# SSH ## Table of Contents - [SSH](#ssh) - [Table of Contents](#table-of-contents) - [Connect with specific key](#connect-with-specific-key) - [SSH Key Management](#ssh-key-management) - [Verbose](#verbose) - [Enable root login](#enable-root-login) - [Firewall Configuration with firewalld](#firewall-configuration-with-firewalld) - [SCP (Secure Copy Protocol)](#scp-secure-copy-protocol) - [Send Remote Commands](#send-remote-commands) - [Test Connection, Add Alias, and Update Known Hosts](#test-connection-add-alias-and-update-known-hosts) - [Remove Offending SSH Keys](#remove-offending-ssh-keys) - [Change SSH Port](#change-ssh-port) - [Restart ssh](#restart-ssh) ## Connect with specific key ```bash ssh -i /home/fabrice/.ssh/fabquenneville root@servername.fabq.ca ssh -i /home/fabrice/.ssh/fabquenneville fabrice@servername.fabq.ca ``` ## SSH Key Management **Generate a new RSA SSH key pair with a 4096-bit key length** ```bash ssh-keygen -t rsa -b 4096 -C "fabrice@fabq.ca" -f ~/.ssh/fabrice@fabq.ca ``` - `ssh-keygen -t rsa -b 4096`: This command generates a new RSA SSH key pair with a key size of 4096 bits for enhanced security. - `-C "fabrice@fabq.ca"`: This option adds a comment to the key, usually the email address of the key owner. - `-f ~/.ssh/fabrice@fabq.ca`: This specifies the filename for the private key; the public key will be saved with the same name but with a `.pub` extension. **Copy the generated SSH keys to the remote server** ```bash scp ~/.ssh/fabrice@fabq.ca* fabrice@servername.fabq.ca:~/.ssh/ ``` - `scp ~/.ssh/fabrice@fabq.ca*`: This command securely copies both the private and public keys to the remote server. - `fabrice@servername.fabq.ca:~/.ssh/`: Specifies the destination path on the remote server where the keys will be copied. **Install the public key on the remote server for passwordless authentication** ```bash ssh-copy-id fabrice@192.168.1.100 ssh-copy-id fabrice@servername.fabq.ca ``` - `ssh-copy-id "fabrice@servername.fabq.ca"`: This command installs the public key on the specified remote server, allowing for passwordless SSH login. **Install the public key on multiple servers using specific private key** ```bash ssh-copy-id -i /home/fabrice/.ssh/fabquenneville root@192.168.1.100 ssh-copy-id -i /home/fabrice/.ssh/fabquenneville fabrice@servername.fabq.ca ``` - `ssh-copy-id -i /home/fabrice/.ssh/fabquenneville`: This specifies which private key to use for authentication when copying the public key. - `root@192.168.1.100` and `fabrice@servername.fabq.ca`: These commands install the public key on the respective remote servers, allowing for secure, passwordless access. **Install the public key on the remote server for passwordless authentication manually** This process is useful when ssh-copy-id is unavailable, or when you want more granular control over the manual setup of passwordless SSH authentication. The ssh-copy-id tool automatically installs your public key on the remote machine, but if you prefer or need to do it manually, these are the steps: 1. Create the .ssh directory if it doesn't exist and set proper permissions ```bash mkdir -p /home/fabrice/.ssh chmod 700 /home/fabrice/.ssh ``` 2. Open the authorized_keys file in an editor and paste the public key (usually from ~/.ssh/id_rsa.pub on the local machine) ```bash nano /home/fabrice/.ssh/authorized_keys ``` 3. Set the correct permissions for the authorized_keys file ```bash chmod 600 /home/fabrice/.ssh/authorized_keys ``` 4. Ensure the ownership of the .ssh directory and its contents is set to the correct user ```bash chown -R fabrice:fabrice /home/fabrice/.ssh ``` ## Verbose - Use the 'ssh' command with the '-v' option to enable verbose mode, which provides detailed information about the connection process. ```bash ssh -i /home/fabrice/.ssh/fabquenneville -v root@servername.fabq.ca ssh -i /home/fabrice/.ssh/fabquenneville -v fabrice@servername.fabq.ca ``` ## Enable root login - Modify the SSH configuration file to allow root login. ```bash nano /etc/ssh/sshd_config ``` **Edit the configuration as follows:** ```ini PermitRootLogin prohibit-password PermitRootLogin yes ``` ## Firewall Configuration with firewalld **Allow SSH service through the firewall** ```bash firewall-cmd --permanent --zone=public --add-service=ssh ``` - `firewall-cmd`: This is the command-line tool used to manage `firewalld`. - `--permanent`: This option ensures that the change persists across reboots. - `--zone=public`: Specifies the zone to which the rule applies. The "public" zone is typically used for untrusted networks. - `--add-service=ssh`: This adds the SSH service to the specified zone, allowing incoming SSH connections. **Examples of configuring other Linux firewalls** 1. **Using UFW (Uncomplicated Firewall)** **Allow SSH traffic** ```bash ufw allow ssh ``` - This command allows incoming SSH traffic through the firewall. UFW is designed to simplify the process of managing a firewall. 2. **Using iptables** **Allow SSH traffic** ```bash iptables -A INPUT -p tcp --dport 22 -j ACCEPT ``` - `iptables`: This is a low-level tool for managing Linux firewalls. - `-A INPUT`: Appends the rule to the INPUT chain. - `-p tcp`: Specifies that this rule applies to TCP packets. - `--dport 22`: Indicates that this rule applies to traffic on port 22 (the default SSH port). - `-j ACCEPT`: Instructs the firewall to accept the specified traffic. 3. **Using nftables** **Allow SSH traffic** ```bash nft add rule ip filter input tcp dport 22 accept ``` - `nft`: The command-line tool for interacting with the nftables framework. - `add rule ip filter input`: Adds a new rule to the input chain of the filter table. - `tcp dport 22`: Matches TCP packets directed to port 22. - `accept`: Specifies that the matching packets should be accepted. **Note:** Be sure to reload or restart the firewall service after making changes to apply the new rules effectively. ## SCP (Secure Copy Protocol) - The `scp` command is used to securely transfer files and directories between local and remote systems over SSH. **Copy Local File to Remote Server** To copy a file from your local machine to a remote server, use the following syntax: ```bash scp /local/file/path fabrice@servername.fabq.ca:/remote/file/path ``` - `/local/file/path`: Specify the path to the local file you want to copy. - `fabrice@servername.fabq.ca`: This is the user and remote server where the file will be copied. - `/remote/file/path`: This is the destination path on the remote server. **Copy a Directory** To copy an entire directory, use the `-r` option, which stands for "recursive": ```bash scp -r /home/fabrice/foldername/ root@servername.fabq.ca:/remote/parent/ ``` - `-r`: This option enables recursive copying of directories and their contents. - `/home/fabrice/foldername/`: The path to the local directory you wish to copy. - `root@servername.fabq.ca:/remote/parent/`: The destination path on the remote server where the directory will be copied. **Copy a Configuration File Using a Specific SSH Key** To copy a configuration file while specifying a particular SSH key for authentication, use the following command: ```bash scp -i /home/fabrice/.ssh/fabquenneville /mnt/workbench/webserver/projectname/config.ini fabrice@servername.fabq.ca:/mnt/workbench/projectname/ ``` - `-i /home/fabrice/.ssh/fabquenneville`: This option specifies the identity file (private key) for authentication. - `/mnt/workbench/webserver/projectname/config.ini`: The path to the local configuration file being transferred. - `fabrice@servername.fabq.ca`: The user and server to which the file is being copied. - `/mnt/workbench/projectname/`: The destination path on the remote server where the file will be stored. ## Send Remote Commands **Execute Commands Directly on a Remote Server** You can use the `ssh` command to execute various commands on a remote server. Here are some examples: **Run a Local Script on a Remote Server** ```bash ssh fabrice@servername.fabq.ca 'bash -s' < /local/path/to/script.sh ``` - This command will execute the local script located at `/local/path/to/script.sh` on the remote server. **Remove a file:** ```bash ssh fabrice@192.168.1.100 "rm /home/fabrice/filename.log" ``` **Mount all filesystems:** ```bash ssh root@servername.fabq.ca "mount -a" ``` **Reboot the remote server:** ```bash ssh root@servername.fabq.ca "reboot -h now" ``` **Connect using a host key alias:** ```bash ssh -o "HostKeyAlias=servername" root@192.168.1.100 ``` ## Test Connection, Add Alias, and Update Known Hosts **Test Connection with Host Key Alias** Use the following commands to establish an SSH connection while specifying a host key alias. This helps avoid conflicts with existing entries in the `known_hosts` file. ```bash ssh -o 'HostKeyAlias=servername.fabq.ca' fabrice@192.168.1.100 ssh -o 'HostKeyAlias=servername' fabrice@192.168.1.100 ``` **Test Host Identity without Authenticating** To test the identity of a remote server without fully authenticating and to check connectivity, use the following command: ```bash ssh -e none -o 'BatchMode=yes' -o 'HostKeyAlias=servername' fabrice@192.168.1.100 /bin/true ``` - `-e none`: Disables encryption for this command, which is useful in specific testing scenarios. - `-o 'BatchMode=yes'`: Ensures that SSH does not prompt for user interaction, making it suitable for scripts. - `/bin/true`: Executes a simple command that always returns success, confirming the connection without further actions. This command allows you to verify that you can connect to the server while avoiding any authentication prompts. **Retrieve Public SSH Keys** To retrieve the public SSH keys from a remote server, use the following command: ``` ssh-keyscan -H servername.fabq.ca ``` - This command fetches the public SSH keys from the specified server, allowing you to add them to your `known_hosts` file. - It does not establish a full SSH session and is primarily used for key retrieval, which helps ensure secure connections in future interactions. By using both commands, you can test connectivity to a remote server and gather its public SSH keys for secure authentication later. **Add Alias to SSH Config for Easy Access** To simplify your SSH connections, you can create an alias for your SSH connections by editing the `~/.ssh/config` file: ```ini Host servername HostName servername.fabq.ca User fabrice IdentityFile ~/.ssh/fabquenneville ``` - `Host servername`: This defines the alias you will use for the SSH connection. - `HostName servername.fabq.ca`: This is the actual hostname of the remote server. - `User fabrice`: This specifies the user to log in as. - `IdentityFile ~/.ssh/fabquenneville`: This indicates the SSH key file to use for authentication. ## Remove Offending SSH Keys When you encounter an "offending key" warning when connecting to a server, you can remove the old key from the `known_hosts` file. This is necessary if the server's host key has changed. **View Known Hosts** To view the contents of your `known_hosts` file, use: ```bash cat ~/.ssh/known_hosts ``` **Edit Known Hosts Manually (Optional)** You can edit the `known_hosts` file manually if you prefer: ```bash nano ~/.ssh/known_hosts ``` **Update Known Hosts File with SSH Key** ```bash ssh-keyscan -H servername.fabq.ca >> ~/.ssh/known_hosts ``` - This command retrieves the public key of the specified server and appends it to your `known_hosts` file, allowing SSH to recognize the server during subsequent connections. **Remove Offending Key by Hostname** You can use the `ssh-keygen` command to remove specific keys from your `known_hosts` file. Here are examples for different scenarios: - To remove the offending key for a specific server: ```bash ssh-keygen -R "servername.fabq.ca" ssh-keygen -R "192.168.1.100" ``` - To specify the `known_hosts` file directly: ```bash ssh-keygen -f "/home/fabrice/.ssh/known_hosts" -R "servername.fabq.ca" ssh-keygen -f "/root/.ssh/known_hosts" -R "192.168.1.100" ssh-keygen -f "/etc/ssh/ssh_known_hosts" -R "servername.fabq.ca" ``` **Summary of Key Removal** You can also use a shorthand command to remove the offending key without specifying the file: ```bash ssh-keygen -R servername.fabq.ca ``` This will automatically target the correct `known_hosts` file based on your user and system configuration. ## Change SSH Port To enhance security, you may want to change the default SSH port (22) to a custom port. Follow these steps: **1. Edit the SSH Configuration File** Open the SSH daemon configuration file using a text editor: ```bash nano /etc/ssh/sshd_config ``` Edit the following line to set a new port (e.g., port 2222): ```ini Port 2222 ``` - Locate the line that specifies the port (usually `#Port 22`) and change it to your desired port number (e.g., `Port 2222`). - Make sure to uncomment the line by removing the `#`. **2. Create Directory for Systemd Override** If you're using systemd, create a directory for the SSH socket override: ```bash mkdir -p /etc/systemd/system/ssh.socket.d ``` **3. Create an Override Configuration File** Create or edit the override configuration file for the SSH socket: ```bash nano /etc/systemd/system/ssh.socket.d/override.conf ``` - Add the following lines to specify the custom port: ```ini [Socket] ListenPort=2222 # Replace with your desired port number ``` **4. (Optional) Edit the Sockets Target Configuration** You may also want to edit the sockets target configuration to ensure it points to the correct SSH socket: ```bash nano /etc/systemd/system/sockets.target.wants/ssh.socket ``` - Make any necessary adjustments based on your custom port. **5. Restart the SSH service to apply the changes** After making changes, restart the SSH service to apply the new configuration: ```bash systemctl restart sshd ``` **6. (Optional) Verify the New Port** To verify that SSH is listening on the new port, you can use: ```bash netstat -tuln | grep LISTEN ``` This will display the ports currently being listened to, allowing you to confirm that your changes were successful. ## Restart ssh **Restart the SSH service to apply changes** To restart the SSH service, use the following command: ```bash systemctl restart sshd ```