security | ssh

ssh tips and tricks

Generate key:

ssh-keygen -b 4096

Copy to server:

ssh-copy-id username@remote-server

Reference:

archlinux


Disable root login over SSH (PermitRootLogin no refuses root whatever the authentication method):

sudo nano /etc/ssh/sshd_config

Set the line:

PermitRootLogin no

Restart ssh:

sudo service ssh restart


Disable password logins completely:

sudo nano /etc/ssh/sshd_config

Set the line:

PasswordAuthentication no

Restart ssh:

sudo service ssh restart
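The two sshd_config edits above are done here by script instead of by hand, as an added example (not from the original page): the directives are set idempotently, and the config is checked with sshd -t before anyone restarts the service, so a typo cannot lock you out. The function names and the sample config are constructed for this example; it assumes a config without Match blocks.

```shell
#!/bin/sh
# Added example, not from the original page: apply the PermitRootLogin and
# PasswordAuthentication changes idempotently, then validate before restart.
# Assumes the config has no "Match" blocks (a directive inside one would be
# replaced as well).

# Print the effective value of a directive (sshd honours the first
# uncommented occurrence). Usage: get_sshd_option <file> <Directive>
get_sshd_option() {
  awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Set a directive: replace an existing (possibly commented-out) line for it,
# drop later duplicates, append it if absent. Writes via a temp file so the
# edit is atomic. Usage: set_sshd_option <file> <Directive> <value>
set_sshd_option() {
  cfg="$1" tmp="$1.tmp.$$"
  awk -v k="$2" -v v="$3" '
    { line = $0; sub(/^[# \t]+/, "", line); split(line, f, /[ \t]+/) }
    tolower(f[1]) == tolower(k) { if (!done) { print k " " v; done = 1 }; next }
    { print }
    END { if (!done) print k " " v }
  ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# Apply the hardening from this page to <file>.
harden_sshd() {
  set_sshd_option "$1" PermitRootLogin no &&
  set_sshd_option "$1" PasswordAuthentication no
}

# Ask sshd to parse <file> (run as root, since it also loads the host keys);
# only restart the service when this returns 0.
validate_sshd_config() {
  sshd -t -f "$1"
}

# Constructed sample config (not a real server's file) to try the functions on.
demo_config() {
  f=$(mktemp) && printf '%s\n' \
    'Port 22' \
    '#PermitRootLogin prohibit-password' \
    'PasswordAuthentication yes' \
    'X11Forwarding no' \
    'PasswordAuthentication yes' > "$f" && echo "$f"
}
```

On a real host: `sudo sh -c '. ./harden.sh; harden_sshd /etc/ssh/sshd_config && validate_sshd_config /etc/ssh/sshd_config && service ssh restart'`, keeping an existing session open until a new login succeeds.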


Remove potentially duplicated ssh host keys.

rm /etc/ssh/ssh_host_*

Remove the old keys of this server from the known_hosts files on the client computers:

ssh-keygen -R hostname

ssh-keygen -R ip

Regenerate host keys.

/usr/sbin/dpkg-reconfigure openssh-server

If this does not work you need to create the keys manually (note that current OpenSSH releases no longer accept DSA host keys by default):

ssh-keygen -t dsa -N "" -f /etc/ssh/ssh_host_dsa_key

ssh-keygen -t rsa -N "" -f /etc/ssh/ssh_host_rsa_key

ssh-keygen -t ecdsa -N "" -f /etc/ssh/ssh_host_ecdsa_key


Run a local script remotely

ssh user@server 'bash -s' < script.sh


A trick I use sometimes is to use base64 to encode the commands, and pipe it to bash on the other side:

MYCOMMAND=$(base64 -w0 script.sh)

ssh user@remotehost "echo $MYCOMMAND | base64 -d | sudo bash"

Reference:

serverfault


Mount sshfs (-C is for compression):

sshfs -p22 -o allow_other pi@192.168.0.105:/home/pi /home/skolem/Downloads/uzak/

sshfs -C -p 40 -o allow_other 88.99.190.190:/ ~/Downloads/uzak/

Unmount:

fusermount -u ~/Downloads/uzak/


Web browsing over SSH:

A.
Open a blank Firefox tab and navigate to "about:config". Find the setting:

network.proxy.socks_remote_dns

Set this setting to true. Also consider:

network.http.pipelining true

network.http.pipelining.maxrequests 8

network.http.pipelining.ssl true

network.http.proxy.pipelining true

Also increase the following if needed:

network.http.max-persistent-connections-per-proxy

network.http.max-persistent-connections-per-server

B.
Making ssh proxy:

ssh -C2qTnN -D 8080 username@remote_machine.com

C.
To use the proxy in Firefox go to Firefox settings: Manual proxy configuration:

SOCKS Proxy 127.0.0.1 Port 8080

check the box for "SOCKS v5"
Reference:

calomel


Fixing the SSH time-out (hanging session) problem on the client:

sudo nano /etc/sysctl.conf

Add the line:

net.ipv4.tcp_mtu_probing = 1

Apply it and verify the new value:

sudo sysctl -p

cat /proc/sys/net/ipv4/tcp_mtu_probing

Reference:

launchpad

fitzcarraldoblog