SSH Tips and Tricks

Categories: linux

This is just a brief overview of the options I’m using every now and then.

SSH examples

  • ssh 192.168.1.2 – SSH to IP 192.168.1.2 as your current user
  • ssh root@192.168.1.2 – SSH to IP 192.168.1.2 as the root user
  • ssh 192.168.1.2 -p 2222 – SSH defaults to port 22, but by using -p you can connect to ssh on other ports
  • ssh -i ~/.ssh/id_rsa – Use this specific private key for authentication. This is useful when you have multiple key pairs
  • ssh -A – Enables forwarding of connections from an authentication agent such as ssh-agent
  • ssh -L 1234:localhost:80 192.168.1.2 – TCP Port or socket forwarding. In this example I’m forwarding port 80 from the server 192.168.1.2 to port 1234 on my local machine. Opening http://localhost:1234 in a browser will now show the webpage running on server 192.168.1.2
  • ssh -o "VerifyHostKeyDNS ask" abc.example.com – Specifies whether to verify the remote host key using DNS and SSHFP resource records. If this option is set to yes, the client will implicitly trust keys that match a secure (DNSSEC-validated) fingerprint from DNS. Insecure fingerprints will be handled as if this option was set to ask. If this option is set to ask, information on the fingerprint match will be displayed,

SSH Keygen examples

  • ssh-keygen – Generates an RSA key. This is the default setting
  • ssh-keygen -C – Provides a comment, otherwise user@host of the machine you generated the key on will be used. Using a comment is useful if you have a specific keypair for a single host or customer
  • ssh-keygen -f – Specifies filename of keypair
  • ssh-keygen -H – Rewrites ~/.ssh/known_hosts so that hostnames and addresses are stored as hashed values; anyone who reads the file can no longer see which hosts you connect to
  • ssh-keygen -N – Adds a passphrase to the private key
  • ssh-keygen -f ~/.ssh/id_rsa -p – Changes the passphrase of the private key id_rsa
  • ssh-keygen -r abc.example.com -f /etc/ssh/ssh_host_ed25519_key.pub – Prints the SSHFP resource records for DNS fingerprint verification. Note this command is run on server abc.example.com so we get the fingerprint from its own host key. The records can then be added to DNS
  • ssh-keygen -R abc.example.com – Removes abc.example.com from the ~/.ssh/known_hosts file. This is useful to delete hashed hosts
  • ssh-keygen -t – Specifies the key type you want to create. Supported values are "dsa", "ecdsa", "ecdsa-sk", "ed25519", "ed25519-sk", or "rsa"
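To make the SSHFP entries from the list above concrete, here is an added example (not from the original post) that generates a throwaway ed25519 host key, prints its SSHFP records with ssh-keygen -r, and recomputes the SHA-256 field from the raw key blob to show the record is nothing more than a hash of the public key. The hostname host.example.com and the temp paths are assumptions.

```shell
#!/bin/sh
# Added example: what an SSHFP record actually contains.
# Assumes OpenSSH's ssh-keygen, GNU base64 and sha256sum are on PATH.
set -eu

# Prints the SSHFP lines and returns 0 only if the record's SHA-256 field
# (algorithm 4 = ed25519, fingerprint type 2 = SHA-256) equals
# sha256(base64-decoded public key blob).
sshfp_roundtrip() {
    work=$(mktemp -d)
    # Throwaway "host key"; on a real server this is /etc/ssh/ssh_host_ed25519_key
    ssh-keygen -q -t ed25519 -N '' -f "$work/ssh_host_ed25519_key"

    # This is the command you would run on the server and paste into the zone file.
    records=$(ssh-keygen -r host.example.com -f "$work/ssh_host_ed25519_key.pub")
    echo "$records"

    # Field layout: owner IN SSHFP <alg> <fptype> <hex>; keep the alg 4 / type 2 line.
    from_rr=$(echo "$records" | awk '$3=="SSHFP" && $4=="4" && $5=="2" {print tolower($6)}')

    # Independent recomputation: hash the decoded public-key blob ourselves.
    from_key=$(awk '{print $2}' "$work/ssh_host_ed25519_key.pub" \
        | base64 -d | sha256sum | cut -d' ' -f1)

    rm -rf "$work"
    [ -n "$from_rr" ] && [ "$from_rr" = "$from_key" ]
}

sshfp_roundtrip && echo "SSHFP SHA-256 field matches the host key fingerprint"
```

With VerifyHostKeyDNS set to yes, the client will only trust this record if the zone is DNSSEC-signed; otherwise it falls back to asking.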

SSH Add

Adds private key identities to the OpenSSH authentication agent

  • ssh-add ~/.ssh/id_rsa – Adds my private key to ssh-agent
  • ssh-add -l – Shows a summary of the keys added to ssh-agent
  • ssh-add -L – Shows a detailed view of keys added to ssh-agent
  • ssh-add -d ~/.ssh/id_rsa – Removes the specified private key from ssh-agent
  • ssh-add -D – Removes all keys from ssh-agent
  • ssh-add -K – Load resident keys from a FIDO authenticator

Sign files with SSH

Signing a file is a way to prove who produced it and to let the receiver check that it hasn't been tampered with in transit.

  1. Start by creating the file test.txt with the following content:

    This is my document and i want the receiver to verify that it hasn't been tampered with.

  2. Let’s sign test.txt

    ssh-keygen -Y sign -f ~/.ssh/id_rsa -n file test.txt
    Signing file test.txt
    Write signature to test.txt.sig
    
    -Y sign # Tells ssh-keygen to use the sign function
    -f # Sign with my private key file
    -n file # "file" is the namespace; it could be "email" as well if I were signing an email

  3. Let’s see the contents of test.txt.sig

    -----BEGIN SSH SIGNATURE-----
    U1NIU0lHAAAAAQAAAEoAAAAac2stc3NoLWVkMjU1MTlAb3BlbnNzaC5jb20AAAAgWbOshU
    iG4m+k8aBY4J21ofo4yjnIxZAjNBzqFqxFYmgAAAAEc3NoOgAAAARmaWxlAAAAAAAAAAZz
    aGE1MTIAAABnAAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAQEPM2iXUIlP+UO
    sdPR6icOa1KurqI31tuzfzaJiiTcNE52UEHkQmJGOtN2sZ9YPD+1m6E2QhkM10EqZzXK8+
    BwMBAAACAg==
    -----END SSH SIGNATURE-----

  4. Before we can verify the signature, we need an allowed-signers file with the public keys of the signers, one per line in the form "principal key-type base64-key". I will create a file called signers.txt and add the public keys from John and Bob

    [email protected] sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIFmzrIVIhuJvpPGgWOCdtaH6OMo5yMWQIzQc6hasRWJoAAAABHNzaDo=
    [email protected] sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEaH+d2/cPolLrvFjsE0orogMUOPgkq5oCaP+boNCGcQAAAABHNzaDo=

  5. Verify the signatures

    ssh-keygen -Y verify -f signers.txt -I [email protected] -n file -s test.txt.sig < test.txt
    Good "file" signature for [email protected] with ED25519-SK key SHA256:BgPMRhYf1AgUdACHH6hNwwIsDomxXal9awV7IhqLfIs
    
    -Y verify # Tells ssh-keygen to use the verify function
    -f # The signers file with all the public keys from my trusted signers
    -I # The principal (username/email) of the person who signed the file. This has to match a principal line in the signers file
    -n # "file" is the namespace; it has to be the same namespace that was used when signing
    -s # The .sig file
    < orgfile # The original file, read on standard input
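The whole five-step procedure above, as an added example (not code from the original post) that runs end to end with a throwaway ed25519 key in a temp directory. Besides the happy path it checks the two things a verifier should reject: a document that changed by one byte, and a principal that is not bound to the signing key in signers.txt. The key name, alice@example.com and mallory@example.com are assumptions.

```shell
#!/bin/sh
# Added example: ssh-keygen -Y sign / verify round trip with negative checks.
# Assumes OpenSSH 8.0+ (ssh-keygen -Y) is on PATH.
set -eu

# Returns 0 when the genuine file verifies, a tampered copy is rejected, and
# verification under an unknown principal is rejected; returns 1 otherwise.
sign_and_verify_demo() {
    work=$(mktemp -d)
    key="$work/signing_key"
    # 1. throwaway signing key, no passphrase (-N ''); the comment names the owner
    ssh-keygen -q -t ed25519 -N '' -C 'alice@example.com' -f "$key"
    printf 'Constructed sample document, sent to a receiver.\n' > "$work/test.txt"

    # 2. sign in the "file" namespace; this writes test.txt.sig next to the file
    ssh-keygen -Y sign -f "$key" -n file "$work/test.txt" >/dev/null 2>&1

    # 4. allowed-signers file: "<principal> <key-type> <base64 key>"
    printf 'alice@example.com %s\n' "$(cut -d' ' -f1,2 "$key.pub")" > "$work/signers.txt"

    # 5a. genuine file + matching principal must verify
    ssh-keygen -Y verify -f "$work/signers.txt" -I alice@example.com -n file \
        -s "$work/test.txt.sig" < "$work/test.txt" >/dev/null 2>&1 || return 1

    # 5b. one changed byte in the document must make verification fail
    printf 'Constructed sample document, sent to a receiver!\n' > "$work/tampered.txt"
    if ssh-keygen -Y verify -f "$work/signers.txt" -I alice@example.com -n file \
        -s "$work/test.txt.sig" < "$work/tampered.txt" >/dev/null 2>&1; then
        return 1
    fi

    # 5c. a valid signature under a principal not listed for that key must fail too
    if ssh-keygen -Y verify -f "$work/signers.txt" -I mallory@example.com -n file \
        -s "$work/test.txt.sig" < "$work/test.txt" >/dev/null 2>&1; then
        return 1
    fi

    rm -rf "$work"
    return 0
}

sign_and_verify_demo && echo "sign/verify demo: all checks passed"
```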

Common issues

Unable to negotiate with x.x.x.x port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss

The server only offers host keys of type ssh-rsa or ssh-dss. ssh-rsa (RSA with SHA-1) has been deprecated since OpenSSH 8.2, so the client refuses it. You can get around this error by adding -o "HostKeyAlgorithms +ssh-rsa". Because this re-enables a SHA-1 signature algorithm, scope it to the one host that needs it (a Host block in ~/.ssh/config) rather than turning it on globally, and treat it as a stop-gap until the server gets an ed25519 or rsa-sha2 host key.

Example: ssh x.x.x.x -o "HostKeyAlgorithms +ssh-rsa"