scripts-fabq/notes/ssh.md

SSH

Table of Contents

• SSH
  • Table of Contents
  • Connect with specific key
  • SSH Key Management
  • Verbose
  • Enable root login
  • Firewall Configuration with firewalld
  • SCP (Secure Copy Protocol)
  • Send Remote Commands
  • Test Connection, Add Alias, and Update Known Hosts
  • Remove Offending SSH Keys
  • Change SSH Port
  • Restart ssh

Connect with specific key

ssh -i /home/fabrice/.ssh/fabquenneville root@servername.fabq.ca
ssh -i /home/fabrice/.ssh/fabquenneville fabrice@servername.fabq.ca

SSH Key Management

Generate a new RSA SSH key pair with a 4096-bit key length

ssh-keygen -t rsa -b 4096 -C "fabrice@fabq.ca" -f ~/.ssh/fabrice@fabq.ca

• ssh-keygen -t rsa -b 4096: This command generates a new RSA SSH key pair with a key size of 4096 bits for enhanced security.
• -C "fabrice@fabq.ca": This option adds a comment to the key, usually the email address of the key owner.
• -f ~/.ssh/fabrice@fabq.ca: This specifies the filename for the private key; the public key will be saved with the same name but with a .pub extension.

Copy the generated SSH keys to the remote server

scp ~/.ssh/fabrice@fabq.ca* fabrice@servername.fabq.ca:~/.ssh/

• scp ~/.ssh/fabrice@fabq.ca*: This command securely copies both the private and public keys to the remote server.
• fabrice@servername.fabq.ca:~/.ssh/: Specifies the destination path on the remote server where the keys will be copied.

Install the public key on the remote server for passwordless authentication

ssh-copy-id fabrice@192.168.1.100
ssh-copy-id fabrice@servername.fabq.ca

• ssh-copy-id "fabrice@servername.fabq.ca": This command installs the public key on the specified remote server, allowing for passwordless SSH login.

Install the public key on multiple servers using specific private key

ssh-copy-id -i /home/fabrice/.ssh/fabquenneville root@192.168.1.100
ssh-copy-id -i /home/fabrice/.ssh/fabquenneville fabrice@servername.fabq.ca

• ssh-copy-id -i /home/fabrice/.ssh/fabquenneville: This specifies which private key to use for authentication when copying the public key.
• root@192.168.1.100 and fabrice@servername.fabq.ca: These commands install the public key on the respective remote servers, allowing for secure, passwordless access.

Verbose

• Use the 'ssh' command with the '-v' option to enable verbose mode, which provides detailed information about the connection process.

ssh -i /home/fabrice/.ssh/fabquenneville -v root@servername.fabq.ca
ssh -i /home/fabrice/.ssh/fabquenneville -v fabrice@servername.fabq.ca

Enable root login

• Modify the SSH configuration file to allow root login.

nano /etc/ssh/sshd_config

Edit the configuration as follows:

PermitRootLogin prohibit-password
PermitRootLogin yes

Firewall Configuration with firewalld

Allow SSH service through the firewall

firewall-cmd --permanent --zone=public --add-service=ssh

• firewall-cmd: This is the command-line tool used to manage firewalld.
• --permanent: This option ensures that the change persists across reboots.
• --zone=public: Specifies the zone to which the rule applies. The "public" zone is typically used for untrusted networks.
• --add-service=ssh: This adds the SSH service to the specified zone, allowing incoming SSH connections.

Examples of configuring other Linux firewalls

1. Using UFW (Uncomplicated Firewall)

   Allow SSH traffic

   ufw allow ssh
   

   • This command allows incoming SSH traffic through the firewall. UFW is designed to simplify the process of managing a firewall.

2. Using iptables

   Allow SSH traffic

   iptables -A INPUT -p tcp --dport 22 -j ACCEPT
   

   • iptables: This is a low-level tool for managing Linux firewalls.
   • -A INPUT: Appends the rule to the INPUT chain.
   • -p tcp: Specifies that this rule applies to TCP packets.
   • --dport 22: Indicates that this rule applies to traffic on port 22 (the default SSH port).
   • -j ACCEPT: Instructs the firewall to accept the specified traffic.

3. Using nftables

   Allow SSH traffic

   nft add rule ip filter input tcp dport 22 accept
   

   • nft: The command-line tool for interacting with the nftables framework.
   • add rule ip filter input: Adds a new rule to the input chain of the filter table.
   • tcp dport 22: Matches TCP packets directed to port 22.
   • accept: Specifies that the matching packets should be accepted.

Note: Be sure to reload or restart the firewall service after making changes to apply the new rules effectively.

SCP (Secure Copy Protocol)

• The scp command is used to securely transfer files and directories between local and remote systems over SSH.

Copy Local File to Remote Server

To copy a file from your local machine to a remote server, use the following syntax:

scp /local/file/path fabrice@servername.fabq.ca:/remote/file/path

• /local/file/path: Specify the path to the local file you want to copy.
• fabrice@servername.fabq.ca: This is the user and remote server where the file will be copied.
• /remote/file/path: This is the destination path on the remote server.

Copy a Directory

To copy an entire directory, use the -r option, which stands for "recursive":

scp -r /home/fabrice/foldername/ root@servername.fabq.ca:/remote/parent/

• -r: This option enables recursive copying of directories and their contents.
• /home/fabrice/foldername/: The path to the local directory you wish to copy.
• root@servername.fabq.ca:/remote/parent/: The destination path on the remote server where the directory will be copied.

Copy a Configuration File Using a Specific SSH Key

To copy a configuration file while specifying a particular SSH key for authentication, use the following command:

scp -i /home/fabrice/.ssh/fabquenneville /mnt/workbench/webserver/projectname/config.ini fabrice@servername.fabq.ca:/mnt/workbench/projectname/

• -i /home/fabrice/.ssh/fabquenneville: This option specifies the identity file (private key) for authentication.
• /mnt/workbench/webserver/projectname/config.ini: The path to the local configuration file being transferred.
• fabrice@servername.fabq.ca: The user and server to which the file is being copied.
• /mnt/workbench/projectname/: The destination path on the remote server where the file will be stored.

Send Remote Commands

Execute Commands Directly on a Remote Server

You can use the ssh command to execute various commands on a remote server. Here are some examples:

Run a Local Script on a Remote Server

ssh fabrice@servername.fabq.ca 'bash -s' < /local/path/to/script.sh

• This command will execute the local script located at /local/path/to/script.sh on the remote server.

Remove a file:

ssh fabrice@192.168.1.100 "rm /home/fabrice/filename.log"

Mount all filesystems:

ssh root@servername.fabq.ca "mount -a"

Reboot the remote server:

ssh root@servername.fabq.ca "reboot -h now"

Connect using a host key alias:

ssh -o "HostKeyAlias=servername" root@192.168.1.100

Test Connection, Add Alias, and Update Known Hosts

Test Connection with Host Key Alias

Use the following commands to establish an SSH connection while specifying a host key alias. This helps avoid conflicts with existing entries in the known_hosts file.

ssh -o 'HostKeyAlias=servername.fabq.ca' fabrice@192.168.1.100
ssh -o 'HostKeyAlias=servername' fabrice@192.168.1.100

Test Host Identity without Authenticating

To test the identity of a remote server without fully authenticating and to check connectivity, use the following command:

ssh -e none -o 'BatchMode=yes' -o 'HostKeyAlias=servername' fabrice@192.168.1.100 /bin/true

• -e none: Disables encryption for this command, which is useful in specific testing scenarios.
• -o 'BatchMode=yes': Ensures that SSH does not prompt for user interaction, making it suitable for scripts.
• /bin/true: Executes a simple command that always returns success, confirming the connection without further actions.

This command allows you to verify that you can connect to the server while avoiding any authentication prompts.

Retrieve Public SSH Keys

To retrieve the public SSH keys from a remote server, use the following command:

ssh-keyscan -H servername.fabq.ca

• This command fetches the public SSH keys from the specified server, allowing you to add them to your known_hosts file.
• It does not establish a full SSH session and is primarily used for key retrieval, which helps ensure secure connections in future interactions.

By using both commands, you can test connectivity to a remote server and gather its public SSH keys for secure authentication later.

Add Alias to SSH Config for Easy Access

To simplify your SSH connections, you can create an alias for your SSH connections by editing the ~/.ssh/config file:

Host servername
    HostName servername.fabq.ca
    User fabrice
    IdentityFile ~/.ssh/fabquenneville

• Host servername: This defines the alias you will use for the SSH connection.
• HostName servername.fabq.ca: This is the actual hostname of the remote server.
• User fabrice: This specifies the user to log in as.
• IdentityFile ~/.ssh/fabquenneville: This indicates the SSH key file to use for authentication.

Remove Offending SSH Keys

When you encounter an "offending key" warning when connecting to a server, you can remove the old key from the known_hosts file. This is necessary if the server's host key has changed.

View Known Hosts

To view the contents of your known_hosts file, use:

cat ~/.ssh/known_hosts

Edit Known Hosts Manually (Optional)

You can edit the known_hosts file manually if you prefer:

nano ~/.ssh/known_hosts

Update Known Hosts File with SSH Key

ssh-keyscan -H servername.fabq.ca >> ~/.ssh/known_hosts

• This command retrieves the public key of the specified server and appends it to your known_hosts file, allowing SSH to recognize the server during subsequent connections.

Remove Offending Key by Hostname

You can use the ssh-keygen command to remove specific keys from your known_hosts file. Here are examples for different scenarios:

• To remove the offending key for a specific server:

ssh-keygen -R "servername.fabq.ca"
ssh-keygen -R "192.168.1.100"

• To specify the known_hosts file directly:

ssh-keygen -f "/home/fabrice/.ssh/known_hosts" -R "servername.fabq.ca"
ssh-keygen -f "/root/.ssh/known_hosts" -R "192.168.1.100"
ssh-keygen -f "/etc/ssh/ssh_known_hosts" -R "servername.fabq.ca"

Summary of Key Removal

You can also use a shorthand command to remove the offending key without specifying the file:

ssh-keygen -R servername.fabq.ca

This will automatically target the correct known_hosts file based on your user and system configuration.

Change SSH Port

To enhance security, you may want to change the default SSH port (22) to a custom port. Follow these steps:

1. Edit the SSH Configuration File

Open the SSH daemon configuration file using a text editor:

nano /etc/ssh/sshd_config

Edit the following line to set a new port (e.g., port 2222):

Port 2222

• Locate the line that specifies the port (usually #Port 22) and change it to your desired port number (e.g., Port 2222).
• Make sure to uncomment the line by removing the #.

2. Create Directory for Systemd Override

If you're using systemd, create a directory for the SSH socket override:

mkdir -p /etc/systemd/system/ssh.socket.d

3. Create an Override Configuration File

Create or edit the override configuration file for the SSH socket:

nano /etc/systemd/system/ssh.socket.d/override.conf

• Add the following lines to specify the custom port:

[Socket]
ListenPort=2222  # Replace with your desired port number

4. (Optional) Edit the Sockets Target Configuration

You may also want to edit the sockets target configuration to ensure it points to the correct SSH socket:

nano /etc/systemd/system/sockets.target.wants/ssh.socket

• Make any necessary adjustments based on your custom port.

5. Restart the SSH service to apply the changes

After making changes, restart the SSH service to apply the new configuration:

systemctl restart sshd

6. (Optional) Verify the New Port

To verify that SSH is listening on the new port, you can use:

netstat -tuln | grep LISTEN

This will display the ports currently being listened to, allowing you to confirm that your changes were successful.

Restart ssh

Restart the SSH service to apply changes

To restart the SSH service, use the following command:

systemctl restart sshd