SSH

ssh

SSH Client Config Reference

man ssh_config

ssh-keygen

  • Notes

    • The comment identifies which client (user and machine) generated the key, so the matching entry can be removed from authorized_keys when that client, or just that key, is retired.
    • Private keys should have 400 (or 600) permissions; public keys 444. ssh refuses to use a private key that is readable by group or others ("UNPROTECTED PRIVATE KEY FILE!"), and ~/.ssh itself should be 700.
    • The private key file name should identify where the key is used (which account on which server); see the naming convention below.

Generate a key pair

ssh-keygen -t $algorithm -C $comment -f $key_file_path

Notes:

  • For $comment, use $(id -un)@$(hostname) so the public key records which client it belongs to; that is what shows up in authorized_keys on the server.
  • For the key file name, use id_${server_user}_${server_host} to indicate the corresponding account on the server, and keep the file under ~/.ssh.
# e.g.
ssh-keygen -t ed25519 -C "$(id -un)@$(hostname)" -f id_cq_CDOP3

Get the fingerprint & comment of a private key

Get the public key of a private key

ssh-keygen -y -f $private_key > $public_key

Tunneling

Tooling

Visual Studio Code

Cheatsheet

Set up SSH access

Start the sshd service on the remote server
  • Before starting, if needed, set Port in /etc/ssh/sshd_config and validate the file with sudo sshd -t (a syntax error keeps sshd from starting)

  • SysV

    • Start sshd if not already running

      sudo service ssh start

      or restart it after a config change

      sudo service ssh --full-restart

  • Systemd

    • systemctl status sshd

      Check sshd service status

    • sudo systemctl start sshd

      Start sshd service (sudo systemctl enable --now sshd also starts it at boot; on Debian/Ubuntu the unit is ssh, with sshd as an alias)

Generate a public/private key pair on the client
  • ssh-keygen -t ed25519 -C "$comment"
# e.g. an interactive run of plain ssh-keygen, which on older OpenSSH defaults to RSA (hence "rsa" below); add -t ed25519 to get the key type above
$ ssh-keygen
 
Generating public/private rsa key pair.
# Type a file name here, for example /c/Users/user-name/.ssh/codecommit_rsa
Enter file in which to save the key (/drive/Users/user-name/.ssh/id_rsa):
 
# Type a passphrase, and then press Enter
Enter passphrase (empty for no passphrase):
 
# Type the passphrase again, and then press Enter
Enter same passphrase again:
 
Your identification has been saved in /drive/Users/user-name/.ssh/codecommit_rsa.  # private key file path
Your public key has been saved in /drive/Users/user-name/.ssh/codecommit_rsa.pub.  # public key file path
The key fingerprint is:
45:63:d5:99:0e:99:73:50:5e:d4:b3:2d:86:4a:2c:14 username@client-hostname
The key's randomart image is:
+--[ RSA 2048]----+
|        E.+.o*.++|
|        .o .=.=o.|
|       . ..  *. +|
|        ..o . +..|
|        So . . . |
|          .      |
|                 |
|                 |
|                 |
+-----------------+
Install the public key on the remote server
ssh-copy-id -i $public_key_file -p $port $user@$host

(ssh-copy-id appends the key to ~/.ssh/authorized_keys on the server and creates ~/.ssh with the right permissions; if -i is given the private key path, the matching .pub is used.)

or

  1. Manually copy the public key file to the remote server
  2. Append the public key content (one line) to ~/.ssh/authorized_keys. With the default StrictModes yes, sshd ignores the file if the home directory, ~/.ssh or authorized_keys is writable by group or others; 700 for ~/.ssh and 600 for authorized_keys is the safe choice.

Then, on the client:
  • Update ~/.ssh/config and add a new section

    Host <host-alias>
      HostName <host-IP / host-domain>
      User <user-name>
      IdentityFile <private-key-file-path>
  • Test the setup with ssh -Tv <host-alias>, which gives either a success or an error message
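The manual route (steps 1 and 2 above) as an added shell example that is not part of the original notes: it appends a key to an authorized_keys file only if the same key is not already there (matching on key type and blob, so a changed comment does not create a duplicate), optionally prefixes restriction options, and sets the modes sshd's StrictModes checks. EXAMPLE_PUB is a constructed placeholder line, not a real key, and the functions take a file path so they can be exercised locally; on the server you would point them at ~/.ssh/authorized_keys.

```shell
#!/bin/sh
# Added example (not from the original notes): the manual alternative to
# ssh-copy-id. Appends a public key to an authorized_keys file exactly once,
# matching on key type and base64 blob so a changed comment does not create a
# duplicate, optionally prefixes restriction options, and fixes the modes
# that sshd (StrictModes yes) checks. Run on the server against
# ~/.ssh/authorized_keys; here it is exercised against a local file.
set -e

# Constructed placeholder, not a real key (the blob is made up).
EXAMPLE_PUB='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleBlobNotARealKey000000000000000 alice@laptop'

# Print "<type> <blob>" from a .pub or authorized_keys line, ignoring any
# leading options and the trailing comment. Every OpenSSH key blob starts
# with a 4-byte length prefix of the type string, which base64-encodes to
# "AAAA", so the blob is the field starting with AAAA and the type is the
# field before it. Prints nothing if no such pair is found.
key_body() {
    printf '%s\n' "$1" | awk '{
        for (i = 2; i <= NF; i++)
            if ($i ~ /^AAAA[A-Za-z0-9+\/=]+$/) { print $(i-1), $i; exit }
    }'
}

# Return 0 if authorized_keys file $1 already contains key body $2.
authorized_keys_has() {
    file=$1; body=$2
    while IFS= read -r line || [ -n "$line" ]; do
        [ "$(key_body "$line")" = "$body" ] && return 0
    done < "$file"
    return 1
}

# Add public key line $2 to authorized_keys file $1 with options $3 (may be
# empty, e.g. 'no-port-forwarding,no-agent-forwarding' or 'from="10.0.0.0/8"').
# Returns 1 if $2 is not a public key line; idempotent otherwise.
add_authorized_key() {
    file=$1; pub=$2; opts=${3:-}
    body=$(key_body "$pub")
    [ -n "$body" ] || return 1
    dir=$(dirname "$file")
    mkdir -p "$dir"
    chmod 700 "$dir"            # sshd rejects a group/world-writable ~/.ssh
    touch "$file"
    chmod 600 "$file"           # and a writable authorized_keys
    if authorized_keys_has "$file" "$body"; then
        return 0                # already present: keep the existing entry
    fi
    if [ -n "$opts" ]; then
        printf '%s %s\n' "$opts" "$pub" >> "$file"
    else
        printf '%s\n' "$pub" >> "$file"
    fi
}

# Usage on the server (key text pasted from the client's .pub file):
#   add_authorized_key ~/.ssh/authorized_keys "$EXAMPLE_PUB" 'no-port-forwarding,no-agent-forwarding'
```

Restriction options such as no-port-forwarding, no-agent-forwarding, from="..." and command="..." are part of the authorized_keys line, so adding them at deployment time is the easiest way to make sure a deploy or automation key cannot be used for more than intended.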

To remove the need to specify the identity file (private key) on every connection

  • Create ~/.ssh/config (mode 600) if it does not exist.

  • Add a section with the following template to the config file:

    Host <host-alias>
      HostName <host-IP / host-domain>
      User <user-name>
      IdentityFile <identity-file-path>
      IdentitiesOnly yes                # only offer the keys configured here, even if ssh-agent holds more (avoids "Too many authentication failures" when the agent has many keys)

    The name typed on the command line is matched against Host (the alias), not HostName, so connect using the alias.

    Comparison of the command, before and after having the config:

    • Before: ssh -i <IdentityFile> <User>@<HostName>
    • After: ssh <Host>

Run a command remotely via SSH

ssh $user@$host "$command"

Note: -f does not mean "run command"; it tells ssh to go to the background just before command execution and is normally combined with -N or -L for tunnels. Quote the command so it is passed as one argument: ssh joins its remaining arguments with spaces and the remote login shell parses the result again.

Troubleshooting

  • Options helpful for troubleshooting

    ssh -Tv <host>

    -v: verbose; -vv and -vvv add more detail (which config file and Host block matched, which keys are offered and why they are rejected)

    -T: disables pseudo-terminal allocation; useful against services such as GitHub that offer no interactive shell and would otherwise print a PTY warning

  • Case 1

    load pubkey "/c/Users/Takechiyo/.ssh/aws_ec2_us-east-1_01.pem": invalid format

    Possible cause(s)

    • Different line endings (platform-dependent)
    • The message refers to the public half: ssh looks for <key>.pub next to the private key and, failing that, tries to read a public key out of the private key file, which does not work for a PEM-format key. It is a warning only; authentication with the private key can still succeed. Regenerating the .pub with ssh-keygen -y -f <key> > <key>.pub silences it.
  • Case 2

    git@github.com: Permission denied (publickey).
    fatal: Could not read from remote repository.

    Possible cause(s)

    • The host in the remote URL (github.com) does not match the Host alias in the ssh config, so the IdentityFile is never applied and only default keys are offered. Either set Host github.com, or use the alias in the remote URL (git@github:org/repo.git).

      Host github             # the host pattern to match; only connections to this name get the settings below
      HostName github.com     # the real host to use for the connection
      User git
      IdentityFile ~/.ssh/github
  • Case 3

    # ~/.ssh/config
    Host git-codecommit
      Hostname git-codecommit.us-east-1.amazonaws.com
      User APKAZ5PJDOMUQPMW6ICQ
      IdentityFile ~/.ssh/aws-681778049833-DevAdmin-codecommit-us_east_1_01
    
    $ ssh APKAZ5PJDOMUQPMW6ICQ@git-codecommit.us-east-1.amazonaws.com
    
    APKAZ5PJDOMUQPMW6ICQ@git-codecommit.us-east-1.amazonaws.com: Permission denied (publickey).
    
    $ ssh git-codecommit
    
    You have successfully authenticated over SSH. You can use Git to interact with AWS CodeCommit. Interactive shells are not supported.
    Connection to git-codecommit.us-east-1.amazonaws.com closed by remote host.
    Connection to git-codecommit.us-east-1.amazonaws.com closed.

    Possible cause(s)

    • When -i is omitted, the name given to ssh must match the Host field (the alias), not the HostName field; otherwise the IdentityFile line is not applied and ssh offers only its default keys. Here, either connect with ssh git-codecommit (as the second command does) or change Host to git-codecommit.us-east-1.amazonaws.com so the full name matches. The same rule applies to scp, sftp and git remote URLs.
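A check for the Host-versus-HostName pitfall in Case 3 (and for the config template in the setup section) as an added example that is not part of the original notes: ssh -G prints the configuration ssh would use for a destination without connecting, so you can see whether the alias or the full host name picks up the IdentityFile. The config, alias, user name APKAEXAMPLE and key path are placeholders; it assumes an OpenSSH ssh is on PATH.

```shell
#!/bin/sh
# Added example (not from the original notes): use `ssh -G`, which prints the
# effective client configuration for a destination without connecting, to
# confirm which Host block a command line matches. Assumes OpenSSH ssh on
# PATH; the alias, user name and key path below are placeholders.
set -e

# Write an aliased host entry to the config file at $1 (used with -F so this
# does not depend on the real ~/.ssh/config).
write_config() {
    cat > "$1" <<'EOF'
Host git-codecommit
    HostName git-codecommit.us-east-1.amazonaws.com
    User APKAEXAMPLE
    IdentityFile ~/.ssh/codecommit_example
    IdentitiesOnly yes
EOF
}

# Print the first value of option $3 (lower-case, as ssh -G reports it, e.g.
# hostname, user, identityfile) that ssh would use for destination $2 with
# config $1. -F also makes ssh skip /etc/ssh/ssh_config.
effective() {
    ssh -F "$1" -G "$2" | awk -v k="$3" '$1 == k { print $2; exit }'
}

# Return 0 if destination $2 would be sent the key configured for the alias,
# i.e. the command line matched the Host block and not just the defaults.
uses_configured_key() {
    case "$(effective "$1" "$2" identityfile)" in
        *codecommit_example) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: compare the alias with the full host name from Case 3
#   write_config /tmp/sshcfg
#   uses_configured_key /tmp/sshcfg git-codecommit                           # matches: configured key
#   uses_configured_key /tmp/sshcfg git-codecommit.us-east-1.amazonaws.com   # no match: default keys only
```

ssh -G <destination> (optionally with -F <file>) is the quickest way to answer "which key and user will ssh actually use for this name" before reading through -vvv output.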

Mount remote directories

Running a local script on the remote machine

ssh $username@$server 'bash -s' < $script_file

Notes:

  • bash -s reads the script from standard input, so the script itself cannot prompt for or read anything from stdin.
  • Arguments placed after bash -s become the script's positional parameters: ssh $username@$server 'bash -s' -- arg1 arg2 < $script_file

Implementations

OpenSSH

Paramiko (Python) - SSHv2

Apache MINA sshd (Java)

Resources