SSH commands in detail

  • Until SSH, telnet was the standard way to connect to a server. Telnet was highly insecure because it did not encrypt the communication between you and the server you were connecting to.
  • This meant that anyone on the same network as you could steal your Linux user password and see everything you did on that server during your telnet session.
  • The SSH protocol uses strong encryption to avoid this, and the OpenSSH daemon is built very carefully to avoid security bugs as much as possible.
  • Currently OpenSSH is used by millions of servers and has stood the test of time, proving very hard to hack.
  • SSH is a network protocol for accessing a server securely from a client machine.
  • The OpenSSH daemon (sshd) runs in the background on the server all the time.
  • SSH means Secure Shell.
  • With SSH, when you log in to a system you get an interactive login shell.


How does SSH work?

See the following diagram:



See ssh verbose output & logs:

[satish@host]$ ssh -v user@server_ip_address

[satish@host]$ tail -f /var/log/secure



What is ssh-keygen?


  • ssh-keygen is a utility that generates, manages and converts authentication keys for ssh; ssh-keygen -t rsa generates an RSA key pair.
  • ssh-keygen stores the public key and private key in the user's home directory under the .ssh folder.
  • Make sure .ssh has the right permissions, otherwise you might get an error.
    • chmod g-w $HOME
    • chmod 700 $HOME/.ssh
  • Other than the public key and private key, there could be two more files in the .ssh folder.
    • known_hosts is maintained on the client machine. This file ensures that you are connecting to the right server.
    • authorized_keys is maintained on the server machine. This file contains the list of public keys of users who have access to the server.
    • chmod 600 $HOME/.ssh/authorized_keys
    • If a user needs access to your server, usually they generate a key pair and you add their public key to authorized_keys.

     


Generate the public key if you have a pem file:

[satish@host]$ ssh-keygen -y -f ssh-recover.pem 



What is ssh-keyscan?

  • ssh-keyscan gathers the SSH public host keys of a server.
  • This utility is mainly designed to build and verify the known_hosts file.
[satish@host]$ cat $HOME/.ssh/known_hosts

[satish@host]$ cat $HOME/.ssh/known_hosts | awk '{ print $3 }'


To delete the existing public key associated with a server you could use the sed command, then re-add the server's current key with ssh-keyscan.

[satish@host]$ sed -i "/192.168.100.112/d" $HOME/.ssh/known_hosts
[satish@host]$ ssh-keyscan 192.168.100.112 >> $HOME/.ssh/known_hosts

OR

[satish@host]$ ssh-keygen -R 10.11.12.9 


What is sshpass?

  • sshpass is a command line utility that supplies the password for you where ssh would otherwise prompt for one.
  • It is used for non-interactive SSH login.
  • It can be used in shell scripts for automation purposes.
    • sshpass -p Alter1! ssh username@192.168.100.112
    • sshpass -f passwordfile.txt ssh username@192.168.100.112
    • cat passwordfile.txt
      Alter1!


What is ssh-copy-id?

  • ssh-copy-id is useful when you want to add your public key to the server's authorized_keys so that a passwordless connection can be established.
[satish@host]$ ssh-copy-id -i $HOME/.ssh/id_rsa.pub user_name@server_address
[satish@host]$ sshpass -p Alter1! ssh-copy-id user_name@server_address


How do we set up a passwordless connection using a key pair?

  • You just need to copy the content of your public key, i.e. id_rsa.pub, and add it to the remote server's ~/.ssh/authorized_keys file.
[satish@host]$ ssh <user_name>@<ssh-server_address> 'cat >> ~/.ssh/authorized_keys' < id_rsa.pub
[satish@host]$ ssh <user_name>@<remote_ssh-server> -i id_rsa


Improve the security of ssh:

  • You can force people to use key-based authentication by disabling password authentication.
    • [satish@host]$ sudo vim /etc/ssh/sshd_config
      PasswordAuthentication no
      [satish@host]$ sudo systemctl restart sshd
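Turning PasswordAuthentication off by itself still leaves keyboard-interactive (PAM) password prompts and root logins enabled on many distributions. The fragment below is an added example, not part of the original post and not the OpenSSH defaults, of an sshd_config that enforces key-only access; the ssh-users group name is a hypothetical placeholder.

```sshd_config
# Added example: key-only login policy for /etc/ssh/sshd_config.
# sshd rejects trailing comments on option lines, so notes sit on their own line.
PubkeyAuthentication yes
PasswordAuthentication no
# Also blocks the PAM password prompt; older releases spell this
# ChallengeResponseAuthentication
KbdInteractiveAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
MaxAuthTries 3
# Hypothetical group: only its members may log in at all
AllowGroups ssh-users

# Match blocks must stay at the end of the file
Match User satish
    PasswordAuthentication no
```

Run `sudo sshd -t` before restarting; no output and exit status 0 means the file parses. Keep your current session open while you run `sudo systemctl restart sshd`, so a typo cannot lock you out.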



SSH tunneling using the command line (remote port forwarding with -R):

[satish@host]$ ssh -R [bind_address:]port:host:hostport user@server_address



SCP command syntax:

[satish@host]$ scp -i mykey.pem somefile.txt ec2-user@145.34.56.43:/home/ec2-user


Configure SSH servers and clients:


server : vi /etc/ssh/sshd_config
client : vi /etc/ssh/ssh_config

server : vi /etc/ssh/sshd_config
Match User satish
     PasswordAuthentication no

client : vi $HOME/.ssh/config
Host centos
        HostName 10.11.12.9
        Port 22
        User aaron
:wq
chmod 600 $HOME/.ssh/config
ssh centos
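The alias above already saves typing; the following ~/.ssh/config is an added example (not from the original post) that extends it with the client-side options that matter for security. The IdentityFile path and the Host * defaults are assumptions for illustration.

```ssh_config
# Added example: ~/.ssh/config extending the "centos" alias from the post.
# The IdentityFile name is assumed.
Host centos
    HostName 10.11.12.9
    Port 22
    User aaron
    IdentityFile ~/.ssh/id_ed25519_centos
    # Offer only this key; otherwise every key loaded in the agent is tried
    # first, and a busy agent can exhaust the server's MaxAuthTries
    IdentitiesOnly yes

# ssh takes the first value it finds for each option, so host-specific
# sections go above and the catch-all defaults go last.
Host *
    # Prompt on first contact and refuse a changed key; scripts should pin
    # the key in known_hosts rather than pass StrictHostKeyChecking=no
    StrictHostKeyChecking ask
    HashKnownHosts yes
    # Do not expose the local agent to remote hosts unless a host needs it
    ForwardAgent no
```

With HashKnownHosts on, entries in known_hosts no longer show the hostname, so use `ssh-keygen -F host` to look one up and `ssh-keygen -R host` to remove it.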



Issues1:

Sometimes while running a script from Jenkins or from a shell script you might get the following error:

+ ssh user_name@192.168.100.112
Pseudo-terminal will not be allocated because stdin is not a terminal.
Host key verification failed.

Resolution:

[satish@host]$ ssh -o StrictHostKeyChecking=no user_name@192.168.100.112 "echo hello $hostname"


Issues2:

Sometimes when you try to ssh to a server you might get the following errors:

Permission denied, please try again.
Permission denied (publickey,password).

Resolution:
You might need to check the permissions of the .ssh folder on the target machine.

chmod 700 $HOME/.ssh
chmod 600 $HOME/.ssh/authorized_keys



Issues3:

Sometimes when you try to ssh to a server you might get the following issue:

$ ssh -i key-pair.pem admin@10.131.168.188
Unable to negotiate with 10.131.168.188 port 22: no matching key exchange method found. Their offer: diffie-hellman-group14-sha1

$ ssh -i key-pair.pem admin@10.131.168.188 -o KexAlgorithms=diffie-hellman-group14-sha1
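Enabling a SHA-1 key exchange on the command line works, but it is easy to forget that the option is a downgrade and to start passing it everywhere. The ~/.ssh/config fragment below is an added example (not from the original post) that confines the legacy algorithm to the one host that needs it; the alias is assumed, the address and key file are the ones from the error above.

```ssh_config
# Added example: scope the legacy key exchange from Issue 3 to a single host.
Host legacy-admin
    HostName 10.131.168.188
    User admin
    IdentityFile ~/.ssh/key-pair.pem
    # "+" appends to the client's default list instead of replacing it, so
    # a server that later gains a modern algorithm is negotiated up; a bare
    # "KexAlgorithms diffie-hellman-group14-sha1" would pin SHA-1 for good
    KexAlgorithms +diffie-hellman-group14-sha1
```

After that, `ssh legacy-admin` works without the -o flag while every other host keeps the default algorithm set. The lasting fix is upgrading the server's OpenSSH, at which point the block can be deleted.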



Some Automation Tips:

Check whether authorized_keys exists on the server, and create it with the right permissions if it does not.

[satish@host]$ sshpass -p Alter1! ssh user_name@server_address -o StrictHostKeyChecking=no "if [[ ! -f ~/.ssh/authorized_keys ]]; then mkdir -p ~/.ssh; chmod 700 ~/.ssh; touch ~/.ssh/authorized_keys; chmod 600 ~/.ssh/authorized_keys; fi"
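The one-liner above creates the file but, without the chmod calls, leaves its mode to the remote umask, which is exactly how the "Permission denied (publickey)" case in Issue 2 arises; and a job that appends a key on every run fills authorized_keys with duplicates. The helpers below are an added example (not part of the original post) for the remote side of that job: they create ~/.ssh with the modes sshd's StrictModes requires, add a key only if its blob is not already listed (also when the existing entry carries options such as command=), and audit the permissions Issue 2 tells you to check. They assume POSIX sh with awk; all key lines in comments and tests are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: remote-side helpers for the
# authorized_keys automation tip and the permission checks from Issue 2.
# Assumes POSIX sh and awk.  Key lines mentioned here are constructed
# placeholders, not real keys.

# Create DIR (normally $HOME/.ssh) and its authorized_keys with the modes
# sshd's StrictModes requires: 700 on the directory, 600 on the file.  A
# group- or world-writable directory makes sshd ignore the keys, which shows
# up on the client as "Permission denied (publickey)".
ensure_ssh_dir() {
  dir=$1
  mkdir -p "$dir" && chmod 700 "$dir" \
    && touch "$dir/authorized_keys" && chmod 600 "$dir/authorized_keys"
}

# Extract the base64 key blob from an OpenSSH public key line.  The line may
# start with options (command="...",no-pty ...), so the blob is the field
# right after the key type rather than always field 2.
key_blob() {
  printf '%s\n' "$1" | awk '{
    for (i = 1; i < NF; i++)
      if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $(i + 1); exit }
  }'
}

# Append PUBKEY to DIR/authorized_keys unless the same blob is already
# listed, so re-running a Jenkins job does not pile up duplicates.
add_authorized_key() {
  dir=$1; pubkey=$2
  ensure_ssh_dir "$dir" || return 1
  blob=$(key_blob "$pubkey")
  [ -n "$blob" ] || { echo "not an OpenSSH public key line: $pubkey" >&2; return 1; }
  if awk -v b="$blob" '
      { for (i = 1; i < NF; i++) if ($i ~ /^(ssh-|ecdsa-|sk-)/ && $(i + 1) == b) found = 1 }
      END { exit !found }' "$dir/authorized_keys"; then
    return 0        # already present, nothing to do
  fi
  printf '%s\n' "$pubkey" >> "$dir/authorized_keys"
}

# Symbolic mode of a path, e.g. "drwx------".  ls -ld is used because the
# stat flags differ between GNU and BSD userlands.
mode_of() {
  ls -ld "$1" | cut -c1-10
}

# Report every file in DIR whose mode sshd or ssh would reject.  Prints one
# line per problem; returns 0 when clean, 1 otherwise.
audit_ssh_perms() {
  dir=$1; rc=0
  case "$(mode_of "$dir")" in
    d???------) ;;
    *) echo "$dir: group/world access must be off (want 700)"; rc=1 ;;
  esac
  for f in "$dir/authorized_keys" "$dir/config" "$dir/id_rsa" "$dir/id_ed25519"; do
    [ -e "$f" ] || continue
    case "$(mode_of "$f")" in
      -??-------) ;;
      *) echo "$f: must be readable by the owner only (want 600)"; rc=1 ;;
    esac
  done
  return $rc
}
```

To use it from the Jenkins side, pipe the script followed by a call such as `add_authorized_key "$HOME/.ssh" '<public key line>'` into `ssh user_name@server_address sh -s`; for the common case ssh-copy-id does the same job. Running `audit_ssh_perms "$HOME/.ssh"` on the server is the quickest first check when Issue 2 shows up.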
