Differences

This shows you the differences between two versions of the page.

--- ssh [2009/03/10 17:48]
a
+++ ssh [2016/08/04 09:37] (current)
zagi [other SSH stuff]
@@ Line 1: / Line 1: @@
-====== banner in ssh ======
+====== SSH ======
+Links:
+   * [[http://www.howtoforge.com/chrooted-ssh-sftp-tutorial-debian-lenny|Chrooted SSH/SFTP Tutorial (Debian Lenny) ]]
+   * [[http://wiki.centos.org/HowTos/Network/SecuringSSH|Securing SSH (CentOS wiki)]]
+===== banner in ssh =====
    /etc/ssh/sshd_config
@@ Line 11: / Line 17: @@
    *********************************************
-===== Creating SSH key =====
+http://techgurulive.com/2008/09/15/how-to-protect-ssh-from-multiple-and-parallel-coordinated-attacks/
+===== SSH and working with keys =====
-**DSA key**
+create your key
    ssh-keygen -t dsa
+copy your new key out to all the servers, and make ssh use it.
+the mkdir below may fail if the directory exists, ignore the error its harmless
+<code bash|>
+for i in $(cat servers) ; do
+echo SERVER=$;
+scp ~/.ssh/id_dsa.pub $i
+ssh $i "mkdir .ssh ;
+chmod 700 .ssh ;
+cat ~/id_dsa.pub >> ~/.ssh/authorized_keys ;
+chmod 644 /.ssh/authorized_keys;"
+done
+</code>
+===== How to Fix Offering key in ~/.ssh/known_hosts =====
+# ssh -o 'StrictHostKeyChecking no' user@host
+==== Remove the offending ssh key ====
+<code>
+@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
+@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
+@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
+IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
+Someone could be eavesdropping on you right now (man-in-the-middle attack)!
+It is also possible that the RSA host key has just been changed.
+The fingerprint for the RSA key sent by the remote host is
+a7:a8:f2:97:94:33:58:b7:9d:bc:e0:a6:6b:f7:0a:29.
+Please contact your system administrator.
+Add correct host key in /home/ramesh/.ssh/known_hosts to get rid of this message.
+Offending key in /home/ramesh/.ssh/known_hosts: 6
+Permission denied (publickey,password).
+</code>
+   # sed -i '6d' ~/.ssh/known_hosts
+<note important>**Note**: Change the **6d** according to the line number shown.</note>
+**Perl solution**:
+   # perl -pi -e 's/\Q$_// if ($. == 6);' ~/.ssh/known_hosts
@@ Line 110: / Line 158: @@
 This document is free; you can redistribute it and/or modify it under the terms of the GNU GPL, see http://www.gnu.org/copyleft/gpl.html .  There is NO WARRANTY.
+===== Fail2Ban ====
+  /etc/fail2ban/jail.conf\\
+\\
+      action = %(action_mw)s\\
+===== other SSH stuff ======
+use EF DSCP in ssh:
+  ~/.ssh/config
+  IPQoS ef
+use jump host
+  ~/.ssh/config
+  Host finalhost
+  HostName finalhost
+  User userfinal
+  ProxyCommand ssh proxyuser@proxyhost nc %h %p
+then one can simply type
+  ssh finalhost
+to ssh via proxyhost to final destination host
+using same options for multiple hosts in same domain
+   Host switch* router* myrouter* cmts*
+no need to type FQDN for switch-somethingsomething