btrfs.md:
- Add device scan (no-arg form) and device stats --reset / -z
- Add read-only mount, remount with performance/default options
- Add Degraded Mount and Missing Device Removal subsection
- Add stdbuf + zstd backgrounded defrag with log output
- Add RAID1 balance conversion
- Add ionice for scrub, watch scrub+device stats, watch scrub+temperatures
- Add Recovery → Filesystem Check (btrfs check, --force)
- Add Recovery → Diagnosis (journal by date, dmesg btrfs filter)

linux.md:
- Add CPU info commands (lscpu, /proc/cpuinfo, core count)
- Add GPU info (lspci | grep vga) and CPU scaling driver
- Add mount --bind and chroot with pseudo-fs setup
- Add update-initramfs -k all and -c -k $(uname -r) variants
- Add NFS section (showmount, exportfs)
- Add Network Diagnostics section (curl timing, high-freq ping, jumbo frame ping)
- Add journal date filtering and microcode grep to Diagnosis

ssh.md:
- Add Placeholders section
- Replace all hardcoded usernames, hostnames, IPs, and key paths with placeholders
- Add Skip Host Key Verification section (StrictHostKeyChecking, UserKnownHostsFile)

storage.md:
- Add lsblk -e 7 to exclude loop devices
- Add blkid <partition> variant
- Add cat /proc/mounts grep
- Add SMART filtered greps (Reallocated, Pending, UDMA_CRC, Load_Cycle_Count)
- Add drive temperature one-liner and watch loop
- Add Hardware Monitoring section (lm-sensors, sensors-detect, sensors)
- Add Kernel Messages section (dmesg tail, err/warn, -T, nvme, ata/scsi, I/O, ATA port mapping)
- Add strings on raw device to Hex Dump
SSH
Table of Contents
- SSH
- Table of Contents
- Placeholders
- Connect with specific key
- Skip Host Key Verification
- SSH Key Management
- Verbose
- Enable root login
- Firewall Configuration with firewalld
- SCP (Secure Copy Protocol)
- Send Remote Commands
- Test Connection, Add Alias, and Update Known Hosts
- Remove Offending SSH Keys
- Change SSH Port
- Restart ssh
Placeholders
Replace the placeholders below with the appropriate values for your setup:
- Connection
  - Username: <username> (e.g., john)
  - Hostname: <hostname> (e.g., server.example.com)
  - IP address: <ip> (e.g., 192.168.1.100)
  - SSH port: <port> (e.g., 2222)
  - SSH key: <keyfile> (e.g., ~/.ssh/id_rsa)
  - Key comment: <key-comment> (e.g., john@example.com)
  - Host alias: <alias> (e.g., myserver)
- Paths
  - Local file: <local-path> (e.g., /home/user/file.txt)
  - Remote path: <remote-path> (e.g., /home/user/file.txt)
  - Local script: <script-path> (e.g., /home/user/script.sh)
  - Project name: <project> (e.g., myapp)
Connect with specific key
ssh -i <keyfile> root@<hostname>
ssh -i <keyfile> <username>@<hostname>
Skip Host Key Verification
Useful for ephemeral machines, VMs, or hosts that are frequently rebuilt where saved known_hosts entries would cause conflicts:
ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null <username>@<hostname>
- StrictHostKeyChecking=no: Automatically accepts new or changed host keys without prompting.
- UserKnownHostsFile=/dev/null: Discards the host key entirely; nothing is saved to ~/.ssh/known_hosts.
- ⚠️ Do not use on untrusted networks: this disables MITM protection.
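These two options tend to migrate from one-off commands into persistent ssh_config files and deployment scripts. The following added example (not part of the original page) reports every such occurrence together with the enclosing Host pattern; the function names, the sample config, the sample script and the address in it are constructed for illustration.

```sh
#!/bin/sh
# audit_hostkey_opts FILE...
# Prints file:line:scope:finding for each line that disables host key checks.
# scope is the enclosing ssh_config "Host" pattern, or "-" when there is none.
audit_hostkey_opts() {
  awk '
    FNR == 1 { scope = "-" }                 # new file: no Host block seen yet
    {
      text = $0
      sub(/^[ \t]+/, "", text)               # ssh_config allows leading blanks
      if (text == "" || text ~ /^#/) next    # skip blank lines and comments
      lc = tolower(text)                     # option names are case-insensitive
      if (lc ~ /^host[ \t=]+/) {             # "Host <patterns>" opens a new scope
        scope = text
        sub(/^[^ \t=]+[ \t=]+/, "", scope)
        next
      }
      # Covers "Key value", "Key=value" and the command-line "-o Key=value".
      if (lc ~ /stricthostkeychecking[ \t=]+"?(no|off)([^a-z]|$)/)
        printf "%s:%d:%s:StrictHostKeyChecking disabled\n", FILENAME, FNR, scope
      if (lc ~ /userknownhostsfile[ \t=]+"?\/dev\/null/)
        printf "%s:%d:%s:known_hosts discarded\n", FILENAME, FNR, scope
    }
  ' "$@"
}

# Constructed sample input: one ssh_config and one script, written to a temp dir.
demo_audit() {
  d=$(mktemp -d) || return 1
  cat > "$d/config" <<'EOF'
Host lab-*
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null
Host *
    StrictHostKeyChecking=accept-new
EOF
  cat > "$d/deploy.sh" <<'EOF'
# ssh -o StrictHostKeyChecking=no old@host
ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null deploy@192.0.2.10 uptime
EOF
  (cd "$d" && audit_hostkey_opts config deploy.sh)
  rm -rf "$d"
}
```

Calling demo_audit prints four findings: two scoped to lab-* in the config and two from the script. A finding whose scope is * or - deserves the closest look, because it is not limited to a named set of rebuilt hosts.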
SSH Key Management
Generate a new RSA SSH key pair with a 4096-bit key length
ssh-keygen -t rsa -b 4096 -C "<key-comment>" -f <keyfile>
- ssh-keygen -t rsa -b 4096: Generates a new RSA SSH key pair with a key size of 4096 bits for enhanced security.
- -C "<key-comment>": Adds a comment to the key, usually the email address of the key owner.
- -f <keyfile>: Specifies the filename for the private key; the public key will be saved with the same name but with a .pub extension.
Copy the generated SSH keys to the remote server
scp <keyfile>* <username>@<hostname>:~/.ssh/
- scp <keyfile>*: Securely copies both the private and public keys to the remote server. Only the public key (<keyfile>.pub) is needed there for key-based login to that server.
- <username>@<hostname>:~/.ssh/: Specifies the destination path on the remote server where the keys will be copied.
Install the public key on the remote server for passwordless authentication
ssh-copy-id <username>@<ip>
ssh-copy-id <username>@<hostname>
ssh-copy-id: Installs the public key on the specified remote server, allowing for passwordless SSH login.
Install the public key on multiple servers using a specific private key
ssh-copy-id -i <keyfile> root@<ip>
ssh-copy-id -i <keyfile> <username>@<hostname>
-i <keyfile>: Specifies which private key to use for authentication when copying the public key.
Install the public key on the remote server for passwordless authentication manually
This process is useful when ssh-copy-id is unavailable, or when you want more granular control over the setup. Follow these steps on the remote server:
1. Create the .ssh directory if it doesn't exist and set proper permissions:
mkdir -p /home/<username>/.ssh
chmod 700 /home/<username>/.ssh
2. Open the authorized_keys file and paste the public key (usually from ~/.ssh/id_rsa.pub on the local machine):
nano /home/<username>/.ssh/authorized_keys
3. Set the correct permissions for the authorized_keys file:
chmod 600 /home/<username>/.ssh/authorized_keys
4. Ensure the ownership of the .ssh directory and its contents is set to the correct user:
chown -R <username>:<username> /home/<username>/.ssh
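The four manual steps above as one repeatable function, given as an added example that is not part of the original page. The function name and its HOME_DIR, PUBKEY_FILE and OWNER arguments are assumptions; HOME_DIR stands for /home/<username>.

```sh
#!/bin/sh
# install_pubkey HOME_DIR PUBKEY_FILE [OWNER]
# Idempotent version of the manual steps: create .ssh (700), append the key to
# authorized_keys only if it is not already there (600), optionally chown.
install_pubkey() {
  home=$1; pub=$2; owner=${3:-}
  # A public key is one line; take the first non-blank line of the file.
  key=$(sed -n '/[^[:space:]]/{p;q;}' "$pub") || return 1
  # Accept only "<type> <base64> [comment]". This also rejects a private key
  # file (it starts with "-----BEGIN"), which must never go into authorized_keys.
  case $key in
    ssh-ed25519\ AAAA*|ssh-rsa\ AAAA*|ecdsa-sha2-nistp*\ AAAA*|sk-*\ AAAA*) ;;
    *) echo "install_pubkey: $pub does not hold a public key" >&2; return 2 ;;
  esac
  old_umask=$(umask); umask 077        # new files are never group/world readable
  auth=$home/.ssh/authorized_keys
  if mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh" && touch "$auth"; then
    # Match on "<type> <base64>" so a changed comment does not add a duplicate.
    blob=$(printf '%s\n' "$key" | awk '{ print $1 " " $2 }')
    if ! awk -v b="$blob" 'index($0, b) { found = 1 } END { exit !found }' "$auth"; then
      printf '%s\n' "$key" >> "$auth"
    fi
    chmod 600 "$auth"; rc=$?
    if [ "$rc" -eq 0 ] && [ -n "$owner" ]; then
      chown -R "$owner:$owner" "$home/.ssh"; rc=$?
    fi
  else
    rc=1
  fi
  umask "$old_umask"
  return "$rc"
}
```

Run it as root on the remote server with the uploaded .pub file as the second argument; running it again with the same key leaves authorized_keys unchanged.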
Verbose
Use the -v option to enable verbose mode, which provides detailed information about the connection process:
ssh -i <keyfile> -v root@<hostname>
ssh -i <keyfile> -v <username>@<hostname>
Enable root login
Modify the SSH configuration file to allow root login:
nano /etc/ssh/sshd_config
Edit the configuration as follows:
PermitRootLogin prohibit-password
PermitRootLogin yes
Firewall Configuration with firewalld
Allow SSH service through the firewall
firewall-cmd --permanent --zone=public --add-service=ssh
- firewall-cmd: The command-line tool used to manage firewalld.
- --permanent: Ensures that the change persists across reboots.
- --zone=public: Specifies the zone to which the rule applies. The "public" zone is typically used for untrusted networks.
- --add-service=ssh: Adds the SSH service to the specified zone, allowing incoming SSH connections.
Examples of configuring other Linux firewalls
- Using UFW (Uncomplicated Firewall)
  ufw allow ssh
- Using iptables
  iptables -A INPUT -p tcp --dport 22 -j ACCEPT
  - -A INPUT: Appends the rule to the INPUT chain.
  - -p tcp --dport 22: Matches TCP traffic on port 22.
  - -j ACCEPT: Accepts the specified traffic.
- Using nftables
  nft add rule ip filter input tcp dport 22 accept
  - add rule ip filter input: Adds a new rule to the input chain of the filter table.
  - tcp dport 22: Matches TCP packets directed to port 22.
  - accept: Accepts the matching packets.
Note: Reload or restart the firewall service after making changes to apply the new rules.
SCP (Secure Copy Protocol)
The scp command securely transfers files and directories between local and remote systems over SSH.
Copy a local file to a remote server:
scp <local-path> <username>@<hostname>:<remote-path>
Copy a directory recursively:
scp -r <local-path>/ <username>@<hostname>:<remote-path>/
-r: Enables recursive copying of directories and their contents.
Copy a file using a specific SSH key:
scp -i <keyfile> <local-path> <username>@<hostname>:<remote-path>
-i <keyfile>: Specifies the identity file (private key) for authentication.
Send Remote Commands
Run a local script on a remote server:
ssh <username>@<hostname> 'bash -s' < <script-path>
Remove a file:
ssh <username>@<ip> "rm <remote-path>"
Mount all filesystems:
ssh root@<hostname> "mount -a"
Reboot the remote server:
ssh root@<hostname> "reboot -h now"
Connect using a host key alias:
ssh -o "HostKeyAlias=<alias>" root@<ip>
Test Connection, Add Alias, and Update Known Hosts
Test connection with host key alias:
Commands to establish an SSH connection while specifying a host key alias. This helps avoid conflicts with existing entries in the known_hosts file.
ssh -o 'HostKeyAlias=<hostname>' <username>@<ip>
ssh -o 'HostKeyAlias=<alias>' <username>@<ip>
Test host identity without authenticating:
ssh -e none -o 'BatchMode=yes' -o 'HostKeyAlias=<alias>' <username>@<ip> /bin/true
- -e none: Disables escape character processing.
- -o 'BatchMode=yes': Suppresses all prompts, suitable for scripts.
- /bin/true: Simple command that always returns success, confirming the connection without further actions.
Retrieve public SSH keys from a remote server:
ssh-keyscan -H <hostname>
- Fetches the server's public SSH keys without establishing a full session. Used to pre-populate known_hosts.
Add an alias to SSH config for easy access:
Host <alias>
    HostName <hostname>
    User <username>
    IdentityFile <keyfile>
Remove Offending SSH Keys
When a server's host key has changed, remove the old entry from known_hosts.
View known hosts:
cat ~/.ssh/known_hosts
Edit known hosts manually:
nano ~/.ssh/known_hosts
Update known hosts with current server key:
ssh-keyscan -H <hostname> >> ~/.ssh/known_hosts
Remove offending key by hostname or IP:
ssh-keygen -R "<hostname>"
ssh-keygen -R "<ip>"
Remove offending key specifying the known_hosts file:
ssh-keygen -f "/home/<username>/.ssh/known_hosts" -R "<hostname>"
ssh-keygen -f "/root/.ssh/known_hosts" -R "<ip>"
ssh-keygen -f "/etc/ssh/ssh_known_hosts" -R "<hostname>"
Change SSH Port
1. Edit the SSH configuration file:
nano /etc/ssh/sshd_config
Set the desired port:
Port <port>
2. Create directory for systemd override:
mkdir -p /etc/systemd/system/ssh.socket.d
3. Create the override configuration file:
nano /etc/systemd/system/ssh.socket.d/override.conf
[Socket]
# An empty ListenStream= clears the packaged default before the new port is set
ListenStream=
ListenStream=<port>
4. (Optional) Edit the Sockets Target Configuration
You may also want to edit the sockets target configuration to ensure it points to the correct SSH socket:
nano /etc/systemd/system/sockets.target.wants/ssh.socket
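5. Reload systemd so the override is read, then restart the SSH socket and service to apply the changes:
systemctl daemon-reload
systemctl restart ssh.socket
systemctl restart sshd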
6. Verify the new port:
netstat -tuln | grep LISTEN
Restart ssh
systemctl restart sshd