From Aktivix
Jump to navigation Jump to search

Some notes on using ssh...

Generate a key

ssh-keygen -t rsa -b 6144

WindowMaker, ssh-agent and public keys

Generate a key pair and use a passphrase:

$ ssh-keygen -t dsa

Then copy the public key onto the remote machine:

$ scp ~/.ssh/

Then connect to the remote machine and do the folowing.

If you don't have a ~/.ssh then create one:

$ mkdir ~/.ssh
$ chmod 750 ~/.ssh

Create or append to the authorized_keys file:

$ cat ~/ >> ~/.ssh/authorized_keys
$ rm ~/ 

Sometime the authorized_keys file has the wrong permissions:

$ chmod 640 ~/.ssh/authorized_keys

The you need to edit your ~/.xinitrc file locally so that you are prompted for the passphrase when you startx:

exec ssh-agent sh -c 'ssh-add < /dev/null & RunWM --WindowMaker'

Now after starting X you are asked for a passphrase and after that you can ssh to remote machines without a password :-)

Simpler command-lines

You can make aliases for frequently-used hosts in your .ssh/config file by adding paragraphs like:

 Host shortname

Then "ssh shortname" will be the same as if you had typed "ssh". You can put other settings in those paragraphs, like "Compression yes" to speed things up on hosts that support it.

X11 forwarding

Many distros enable X11 forwarding by default, this is not a good idea, because:

if you log in via SSH to a remote server with X11 forwarding, root on that server can access your desktop, sniff your keystrokes, abuse your windows, you name it -

Yeew! To turn off X11 forwarding add this to your ~/.ssh/config or /etc/ssh/ssh_config file:

 Host *
 ForwardX11 no
 ForwardAgent no

Then if you do need to connect to a machine with X11 forwarding you can explicitly turn it on:

 $ ssh -X

Disabling ssh version 1

Many distros have ssh 1 enables but this is hardly ever needed now, to disable it edit your /etc/ssh/sshd_config file:

 # Protocol 2,1
 Protocol 2

Limiting users who can connect

If you want to limit who can ssh into your machine then you can do this in the /etc/ssh/sshd_config file:

 AllowUsers lisa bart

Print MessageOfTheDay

The option PrintMotd specifies whether the ssh daemon should print the contents of the /etc/motd file when a user logs in interactively. The /etc/motd file is also known as the message of the day.

 PrintMotd yes


The option LoginGraceTime specifies how long in seconds after a connection request the server will wait before disconnecting if the user has not successfully logged in.

 LoginGraceTime 30


The option PermitRootLogin specifies whether root can log in using ssh. Never say yes to this option.

 PermitRootLogin no

Restrict Access by IP

You will need to edit /etc/hosts.allow and /etc/hosts.deny with the IP addresses that you want to allow or deny.

 vi /etc/hosts.allow
 sshd: my.allowable.ip.addresses

to allow your machines to access.

 vi /etc/hosts.deny
 sshd: ALL

to keep out everybody else. Also restrict access using iptables just to make sure.

You can add to the hosts.deny dynamically with a script. Useful if you are getting brute force attacks. Run the following from a cron job every 15 minutes ( or less )

grep "Illegal user" $LOGFILE | cut -d':' -f 7 | cut -d' ' -f1 | sort | uniq -c | while read i
       count=`echo $i | cut -d" " -f1`
       ip=`echo $i | cut -d" " -f2`
#       echo "count="$count
#       echo "ip="$ip
        already=`grep $ip $HOSTSDENY | grep sshd`
       if [ -z "$already"  ]
               if [ "$count" -ge "$BADCOUNT" ]
                       echo "banned from sshd: "$ip
                       echo "sshd: "$ip >> $HOSTSDENY

Setting allowed remote addresses in authorized_keys

You can also put IP addresses / hostnames into the authorized_keys file to limit access using a from line, eg:

from="*" ssh-rsa AAAAB3NzaC1…
from="," ssh-rsa AAAAB3NzaC1…

See Key Access Limits and Authorized_keys file format.

SSH Port Forwarding

There is a good article on Security Focus that covers SSH Port Forwarding.

An example to forward 3128 locally to a remote machine running squid that is set to allow you to access it, you don't need root to set this up since it's a high port number

$ ssh -L -l username -N