- SUDO
- Config > Less Time
- Config > More Security
- Config > Keep Alive
- Config > Remember to Restart
- Config > All Above Together
- To Allow Root Login w/ Password
- SSH Tunneling
- Generate Keys for Openssh-server
- REMOVE FINGERPRINT CHECK INFO
- RUN A COMMAND ON REMOTE SERVER
- RUN A SCRIPT ON REMOTE SERVER
- DISABLE PROMPTS OF APT-GET (DIST-)UPGRADE / INSTALL GRUB
- Config Putty
Note: Putty officially recommends to use Bitvise SSH Client & Server.
SUDO
no passwd for sudo
vim /etc/sudoers
modify ALL=(ALL) ALL to ALL=(ALL) NOPASSWD:ALL (add NOPASSWD: before the last ALL)
Config > Less Time
Add two commands to avoid long time before asking passwords:
GSSAPIAuthentication no
UseDNS noGSS API is alternative to SSH-keys
Config > More Security
Change to get high security by using key auth only:
PasswordAuthentication no
ChallengeResponseAuthentication noConfig > Keep Alive
On server:
ClientAliveInterval 100
ClientAliveCountMax 2(this can also be done on clients, but usually clients_nr > server_nr.)
Config > Remember to Restart
sudo service ssh restart
Config > All Above Together
echo ' ' >> /etc/ssh/sshd_config; echo 'GSSAPIAuthentication no' >> /etc/ssh/sshd_config; echo 'UseDNS no' >> /etc/ssh/sshd_config; echo 'PasswordAuthentication no' >> /etc/ssh/sshd_config; echo 'ChallengeResponseAuthentication no' >> /etc/ssh/sshd_config; echo "ClientAliveInterval 100" | sudo tee -a /etc/ssh/sshd_config echo "ClientAliveCountMax 2" | sudo tee -a /etc/ssh/sshd_config echo ' ' >> /etc/ssh/sshd_config; service ssh restart && sleep 1 && service ssh status
To Allow Root Login w/ Password
Note: dangerous, use for tests only.
sed -i 's/.*PermitRootLogin.*//' /etc/ssh/sshd_config echo 'PermitRootLogin yes' >> /etc/ssh/sshd_config sed -i 's/.*PasswordAuthentication.*//' /etc/ssh/sshd_config echo 'PasswordAuthentication yes' >> /etc/ssh/sshd_config service ssh restart && sleep 1 && service ssh status
SSH Tunneling
port forwarding (direct forwarding)
Suppose we want the client to Listen on80 and forward all traffic via SSH-server to localhost:8888 (a jupyter is running on "localhost" on the server).
nix as client:
ssh -L 80:localhost:8888 [email protected]_server_ip
win as client:
socks proxy (dynamic port forwarding)
nix:
ssh -D 9876 -f -C -q -N [email protected]_ssh_server-D 9876 : dynamic, it behave as a SOCKS server.-f : fork the process into the background after you type your password.-C : compression on.-q : quiet mode. Since this is just a tunnel we can make it quiet.-N : no command will be sent. (the -f will complain if we don’t specify this)
win:
putty ssh tunnels > source port 9876; dest: Dynamic.
bitvise > services > SOCKS proxy > enable > listen port 9876.
in firefox:
about:config
network.proxy.no_proxies_on : localhost, 127.0.0.1, 192.168.0.0/24, .yourcompany.com
network.proxy.socks : 127.0.0.1
network.proxy.socks_port : 8080
network.proxy.socks.remote_dns : true
network.proxy.socks_version : 5
network.proxy.type : 1Generate Keys for Openssh-server
(OBS: putty-gen can convert .ppk to openssh, but not vice-versa. cuz .ppk contains key pair.)
in windows with putty
Run PUTTYGEN.EXE: (OBS: some servers support 2048 only)
Result:
- Change "Key comment" !!! (will influence .ppk chucksum, so canNOT be easily changed later).
- Give passphrase (recommended).
- Copy the "public key for ... authorized_keys" content to file "authorized_keys" (OpenSSH, most Nix distribution).
- "Save private key" to .ppk (private & public pair, putty).
- Menu > Conversions > "Export OpenSSH Key" > file "id_rsa" (private, OpenSSH).
in nix
Generate and distribute:
ssh-keygen -b 2048 ssh-copy-id -i $HOME/.ssh/id_rsa.pub [email protected] ssh-copy-id -i $HOME/.ssh/id_rsa.pub [email protected]
REMOVE FINGERPRINT CHECK INFO
method 1: add fingerpring for all nodes
(this may insert redundant/duplicate items if any is already exiting, but no problems.)
ssh-keyscan -H ip_domain_1,ip_domain_2,ip_domain_3 >> ~/.ssh/known_hosts
Batch from a file example:
ssh-keyscan -f $HADOOP_HOME/etc/hadoop/slaves -H >> ~/.ssh/known_hosts
method 2: permanently disable check (not recommended)
ssh config:
Host *
StrictHostKeyChecking nomethod 3: ssh w/ -o to each node to trigger auto-adding fingerprint
(why not use ssh-keyscan instead?)
ssh -oStrictHostKeyChecking=no 192.168.1.1
RUN A COMMAND ON REMOTE SERVER
ssh [email protected] "echo \$HOME" # need to escape variables
RUN A SCRIPT ON REMOTE SERVER
Nix as driver:
ssh [email protected] 'bash -s' < myscript.sh
Win as driver, see here.
DISABLE PROMPTS OF APT-GET (DIST-)UPGRADE / INSTALL GRUB
sudo DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" upgrade