Openssh Quick Reference
ADVERTISEMENT
1
2OpenSSH Quick Reference
Protocol
SSH protocol
2, 1
NumberOfPasswordPro
Allow the number of password
3
mpts
tries
StrictModes
check files ownership and perm.
yes
Author: Jialong He
SyslogFacility
Syslog facility code
AUTH
TCPKeepAlive
Send TCP keepalive to other end
yes
TCPKeepAlive
Send TCP keepalive to client
yes
VerifyHostKeyDNS
Verify the remote key using DNS
no
UseDNS
lookup client DNSname
yes
What is OpenSSH and where to get it
CheckHostIP
Check the host IP address in the
yes
Compression
Compress network traffic
yes
known_hosts file
OpenSSH is a protocol suite of network connectivity tools that replace
Permit X11 forwarding
no
telnet, ftp, rsh, and rcp. It encrypts all traffic (including passwords) to
X11Forwading
effectively eliminate eavesdropping, connection hijacking, and other
Public Key Authentication
network-level attacks. OpenSSH comes with most Linux distributions.
Client Configuration
Public key authentication is a preferred method. It is more secure than
Use command “ssh -V” to check the SSH version installed. The latest
password authentication because no password travels through the network,
ssh (sftp,
scp) are OpenSSH commands to replace telnet, ftp, rcp. The
version can be found from:
but you have to do some setup before you can use public key
properties of these program are controlled by (1) command line options,
authentication. Public key authentication is configured for individual user.
Server Configuration
(2) per user configuration file $HOME/.ssh/config and (3) system wide
configuration file /etc/ssh/ssh_config.
(1) Modify SSH server’s configuration file (sshd_config) to enable public
sshd
is the OpenSSH server (daemon). It is controlled by a configuration
key authentication:
(PublicKeyAuthentication
yes). Also modify client’s
file
sshd_config
which normally resides in /etc/ssh directory. You can
Usage Example:
configuration file (ssh_config) to use public key authentication
specify command-line options to override their configuration file
ssh user@remotehost
# connect to remote host as user
(PubkeyAuthentication
yes). Normally, these are default settings.
equivalents. Here are some useful options. For the complete list of
scp myfile user@remotehost:/home/user # remote copy “myfile”
keywords, see sshd_config (5) manual page.
(2) Generate a key pair for this user
Here are useful keywords in ssh_config. For the complete list of keywords,
Keyword
Description
Default
ssh-keygen –t rsa –f $HOME/.ssh/id_rsa
see ssh_config (5) manual page.
Allow only specified groups to
*
AllowGroups
Keyword
Description
Default
It will prompt you a passphrase to encrypt private key. Two files “id_rsa”
connect. May use '*' and '?'.
and “id_rsa.pub” will be generated.
HostName
Default host to connect
none
AllowUsers
Allow only specified users to
*
connect. May use '*' and '?'.
User
Default user name
none
(3) Transfer user’s public key (id_rsa.pub) to SSH server and append its
contents to:
DenyGroups
Groups NOT allowed connecting.
none
PreferredAuthentications
Preferred authentication methods
see left
$HOME/.ssh/authorized_keys or $HOME/.ssh/authorized_keys2.
hostbased, publickey, password
DenyUsers
Users NOT allowed connecting.
none
Try hostbased authentication
no
HostbasedAuthentication
AllowTcpForwarding
TCP forwarding allowed.
yes
You may also restrict from which computers allowed to use public key
authentication. For example, in authorized_key file, you put “from” before
PubkeyAuthentication
Try Public key authentication
yes
GatewayPorts
Allow other computers to connect
no
the public key.
to the forwarding port.
PasswordAuthentication
Try password authentication
yes
from=”Goat.domain.com” AAAAB3NzaC1yc2EAAA ….
HostbasedAuthentication
Allow host based authentication
no
LocalForward
Specify TCP port forwarding in
none
(use .shosts or /etc/shosts.equiv)
(4) Now you can log on to remote system with
LPORT RHOST:RPORT
ssh my_sshserver
IgnoreRhosts
Ignore per user .rhosts and .shosts
yes
Remote forward port
none
RemoteForward
in hostbased authentication.
RPORT LHOST:LPORT
It will prompt you passphrase to decrypt the private key. If you did not
IgnoreUserKnownHosts
Ignore $HOME/.ssh/known_hosts,
no
give a passphrase in the step 2, you will be connected with asking
GatewayPorts
Allow hosts other than this host to
no
use only /etc/ssh/ssh_known_hosts
password.
connect to the forwarding port
Password authentication allowed
yes
PasswordAuthentication
ForwardX11
Forward X11 connection
no
(5) If you do give a passphrase to protect private key, but don’t want to
PermitEmptyPasswords
Allow blank password
no
type this passphrase every time, it is possible to use ssh agent command:
Compression
Compress network traffic
no
PublicKeyAuthentication
Public key authentication allowed
yes
CompressionLevel
If use compress, compress level
6
eval `ssh-agent`
AuthorizedKeysFile
Public key file name. Default:
see left
ssh-add ~/.ssh/id_isa
$HOME/.ssh/authorized_keys
Default remote port
22
Port
This will prompt you passphrase once. As long as the current terminal is
IP address to accept connection
0.0.0.0
ListenAddress
Protocol
SSH protocol
2, 1
open, you can connect to the SSH server without typing passphrase. Note,
Port
Listening port
22
this is only valid for the current terminal, you still need to type passphrase
StrictHostKeyChecking
Allow connect to a host which is
ask
in other terminal.
not in $HOME/.ssh/known_hosts
LogLevel
sshd verbosity level
info
or /etc/ssh/ssh_known_hosts
PermitRootLogin
Allow root login
yes
In order to run scripts without typing password, the easiest way is to use a
LogLevel
Verbosity level
info
blank passphrase in step 2. Unlike password, passphrase never travels
PrintLastLog
Print last login date
yes
through the network. It is used for protecting local private key.
PrintMotd
Print /etc/motd file
yes
ADVERTISEMENT
0 votes
Related Articles
Related forms
Related Categories
Parent category: Education