified zone, allowing incoming SSH connections. + +**Examples of configuring other Linux firewalls** + +1. **Using UFW (Uncomplicated Firewall)** + + **Allow SSH traffic** + + ```bash + ufw allow ssh + ``` + + - This command allows incoming SSH traffic through the firewall. UFW is designed to simplify the process of managing a firewall. + +2. **Using iptables** + + **Allow SSH traffic** + + ```bash + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + ``` + + - `iptables`: This is a low-level tool for managing Linux firewalls. + - `-A INPUT`: Appends the rule to the INPUT chain. + - `-p tcp`: Specifies that this rule applies to TCP packets. + - `--dport 22`: Indicates that this rule applies to traffic on port 22 (the default SSH port). + - `-j ACCEPT`: Instructs the firewall to accept the specified traffic. + +3. **Using nftables** + + **Allow SSH traffic** + + ```bash + nft add rule ip filter input tcp dport 22 accept + ``` + + - `nft`: The command-line tool for interacting with the nftables framework. + - `add rule ip filter input`: Adds a new rule to the input chain of the filter table. + - `tcp dport 22`: Matches TCP packets directed to port 22. + - `accept`: Specifies that the matching packets should be accepted. + +**Note:** Be sure to reload or restart the firewall service after making changes to apply the new rules effectively. + +## SCP (Secure Copy Protocol) + +- The `scp` command is used to securely transfer files and directories between local and remote systems over SSH. + +**Copy Local File to Remote Server** + +To copy a file from your local machine to a remote server, use the following syntax: + +```bash +scp /local/file/path fabrice@servername.fabq.ca:/remote/file/path +``` + +- `/local/file/path`: Specify the path to the local file you want to copy. +- `fabrice@servername.fabq.ca`: This is the user and remote server where the file will be copied. +- `/remote/file/path`: This is the destination path on the remote server. + +**Copy a Directory** + +To copy an entire directory, use the `-r` option, which stands for "recursive": + +```bash +scp -r /home/fabrice/foldername/ root@servername.fabq.ca:/remote/parent/ +``` + +- `-r`: This option enables recursive copying of directories and their contents. +- `/home/fabrice/foldername/`: The path to the local directory you wish to copy. +- `root@servername.fabq.ca:/remote/parent/`: The destination path on the remote server where the directory will be copied. + +**Copy a Configuration File Using a Specific SSH Key** + +To copy a configuration file while specifying a particular SSH key for authentication, use the following command: + +```bash +scp -i /home/fabrice/.ssh/fabquenneville /mnt/workbench/webserver/projectname/config.ini fabrice@servername.fabq.ca:/mnt/workbench/projectname/ +``` + +- `-i /home/fabrice/.ssh/fabquenneville`: This option specifies the identity file (private key) for authentication. +- `/mnt/workbench/webserver/projectname/config.ini`: The path to the local configuration file being transferred. +- `fabrice@servername.fabq.ca`: The user and server to which the file is being copied. +- `/mnt/workbench/projectname/`: The destination path on the remote server where the file will be stored. + +## Send Remote Commands + +**Execute Commands Directly on a Remote Server** + +You can use the `ssh` command to execute various commands on a remote server. Here are some examples: + +**Run a Local Script on a Remote Server** + +```bash +ssh fabrice@servername.fabq.ca 'bash -s' < /local/path/to/script.sh +``` + +- This command will execute the local script located at `/local/path/to/script.sh` on the remote server. + +**Remove a file:** + +```bash +ssh fabrice@192.168.1.100 "rm /home/fabrice/filename.log" +``` + +**Mount all filesystems:** + +```bash +ssh root@servername.fabq.ca "mount -a" +``` + +**Reboot the remote server:** + +```bash +ssh root@servername.fabq.ca "reboot -h now" +``` + +**Connect using a host key alias:** + +```bash +ssh -o "HostKeyAlias=servername" root@192.168.1.100 +``` + +## Test Connection, Add Alias, and Update Known Hosts + +**Test Connection with Host Key Alias** + +Use the following commands to establish an SSH connection while specifying a host key alias. This helps avoid conflicts with existing entries in the `known_hosts` file. + +```bash +ssh -o 'HostKeyAlias=servername.fabq.ca' fabrice@192.168.1.100 +ssh -o 'HostKeyAlias=servername' fabrice@192.168.1.100 +``` + +**Test Host Identity without Authenticating** + +To test the identity of a remote server without fully authenticating and to check connectivity, use the following command: + +```bash +ssh -e none -o 'BatchMode=yes' -o 'HostKeyAlias=servername' fabrice@192.168.1.100 /bin/true +``` + +- `-e none`: Disables encryption for this command, which is useful in specific testing scenarios. +- `-o 'BatchMode=yes'`: Ensures that SSH does not prompt for user interaction, making it suitable for scripts. +- `/bin/true`: Executes a simple command that always returns success, confirming the connection without further actions. + +This command allows you to verify that you can connect to the server while avoiding any authentication prompts. + +**Retrieve Public SSH Keys** + +To retrieve the public SSH keys from a remote server, use the following command: + +``` +ssh-keyscan -H servername.fabq.ca +``` + +- This command fetches the public SSH keys from the specified server, allowing you to add them to your `known_hosts` file. +- It does not establish a full SSH session and is primarily used for key retrieval, which helps ensure secure connections in future interactions. + +By using both commands, you can test connectivity to a remote server and gather its public SSH keys for secure authentication later. + +**Add Alias to SSH Config for Easy Access** + +To simplify your SSH connections, you can create an alias for your SSH connections by editing the `~/.ssh/config` file: + +```ini +Host servername + HostName servername.fabq.ca + User fabrice + IdentityFile ~/.ssh/fabquenneville +``` + +- `Host servername`: This defines the alias you will use for the SSH connection. +- `HostName servername.fabq.ca`: This is the actual hostname of the remote server. +- `User fabrice`: This specifies the user to log in as. +- `IdentityFile ~/.ssh/fabquenneville`: This indicates the SSH key file to use for authentication. + +## Remove Offending SSH Keys + +When you encounter an "offending key" warning when connecting to a server, you can remove the old key from the `known_hosts` file. This is necessary if the server's host key has changed. + +**View Known Hosts** + +To view the contents of your `known_hosts` file, use: + +```bash +cat ~/.ssh/known_hosts +``` + +**Edit Known Hosts Manually (Optional)** + +You can edit the `known_hosts` file manually if you prefer: + +```bash +nano ~/.ssh/known_hosts +``` + +**Update Known Hosts File with SSH Key** + +```bash +ssh-keyscan -H servername.fabq.ca >> ~/.ssh/known_hosts +``` + +- This command retrieves the public key of the specified server and appends it to your `known_hosts` file, allowing SSH to recognize the server during subsequent connections. + +**Remove Offending Key by Hostname** + +You can use the `ssh-keygen` command to remove specific keys from your `known_hosts` file. Here are examples for different scenarios: + +- To remove the offending key for a specific server: + +```bash +ssh-keygen -R "servername.fabq.ca" +ssh-keygen -R "192.168.1.100" +``` + +- To specify the `known_hosts` file directly: + +```bash +ssh-keygen -f "/home/fabrice/.ssh/known_hosts" -R "servername.fabq.ca" +ssh-keygen -f "/root/.ssh/known_hosts" -R "192.168.1.100" +ssh-keygen -f "/etc/ssh/ssh_known_hosts" -R "servername.fabq.ca" +``` + +**Summary of Key Removal** + +You can also use a shorthand command to remove the offending key without specifying the file: + +```bash +ssh-keygen -R servername.fabq.ca +``` + +This will automatically target the correct `known_hosts` file based on your user and system configuration. + +## Change SSH Port + +To enhance security, you may want to change the default SSH port (22) to a custom port. Follow these steps: + +**1. Edit the SSH Configuration File** + +Open the SSH daemon configuration file using a text editor: + +```bash +nano /etc/ssh/sshd_config +``` + +Edit the following line to set a new port (e.g., port 2222): + +```ini +Port 2222 +``` + +- Locate the line that specifies the port (usually `#Port 22`) and change it to your desired port number (e.g., `Port 2222`). +- Make sure to uncomment the line by removing the `#`. + +**2. Create Directory for Systemd Override** + +If you're using systemd, create a directory for the SSH socket override: + +```bash +mkdir -p /etc/systemd/system/ssh.socket.d +``` + +**3. Create an Override Configuration File** + +Create or edit the override configuration file for the SSH socket: + +```bash +nano /etc/systemd/system/ssh.socket.d/override.conf +``` + +- Add the following lines to specify the custom port: + +```ini +[Socket] +ListenPort=2222 # Replace with your desired port number +``` + +**4. (Optional) Edit the Sockets Target Configuration** + +You may also want to edit the sockets target configuration to ensure it points to the correct SSH socket: + +```bash +nano /etc/systemd/system/sockets.target.wants/ssh.socket +``` + +- Make any necessary adjustments based on your custom port. + +**5. Restart the SSH service to apply the changes** + +After making changes, restart the SSH service to apply the new configuration: + +```bash +systemctl restart sshd +``` + +**6. (Optional) Verify the New Port** + +To verify that SSH is listening on the new port, you can use: + +```bash +netstat -tuln | grep LISTEN +``` + +This will display the ports currently being listened to, allowing you to confirm that your changes were successful. + +## Restart ssh + +**Restart the SSH service to apply changes** + +To restart the SSH service, use the following command: + +```bash +systemctl restart sshd +```