Archive for the tag 'SSH'

SBDavid

ssh debugging tips

The OpenSSH SSH client supports SSH protocols 1 and 2. Protocol 2 is the default, with ssh falling back to protocol 1 if it detects that protocol 2 is unsupported. These settings may be altered using the Protocol option in ssh_config(5).

-v Verbose mode. Causes ssh to print debugging messages about its progress. This is helpful in debugging connection, authentication, and configuration problems.

Multiple -v options increase the verbosity. The maximum is 3.

Example:

jyothis@dell:~$ ssh root@192.168.1.1 -v
OpenSSH_4.7p1 Debian-8, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 192.168.1.1 [192.168.1.1] port 22.
debug1: Connection established.
debug1: identity file /home/jyothis/.ssh/identity type -1
debug1: identity file /home/jyothis/.ssh/id_rsa type 1
debug1: identity file /home/jyothis/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1p1 Debian-5ubuntu1
debug1: match: OpenSSH_5.1p1 Debian-5ubuntu1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
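Once you have a transcript like the one above it helps to know which lines answer which question. The following is an added example, not part of the original post: small shell functions that pull the remote version, the identity files ssh looked for, and a protocol 1 fallback out of a saved "ssh -v" log. The transcript they run on is constructed from the session shown above.

```shell
# Added example (not from the original post): extract the useful lines from
# a saved "ssh -v" transcript. The sample transcript below is constructed
# from the output shown above; capture a real one with
#   ssh -v user@host 2> ssh.log      (debug output goes to stderr)

# Remote protocol and software version, printed as "2.0 OpenSSH_5.1p1 ...".
ssh_debug_remote() {
    sed -n 's/^debug1: Remote protocol version \([^,]*\), remote software version \(.*\)$/\1 \2/p' "$1"
}

# Identity files the client looked for. "type -1" means ssh could not load
# the key (usually the file does not exist), so that key is never offered;
# any other type number means it was found and will be tried.
ssh_debug_identities() {
    awk '/^debug1: identity file / {
        state = ($NF == -1) ? "missing" : "present"
        print state, $4
    }' "$1"
}

# Exit 0 if the server advertised protocol 1 and the client fell back to
# it; protocol 1 is the weaker of the two and worth noticing in a log.
ssh_debug_protocol1() {
    grep -q '^debug1: Remote protocol version 1\.' "$1"
}

# Constructed transcript, trimmed from the session shown above.
demo_log=$(mktemp)
cat > "$demo_log" <<'EOF'
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to 192.168.1.1 [192.168.1.1] port 22.
debug1: Connection established.
debug1: identity file /home/jyothis/.ssh/identity type -1
debug1: identity file /home/jyothis/.ssh/id_rsa type 1
debug1: identity file /home/jyothis/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1p1 Debian-5ubuntu1
EOF

ssh_debug_remote "$demo_log"
ssh_debug_identities "$demo_log"
```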

Cannot use SSH with old system accounts after Installation of DirectAdmin

DirectAdmin adds the “AllowUsers” option to the /etc/ssh/sshd_config file for the SSH accounts it creates.

When DirectAdmin is installed, it adds “root” and “admin” to that file under the AllowUsers option.

Any other user who already had an SSH account on the system must also be added to that file in order to access the server via SSH.
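To find out whether an existing account is affected before it is locked out, the AllowUsers lines can be checked and extended from a script. The following is an added example, not DirectAdmin's code or part of the original post; the config path is a parameter so it can be run on a copy first, and the sample config is constructed.

```shell
# Added example (not from the original post): check whether a login name is
# covered by the AllowUsers lines of an sshd_config and append it when it is
# not. The config path is a parameter so this can be run against a copy and
# reviewed before touching /etc/ssh/sshd_config (sshd must be reloaded after).

# Print every name on uncommented AllowUsers lines, one per line. sshd accepts
# several AllowUsers lines and merges them, so all are read. Note: if the file
# has no AllowUsers line at all, sshd allows everyone, so an empty result here
# means "unrestricted", not "locked out".
allowusers_list() {
    awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "allowusers" { for (i = 2; i <= NF; i++) print $i }
    ' "$1"
}

# Exit 0 if the user is listed, either bare or in the user@host form.
# Wildcard entries such as "adm*" are printed by allowusers_list but are
# not expanded here; check those by hand.
allowusers_has() {
    allowusers_list "$1" | awk -v u="$2" '
        $0 == u { found = 1 }
        index($0, "@") && substr($0, 1, index($0, "@") - 1) == u { found = 1 }
        END { if (found) exit 0; exit 1 }
    '
}

# Append an AllowUsers line for the user unless already present.
# Exit 0 if added, 2 if the user was already listed.
allowusers_add() {
    if allowusers_has "$1" "$2"; then
        return 2
    fi
    printf 'AllowUsers %s\n' "$2" >> "$1"
}

# Constructed sample mimicking what DirectAdmin writes; "olduser" existed
# before the install and is locked out until added.
demo_config=$(mktemp)
printf '%s\n' 'Port 22' '#AllowUsers olduser' 'AllowUsers root admin' > "$demo_config"

allowusers_has "$demo_config" olduser || echo "olduser is not in AllowUsers"
```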

Source: http://directadmin.com

Allowing connections to the SSH service from one IP using APF

You want to deny all IPs from connecting to shell/ssh on your server and allow only a select one or few to connect, using the APF firewall.

APF can deny ALL connections to ssh and allow only a single IP, or a select few, to connect to your server.

Login to your server as the root user.

cd /etc/apf
vi /etc/apf/allow_hosts.rules

Add the following in:

tcp:in:d=22:s=IP-ADDRESS
out:d=22:d=IP-ADDRESS

The d=22 part is the port, so you can repeat the rules for other services as well to limit connections if you like.

Save the changes.

vi /etc/apf/deny_hosts.rules

Add the following:

tcp:in:d=22:s=0/0
out:d=22:d=0/0

Save the changes.

Restart the APF firewall:

apf -r

SBDavid
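Typing the rules by hand for several admin addresses is error-prone, and a typo on the allow side is easy to miss. The following is an added example, not part of the original post or of APF: it writes the same allow/deny rules for one port and a list of addresses into a directory of your choice, refusing malformed addresses, so the files can be reviewed before they replace the ones in /etc/apf. The addresses used are constructed.

```shell
# Added example (not from the original post): generate the APF rules shown
# above for one port and several admin addresses, writing them into a
# directory passed as a parameter so they can be reviewed before being
# placed in /etc/apf and loaded with "apf -r". The addresses are constructed.

# Accept dotted-quad IPv4 with an optional /prefix and nothing else, so a
# typo (or a stray "0/0") never ends up on the allow side.
valid_ipv4() {
    echo "$1" | awk -F'[./]' '
        NF != 4 && NF != 5 { exit 1 }
        NF == 5 && ($5 !~ /^[0-9]+$/ || $5 > 32) { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        { exit 0 }'
}

# Usage: apf_restrict_port DIR PORT IP [IP...]
# Appends the allow rules for every IP, then the catch-all deny rules.
# Refuses to run with no IP at all: that would simply lock the port.
apf_restrict_port() {
    dir=$1; port=$2; shift 2
    [ $# -ge 1 ] || { echo "no allowed address given, refusing" >&2; return 1; }
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "bad address: $ip" >&2; return 1; }
    done
    for ip in "$@"; do
        printf 'tcp:in:d=%s:s=%s\n' "$port" "$ip" >> "$dir/allow_hosts.rules"
        printf 'out:d=%s:d=%s\n'    "$port" "$ip" >> "$dir/allow_hosts.rules"
    done
    # The post relies on allow_hosts entries winning over this 0/0 deny.
    printf 'tcp:in:d=%s:s=0/0\n' "$port" >> "$dir/deny_hosts.rules"
    printf 'out:d=%s:d=0/0\n'    "$port" >> "$dir/deny_hosts.rules"
}

# Constructed addresses (documentation ranges), scratch directory.
demo_dir=$(mktemp -d)
apf_restrict_port "$demo_dir" 22 203.0.113.10 198.51.100.0/24
cat "$demo_dir/allow_hosts.rules" "$demo_dir/deny_hosts.rules"
```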

SSh key passphrase and SSH Agent

It is recommended to protect the keys with a passphrase, and it is straightforward to do so. In fact you will be asked to provide a passphrase for your private key during key generation, and you can skip it if you want. If you did skip it, you can lock the key with a passphrase later using the following.

$ ssh-keygen -p

It will then prompt for the key file path, and then for the passphrase, which must be more than five characters.

Of course using keys is useful not only for security reasons but also to avoid being asked for a password every time you use ssh. And thanks to ssh-agent we can save ourselves a few keystrokes and, more importantly, use ssh in automated scripts without the script being interrupted by a passphrase prompt.

SSH Agent

$ eval `ssh-agent`
$ ssh-add /home/buddies/.ssh/buddies_rsa
$ ssh root@myremote.serverbuddies.com

We first started ssh-agent, which is actually a service; the eval sets the environment variables it prints so that ssh can find it.

Then we use ssh-add to add the key (if the key is protected with a passphrase, you will be asked for it at this point), and then ssh to the remote server with only the user name and the server address, without specifying the key.

ssh-agent keeps the session open so that we can use ssh to access the remote server without giving any key or password.

SBDavid

SSH Key generation for Security

We need to generate a pair of keys: one public key for the server to encrypt the data, and a private key, which is the only key that can decipher the encrypted data and which by definition should be kept private. There are many secure encryption algorithms with different degrees of strength.

There are DSA and RSA. DSA is the standard for the USA government; DSA keys have a 1024-bit size limit, whereas RSA is unlimited.

To create an RSA key with a 2048-bit length, here are the steps.

$ ssh-keygen -v -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/buddies/.ssh/id_rsa): /home/buddies/.ssh/buddies_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/buddies/.ssh/buddies_rsa.
Your public key has been saved in /home/buddies/.ssh/buddies_rsa.pub.
The key fingerprint is:
66:d2:cc:7b:6a:62:f9:f5:c6:ef:69:fc:7b:87:0d:46 buddies@buddies

And then:

$ chmod 600 /home/buddies/.ssh/buddies_rsa
$ scp /home/buddies/.ssh/buddies_rsa.pub buddies@myremote.server.com:/home/buddies/.ssh

On the remote server we should do the following (append with >> rather than >, so that any keys already in authorized_keys are kept).

$ cat /home/buddies/.ssh/buddies_rsa.pub >> /home/buddies/.ssh/authorized_keys

You will be asked for the login password on the remote server before the scp copy commences.

The file will be copied to the login user's home directory on the remote server (/home/buddies in this case).
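The remote-side step is where installs usually go wrong: a single > wipes every key already in authorized_keys, a mangled paste lands in the file unnoticed, and sshd silently ignores the file if its permissions are too open. The following is an added example, not part of the original post: a script that appends the key, skips duplicates, validates the line, and sets the permissions. The home directory is a parameter so it can be tried in a scratch directory, and the key line is constructed (a valid ssh-rsa header with no real key material).

```shell
# Added example (not from the original post): do the remote-side step above
# safely. ">" replaces authorized_keys and silently drops every key already
# there; this appends, skips a key that is already present, and sets the
# permissions sshd's StrictModes checks. The home directory is a parameter
# so it can be tried in a scratch directory; the key line is constructed.

# Every public key blob starts with the base64 of its own length-prefixed
# type name, so a real key of each type begins with these characters.
pubkey_blob_prefix() {
    case $1 in
        ssh-rsa)     echo AAAAB3NzaC1yc2E ;;
        ssh-dss)     echo AAAAB3NzaC1kc3M ;;
        ssh-ed25519) echo AAAAC3NzaC1lZDI1NTE5 ;;
        *)           return 1 ;;
    esac
}

# Exit 0 only for "type blob [comment]" with a known type and a blob that
# is base64 and matches the type; a pasted private key or mangled line fails.
valid_pubkey() {
    set -f; set -- $1; set +f   # split on whitespace without globbing
    [ $# -ge 2 ] || return 1
    prefix=$(pubkey_blob_prefix "$1") || return 1
    case $2 in "$prefix"*) ;; *) return 1 ;; esac
    echo "$2" | grep -Eq '^[A-Za-z0-9+/]+=*$'
}

# Usage: install_pubkey HOME "KEY LINE"
# Exit 0 if appended, 2 if the same type+blob was already present (lines
# with a leading options field are not compared), 1 if the line is invalid.
install_pubkey() {
    home=$1; key=$2
    valid_pubkey "$key" || return 1
    set -f; set -- $key; set +f; ktype=$1; blob=$2
    ak="$home/.ssh/authorized_keys"
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    if [ -f "$ak" ] && awk -v t="$ktype" -v b="$blob" \
        '$1 == t && $2 == b { f = 1 } END { if (f) exit 0; exit 1 }' "$ak"; then
        return 2
    fi
    printf '%s\n' "$key" >> "$ak"
    chmod 600 "$ak"
}

# Constructed key line: a valid ssh-rsa header with no real key material.
demo_home=$(mktemp -d)
demo_key='ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB buddies@buddies'
install_pubkey "$demo_home" "$demo_key" && cat "$demo_home/.ssh/authorized_keys"
```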
