Some notes on using ssh...
- 1 Generate a key
- 2 WindowMaker, ssh-agent and public keys
- 3 Simpler command-lines
- 4 X11 forwarding
- 5 Disabling ssh version 1
- 6 Limiting users who can connect
- 7 Print MessageOfTheDay
- 8 LoginGraceTime
- 9 PermitRootLogin
- 10 Restrict Access by IP
- 11 SSH Port Forwarding
Generate a key
ssh-keygen -t rsa -b 6144
WindowMaker, ssh-agent and public keys
Generate a key pair and use a passphrase:
$ ssh-keygen -t dsa
Then copy the public key onto the remote machine:
$ scp ~/.ssh/id_dsa.pub remote.example.com:
Then connect to the remote machine and do the folowing.
If you don't have a ~/.ssh then create one:
$ mkdir ~/.ssh $ chmod 750 ~/.ssh
Create or append to the authorized_keys file:
$ cat ~/id_dsa.pub >> ~/.ssh/authorized_keys $ rm ~/id_dsa.pub
Sometime the authorized_keys file has the wrong permissions:
$ chmod 640 ~/.ssh/authorized_keys
The you need to edit your ~/.xinitrc file locally so that you are prompted for the passphrase when you startx:
exec ssh-agent sh -c 'ssh-add < /dev/null & RunWM --WindowMaker'
Now after starting X you are asked for a passphrase and after that you can ssh to remote machines without a password :-)
You can make aliases for frequently-used hosts in your .ssh/config file by adding paragraphs like:
Host shortname Hostname the.real.hostname.slugbug.org.uk
Then "ssh shortname" will be the same as if you had typed "ssh the.real.hostname.slugbug.org.uk". You can put other settings in those paragraphs, like "Compression yes" to speed things up on hosts that support it.
Many distros enable X11 forwarding by default, this is not a good idea, because:
- if you log in via SSH to a remote server with X11 forwarding, root on that server can access your desktop, sniff your keystrokes, abuse your windows, you name it - http://www.hackinglinuxexposed.com/articles/20040705.html
Yeew! To turn off X11 forwarding add this to your ~/.ssh/config or /etc/ssh/ssh_config file:
Host * ForwardX11 no ForwardAgent no
Then if you do need to connect to a machine with X11 forwarding you can explicitly turn it on:
$ ssh -X example.org
Disabling ssh version 1
Many distros have ssh 1 enables but this is hardly ever needed now, to disable it edit your /etc/ssh/sshd_config file:
# Protocol 2,1 Protocol 2
Limiting users who can connect
If you want to limit who can ssh into your machine then you can do this in the /etc/ssh/sshd_config file:
AllowUsers lisa bart
The option PrintMotd specifies whether the ssh daemon should print the contents of the /etc/motd file when a user logs in interactively. The /etc/motd file is also known as the message of the day.
The option LoginGraceTime specifies how long in seconds after a connection request the server will wait before disconnecting if the user has not successfully logged in.
The option PermitRootLogin specifies whether root can log in using ssh. Never say yes to this option.
Restrict Access by IP
You will need to edit /etc/hosts.allow and /etc/hosts.deny with the IP addresses that you want to allow or deny.
vi /etc/hosts.allow sshd: my.allowable.ip.addresses
to allow your machines to access.
vi /etc/hosts.deny sshd: ALL
to keep out everybody else. Also restrict access using iptables just to make sure.
You can add to the hosts.deny dynamically with a script. Useful if you are getting brute force attacks. Run the following from a cron job every 15 minutes ( or less )
#!/bin/bash LOGFILE="/var/log/auth.log" HOSTSDENY="/etc/hosts.deny" BADCOUNT="10" grep "Illegal user" $LOGFILE | cut -d':' -f 7 | cut -d' ' -f1 | sort | uniq -c | while read i do count=`echo $i | cut -d" " -f1` ip=`echo $i | cut -d" " -f2` # echo "count="$count # echo "ip="$ip already=`grep $ip $HOSTSDENY | grep sshd` if [ -z "$already" ] then if [ "$count" -ge "$BADCOUNT" ] then echo "banned from sshd: "$ip echo "sshd: "$ip >> $HOSTSDENY fi fi done
You can also put IP addresses / hostnames into the authorized_keys file to limit access using a from line, eg:
from="*.example.org" ssh-rsa AAAAB3NzaC1…
from="foo.example.org,bar.example.com" ssh-rsa AAAAB3NzaC1…
SSH Port Forwarding
There is a good article on Security Focus that covers SSH Port Forwarding.
An example to forward 3128 locally to a remote machine running squid that is set to allow you to access it, you don't need root to set this up since it's a high port number
$ ssh -L 3128:remote.server.example.com:3128 -l username -N remote.server.example.com