OpenSSH
OpenSSH is a popular suite of software utilities implementing the Secure Shell (SSH) protocol. OpenSSH can set up a secured TCP channel and is widely used as a replacement for unencrypted telnet and as a secure replacement for file-transfer tools such as rcp and ftp. OpenSSH offers a great number of features, including ssh session multiplexing. [1][2]
The OpenSSH suite includes the following command-line utilities and daemons:
- ssh, the ssh client, a secure replacement for rlogin, rsh and telnet that gives shell access to a remote machine.
- scp, a replacement for rcp.
- sftp, a replacement for ftp, to copy files between computers.
- sshd, the SSH server daemon, which allows shell access and file transfers to a remote machine.
- ssh-keygen, a tool to inspect and generate the RSA, DSA and Elliptic Curve keys used for user and host authentication.
- ssh-keyscan, which scans a list of hosts and collects their public keys.
- ssh-agent and ssh-add, utilities that ease authentication by holding keys ready, so the passphrase need not be entered every time a key is used.
- ssh-copy-id, which copies local keys to a remote machine.
Readings[edit]
Config[edit]
- Client: /etc/ssh/ssh_config (system-wide) or ~/.ssh/config (per user)
- Server: /etc/ssh/sshd_config
ssh clients[edit]
OpenSSH includes an ssh client: ssh. Other clients are available, such as PuTTY, mosh, paramiko and autossh [3].
The main autossh [4] feature not included in the OpenSSH ssh client is the ability to monitor an ssh connection and restart it if necessary.
- Loop waiting to connect to the server (-M 0 turns off autossh's own monitoring port, so failure detection relies on the ServerAlive options):
AUTOSSH_POLL=5 AUTOSSH_GATETIME=0 autossh -M 0 -o ServerAliveInterval=5 -o ServerAliveCountMax=1 YOUR_SERVER_NAME_OR_IP
Ssh clients on Linux are frequently run inside a terminal or under a terminal multiplexer such as tmux or screen.
Activities[edit]
Basic[edit]
- Install OpenSSH:
apt install openssh-server
- Convert a PuTTY key (.ppk) to OpenSSH format, following these instructions: http://www.codeblocq.com/2016/05/Convert-a-putty-ppk-key-to-a-pem-file-on-OSX/, https://stackoverflow.com/questions/3475069/use-ppk-file-in-mac-terminal-to-connect-to-remote-connection-over-ssh
- Open a reverse ssh tunnel, following these instructions: https://www.howtoforge.com/reverse-ssh-tunneling
- Configure OpenSSH to reuse ssh connections (ControlMaster)
- Generate a public key from a private key: [5]
ssh-keygen -f ~/.ssh/id_rsa -y > ~/.ssh/id_rsa.pub
(example for RSA keys, but it applies to other key types)
- Configure OpenSSH to allow public-key authentication (authorized_keys) [6]
- Activate SSH on macOS:
sudo systemsetup -setremotelogin on
- Activate OpenSSH on Windows (Windows Server 2019 or Windows 10): [7]
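The key-generation and authorized_keys steps above, combined into one script as an added example (not code from the Wikiversity page or the OpenSSH project). The paths, the "demo" argument and the sample public key are constructed placeholders; only the derive_pubkey helper calls ssh-keygen, and it is not exercised by the demo.

```shell
#!/bin/sh
# Added example (not from the page): set up public-key authentication the
# way a defender wants it. The private key never leaves the client, the
# authorized_keys file is appended to exactly once with the permissions
# sshd's StrictModes expects, and sshd is told to stop accepting passwords.
# All paths and the sample key below are constructed placeholders.

set -eu

# Derive the public half from an existing private key (the page's own
# "ssh-keygen -y" command, wrapped so it is reusable for any key type).
derive_pubkey() {
    # $1 = private key path, $2 = destination .pub path
    ssh-keygen -y -f "$1" > "$2"
    chmod 0644 "$2"
}

# Append one public-key line to an authorized_keys file exactly once and
# enforce StrictModes-friendly permissions (dir 0700, file 0600).
install_authorized_key() {
    # $1 = authorized_keys path, $2 = public key line
    dir=$(dirname "$1")
    mkdir -p "$dir"
    chmod 0700 "$dir"
    touch "$1"
    chmod 0600 "$1"
    # -x whole-line, -F fixed string: no regex surprises from '+' or '/'
    if ! grep -qxF "$2" "$1"; then
        printf '%s\n' "$2" >> "$1"
    fi
}

# Number of times a key line appears in the file (proves idempotence).
count_key() {
    # $1 = authorized_keys path, $2 = public key line
    grep -cxF "$2" "$1" || true
}

# sshd_config fragment that turns the setup into policy: keys only.
sshd_pubkey_only_config() {
    cat <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin prohibit-password
AuthorizedKeysFile .ssh/authorized_keys
EOF
}

# Permission string of a path in ls form, e.g. -rw-------
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Constructed sample public-key line: not a real key, the blob is a placeholder.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDER demo@example'

if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    install_authorized_key "$work/.ssh/authorized_keys" "$SAMPLE_PUBKEY"
    install_authorized_key "$work/.ssh/authorized_keys" "$SAMPLE_PUBKEY"
    echo "occurrences after two installs: $(count_key "$work/.ssh/authorized_keys" "$SAMPLE_PUBKEY")"
    echo "authorized_keys mode: $(mode_of "$work/.ssh/authorized_keys")"
    sshd_pubkey_only_config
    rm -rf "$work"
fi
```

Run it with "sh script.sh demo". The permission steps matter in practice: with StrictModes (sshd's default) a group- or world-writable ~/.ssh or authorized_keys makes sshd silently ignore the file, which shows up as an unexplained fallback to password prompts.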
Intermediate[edit]
- Learn about different client connection options, such as -o BatchMode=yes or -o ConnectTimeout=2 [8]
- Connect to a remote server with host key checking temporarily turned off (security implications: the client then accepts whatever host key it is offered, so an impostor host or a man-in-the-middle goes undetected):
ssh -oStrictHostKeyChecking=no SERVER_NAME
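The usual way to avoid the StrictHostKeyChecking=no shortcut, as an added example (not code from the page or from OpenSSH): pin the server's host key, obtained out of band (e.g. from the host's console or its administrator, or by checking ssh-keyscan output against a fingerprint the administrator published), into a dedicated known_hosts file, and then connect with checking forced on. The hostname and the key line are constructed placeholders, not a real key.

```shell
#!/bin/sh
# Added example (not from the page): pin a known host key instead of
# disabling verification. Hostnames and key material are constructed.

set -eu

# Check that a known_hosts line has the form "host keytype base64" with a
# key type OpenSSH understands. Exit status 0 means well-formed.
valid_known_hosts_line() {
    set -f                      # no globbing while splitting on whitespace
    set -- $1
    set +f
    [ $# -ge 3 ] || return 1
    case $2 in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac
    printf '%s' "$3" | grep -Eq '^[A-Za-z0-9+/]+=*$'
}

# Record the line in a per-purpose known_hosts file (mode 0600), once.
pin_host_key() {
    # $1 = known_hosts path, $2 = known_hosts line
    if ! valid_known_hosts_line "$2"; then
        echo "refusing malformed host key line" >&2
        return 1
    fi
    touch "$1"
    chmod 0600 "$1"
    grep -qxF "$2" "$1" || printf '%s\n' "$2" >> "$1"
}

# Client options that keep verification on and consult only the pinned file.
pinned_ssh_opts() {
    # $1 = known_hosts path
    printf '%s' "-o StrictHostKeyChecking=yes -o UserKnownHostsFile=$1"
}

# Number of entries in a pinned file.
pinned_count() {
    grep -c . "$1" || true
}

# Constructed sample: the key blob is a placeholder, not a real ed25519 key.
SAMPLE_LINE='bastion.example.internal ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDER'

if [ "${1:-}" = "demo" ]; then
    kh=$(mktemp)
    pin_host_key "$kh" "$SAMPLE_LINE"
    echo "ssh $(pinned_ssh_opts "$kh") user@bastion.example.internal"
    rm -f "$kh"
fi
```

With the pinned file in place, a key that no longer matches makes ssh refuse the connection instead of silently trusting the new key, which is exactly the signal the =no shortcut throws away. For first contact where no out-of-band key is available, StrictHostKeyChecking=accept-new records the key once and rejects later changes, which is still stricter than =no.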
Advanced[edit]
- Read the ssh documentation about multiplexing https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Multiplexing and its implementation details: http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL.mux?annotate=HEAD
- Configure ssh session multiplexing
- Use the ProxyJump directive to connect through a "jump server" [9]
- Run a shell script on a remote machine using ssh: [10]
ssh root@MachineB 'bash -s' < local_script.sh
See also: parallel
- Read the https://github.com/openssh/openssh-portable source code
- Read the OpenSSH changelog
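A concrete multiplexing setup for the ControlMaster item in the Basic activities and the "Configure ssh session multiplexing" item above, as an added example (not code from the page or from OpenSSH). The host alias, hostname, config path and socket directory are constructed placeholders; the mux_check and mux_stop wrappers call the real ssh client and are only run by the demo.

```shell
#!/bin/sh
# Added example (not from the page): enable ControlMaster multiplexing so
# repeated ssh/scp/sftp calls reuse one authenticated connection, and keep
# the control socket in a private 0700 directory, because anyone who can
# open that socket gets a session as you without authenticating.
# Paths and host names are constructed placeholders.

set -eu

# Append a client config stanza for one host alias.
# $1 = ssh config path, $2 = alias, $3 = real hostname, $4 = socket directory
write_mux_config() {
    mkdir -p "$4"
    chmod 0700 "$4"             # socket dir must not be readable by others
    cat >> "$1" <<EOF
Host $2
    HostName $3
    ControlMaster auto
    ControlPath $4/%r@%h:%p
    ControlPersist 10m
EOF
    chmod 0600 "$1"
}

# Ask the running master whether it is alive (exit 0 when it is).
mux_check() {
    # $1 = ssh config path, $2 = alias
    ssh -F "$1" -O check "$2" 2>/dev/null
}

# Tell the master to stop accepting new sessions and exit when the existing
# ones finish (the page's "ssh -O stop").
mux_stop() {
    # $1 = ssh config path, $2 = alias
    ssh -F "$1" -O stop "$2" 2>/dev/null
}

# Permission string of a path in ls form, e.g. drwx------
mode_of() {
    ls -ld "$1" | cut -c1-10
}

if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    write_mux_config "$work/config" bastion bastion.example.internal "$work/sockets"
    cat "$work/config"
    echo "socket dir mode: $(mode_of "$work/sockets")"
    if mux_check "$work/config" bastion; then
        echo "master is running"
        mux_stop "$work/config" bastion
    else
        echo "no master running for alias bastion (expected in an offline demo)"
    fi
    rm -rf "$work"
fi
```

ControlPersist keeps the master alive for ten minutes after the last session closes, which is the window in which the socket is a credential-free way into the host, so keep the directory private and use "ssh -O stop" when leaving a shared machine. Unix socket paths are limited to roughly 100 bytes; if the expanded ControlPath is longer, the %C token (a fixed-length hash of the connection parameters) avoids the problem.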
Related terms[edit]
- MAC (message authentication code)
- Damien Miller
- Key Revocation Lists (KRL)
- AWS EC2 Instance Connect (Jun 2019)
See also[edit]
- Telnet (deprecated use), netcat
- OpenSSH (changelog): /etc/ssh/sshd_config | /etc/ssh/ssh_config | ~/.ssh/ | openSSL | sshd logs | sftp | scp | authorized_keys | ssh-keygen | ssh-keyscan | ssh-add | ssh-agent | ssh | ssh -O stop | ssh-copy-id | CheckHostIP | UseKeychain, OpenSSF
- sslh [11], an applicative protocol multiplexer (e.g. to share SSH and HTTPS on the same port)
- sshpass (brew install http://git.io/sshpass.rb)
- conch, a client written in Python
- openssl
- Port knocking, fail2ban [12], fwknop, DenyHosts
- Security: Security portfolio, Security standards, Hardening, CVE, CWE, Wireless Network Hacking, vulnerability scanner, Security risk assessment, SCA, Application Security Testing, OWASP, Data leak, NIST, SANS, MITRE, Security policy, Access Control attacks, password policy, password cracking, Password manager, MFA, OTP, UTF, Firewall, DoS, Software bugs, MITM, Certified Ethical Hacker (CEH) Contents, Security+ Malware, FIPS, DLP, Network Access Control (NAC), VAPT, SIEM, EDR, SOC, pentest, PTaaS, Clickjacking, MobSF, Janus vulnerability, Back Orifice, Backdoor, CSO, CSPM, PoLP, forensic, encryption, Keylogger, Pwn2Own, CISO, Prototype pollution
Original source: https://en.wikiversity.org/wiki/OpenSSH
References
- [1] https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Multiplexing
- [2] https://stackoverflow.com/questions/20410252/how-to-reuse-an-ssh-connection
- [3] https://linux.die.net/man/1/autossh
- [4] https://linux.die.net/man/1/autossh
- [5] https://serverfault.com/questions/52285/create-a-public-ssh-key-from-the-private-key
- [6] https://www.digitalocean.com/community/tutorials/how-to-configure-ssh-key-based-authentication-on-a-linux-server
- [7] https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse
- [8] https://linux.die.net/man/1/ssh
- [9] https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Proxies_and_Jump_Hosts#Passing_Through_One_or_More_Gateways_Using_ProxyJump
- [10] https://stackoverflow.com/a/2732991
- [11] https://github.com/yrutschle/sslh
- [12] https://serverfault.com/a/608976