====== How to use SSH ======
===== Client SSH =====
==== How To Create SSH Keys ====
Different types of SSH keys exist. At this time it is **no longer recommended to use DSA or RSA1**; support for them has been removed from the latest SSH versions. RSA2 is the most often used, and the latest is ECDSA (an asymmetric algorithm).
Each user can generate an SSH key pair; it will be located in $HOME/.ssh/
Now generate an RSA2 key with a length of 4096 bits. If you want to use it without a passphrase (password), press enter when prompted for the passphrase:
[toto@aix72]/home/toto # ssh-keygen -t rsa -b 4096
Or directly:
[toto@aix72]/home/toto # echo | ssh-keygen -q -t rsa -b 4096 -N ''
Check your SSH key type:
[toto@aix72]/home/toto # ssh-keygen -l -f id_rsa.pub
4096 SHA256:hI0QsTxu220Jxxxxxxxxxxx4BdSXrECyaLOzIfxWrB0Mxc root@aix72 (RSA)
[toto@aix72]/home/toto/.ssh # ls -lsa
total 8
0 drwx------ 2 toto usr 256 Aug 16 16:14 .
4 drwxr-xr-x 4 toto usr 4096 Oct 11 14:06 ..
4 -rw-r--r-- 1 toto usr 1993 Mar 8 2010 authorized_keys
4 -rw------- 1 toto usr 1675 Feb 4 2009 id_rsa
4 -rw-r--r-- 1 toto usr 394 Feb 4 2009 id_rsa.pub
4 -rw-r--r-- 1 toto usr 547 Oct 18 15:18 known_hosts
Now in the folder $HOME/.ssh you have a public key (id_rsa.pub) and a private key (id_rsa).
The public key will be distributed to other servers when needed; the private key stays on the local server.
==== Automatic connection using SSH Keys ====
To have an automatic connection without being prompted for a password, you have to put the public key on the **target** server, in the home folder of the target user, who can be different from the source user.
== For example with an RSA2 key ==
Copy the file $HOME/.ssh/id_rsa.pub from the source server to $HOME/.ssh/authorized_keys on the target server:
[toto@aix72]/home/toto/.ssh # scp id_rsa.pub targetuser@tagethost:/home/targetuser/.ssh/authorized_keys
Copying and pasting the key is also possible.
Now you have to make a first connection from the source server (with the source user) to the target server and user, to accept (register) the host key once into the file $HOME/.ssh/known_hosts. This step is required, otherwise the automatic connection will fail.
**Important**
Typical permissions:
* .ssh directory 700 (drwx------)
* public key (.pub file) 644 (-rw-r--r--)
* private key (id_rsa) 600 (-rw-------)
* home directory should not be writable by the group or others (at most 755 (drwxr-xr-x)).
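As an added example that is not from the wiki: a hypothetical POSIX shell function for the target side that appends the copied public key to authorized_keys instead of overwriting it, and sets the permissions listed above. It assumes the .pub file has already been copied to the target host; the sample key is constructed.

```shell
# Hypothetical helper, added here and not part of the wiki. Run it on the
# TARGET host after the .pub file has been copied there: it appends the key to
# authorized_keys (the scp above would overwrite keys already present) and
# enforces the permissions that sshd's StrictModes check requires.
install_authorized_key() {
    home_dir=$1      # target user's home directory
    pubkey_file=$2   # the id_rsa.pub copied from the source host
    sshdir="$home_dir/.ssh"
    auth="$sshdir/authorized_keys"

    # A .pub file holds one line: "<type> <base64 key> [comment]".
    key=$(head -n 1 "$pubkey_file")
    set -- $key
    case "$1" in
        ssh-rsa|ecdsa-sha2-nistp*|ssh-ed25519) ;;
        *) echo "refusing key type '$1' (DSA/RSA1 are no longer supported)" >&2
           return 1 ;;
    esac

    # sshd ignores authorized_keys when $HOME is group- or other-writable.
    case "$(ls -ld "$home_dir" | cut -c6,9)" in
        --) ;;
        *)  chmod go-w "$home_dir" ;;
    esac

    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    touch "$auth" && chmod 600 "$auth"   # 600: readable by the owner only

    # Match on type + key material only, so a different comment is not a new key.
    if grep -qF -- "$1 $2" "$auth"; then
        echo "key already present in $auth"
    else
        printf '%s\n' "$key" >> "$auth"
        echo "key added to $auth"
    fi
}

# Number of key lines in an authorized_keys file (comments and blanks ignored).
count_keys() {
    grep -c -e '^ssh-' -e '^ecdsa-' "$1"
}

# Constructed sample public key (not a real key), usable as the .pub input.
sample_pubkey='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedKeyMaterial toto@aix72'
```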
What is a host key? During installation of OpenSSH, host keys are generated in /etc/ssh (the most commonly used folder):
[root@aix72]/etc/ssh #
total 196
4 drwxr-xr-x 2 root system 4096 Jul 7 09:49 .
20 drwxr-xr-x 49 root system 20480 Oct 31 10:37 ..
132 -rw------- 1 root system 132839 Jul 7 09:49 moduli
4 -rw-r--r-- 1 root system 1524 Jul 7 11:46 ssh_config
4 -rw------- 1 root system 668 Jan 6 2009 ssh_host_dsa_key
4 -rw-r--r-- 1 root system 590 Jan 6 2009 ssh_host_dsa_key.pub
4 -rw------- 1 root system 227 Mar 19 2014 ssh_host_ecdsa_key
4 -rw-r--r-- 1 root system 174 Mar 19 2014 ssh_host_ecdsa_key.pub
4 -rw------- 1 root system 963 Jan 6 2009 ssh_host_key
4 -rw-r--r-- 1 root system 627 Jan 6 2009 ssh_host_key.pub
4 -rw------- 1 root system 1675 Jan 6 2009 ssh_host_rsa_key
4 -rw-r--r-- 1 root system 382 Jan 6 2009 ssh_host_rsa_key.pub
4 -rw-r--r-- 1 root system 3214 Oct 10 12:18 sshd_config
Different types of key pairs are generated; the latest, ECDSA, is currently the default host key.
Once the first connection is established, automatic connections work; try to connect to the target:
[toto@aix72]/home/toto # ssh targetuser@tagethost
Last unsuccessful login: Mon Sep 18 16:52:57 CEST 2017 on ssh from 10.10.10.31
Last login: Tue Oct 31 11:02:55 CET 2017 on ssh from aix72
[targetuser@tagethost]/home/targetuser #
To automatically add new host keys into known_hosts, use the following option:
ssh -o StrictHostKeyChecking=accept-new
== How to replace unsafe protocols ==
* rsh, rexec: replaced by **ssh**
* telnet, rlogin: replaced by **ssh**
* rcp: replaced by **scp** or **rsync -e ssh**
* ftp: replaced by **sftp**
===== Server SSH =====
The default SSH configuration folder:
[root@aix72]/etc/ssh #
total 196
4 drwxr-xr-x 2 root system 4096 Jul 7 09:49 .
20 drwxr-xr-x 49 root system 20480 Oct 31 10:37 ..
132 -rw------- 1 root system 132839 Jul 7 09:49 moduli
4 -rw-r--r-- 1 root system 1524 Jul 7 11:46 ssh_config
4 -rw------- 1 root system 668 Jan 6 2009 ssh_host_dsa_key
4 -rw-r--r-- 1 root system 590 Jan 6 2009 ssh_host_dsa_key.pub
4 -rw------- 1 root system 227 Mar 19 2014 ssh_host_ecdsa_key
4 -rw-r--r-- 1 root system 174 Mar 19 2014 ssh_host_ecdsa_key.pub
4 -rw------- 1 root system 963 Jan 6 2009 ssh_host_key
4 -rw-r--r-- 1 root system 627 Jan 6 2009 ssh_host_key.pub
4 -rw------- 1 root system 1675 Jan 6 2009 ssh_host_rsa_key
4 -rw-r--r-- 1 root system 382 Jan 6 2009 ssh_host_rsa_key.pub
4 -rw-r--r-- 1 root system 3214 Oct 10 12:18 sshd_config
Test your server config file in case of problems:
[root@aix72]/etc/ssh # sshd -t -ddd
debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 286
debug2: parse_server_config: config /etc/ssh/sshd_config len 286
debug3: /etc/ssh/sshd_config:13 setting Port 22
debug3: /etc/ssh/sshd_config:15 setting ListenAddress 0.0.0.0
debug3: /etc/ssh/sshd_config:19 setting Protocol 2
debug3: /etc/ssh/sshd_config:33 setting SyslogFacility AUTH
debug3: /etc/ssh/sshd_config:34 setting LogLevel INFO
debug3: /etc/ssh/sshd_config:39 setting PermitRootLogin yes
debug3: /etc/ssh/sshd_config:84 setting UsePAM no
debug3: /etc/ssh/sshd_config:101 setting UseDNS no
debug3: /etc/ssh/sshd_config:102 setting PidFile /var/run/sshd.pid
debug3: /etc/ssh/sshd_config:111 setting Subsystem sftp /usr/sbin/sftp-server
debug1: sshd version OpenSSH_7.1, OpenSSL 1.0.2k 26 Jan 2017
debug1: private host key #0: ssh-rsa SHA256:35Iaa1st06it22Cyp2vHeio6GN1bbBd1It7Zfl+NR8E
debug1: private host key #1: ssh-dss SHA256:XY2aajOLDDzmuFV92R379t4YV67MbbRh75L+bt9y0Aw
debug1: private host key #2: ecdsa-sha2-nistp256 SHA256:bckbyaaqlZqbbT/rf/mig/BzqxGjpzJrhIID9tCicPg
debug1: private host key #3: ssh-ed25519 SHA256:Dd0aakyMCF/sVBDnR2bbb6AGvlEDx3JHN/Mi9v1InwM
List the current parameter values:
[root@aix72]/etc/ssh # sshd -T
port 22
protocol 2
addressfamily any
listenaddress 0.0.0.0:22
usepam no
serverkeybits 1024
logingracetime 120
keyregenerationinterval 3600
...
Example of host key generation for ECDSA, if missing:
[root@aix72]/etc/ssh # echo | ssh-keygen -q -t ecdsa -b 521 -f /etc/ssh/ssh_host_ecdsa_key -N ''
===== Server SSH options =====
==== Access restriction or extension ====
You can allow or deny users or groups:
AllowUsers *
AllowGroups system staff root_access aix-all-srvgrp
DenyUsers nobody
DenyGroups ftpusers monitor
==== Specific options for a user or group ====
Match Address 192.168.184.8,202.54.1.1,192.168.1.0/24
    PermitRootLogin yes
Match User vivek Address 192.168.1.0/24
    PermitTunnel yes
    PasswordAuthentication yes
Match Host *.home.lan
    X11Forwarding yes
Match User *,!foo
    X11Forwarding yes
    PermitTunnel yes
    PermitTTY no
Match Address 10.20.30.40,80.90.100.200 Host dispatch.raymii.org
    PasswordAuthentication yes
    PermitRootLogin yes
Match Group users
    ChrootDirectory /home
    AllowTcpForwarding no
===== IBM AIX: Regular users can ssh into AIX but sftp fails =====
A regular user can ssh into AIX, but an sftp request fails for the same user.
Steps
The most common reason for this problem is incorrect permission on the /etc/ssh/sshd_config file.
The /etc/ssh/sshd_config file is configured by default with the following line for sftp service:
Subsystem sftp /usr/sbin/sftp-server
OpenSSH on AIX is configured to use sftp-server by default, and it requires the permission on sshd_config to be 644.
The default permission on /etc/ssh/sshd_config is 644, owned by root:system.
Check the permission on sshd_config:
# ls -l /etc/ssh/sshd_config
If the permission on the sshd_config file is not **644**, change it to 644 (rw-r--r--):
# chmod 644 /etc/ssh/sshd_config
If your environment requires the permission on sshd_config to be **640** due to security concerns, you can use internal-sftp instead of sftp-server. They are functionally almost the same. SFTP will work with permission 640 on sshd_config if configured to use internal-sftp.
To use internal-sftp, change the sftp-server line in sshd_config to the following:
Subsystem sftp internal-sftp
Stop and restart sshd afterwards:
# stopsrc -s sshd
# startsrc -s sshd
===== CIS AIX 7.2 =====
/etc/ssh/sshd_config
Port 22
ListenAddress 0.0.0.0
SyslogFacility AUTH
LogLevel INFO
PermitRootLogin yes
MaxAuthTries 4
AuthorizedKeysFile .ssh/authorized_keys
HostbasedAuthentication no
IgnoreRhosts yes
PasswordAuthentication yes
PermitEmptyPasswords no
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
RekeyLimit 1G 3600
PermitUserEnvironment no
PidFile /var/run/sshd.pid
Banner /etc/ssh/ssh_banner
Subsystem sftp /usr/sbin/sftp-server -u 027 -f AUTH -l INFO
AllowUsers root user1 oracle
FIXME
To prevent the use of specific Ciphers or KexAlgorithms, you can also exclude some (a list starting with - removes the matching patterns from the default set instead of replacing it):
KexAlgorithms -*sha1,*sha1-*
MACs -*sha1,*sha1-*
Full configuration (second example):
Port 22
ListenAddress 0.0.0.0
Protocol 2
RekeyLimit 1G 3600
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
LogLevel INFO
PermitRootLogin without-password
MaxAuthTries 4
HostbasedAuthentication no
IgnoreRhosts yes
PermitEmptyPasswords no
UsePAM yes
AllowTcpForwarding no
PermitUserEnvironment no
ClientAliveInterval 3600
ClientAliveCountMax 3
PidFile /var/run/sshd.pid
Banner /etc/ssh/ssh_banner
Subsystem sftp /usr/sbin/sftp-server
AllowUsers *
AllowGroups *
DenyUsers nobody
DenyGroups ftpusers monitor
kexalgorithms -*sha1,*sha1-*
macs -*sha1,*sha1-*
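Added example, not part of the wiki or of CIS: a hypothetical shell audit function that checks the global section of an sshd_config against the baseline values common to both examples above. The keyword list is taken from those examples; the configuration file it is run against is assumed to exist.

```shell
# Hypothetical audit helper, added here and not part of the wiki: compare the
# global section of an sshd_config with the baseline values listed above.
# Two sshd parsing rules matter: the FIRST value given for a keyword wins,
# and every line after the first "Match" is conditional, so only the lines
# before it count as global settings.
audit_sshd_config() {
    cfg=$1
    failures=0
    while read -r key want; do
        got=$(awk -v k="$key" '
            /^[ \t]*#/ || NF == 0 { next }               # comments and blank lines
            tolower($1) == "match" { exit }              # conditional section starts
            { gsub(/=/, " ") }                           # "Key=Value" is also legal
            tolower($1) == tolower(k) { print $2; exit } # first occurrence wins
        ' "$cfg")
        if [ "$got" != "$want" ]; then
            echo "DRIFT: $key is '${got:-unset}', baseline requires '$want'"
            failures=$((failures + 1))
        fi
    done <<'EOF'
LogLevel INFO
MaxAuthTries 4
HostbasedAuthentication no
IgnoreRhosts yes
PermitEmptyPasswords no
PermitUserEnvironment no
EOF
    return "$failures"   # exit status = number of drifting keywords
}
```

Running it against the output of `sshd -T` saved to a file also works, since that listing uses lowercase keywords and the comparison is case-insensitive.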
===== SSH problems =====
==== Add known_hosts ====
SSH connections are very slow (about 4 seconds) when bad keys are present in the known_hosts file. Remove this file and start from scratch.
Automatically accept entries into known_hosts:
# ssh -o StrictHostKeyChecking=accept-new $i uname
==== Add timeout ====
If a host doesn't answer, the timeout will stop the connection:
# ssh -o ConnectTimeout=10 $i uname
==== Boost ssh connection ====
Use a shared control socket for many connections to the same host:
[root@aix001]/root> ssh -M -S /tmp/sockets -o ControlPersist=5m lnx203 exit
[root@aix001]/root> time ssh lnx203 exit
real 0m0.43s
user 0m0.12s
sys 0m0.01s
[root@aix001]/root> time ssh -S /tmp/sockets lnx203 exit
real 0m0.03s
user 0m0.00s
sys 0m0.00s
==== Bad cipher or MAC ====
You can specify the cipher and the MAC:
ssh -c aes256-cbc -m hmac-sha1
==== no matching host key type found ====
Error with sha1 keys:
[root@aixa001]/root/scripts> ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 USERID@10.0.1.11
Unable to negotiate with 10.0.1.11 port 22: no matching host key type found. Their offer: ssh-rsa
[root@aixa001]/root/scripts> ssh -o HostKeyAlgorithms=+ssh-rsa USERID@10.0.1.11
The authenticity of host '10.0.1.11 (10.0.1.11)' can't be established.
RSA key fingerprint is SHA256:fEia4p8Ylxxxxxxxxxxxxxxx23gMy3Iq0bmtmk/1Q.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.0.1.11' (RSA) to the list of known hosts.
(USERID@10.0.1.11) Enter login password:
You can also add some parameters into **/etc/ssh/ssh_config**, or for a specific user into **~/.ssh/config**\\
**Ex** for the error "Their offer: ssh-dss", in ~/.ssh/config:
Host my.host.com *.myinsecure.net 10.0.1.*
    HostkeyAlgorithms +ssh-dss
    PubkeyAcceptedKeyTypes +ssh-dss
    KexAlgorithms diffie-hellman-group1-sha1
Or on the command line:
ssh -v -o HostKeyAlgorithms=ssh-dss -o KexAlgorithms=diffie-hellman-group14-sha1 my.host.com
==== Disable SSH prompt ====
Using the command line:
[root@aix001]/root> ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o LogLevel=ERROR aix002
Using a config file: for a specific user, create the file **.ssh/config** in the home directory; for all users, use /etc/ssh/ssh_config (LogLevel can also be QUIET: no error output at all)
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
LogLevel ERROR
==== Error: hostfile_replace_entries ====
Error:
[root@aix001]/root> ssh server001
update_known_hosts: hostfile_replace_entries failed for /root/.ssh/known_hosts: Operation not permitted
Resolution:
[root@aix001]/root> ssh-keyscan -H server001 >> ~/.ssh/known_hosts
# server001 SSH-2.0-OpenSSH_8.1
# server001 SSH-2.0-OpenSSH_8.1
# server001 SSH-2.0-OpenSSH_8.1
# server001 SSH-2.0-OpenSSH_8.1
==== Edit a file on a remote host ====
Use the ssh command with the **-t** option (it forces a pseudo-terminal, which a screen editor needs).
==== SCP Connection closed ====
Use the **-O** option to tell scp to use the legacy SCP protocol for file transfers:
[root@aix001]/root/scripts# scp count_path.sh padmin@vios01:/tmp
scp: Connection closed
[root@aix001]/root/scripts# scp -O count_path.sh padmin@vios01:/tmp
count_path.sh 100% 1972 1.9MB/s 00:00
**Note:** Since OpenSSH 8.8 the scp utility uses the SFTP protocol by default. The -O option must be used to use the legacy SCP protocol.
==== List ciphers and MACs on the client ====
* Ciphers: ssh -Q cipher
* MACs: ssh -Q mac
* KexAlgorithms: ssh -Q kex
* PubkeyAcceptedKeyTypes: ssh -Q key
You can also remotely probe an SSH server for its supported algorithms with recent nmap versions:
# nmap --script ssh2-enum-algos -sV -p
[root@vios]/etc/ssh# ssh -Q cipher
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com
[root@vios]/etc/ssh# ssh -Q mac
hmac-sha1
hmac-sha1-96
hmac-sha2-256
hmac-sha2-512
hmac-md5
hmac-md5-96
umac-64@openssh.com
umac-128@openssh.com
hmac-sha1-etm@openssh.com
hmac-sha1-96-etm@openssh.com
hmac-sha2-256-etm@openssh.com
hmac-sha2-512-etm@openssh.com
hmac-md5-etm@openssh.com
hmac-md5-96-etm@openssh.com
umac-64-etm@openssh.com
umac-128-etm@openssh.com
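Added example, not from the wiki: a hypothetical shell helper that reads algorithm names as printed by ssh -Q (or reported by nmap's ssh2-enum-algos script), flags the ones the CIS baseline above excludes, and builds the matching "-" exclusion line for sshd_config. The sample list is constructed from the listing above.

```shell
# Hypothetical helper, added here and not part of the wiki. Feed it one
# algorithm name per line (the "ssh -Q cipher" / "ssh -Q mac" output above)
# and it prints the ones the baseline excludes, with the reason.
weak_algos() {
    while read -r algo; do
        [ -n "$algo" ] || continue
        reason=
        case "$algo" in
            *-cbc)  reason="CBC mode" ;;
            *md5*)  reason="MD5" ;;
            *sha1*) reason="SHA-1" ;;
        esac
        if [ -n "$reason" ]; then
            echo "$algo: $reason"
        fi
    done
}

# Count the weak algorithms in a newline-separated list.
count_weak() {
    printf '%s\n' "$1" | weak_algos | grep -c .
}

# Build the sshd_config exclusion line (the "-" prefix form used above) for
# every weak name in the list, e.g. "Ciphers -3des-cbc,aes128-cbc".
exclusion_line() {
    keyword=$1
    list=$2
    names=$(printf '%s\n' "$list" | weak_algos | cut -d: -f1 | paste -s -d, -)
    if [ -n "$names" ]; then
        echo "$keyword -$names"
    fi
}

# Constructed input: a subset of the cipher names from the listing above.
sample_ciphers='3des-cbc
aes128-cbc
aes256-ctr
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com'
```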
==== Connection slow ====
Check using **ssh -vvv**; if it hangs on
debug1: Next authentication method: gssapi-with-mic
change the following parameter in the file **/etc/ssh/sshd_config**:
GSSAPIAuthentication no
FIXME On some newer Linux versions, also check the files located in the folder **/etc/ssh/sshd_config.d/**