scripts-fabq/notes/ssh.md
Fabrice Quenneville 89e4bd519a docs(notes): expand storage, btrfs, linux, and ssh notes
btrfs.md:
- Add device scan (no-arg form) and device stats --reset / -z
- Add read-only mount, remount with performance/default options
- Add Degraded Mount and Missing Device Removal subsection
- Add stdbuf + zstd backgrounded defrag with log output
- Add RAID1 balance conversion
- Add ionice for scrub, watch scrub+device stats, watch scrub+temperatures
- Add Recovery → Filesystem Check (btrfs check, --force)
- Add Recovery → Diagnosis (journal by date, dmesg btrfs filter)

linux.md:
- Add CPU info commands (lscpu, /proc/cpuinfo, core count)
- Add GPU info (lspci | grep vga) and CPU scaling driver
- Add mount --bind and chroot with pseudo-fs setup
- Add update-initramfs -k all and -c -k $(uname -r) variants
- Add NFS section (showmount, exportfs)
- Add Network Diagnostics section (curl timing, high-freq ping, jumbo frame ping)
- Add journal date filtering and microcode grep to Diagnosis

ssh.md:
- Add Placeholders section
- Replace all hardcoded usernames, hostnames, IPs, and key paths with placeholders
- Add Skip Host Key Verification section (StrictHostKeyChecking, UserKnownHostsFile)

storage.md:
- Add lsblk -e 7 to exclude loop devices
- Add blkid <partition> variant
- Add cat /proc/mounts grep
- Add SMART filtered greps (Reallocated, Pending, UDMA_CRC, Load_Cycle_Count)
- Add drive temperature one-liner and watch loop
- Add Hardware Monitoring section (lm-sensors, sensors-detect, sensors)
- Add Kernel Messages section (dmesg tail, err/warn, -T, nvme, ata/scsi, I/O, ATA port mapping)
- Add strings on raw device to Hex Dump
2026-05-12 01:03:26 -04:00


SSH


Placeholders

Replace the placeholders below with the appropriate values for your setup:

  • Connection

    • Username: <username> (e.g., john)
    • Hostname: <hostname> (e.g., server.example.com)
    • IP address: <ip> (e.g., 192.168.1.100)
    • SSH port: <port> (e.g., 2222)
    • SSH key: <keyfile> (e.g., ~/.ssh/id_rsa)
    • Key comment: <key-comment> (e.g., john@example.com)
    • Host alias: <alias> (e.g., myserver)
  • Paths

    • Local file: <local-path> (e.g., /home/user/file.txt)
    • Remote path: <remote-path> (e.g., /home/user/file.txt)
    • Local script: <script-path> (e.g., /home/user/script.sh)
    • Project name: <project> (e.g., myapp)

Connect with specific key

ssh -i <keyfile> root@<hostname>
ssh -i <keyfile> <username>@<hostname>

Skip Host Key Verification

Useful for ephemeral machines, VMs, or hosts that are frequently rebuilt, where a saved known_hosts entry would otherwise trigger a "REMOTE HOST IDENTIFICATION HAS CHANGED" error:

ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null <username>@<hostname>
  • StrictHostKeyChecking=no: Accepts new host keys without prompting and proceeds even when a host key has changed. The safer value is accept-new, which still adds unknown keys automatically but refuses a changed key.
  • UserKnownHostsFile=/dev/null: Discards the host key entirely; nothing is saved to ~/.ssh/known_hosts, so every connection is treated as a first contact and even accept-new cannot detect a change. Pointing this option at a separate file per host keeps the first-seen key while still avoiding conflicts with the main known_hosts.
  • ⚠️ Do not use on untrusted networks: this disables MITM protection, so whoever answers on that address can read anything typed into the session (passwords, sudo prompts) and use a forwarded agent.

SSH Key Management

Generate a new RSA SSH key pair with a 4096-bit key length

ssh-keygen -t rsa -b 4096 -C "<key-comment>" -f <keyfile>
  • ssh-keygen -t rsa -b 4096: Generates a new RSA SSH key pair with a key size of 4096 bits, above ssh-keygen's 3072-bit RSA default. For new keys, Ed25519 (-t ed25519, no -b needed) is the usual choice: shorter keys, faster operations, and no key size to get wrong.
  • -C "<key-comment>": Adds a comment to the key, usually the email address of the key owner; the comment plays no part in authentication.
  • -f <keyfile>: Specifies the filename for the private key; the public key will be saved with the same name but with a .pub extension. ssh-keygen then prompts for a passphrase; leave it empty only for keys that must work unattended.

Copy the generated SSH keys to the remote server

scp <keyfile>* <username>@<hostname>:~/.ssh/
  • scp <keyfile>*: The glob matches both <keyfile> and <keyfile>.pub, so this copies the private key as well. Only do this when the remote host itself has to authenticate with this identity (e.g., as a jump host or build runner). To authorize logins to the remote host, only the public key is needed (see ssh-copy-id below), and the private key should stay on the machine it was generated on.
  • <username>@<hostname>:~/.ssh/: Specifies the destination path on the remote server where the keys will be copied.

Install the public key on the remote server for passwordless authentication

ssh-copy-id <username>@<ip>
ssh-copy-id <username>@<hostname>
  • ssh-copy-id: Installs the public key on the specified remote server, allowing for passwordless SSH login.

Install the public key on multiple servers using a specific key

ssh-copy-id -i <keyfile> root@<ip>
ssh-copy-id -i <keyfile> <username>@<hostname>
  • -i <keyfile>: Selects which public key is installed (<keyfile>.pub; the .pub suffix is added if it is missing) instead of every identity the agent currently holds. Without -i, ssh-copy-id installs all of them, which is rarely what you want on a shared workstation.

Install the public key on the remote server for passwordless authentication manually

This process is useful when ssh-copy-id is unavailable, or when you want more granular control over the setup. Follow these steps on the remote server:

  1. Create the .ssh directory if it doesn't exist and set proper permissions:

    mkdir -p /home/<username>/.ssh
    chmod 700 /home/<username>/.ssh
    
  2. Open the authorized_keys file and paste the public key (the single line from <keyfile>.pub on the local machine; one key per line, never the private key):

    nano /home/<username>/.ssh/authorized_keys
    
  3. Set the correct permissions for the authorized_keys file:

    chmod 600 /home/<username>/.ssh/authorized_keys
    
  4. Ensure the ownership of the .ssh directory and its contents is set to the correct user. With the default StrictModes yes, sshd silently ignores authorized_keys if the file, the .ssh directory, or the home directory is owned by another user or writable by group/others:

    chown -R <username>:<username> /home/<username>/.ssh
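The four steps above as one idempotent script. This is an added example written for these notes, not a command from the original page; it assumes it runs on the remote server as root or as the target user, that the public key file is available there, and the demonstration at the bottom uses a constructed placeholder key line rather than real key material.

```shell
#!/bin/sh
# Added example: manual authorized_keys installation as one idempotent function.
# Usage: install_pubkey <user> <home-dir> <public-key-file>
# - refuses anything that is not a single OpenSSH public-key line (a common
#   mistake is pasting the private key into authorized_keys)
# - creates ~/.ssh with mode 0700 and authorized_keys with mode 0600, which is
#   what sshd's StrictModes expects before it will read the file
# - appends the key only if it is not already present
# - fixes ownership when run as root; otherwise leaves it to the caller
install_pubkey() {
    user="$1"; home="$2"; pub="$3"
    ssh_dir="$home/.ssh"
    auth="$ssh_dir/authorized_keys"

    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "refusing: $pub is a private key" >&2
        return 1
    fi
    # First line that looks like "<type> <base64> [comment]" for the key types sshd accepts
    key=$(grep -E '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp[0-9]+|sk-[a-z0-9-]+@openssh\.com) [A-Za-z0-9+/]+=*' "$pub" | head -n 1)
    if [ -z "$key" ]; then
        echo "refusing: $pub does not contain an OpenSSH public key line" >&2
        return 1
    fi

    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth"
    chmod 600 "$auth"

    if grep -qxF "$key" "$auth"; then
        echo "already authorized: ${key%% *}"     # prints the key type of the existing entry
    else
        printf '%s\n' "$key" >> "$auth"
        echo "installed: ${key%% *}"
    fi

    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$user:$user" "$ssh_dir"
    fi
}

# Demonstration in a scratch directory. The key line below is constructed for
# the example and is not a real key.
demo_dir=$(mktemp -d)
printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedNotARealKey0000000000000000 <key-comment>' > "$demo_dir/id.pub"
install_pubkey "$(id -un)" "$demo_dir/home" "$demo_dir/id.pub"
install_pubkey "$(id -un)" "$demo_dir/home" "$demo_dir/id.pub"   # second run changes nothing
rm -rf "$demo_dir"
```

Run it on the server as install_pubkey <username> /home/<username> /path/to/<keyfile>.pub; because it checks for an existing identical line, it is safe to rerun from provisioning scripts.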
    

Verbose

Use the -v option to enable verbose mode, which provides detailed information about the connection process:

ssh -i <keyfile> -v root@<hostname>
ssh -i <keyfile> -v <username>@<hostname>

Enable root login

Modify the SSH daemon configuration file to allow root login:

nano /etc/ssh/sshd_config

Set PermitRootLogin to one of the following. sshd uses the first matching line, so make sure only one occurrence is active and that it comes before any Match block:

PermitRootLogin prohibit-password
PermitRootLogin yes
  • prohibit-password: root may log in with a key but never with a password. This is the OpenSSH default and the value to prefer.
  • yes: root may also log in with a password, which exposes the root account directly to password guessing from anywhere the port is reachable.

Check the file with sshd -t before restarting sshd, and keep the current session open until a new root login has succeeded.

Firewall Configuration with firewalld

Allow SSH service through the firewall

firewall-cmd --permanent --zone=public --add-service=ssh
  • firewall-cmd: The command-line tool used to manage firewalld.
  • --permanent: Ensures that the change persists across reboots.
  • --zone=public: Specifies the zone to which the rule applies. The "public" zone is typically used for untrusted networks.
  • --add-service=ssh: Adds the SSH service to the specified zone, allowing incoming SSH connections.

Examples of configuring other Linux firewalls

  1. Using UFW (Uncomplicated Firewall)

    ufw allow ssh
    
  2. Using iptables

    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    
    • -A INPUT: Appends the rule to the INPUT chain.
    • -p tcp --dport 22: Matches TCP traffic on port 22.
    • -j ACCEPT: Accepts the specified traffic.
  3. Using nftables

    nft add rule ip filter input tcp dport 22 accept
    
    • add rule ip filter input: Adds a new rule to the input chain of the filter table.
    • tcp dport 22: Matches TCP packets directed to port 22.
    • accept: Accepts the matching packets.

Note: firewalld applies a --permanent rule only after firewall-cmd --reload (or repeat the command without --permanent to change the running configuration as well). ufw rules take effect immediately and persist across reboots. The iptables and nftables rules above take effect immediately but are lost at reboot unless saved with the distribution's persistence mechanism; iptables -A appends to the chain, so if INPUT already ends in a DROP or REJECT rule, insert with -I instead. The nftables command also assumes that the table ip filter and its chain input already exist. If sshd listens on a non-default port, replace 22 with <port>.

SCP (Secure Copy Protocol)

The scp command securely transfers files and directories between local and remote systems over SSH. Note that scp takes the port as -P <port> (uppercase), unlike ssh's -p.

Copy a local file to a remote server:

scp <local-path> <username>@<hostname>:<remote-path>

Copy a directory recursively:

scp -r <local-path>/ <username>@<hostname>:<remote-path>/
  • -r: Enables recursive copying of directories and their contents.

Copy a file using a specific SSH key:

scp -i <keyfile> <local-path> <username>@<hostname>:<remote-path>
  • -i <keyfile>: Specifies the identity file (private key) for authentication.

Send Remote Commands

Run a local script on a remote server:

ssh <username>@<hostname> 'bash -s' < <script-path>

Remove a file:

ssh <username>@<ip> "rm <remote-path>"

Mount all filesystems:

ssh root@<hostname> "mount -a"

Reboot the remote server:

ssh root@<hostname> "shutdown -r now"

The "-h now" arguments belong to shutdown, where -h halts the machine; they are not reboot options. Plain reboot is equivalent to shutdown -r now.

Connect using a host key alias:

ssh -o "HostKeyAlias=<alias>" root@<ip>

Test Connection, Add Alias, and Update Known Hosts

Test connection with host key alias:

Specify a host key alias when the same IP or hostname is reused by different machines (rebuilt VMs, several hosts port-forwarded behind one address). The alias, rather than the address, is used to look up and save the key in known_hosts, so each machine gets its own entry and a changed key on one of them does not conflict with the others.

ssh -o 'HostKeyAlias=<hostname>' <username>@<ip>
ssh -o 'HostKeyAlias=<alias>' <username>@<ip>

Test the connection non-interactively:

ssh -e none -o 'BatchMode=yes' -o 'HostKeyAlias=<alias>' <username>@<ip> /bin/true
  • -e none: Disables the escape character.
  • -o 'BatchMode=yes': Suppresses all prompts, suitable for scripts. An unknown or changed host key, or a key that needs a passphrase, makes the command fail instead of prompting, so the exit status tells you whether the host is already trusted and the key works unattended.
  • /bin/true: Simple command that always returns success, confirming the connection without further actions. This still authenticates with the key or agent; it only avoids interactive input.

Retrieve public SSH keys from a remote server:

ssh-keyscan -H <hostname>
  • Fetches the server's public host keys without establishing a full session; -H hashes the hostnames in the output, matching HashKnownHosts yes. Used to pre-populate known_hosts. Use -p <port> for a non-default port and -t ed25519 to restrict the key types. The output is whatever answered on the network, so before trusting it, compare its fingerprint (ssh-keygen -lf on the scan output) with the fingerprint of /etc/ssh/ssh_host_*_key.pub read on the server over a trusted channel such as the console.

Add an alias to SSH config for easy access:

Host <alias>
    HostName <hostname>
    User <username>
    IdentityFile <keyfile>

Remove Offending SSH Keys

When a server's host key has changed, remove the old entry from known_hosts.

View known hosts:

cat ~/.ssh/known_hosts

Edit known hosts manually:

nano ~/.ssh/known_hosts

Update known hosts with the current server key. Remove the stale entry first (below) so the old and new keys do not coexist, and verify the fingerprint out of band, since ssh-keyscan records whatever key is presented on the wire:

ssh-keyscan -H <hostname> >> ~/.ssh/known_hosts

Remove offending key by hostname or IP:

ssh-keygen -R "<hostname>"
ssh-keygen -R "<ip>"

Remove offending key specifying the known_hosts file:

ssh-keygen -f "/home/<username>/.ssh/known_hosts" -R "<hostname>"
ssh-keygen -f "/root/.ssh/known_hosts" -R "<ip>"
ssh-keygen -f "/etc/ssh/ssh_known_hosts" -R "<hostname>"
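Pinning a host key from ssh-keyscan output only after comparing it with a copy of the server's public key obtained out of band, covering the "Retrieve public SSH keys" and "Update known hosts" steps above. This is an added example, not part of the original notes: the scan output and keys are constructed (not real key material), the hostname server.example.com and port 2222 are the placeholder examples from this page, and the entry is written in plain (unhashed) form.

```shell
#!/bin/sh
# Added example: trust a scanned host key only if it matches a copy of the
# server's /etc/ssh/ssh_host_*_key.pub obtained through a trusted channel
# (console, provisioning system), then write a plain known_hosts entry.

# Print "type base64" for the first key of the given type in ssh-keyscan output.
# ssh-keyscan lines are "<host> <type> <base64>"; with -H the host field is hashed.
scanned_key() {
    scan="$1"; type="$2"
    awk -v t="$type" '$2 == t { print $2 " " $3; exit }' "$scan"
}

# Host token as OpenSSH writes it: bare hostname on port 22, [host]:port otherwise.
host_token() {
    host="$1"; port="${2:-22}"
    if [ "$port" -eq 22 ]; then printf '%s' "$host"; else printf '[%s]:%s' "$host" "$port"; fi
}

# pin_host_key <known_hosts> <hostname> <port> <scan-output-file> <trusted-pubkey-file>
# Returns 1 and changes nothing if the scanned key differs from the trusted copy,
# which is exactly the situation the "REMOTE HOST IDENTIFICATION HAS CHANGED"
# warning exists to catch.
pin_host_key() {
    kh="$1"; host="$2"; port="$3"; scan="$4"; trusted="$5"
    expected=$(awk '{ print $1 " " $2; exit }' "$trusted")   # drop the comment field
    type="${expected%% *}"
    got=$(scanned_key "$scan" "$type")
    if [ -z "$got" ]; then
        echo "no $type key in scan output for $host" >&2; return 1
    fi
    if [ "$got" != "$expected" ]; then
        echo "host key mismatch for $host ($type); refusing to pin" >&2; return 1
    fi
    token=$(host_token "$host" "$port")
    [ -f "$kh" ] || : > "$kh"
    # Drop stale plain entries whose first field is exactly this token (hashed or
    # comma-separated entries need ssh-keygen -R as shown above), then append
    # the verified key. cat rather than mv keeps the file's owner and mode.
    tmp="$kh.tmp.$$"
    awk -v tok="$token" '$1 != tok' "$kh" > "$tmp" && cat "$tmp" > "$kh" && rm -f "$tmp"
    printf '%s %s\n' "$token" "$got" >> "$kh"
}

# Demonstration with constructed data (no network, no real keys).
d=$(mktemp -d)
# What "ssh-keyscan -H -p 2222 server.example.com" might print: hashed host, one ed25519 key
printf '%s\n' '|1|c29tZXNhbHQ=|c29tZWhhc2g= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedServerKey000000000000000000' > "$d/scan"
# The server's own public host key, copied out of band
printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedServerKey000000000000000000 root@server' > "$d/trusted.pub"
pin_host_key "$d/known_hosts" server.example.com 2222 "$d/scan" "$d/trusted.pub" && cat "$d/known_hosts"
rm -rf "$d"
```

The demonstration prints one line, "[server.example.com]:2222 ssh-ed25519 AAAA...", which is the form ssh looks up when connecting with -p 2222. Feed it real input with ssh-keyscan -p <port> <hostname> > scan.txt on the client and the server's ssh_host_ed25519_key.pub as the trusted file.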

Change SSH Port

1. Edit the SSH daemon configuration file:

nano /etc/ssh/sshd_config

Set the desired port (before any Match block; the first Port line wins):

Port <port>

On distributions that socket-activate sshd (e.g., Ubuntu 22.10 and later, which ship an ssh.socket unit), the Port directive in sshd_config is ignored and the listening port is taken from the socket unit, which is what steps 2 to 4 change. Where sshd runs as a plain service, skip them.

2. Create the directory for the systemd drop-in:

mkdir -p /etc/systemd/system/ssh.socket.d

3. Create the override file. The first, empty ListenStream= line clears the default port 22 before the new port is added (ListenPort is not a systemd socket option and is ignored with a warning):

nano /etc/systemd/system/ssh.socket.d/override.conf
[Socket]
ListenStream=
ListenStream=<port>

4. (Not recommended) Editing the socket unit directly

/etc/systemd/system/sockets.target.wants/ssh.socket is a symlink to the packaged unit file, so editing it modifies that file and the change is overwritten on the next package upgrade. The drop-in from step 3 is the supported way to override it; systemctl edit ssh.socket creates the same drop-in for you.

5. Validate the configuration, then restart the unit that owns the listening socket:

sshd -t
systemctl daemon-reload
systemctl restart ssh.socket

With a non-socket-activated sshd, restart the service instead (sshd on RHEL/Fedora/Arch, ssh on Debian/Ubuntu):

systemctl restart sshd

Open <port> in the firewall (see Firewall Configuration above) before closing the current session; on SELinux systems the new port must also be labelled for sshd (semanage port -a -t ssh_port_t -p tcp <port>), or sshd will fail to bind it.

6. Verify the new port:

ss -tlnp | grep sshd

On systems that still ship net-tools, netstat -tuln | grep LISTEN shows the same information.
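A script version of the sshd_config edits from the Enable root login and Change SSH Port sections, added here as an example rather than taken from the original notes. sshd_set changes a directive in place following the same first-match rule sshd applies, and sshd_apply shows the validate-then-restart sequence. The configuration in the demonstration is constructed, and the unit names (ssh.socket, sshd, ssh) are the ones used above in these notes.

```shell
#!/bin/sh
# Added example: idempotent sshd_config editing plus validate-and-restart.
# sshd honours the first occurrence of a directive, and a directive placed
# after a Match line only applies inside that block. sshd_set therefore
# replaces the first active or commented occurrence in the global section,
# or inserts the directive just before the first Match block if there is none.
# Usage: sshd_set <config-file> <Directive> <value>
sshd_set() {
    cfg="$1"; key="$2"; val="$3"
    [ -f "$cfg" ] || : > "$cfg"
    tmp="$cfg.tmp.$$"
    awk -v key="$key" -v val="$val" '
        # Reached the first Match block without finding the directive: insert here.
        !done && tolower($1) == "match" { print key " " val; done = 1 }
        !done {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)      # strip indentation and a leading #
            split(line, f, /[ \t=]+/)             # "Key value" or "Key=value"
            if (tolower(f[1]) == tolower(key)) { print key " " val; done = 1; next }
        }
        { print }
        END { if (!done) print key " " val }      # neither an occurrence nor a Match block
    ' "$cfg" > "$tmp" && cat "$tmp" > "$cfg" && rm -f "$tmp"
    # cat rather than mv keeps the file's owner, mode and SELinux label
}

# Validate, then restart whichever unit actually owns the listening socket.
# Assumption: unit names ssh.socket, sshd and ssh as used in these notes.
sshd_apply() {
    sshd -t || return 1                    # a bad directive here would lock you out
    if systemctl is-enabled --quiet ssh.socket 2>/dev/null; then
        systemctl daemon-reload && systemctl restart ssh.socket
    else
        systemctl restart sshd 2>/dev/null || systemctl restart ssh
    fi
}

# Demonstration on a scratch copy (constructed configuration, not a system file).
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
#Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
EOF
sshd_set "$demo_cfg" PermitRootLogin prohibit-password   # root with a key only
sshd_set "$demo_cfg" Port 2222
sshd_set "$demo_cfg" MaxAuthTries 3                      # new directive: lands before Match
cat "$demo_cfg"
rm -f "$demo_cfg"
```

The demonstration prints the file with the two commented defaults replaced in place and MaxAuthTries 3 inserted before the Match block, while the PasswordAuthentication yes inside the block is left alone. On layouts whose sshd_config starts with Include /etc/ssh/sshd_config.d/*.conf, point sshd_set at a file in that directory instead (e.g., sshd_set /etc/ssh/sshd_config.d/local.conf Port <port>): included files are read at the point of the Include line, so their directives come first and win.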

Restart ssh

systemctl restart sshd
  • The unit is called sshd on RHEL/Fedora/Arch and ssh on Debian/Ubuntu (which also accept sshd as an alias). Run sshd -t first so a typo in sshd_config does not leave the daemon down, and keep the current session open until a new login succeeds.