Mercurial Mercurial > tips / file revision
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
ssh.rst
author Oleksandr Gavenko <gavenkoa@gmail.com>
Tue, 07 Feb 2023 00:53:39 +0200
changeset 2555 70383fa8bf12
parent 2554 c83fb8d3809f
child 2585 9b1f7faff31c
permissions -rw-r--r--
About copying SSH pubkey.

.. -*- coding: utf-8; -*-

===========
 SSH/sshd.
===========
.. contents::
   :local:

Debugging ssh client.
=====================
::

  $ ssh -vvv ...

Maintaining key pair
====================

Check available key types::

  $ ssh -Q key

Generate keys::

  $ ssh-keygen -t dsa     # for DSA
  $ ssh-keygen -t rsa     # for RSA
  $ ssh-keygen -t dsa -C comment     # put own comment instead user@host
  $ ssh-keygen -t dsa -f my_dsa_key  # store priv key under my_dsa_key
                                     # and pub key under my_dsa_key.pub

  ssh-keygen -f my.key

Recover pub key from priv::

  ssh-keygen -y -f ~/.ssh/id_dsa >~/.ssh/id_dsa.pub

Show fingerprint::

  ssh-keygen -l -f ~/.ssh/id_dsa
  ssh-keygen -E md5 -l -f ~/.ssh/id_dsa

Change passphrase of priv key::

  $ ssh-keygen -p -N "newphrase" -P "oldphrase" -f ~/.ssh/id_dsa

To copy your public key to a remote host (for automatic login by a pubkey authentication)::

  $ ssh-copy-id $user@$host

  $ ssh $user@$host cat ">>" "~/.ssh/authorized_keys" <~/.ssh/id_rsa.pub

Dealing with server pubkeys
===========================

To remove a host fingerprint from a local ``known_hosts`` (if you changed a server pubkey or changed
a server)::

  $ ssh-keygen -R hostname
  $ ssh-keygen -R hostname -f ~/.ssh/known_hosts

Each SSH server keeps a single priv key, sharing a common pub key with all clients. It is an
identity of the server and upon a new connection you are asked to trust this pub key. After
accepting the pub key it is written to ``~/.ssh/known_hosts``.

To list advertized pub keys by a server (``-H`` is host hashing/hiding host name)::

  ssh-keyscan $HOST
  ssh-keyscan -H $HOST

To list fingerprints of the server pub keys::

  ssh-keygen -lf <(ssh-keyscan $HOST 2>/dev/null)

To ensure MD5 output format (which is usually displayed with vast majority of existing SSH
clients)::

  ssh-keygen -E md5 -lf <(ssh-keyscan $HOST 2>/dev/null)

Disabling pubkey
================
::

  ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no user@host

Shell login
===========
::

  $ ssh $user@$host
  $ ssh $user@$host:$port

  $ ssh -i ~/.ssh/my_dsa_key $user@$host

or::

  $ ssh -l $user $host
  $ ssh -l $user $host:$port

X11 forwarding
==============

Enable X11 forwarding on remote host in ``~/.ssh/config`` or ``/etc/ssh_config``::

  X11Forwarding yes

then login to this host by::

  $ ssh -X $user@$host

or by using trusted X11 forwarding::

  $ ssh -Y $user@$host

See:

http://x.cygwin.com/docs/faq/cygwin-x-faq.html#q-ssh-no-x11forwarding
  X11Forwarding does not work with OpenSSH under Cygwin

Multiply private keys
=====================

``ssh`` tries to use all provided keys::

  $ ssh -i ./priv1 -i ./priv2 $user@$host

Alternatively place them to ``~/.ssh/config``::

  Host *
  IdentityFile ~/.ssh/identity # standard search path for protocol ver. 1
  IdentityFile ~/.ssh/id_dsa   # standard search path for RSA key protocol ver. 2
  IdentityFile ~/.ssh/id_rsa   # standard search path for DSA key protocol ver. 2
  IdentityFile ~/.ssh/my_dsa
  IdentityFile ~/.ssh/another_dsa

or per host private key::

  Host host1                   # alias, that user provide at CLI
  HostName host1.example.com   # real host name to log into
  User iam
  IdentifyFile ~/.ssh/iam_priv_dsa
  Host host2                   # alias, that user provide at CLI
  HostName 192.168.1.2         # real host IP to log into
  User admin
  IdentifyFile ~/.ssh/admin_priv_dsa

Installing sshd on Cygwin
=========================

* Install base packages and openssh.
* Create Windows user and set its password.
* Recreate /etc/passwd::

    $ mkpasswd -l -u user >>/etc/passwd

  or::

    $ mkpasswd -l >/etc/passwd

* Register sshd::

    $ mkdir -p /home/user
    $ ssh-host-config -y

* Start::

    $ net start sshd

  or::

    $ cygrunsrv -S sshd

* Check from remote host::

    $ ssh $gygwin_host -l user

To stop service use::

  $ net stop sshd
  $ cygrunsrv -E sshd

To delete service::

  $ cygrunsrv -E sshd
  $ cygrunsrv -R sshd

If you have ``connection closed`` error check permission for ``/home/*/.ssh``
directories. If you start service from ``user`` account - add write permission
to ``/home/*/.ssh``. I fix by::

  $ rm -r /home/*/.ssh
  cmd> icacls c:\opt\cygwin\home /t /grant:r cyg_server:(f)

In order to enable logging from ``sshd`` uncomment in ``/etc/ssh/sshd_config``::

  SyslogFacility AUTH
  LogLevel INFO

and start syslogd from ``inetutils`` package (don't forget to restart
``sshd``!)::

  $ /bin/syslogd-config
  $ net start syslogd

Check ``/var/log/messages`` for logging messages.

.. note::

   In order to allow pubkey login and to avoid error::

     userauth_pubkey: key type ssh-dss not in PubkeyAcceptedKeyTypes

   add ``PubkeyAcceptedKeyTypes *`` or ``PubkeyAcceptedKeyTypes=+ssh-dss`` to
   ``/etc/ssh/sshd_config`` but DSS keys are depricated at all.
tips