fuss:openssh: revision 2017/02/22 18:30 (external edit, 127.0.0.1) compared with revision 2020/12/16 07:39 (office, section "Enabling Diffie-Hellman-Group-SHA1 Key Exchange")
====== Remove Duplicate Keys ======

Sometimes ''ssh'' warns that the host key it has recorded for a host name differs from the one it has recorded for that host's IP address, because one of the two ''known_hosts'' entries is stale (typically after the host was reinstalled or its key was rotated):

<code>
Warning: the ECDSA host key for '
Offending key for IP in /
Matching host key in /
Are you sure you want to continue connecting (yes/no)?
</code>

Before deleting anything, make sure the change is expected: compare the fingerprint ''ssh'' prints with one obtained from the server itself over a channel that does not depend on SSH, since a host key that suddenly differs is also exactly what a man-in-the-middle looks like.

The offending key can be removed easily using ''sed'' and the line number given in the warning:
<code bash>
sed -i 30d /
</code>

which deletes line ''30'' of the ''known_hosts'' file named in the warning (BSD ''sed'' on macOS additionally needs a backup suffix, possibly empty, after ''-i''). ''ssh-keygen -R'' followed by the host name or IP address removes the same entries without counting lines, and also works when ''HashKnownHosts'' is enabled and the names in the file are not readable.
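The same clean-up by host name rather than by line number, as an added example that is not part of the original page and not OpenSSH code. It assumes a plain (unhashed) ''known_hosts''; the host names, addresses and key blobs in the sample file are constructed for the demonstration and are not real keys.

```shell
#!/bin/sh
# Added example, not from the original page: remove stale known_hosts entries by host
# name or IP instead of by a line number copied from the warning. ssh-keygen -R does the
# same job (and also handles HashKnownHosts files); this version shows what that means
# for a plain-text known_hosts and needs nothing but sh, awk and grep.
set -eu

# remove_known_host FILE HOST
# Drop every line whose host field lists HOST exactly. The host field is the first
# column, or the second one on @cert-authority / @revoked lines; "[host]:port" entries
# are matched literally, so pass the bracketed form for non-standard ports.
# Lines that list several hosts are removed as a whole; split such a line first if
# only one of its names should go.
remove_known_host() {
    file=$1
    host=$2
    tmp="$file.tmp.$$"
    awk -v h="$host" '
        /^[ \t]*(#|$)/ { print; next }
        {
            hosts = ($1 ~ /^@/) ? $2 : $1
            n = split(hosts, a, ",")
            keep = 1
            for (i = 1; i <= n; i++)
                if (a[i] == h)
                    keep = 0
            if (keep)
                print
        }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# count_entries FILE -- number of key lines (comments and blank lines excluded)
count_entries() {
    grep -cvE '^[[:space:]]*(#|$)' "$1" || true
}

# make_sample_known_hosts FILE
# Constructed sample: the host name entry carries the current key (line 1) and the IP
# entry a stale one from before the host was reinstalled (line 2). The key blobs are
# dummy strings, not real keys.
make_sample_known_hosts() {
    cat > "$1" <<'EOF'
home.internal ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDUMMYnewkey
192.168.1.20 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDUMMYstalekey
# an unrelated entry that must survive
other.internal,10.0.0.5 ssh-rsa AAAAB3NzaC1yc2EAAAADUMMYother
EOF
}

# Demo: build the sample, remove the stale IP entry, show what is left.
f=$(mktemp)
make_sample_known_hosts "$f"
remove_known_host "$f" 192.168.1.20
cat "$f"
rm -f "$f"
```

After the stale entry is gone, the next connection to the IP address records the current key again; accept it only after checking the fingerprint as described above.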
+ | |||
====== Generate Public Key ======

For ''RSA'' keys:

<code bash>
ssh-keygen -t rsa
</code>

For ''DSA'' keys:
<code bash>
ssh-keygen -t dsa
</code>

DSA (''ssh-dss'') keys are fixed at 1024 bits and have been disabled by default since OpenSSH 7.0, so the second command is only useful for legacy devices that accept nothing else. For anything current, generate an ''ed25519'' key (''-t ed25519'') or an RSA key of at least 3072 bits (''-b 3072''), and give it a passphrase.
+ | |||
====== Speeding-Up SSH Startup ======

As pointed out by [[http://]], ''ssh'' calls ''closefrom()'' right after startup to get rid of any descriptors above stderr that it inherited:
<code c>
closefrom(STDERR_FILENO + 1);
</code>

Where the platform has no native ''closefrom()'', OpenSSH's portable emulation falls back to calling ''close()'' on every descriptor number from 3 up to the process's descriptor limit; each call on a number that was never open fails with ''EBADF'' (''Err#9'' in the trace), so thousands of useless system calls are made before the connection is even attempted. This can be checked with ''dtruss'':
<code bash>
sh-3.2# dtruss /
# ...
stat64("/
getpid(0x7FFF925948F8,
close(0x7DE) = -1 Err#9
close(0x7DF) = -1 Err#9
close(0x7E0) = -1 Err#9
close(0x7E1) = -1 Err#9
close(0x7E2) = -1 Err#9
close(0x7E3) = -1 Err#9
close(0x7E4) = -1 Err#9
close(0x7E5) = -1 Err#9
close(0x7E6) = -1 Err#9
close(0x7E7) = -1 Err#9
close(0x7E8) = -1 Err#9
close(0x7E9) = -1 Err#9
close(0x7EA) = -1 Err#9
close(0x7EB) = -1 Err#9
close(0x7EC) = -1 Err#9
close(0x7ED) = -1 Err#9
close(0x7EE) = -1 Err#9
close(0x7EF) = -1 Err#9
close(0x7F0) = -1 Err#9
close(0x7F1) = -1 Err#9
</code>
+ | |||
From the OpenSSH ''ssh.c'' source, the relevant part of ''main()'':
<code c>
__progname = ssh_get_progname(av[0]);

#ifndef HAVE_SETPROCTITLE
/* Prepare for later setproctitle emulation */
/* Save argv so it isn't clobbered by setproctitle() emulation */
saved_av = xcalloc(ac + 1, sizeof(*saved_av));
for (i = 0; i < ac; i++)
	saved_av[i] = xstrdup(av[i]);
saved_av[i] = NULL;
compat_init_setproctitle(ac, av);
av = saved_av;
#endif

/*
 * Discard other fds that are hanging around. These can cause problem
 * with backgrounded ssh processes started by ControlPersist.
 */
closefrom(STDERR_FILENO + 1);

/*
 * Save the original real uid. It will be needed later (uid-swapping
 * may clobber the real uid).
 */
original_real_uid = getuid();
original_effective_uid = geteuid();
</code>
+ | |||
+ | |||
The ''closefrom()'' call can be patched out of the ''ssh'' binary by overwriting the 5-byte ''call'' instruction (''E8'' plus a 32-bit displacement) with five single-byte ''nop''s; the ''mov edi, 3'' before it (''BF 03 00 00 00''), which loads the ''STDERR_FILENO + 1'' argument, is harmless and stays:

<code asm>
000000010000d792 BF03000000
; nop out the call to closefrom()
000000010000d797 E8D7510200
000000010000d79c E8DD8E0400
</code>

resulting in:
<code asm>
000000010000d792 BF03000000
000000010000d797 90 nop
000000010000d798 90 nop
000000010000d799 90 nop
000000010000d79a 90 nop
000000010000d79b 90 nop
000000010000d79c E8DD8E0400
</code>

which avoids the ''close()'' loop entirely, as the trace of the patched binary shows:
+ | |||
<code bash>
sh-3.2# dtruss ./ssh
# ...
open("/
close(0x3) = 0 0
getuid(0x3, 0x2, 0x7FFF551ECBC0) = 0 0
geteuid(0x3,
seteuid(0x0,
shm_open(0x7FFF8475DCCA,
mmap(0x0, 0x1000, 0x1, 0x1, 0x3, 0x0) = 0x10AAE6000 0
close_nocancel(0x3) = 0 0
open_nocancel("/
issetugid(0x7FFF88B67E15,
issetugid(0x7FFF88B67E15,
</code>
+ | |||
Or, on one line:
<code bash>
sudo dd if=<
</code>

Note that this modification will most likely break things: patching the executable invalidates its code signature, and it removes the descriptor hygiene the call exists for, so any descriptor a calling script leaves open is inherited by the background ''ssh'' master that ''ControlPersist'' leaves running, which is precisely the problem the comment in ''ssh.c'' refers to. The saving is a few thousand failed ''close()'' calls, so measure the startup time before and after rather than assuming it matters.
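What the ''closefrom()'' call actually prevents, as an added example that is not part of the original page and not OpenSSH code. It assumes a ''/dev/fd'' directory (Linux with ''/proc'' mounted, or macOS) and shows the mechanism on stdout, because that is the descriptor a shell capture watches; ''closefrom()'' does the same for descriptors 3 and up.

```shell
#!/bin/sh
# Added example, not from the original page or from OpenSSH: what closefrom(STDERR_FILENO + 1)
# protects against. A descriptor the parent left open is inherited by every child it starts,
# including a backgrounded ssh master that ControlPersist keeps alive after the foreground
# ssh has returned. If that descriptor is the write end of a pipe the caller is reading,
# the caller blocks until the background process finally exits.

# child_sees_fd N -- exit 0 if a child process inherits descriptor N, 1 otherwise.
# Assumes /dev/fd exists (it does on Linux with /proc mounted and on macOS).
child_sees_fd() {
    sh -c '[ -e "/dev/fd/$1" ]' sh "$1"
}

# capture_blocks MODE -- run a $(...) capture with a 3-second background child inside it
# and exit 0 if the capture blocked for the child's whole lifetime, 1 if it returned
# right away.
#   leak   : the child keeps the capture pipe it inherited (no descriptor hygiene)
#   detach : the child's stdio is pointed at /dev/null first; this is the stdout/stderr
#            part of what ssh -f does, and closefrom() does the same for descriptors >= 3
capture_blocks() {
    start=$(date +%s)
    case $1 in
        leak)   out=$( sleep 3 & echo ready ) ;;
        detach) out=$( (sleep 3 </dev/null >/dev/null 2>&1 &); echo ready ) ;;
        *)      echo "usage: capture_blocks leak|detach" >&2; return 2 ;;
    esac
    elapsed=$(( $(date +%s) - start ))
    echo "$1: capture of '$out' returned after ${elapsed}s" >&2
    [ "$elapsed" -ge 2 ]
}

# Demo: open a spare descriptor and see that a child inherits it unless it is closed
# on the way in (9<&-), then time the two capture variants.
exec 9</dev/null
child_sees_fd 9 && echo "fd 9 leaked into the child"
child_sees_fd 9 9<&- || echo "fd 9 closed for the child"
capture_blocks leak   || true
capture_blocks detach || true
exec 9<&-
```

The ''leak'' variant is the shape of the ''ControlPersist'' hang: a script captures the output of ''ssh -f'', the backgrounded master inherits the capture pipe, and the script waits until the master times out. With the patched binary that is again possible for every descriptor a caller leaves open.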
+ | |||
====== Better Responsiveness and Speed-up ======

The following settings will make ''ssh'' sessions feel more responsive:

  * disable reverse DNS lookups of the client on the server (''UseDNS no''), which otherwise delay every login when DNS is slow or broken
  * turn off compression, which costs CPU on both ends and rarely helps on a fast link
  * restrict the ciphers and MACs to fast variants

The cipher and MAC choices in this recipe are no longer acceptable: ''arcfour'' (RC4) was dropped from OpenSSH's defaults in 7.0 and removed entirely in 7.6, and ''hmac-md5-96'' is a truncated MD5 tag that is in no current default MAC list. Neither is "backward-compatible" with a current client or server, and both are weak. On hardware with AES instructions ''aes128-gcm@openssh.com'' is as fast as anything, and ''chacha20-poly1305@openssh.com'' is the fast choice without them; both are authenticated ciphers, so the MAC setting only matters for the CTR ciphers (use ''hmac-sha2-256-etm@openssh.com'' there).

Edit the server configuration (''sshd_config''):
<code>
# Server configuration
UseDNS no
compression no
# arcfour (RC4) is weak and no longer supported; see the note above
ciphers arcfour,
# truncated MD5 MAC, in no current default list; see the note above
macs hmac-md5-96
</code>

On OSX, the client configuration (''ssh_config'') should be changed to match:
<code>
Host *
SendEnv LANG LC_*
compression no
# weak, see the note above
Ciphers arcfour,
MACs hmac-md5-96,
</code>
+ | |||
====== Restrict SSHd Users ======

Edit the server configuration (''sshd_config''):
<code>
PermitRootLogin no
AllowUsers merlin
</code>
where ''merlin'' is the only account allowed to log in over SSH; every other user, root included, is refused at authentication. ''AllowUsers'' takes a space-separated list and ''user@host'' patterns, and it also applies to SFTP-only accounts, which therefore have to be listed as well. Check the file with ''sshd -t'' before reloading, since a typo here locks everybody out.
+ | |||
====== Tunneling ======

The following command:

<code bash>
ssh -f jack@home.internal -L 2000:
</code>

creates an SSH tunnel between the local machine the command is run on and ''home.internal'': connections to local port ''2000'' are carried through the SSH session and delivered by ''home.internal'' to the host and port named in the rest of the ''-L'' argument.

The command can be broken down into the following options:
  * ''-f'': go to the background after authentication, so the tunnel keeps running after the command returns
  * ''jack@home.internal'': the user and host to log in to; this machine terminates the tunnel and originates the forwarded connections
  * ''-L [bind_address:]port:host:hostport'': local forward; ''ssh'' listens on ''port'' (here ''2000'') and forwards each connection to ''host:hostport'' as seen from ''home.internal''

By default the listening port binds to the loopback address only; giving a ''bind_address'' (or ''-g'') exposes the tunnel to other machines on the local network, which is rarely what is wanted.
+ | |||
====== Copying File Path with Special Characters ======

Sometimes one has to copy files whose name, or whose path, contains special characters (spaces, parentheses, quotes). In such cases ''scp'' fails with either the dreaded error:
<code>
scp: ambiguous target
</code>

when the remote shell splits the target path into several words, or:
<code>
No such file or directory
</code>

when it ends up looking for the wrong name. Legacy ''scp'' starts the remote ''scp'' through the user's login shell on the server, so the remote path is parsed by a shell twice: once locally and once remotely. Both the source path and the target path must therefore be escaped, and the remote path must be escaped a second time (double-escaped) so that the remote shell still sees one intact argument. Since OpenSSH 9.0 ''scp'' uses the SFTP protocol by default, which passes paths verbatim and needs no second layer; the legacy behaviour is selected with ''-O''.

For example, suppose we wanted to send the file from the local machine:
<code>
/
</code>

to the remote host, at the path:
<code>
/
</code>

We then have several methods of doing this:

  * <code bash>scp /</code>
  * <code bash>scp /</code>
  * <code bash>scp /</code>
  * <code bash>scp /</code>
  * <code bash>scp /</code>
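How the second layer of quoting is built and why it is needed, as an added example that is not part of the original page and not OpenSSH code. The path used is constructed for the demonstration; the ''scp'' call itself is shown as a comment because it needs a reachable host.

```shell
#!/bin/sh
# Added example, not from the original page: produce the doubly-quoted remote path that
# legacy scp needs, and show why. Legacy scp (the default before OpenSSH 9.0, now behind
# -O) starts the remote "scp -t <path>" through the user's login shell, so the path is
# parsed by a shell twice. Double quotes around "$var" handle the local pass; the helper
# below adds the second layer for the remote one.

# remote_quote PATH -- print PATH wrapped in single quotes, with any embedded single
# quote rewritten as '\'' so the remote shell reproduces the original string exactly.
remote_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# remote_words STRING -- how many arguments the remote shell would make of STRING, i.e.
# of the path exactly as scp passes it. Prints "syntax error" when the shell cannot even
# parse it (unbalanced quotes, parentheses).
remote_words() {
    sh -c "set -- $1; echo \$#" 2>/dev/null || echo "syntax error"
}

# remote_roundtrip PATH -- run the quoted form through a shell the way the remote login
# shell does and print what comes out; it must be PATH itself.
remote_roundtrip() {
    sh -c "printf '%s' $(remote_quote "$1")"
}

# Demo with a constructed path that has a space, parentheses and an apostrophe.
src="/tmp/My Files/report (final) it's.txt"
echo "quoted once:  remote shell sees $(remote_words "$src") argument(s)"
echo "quoted twice: remote shell sees $(remote_words "$(remote_quote "$src")") argument(s)"
echo "round trip:   $(remote_roundtrip "$src")"
# The real call, once both sides agree on the name (needs a reachable host, so not run here):
#   scp -O "$src" "user@host:$(remote_quote "$src")"
```

Single quotes are used for the remote layer because they switch off every kind of expansion on the remote side; the only character they cannot contain is another single quote, which is why the helper splices it in as ''\'''''.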
+ | |||
====== Restrict Users to SFTP only Instead of SSH ======

To restrict users or groups to SFTP without being able to log in, first create a designated SFTP-only group:
<code bash>
groupadd sftponly
</code>

then add the users to the ''sftponly'' group:
<code bash>
usermod -g users -G users,
</code>

and then modify the server configuration (''sshd_config''), at the very end of the file, since everything after a ''Match'' line belongs to that block:
<code>
Match group sftponly
chrootDirectory /var/www
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no
</code>

where ''/var/www'' is the directory the SFTP users are confined to. ''sshd'' only accepts the chroot if ''/var/www'' and every directory above it are owned by root and writable by nobody else (otherwise the login fails with "bad ownership or modes for chroot directory" in the auth log), so the users get a subdirectory of it, owned by them, for uploads. ''internal-sftp'' runs inside ''sshd'' and needs no binaries or libraries in the chroot; ''ForceCommand'' overrides anything the client asks for, and the two forwarding options close the remaining ways of reaching the network through the session. If ''AllowUsers'' is in use, the SFTP accounts must be listed there too.

Finally, set the shell of the restricted users to one that does not permit interactive logins:
<code bash>
usermod -s /
</code>
+ | |||
====== Enabling Diffie-Hellman-Group-SHA1 Key Exchange ======

Some older hardware only supports the ''diffie-hellman-group1-sha1'' key exchange, which OpenSSH clients have disabled by default since 7.0: it uses a 1024-bit group and SHA-1, so it should only be re-enabled for the host that needs it, never globally. On the command line:
<code bash>
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 192.168.0.2
</code>

alternatively, in the client configuration (''ssh_config''), scoped to that one host:
<code>
Host 192.168.0.2
KexAlgorithms +diffie-hellman-group1-sha1
</code>

The ''+'' appends to the default list rather than replacing it, so the client still prefers a stronger exchange whenever the device offers one. Very old devices may additionally need a legacy cipher or host key type (''Ciphers'' and ''HostKeyAlgorithms'' take the same ''+'' syntax); ''ssh -v'' shows which algorithm the negotiation failed on.
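An audit that tells global legacy settings (the kind the "Better Responsiveness and Speed-up" recipe introduces) apart from host-scoped exceptions like the one in this section, as an added example that is not part of the original page and not OpenSSH code. The two configuration fragments it runs on are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original page: audit an ssh_config or sshd_config for the
# legacy algorithms named in the two recipes above (arcfour, hmac-md5-96,
# diffie-hellman-group1-sha1 and relatives). Findings outside any Host/Match block are
# global and make the audit fail; findings inside a Host/Match block are reported but
# tolerated, since that is the right way to keep one old device reachable.

# audit_ssh_algos FILE
# Prints one line per legacy algorithm: "<scope>TAB<keyword>TAB<algorithm>", where scope
# is "global" or the Host/Match line it sits under. Exit status is 1 when any global
# finding exists, 0 otherwise. Only the "Keyword value" spelling is handled; the rarer
# "Keyword=value" form is not.
audit_ssh_algos() {
    awk -v weak='arcfour|blowfish|cast128|3des|-cbc|hmac-md5|hmac-sha1-96|diffie-hellman-group1-sha1|diffie-hellman-group14-sha1|ssh-dss' '
        { key = tolower($1) }
        key == "host" || key == "match" { scope = $0; next }
        key ~ /^(ciphers|macs|kexalgorithms|hostkeyalgorithms)$/ {
            n = split($2, algs, ",")
            for (i = 1; i <= n; i++)
                if (tolower(algs[i]) ~ weak) {
                    printf "%s\t%s\t%s\n", (scope == "" ? "global" : scope), key, algs[i]
                    if (scope == "")
                        bad = 1
                }
        }
        END { if (bad) exit 1 }
    ' "$1"
}

# write_sample KIND FILE -- constructed config fragments, not taken from a real host.
write_sample() {
    case $1 in
        legacy) cat > "$2" <<'EOF'
# the speed-up recipe, as it would look with the cipher list completed
UseDNS no
Compression no
Ciphers arcfour,aes128-ctr
MACs hmac-md5-96,hmac-sha1
EOF
        ;;
        scoped) cat > "$2" <<'EOF'
# fast modern defaults globally; the legacy exchange only for one old device
Compression no
Ciphers chacha20-poly1305@openssh.com,aes128-gcm@openssh.com,aes128-ctr
MACs hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
Host 192.168.0.2
    KexAlgorithms +diffie-hellman-group1-sha1
EOF
        ;;
        *) echo "usage: write_sample legacy|scoped FILE" >&2; return 2 ;;
    esac
}

# Demo: audit both samples.
for kind in legacy scoped; do
    f=$(mktemp)
    write_sample "$kind" "$f"
    if audit_ssh_algos "$f"; then
        echo "$kind: OK (no global legacy algorithms)"
    else
        echo "$kind: FAIL (legacy algorithms in global scope)"
    fi
    rm -f "$f"
done
```

The ''scoped'' fragment is the shape to aim for: fast authenticated ciphers everywhere, and the weak exchange confined to the ''Host'' block of the device that cannot do better.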
+ | |||
====== Fixing Various Network Issues ======

If any of the following symptoms appear:
  * SSH connections drop,
  * issuing commands with large output over SSH makes the SSH session hang

they may all boil down to a non-uniform MTU across the network path. Keystrokes and prompts fit in small packets and get through, but the first full-size packet of a large response is dropped; when the ICMP "fragmentation needed" messages that path MTU discovery relies on are filtered somewhere on the path, the sender never learns to shrink its packets and the session stalls. Check the MTU on every hop and, from the ''ssh'' client, send pings of increasing size with the don't-fragment bit set to find the largest size that actually gets through.