SSH (Secure Shell) is a popular, powerful, software-based approach to securing network access. It is used for logging into a remote machine and for executing commands on it. Everything the SSH client sends over the network is encrypted and integrity-protected, and the server proves its identity to the client with a host key. It is designed to provide strong security when accessing another computer remotely. The SSH server listens on TCP port 22 by default.
In this guide, we will discuss how to use SSH to connect to a remote system.
Basic Syntax
ssh ec2-user@ec2-52-66-84-114.ap-south-1.compute.amazonaws.com
Once the connection is established, ssh checks the server's host key against ~/.ssh/known_hosts and then prompts for your password (unless password-less, key-based login has been set up) to verify your identity.
Later, we will cover how to generate keys to use instead of passwords.
To exit back into your local session, simply type:
[shaha@oc8535558703 ~]$ exit
There are two main configuration files for the SSH client.
1) ~/.ssh/config ( per-user configuration file )
This is the per-user configuration file, read by the SSH client. It must have strict permissions: read/write for the user and not accessible by others (ssh refuses to read a config file that is writable by other users). Every option we use to reach another computer can be set here. This file is called the client configuration file.
[shaha@oc8535558703 ~]$ ls -lrt ~/.ssh/config
-rw-------. 1 shaha shaha 988 Jul 19 23:54 /home/shaha/.ssh/config
[shaha@oc8535558703 ~]$
2) /etc/ssh/ssh_config ( system-wide configuration file )
System-wide configuration file. It provides defaults for the values that are not set in the user's configuration file, and for users who have no configuration file. It must be world-readable so that every user's ssh client can read it, and writable only by root, since every parameter in it applies to every user on the system.
[root@oc8535558703 ~]# ls -rlt /etc/ssh/ssh_config
-rw-r--r--. 1 root root 2047 Apr 26 16:36 /etc/ssh/ssh_config
[root@oc8535558703 ~]#
SSH Command Line Options
StrictHostKeyChecking
When ssh connects to a host it has not seen before, it shows the server's host key fingerprint and asks you to confirm it before adding the key to ~/.ssh/known_hosts; if a known host's key later changes, it refuses to connect. If you would like to bypass this verification step, you can set the "StrictHostKeyChecking" option to "no" on the command line.
This option disables the prompt and automatically adds the host key to the ~/.ssh/known_hosts file. Use it only for throw-away hosts on a network you trust: on a first connection without the check, anyone who can intercept the traffic can impersonate the server and, if you log in with a password, capture it. OpenSSH 7.6 and later also accept StrictHostKeyChecking=accept-new, which adds keys for unknown hosts but still rejects a changed key; better still, pre-populate known_hosts from an out-of-band copy of the host key and leave the option at yes.
$ ssh -oport=922 -o "StrictHostKeyChecking=no" user@172.23.XX.XX
ConnectTimeout
ConnectTimeout bounds, in seconds, how long ssh waits for the TCP connection and the initial handshake before giving up; it does not limit how long a remote command may run. A typical use is a script that runs one command per address over password-less SSH: with a timeout set, a host that never answers is skipped after ten seconds and the script continues with its next lines instead of blocking forever. To also cap a command that hangs after login, wrap ssh in timeout(1), as below, or set ServerAliveInterval and ServerAliveCountMax.
for ip in ${IP}; do
    # timeout(1) caps the whole session; ConnectTimeout only caps connect and handshake
    timeout 60 ssh -o BatchMode=yes -o StrictHostKeyChecking=yes -o ConnectTimeout=10 \
        -l "${USERNAME}" "${SCRIPT_HOST}" "${COMMAND} -i ${ip}" >> ./myscript.out \
        || echo "ssh to ${SCRIPT_HOST} for ${ip} failed (status $?)" >> ./myscript.out
done
ssh exits with status 255 when the connection or authentication fails, and timeout(1) returns 124 when it had to kill ssh, so the fallback message belongs in the local script. A "|| echo timeout" placed inside the quoted remote command would instead run on the remote host whenever the command failed, which has nothing to do with a timeout. StrictHostKeyChecking is set to yes so the script only talks to hosts whose keys are already in known_hosts.
BatchMode
With -o "BatchMode yes", ssh never prompts for a password or passphrase. If password-less (key- or agent-based) connectivity is in place, the command executes on the remote host; otherwise ssh fails immediately with an error and the calling script continues.
Batch mode command execution using SSH — success case
ssh -o "batchmode=yes" ec2-user@ec2-52-66-11-114.ap-south-1.compute.amazonaws.com who
[Note: This will display the output of remote-host's who command]
Batch mode command execution using SSH — Failure case
$ ssh -o "batchmode=yes" ec2-user@ec2-52-66-84-114.ap-south-1.compute.amazonaws.com who
Permission denied (publickey,password).
[ec2-user@ip-172-31-13-103 ~]$
Note: without -o "BatchMode yes", the above command would have asked for the password of my account on the remote host, and a script would hang there waiting for input. That is the key difference the BatchMode yes option makes.
Bind IP Example
ssh -oPort=922 -oBindAddress=172.18.XX.X a2308078@41.223.XX.XX
BindAddress chooses which local address ssh uses as the source of the connection on a multi-homed client. It is useful when the server, or a firewall in between, only accepts connections from a particular interface, for example an AllowUsers user@host rule in sshd_config or a from= restriction in authorized_keys keyed on the source IP.
SSH / OpenSSH / Port Forwarding
There are three types of port forwarding with SSH:
1. Local port forwarding : connections from the SSH client are forwarded via the SSH server, then to a destination server
2. Remote port forwarding : connections from the SSH server are forwarded via the SSH client, then to a destination server
3. Dynamic port forwarding : connections from various programs are forwarded via the SSH client, then via the SSH server, and finally to several destination servers
Local Port Forwarding
ssh -L 8080:172.18.19.23:80 -L 12345:172.18.19.20:80 user@gateway
This forwards two local ports through the SSH server (written here as user@gateway, a placeholder for the server you log in to): one to 172.18.19.23, the other to 172.18.19.20. Pointing your browser at http://localhost:8080/ would download pages from 172.18.19.23, and pointing it at http://localhost:12345/ would download pages from 172.18.19.20; the web servers see the SSH server, not your machine, as the client. By default the local listening port binds to the loopback address only, so other machines cannot use your tunnel; -g, or an explicit bind address such as -L 0.0.0.0:8080:172.18.19.23:80, exposes it to the network.
Remote Port Forwarding
ssh -R 5900:localhost:5900 ec2-user@ec2-52-66-84-114.ap-south-1.compute.amazonaws.com
The -R option specifies remote port forwarding. For the duration of the SSH session, anyone logged in to ec2-52-66-84-114.ap-south-1.compute.amazonaws.com can reach your desktop by pointing a VNC client at port 5900 on that host (if you have set up a shared desktop). The remote listener binds to the server's loopback address unless GatewayPorts is enabled in the server's sshd_config, so by default other hosts on the server's network cannot connect to it.
Dynamic Port Forwarding
ssh -C -D 1001 User@ec2-52-66-84-114.ap-south-1.compute.amazonaws.com
The -D option specifies dynamic port forwarding: ssh acts as a SOCKS proxy on the given local port and opens a tunnel through the server to whatever destination each client connection asks for. The standard SOCKS port is 1080; you can use any port number, as this example does with 1001, but some programs will only work if you use 1080. -C enables compression, which speeds the tunnel up when proxying mainly text-based information (like web browsing), but can slow it down when proxying binary data (like downloading files).
Next, tell Firefox to use your proxy:
go to Edit -> Preferences -> Advanced -> Network -> Connection -> Settings...
check "Manual proxy configuration"
make sure "Use this proxy server for all protocols" is cleared
clear "HTTP Proxy", "SSL Proxy", "FTP Proxy", and "Gopher Proxy" fields
enter "127.0.0.1" for "SOCKS Host"
enter "1001" (or whatever port you chose) for Port.
Forwarding GUI Programs
ssh -X User@ec2-52-66-84-114.ap-south-1.compute.amazonaws.com
Once the connection is made, type the name of your GUI program at the remote shell prompt; it runs on the remote host and displays on your local X server:
firefox &
Another example
ssh -X ec2-user@ec2-52-66-84-114.ap-south-1.compute.amazonaws.com
[ec2-user@ip-172-31-13-103 ~]$ xeyes &
-X enables X11 forwarding with the restrictions of the X11 SECURITY extension ("untrusted" forwarding), which keeps the remote programs from reading other windows or keystrokes on your display. -Y enables trusted X11 forwarding, which is not subject to the X11 SECURITY extension controls and gives the remote host full control of your display. Note that many Linux distributions ship ForwardX11Trusted yes in /etc/ssh/ssh_config, which makes -X behave like -Y; check that file before relying on the distinction, and only forward X11 to hosts you trust.
PORT
ssh -oport=922 -i EC2_KEY_PAYER.pem -v ec2-user@ec2-52-66-84-114.ap-south-1.compute.amazonaws.com
Port is the port to connect to on the remote host (922 here instead of the default 22). It can also be set on a per-host basis in the configuration file. The private key file is passed with -i, since a bare file name on the command line would be taken as the host name.
Use a configuration file from the command line
ssh -F /export/oracle/db/config/ssh/config.922pw -f svwprd1b@172.23.XX.XX -t "rm /home/oracle11/work/datastage/testing_ssh"
If a configuration file is given on the command line with -F, it replaces the per-user file and the system-wide configuration file (/etc/ssh/ssh_config) is ignored as well, so everything comes from the named file. The default per-user configuration file is ~/.ssh/config.
Any file can be used as an ssh client configuration this way, which is handy for keeping job-specific settings (port, key, user) out of your personal config.
The command above reads all of its options from the config file, -f sends ssh to the background just before command execution, and the rm is then executed on the remote server.
ssh -F /var/dcs/db/confi/config.922 -f -N svwprd1b@172.24.X.70 -t "rm /svw/svwprd1b/work/svwprd1b/testing_ssh"
This one also reads its options from the config file and runs in the background, but -N tells ssh not to execute a remote command, so the rm never runs; such a session is only useful for port forwarding.
**** -f puts ssh in the background
**** -N makes it not execute a remote command
Find the version of the SSH client
The -V option prints the version of the ssh client installed on the system (and the OpenSSL it was built against) and exits; a host name on the command line is ignored and no connection is made:
ssh -V
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
-v runs ssh in verbose mode.
It causes ssh to print debugging messages about its progress, which is helpful in debugging connection, authentication and configuration problems. Multiple -v options increase the verbosity; the maximum is 3.
Debugging the SSH Client
When we are not able to connect to a remote host, the quickest way to find the exact error is to run the client with -v and read the debug messages. Output of an ssh connection in verbose mode:
[shaha@oc8535558703 ~]$ ssh -v ec2-user@ec2-52-66-84-114.ap-south-1.compute.amazonaws.com
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to ec2-52-66-84-114.ap-south-1.compute.amazonaws.com [52.66.84.114] port 22.
debug1: Connection established.
debug1: identity file /home/shaha/.ssh/identity type -1
debug1: identity file /home/shaha/.ssh/identity-cert type -1
debug1: identity file /home/shaha/.ssh/id_rsa type 1
debug1: identity file /home/shaha/.ssh/id_rsa-cert type -1
debug1: identity file /home/shaha/.ssh/id_dsa type -1
debug1: identity file /home/shaha/.ssh/id_dsa-cert type -1
debug1: identity file /home/shaha/.ssh/id_ecdsa type -1
debug1: identity file /home/shaha/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
debug1: match: OpenSSH_6.6.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'ec2-52-66-84-114.ap-south-1.compute.amazonaws.com' is known and matches the RSA host key.
debug1: Found key in /home/shaha/.ssh/known_hosts:35
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/shaha/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /home/shaha/.ssh/identity
debug1: Trying private key: /home/shaha/.ssh/id_dsa
debug1: Trying private key: /home/shaha/.ssh/id_ecdsa
debug1: Next authentication method: password
ec2-user@ec2-52-66-84-114.ap-south-1.compute.amazonaws.com's password:
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env XMODIFIERS = @im=ibus
debug1: Sending env LANG = en_US.UTF-8
Last login: Tue Jul 19 18:40:56 2016 from 223.188.198.5

       __|  __|_  )
       _|  (     /   Amazon Linux AMI
      ___|\___|___|

https://aws.amazon.com/amazon-linux-ami/2016.03-release-notes/
4 package(s) needed for security, out of 13 available
Run "sudo yum update" to apply all updates.
[ec2-user@ip-172-31-13-103 ~]$
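Two things in this output deserve attention before moving on: both directions negotiated aes128-ctr with hmac-md5, and the client asked for a Diffie-Hellman group of at least 1024 bits, both below what current OpenSSH releases choose (chacha20-poly1305 or AES-GCM, SHA-2 MACs, and 2048-bit minimum groups since OpenSSH 7.0). The script below is an added example, not part of the original post: it pulls the negotiated cipher and MAC out of ssh -v output in both the OpenSSH 5.3 format shown above and the later cipher:/MAC: format (those sample lines are constructed), and flags algorithms that OpenSSH has since dropped from its defaults. Which names count as weak is this example's own list, not something the page or OpenSSH defines.

```python
"""Extract the negotiated cipher and MAC from `ssh -v` output and flag weak ones.

Added example, not code from the original post. SAMPLE_5_3 holds the two `kex:`
lines from the verbose output above; SAMPLE_MODERN is CONSTRUCTED in the format
that OpenSSH 6.x and later print, so one parser serves both. The weak lists are
this example's own judgement: hmac-md5 and 96-bit truncated MACs, and the CBC,
RC4 (arcfour), 3DES, Blowfish and CAST ciphers removed from OpenSSH's defaults.
"""
import re

OLD_STYLE = re.compile(r"kex: (server->client|client->server) (\S+) (\S+) (\S+)$")
NEW_STYLE = re.compile(
    r"kex: (server->client|client->server) cipher: (\S+) MAC: (\S+) compression: (\S+)$")
WEAK_CIPHER = re.compile(r"^(arcfour|3des|blowfish|cast128)|-cbc$")
WEAK_MAC = re.compile(r"md5|-96(-etm@openssh\.com)?$")

SAMPLE_5_3 = [  # copied from the ssh -v output above
    "debug1: kex: server->client aes128-ctr hmac-md5 none",
    "debug1: kex: client->server aes128-ctr hmac-md5 none",
]
SAMPLE_MODERN = [  # constructed: what a current client prints for the same step
    "debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none",
    "debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none",
]


def parse_kex(lines):
    """Map each direction to (cipher, mac, compression) taken from ssh -v debug lines."""
    negotiated = {}
    for line in lines:
        m = OLD_STYLE.search(line) or NEW_STYLE.search(line)
        if m:
            negotiated[m.group(1)] = (m.group(2), m.group(3), m.group(4))
    return negotiated


def weak_algorithms(negotiated):
    """Findings as 'direction: cipher X' / 'direction: MAC Y', sorted by direction."""
    findings = []
    for direction, (cipher, mac, _compression) in sorted(negotiated.items()):
        if WEAK_CIPHER.search(cipher):
            findings.append("%s: cipher %s" % (direction, cipher))
        if WEAK_MAC.search(mac):  # AEAD ciphers report MAC as <implicit>, never flagged
            findings.append("%s: MAC %s" % (direction, mac))
    return findings


if __name__ == "__main__":
    for name, sample in (("OpenSSH 5.3 session", SAMPLE_5_3), ("modern session", SAMPLE_MODERN)):
        print(name, "->", weak_algorithms(parse_kex(sample)) or ["nothing flagged"])
```

Feed it the saved output of ssh -v (for example ssh -v host 2>&1 | python3 this_script.py after adapting the main block to read sys.stdin) to see at a glance whether a server is still forcing old algorithms on you; the fix is usually on the server side, in the Ciphers and MACs lines of its sshd_config.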
SSH Config File options
The /etc/ssh/ssh_config file is the system-wide configuration file for the OpenSSH client; it sets options that modify the behaviour of the client programs (ssh, scp, sftp). The file contains keyword-value pairs, one per line, with keywords being case insensitive. For each keyword the first value obtained wins: command-line -o options are read first, then ~/.ssh/config, then this file, and within a file earlier lines beat later ones.
Here are the most important keywords for configuring the ssh client securely. Several of them (RhostsAuthentication, RhostsRSAAuthentication, RSAAuthentication, FallBackToRsh, UseRsh) belong to SSH protocol 1 or to the rsh fallback of early OpenSSH releases; current OpenSSH accepts them only as deprecated options and ignores them, and protocol 1 itself was removed in OpenSSH 7.6. They are listed with the values that were safe when they still did something.
Edit the ssh_config file (vi /etc/ssh/ssh_config) and add or change the following parameters as necessary:
# Site-wide defaults for various options
Host *
ForwardAgent no
ForwardX11 no
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
PasswordAuthentication yes
FallBackToRsh no
UseRsh no
BatchMode no
CheckHostIP yes
StrictHostKeyChecking yes
IdentityFile ~/.ssh/identity
Port 922
Description of the config file parameters
Host *
The option Host restricts the declarations and options that follow it in the configuration file to the hosts that match one of the patterns given after the keyword, up to the next Host keyword. The pattern * matches all hosts. With this option you can set different declarations for different hosts in the same ssh_config file.
ForwardAgent no
The option ForwardAgent specifies whether the connection to the authentication agent (if any) is forwarded to the remote machine. Keep it at no: while a forwarded agent is available, anyone with root on the remote host can use it to authenticate as you to other systems. Enable forwarding for a single session with -A when you really need it.
ForwardX11 no
ssh -o "ForwardX11=no" ec2-user@ec2-52-66-11-114.ap-south-1.compute.amazonaws.com
The option ForwardX11 is for people who use the X Window GUI and want programs started on the remote machine to display on their local X server. Since we set up a server without a GUI, we can safely turn this option off; it also removes the remote host's access to your display.
RhostsAuthentication no
ssh -o "RhostsAuthentication=no" ec2-user@ec2-52-66-11-114.ap-south-1.compute.amazonaws.com
The option RhostsAuthentication specified whether to try rhosts-based authentication, which trusts the client's host name and user name. Because rhosts authentication is insecure you should not use it; current OpenSSH no longer implements it and ignores the keyword.
RhostsRSAAuthentication no
ssh -o "RhostsRSAAuthentication=no" ec2-user@ec2-52-66-11-114.ap-south-1.compute.amazonaws.com
The option RhostsRSAAuthentication specified whether to try rhosts authentication in concert with RSA host authentication. It is protocol 1 only and, like the rest of protocol 1, is gone from OpenSSH 7.6 onwards.
RSAAuthentication yes
ssh -o "RSAAuthentication=yes" ec2-user@ec2-52-66-11-114.ap-south-1.compute.amazonaws.com
The option RSAAuthentication specified whether to try RSA authentication under protocol 1. Public-key authentication for protocol 2 is controlled by PubkeyAuthentication, which defaults to yes and should stay that way: it uses a public/private key pair created with the ssh-keygen(1) utility and never sends a secret to the server.
PasswordAuthentication yes
ssh -o "PasswordAuthentication=yes" ec2-user@ec2-52-66-11-114.ap-south-1.compute.amazonaws.com
The option PasswordAuthentication specifies whether the client will try password-based authentication (default yes). It is a client-side preference, not a server control: it does not stop anyone from connecting to your server, and whether a server accepts passwords at all is decided by PasswordAuthentication in its sshd_config. For key-based workflows set it to no on the client, so that scripts fail fast instead of stalling at a prompt and you are never asked to type a password to a host you did not intend to log in to.
FallBackToRsh no
ssh -o "FallBackToRsh=no" ec2-user@ec2-52-66-11-114.ap-south-1.compute.amazonaws.com
The option FallBackToRsh told early OpenSSH clients to use rsh automatically if the connection to the ssh daemon failed. Recalling that rsh is unencrypted and unauthenticated, this had to be no; the option was removed long ago and current versions ignore it.
UseRsh no
ssh -o "UseRsh=no" ec2-user@ec2-52-66-11-114.ap-south-1.compute.amazonaws.com
The option UseRsh specified that rlogin/rsh should be used for this host instead of ssh. As with FallBackToRsh, it had to be no for obvious reasons and is ignored by current versions.
BatchMode no
ssh -o "BatchMode=no" ec2-user@ec2-52-66-11-114.ap-south-1.compute.amazonaws.com
The option BatchMode specifies whether the password and passphrase prompts are disabled. Set it to yes in scripts that must not wait for input, for example scripts that use scp to make backups over the network: ssh then fails with an error instead of hanging, so those scripts need a key or an agent for authentication. Leave the site-wide default at no so that interactive logins still get their prompt.
CheckHostIP yes
ssh -o "CheckHostIP=yes" ec2-user@ec2-52-66-11-114.ap-south-1.compute.amazonaws.com
The option CheckHostIP specifies whether ssh additionally checks the host IP address against the known_hosts file, so that a DNS answer pointing a known name at a different address is noticed (DNS spoofing). The default has changed between OpenSSH releases, so set it explicitly; yes is recommended.
StrictHostKeyChecking yes
ssh -o "StrictHostKeyChecking=yes" ec2-user@ec2-52-66-11-114.ap-south-1.compute.amazonaws.com
The option StrictHostKeyChecking specifies whether ssh automatically adds new host keys to the $HOME/.ssh/known_hosts file (no), never adds them and refuses to connect to hosts whose key is unknown or has changed (yes), or asks you to confirm each new key (ask, the default). Set to yes, it provides the maximum protection against man-in-the-middle and Trojan-horse attacks. One procedure sometimes suggested is to set it to no at the beginning, let ssh add all common hosts to the file as they are first connected to, and then return it to yes; note that this trusts whatever key each host presented during that window, so it is only acceptable on a network you control. OpenSSH 7.6 and later also accept accept-new, which records unknown hosts but still rejects a changed key.
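The safe alternative to StrictHostKeyChecking=no, both for the command-line use shown earlier and for the config keyword described here, is to pin the host key: obtain its fingerprint out of band (the cloud console's boot log, a configuration-management inventory), compare it with what ssh-keyscan returns, and write the result to a known_hosts file that ssh is then told to trust strictly. The script below is an added example, not code from the original post or from OpenSSH; it reimplements the SHA256 fingerprint and the hashed known_hosts entry format in Python so it runs offline, and the host key it uses is constructed from fixed bytes rather than taken from any real server.

```python
"""Pin a server's host key instead of setting StrictHostKeyChecking=no.

Added example, not code from the original post. It reimplements, in pure Python
so that it runs offline, the two OpenSSH formats involved in checking a host key
by hand: the SHA256 fingerprint that `ssh-keygen -lf` prints, and the hashed
known_hosts host field (`|1|salt|hmac`, HMAC-SHA1 of the host name). The host
key used below is CONSTRUCTED from fixed bytes for the demo; it is nobody's key.
"""
import base64
import hashlib
import hmac
import struct

HOST = "ec2-52-66-84-114.ap-south-1.compute.amazonaws.com"   # host name from the post


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def demo_ed25519_key(raw32: bytes) -> str:
    """Base64 blob of an ssh-ed25519 public key built from 32 key bytes (demo only)."""
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(raw32)).decode()


def fingerprint_sha256(key_b64: str) -> str:
    """OpenSSH fingerprint: 'SHA256:' + unpadded base64 of SHA-256 over the key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hashed_host_field(host: str, salt: bytes) -> str:
    """Hashed known_hosts host field, as written when HashKnownHosts is yes."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_field_matches(field: str, host: str) -> bool:
    """Match a plain (comma-separated) or hashed host field against one host name."""
    if field.startswith("|1|"):
        _, _, salt_b64, _ = field.split("|", 3)
        return hmac.compare_digest(hashed_host_field(host, base64.b64decode(salt_b64)), field)
    return host in field.split(",")


def find_host_key(known_hosts: str, host: str, keytype: str):
    """Return the base64 key recorded for (host, keytype); None if unknown or revoked."""
    for line in known_hosts.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        marker = None
        if parts[0].startswith("@"):            # @cert-authority or @revoked marker
            marker, parts = parts[0], parts[1:]
        if marker == "@cert-authority":         # a CA key, not a host key: out of scope
            continue
        if len(parts) >= 3 and parts[1] == keytype and host_field_matches(parts[0], host):
            return None if marker == "@revoked" else parts[2]
    return None


def verify_keyscan_line(keyscan_line: str, pinned_fingerprint: str) -> bool:
    """True if an `ssh-keyscan` output line carries the key whose fingerprint you were given."""
    parts = keyscan_line.split()
    return len(parts) >= 3 and hmac.compare_digest(fingerprint_sha256(parts[2]), pinned_fingerprint)


def ssh_argv(host: str, user: str, known_hosts_path: str):
    """The ssh invocation that trusts only the pinned file and never an unknown key."""
    return ["ssh", "-o", "StrictHostKeyChecking=yes",
            "-o", "UserKnownHostsFile=" + known_hosts_path, "%s@%s" % (user, host)]


if __name__ == "__main__":
    key = demo_ed25519_key(bytes(range(32)))      # constructed demo key
    pinned = fingerprint_sha256(key)              # in practice: obtained out of band, not computed here
    scan = "%s ssh-ed25519 %s" % (HOST, key)      # what `ssh-keyscan -t ed25519 HOST` would print
    print("fingerprint", pinned, "accepted:", verify_keyscan_line(scan, pinned))
    entry = "%s ssh-ed25519 %s" % (hashed_host_field(HOST, bytes(20)), key)
    print("lookup via hashed entry:", find_host_key(entry, HOST, "ssh-ed25519") == key)
    print(" ".join(ssh_argv(HOST, "ec2-user", "/etc/ssh/pinned_known_hosts")))
```

In real use the constructed key is replaced by the output of ssh-keyscan -t ed25519 HOST, the accepted line is appended to a pinned known_hosts file kept under configuration management, and the printed ssh command is what scripts run; ssh then refuses any host whose key is not in that file, which is exactly the check StrictHostKeyChecking=no throws away.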
IdentityFile ~/.ssh/identity
The option IdentityFile specifies the file from which the user's private key for public-key authentication is read. ~/.ssh/identity was the protocol 1 default; protocol 2 clients look for ~/.ssh/id_rsa, ~/.ssh/id_ecdsa and, in newer releases, ~/.ssh/id_ed25519. Multiple identity files may be specified in ssh_config and all of them are tried; add IdentitiesOnly yes if ssh should offer only those and not every key loaded in the agent.
Cipher blowfish
The option Cipher selected the cipher used to encrypt protocol 1 sessions. Blowfish uses 64-bit blocks and keys of up to 448 bits; its small block size, and the removal of protocol 1, are why it is no longer available. For protocol 2 the keyword is Ciphers, a comma-separated preference list, and the OpenSSH defaults (AEAD ciphers such as chacha20-poly1305@openssh.com and AES-GCM first) are the right choice.
EscapeChar ~
The option EscapeChar specifies the escape character (default ~) which, typed at the start of a line in an interactive session, introduces session commands such as ~. to disconnect, ~^Z to suspend ssh and ~# to list forwarded connections.
Sample configuration file for testing, with several parameters
We created /export/oracle/db/config/ssh/config.922pw with many parameters for testing.
[shah@hostname:~]$ cat /export/oracle/db/config/ssh/config.922pw
# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
VerifyHostKeyDNS no
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
Host *
Host 172.23.6.117 172.23.XX 172.24.XX 172.24.XX 10.56.xx.xx
Protocol 2,1
Compression yes
CompressionLevel 7
IdentityFile /var/dcs_6.0/db/dcs/config/ssh/ssh_keys/id_rsa_ime_prod
CheckHostIP no
PreferredAuthentications publickey,keyboard-interactive,password
LogLevel ERROR
ForwardAgent no
ForwardX11 yes
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
PasswordAuthentication yes
FallBackToRsh no
UseRsh no
BatchMode no
CheckHostIP yes
StrictHostKeyChecking no
Port 922
user cgi
Cipher blowfish
IgnoreUserKnownHosts yes
UserKnownHostsFile no
StrictHostKeyChecking no
UserKnownHostsFile=/dev/null
ServerAliveInterval 100
Compression yes
CompressionLevel 5
CheckHostIP no
When we connect to the remote server with this configuration file, every parameter in it is read for the connection, but not every one takes effect. ssh keeps the first value it obtains for each keyword, so the repeated CheckHostIP, StrictHostKeyChecking, UserKnownHostsFile, Compression and CompressionLevel lines after the first are ignored: StrictHostKeyChecking no and UserKnownHostsFile /dev/null at the top, before any Host line, apply to every host (all host keys accepted, none remembered), the host block's effective CheckHostIP is no, and UserKnownHostsFile no would name a file called no. Protocol 2,1 permits a downgrade to protocol 1, and IgnoreUserKnownHosts is documented for sshd_config, not ssh_config. Below is the output of connecting with this config file:
[user@hostname:.ssh]$ ssh -F /export/oracle/db/config/ssh/config.922pw user@172.27.3.XX.XX
Last unsuccessful login: Fri Jul 15 12:10:33 WAT 2016 on ssh from 10.14.43.39
Last login: Fri Jul 15 14:55:14 WAT 2016 on ssh from 172.27.0.XX
[user@hostname:.ssh]$
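Whether a file like this does what you expect depends on a rule the sample above trips over several times: ssh keeps the first value it obtains for each keyword, so the second CheckHostIP yes and the later StrictHostKeyChecking and UserKnownHostsFile lines are dead, and the global StrictHostKeyChecking no at the top applies to every host. The script below is an added example, not code from the original post or from OpenSSH: it parses an ssh_config with those first-wins semantics (host patterns are matched with fnmatch, a simplification of the real pattern rules, and Match blocks are not handled), reports the weak settings in effect for a given host, and checks a hardened rewrite of the same file. Both configs are constructed for the example; the first mirrors the config.922pw above with its redacted octets replaced by wildcards.

```python
"""Audit an ssh_config for settings that weaken host-key and key security.

Added example, not code from the original post. It implements the one rule of
ssh_config(5) that the sample file above trips over: for each keyword the FIRST
value obtained wins, taking lines in file order (global lines, then each Host
block whose pattern matches). Host patterns are matched with fnmatch (* and ?),
a simplification of the real ssh pattern rules, and Match blocks are not handled.
Both configs are CONSTRUCTED: WEAK_CONFIG follows the post's config.922pw with
redacted octets replaced by wildcards, HARDENED_CONFIG is a safer rewrite of it.
"""
import fnmatch
import re

WEAK_CONFIG = """\
# Site-wide defaults for some commonly used options.
VerifyHostKeyDNS no
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
Host *
Host 172.23.6.117 172.23.* 172.24.* 10.56.*
    Protocol 2,1
    Compression yes
    CheckHostIP no
    ForwardAgent no
    ForwardX11 yes
    PasswordAuthentication yes
    BatchMode no
    CheckHostIP yes
    Port 922
    Cipher blowfish
    StrictHostKeyChecking no
    UserKnownHostsFile=/dev/null
"""

HARDENED_CONFIG = """\
Host 172.23.6.117 172.23.* 172.24.* 10.56.*
    Port 922
    IdentitiesOnly yes
    PasswordAuthentication no
Host *
    StrictHostKeyChecking yes
    UserKnownHostsFile ~/.ssh/known_hosts
    CheckHostIP yes
    ForwardAgent no
    ForwardX11 no
"""

# keyword, then '=' or whitespace, then the value; keywords are case-insensitive
_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9]*)\s*(?:=|\s)\s*(.*?)\s*$")


def parse_ssh_config(text):
    """Return [(host_patterns or None, keyword_lower, value)] in file order."""
    entries, patterns = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError("cannot parse: %r" % raw)
        key, value = m.group(1).lower(), m.group(2)
        if key == "host":
            patterns = value.split()        # new block; following lines apply to these hosts
        else:
            entries.append((patterns, key, value))
    return entries


def host_matches(patterns, host):
    """ssh pattern list: some positive pattern matches and no '!' pattern does."""
    if patterns is None:                    # global line before any Host keyword
        return True
    if any(fnmatch.fnmatchcase(host, p[1:]) for p in patterns if p.startswith("!")):
        return False
    return any(fnmatch.fnmatchcase(host, p) for p in patterns if not p.startswith("!"))


def effective_options(entries, host):
    """Resolve what ssh would apply to `host`: the first obtained value wins."""
    opts = {}
    for patterns, key, value in entries:
        if key not in opts and host_matches(patterns, host):
            opts[key] = value
    return opts


# (keyword, predicate on the lower-cased value, why it matters)
WEAK_SETTINGS = [
    ("stricthostkeychecking", lambda v: v == "no",
     "unknown and changed host keys are accepted silently; use yes or accept-new"),
    ("userknownhostsfile", lambda v: v == "/dev/null",
     "no host key is ever remembered, so every connection is a blind first connect"),
    ("checkhostip", lambda v: v == "no", "DNS-spoofing cross-check of the host IP disabled"),
    ("protocol", lambda v: "1" in v.split(","), "SSH protocol 1 permitted (removed in OpenSSH 7.6)"),
    ("forwardagent", lambda v: v == "yes", "root on the remote host can sign with your agent keys"),
    ("forwardx11", lambda v: v == "yes", "the remote host can read and inject into your X display"),
    ("cipher", lambda v: True, "protocol-1-only keyword; set Ciphers with modern AEAD ciphers instead"),
]


def audit(config_text, host):
    """List the weak settings that would be in effect for a connection to `host`."""
    opts = effective_options(parse_ssh_config(config_text), host)
    return ["%s %s: %s" % (key, opts[key], why)
            for key, is_weak, why in WEAK_SETTINGS
            if key in opts and is_weak(opts[key].lower())]


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit(cfg, "172.23.6.117") or ["clean"])
```

Run it against your own ~/.ssh/config and /etc/ssh/ssh_config by reading the files into audit(); the same first-wins rule applies across the two files, so a per-user setting silently overrides the site-wide one. The hardened rewrite puts the host-specific block first (port, key, no passwords) and the global defaults last, the order ssh_config(5) recommends.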
The post Powerful SSH Command Options with Examples on Linux appeared first on LinOxide.