basic ssh

How to create a ssh network

basic ssh
Posted on August 23, 2011 by nadir

1) Connect

ssh server-name
ssh user@servername

At the first time it will say:
user@client:~$ ssh server
The authenticity of host ‘server (192.168.1.5)’ can’t be established.
RSA key fingerprint is b5:0e:ec:b7:16:06:e6:24:a6:39:18:58:4e:ec:3b:d1.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘server’ (RSA) to the list of known hosts.
Password:

To check the fingerprint:
ssh-keygen -f /etc/ssh/ssh_host_rsa_key.pub -l

It will be stored in
~/.ssh/known_hosts
If the key has changed (new installation…), delete it with:
ssh-keygen -R server-name
or:
ssh-keygen -R IP

2) ~/.ssh/config

for example:

host choosen-name
hostname 192.168.1.42
user username
port 2222
#ServerAliveInternal 30
ServerAliveCountMax 100
IdentityFile ~/.ssh/server_rsa

And there is no need to enter port, username or identiy file from the cli:
ssh choosen-name
with server-name being arbitrary.

It will also work for sshfs, rsync and similar programs (gftp):
sshfs choosen-name ~/TempMount

3) /etc/ssh/sshd_config

set a non standard port:
Port 2222

disable root login
PermitRootLogin no

after enabling key-authentication (step 4), disable password-authentication
PasswordAuthentication no

/etc/init.d/ssh restart
to activate the new config

4) public-key authentication

create a public key:
ssh-keygen -t rsa
best might be to give it a uniqe name, else defaults are fine.

Result is a public and a private key:
~/.ssh/to-choosen-server_rsa.pub
~/.ssh/to-choosen-sever_rsa
And the public key needs to be stored at the server:
~/.ssh/authorized_keys
For example with:
ssh-copy-id -i ~/.ssh/to-choosen-server_rsa.pub user@choosen-server

Now disable PasswordAuthentication

5) ssh commands for non standard values without a ~/.ssh/config file

ssh -p 2222 -i ~/.ssh/to-choosen-server_rsa user@choosen-server

rsync -e ‘ssh -p 2222 -i ~/.ssh/to-choosen-server_rsa’ filename user@choosen-server

sshfs user@10.232.139.234:/mnt/files /remote_files \

-o IdentityFile=/.ssh/to-choosen-server_rsa \
-o port=2222 \
-o ServerAliveInterval=60 -o allow_other

I am not that sure bout the sshfs version.

6) sftp

sftp server-name or IP
to upload files:
put filename
to download files:
get filename

 
nadir
2011-11-13

a)
create a keypair
ssh-keygen

*_rsa is private, keep it very safe
*_rsa.pub is public, copy it to the server[s] you want to access with a key-pair

b)
copy the pub-key to the server[s]
ssh-copy-id -i ~/.ssh/*_rsa.pub username@server-ip

c)
Edit the file:
/home/user/.ssh/config
as user, if in doubt search for an example file at the WWW
and
/etc/ssh/sshd_config
as root
- change the default port 22 to a port of your liking
- disable Root-login
- disable Password-authentication

d)
Copy all files to all clients and server[s]:
rsync ~/.ssh/config user@other-client-ip:/home/user/.ssh
rsync ~/.ssh/*_rsa user@other-client-ip:/home/user/.ssh
as user

as root:
rsync /etc/ssh/sshd_config root@server:/etc/passwd

e)
The moment of truth. ssh to the server, become root and run
/etc/init.d/ssh restart
exit root and logout from ssh, then reconnect via ssh.
It should read ~/.ssh/config,
connect via port non-default and
ask you for a keypassphrase instead for the user password.

If that failed, you can’t login anymore and need to attach a monitor to the server,
to troubleshoot from there.
 
   
nadir
2011-11-13

tornow.posterous.com/nother-basic-ssh