Monday, November 12

SSH Howto Tips

**X Forwarding over SSH**

To run GUI programs on a remote machine and have their windows appear on your local display, use X forwarding: connect with ssh -X user@remotecomputer and, once logged in, run the command that starts the GUI application; its window opens on the local machine. X11Forwarding must be enabled in /etc/ssh/sshd_config on the remote machine (many distributions ship it enabled).

To speed things up, -Y (trusted X11 forwarding, which skips the X security extension checks) can be used instead of -X, and -C (compression) can be added to either.
X11 forwarding also works for reaching a Windows computer through a Linux system with rdesktop (remote desktop):

e.g. #ssh -Y user@remotehost rdesktop remotecomputer

where remotehost is a Linux server and remotecomputer (the Windows PC) is reachable only through that Linux server.

**Automatic SSH login without password**

SSH is a secure replacement for rsh, with RSA public-key authentication. This section shows how to use ssh without having to type your password every time.

First, generate your public/private key pair using ssh-keygen:

#ssh-keygen - generates 'identity' and 'identity.pub' (protocol 1 keys) in the .ssh directory of your home directory.
#ssh-keygen -t rsa - generates 'id_rsa' and 'id_rsa.pub' in the .ssh directory of your home directory.

When prompted for the file name and passphrase, just press Enter to accept the defaults. Then go to the directory where the key was generated, usually ~user/.ssh/.

Second, copy the *.pub file to the .ssh directory of the remote host using scp:

[root@ron .ssh]#scp filename.pub ron1@remotehost:/home/ron1/.ssh/


On the remote host, as ron1:

#cd /home/ron1/.ssh
[root@ron1 .ssh]#touch authorized_keys
[root@ron1 .ssh]#cat filename.pub > authorized_keys

To append the key instead of overwriting the file (use this when setting up multiple access keys), type:

[root@ron1 .ssh]#cat filename.pub >> authorized_keys


Finally, try ssh without entering a password, and voila!

#ssh ron1@remotehost

or simply

#ssh remotehost

(the short form works when your local user name matches the remote one, or when a Host entry in ~/.ssh/config supplies the User).
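The key installation steps above, as an added example that is not part of the original post: a small shell function that does the same "cat filename.pub >> authorized_keys" but also sets the directory and file modes sshd checks (StrictModes is on by default, and a group- or world-writable ~/.ssh or authorized_keys makes sshd silently ignore the file) and skips a key that is already present. The sample public keys and the "remote" home directory are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Added example, not from the original post: install a public key into a
# remote user's authorized_keys the way the post describes (cat >> ...),
# plus the two checks that most often make key login silently fail.

# install_pubkey PUBFILE SSHDIR
#   Appends the key in PUBFILE to SSHDIR/authorized_keys, creating the
#   directory (mode 700) and file (mode 600) if needed: with the default
#   StrictModes yes, sshd ignores the file when either is group/world
#   writable. A key that is already present is not appended twice.
install_pubkey() {
    pubfile=$1
    sshdir=$2
    authkeys="$sshdir/authorized_keys"

    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$authkeys"
    chmod 600 "$authkeys"

    # A public key line is "<type> <base64> [comment]"; compare on the first
    # two fields so that a different comment does not count as a new key.
    keyid=$(awk '{print $1, $2}' "$pubfile")
    if awk '{print $1, $2}' "$authkeys" | grep -qxF -e "$keyid"; then
        echo "already present: $(basename "$pubfile")"
    else
        cat "$pubfile" >> "$authkeys"
        echo "installed: $(basename "$pubfile")"
    fi
}

# count_keys SSHDIR: number of key lines in authorized_keys
count_keys() {
    wc -l < "$1/authorized_keys" | tr -d ' '
}

# demo: run the post's procedure against a constructed "remote" home
# directory. The key material below is a placeholder, not a real key.
demo() {
    tmp=$(mktemp -d)
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAACONSTRUCTED1 ron@ron\n' > "$tmp/ron.pub"
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAACONSTRUCTED2 hannah@laptop\n' > "$tmp/hannah.pub"

    install_pubkey "$tmp/ron.pub"    "$tmp/ron1/.ssh" >&2
    install_pubkey "$tmp/hannah.pub" "$tmp/ron1/.ssh" >&2
    install_pubkey "$tmp/ron.pub"    "$tmp/ron1/.ssh" >&2   # skipped: duplicate

    count_keys "$tmp/ron1/.ssh"      # prints 2
    rm -rf "$tmp"
}

demo
```

On a real host you would run install_pubkey as the remote user with SSHDIR set to ~/.ssh; the permission fix is the first thing to check when key login still prompts for a password.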

**Running Commands Over SSH**

Sometimes you don't really want to run a shell like Bash on the host you are connecting to; maybe you just want to run one command and exit. This is easy to accomplish by putting the command you wish to run at the end of your ssh command line.

#ssh user@remotehost ls -l /home

#ssh user@remotehost less /etc/hosts.allow


**Keeping your SSH session alive**

Keeping an idle SSH session up is sometimes a problem: the connection dies after some number of minutes of inactivity. Usually this happens because a firewall or NAT device between you and the remote host drops idle connections from its state table.

Fortunately, recent versions of OpenSSH can send periodic keepalive messages. These are client options, so they belong in your ssh client configuration (~/.ssh/config for one user, or /etc/ssh/ssh_config system-wide), not in sshd_config:

Host *
Protocol 2
TCPKeepAlive yes
ServerAliveInterval 60

ServerAliveInterval 60 makes the client send a keepalive through the encrypted channel after 60 seconds without traffic, which keeps the connection in the firewall's state table. If you administer the server instead, the equivalent server-side option is ClientAliveInterval in sshd_config.

**Allow only specific users to log in via SSH**

You should not permit root logins via SSH; this is a large and unnecessary security risk. If an attacker obtains a root login to your system, he can do far more damage than with a normal user login. Configure the SSH server so that root is not allowed to log in: in sshd_config, find the line that says:

PermitRootLogin yes

Change yes to no and restart the service. You can then log in as any defined user and switch to root with su if you need superuser rights.

It is wise to create a dedicated local user with no rights on the system beyond logging in, and use that user for SSH. That way little harm can be done if the account is compromised. You can also specify exactly which users are allowed in by editing your sshd_config file.

At the end of the sshd_config file I would add a line like this (sshd uses the first value it finds for each keyword, so make sure there is no earlier AllowUsers line):

AllowUsers ron hannah jean
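An added example, not from the original post, that checks the two settings above the way sshd reads them. sshd_config(5) states that for each keyword "the first obtained value will be used", so a "PermitRootLogin no" appended at the end of the file does nothing if a "PermitRootLogin yes" is still present above it. The script reports that case. Assumed simplifications: only the "Keyword value" form is parsed (not "Keyword=value"), and everything after the first Match line is ignored because those settings are conditional. The sshd_config it runs on is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the original post: read an sshd_config the way
# sshd does and report on PermitRootLogin and AllowUsers. Assumed
# simplifications: only the "Keyword value" form is parsed, and lines after
# the first Match block are skipped since they are conditional.

# sshd_effective KEYWORD FILE
#   Prints the value sshd will use for KEYWORD: the first uncommented
#   occurrence in FILE (sshd_config(5): "the first obtained value will be
#   used"), so a line appended at the end does not override an earlier one.
sshd_effective() {
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[ \t]*#/ { next }                        # comment line
        NF == 0    { next }                        # blank line
        tolower($1) == "match" { inmatch = 1 }     # conditional block starts
        inmatch    { next }
        tolower($1) == key {
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")        # drop the keyword itself
            print; exit
        }
    ' "$2"
}

# audit_sshd FILE: prints one line per check; returns 1 if anything is wrong
audit_sshd() {
    f=$1
    rc=0
    prl=$(sshd_effective PermitRootLogin "$f" | tr 'A-Z' 'a-z')
    case "$prl" in
        yes) echo "FAIL PermitRootLogin is yes (root may log in directly)"; rc=1 ;;
        "")  echo "WARN PermitRootLogin not set; older sshd versions default to yes"; rc=1 ;;
        *)   echo "ok   PermitRootLogin $prl" ;;
    esac
    au=$(sshd_effective AllowUsers "$f")
    if [ -z "$au" ]; then
        echo "WARN no AllowUsers line: every local account may log in"; rc=1
    else
        echo "ok   AllowUsers $au"
    fi
    return $rc
}

# demo: a constructed sshd_config that looks fixed but is not, because the
# "PermitRootLogin no" was appended after an existing "PermitRootLogin yes".
demo() {
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
# constructed sample sshd_config
Port 22
PermitRootLogin yes
X11Forwarding yes
AllowUsers ron hannah jean
PermitRootLogin no
EOF
    audit_sshd "$cfg" || echo "=> sshd_config needs attention"
    rm -f "$cfg"
}

demo
```

Run audit_sshd /etc/ssh/sshd_config after editing and before restarting the service; a FAIL on PermitRootLogin after you added "PermitRootLogin no" at the bottom means the earlier line is still winning.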

**Allowing only specific hosts using TCP wrappers**

You may want to allow only specific hosts on a network to connect to your SSH service, without touching your iptables configuration. Instead, you can use TCP wrappers, in this case the sshd TCP wrapper.

TCP wrappers first look in /etc/hosts.allow for a rule that permits the client to use the service; if none matches, they look in /etc/hosts.deny for a rule that refuses it, and if neither file matches, access is granted. Edit your /etc/hosts.deny using your favorite editor. For me, it is always vi.

#vi /etc/hosts.deny
sshd: ALL

This means that, unless a rule in hosts.allow matches, all hosts are refused access to the SSH service. This line is needed: without it, any host not listed in hosts.allow would still be let in, because TCP wrappers grant access when neither file matches.

Next, create a rule in /etc/hosts.allow to allow only specific hosts to use the SSH service, say the local subnet 192.168.1.0/24 or the single address 192.100.1.2. Only the hosts specified below can access the ssh service. Note the trailing dot on 192.168.1., which makes it a network prefix; without the dot the string is compared literally and matches nothing.

#vi /etc/hosts.allow then add:
sshd: 192.168.1. 192.100.1.2

All other hosts are disconnected before they even get to the login prompt, and receive an error like this:

ssh_exchange_identification: Connection closed by remote host
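The rule evaluation described in this section, as an added example that is neither from the original post nor from the tcp_wrappers code: a small evaluator that applies a hosts.allow/hosts.deny pair to a client address in the order libwrap uses (allow file first, then deny file, otherwise allow), so a rule set can be checked before it is put in place. Assumed simplifications: IPv4 addresses only, and only the pattern forms used above (ALL, an exact address, and a prefix ending in "."). The two files in the demo are constructed copies of the ones above.

```shell
#!/bin/sh
# Added example, not from the original post or from tcp_wrappers: apply
# hosts.allow/hosts.deny rules to a client address in libwrap's order.
# Assumed simplifications: IPv4 only; pattern forms ALL, exact address,
# and a network prefix ending in "." (as in hosts_access(5)).

# pattern_matches PATTERN IP
pattern_matches() {
    case "$1" in
        ALL) return 0 ;;
        *.)  case "$2" in "$1"*) return 0 ;; esac ;;   # 192.168.1. matches 192.168.1.x
        *)   if [ "$1" = "$2" ]; then return 0; fi ;;  # no trailing dot: exact match only
    esac
    return 1
}

# file_matches FILE DAEMON IP
#   True if some "daemon_list : client_list" line in FILE covers the pair.
#   Comment and blank lines are ignored; list items may be comma separated.
file_matches() {
    [ -r "$1" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|\#*) continue ;; esac
        daemons=${line%%:*}
        clients=${line#*:}
        found=1
        for d in $daemons; do
            d=${d%,}
            if [ "$d" = "ALL" ] || [ "$d" = "$2" ]; then found=0; break; fi
        done
        [ "$found" -eq 0 ] || continue
        for c in $clients; do
            if pattern_matches "${c%,}" "$3"; then return 0; fi
        done
    done < "$1"
    return 1
}

# hosts_access DAEMON IP ALLOWFILE DENYFILE -> prints "allow" or "deny"
#   hosts_access(5): a match in hosts.allow grants access; otherwise a match
#   in hosts.deny refuses it; otherwise access is granted.
hosts_access() {
    if file_matches "$3" "$1" "$2"; then echo allow
    elif file_matches "$4" "$1" "$2"; then echo deny
    else echo allow
    fi
}

# demo: the two files from this section, written to a temp dir (constructed)
demo() {
    tmp=$(mktemp -d)
    printf 'sshd: ALL\n' > "$tmp/hosts.deny"
    printf 'sshd: 192.168.1. 192.100.1.2\n' > "$tmp/hosts.allow"
    for ip in 192.168.1.7 192.100.1.2 192.100.1.3 10.0.0.5; do
        echo "sshd from $ip: $(hosts_access sshd "$ip" "$tmp/hosts.allow" "$tmp/hosts.deny")"
    done
    # Without the trailing dot the prefix is taken literally and matches nothing.
    printf 'sshd: 192.168.1\n' > "$tmp/hosts.allow"
    echo "sshd from 192.168.1.7 with 'sshd: 192.168.1': $(hosts_access sshd 192.168.1.7 "$tmp/hosts.allow" "$tmp/hosts.deny")"
    rm -rf "$tmp"
}

demo
```

The last line of the demo output is the case to watch for: with "sshd: 192.168.1" (no dot) every host on the subnet is refused, because the deny rule "sshd: ALL" is the only thing that matches. The real tcpd also matches on host names and supports net/mask forms, which this evaluator leaves out.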

