SSH
- Utilities
- ssh — OpenSSH remote login client
- scp — OpenSSH secure file copy
- ssh-add — adds private key identities to the OpenSSH authentication agent
- ssh-keyscan — gather SSH public keys from servers
- ssh-copy-id — use locally available keys to authorise logins on a remote machine
- ssh-keygen — OpenSSH authentication key utility
- SSH agent
- SSH key pair
- Remove stale known_hosts entries
- Server offering outdated and insecure algorithms
- Unsorted
Utilities
ssh — OpenSSH remote login client
| Option | Meaning |
| --- | --- |
| -A | Enables forwarding of connections from an authentication agent such as ssh-agent(1). |
| -L [bind_address:]port:host:hostport (also -L [bind_address:]port:remote_socket, -L local_socket:host:hostport, -L local_socket:remote_socket) | Specifies that connections to the given TCP port or Unix socket on the local (client) host are to be forwarded to the given host and port, or Unix socket, on the remote side. |
Forward a local port to a remote host and port reachable by the SSH server
I can reach myserver over SSH, and myserver can reach 192.168.178.150, but I cannot reach it directly. So I map port 443 on 192.168.178.150 to port 8443 on my own machine, tunnelled through the SSH server:
ssh -L 8443:192.168.178.150:443 myserver
Then connect to:
https://localhost:8443
Without a bind_address the listener is bound to the loopback interface only, so other machines on your network cannot use the tunnel; giving a bind address of 0.0.0.0 (or setting GatewayPorts yes) would expose it to them. The browser sees the certificate of 192.168.178.150 while the URL says localhost, so expect a name-mismatch warning.
scp — OpenSSH secure file copy
Use scp on a remote path containing spaces. The remote path needs a second layer of quoting because the legacy scp protocol hands it to the remote user's shell, which would otherwise split it at the spaces:
scp 'user@host:/Path/"Some Filename With Spaces"' [destination]
Since OpenSSH 9.0 scp uses the SFTP protocol by default, which does not run a remote shell; the -O flag selects the legacy protocol.
ssh-add — adds private key identities to the OpenSSH authentication agent
Load a private key into the running agent (prompts for its passphrase once, then signs on your behalf without asking again):
ssh-add ~/mysshkey
List the public keys of the loaded identities (-l shows their fingerprints instead):
ssh-add -L
ssh-keyscan — gather SSH public keys from servers
ssh-keyscan trusts whatever answers on the wire (trust-on-first-use at scale), so compare the fingerprints of the keys it returns with what the server owner published before appending them; -H stores the host names hashed so the file does not reveal which hosts you talk to:
ssh-keyscan -H myhost.org,myhost2.org >> ~/.ssh/known_hosts
ssh-copy-id — use locally available keys to authorise logins on a remote machine
Appends the public key to the remote account's ~/.ssh/authorized_keys; with -i pointing at the private key, the matching .pub file is used. It authenticates once with a password (or an already working key):
ssh-copy-id -i ~/.ssh/mykey user@host
ssh-keygen — OpenSSH authentication key utility
| Option | Meaning |
| --- | --- |
| -i | This option will read an unencrypted private (or public) key file in the format specified by the -m option and print an OpenSSH compatible private (or public) key to stdout. This option allows importing keys from other software, including several commercial SSH implementations. The default import format is "RFC4716". |
| -f filename | Specifies the filename of the key file. |
| -C comment | Provides a new comment. |
| -t type | Specifies the type of key to create: dsa, ecdsa, ecdsa-sk, ed25519, ed25519-sk or rsa. |
Generate a new keypair
ssh-keygen -t ed25519 -C "your_email@example.com"
Convert a PuTTYgen-generated public key (the RFC4716 "SSH2 public key" block that PuTTYgen saves) to OpenSSH format
ssh-keygen -i -f puttygenkey.pub
This covers the public key only; a PuTTY .ppk private key has to be exported from PuTTYgen itself (Conversions > Export OpenSSH key).
SSH agent
ssh-agent — OpenSSH authentication agent
SSH agent forwarding
Lets the remote server authenticate with your local keys: the agent socket is forwarded and the private key never leaves your computer. Handy for deployments where every remote server already has your public key. The trade-off is that anyone with root on the remote host can use the forwarded socket, and so your keys, for as long as your session lasts. Forward only to hosts you trust, and consider ssh-add -c so the agent asks for confirmation before every signature. For merely hopping through a bastion, ProxyJump (-J) avoids forwarding the agent altogether.
-A: Enables forwarding of the authentication agent connection. This can also be specified on a per-host basis in a configuration file (ForwardAgent).
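The port forward and the agent forward from the two sections above as ~/.ssh/config entries, so they do not have to be typed every time. This is an added example, not from the original page or from OpenSSH: myserver and 192.168.178.150 are the page's placeholders, while deploy-host, bastion.example and internal-box are assumed names.

```sshconfig
# Added example: ~/.ssh/config entries for the forwarding cases above.
# deploy-host, bastion.example and internal-box are assumed names.

# Local port forward, same as `ssh -L 8443:192.168.178.150:443 myserver`.
# The explicit 127.0.0.1 keeps the listener on loopback; with 0.0.0.0 (or
# GatewayPorts yes) every machine on your network could use the tunnel.
# Start it with `ssh -N myserver` (-N: no remote command, just the forward).
Host myserver
    LocalForward 127.0.0.1:8443 192.168.178.150:443

# Agent forwarding only for the host that needs it.  While the session is
# open, root on deploy-host can sign with any key in your agent, so never
# put ForwardAgent yes under "Host *".
Host deploy-host
    ForwardAgent yes

# Hopping through a bastion does not need the agent on the bastion at all:
# ProxyJump tunnels the second connection through the first, and the final
# host is authenticated end-to-end from your machine.
Host internal-box
    ProxyJump bastion.example
```

ssh uses the first matching value for each option, so host-specific blocks must come before any catch-all Host * block.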
SSH key pair
The book Practical Cryptography With Go suggests that ED25519 keys are more secure and performant than RSA keys.
OpenSSH 6.5 introduced ED25519 keys in January 2014, so they are available on any current operating system; legacy appliances like the one in the last section are the exception.
You can create an ED25519 key with the following command (choose a passphrase when prompted; the comment is only a label and is not part of the key material):
ssh-keygen -t ed25519 -C "<comment>"
Remove stale known_hosts entries
Remove a host's entries by name (works for hashed entries too; the previous file is kept as known_hosts.old):
ssh-keygen -f ~/.ssh/known_hosts -R "192.168.53.130"
Remove line 121 of known_hosts, the line number ssh prints in its "Offending ... key in ~/.ssh/known_hosts:121" warning (-i = in place; BSD/macOS sed wants -i ''):
sed -i '121d' ~/.ssh/known_hosts
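The known_hosts format that ssh-keyscan -H writes and ssh-keygen -R edits, as an added example (standard-library Python, not OpenSSH's own code): it parses plain and hashed host fields, prints the SHA256 fingerprint of each key so it can be compared with what the server owner publishes before trusting it, and removes one host's lines the way -R does. The file contents, the key bytes and the fixed salt are constructed for the example; real entries carry a random salt per line.

```python
"""known_hosts handling: parse plain and hashed (|1|...) entries, fingerprint the
keys, and remove one host's entries (what `ssh-keygen -R host` does).
Added example using only the standard library; not OpenSSH's own code."""
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def encode_pubkey(key_type: str, raw_key: bytes) -> str:
    """The base64 blob of an OpenSSH public-key line: string(type) || string(key)."""
    return base64.b64encode(ssh_string(key_type.encode()) + ssh_string(raw_key)).decode()


def fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint as `ssh-keygen -l` prints it: unpadded base64 of the blob's hash."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hash_hostname(host: str, salt: bytes) -> str:
    """Hashed host field written by `ssh-keyscan -H` / HashKnownHosts:
    |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=host))|"""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s|" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(field: str, host: str) -> bool:
    """Does this host field name `host`?  Plain fields are comma-separated names;
    a hashed field can only be tested by recomputing the HMAC with its salt."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64, _ = field.split("|")
        expected = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(mac_b64))
    return host in field.split(",")


def parse_line(line: str):
    """(host field, key type, key blob) for a key line; None for blanks and comments."""
    parts = line.split()
    if not parts or parts[0].startswith("#"):
        return None
    if parts[0].startswith("@"):        # @cert-authority / @revoked marker
        parts = parts[1:]
    if len(parts) < 3:
        return None
    return parts[0], parts[1], parts[2]


def entries_for(known_hosts: str, host: str):
    """(key type, SHA256 fingerprint) of every entry that applies to host."""
    found = []
    for line in known_hosts.splitlines():
        parsed = parse_line(line)
        if parsed and host_matches(parsed[0], host):
            found.append((parsed[1], fingerprint(parsed[2])))
    return found


def remove_host(known_hosts: str, host: str) -> str:
    """Drop every line whose host field matches; keep everything else verbatim."""
    kept = []
    for line in known_hosts.splitlines():
        parsed = parse_line(line)
        if parsed and host_matches(parsed[0], host):
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"


# Constructed sample file.  Key bytes are a counting pattern, not real keys, and the
# salt is fixed so the file is reproducible; ssh-keyscan -H uses a random salt per line.
SALT = bytes(range(20))
KEY_A = encode_pubkey("ssh-ed25519", bytes(range(32)))
KEY_B = encode_pubkey("ssh-ed25519", bytes(range(32, 64)))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed example",
    "192.168.53.130 ssh-ed25519 " + KEY_A,                            # plain entry
    hash_hostname("192.168.53.130", SALT) + " ssh-ed25519 " + KEY_A,   # same host, hashed
    "myhost.org,10.0.0.5 ssh-ed25519 " + KEY_B,                       # two names, one key
]) + "\n"

if __name__ == "__main__":
    for key_type, fp in entries_for(SAMPLE_KNOWN_HOSTS, "192.168.53.130"):
        print(key_type, fp)   # compare with the published fingerprint before trusting
    print(remove_host(SAMPLE_KNOWN_HOSTS, "192.168.53.130"), end="")
```

Point it at your own file with open("~/.ssh/known_hosts") expanded and a host name in exactly the form ssh uses (a non-standard port is written as [host]:port in the host field).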
Server offering outdated and insecure algorithms
Usually legacy network gear like the old switch in the config entry at the end of this section. The + prefix appends to the client's default list instead of replacing it, so the strong algorithms stay preferred and only the legacy one is added for this host. Re-enable no more than the error message asks for, and when the server offers both, prefer diffie-hellman-group14-sha1 (2048-bit group) over diffie-hellman-group1-sha1 (1024-bit group, within reach of well-funded precomputation). ssh-rsa as a host key algorithm means RSA signatures over SHA-1, which OpenSSH disabled by default in 8.8; ssh-dss is 1024-bit DSA.
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-rsa -oMacs=+hmac-sha1 admin@192.168.1.100
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-dss -c aes128-cbc admin@192.168.1.100
Error: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
Fix (group14-sha1 would be the better choice here, since the server offers it as well):
-oKexAlgorithms=+diffie-hellman-group1-sha1
What the client can do (not the same as what it enables by default):
# ssh -Q kex
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256
curve25519-sha256@libssh.org
Error: no matching host key type found. Their offer: ssh-rsa
Fix:
-oHostKeyAlgorithms=+ssh-rsa
What the client can do:
# ssh -Q key
ssh-ed25519
ssh-ed25519-cert-v01@openssh.com
sk-ssh-ed25519@openssh.com
sk-ssh-ed25519-cert-v01@openssh.com
ecdsa-sha2-nistp256
ecdsa-sha2-nistp256-cert-v01@openssh.com
ecdsa-sha2-nistp384
ecdsa-sha2-nistp384-cert-v01@openssh.com
ecdsa-sha2-nistp521
ecdsa-sha2-nistp521-cert-v01@openssh.com
sk-ecdsa-sha2-nistp256@openssh.com
sk-ecdsa-sha2-nistp256-cert-v01@openssh.com
ssh-dss
ssh-dss-cert-v01@openssh.com
ssh-rsa
ssh-rsa-cert-v01@openssh.com
Error: no matching MAC found. Their offer: hmac-sha1-96,hmac-md5,hmac-sha1,hmac-md5-96
Fix (hmac-sha1 is the least bad of the four: full-length tag, no MD5):
-oMacs=+hmac-sha1
What the client can do:
# ssh -Q mac
hmac-sha1
hmac-sha1-96
hmac-sha2-256
hmac-sha2-512
hmac-md5
hmac-md5-96
umac-64@openssh.com
umac-128@openssh.com
hmac-sha1-etm@openssh.com
hmac-sha1-96-etm@openssh.com
hmac-sha2-256-etm@openssh.com
hmac-sha2-512-etm@openssh.com
hmac-md5-etm@openssh.com
hmac-md5-96-etm@openssh.com
umac-64-etm@openssh.com
umac-128-etm@openssh.com
Cipher (no error line captured for this one; -c is the command-line shorthand for the Ciphers option)
-c aes128-cbc
What the client can do:
ssh -Q cipher
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com
Corresponding entry in ~/.ssh/config (the second command's host key and cipher choices map to HostKeyAlgorithms and Ciphers lines in the same way):
Host oldswitch
Hostname 192.168.1.100
User admin
KexAlgorithms +diffie-hellman-group1-sha1
HostKeyAlgorithms +ssh-rsa
Macs +hmac-sha1
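The three error lines quoted above, run through a small helper that picks the least-bad algorithm the server offers among those the client's ssh -Q listings support, and prints the -o option or config line that adds it. This is an added example, not OpenSSH code: the CLIENT lists are copied from the ssh -Q output on this page (certificate and security-key variants left out), the weakness weights are the editor's own ranking rather than anything ssh reports, and client_lists_from_ssh is an optional helper that reads the real lists from an installed ssh.

```python
"""From ssh's "no matching ... found. Their offer: ..." line, pick the least-bad
algorithm the server offers that the local client can still enable, and print
the -o option / ssh_config line that adds it.  Added example, not OpenSSH code:
the CLIENT lists are copied from the `ssh -Q` listings on this page, and the
weakness weights are the editor's ranking, not something ssh reports."""
import re

# Failure wording -> (ssh_config keyword, `ssh -Q` query that lists client support).
CATEGORIES = {
    "key exchange method": ("KexAlgorithms", "kex"),
    "host key type": ("HostKeyAlgorithms", "key"),
    "MAC": ("MACs", "mac"),
    "cipher": ("Ciphers", "cipher"),
}

# Substrings that mark an algorithm as legacy, with a weight (higher = worse):
# group1- is a 1024-bit DH group, ssh-dss is 1024-bit DSA, md5 and sha1 are
# broken hashes, -96 truncates the MAC tag, -cbc is CBC mode.
WEAKNESS = {"group1-": 4, "ssh-dss": 4, "md5": 3, "-96": 2, "-cbc": 2, "sha1": 1}

# What this client *can* do (from `ssh -Q` above); not the same as its default list.
# Certificate and security-key variants are left out for brevity.
CLIENT = {
    "kex": ["diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
            "diffie-hellman-group14-sha256", "diffie-hellman-group16-sha512",
            "diffie-hellman-group18-sha512", "diffie-hellman-group-exchange-sha1",
            "diffie-hellman-group-exchange-sha256", "ecdh-sha2-nistp256",
            "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "curve25519-sha256",
            "curve25519-sha256@libssh.org"],
    "key": ["ssh-ed25519", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
            "ecdsa-sha2-nistp521", "ssh-dss", "ssh-rsa"],
    "mac": ["hmac-sha1", "hmac-sha1-96", "hmac-sha2-256", "hmac-sha2-512",
            "hmac-md5", "hmac-md5-96", "umac-64@openssh.com", "umac-128@openssh.com",
            "hmac-sha1-etm@openssh.com", "hmac-sha2-256-etm@openssh.com",
            "hmac-sha2-512-etm@openssh.com"],
    "cipher": ["3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc", "aes128-ctr",
               "aes192-ctr", "aes256-ctr", "aes128-gcm@openssh.com",
               "aes256-gcm@openssh.com", "chacha20-poly1305@openssh.com"],
}

FAILURE = re.compile(r"no matching (key exchange method|host key type|MAC|cipher) found\. "
                     r"Their offer: (\S+)")


def badness(algorithm: str) -> int:
    """0 for anything not on the watch list.  Plain ssh-rsa (RSA with SHA-1
    signatures, off by default since OpenSSH 8.8) gets 1 although 'sha1' is not in its name."""
    score = sum(weight for marker, weight in WEAKNESS.items() if marker in algorithm)
    return score + (1 if algorithm == "ssh-rsa" else 0)


def parse_failure(line: str):
    """(keyword, query, offered list) or None if the line is not a negotiation failure."""
    match = FAILURE.search(line)
    if not match:
        return None
    keyword, query = CATEGORIES[match.group(1)]
    return keyword, query, match.group(2).split(",")


def choose(line: str, client=CLIENT):
    """(keyword, algorithm) for the least-bad offered algorithm the client supports;
    ties keep the server's order.  None if nothing is usable."""
    parsed = parse_failure(line)
    if parsed is None:
        return None
    keyword, query, offered = parsed
    usable = [a for a in offered if a in client[query]]
    if not usable:
        return None
    best = min(usable, key=lambda a: (badness(a), offered.index(a)))
    return keyword, best


def option(line: str, client=CLIENT):
    """Command-line form.  '+' appends to the default list, so the strong
    algorithms stay preferred and only this one is added."""
    choice = choose(line, client)
    return None if choice is None else "-o%s=+%s" % choice


def config_lines(lines, client=CLIENT):
    """Lines for a Host block in ~/.ssh/config, one per recognised failure."""
    choices = [choose(line, client) for line in lines]
    return ["    %s +%s" % choice for choice in choices if choice]


def client_lists_from_ssh():
    """Same shape as CLIENT, read from the installed ssh instead (needs OpenSSH)."""
    import subprocess
    return {q: subprocess.run(["ssh", "-Q", q], capture_output=True, text=True,
                              check=True).stdout.split() for q in CLIENT}


# Constructed input: the three failure lines quoted on this page.
ERRORS = [
    "no matching key exchange method found. Their offer: "
    "diffie-hellman-group1-sha1,diffie-hellman-group14-sha1",
    "no matching host key type found. Their offer: ssh-rsa",
    "no matching MAC found. Their offer: hmac-sha1-96,hmac-md5,hmac-sha1,hmac-md5-96",
]

if __name__ == "__main__":
    print(" ".join(option(e) for e in ERRORS))
    print("Host oldswitch")
    print("\n".join(config_lines(ERRORS)))
```

Feed it the full "Unable to negotiate with host port 22: no matching ..." line that ssh prints; the regex only looks at the part after the colon. Swap CLIENT for client_lists_from_ssh() to rank against what your own binary supports.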