ssh
SSH Daemon
Check
You can confirm that the ssh daemon is running on Linux (systemd) using this command...
systemctl status sshd
For simpler output, or on AIX where there is no systemctl, you could use...
ps -ef | grep sshd
(The grep will also match itself; use grep '[s]shd' to exclude that line.)
Start
sudo systemctl start ssh
Stop
sudo systemctl stop ssh
Version
ssh -V
apt list --installed | grep openssh-server
apt list --installed | grep openssh-client
Risks
If someone else has 'root' access on a computer containing your keys then they have access to your keys. If those people are your organisation's UNIX sysadmins then they may have access to everything anyway. If they don't, or if people other than trusted sysadmins have root access, then be very aware of the risk.
Note that even if you do something clever like "mount your ssh keys temporarily from a network drive or USB device, add them to your ssh-agent, then unmount the ssh keys", someone with root can still steal your private key from the running ssh-agent process. Make sure you kill the agent whenever you log out (see the "SSH Forwarding/Tunnelling (Linux)" section later on this page). You should consider the feasibility of using the -t option of ssh-add to keep the key in the agent only long enough to establish your connection.
Install
On Linux ssh is shipped in two packages. openssh-server installs the daemon (sshd) and openssh-client installs the client (ssh). There is a third package that gets automatically installed: openssh-sftp-server.
openssh-server
sudo apt install openssh-server
openssh-client
sudo apt install openssh-client
In recent Ubuntu versions the client is installed by default but the server is not.
Usage
ssh hostname [command]
To suppress any messages that may be set to display on connection use...
ssh -q hostname [command]
To show debugging information...
ssh -v hostname [command]
SSH Forwarding/Tunnelling (Linux)
The ssh-agent tends to be already running for Ubuntu sessions. If it is not running, start it using...
eval $(ssh-agent)
Note: Consider adding this to your .bash_profile or .profile (as appropriate).
To avoid leaving a new agent process running after every login, you should also add this (which will kill ssh-agent at logout)...
trap 'test -n "$SSH_AGENT_PID" && eval $(/usr/bin/ssh-agent -k)' 0
Identify your key...
ssh-add -L
Add this key to ~/.ssh/authorized_keys on all hosts, including any Bastion (jump-box) server, that you will access.
For AWS, if you have followed the documentation on this site, your keys should already be there. If you are configuring access for someone else you may still need to add them.
Add your key to the ssh agent.
If you are not on the server where you created this key initially then copy it to .ssh under your home directory first.
cd ~/.ssh
ssh-add $(whoami).pem
For AWS, use the PEM file from the EC2 Key Pair.
ssh-add -L
The key should be there.
To add the identity so that the agent deletes it again after 60 seconds (the -t lifetime applies to the keys added by that same ssh-add command)...
ssh-add -t 60 $(whoami).pem
To delete all identities from the agent...
ssh-add -D
Create an ssh config file...
This example is for an AWS installation of Jira and Confluence
# Bastion
Host bbb.bbb.bbb.bbb
ForwardAgent yes
User ec2-user
# Server1
Host 111.111.111.111
ProxyCommand ssh -A ec2-user@bbb.bbb.bbb.bbb -W %h:%p
User ec2-user
# Server2
Host 222.222.222.222
ProxyCommand ssh -A ec2-user@bbb.bbb.bbb.bbb -W %h:%p
User ec2-user
Where:
bbb.bbb.bbb.bbb is the Bastion (Jump) IP address
111.111.111.111 is the IP address of server1
222.222.222.222 is the IP address of server2
ec2-user is the login user on each server
Note that ForwardAgent yes exposes your agent socket on the Bastion for the life of the connection, so anyone with root there can use it (see the Risks section above). The ProxyCommand ... -W hop authenticates to the target from your own machine, so agent forwarding is not needed for the hop itself; enable it only if you actually need your keys while logged in on the Bastion.
You should now be able to connect directly to any of the servers using the variables containing the IP addresses or the IP addresses themselves...
ssh username@${JumpIP}
ssh username@${TargetIP[0]}
ssh username@${TargetIP[1]}
If you omit username, ssh will attempt to connect with your current username.
Port Forwarding
TODO
ssh -L
ssh -R
Configuration
All configuration is held under the .ssh subdirectory of the home directory of each user. e.g.
/home/oracle/.ssh
Private/Public Key File
(default: id_rsa/id_rsa.pub)
/home/oracle/.ssh/id_rsa
This is a private key with the default name. This should only be accessible by the user who owns it (in this example, 'oracle').
/home/oracle/.ssh/id_rsa.pub
This is a public key with the default name. Copy the contents of this file to the authorized_keys file on another server to allow the holder of the associated private key to connect without requiring a password.
If you need to generate a private key/public key pair (where mykey.pem will be the file containing the private key):
ssh-keygen -t rsa -b 3072 -f mykey.pem
Note that the RSA signing algorithm is the default. However, it's good practice to specify it, just in case the default changes.
Minimum key size is 1024 bits, default is 3072 and maximum is 16384.
To generate the public key file from an existing private key file...
ssh-keygen -y -f mykey.pem > $HOME/.ssh/mykey.pub
Convert PPK to PEM
If you are sent a private key in PPK format (e.g. I was sent a PPK file to access a training environment in OCI) but you want to connect via a native Linux terminal rather than via PuTTY, you can use these steps to convert the key.
First get the PPK file onto your Linux machine.
Install putty-tools (if not installed already).
puttygen mykey.ppk -O private-openssh -o mykey.pem
chmod 400 mykey.pem
Convert PEM to PPK
If you want to do this then I assume you already have PuTTY installed on a Windows machine, in which case this is easy...
Open the .pem file in puttygen
Save it as .ppk
authorized_keys
/home/oracle/.ssh/authorized_keys
If a key entry in the authorized_keys file on serverA matches a public key whose private key you hold on serverB, then you can ssh to serverA from serverB without entering a password.
On Linux you can add keys to a remote authorized_keys file using this command (it does not work on AIX)...
ssh-copy-id -i ~/.ssh/id_rsa.pub user@serverA
known_hosts
/home/oracle/.ssh/known_hosts
Whenever you connect to a host using ssh, that host's public host key gets added to the known_hosts file under the .ssh directory in the user's home directory. If the host key ever changes, ssh will give you a warning when you try to connect.
config
https://www.ssh.com/ssh/config/
For a specific user...
/home/oracle/.ssh/config
Config inherited by all users...
/etc/ssh/ssh_config
Use this file for overriding command line defaults and for configuration where there is no command line option. For example, this line in the config file...
VisualHostKey=yes
... is the same as this option on the command line...
ssh -o VisualHostKey=yes hostname
To make it easier to login to a host with an alternate user and ssh key, use something like this in your config file...
Host myserver
User myuser
IdentityFile ~/.ssh/mykey.pem
Passphrase
Having a passphrase makes the use of ssh more secure but can cause issues if you want to run automated scripts that connect to other servers without intervention. To remove/set a passphrase use...
ssh-keygen -p
Windows SSH
Troubleshooting
For extra information about your ssh session use the -v, -vv, or -vvv command line options.
(-vvv gives the highest level of detail).
Key Checks
The .ssh directory should be owned by the user whose login home it is in.
The .ssh directory should have rwx (700) permissions for the owner only.
The Private key file should have rw (600) permissions for the owner only.
The authorized_keys file should have rw-r--r-- (644) permissions.
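A shell function that checks these four rules for a given .ssh directory, added here as an example (it is not code from the original page). It assumes GNU coreutils stat on Linux and takes the directory path and the expected owner as arguments:

```shell
# check_ssh_dir DIR [OWNER]
# Checks the .ssh directory and the key files in it against the rules above.
# Assumes GNU coreutils 'stat -c' (Linux); on AIX parse 'ls -ld' instead.
# Returns 0 when everything passes, 1 otherwise; each problem is printed.
check_ssh_dir() {
    dir=$1
    owner=${2:-$(id -un)}   # default: the user running the check
    rc=0

    # 1. The .ssh directory must be owned by the login user...
    actual=$(stat -c '%U' "$dir")
    if [ "$actual" != "$owner" ]; then
        echo "FAIL: $dir is owned by $actual, expected $owner"
        rc=1
    fi
    # 2. ...and be rwx for the owner only (700)
    mode=$(stat -c '%a' "$dir")
    if [ "$mode" != "700" ]; then
        echo "FAIL: $dir mode is $mode, expected 700"
        rc=1
    fi
    # 3. Private keys (id_* without .pub, and *.pem) must be rw for owner only (600)
    for key in "$dir"/id_* "$dir"/*.pem; do
        [ -f "$key" ] || continue          # unmatched glob: skip the literal pattern
        case $key in *.pub) continue ;; esac
        mode=$(stat -c '%a' "$key")
        if [ "$mode" != "600" ]; then
            echo "FAIL: private key $key mode is $mode, expected 600"
            rc=1
        fi
    done
    # 4. authorized_keys must be rw-r--r-- (644); sshd also accepts the stricter 600
    ak=$dir/authorized_keys
    if [ -f "$ak" ]; then
        mode=$(stat -c '%a' "$ak")
        if [ "$mode" != "644" ] && [ "$mode" != "600" ]; then
            echo "FAIL: $ak mode is $mode, expected 644"
            rc=1
        fi
    fi
    return $rc
}
```

Run it as check_ssh_dir /home/oracle/.ssh oracle; a non-zero exit status means at least one rule failed and the reason was printed.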