{"id":137,"date":"2019-06-02T22:15:33","date_gmt":"2019-06-02T21:15:33","guid":{"rendered":"https:\/\/blog.inplico.uk\/?p=137"},"modified":"2021-01-06T13:18:27","modified_gmt":"2021-01-06T13:18:27","slug":"ssh-notes","status":"publish","type":"post","link":"https:\/\/blog.inplico.uk\/?p=137","title":{"rendered":"SSH Notes"},"content":{"rendered":"

\u00a0<\/strong><\/p>\n

Root Login<\/strong><\/p>\n

While it may not be recommended there are times when you may wish to enable root login remotely (at least temporarily while you are setting up a remote system) Debian stretch no longer automatically permits root login remotely so you have to enable it by editing the config file sshd_config<\/strong> The line you need to change is PermitRootLogin<\/strong> which you need to uncomment and change to yes<\/strong><\/p>\n

PermitRootLogin yes<\/pre>\n
now all you have to do is restart the sshd daemon with<\/p>\n
service sshd restart<\/pre>\n
Login without having to type password<\/strong><\/p>\n
Using a key rather than a password is generally considered more secure (as long as you keep the key safe) so it is a good idea to do this as well as making it easier to log on to your servers.<\/p>\n
ssh-keygen -t rsa -b 4096 -C myServerName_rsa -f myServerName_rsa<\/pre>\n
Will generate a keypair called myServerName_rsa<\/strong> and pub<\/strong> you then need to add the client key to your agent using ssh-add<\/p>\n
ssh-add myServerName_rsa<\/pre>\n
And now copy its public pairing to the server<\/p>\n
ssh-copy-id \u2013i myServerName_rsa.pub myUserName@myServer<\/pre>\n
The \u201ci\u201d switch is short for identity (if you really care).<\/p>\n
You will be prompted to attempt to log on at this stage although it probably will not work without running ssh-add first unless you explicitly specify the keyfile to use.<\/p>\n
ssh-add myServerName_rsa<\/pre>\n
Now you need to create or edit the config file<\/p>\n
vi ~\/.ssh\/config<\/pre>\n
In all cases you should put the following at the top of the file:<\/p>\n
Host *\r\nIdentitiesOnly=yes<\/pre>\n
If this is not present then you may get a “too many authentication errors” notification if you have a lot of clients.<\/p>\n
For each client you will need to provide an entry similar to the following.<\/p>\n
Host MyHostAlias\r\nHostName myhost.fqdn\u00a0\u00a0 \r\nUser myusername\r\nUseKeychain yes\u00a0\u00a0 \u00a0\u00a0 \r\nIdentityFile ~\/.ssh\/myServerName_rsa<\/pre>\n
While not entirely necessary, it is good practice to create an separate keyfile pair for each connection.<\/p>\n
Host<\/strong>: This is the shortcut name of your connection<\/p>\n
HostName<\/strong>: The IP or FQDN of the client<\/p>\n
User<\/strong>: This is the username that you wish to use to log on<\/p>\n
IdentityFile<\/strong>: The XXXX_rsa file that you generated with ssh-keygen (not the XXXX_rsa.pub)<\/p>\n
You should now be able to log in to your client using its alias or domain name without using a password.<\/p>\n
ssh myhost<\/pre>\n
Troubleshooting<\/strong><\/p>\n
If you are having issues automatically logging in then run sshd in debug mode<\/p>\n
\/path\/to\/sshd \u2013d \u2013d \u2013d \u2013d \u2013d<\/pre>\n
The path is usually \/usr\/sbin\/sshd; if you are using centryfy and have installed its own version of ssh then the path may be something like \/usr\/share\/centrifydc\/sbin\/sshd<\/p>\n
To find the path easily you can look it up along with the running process id.<\/p>\n
ps \u2013ef |grep sshd<\/pre>\n
should return the path along with the pid. You will need to kill the process eg.<\/p>\n
kill -9 982538<\/pre>\n
Permissions:<\/p>\n
If you are getting a permissions warning (something like \u201cSSH Authentication Refused: Bad Ownership or Modes for Directory\u201d) then you need to set the permissions as follows:<\/p>\n
chmod 700 ~\/.ssh\r\nchmod 644 ~\/.ssh\/authorized_keys\r\nchmod 644 ~\/.ssh\/known_hosts\r\nchmod 644 ~\/.ssh\/config\r\nchmod 600 ~\/.ssh\/yourkey_rsa\r\nchmod 644 ~\/.ssh\/yourkey_rsa.pub<\/pre>\n
 <\/p>\n
 <\/p>\n
 <\/p>\n","protected":false},"excerpt":{"rendered":"
\u00a0 Root Login While it may not be recommended there are times when you may wish to enable root login remotely (at least temporarily while you are setting up a remote system) Debian stretch no longer automatically permits root login remotely so you have to enable it by editing the config file sshd_config The line […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10],"tags":[],"class_list":["post-137","post","type-post","status-publish","format-standard","hentry","category-debian-server"],"_links":{"self":[{"href":"https:\/\/blog.inplico.uk\/index.php?rest_route=\/wp\/v2\/posts\/137","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.inplico.uk\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.inplico.uk\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.inplico.uk\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.inplico.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=137"}],"version-history":[{"count":11,"href":"https:\/\/blog.inplico.uk\/index.php?rest_route=\/wp\/v2\/posts\/137\/revisions"}],"predecessor-version":[{"id":267,"href":"https:\/\/blog.inplico.uk\/index.php?rest_route=\/wp\/v2\/posts\/137\/revisions\/267"}],"wp:attachment":[{"href":"https:\/\/blog.inplico.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=137"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.inplico.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=137"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.inplico.uk\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=137"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}