| Add passphrase protection to ssh keyfile | ssh-keygen -p -f id_rsa |
| configure SSH to avoid trying all identity files | ssh -o IdentitiesOnly=yes -i id1.key [email protected] |
| Convert OpenSSL format to SSH-RSA format | ssh-keygen -f my_ssh.pub -i |
| Critical ssh files/folders | ~/.ssh/authorized_keys, ~/.ssh/config, ~/.ssh/known_hosts |
| SSH config file | /etc/ssh/ssh_config, /etc/ssh/sshd_config |
| SSH key file permission | chmod 600 ~/.ssh/id_rsa |
| SSH folder permission | chmod 700 ~/.ssh, chown -R $USER:$USER ~/.ssh |
| Authorizedkeys file permission | chmod 644 ~/.ssh/authorized_keys |
Mute Warning: Permanently added | ssh -o LogLevel=error |
Tag: SSH Cheat Sheet
This cheat sheet includes basic command and methods to help you using SSH. SSH or Secure Shell is a network protocol that allows one computer to securely connect to another computer over an unsecured network, like the internet, by having a shared agreement of how to communicate.
| SSH port forward to a local port | ssh -N -i <ssh-keyfile> -f [email protected] -L *:18085:localhost:8085 -n /bin/bash |
| Reverse port forward to remote server | ssh -R *:40099:localhost:22 [email protected], ssh -p 40099 [email protected] |
| Setup ssh tunnel for your web browsing | sshuttle -r [email protected] 30.0.0.0/16 192.168.111.0/24 192.168.150.0/24 192.167.0.0/24 |
| Disable ssh by password | sed -i 's/PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config |
| Disable root login | sed -i 's/^PermitRootLogin yes/#PermitRootLogin yes/' /etc/ssh/sshd_config |
| Enable/Disable SSH Host Key Checking | StrictHostKeyChecking yes change ~/.ssh/config |
| Protect SSH server from brute force attacks | using fail2ban command-line tool |
| Download a remote folder | scp -r ec2-user@<ssh-host>:/home/letsencrypt-20180825 ./ |
| Upload a file | scp -i <ssh-keyfile> /tmp/hosts ec2-user@<ssh-host>:/root/ |
| Upload a folder | scp -r /tmp/abc/ ec2-user@<ssh-host>:/root/ |
| Upload with timestamps/permissions kept | scp -rp /tmp/abc/ ec2-user@<ssh-host>:/root/ |
| Mount remote directory as local folder | sshfs [email protected]:/path/remote_folder /path/local_folder |
| Events of ssh down | grep -R "ssh.*Received signal 15" /var/log/auth.log |
| Events of ssh up | grep -R "sshd.*Server listening" /var/log/auth.log |
| Events of ssh failed login | grep -R "sshd.*Failed password for invalid user" /var/log/auth.log |
| Events of ssh break-in attemp | grep -R "sshd.*POSSIBLE BREAK-IN ATTEMPT!" /var/log/auth.log |
| Events of ssh port scap | grep -R "sshd.*Bad protocol version identification" /var/log/auth.log |
| Events of ssh login by public key | grep -R "sshd.*Accepted publickey for" /var/log/auth.log |
| Events of ssh login by password | grep -R "sshd.*Accepted password for" /var/log/auth.log |
| Events of ssh logout event | grep -R "sshd.*pam_unix(sshd:session): session closed for" /var/log/auth.log |
eval $(ssh-agent) # Start agent on demand
ssh-add -l # List keys
ssh-add # Add default key
ssh-add ~/.ssh/id_rsa # Add specific key
ssh-add -t 3600 ~/.ssh/id_rsa # Add with timeout
ssh-add -D # Drop keys
ssh -A ... # Enforce agent forwardingHost unreachable_host
ProxyCommand ssh -e none gateway_host exec nc %h %pssh -J Jumphost FooServer
ssh -J Jumphost [email protected]
ssh -J hello.vpn.cyberciti.biz www.nixcraft.com
ssh -J hello.vpn.cyberciti.biz:22 [email protected]
Host <your jump host>
ForwardAgent yes
Hostname <your jump host>
User <your user name on jump host>
# Note the server list can have wild cards, e.g. "webserver-* database*"
Host <server list>
ForwardAgent yes
User <your user name on all these hosts>
ProxyCommand ssh -q <your jump host> nc -q0 %h 22Host myserver
User myuser
Host myserver.com
ProxyCommand bash -c '/usr/bin/knock %h 1000 2000 3000 4000; sleep 1; exec /bin/nc %h %p'# Enforce a umask with SFTP
Subsystem sftp /usr/libexec/openssh/sftp-server -u 0002# Parallel SSH on Debian
apt-get install pssh=> using
pssh -h host_list.txt <command>
pssh -i -t 60 -h host_list.txt -- <command> # 60s timeout, list output# Clustered SSH on Debian
apt-get install clusterssh=> using
cssh server1 server2# Vim Remote File Editing:
vim scp:[email protected]//some/directory/file.txt# Use GPG keys with SSH agent
monkeysphere subkey-to-ssh-agent -t 3600# Knockd installation
apt update
apt install -y knockd iptables-persistent# iptables rules
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --destination-port 22 -j DROP
iptables-save > /etc/iptables/rules.v4These commands will do the following:
- Instruct iptables to keep existing connections alive.
- Instruct iptables to drop any connection to port tcp/22 (if your SSH daemon is listening on a port other than 22, you should modify the above command accordingly.)
- Save these two rules so they will persist after a reboot.
# Knockd configuration
Open the file /etc/knockd.conf
You will see:
[openSSH]
sequence = 7000,8000,9000
seq_timeout = 5
command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = synChange the opening sequence:
[openSSH]
sequence = x,y,zChange the command value :
command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPTChange the closing sequence accordingly:
[closeSSH]
sequence = z,y,xSave your changes and exit, and open the file /etc/default/knockd
- Replace
START_KNOCKD=0withSTART_KNOCKD=1. - Add the following line to the end of the file:
KNOCKD_OPTS="-i ens3"(replaceens3with the name of your public network interface if it differs.) - Save and exit.
Start Knockd:
systemctl start knockd~. | terminate the connection (and any multiplexed sessions) |
~B | send a BREAK to the remote system |
~C | open a command line |
~R | Request rekey (SSH protocol 2 only) |
~^Z | suspend ssh |
~# | list forwarded connections |
~& | background ssh (when waiting for connections to terminate) |
~? | this message |
~~ | send the escape character by typing it twice |