Ssh: Difference between revisions
Latest revision as of 17:04, 23 March 2020

== Cheat Sheet ==
<pre>
ssh-keygen -t ed25519 -a 31                          # create a public/private key pair
ssh -L localhost:2222:perth:22 tube                  # create a tunnel to perth via tube
hg clone ssh://hg@localhost:2222/irc/peplab-dev dev  # use the tunnel for Mercurial
</pre>

== Basics ==
To log into a remote computer that's running an ssh server:
<pre>
ssh -l barney myserver.com
</pre>
or
<pre>
ssh barney@myserver.com
</pre>
To copy a file to barney's home directory on a remote computer:
<pre>
scp test.txt barney@myserver.com:
</pre>
To copy a directory to barney's home directory on a remote computer:
<pre>
scp -r my_dir/ barney@myserver.com:
</pre>
To copy a file to another directory on a remote computer:
<pre>
scp test.txt barney@myserver.com:/tmp
</pre>
To copy a file from a remote computer to the local computer:
<pre>
scp barney@myserver.com:test.txt .
</pre>
To execute a command on a remote computer (the remote home directory is the current directory):
<pre>
ssh barney@myserver.com pwd
</pre>
If the username is the same on both the local and remote computers, it may be omitted in the above commands.

==== SSH server listening on alternate port ====
If the SSH server is listening on port 1234 instead of the standard 22, modify the commands as follows:
<pre>
ssh -p1234 ...
</pre>
and
<pre>
scp -P1234 ...
</pre>

== Public/Private Keys ==
https://help.ubuntu.com/community/SSH/OpenSSH/Keys

SSH is a client-server protocol. You use an ssh client to connect to a remote host running an ssh server (where you already have an account). Your public key is stored on the remote computer. ssh-agent runs on the local machine, and you must give it your private key and its passphrase to unlock it (with ssh-add).

Port forwarding or tunneling reroutes a TCP/IP connection to pass through an SSH connection.

Public/private key pairs are an alternative to passwords and are useful for automated logins and file transfers. The local user creates a public/private key pair and gives the public key to the remote user. When the local user tries to log in to the remote account, the remote host uses the local user's public key to encrypt a random string. The local user then decrypts this with the private key and sends it back to the remote host. This authenticates the local user to the remote user account.

To create a public/private key pair:
<pre>
ssh-keygen -t rsa -b 8192      # for servers with SSH2 but without ecdsa
ssh-keygen -t ecdsa -b 521     # currently best security for SSH1
ssh-keygen -t ed25519 -a 31    # new
</pre>

This creates a public key at <code>~/.ssh/id_ecdsa.pub</code> and a private key at <code>~/.ssh/id_ecdsa</code> (the file name follows the key type).

To set up key-based login from <code>larry@local</code> to <code>roger@remote</code>:
* Login as <code>larry@local</code> and run the <code>ssh-keygen</code> command.
* Copy the text from <code>~larry/.ssh/id_dsa.pub</code> on local and append it to <code>~roger/.ssh/authorized_keys</code> on remote.
* From the <code>larry@local</code> account, type <code>ssh roger@remote</code>. You should not be prompted for <code>roger@remote</code>'s password. If you supplied a passphrase when generating the key pair, you will be asked for that passphrase instead. If you left the passphrase blank, you won't be asked for any authentication.

=== Troubleshooting permissions ===
<pre>
chmod go-w ~/
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
</pre>
ALSO: some older Ubuntu releases won't accept ECDSA keys.
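As an added example that is not part of the wiki page, the following script performs the remote-side step of the key-based login setup above (appending a public key to <code>authorized_keys</code>) and audits the modes from the Troubleshooting section; it assumes GNU coreutils <code>stat -c</code> and uses a constructed key line, not a real key.

```shell
#!/bin/sh
# Added example, not from the wiki page: install a public key into
# authorized_keys the way the larry@local -> roger@remote steps do, then
# audit the file modes that most often break key-based login.
# Assumes GNU coreutils stat (-c %a); all paths come from the caller.

# Accept only a single-line OpenSSH public key of a type the page mentions.
valid_pubkey() {
    printf '%s\n' "$1" |
      grep -Eq '^(ssh-ed25519|ssh-rsa|ssh-dss|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
}

# install_pubkey <home> <pubkey-file>: append the key to <home>/.ssh/authorized_keys
# unless its blob is already there, applying the modes from the Troubleshooting section.
install_pubkey() {
    home=$1; key=$(head -n 1 "$2")
    valid_pubkey "$key" || { echo "rejected: not an OpenSSH public key line" >&2; return 1; }
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    ak="$home/.ssh/authorized_keys"
    touch "$ak" && chmod 600 "$ak"
    blob=$(printf '%s\n' "$key" | cut -d' ' -f1,2)   # key type + base64; comment ignored
    grep -qF -- "$blob" "$ak" || printf '%s\n' "$key" >> "$ak"
}

# last3 <path>: permission bits as three octal digits (drops setuid/setgid/sticky).
last3() { m=$(stat -c %a "$1"); case $m in ????) m=${m#?};; esac; printf '%s' "$m"; }

# audit_ssh_perms <home>: report each mode sshd's StrictModes would reject and
# return the number of problems (0 = acceptable). Private keys are checked too,
# which the page's chmod list omits.
audit_ssh_perms() {
    home=$1; n=0
    case $(last3 "$home") in ?[0145][0145]) ;; *) echo "$home: group/other writable"; n=$((n+1));; esac
    case $(last3 "$home/.ssh") in 700) ;; *) echo "$home/.ssh: should be 700"; n=$((n+1));; esac
    case $(last3 "$home/.ssh/authorized_keys") in 600|400) ;;
        *) echo "$home/.ssh/authorized_keys: should be 600"; n=$((n+1));; esac
    for k in "$home"/.ssh/id_*; do
        [ -f "$k" ] || continue
        case $k in *.pub) continue;; esac
        case $(last3 "$k") in 600|400) ;; *) echo "$k: private key must be 600"; n=$((n+1));; esac
    done
    return "$n"
}

# Demo on a throwaway home with a constructed key line (not a real key).
demo_home=$(mktemp -d)
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedNotARealKeyBlob0000 larry@local\n' > "$demo_home/id_ed25519.pub"
install_pubkey "$demo_home" "$demo_home/id_ed25519.pub" && audit_ssh_perms "$demo_home" && echo "ok: $demo_home/.ssh/authorized_keys"
rm -rf "$demo_home"
```

Running <code>audit_ssh_perms ~</code> on the remote account reproduces the checks behind the three <code>chmod</code> lines above and names the offending path.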