
Secure Shell (SSH)

How to disable password authentication in SSH

SSH servers accept password logins by default. Once public key authentication is working for you, disable passwords with these steps:

  1. Set PasswordAuthentication to no in /etc/ssh/sshd_config

    PasswordAuthentication no
  2. Reload or restart SSH

Keep your current session open and confirm from a second terminal that key-based login works before you reload; a mistake here locks you out. Two details are easy to miss. With UsePAM yes, the keyboard-interactive method can still accept a password, so set KbdInteractiveAuthentication no as well (the option was called ChallengeResponseAuthentication before OpenSSH 8.7). And sshd keeps the first value it reads for an option: on systems whose sshd_config starts with an Include of /etc/ssh/sshd_config.d/*.conf (Ubuntu 22.04, for example), a drop-in file there that says PasswordAuthentication yes (cloud-init installs one on Ubuntu cloud images) wins over the line in the main file. Check the effective value with sshd -T | grep -i passwordauthentication.

How to disable root login in SSH

Many SSH servers are configured to refuse direct root logins, mainly for security and audit reasons: every administrator then logs in under a personal account and elevates with sudo, so actions remain attributable to a person. You can disallow root login to your server with these steps:

  1. Set PermitRootLogin to no in /etc/ssh/sshd_config

    PermitRootLogin no
  2. Reload or restart SSH

Since OpenSSH 7.0 the default is prohibit-password, which still lets root in with a key but never with a password; set no if root logins should be refused altogether. Confirm the running value with sshd -T | grep -i permitrootlogin.
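The two procedures above, the password and the root-login change, are the same edit applied to different keywords, and the UseDNS change further down this page is a third instance. The following script is an added example, not code from the original page: it sets any single-valued sshd_config option the way a configuration-management script would, honouring the first-value-wins rule (the directive is placed ahead of any Include or Match line), then reports the value sshd will actually use and hands the file to sshd -t. Port is additive and is deliberately not handled. The functions, the constructed sample configuration and the scratch-file demo are all mine; the config path is a parameter so nothing under /etc is touched.

```shell
#!/bin/sh
# Added example, not code from the original page. Sets a single-valued
# sshd_config option (PasswordAuthentication, PermitRootLogin,
# KbdInteractiveAuthentication, UseDNS, ...) and reports the effective value.
# Assumes POSIX sh and awk; the config path is a parameter.

# set_sshd_option FILE KEYWORD VALUE
# sshd keeps the first value it reads for an option, so the directive is
# placed before the first active Include or Match line (otherwise a drop-in
# under sshd_config.d could win), or replaces the first global mention,
# commented or not. Other global mentions are dropped; lines inside Match
# blocks are left alone because they are conditional.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    awk -v key="$key" -v value="$value" '
        function emit() { if (!done) { print key " " value; done = 1 } }
        BEGIN { lkey = tolower(key) }
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)        # strip indent and comment marker
            split(line, f, /[ \t=]+/)               # "Key value" or "Key=value"
            word = tolower(f[1])                    # keywords are case-insensitive
            active = ($0 !~ /^[ \t]*#/)
            if (active && word == "match") inmatch = 1
            if (active && (word == "include" || word == "match")) emit()
            if (!inmatch && word == lkey) { emit(); next }
            print
        }
        END { emit() }
    ' "$file" > "$tmp" && cat "$tmp" > "$file" && rm -f "$tmp"
}

# get_sshd_option FILE KEYWORD
# First active global value, which is what sshd uses. Does not follow
# Include; on a live host `sshd -T | grep -i keyword` prints the effective
# value after includes and built-in defaults.
get_sshd_option() {
    lkey=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    awk -v lkey="$lkey" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line ~ /^(#|$)/) next
            split(line, f, /[ \t=]+/)
            word = tolower(f[1])
            if (word == "match") exit               # values past here are conditional
            if (word == lkey) { print f[2]; exit }
        }
    ' "$1"
}

# check_sshd_config FILE: let the daemon parse the result before you reload;
# a syntax error stops sshd and every new login with it.
check_sshd_config() {
    sshd_bin=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    [ -x "$sshd_bin" ] || { echo "sshd not installed here; skipping -t check" >&2; return 0; }
    "$sshd_bin" -t -f "$1"
}

# Demonstration on a scratch copy; nothing under /etc is touched.
demo_sshd_hardening() {
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
# Constructed sample resembling a stock Ubuntu sshd_config (not a real file)
Include /etc/ssh/sshd_config.d/*.conf
#PasswordAuthentication yes
PermitRootLogin yes
Match User backup
    PasswordAuthentication yes
EOF
    set_sshd_option "$cfg" PasswordAuthentication no
    set_sshd_option "$cfg" KbdInteractiveAuthentication no
    set_sshd_option "$cfg" PermitRootLogin no
    set_sshd_option "$cfg" UseDNS no
    echo "--- resulting file ---"; cat "$cfg"
    echo "--- effective PermitRootLogin: $(get_sshd_option "$cfg" PermitRootLogin)"
    check_sshd_config "$cfg" || echo "sshd -t rejected the file; run it as root on the real config" >&2
    rm -f "$cfg"
}
demo_sshd_hardening
```

Run it on a copy of your real file (cp /etc/ssh/sshd_config /tmp/sshd_config, then set_sshd_option /tmp/sshd_config PasswordAuthentication no) and diff the result before copying it back; the Match-scoped PasswordAuthentication yes for the backup user in the sample survives untouched, which is what you want when a single account is deliberately exempt.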

How to configure passwordless SSH login

You can log in to an SSH server without typing a password by using public key authentication:

  1. Generate an SSH key pair. Leaving the passphrase empty gives a prompt-free login, but it also leaves the private key readable in clear by anyone who obtains the file; protecting the key with a passphrase and loading it once per session into ssh-agent with ssh-add gives the same prompt-free experience

  2. Make sure public key authentication is enabled on the target server (PubkeyAuthentication yes, which is the default)

  3. Copy your SSH public key to the server, for example with ssh-copy-id, which appends it to ~/.ssh/authorized_keys and sets the permissions sshd requires (700 on ~/.ssh, 600 on the file)

You will no longer be prompted for a password the next time you log in to the server. If you still are, run ssh -v and check the server's authentication log; a "bad ownership or modes" message there means the directory or file permissions are wrong and sshd is ignoring the key.
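The client-side half of the procedure above, as an added example that is not code from the original page: it generates an Ed25519 key protected by a passphrase, installs the public key into an account's authorized_keys with the permissions sshd insists on (the server-side work that ssh-copy-id does for you), and shows the ssh-agent step that makes later logins prompt-free without an unencrypted private key on disk. The functions, the placeholder key string and the scratch "server home" are mine; it assumes OpenSSH's ssh-keygen, ssh-agent and ssh-add are installed and takes every path as a parameter.

```shell
#!/bin/sh
# Added example, not code from the original page: generate a passphrase-
# protected key, install its public half the way ssh-copy-id would, and load
# it into ssh-agent. Assumes OpenSSH client tools; all paths are parameters.

# make_client_key KEYFILE PASSPHRASE COMMENT
make_client_key() {
    ssh-keygen -q -t ed25519 -f "$1" -N "$2" -C "$3"
}

# install_authorized_key HOME_DIR PUBKEY_LINE
# With StrictModes (the default) sshd ignores authorized_keys if ~/.ssh or the
# file is writable by anyone but the owner, so the chmods matter as much as
# the append. Idempotent: the same key type + blob is not added twice even if
# its comment differs. Lines carrying options such as "from=..." are compared
# as written, so they count as distinct entries.
install_authorized_key() {
    home=$1; pub=$2
    dir="$home/.ssh"; auth="$dir/authorized_keys"
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$auth" && chmod 600 "$auth"
    blob=$(printf '%s\n' "$pub" | awk '{ print $1, $2 }')
    if ! awk -v b="$blob" '($1 " " $2) == b { found = 1 } END { exit !found }' "$auth"; then
        printf '%s\n' "$pub" >> "$auth"
    fi
}

# count_authorized_keys HOME_DIR: installed key lines, comments and blanks excluded
count_authorized_keys() {
    grep -c -v -E '^[[:space:]]*(#|$)' "$1/.ssh/authorized_keys"
}

# authorized_keys_mode HOME_DIR: permission string, expected -rw-------
authorized_keys_mode() {
    ls -ld "$1/.ssh/authorized_keys" | cut -c1-10
}

# load_key_into_agent KEYFILE: once per login session. ssh-add asks for the
# passphrase a single time; every ssh after that uses the agent silently.
load_key_into_agent() {
    [ -n "$SSH_AUTH_SOCK" ] || eval "$(ssh-agent -s)" >/dev/null
    ssh-add "$1"
}

# Walk-through against a scratch "server home". Against a real server the
# equivalent of the install step is:  ssh-copy-id -i ~/.ssh/id_ed25519.pub user@server
demo_passwordless_login() {
    work=$(mktemp -d)
    if command -v ssh-keygen >/dev/null 2>&1; then
        make_client_key "$work/id_ed25519" "correct horse battery staple" "user@laptop"
        pub=$(cat "$work/id_ed25519.pub")
    else
        # constructed placeholder so the rest still runs; not a real key
        pub='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderPlaceholderPlaceholderPlaceh user@laptop'
    fi
    install_authorized_key "$work/server-home" "$pub"
    install_authorized_key "$work/server-home" "$pub"     # second call is a no-op
    echo "keys installed: $(count_authorized_keys "$work/server-home")"
    echo "authorized_keys mode: $(authorized_keys_mode "$work/server-home")"
    rm -rf "$work"
}
demo_passwordless_login
```

The design point is the split between the two halves: the passphrase protects the key at rest, the agent holds the decrypted key in memory for the session, and the server never sees either; it only ever receives the public key and a signature.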

How to generate SSH keypair

You can easily create an SSH key pair by using ssh-keygen as in the following example.

$ ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
1a:6c:a4:94:df:e0:19:ec:85:b0:3f:27:e4:a1:de:65 [email protected]
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|   .             |
|    o E          |
|     O o         |
|    c @ S        |
|   o A @         |
|    . E .        |
|   . =           |
|    .            |
+-----------------+

A few things to note:

  1. The defaults shown above come from an older OpenSSH release. OpenSSH 8.0 raised the default RSA size to 3072 bits, and since OpenSSH 9.5 ssh-keygen generates Ed25519 keys by default. Choose the type explicitly with the -t option; ed25519 is the recommended choice on any current system, and rsa (with -b 3072 or larger) only where an old server does not support it. Older releases list these types

    dsa ecdsa ed25519 rsa rsa1

    of which rsa1 (protocol 1) was removed in OpenSSH 7.6 and dsa keys have been refused by default since OpenSSH 7.0
  2. The private key is stored in ~/.ssh/id_rsa (id_ed25519 for an Ed25519 key) and the public key in ~/.ssh/id_rsa.pub (id_ed25519.pub). Specify another location when prompted, or with -f, if you already have a key pair at the default location; ssh-keygen asks before overwriting an existing file
  3. You can set a passphrase when prompted. Without one the private key sits unencrypted on disk. A passphrase-protected key still gives prompt-free logins once it is loaded into ssh-agent with ssh-add, so the passphrase is worth keeping even for "passwordless" use

How to run SSH on multiple ports

You can make your SSH server listen on multiple ports by adding more than one Port line to the sshd configuration file. Port is additive, unlike most options, for which sshd keeps only the first value it reads.

For example, these lines in /etc/ssh/sshd_config make the SSH server listen on both port 22 and 2222.

Port 22
Port 2222

Restart (or reload) the SSH service after the change; the machine itself does not need rebooting. Also open the new port in the host firewall, and on RHEL/CentOS/Fedora with SELinux enforcing, label it first with semanage port (type ssh_port_t) or sshd will be denied the bind. If you use ListenAddress lines, give each of them the port as well, because Port only applies to ListenAddress entries that do not name one. On Ubuntu 22.10 and later sshd is socket-activated by systemd and the listening ports come from ssh.socket (systemctl edit ssh.socket), not from sshd_config.

How to restart SSH service

Run sudo sshd -t first: a configuration file that does not parse stops the daemon, and with it every new login. Where a reload is offered, prefer it over a restart; it re-reads the configuration without restarting the listener.

Ubuntu 15.04 and later, RedHat/CentOS 7 and later, Fedora and other platforms with systemd

sudo systemctl restart sshd.service

(On Debian and Ubuntu the unit is ssh.service; sshd.service works there as an alias.)

Older platforms with System V init scripts

sudo /etc/init.d/sshd restart

(The script is named ssh, not sshd, on Debian and Ubuntu.)

Platforms with the service command, normally a wrapper around the System V init scripts or systemctl

sudo service ssh restart

How to fix Remote Host Identification Has Changed error in SSH

SSH records the host key of every server you connect to in ~/.ssh/known_hosts and compares it on every later connection. You get the following warning if the key the server presents differs from the one recorded:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!  @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
11:5b:16:56:a5:cd:9b:1e:11:aa:2b:1c:a2:91:cd:a2.
Please contact your system administrator.
Add correct host key in /home/user/.ssh/known_hosts to get rid of this message.
Offending key in /home/user/.ssh/known_hosts:1
RSA host key for docs.oseems.com has changed and you have requested strict checking.
Host key verification failed.

There are two legitimate explanations: the server's host key really changed (a reinstall, a key rotation, a different machine now answering to the same name or address), or something between you and the server is impersonating it. Do not disable the check (StrictHostKeyChecking no) to make the message go away; that switches off the one defence SSH has against the second case. Instead, confirm the new fingerprint through a channel you already trust (the console, the provider's dashboard, or the administrator reading it off the server with ssh-keygen -l on /etc/ssh/ssh_host_*_key.pub), then remove the stale entry, either with ssh-keygen -R hostname or by deleting the line number the warning names, and reconnect so the verified key is recorded.

The check exists for a reason. Proceed only when you know exactly why the key changed.
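The careful version of that fix, as an added example that is not code from the original page: it pulls the line number out of the warning text, deletes only that entry from known_hosts, refuses a malformed line number, and lists the recorded fingerprints in the same form the administrator reads off the server, so the two can be compared before the new key is trusted. The functions, the constructed known_hosts lines and the constructed warning text are mine; docs.example and the other names are placeholders, and ssh-keygen is assumed for the fingerprint helper only.

```shell
#!/bin/sh
# Added example, not code from the original page: handle "REMOTE HOST
# IDENTIFICATION HAS CHANGED" by removing one stale known_hosts entry and
# comparing fingerprints, instead of disabling the check. Assumes OpenSSH's
# ssh-keygen for known_hosts_fingerprints; the known_hosts path is a parameter.

# offending_line WARNING_TEXT
# Pull N out of "Offending key in /path/known_hosts:N" (newer releases print
# "Offending ECDSA key in ..." and so on; the line number is still last).
offending_line() {
    printf '%s\n' "$1" | sed -n 's/^Offending .*:\([0-9][0-9]*\)$/\1/p' | head -n 1
}

# forget_host_key KNOWN_HOSTS LINE_NO: delete exactly that line and nothing else.
# For hashed entries (HashKnownHosts yes), or to drop every key for a name,
# OpenSSH's own tool does the same job:  ssh-keygen -f KNOWN_HOSTS -R host
forget_host_key() {
    file=$1; n=$2
    case $n in ''|*[!0-9]*) echo "bad line number: '$n'" >&2; return 1 ;; esac
    tmp="$file.tmp.$$"
    sed "${n}d" "$file" > "$tmp" && cat "$tmp" > "$file" && rm -f "$tmp"
}

# known_hosts_fingerprints KNOWN_HOSTS: "host SHA256:..." per entry, the form
# to set against what the administrator reads on the server with
#   ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub
known_hosts_fingerprints() {
    ssh-keygen -lf "$1" | awk '{ print $3, $2 }'
}

demo_host_key_change() {
    kh=$(mktemp)
    # constructed known_hosts content and warning text; none of these hosts exist
    printf '%s\n' \
        'a.example ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyOneConstructedKeyOneConstruc' \
        'docs.example ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedOldKey' \
        'c.example ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyThreeConstructedKeyThreeCons' > "$kh"
    warning='@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
Offending key in /home/user/.ssh/known_hosts:2
RSA host key for docs.example has changed and you have requested strict checking.
Host key verification failed.'
    n=$(offending_line "$warning")
    echo "stale entry is line $n: $(sed -n "${n}p" "$kh")"
    forget_host_key "$kh" "$n"
    echo "remaining entries: $(grep -c '' "$kh")"
    # Next step on a real host: ssh docs.example, accept the key only if the
    # fingerprint it shows equals the one confirmed out of band, then compare
    # known_hosts_fingerprints "$kh" with the server's ssh-keygen -l output.
    rm -f "$kh"
}
demo_host_key_change
```

Deleting by the line number from the warning rather than by hostname is deliberate: a name can have several entries (one per key type, plus address-keyed ones), and the warning identifies exactly the one that mismatched, so nothing else is discarded. ssh-keygen -R is the right tool once HashKnownHosts hides the names.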

How to enable X11 forwarding in SSH

X11 forwarding runs graphical (X11) programs on the remote machine and displays their windows on your local X server. The purpose is similar to VNC, though the mechanism is very different: only the X protocol is tunnelled, inside the SSH connection.

To use it, add the -X option when running SSH. Below is a sample SSH command.

ssh -X [email protected]

Then start the program by name in the remote shell and its window should appear on your desktop.

If it fails, set this option in the remote machine's /etc/ssh/sshd_config and restart the SSH service. The xauth program must also be installed on the remote machine, or sshd silently skips the forwarding:

X11Forwarding yes

If it still does not work, set this option in your local machine's /etc/ssh/ssh_config (or in ~/.ssh/config), or keep passing -X:

ForwardX11 yes

If you get a permission error, the often-repeated advice is to run the following command in your local terminal:

xhost +

Avoid that. xhost + disables access control on your local X server entirely, so any process that can reach the display (including other users on a shared machine) can read your keystrokes and screen. SSH already installs its own xauth cookie for the forwarded display, so xhost is not needed for forwarding to work; if a program fails with an authorization or BadAccess error under -X, try -Y (trusted forwarding, ForwardX11Trusted yes), which is still limited to the SSH session, rather than opening the display to everyone.

How to disable DNS lookup and speed up login in SSH

sshd can be configured to perform a reverse DNS lookup of the client's address on every connection and then check that the name resolves back to the same address. When the reverse zone is missing or the resolver is slow, each login waits for the lookup to time out, which can add many seconds. The option is UseDNS, described in sshd_config(5) as:

UseDNS
Specifies whether sshd(8) should look up the remote host name
and check that the resolved host name for the remote IP address
maps back to the very same IP address. The default is “yes”.

That excerpt is from an older manual page: the default has been no since OpenSSH 6.8, but distributions that ship an older OpenSSH (CentOS/RHEL 6, for instance) or carry an explicit UseDNS yes still show the delay. The lookup only matters for host-name patterns in from= restrictions in authorized_keys and for the name written to the log; turning it off does not weaken authentication. To disable it:

  1. Open the sshd config file.

    /etc/ssh/sshd_config
  2. Look for UseDNS and set the value to no

    UseDNS no
  3. Restart the sshd service

If logins from a RHEL-family client are still slow, the other usual culprit is GSSAPIAuthentication yes in the client's ssh_config, which triggers Kerberos-related DNS lookups; set it to no there, or pass -o GSSAPIAuthentication=no.

How to create SSH SOCKS proxy

An SSH SOCKS proxy is one way to get an encrypted tunnel for web browsing. It comes in handy on an untrusted network such as public WiFi: the traffic between your host and the SSH server is encrypted, and the websites you visit see the server's address rather than yours. The leg between the SSH server and the website is not protected by SSH, so keep using HTTPS as usual.

For this to work you need an SSH server somewhere to tunnel the traffic through, and an SSH client on your host.

Creating the tunnel is as simple as running the following command:

$ ssh -D 8080 user@proxy-address

This assumes a user account named user on the server at proxy-address; 8080 is the local port on which the SOCKS proxy listens. SSH binds it to 127.0.0.1 only, so other machines on the WiFi cannot use your tunnel. Add -N if you want the tunnel without a remote shell.

The next step is to configure your applications to use the proxy you have just created: SOCKS5, host 127.0.0.1, port 8080. Make sure the application also sends its DNS queries through the proxy (Firefox's "Proxy DNS when using SOCKS v5" setting, curl's socks5h:// scheme); otherwise the names you look up still go to the local network's resolver in clear, even though the page contents do not.
