Tutorial: SSH (Secure Shell)
(Update) Sept. 30, 2019: A new version of the slides (including clustershell) was uploaded.
Developed by SSH Communications Security Ltd., Secure Shell is a program to log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another in a secure way.
It provides strong authentication and secure communications over insecure channels. To use SSH, you have to generate a pair of keys, one public and the other private. Public key authentication is the most secure and flexible approach to ensure a multi-purpose transparent connection to a remote server.
Generating new SSH keys (Linux / Mac OS)
You should generate new SSH key pairs using ssh-keygen for your laptop (use a strong passphrase).
There are various algorithms available, so you are encouraged to use at least the following ones:
See this blog to better understand why these commands are used.
Your local SSH configuration is located in the ~/.ssh/ directory.
- Public key: ~/.ssh/id_{rsa,ed25519}.pub. This one is the only one SAFE to distribute.
- Private (identity) key: ~/.ssh/id_{rsa,ed25519}
SSH Configuration: ~/.ssh/config, where each entry has the following typical format:
~/.ssh/known_hosts: Contains a list of host keys for all hosts you have logged into that are not already in the system-wide list of known host keys. This makes it possible to detect man-in-the-middle attacks (the host key presented by a server you already know no longer matches the stored one).
Advanced SSH Tools
See also the Awesome SSH Tools
- assh: Advanced SSH config - ssh wrapper using ProxyCommand that adds regex, aliases, gateways, includes, dynamic hostnames to SSH and ssh-config
- stormssh - A command line tool to manage SSH connections.
- DSH – Distributed / Dancer’s Shell, for running the same commands simultaneously over multiple machines over SSH. This tool is similar to the (no longer maintained?) pdsh
- Mosh – Mobile Shell, which supports intermittent connectivity.
- clustershell
SSH under Windows
The OLD way: using Putty tools
The OLD way consisted of installing PuTTY and the associated tools, more precisely:
- PuTTY, the free SSH client – download
- Pageant, an SSH authentication agent for PuTTY tools – download
- PuTTYgen, an RSA and DSA key generation utility – download
- PSCP, an SCP (file transfer) client, i.e. command-line secure file copy – download
- WinSCP, SCP/SFTP (file transfer) client with easy-to-use graphical interface
- PLink, the PuTTY CLI
In this case, the simplest method is probably to download and run the latest PuTTY installer (does not include WinSCP).
The NEW way: Using MobaXterm!
MobaXterm is an excellent all-in-one tool offering a maximum of flexibility for managing remote sessions. Among its many features, it supports:
- [tabbed] Sessions management over SSH, Telnet, Rlogin, RDP, VNC, XDMCP, FTP, SFTP or Serial
- X11 server w. enhanced X extensions
- Graphical SFTP browser
- SSH gateway / tunnels wizards
- [remote] Text Editor
- etc.
Advanced Tips
Best practices on SSH Server Configuration /etc/ssh/sshd_config
See https://wiki.mozilla.org/Security/Guidelines/OpenSSH
SSH Server Configuration to restrict to Public key authentication
The configuration of the SSH server is set in /etc/ssh/sshd_config.
- Prevent root access:
- Disable password authentication and enable public key authentication:
Once you have finished editing the configuration file, you’ll need to restart the SSH service.
- On CentOS / Redhat like systems:
systemctl restart sshd
- On Debian like systems:
service ssh restart
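As an added example (not part of the original tutorial), the following POSIX shell script audits an sshd_config file for the three settings above. It matters how sshd reads the file: per sshd_config(5) the first value found for a keyword wins, so appending "PasswordAuthentication no" at the end of a file that already says "yes" changes nothing. The sample configs and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original tutorial): audit an sshd_config for the
# settings recommended above. Per sshd_config(5) the FIRST value of a keyword
# wins, so a hardening line appended at the end of the file does not override
# an earlier permissive one. Keywords and yes/no values are case-insensitive.
# Lines inside a "Match" block are conditional and are ignored here.

# Print the effective (first, lowercased) value of keyword $2 in file $1.
sshd_opt() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, blank lines
        tolower($1) == "match" { in_match = 1; next }
        in_match               { next }                 # conditional settings
        tolower($1) == key     { print tolower($2); exit }
    ' "$1"
}

# Return 0 if $1 forbids root login and password auth and keeps pubkey auth
# enabled (PubkeyAuthentication defaults to yes when unset), else print each
# violation and return 1.
check_sshd_config() {
    f="$1"; rc=0
    pubkey=$(sshd_opt "$f" PubkeyAuthentication); pubkey=${pubkey:-yes}
    [ "$(sshd_opt "$f" PermitRootLogin)" = "no" ] \
        || { echo "$f: PermitRootLogin must be no"; rc=1; }
    [ "$(sshd_opt "$f" PasswordAuthentication)" = "no" ] \
        || { echo "$f: PasswordAuthentication must be no"; rc=1; }
    [ "$pubkey" = "yes" ] \
        || { echo "$f: PubkeyAuthentication must be yes"; rc=1; }
    return $rc
}

# Constructed sample files (not real server configs).
WEAK=$(mktemp); HARD=$(mktemp)
cat > "$WEAK" <<'EOF'
PermitRootLogin yes
PasswordAuthentication yes
# appended later in the hope of hardening: ignored, the first value wins
PasswordAuthentication no
EOF
cat > "$HARD" <<'EOF'
permitrootlogin No
PubkeyAuthentication yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
EOF
check_sshd_config "$HARD" && echo "$HARD: hardened as recommended"
check_sshd_config "$WEAK" || echo "$WEAK: needs fixing"
```

On a live server, run it against /etc/ssh/sshd_config after editing and before restarting sshd; the "Match" block in the second sample shows that per-user exceptions are deliberately left out of this simple check.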
SSH Multiplexing
There are many existing wrappers for executing the same command on multiple hosts over ssh in parallel.
- PDSH – archive
- DSH – Distributed / Dancer’s Shell
- ClusterShell
I personally like dsh, which you can then use as follows:
- using -a, you run the command on all nodes listed in machines.list
- using -g <group>, you restrict the commands to the group of hosts <group>
- using -m <hostname>, you run the command only on hostname
- using -c, you run the commands in parallel (default)
- using -w, you run the commands sequentially
See also my DSH tutorial
As for ClusterShell, it is probably more convenient nowadays. See the above slides.
FAQ
sudo: sorry, you must have a tty to run sudo
To permit running sudo commands over ssh (and thus DSH), you have to change the default configuration of sudo, which is configured to require a tty.
This is generally enforced by having Defaults requiretty in /etc/sudoers.
Since we connect as localadmin, we can remove this restriction for that user only by adding:
Defaults:localadmin !requiretty
sshd: Connection closed by <serverIP> [preauth]
This might indicate a SELinux issue: the SSH daemon is not able to read the authorized_keys file upon connection (as the fcontext is wrong).
Fix: