About copying SSH pubkey.
.. -*- coding: utf-8; -*-
===========
SSH/sshd.
===========
.. contents::
:local:
Debugging ssh client.
=====================
::
$ ssh -vvv ...
Maintaining key pair
====================
Check available key types::
$ ssh -Q key
Generate keys::
$ ssh-keygen -t dsa # for DSA
$ ssh-keygen -t rsa # for RSA
$ ssh-keygen -t dsa -C comment # put own comment instead user@host
$ ssh-keygen -t dsa -f my_dsa_key # store priv key under my_dsa_key
# and pub key under my_dsa_key.pub
ssh-keygen -f my.key
Recover pub key from priv::
ssh-keygen -y -f ~/.ssh/id_dsa >~/.ssh/id_dsa.pub
Show fingerprint::
ssh-keygen -l -f ~/.ssh/id_dsa
ssh-keygen -E md5 -l -f ~/.ssh/id_dsa
Change passphrase of priv key::
$ ssh-keygen -p -N "newphrase" -P "oldphrase" -f ~/.ssh/id_dsa
To copy your public key to a remote host (for automatic login by a pubkey authentication)::
$ ssh-copy-id $user@$host
$ ssh $user@$host cat ">>" "~/.ssh/authorized_keys" <~/.ssh/id_rsa.pub
Dealing with server pubkeys
===========================
To remove a host fingerprint from a local ``known_hosts`` (if you changed a server pubkey or changed
a server)::
$ ssh-keygen -R hostname
$ ssh-keygen -R hostname -f ~/.ssh/known_hosts
Each SSH server keeps a single priv key, sharing a common pub key with all clients. It is an
identity of the server and upon a new connection you are asked to trust this pub key. After
accepting the pub key it is written to ``~/.ssh/known_hosts``.
To list advertized pub keys by a server (``-H`` is host hashing/hiding host name)::
ssh-keyscan $HOST
ssh-keyscan -H $HOST
To list fingerprints of the server pub keys::
ssh-keygen -lf <(ssh-keyscan $HOST 2>/dev/null)
To ensure MD5 output format (which is usually displayed with vast majority of existing SSH
clients)::
ssh-keygen -E md5 -lf <(ssh-keyscan $HOST 2>/dev/null)
Disabling pubkey
================
::
ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no user@host
Shell login
===========
::
$ ssh $user@$host
$ ssh $user@$host:$port
$ ssh -i ~/.ssh/my_dsa_key $user@$host
or::
$ ssh -l $user $host
$ ssh -l $user $host:$port
X11 forwarding
==============
Enable X11 forwarding on remote host in ``~/.ssh/config`` or ``/etc/ssh_config``::
X11Forwarding yes
then login to this host by::
$ ssh -X $user@$host
or by using trusted X11 forwarding::
$ ssh -Y $user@$host
See:
http://x.cygwin.com/docs/faq/cygwin-x-faq.html#q-ssh-no-x11forwarding
X11Forwarding does not work with OpenSSH under Cygwin
Multiply private keys
=====================
``ssh`` tries to use all provided keys::
$ ssh -i ./priv1 -i ./priv2 $user@$host
Alternatively place them to ``~/.ssh/config``::
Host *
IdentityFile ~/.ssh/identity # standard search path for protocol ver. 1
IdentityFile ~/.ssh/id_dsa # standard search path for RSA key protocol ver. 2
IdentityFile ~/.ssh/id_rsa # standard search path for DSA key protocol ver. 2
IdentityFile ~/.ssh/my_dsa
IdentityFile ~/.ssh/another_dsa
or per host private key::
Host host1 # alias, that user provide at CLI
HostName host1.example.com # real host name to log into
User iam
IdentifyFile ~/.ssh/iam_priv_dsa
Host host2 # alias, that user provide at CLI
HostName 192.168.1.2 # real host IP to log into
User admin
IdentifyFile ~/.ssh/admin_priv_dsa
Installing sshd on Cygwin
=========================
* Install base packages and openssh.
* Create Windows user and set its password.
* Recreate /etc/passwd::
$ mkpasswd -l -u user >>/etc/passwd
or::
$ mkpasswd -l >/etc/passwd
* Register sshd::
$ mkdir -p /home/user
$ ssh-host-config -y
* Start::
$ net start sshd
or::
$ cygrunsrv -S sshd
* Check from remote host::
$ ssh $gygwin_host -l user
To stop service use::
$ net stop sshd
$ cygrunsrv -E sshd
To delete service::
$ cygrunsrv -E sshd
$ cygrunsrv -R sshd
If you have ``connection closed`` error check permission for ``/home/*/.ssh``
directories. If you start service from ``user`` account - add write permission
to ``/home/*/.ssh``. I fix by::
$ rm -r /home/*/.ssh
cmd> icacls c:\opt\cygwin\home /t /grant:r cyg_server:(f)
In order to enable logging from ``sshd`` uncomment in ``/etc/ssh/sshd_config``::
SyslogFacility AUTH
LogLevel INFO
and start syslogd from ``inetutils`` package (don't forget to restart
``sshd``!)::
$ /bin/syslogd-config
$ net start syslogd
Check ``/var/log/messages`` for logging messages.
.. note::
In order to allow pubkey login and to avoid error::
userauth_pubkey: key type ssh-dss not in PubkeyAcceptedKeyTypes
add ``PubkeyAcceptedKeyTypes *`` or ``PubkeyAcceptedKeyTypes=+ssh-dss`` to
``/etc/ssh/sshd_config`` but DSS keys are depricated at all.