Note: PuTTY officially recommends using Bitvise SSH Client & Server.

SUDO

no passwd for sudo

vim /etc/sudoers

modify ALL=(ALL) ALL to ALL=(ALL) NOPASSWD:ALL (add NOPASSWD: before the last ALL)

Config > Less Time

Add two settings to /etc/ssh/sshd_config to avoid a long delay before the password prompt:

GSSAPIAuthentication no
UseDNS no

GSSAPI is an alternative to SSH keys.

Config > More Security

For higher security, allow key authentication only:

PasswordAuthentication no
ChallengeResponseAuthentication no

Config > Keep Alive

On server:

ClientAliveInterval 100
ClientAliveCountMax 2

(This can also be done on clients, but there are usually more clients than servers.)

Config > Remember to Restart

sudo service ssh restart

Config > All Above Together

# Append all of the settings above in one go (works from a non-root account with sudo).
sudo tee -a /etc/ssh/sshd_config > /dev/null <<'EOF'

GSSAPIAuthentication no
UseDNS no
PasswordAuthentication no
ChallengeResponseAuthentication no
ClientAliveInterval 100
ClientAliveCountMax 2

EOF
sudo service ssh restart && sleep 1 && sudo service ssh status
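
Appending only takes effect when the keyword is not already set earlier in the file: sshd uses the first value it reads for each keyword, and a line appended after a Match block falls inside that block. The script below is an added example, not part of the original notes; effective_value and set_option are hypothetical helper names, the sample config is constructed, and only space-separated "Keyword value" lines in the main file (no Include files) are handled.

```shell
#!/bin/sh
# Added example; effective_value and set_option are hypothetical helper names.

# effective_value FILE KEYWORD: print the first active global value, if any.
effective_value() {
    awk -v key="$2" '
        tolower($1) == "match"      { exit }    # global section ends here
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# set_option FILE KEYWORD VALUE: make VALUE the effective global setting.
# The new line is written first; older global lines for KEYWORD are commented.
set_option() {
    [ "$(effective_value "$1" "$2")" = "$3" ] && return 0    # nothing to do
    tmp=$(mktemp) || return 1
    awk -v key="$2" -v val="$3" '
        BEGIN                                    { print key " " val }
        tolower($1) == "match"                   { in_match = 1 }
        !in_match && tolower($1) == tolower(key) { print "#" $0; next }
                                                 { print }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"    # cat keeps the file owner and mode
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Constructed sample config: passwords enabled globally, plus a Match block.
demo() {
    cfg=$(mktemp) || return 1
    printf '%s\n' '#UseDNS yes' 'PasswordAuthentication yes' \
        'Match User backup' '    X11Forwarding no' > "$cfg"
    echo 'PasswordAuthentication no' >> "$cfg"    # append, as in the notes
    echo "after append:     $(effective_value "$cfg" PasswordAuthentication)"
    set_option "$cfg" PasswordAuthentication no
    echo "after set_option: $(effective_value "$cfg" PasswordAuthentication)"
    rm -f "$cfg"
}
demo
```

On a real server, run `sudo sshd -t` before restarting and read the result back with `sudo sshd -T | grep -i passwordauthentication`.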

To Allow Root Login w/ Password

Note: dangerous, use for tests only.

sed -i 's/.*PermitRootLogin.*//' /etc/ssh/sshd_config
echo 'PermitRootLogin yes' >> /etc/ssh/sshd_config

sed -i 's/.*PasswordAuthentication.*//' /etc/ssh/sshd_config
echo 'PasswordAuthentication yes' >> /etc/ssh/sshd_config

service ssh restart && sleep 1 && service ssh status

SSH Tunneling

port forwarding (direct forwarding)

Suppose we want the client to listen on port 80 and forward all traffic via the SSH server to localhost:8888 (a Jupyter server is running on "localhost" on the server).

nix as client:

ssh -L 80:localhost:8888 user@ssh_server_ip

win as client:

socks proxy (dynamic port forwarding)

nix:

ssh -D 9876 -f -C -q -N user@ssh_server
-D 9876 : dynamic forwarding; ssh behaves as a SOCKS server on local port 9876.
-f : fork the process into the background after you type your password.
-C : compression on.
-q : quiet mode. Since this is just a tunnel we can make it quiet.
-N : no command will be sent. (the -f will complain if we don’t specify this)

win:

putty ssh tunnels > source port 9876; dest: Dynamic.
bitvise > services > SOCKS proxy > enable > listen port 9876.

in firefox:

about:config

network.proxy.no_proxies_on : localhost, 127.0.0.1, 192.168.0.0/24, .yourcompany.com
network.proxy.socks : 127.0.0.1
network.proxy.socks_port : 9876
network.proxy.socks.remote_dns : true
network.proxy.socks_version : 5
network.proxy.type : 1

Generate Keys for Openssh-server

(OBS: PuTTYgen can convert .ppk to OpenSSH format, but not vice versa, because .ppk contains the key pair.)

in windows with putty

Run PUTTYGEN.EXE: (OBS: some servers support 2048 only)

Result:

  1. Change "Key comment" !!! (it influences the .ppk checksum, so it canNOT be easily changed later).
  2. Give passphrase (recommended).
  3. Copy the "public key for ... authorized_keys" content to file "authorized_keys" (OpenSSH, most Nix distributions).
  4. "Save private key" to .ppk (private & public pair, putty).
  5. Menu > Conversions > "Export OpenSSH Key" > file "id_rsa" (private, OpenSSH).

in nix

Generate and distribute:

ssh-keygen -b 2048
ssh-copy-id -i $HOME/.ssh/id_rsa.pub user@host_1
ssh-copy-id -i $HOME/.ssh/id_rsa.pub user@host_2

REMOVE FINGERPRINT CHECK INFO

method 1: add fingerprints for all nodes

(this may insert redundant/duplicate items if any already exist, but that causes no problems.)

ssh-keyscan -H ip_domain_1,ip_domain_2,ip_domain_3 >> ~/.ssh/known_hosts

Batch from a file example:

ssh-keyscan -f $HADOOP_HOME/etc/hadoop/slaves -H >> ~/.ssh/known_hosts

method 2: permanently disable check (not recommended)

ssh config:

Host *
    StrictHostKeyChecking no

method 3: ssh w/ -o to each node to trigger auto-adding fingerprint

(why not use ssh-keyscan instead?)

ssh -oStrictHostKeyChecking=no 192.168.1.1

RUN A COMMAND ON REMOTE SERVER

ssh user@host "echo \$HOME" # need to escape variables

RUN A SCRIPT ON REMOTE SERVER

Nix as driver:

ssh user@host 'bash -s' < myscript.sh

Win as driver, see here.

DISABLE PROMPTS OF APT-GET (DIST-)UPGRADE / INSTALL GRUB

sudo DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" upgrade

Config Putty

here

Mosh (Mobile-Shell)

install

Windows cygwin (or simply use chrome):

C:\cygwin64\setup-x86_64.exe -q mobile-shell
C:\cygwin64\Cygwin.bat

Nix:

sudo apt install mosh

run

mosh host_or_ip
# or
mosh --ssh="ssh -p 80" user@host_or_ip

NOTE: --ssh=... is used here to set the SSH port, because mosh -p sets the mosh port, not the SSH one.