
Setting up ssh without a password.

Yeah it's bad, lots of info on the newsgroups as to why it's bad, but for us, it's about stopping passwords going across in clear text. This is the level of security that we require. I don't recommend you do this, there are security issues, and you shouldn't do such things without understanding the security implications.

ssh-keygen -t rsa -f ~/.ssh/id_rsa -N ""
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys2
copy ~/.ssh/authorized_keys2 to the other machine (just cat it onto the end of the remote ~/.ssh/authorized_keys2). Current OpenSSH reads ~/.ssh/authorized_keys first and authorized_keys2 only for compatibility, and with "StrictModes yes" (as in the sshd_config below) the key is ignored if the home directory, ~/.ssh or the keys file is group- or world-writable.
Also check /etc/ssh/ssh_config, basically look for "PubkeyAuthentication yes" (and in sshd_config). Also useful is ssh -v, and "LogLevel DEBUG" in sshd_config.

Use the following files at your own risk, you may open up security holes.

My /etc/ssh/ssh_config (nothing exciting here)

[cameron@jack cameron]$ cat /etc/ssh/ssh_config
#	$OpenBSD: ssh_config,v 1.9 2001/03/10 12:53:51 deraadt Exp $

# This is ssh client systemwide configuration file.  See ssh(1) for more
# information.  This file provides defaults for users, and the values can
# be changed in per-user configuration files or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for various options

# Host *
#   ForwardAgent no
#   ForwardX11 no
#   RhostsAuthentication no
#   RhostsRSAAuthentication yes
#   RSAAuthentication yes

My /etc/ssh/sshd_config

#	$OpenBSD: sshd_config,v 1.38 2001/04/15 21:41:29 deraadt Exp $

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# This is the sshd server system-wide configuration file.  See sshd(8)
# for more information.

Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::
HostKey /etc/ssh/ssh_host_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin no
#
# Don't read ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
StrictModes yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd yes
#PrintLastLog no
KeepAlive yes

# Logging
SyslogFacility AUTHPRIV
LogLevel INFO
#obsoletes QuietMode and FascistLogging

RhostsAuthentication no
#
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
#
RSAAuthentication yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no

# Uncomment to disable s/key passwords 
#ChallengeResponseAuthentication no

# Uncomment to enable PAM keyboard-interactive authentication 
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt yes

# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no

# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes

#CheckMail yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net
#ReverseMappingCheck yes

Subsystem	sftp	/usr/libexec/openssh/sftp-server

If you change this file you should run /etc/rc.d/init.d/sshd restart. Also check your firewall to make sure that ssh is allowed.
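An added check (this example is mine, not the page's): a small shell audit that reads an sshd_config the way sshd does (first uncommented match wins, nothing after a Match line counts) and reports the settings the text above tells you to look at. Function names and the sample config excerpt are this example's own; the keywords are standard sshd_config options.

```shell
#!/bin/sh
# Added example, not from the page: audit an sshd_config for the settings the
# text above says to check. Function names and the sample file are this
# example's own; the keywords are standard OpenSSH sshd_config options.
# sshd takes the FIRST uncommented occurrence of a keyword and ignores later
# duplicates; keywords are case-insensitive and may be "key value" or
# "key=value". Anything after a "Match" line is conditional, so stop there.
sshd_value() {  # $1 = keyword, $2 = file; prints the value, empty if unset
    awk -F '[ \t=]+' -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        { sub(/^[ \t]+/, "") }
        /^#/ || NF < 2         { next }
        tolower($1) == "match" { exit }
        tolower($1) == key     { print $2; exit }
    ' "$2"
}
# One line per finding on stdout; the return code is the number of findings.
# Defaults used for unset keywords are those of sshd_config(5).
audit_sshd() {  # $1 = file
    n=0
    v=$(sshd_value PubkeyAuthentication "$1"); v=${v:-yes}
    [ "$v" = yes ] || { echo "PubkeyAuthentication $v: key logins are off"; n=$((n+1)); }
    v=$(sshd_value PasswordAuthentication "$1"); v=${v:-yes}
    [ "$v" = no ] || { echo "PasswordAuthentication $v: passwords still accepted"; n=$((n+1)); }
    v=$(sshd_value ChallengeResponseAuthentication "$1"); v=${v:-yes}
    [ "$v" = no ] || { echo "ChallengeResponseAuthentication $v: keyboard-interactive passwords still accepted"; n=$((n+1)); }
    v=$(sshd_value PermitEmptyPasswords "$1"); v=${v:-no}
    [ "$v" = no ] || { echo "PermitEmptyPasswords $v: empty passwords accepted"; n=$((n+1)); }
    v=$(sshd_value PermitRootLogin "$1"); v=${v:-yes}
    case "$v" in no|prohibit-password|without-password) ;;
        *) echo "PermitRootLogin $v: root can log in directly"; n=$((n+1));; esac
    return "$n"
}
# Constructed excerpt modelled on the page's sshd_config; the second
# PasswordAuthentication line is deliberately ignored by sshd (first wins).
sample_config() {
    cat <<'EOF'
Port 22
#Protocol 2,1
PermitRootLogin no
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no
#ChallengeResponseAuthentication no
PasswordAuthentication = no
EOF
}
if [ $# -eq 1 ]; then audit_sshd "$1"; fi   # e.g. sh audit.sh /etc/ssh/sshd_config
```

Run against the page's own file it reports the two password paths left open (PasswordAuthentication yes and the default ChallengeResponseAuthentication), which is what "stopping passwords going across" actually requires turning off.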

faster ssh
When doing scp or ssh, you can use the -C command line option to speed up commands and copies. The cool thing is that you can run this for a normal shell, so if you do:

[cameron@tiger cameron]$ ssh -C machine.host.com
Then the connection will actually run faster (and, as a side effect, is actually slightly more secure).

Slow login? Disable DNS lookups on the server, in /etc/ssh/sshd_config:

UseDNS no

SSH tunnel with compression

 ssh -C2qTnN -L 192.168.0.14:143:localhost:143 remoteuser@remotehost.bloke.com

This binds port 143 on the local address 192.168.0.14 and forwards it through the SSH session to port 143 (IMAP) on remotehost itself. The -L spec is bind_address:port:host:hostport, so the host field between the two 143s must not be left empty. -C compresses, -2 forces protocol 2, -q is quiet, -T allocates no tty, -n takes stdin from /dev/null and -N runs no remote command (tunnel only).

ssh tunnel to access to machine behind a firewall

Say that you have a machine that is behind a firewall, and that you want to be able to access it from the internet. Given that you already have a machine on the internet, "publicmachine", you can run the following on the machine behind the firewall, "privatemachine":
ssh -R 10044:localhost:22 user@publicmachine
Then, once you are logged into "publicmachine", any time you want to connect to the private machine you run:
ssh -p 10044 -l whateveruser localhost
where "whateveruser" is a user on the private machine.

Note that what I do is set up an authorized key, and run it through a loop like this:

# reconnect whenever the session drops; the remote "echo connected; sleep 10000"
# keeps the session (and with it the -R listener) open without needing a tty
while true; do
  ssh -R 10044:localhost:22 user@publicmachine echo connected\;  sleep 10000
  sleep 1
done

Access to some other server behind a firewall

Say you are logged onto machine X which is behind a firewall, and machine X has access to some other machine (e.g. the router, or port 80 on some other machine), and you want to be able to access that other machine Y from the internet. Then, on machine X, run the following, where "publicmachine" is a machine on the internet and "user" is a user on that machine (that you know the password to):
ssh -R 10080:Y:80 user@publicmachine
Now when you connect to port 10080 on "publicmachine" it will connect you to port 80 on machine "Y". (By default sshd binds a -R listener to publicmachine's loopback address only; reaching it from elsewhere on the internet needs "GatewayPorts yes" in publicmachine's sshd_config.)
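A sturdier form of the reconnect loop above, covering both the sshd (10044) and the port-80-on-Y (10080) cases, as an added example that is mine and not from the page. "user", "publicmachine", "Y" and the port numbers are the page's placeholders; the function names and RETRY_DELAY are this example's own, and the options used are standard OpenSSH client options.

```shell
#!/bin/sh
# Added example, not from the page: a sturdier version of the reconnect loop
# above, usable for both the sshd (10044) and the port-80-on-Y (10080)
# cases. "user", "publicmachine", "Y" and the ports are the page's
# placeholders; the function names and RETRY_DELAY are this example's own.
RETRY_DELAY=${RETRY_DELAY:-5}   # seconds between reconnect attempts

# One session. Compared with "ssh -R ... echo connected; sleep 10000":
#   -N                        carry only the forward, no remote command
#   BatchMode=yes             never stop at a password prompt when unattended
#   ExitOnForwardFailure=yes  exit if the remote port is already taken instead
#                             of quietly running without the listener
#   ServerAlive*              notice a dead link in ~90 s instead of hanging
run_tunnel() {  # $1 = "remoteport:host:port" as for -R, $2 = user@publicmachine
    ssh -N \
        -o BatchMode=yes \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 \
        -o ServerAliveCountMax=3 \
        -R "$1" "$2"
}

# Reconnect whenever the session ends. $3 = attempt limit, 0 (default) = forever.
# Returns 1 once the limit is reached.
keep_tunnel() {
    max=${3:-0}; tries=0
    while [ "$max" -eq 0 ] || [ "$tries" -lt "$max" ]; do
        tries=$((tries + 1))
        if run_tunnel "$1" "$2"; then
            echo "tunnel $1 closed cleanly, reconnecting" >&2
        else
            echo "tunnel $1 attempt $tries exited with status $?, retrying in ${RETRY_DELAY}s" >&2
        fi
        sleep "$RETRY_DELAY"
    done
    echo "giving up on tunnel $1 after $tries attempts" >&2
    return 1
}

# On publicmachine, give this loop its own key and start its authorized_keys
# line with  restrict,port-forwarding,permitlisten="10044"  so that key can do
# nothing except open this one listener (OpenSSH 7.8 or later).
#   keep_tunnel 10044:localhost:22 user@publicmachine   # reach this box's sshd
#   keep_tunnel 10080:Y:80 user@publicmachine           # reach port 80 on Y
if [ $# -ge 2 ]; then keep_tunnel "$@"; fi
```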

Last Change: Saturday, 16-Jan-2010 08:25:17 EST

Disclaimer

The information provided within these pages is provided AS IS, and without any warranty. Following these directions may (but not limited to) crash your computer, delete all the information on your hard disk, open up security holes or cause your house to burn down. I made these pages to provide some information about the setup that I have done, but I did not proofread it for correctness, and in most cases did not test it. There are commands in these pages that would definitely delete or corrupt all the data on your computer (especially the dualboot section). In fact it happened to me.... So you are on your own!


Cameron Gregory