SSH How To

From KnowWiki

How to limit SSH access to specific users

Add the following line to your /etc/ssh/sshd_config

AllowUsers alex

With this setting, every user not listed is refused an SSH login even if they supply a correct password. To block only specific users or groups, use DenyUsers or DenyGroups instead, but remember that a deny list (blacklist) is inherently less secure than an allow list (whitelist).

Also, consider setting the following to "no" to deny remote root logins

PermitRootLogin no

Restart sshd after changing the file:

sudo service ssh restart
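Before restarting sshd it is worth checking that the file actually says what you think it says: sshd honours only the first occurrence of a keyword, ignores case, and treats everything after a Match line as conditional. The following script is an added example (it is not from the KnowWiki page) that audits an sshd_config for the AllowUsers and PermitRootLogin settings recommended above; it assumes the common "Keyword value" line form and does not parse the "Keyword=value" form.

```shell
#!/bin/sh
# Added example (not from the KnowWiki page): audit an sshd_config for the
# two settings recommended above before restarting sshd. Assumes the usual
# "Keyword value" line form; "Keyword=value" lines are not handled.

# Print the effective value of a keyword from a config file.
# sshd honours the FIRST occurrence of a keyword (later duplicates are
# ignored), matches keywords case-insensitively, and everything after the
# first Match line is conditional, so the scan stops there.
sshd_get() {
    # $1 = config file, $2 = keyword
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[ \t]*#/ { next }                 # comment line
        /^[ \t]*$/ { next }                 # blank line
        tolower($1) == "match" { exit }     # global section ends here
        tolower($1) == key {
            if (NF > 1) { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print }
            exit
        }
    ' "$1"
}

# Report the weak spots; return 1 if anything should be fixed first.
sshd_audit() {
    cfg="$1"; rc=0
    root=$(sshd_get "$cfg" PermitRootLogin | tr 'A-Z' 'a-z')
    if [ "$root" != "no" ]; then
        echo "WARN: PermitRootLogin is '${root:-unset}'; set it to 'no'"
        rc=1
    fi
    allow=$(sshd_get "$cfg" AllowUsers)
    groups=$(sshd_get "$cfg" AllowGroups)
    if [ -z "$allow" ] && [ -z "$groups" ]; then
        echo "WARN: no AllowUsers/AllowGroups: any account with valid credentials can log in"
        rc=1
    fi
    deny=$(sshd_get "$cfg" DenyUsers)
    if [ -n "$deny" ] && [ -z "$allow" ]; then
        echo "NOTE: DenyUsers without AllowUsers is a deny list only; prefer an allow list"
    fi
    [ "$rc" -eq 0 ] && echo "OK: $cfg restricts root and lists allowed users"
    return "$rc"
}

# Demo on a constructed config (not a real server's file).
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
# constructed sample sshd_config
Port 22
PermitRootLogin yes
DenyUsers guest
EOF
sshd_audit "$demo_cfg" || echo "fix the file, run 'sshd -t', then restart sshd"
rm -f "$demo_cfg"
```

Run it as `sshd_audit /etc/ssh/sshd_config` after editing; when it reports OK, `sudo sshd -t` checks the syntax of the whole file, and only then restart the service, so a typo cannot lock you out of the box.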

How to configure cygwin SSH to start as a service

ssh-host-config

Note: If you have permission issues, try the following in Cygwin's command prompt:

chmod 644 /etc/sshd_config
chmod 644 /etc/passwd
chmod 644 /etc/group
chmod 755 /var
touch /var/log/sshd.log
chmod 644 /var/log/sshd.log

How to mount a remote file system over SSH and debug it

To mount, create a mount point and run

sshfs -o port=1234 host.name.com: /media/mountpoint

To debug, add -o sshfs_debug (although it might not be that helpful). If you are connecting under a different identity, add -o IdentityFile=/home/user/.ssh/other_key

If you are getting connection resets, first check that the port is correct, then try connecting by IP address instead of host name.

To unmount run

fusermount -u /media/mountpoint

How to set up passwordless login using a separate identity

First, make sure that your SSH server is on port 22, since ssh-copy-id does not appear to have a port option. If it is not and you cannot change the server port number, run "less" on ssh-copy-id (it is a shell script) and mimic what it does on the command line.

ssh-keygen -t rsa -f ~/.ssh/other_identity
ssh-copy-id -i ~/.ssh/other_identity.pub user@host

Test by running (note that -i takes the private key, not the .pub file):

ssh -i ~/.ssh/other_identity user@host
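What ssh-copy-id does on the server side is small enough to reproduce by hand, which is the fallback the section above suggests when the script cannot be used as-is. The function below is an added example (not from the KnowWiki page, and not the ssh-copy-id script itself): it installs a public key into a user's authorized_keys, refuses a file that is not a public key (for instance the private key passed by mistake), skips keys that are already present, and sets the directory and file permissions that sshd's StrictModes check requires. The key line in the demo is constructed and not a real key.

```shell
#!/bin/sh
# Added example (not from the KnowWiki page): the server-side work that
# ssh-copy-id performs, as a shell function you can run by hand.
# Assumes a one-line OpenSSH public key file ("type blob [comment]").

# install_authorized_key PUBKEY_FILE HOME_DIR
# Appends the key to HOME_DIR/.ssh/authorized_keys unless the same key
# (type + blob, comment ignored) is already there, and fixes permissions
# so sshd's StrictModes check accepts the files.
# Returns 0 on success, 2 if the file is not a public key.
install_authorized_key() {
    pub="$1"; home="$2"
    keyline=$(head -n 1 "$pub")
    ktype=$(printf '%s\n' "$keyline" | awk '{print $1}')
    kblob=$(printf '%s\n' "$keyline" | awk '{print $2}')
    case "$ktype" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521|sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com) ;;
        *)  # e.g. "-----BEGIN OPENSSH PRIVATE KEY-----": wrong file, refuse it
            echo "$pub does not start with a public key type" >&2; return 2 ;;
    esac
    if [ -z "$kblob" ]; then
        echo "$pub has no key material" >&2; return 2
    fi
    old_umask=$(umask)
    umask 077                       # new dir/file are created private
    mkdir -p "$home/.ssh"
    ak="$home/.ssh/authorized_keys"
    touch "$ak"
    umask "$old_umask"
    chmod 700 "$home/.ssh"          # StrictModes rejects group/world-writable paths
    chmod 600 "$ak"
    if awk -v t="$ktype" -v b="$kblob" '$1 == t && $2 == b { found = 1 } END { exit !found }' "$ak"; then
        echo "already installed: $ktype"; return 0
    fi
    printf '%s\n' "$keyline" >> "$ak"
    echo "installed into $ak"
}

# Demo with a constructed key line (not a real key) in a throwaway home dir.
demo_home=$(mktemp -d)
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyBlobNotRealAAAA user@example\n' > "$demo_home/other_identity.pub"
install_authorized_key "$demo_home/other_identity.pub" "$demo_home"
install_authorized_key "$demo_home/other_identity.pub" "$demo_home"   # second run is a no-op
rm -rf "$demo_home"
```

To use it for real, copy the function to the server (or paste it into an interactive session there) and call it with the .pub file and the target account's home directory. Current OpenSSH releases of ssh-copy-id also accept `-p port`, so check `ssh-copy-id -h` before falling back to the manual route.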

How to control, set up and shut down an ssh tunnel

Use control sockets (the -M and -S options are required):

ssh -fNM -L <localport>:<host from remote machine>:<remote port> -S ~/.ssh/pge_control_socket -p 28322 -i ~/.ssh/pge_identity e91311@pcl0323

Then check its status or terminate it with:

ssh -O check -S ~/.ssh/pge_control_socket localhost
ssh -O exit -S ~/.ssh/pge_control_socket localhost

How to enable external SSH on a WRT54G

iptables -I INPUT 1 -p tcp --dport 22 -j logaccept

How to multiplex SSH connections over one

Configure the default settings in your ~/.ssh/config file. ssh's own documentation recommends that the ControlPath include %r, %h and %p (or %C) and live in a directory other users cannot write to, so ~/.ssh is a safer location than /tmp for the socket:

ControlMaster auto
ControlPath /tmp/master-%r@%h:%p

How to set up an SSH tunnel

ssh -fNgL 3389:targethost.com:3389 xxxx@sshproviderhost

-f  run in the background
-N  do not open a remote shell
-g  allow other hosts to connect to the local forwarded port (use this if you want to route traffic from other hosts through this tunnel)

How to forward a privileged port using an SSH key login as a non-root user

sudo ssh -L 80:192.168.1.1:80 -i ~user/.ssh/id_rsa root@sshhost.net

How to forward the X ports

Make sure your X server accepts TCP connections:

sudo gedit /etc/gdm/gdm.conf
[security]
DisallowTCP=false

Restart gdm (Ctrl-Alt-Backspace to kill X, or kill the gdm process). Then use ssh -X to forward X. If you set DISPLAY yourself on the remote host instead of using the value ssh sets, X traffic is sent directly over TCP, unencrypted, rather than through the ssh tunnel.

How to stick a password into an SSH prompt

This is not as secure as public-key authentication, but may help in certain situations:

expect -c 'spawn ssh user@host ; expect assword ; send "passw0rd\n" ; interact'

How to suppress the host key warning when using multiple hosts on the same IP

In your ~/.ssh/config file:

Host myphone
        HostName 127.0.0.1
        Port 3023
        User mobile
        UserKnownHostsFile ~/.ssh/myphone_known_hosts

Host labphone
        HostName 127.0.0.1
        Port 3023
        User mobile
        UserKnownHostsFile ~/.ssh/labphone_known_hosts

How to use an established SSH tunnel from the host side

If you have a tunnel from a client to a host and do not want to create a tunnel from the host back to the client to copy files or similar (say there is a NAT firewall on the client side), add the following to ~/.ssh/config on the client:

Host myphone
  RemoteForward 2202 localhost:22

Then, on the host, connect to port 2202 to reach the client back through the existing tunnel.
