fabrice/scripts-fabq
fabrice/scripts-fabq
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add SSH notes to repository

Browse Source 
This commit introduces comprehensive SSH documentation, covering key management, connection methods, firewall configurations, and secure file transfer protocols. The new section includes:

- Instructions for connecting using specific SSH keys.
- Detailed SSH key management processes, including key generation and public key installation.
- Verbose mode usage for connection troubleshooting.
- Configuration guidelines for enabling root login and firewall settings with firewalld.
- Examples of SCP (Secure Copy Protocol) for secure file transfers.
- Commands for executing remote commands and testing SSH connections.
- Best practices for managing SSH aliases and updating known hosts.
- Steps for removing offending SSH keys from the known_hosts file.

These notes serve as a resource for efficient SSH usage and management, enhancing the overall functionality of the repository.
This commit is contained in:
Fabrice Quenneville 2024-10-23 13:28:34 -04:00
parent 069db4061b
commit 173bffb260
1 changed files with 414 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

414
notes/ssh.md Normal file
View File

@ -0,0 +1,414 @@
# SSH
## Table of Contents
- [SSH](#ssh)
- [Table of Contents](#table-of-contents)
- [Connect with specific key](#connect-with-specific-key)
- [SSH Key Management](#ssh-key-management)
- [Verbose](#verbose)
- [Enable root login](#enable-root-login)
- [Firewall Configuration with firewalld](#firewall-configuration-with-firewalld)
- [SCP (Secure Copy Protocol)](#scp-secure-copy-protocol)
- [Send Remote Commands](#send-remote-commands)
- [Test Connection, Add Alias, and Update Known Hosts](#test-connection-add-alias-and-update-known-hosts)
- [Remove Offending SSH Keys](#remove-offending-ssh-keys)
- [Change SSH Port](#change-ssh-port)
- [Restart ssh](#restart-ssh)
## Connect with specific key
```bash
ssh -i /home/fabrice/.ssh/fabquenneville root@servername.fabq.ca
ssh -i /home/fabrice/.ssh/fabquenneville fabrice@servername.fabq.ca
```
## SSH Key Management
**Generate a new RSA SSH key pair with a 4096-bit key length**
```bash
ssh-keygen -t rsa -b 4096 -C "fabrice@fabq.ca" -f ~/.ssh/fabrice@fabq.ca
```
- `ssh-keygen -t rsa -b 4096`: This command generates a new RSA SSH key pair with a key size of 4096 bits for enhanced security.
- `-C "fabrice@fabq.ca"`: This option adds a comment to the key, usually the email address of the key owner.
- `-f ~/.ssh/fabrice@fabq.ca`: This specifies the filename for the private key; the public key will be saved with the same name but with a `.pub` extension.
**Copy the generated SSH keys to the remote server**
```bash
scp ~/.ssh/fabrice@fabq.ca* fabrice@servername.fabq.ca:~/.ssh/
```
- `scp ~/.ssh/fabrice@fabq.ca*`: This command securely copies both the private and public keys to the remote server.
- `fabrice@servername.fabq.ca:~/.ssh/`: Specifies the destination path on the remote server where the keys will be copied.
**Install the public key on the remote server for passwordless authentication**
```bash
ssh-copy-id fabrice@192.168.1.100
ssh-copy-id fabrice@servername.fabq.ca
```
- `ssh-copy-id "fabrice@servername.fabq.ca"`: This command installs the public key on the specified remote server, allowing for passwordless SSH login.
**Install the public key on multiple servers using specific private key**
```bash
ssh-copy-id -i /home/fabrice/.ssh/fabquenneville root@192.168.1.100
ssh-copy-id -i /home/fabrice/.ssh/fabquenneville fabrice@servername.fabq.ca
```
- `ssh-copy-id -i /home/fabrice/.ssh/fabquenneville`: This specifies which private key to use for authentication when copying the public key.
- `root@192.168.1.100` and `fabrice@servername.fabq.ca`: These commands install the public key on the respective remote servers, allowing for secure, passwordless access.
## Verbose
- Use the 'ssh' command with the '-v' option to enable verbose mode, which provides detailed information about the connection process.
```bash
ssh -i /home/fabrice/.ssh/fabquenneville -v root@servername.fabq.ca
ssh -i /home/fabrice/.ssh/fabquenneville -v fabrice@servername.fabq.ca
```
## Enable root login
- Modify the SSH configuration file to allow root login.
```bash
nano /etc/ssh/sshd_config
```
**Edit the configuration as follows:**
```ini
PermitRootLogin prohibit-password
PermitRootLogin yes
```
## Firewall Configuration with firewalld
**Allow SSH service through the firewall**
```bash
firewall-cmd --permanent --zone=public --add-service=ssh
```
- `firewall-cmd`: This is the command-line tool used to manage `firewalld`.
- `--permanent`: This option ensures that the change persists across reboots.
- `--zone=public`: Specifies the zone to which the rule applies. The "public" zone is typically used for untrusted networks.
- `--add-service=ssh`: This adds the SSH service to the specified zone, allowing incoming SSH connections.
**Examples of configuring other Linux firewalls**
1. **Using UFW (Uncomplicated Firewall)**
**Allow SSH traffic**
```bash
ufw allow ssh
```
- This command allows incoming SSH traffic through the firewall. UFW is designed to simplify the process of managing a firewall.
2. **Using iptables**
**Allow SSH traffic**
```bash
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
```
- `iptables`: This is a low-level tool for managing Linux firewalls.
- `-A INPUT`: Appends the rule to the INPUT chain.
- `-p tcp`: Specifies that this rule applies to TCP packets.
- `--dport 22`: Indicates that this rule applies to traffic on port 22 (the default SSH port).
- `-j ACCEPT`: Instructs the firewall to accept the specified traffic.
3. **Using nftables**
**Allow SSH traffic**
```bash
nft add rule ip filter input tcp dport 22 accept
```
- `nft`: The command-line tool for interacting with the nftables framework.
- `add rule ip filter input`: Adds a new rule to the input chain of the filter table.
- `tcp dport 22`: Matches TCP packets directed to port 22.
- `accept`: Specifies that the matching packets should be accepted.
**Note:** Be sure to reload or restart the firewall service after making changes to apply the new rules effectively.
## SCP (Secure Copy Protocol)
- The `scp` command is used to securely transfer files and directories between local and remote systems over SSH.
**Copy Local File to Remote Server**
To copy a file from your local machine to a remote server, use the following syntax:
```bash
scp /local/file/path fabrice@servername.fabq.ca:/remote/file/path
```
- `/local/file/path`: Specify the path to the local file you want to copy.
- `fabrice@servername.fabq.ca`: This is the user and remote server where the file will be copied.
- `/remote/file/path`: This is the destination path on the remote server.
**Copy a Directory**
To copy an entire directory, use the `-r` option, which stands for "recursive":
```bash
scp -r /home/fabrice/foldername/ root@servername.fabq.ca:/remote/parent/
```
- `-r`: This option enables recursive copying of directories and their contents.
- `/home/fabrice/foldername/`: The path to the local directory you wish to copy.
- `root@servername.fabq.ca:/remote/parent/`: The destination path on the remote server where the directory will be copied.
**Copy a Configuration File Using a Specific SSH Key**
To copy a configuration file while specifying a particular SSH key for authentication, use the following command:
```bash
scp -i /home/fabrice/.ssh/fabquenneville /mnt/workbench/webserver/projectname/config.ini fabrice@servername.fabq.ca:/mnt/workbench/projectname/
```
- `-i /home/fabrice/.ssh/fabquenneville`: This option specifies the identity file (private key) for authentication.
- `/mnt/workbench/webserver/projectname/config.ini`: The path to the local configuration file being transferred.
- `fabrice@servername.fabq.ca`: The user and server to which the file is being copied.
- `/mnt/workbench/projectname/`: The destination path on the remote server where the file will be stored.
## Send Remote Commands
**Execute Commands Directly on a Remote Server**
You can use the `ssh` command to execute various commands on a remote server. Here are some examples:
**Run a Local Script on a Remote Server**
```bash
ssh fabrice@servername.fabq.ca 'bash -s' < /local/path/to/script.sh
```
- This command will execute the local script located at `/local/path/to/script.sh` on the remote server.
**Remove a file:**
```bash
ssh fabrice@192.168.1.100 "rm /home/fabrice/filename.log"
```
**Mount all filesystems:**
```bash
ssh root@servername.fabq.ca "mount -a"
```
**Reboot the remote server:**
```bash
ssh root@servername.fabq.ca "reboot -h now"
```
**Connect using a host key alias:**
```bash
ssh -o "HostKeyAlias=servername" root@192.168.1.100
```
## Test Connection, Add Alias, and Update Known Hosts
**Test Connection with Host Key Alias**
Use the following commands to establish an SSH connection while specifying a host key alias. This helps avoid conflicts with existing entries in the `known_hosts` file.
```bash
ssh -o 'HostKeyAlias=servername.fabq.ca' fabrice@192.168.1.100
ssh -o 'HostKeyAlias=servername' fabrice@192.168.1.100
```
**Test Host Identity without Authenticating**
To test the identity of a remote server without fully authenticating and to check connectivity, use the following command:
```bash
ssh -e none -o 'BatchMode=yes' -o 'HostKeyAlias=servername' fabrice@192.168.1.100 /bin/true
```
- `-e none`: Disables encryption for this command, which is useful in specific testing scenarios.
- `-o 'BatchMode=yes'`: Ensures that SSH does not prompt for user interaction, making it suitable for scripts.
- `/bin/true`: Executes a simple command that always returns success, confirming the connection without further actions.
This command allows you to verify that you can connect to the server while avoiding any authentication prompts.
**Retrieve Public SSH Keys**
To retrieve the public SSH keys from a remote server, use the following command:
```
ssh-keyscan -H servername.fabq.ca
```
- This command fetches the public SSH keys from the specified server, allowing you to add them to your `known_hosts` file.
- It does not establish a full SSH session and is primarily used for key retrieval, which helps ensure secure connections in future interactions.
By using both commands, you can test connectivity to a remote server and gather its public SSH keys for secure authentication later.
**Add Alias to SSH Config for Easy Access**
To simplify your SSH connections, you can create an alias for your SSH connections by editing the `~/.ssh/config` file:
```ini
Host servername
HostName servername.fabq.ca
User fabrice
IdentityFile ~/.ssh/fabquenneville
```
- `Host servername`: This defines the alias you will use for the SSH connection.
- `HostName servername.fabq.ca`: This is the actual hostname of the remote server.
- `User fabrice`: This specifies the user to log in as.
- `IdentityFile ~/.ssh/fabquenneville`: This indicates the SSH key file to use for authentication.
## Remove Offending SSH Keys
When you encounter an "offending key" warning when connecting to a server, you can remove the old key from the `known_hosts` file. This is necessary if the server's host key has changed.
**View Known Hosts**
To view the contents of your `known_hosts` file, use:
```bash
cat ~/.ssh/known_hosts
```
**Edit Known Hosts Manually (Optional)**
You can edit the `known_hosts` file manually if you prefer:
```bash
nano ~/.ssh/known_hosts
```
**Update Known Hosts File with SSH Key**
```bash
ssh-keyscan -H servername.fabq.ca >> ~/.ssh/known_hosts
```
- This command retrieves the public key of the specified server and appends it to your `known_hosts` file, allowing SSH to recognize the server during subsequent connections.
**Remove Offending Key by Hostname**
You can use the `ssh-keygen` command to remove specific keys from your `known_hosts` file. Here are examples for different scenarios:
- To remove the offending key for a specific server:
```bash
ssh-keygen -R "servername.fabq.ca"
ssh-keygen -R "192.168.1.100"
```
- To specify the `known_hosts` file directly:
```bash
ssh-keygen -f "/home/fabrice/.ssh/known_hosts" -R "servername.fabq.ca"
ssh-keygen -f "/root/.ssh/known_hosts" -R "192.168.1.100"
ssh-keygen -f "/etc/ssh/ssh_known_hosts" -R "servername.fabq.ca"
```
**Summary of Key Removal**
You can also use a shorthand command to remove the offending key without specifying the file:
```bash
ssh-keygen -R servername.fabq.ca
```
This will automatically target the correct `known_hosts` file based on your user and system configuration.
## Change SSH Port
To enhance security, you may want to change the default SSH port (22) to a custom port. Follow these steps:
**1. Edit the SSH Configuration File**
Open the SSH daemon configuration file using a text editor:
```bash
nano /etc/ssh/sshd_config
```
Edit the following line to set a new port (e.g., port 2222):
```ini
Port 2222
```
- Locate the line that specifies the port (usually `#Port 22`) and change it to your desired port number (e.g., `Port 2222`).
- Make sure to uncomment the line by removing the `#`.
**2. Create Directory for Systemd Override**
If you're using systemd, create a directory for the SSH socket override:
```bash
mkdir -p /etc/systemd/system/ssh.socket.d
```
**3. Create an Override Configuration File**
Create or edit the override configuration file for the SSH socket:
```bash
nano /etc/systemd/system/ssh.socket.d/override.conf
```
- Add the following lines to specify the custom port:
```ini
[Socket]
ListenPort=2222 # Replace with your desired port number
```
**4. (Optional) Edit the Sockets Target Configuration**
You may also want to edit the sockets target configuration to ensure it points to the correct SSH socket:
```bash
nano /etc/systemd/system/sockets.target.wants/ssh.socket
```
- Make any necessary adjustments based on your custom port.
**5. Restart the SSH service to apply the changes**
After making changes, restart the SSH service to apply the new configuration:
```bash
systemctl restart sshd
```
**6. (Optional) Verify the New Port**
To verify that SSH is listening on the new port, you can use:
```bash
netstat -tuln | grep LISTEN
```
This will display the ports currently being listened to, allowing you to confirm that your changes were successful.
## Restart ssh
**Restart the SSH service to apply changes**
To restart the SSH service, use the following command:
```bash
systemctl restart sshd
```