
Tuesday, August 29, 2017

SSH: Accessing Virtual Private Server Using RSA Private Key File

Command (displaying the private key file; this file must stay on the client and is never copied to the server):

$ cat vps.key


Result:

-----BEGIN RSA PRIVATE KEY-----
fasdfsadfsadJAyxNgvFkJoMF+MEyWV4Qfasdfasd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-----END RSA PRIVATE KEY-----


Command:

$ cat ~/.ssh/config


Result:

Host vps
HostName 111.111.11.111
Port 22
User root
IdentityFile ~/vps.key


Command (restricting the key file to owner read/write; ssh ignores a private key that is readable by group or others):

$ chmod 600 ~/vps.key


Command:

$ ssh vps


Result:

[root@v111-111-11-111 ~]#

Sunday, November 13, 2016

macOS Sierra: SSH (Secure Shell) Client Configuration File: Fixing Perl Locale Warning on Server

Command (comparing the modified client configuration with the original backup):

$ diff /etc/ssh/ssh_config /etc/ssh/ssh_config.org


Result (line 21: SendEnv is now commented out, so the client no longer forwards LANG and LC_* to the server):

21c21
< #        SendEnv LANG LC_*
---
>         SendEnv LANG LC_*

Friday, June 10, 2016

Secure Shell: sshd_config: Disable Password Login

Command (Backing up the original configuration file; -p preserves its mode and timestamps):

root@remote:/etc/ssh# cp -p sshd_config sshd_config.org


Command (Displaying original configuration file):

root@remote:/etc/ssh# cat sshd_config.org


Result (Displaying original configuration file):

# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin prohibit-password
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes


Command (Displaying configuration file after modification):

root@remote:/etc/ssh#  cat /etc/ssh/sshd_config


Result (Displaying configuration file after modification):

# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.

UsePAM no


Command (Comparing configuration files before and after):
Note: the new settings take effect only after sshd is restarted or reloaded. PermitRootLogin no now refuses every root login, including key-based ones, and as the comment block above warns, UsePAM no also disables PAM account and session processing, so verify key-based login from a second session before closing the current one.

root@remote:/etc/ssh# diff sshd_config sshd_config.org
28c28
< PermitRootLogin no
---
> PermitRootLogin prohibit-password
52c52
< PasswordAuthentication no
---
> #PasswordAuthentication yes
88c88
< UsePAM no
---
> UsePAM yes

Thursday, June 9, 2016

Secure Shell: Logging In Without Password After Placing Public Key on Remote Server

Command:

$ ssh remote.servername.com
Welcome to Ubuntu 16.04 LTS (GNU/Linux 4.4.0-22-generic x86_64)

 * Documentation:  https://help.ubuntu.com/
Last login: Thu Jun  9 21:33:51 2016 from 123.456.789.01

Secure Shell: authorized_keys: Placing the public key on the remote server

Commands (the public key was first copied to the home directory on the remote server; see the scp section below):

$ ssh username@remote.servername.com
username@remote.servername.com's password:
Welcome to Ubuntu 16.04 LTS (GNU/Linux 4.4.0-22-generic x86_64)

 * Documentation:  https://help.ubuntu.com/
Last login: Tue May 17 21:41:16 2016 from 123.456.789.01


$ ls -al
合計 40
drwxr-xr-x 4 username username 4096  6月  9 21:04 .
drwxr-xr-x 3 root root 4096  5月 12 22:42 ..
-rw------- 1 username username 1770  5月 17 21:40 .bash_history
-rw-r--r-- 1 username username  220  5月 12 22:42 .bash_logout
-rw-r--r-- 1 username username 3771  5月 12 22:42 .bashrc
drwx------ 2 username username 4096  5月 12 22:50 .cache
drwxrwxr-x 2 username username 4096  5月 17 00:09 .nano
-rw-r--r-- 1 username username  675  5月 12 22:42 .profile
-rw-rw-r-- 1 username username   66  5月 17 00:09 .selected_editor
-rw-r--r-- 1 username username    0  5月 12 22:52 .sudo_as_admin_successful
-rw-r--r-- 1 username username  400  6月  9 21:04 id_rsa.pub


$ cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yd2EAAAADAQABAAABAQDNN6bT33VQ4CXWmFBx0H428yw/SHwARc91vc/Z/CExXrjUb3uhUaHb4EHCl7/pXpJgyyRr6dE5sl2FlE3jPWua2ooZ3uXof7NkiK2WMPVDpWZeKE2zxynEg5yPw41AtwyxI+Y15Hbt4WNEEhXsHunCu+ekGf3d3w67VCxGz8aA1Tbxe6zOs3e9VXNrgQW99ycD5xtXAXh8x5Jt+HhgAma5P7+gQ0rSMKSYsxKxr7TcR1k5yg9uC02u8NgqjuQDXoqLO9I+CGxv1rfFyl6n8fUlclPFgftJzYK9JuzHxEl3yMFSH/izSviYKp0MTph1dH3UWa5DiIAf8blDmZVkPCkT


$ mkdir .ssh
$ chmod 700 .ssh/
$ cat id_rsa.pub >> .ssh/authorized_keys
$ chmod 600 .ssh/authorized_keys
$ cd .ssh/


$ ls -al
合計 12
drwx------ 2 username username 4096  6月  9 21:36 .
drwxr-xr-x 5 username username 4096  6月  9 21:35 ..
-rw------- 1 username username  400  6月  9 21:36 authorized_keys


$ cat authorized_keys
ssh-rsa AAAAB3NzaC1yd2EAAAADAQABAAABAQDNN6bT33VQ4CXWmFBx0H428yw/SHwARc91vc/Z/CExXrjUb3uhUaHb4EHCl7/pXpJgyyRr6dE5sl2FlE3jPWua2ooZ3uXof7NkiK2WMPVDpWZeKE2zxynEg5yPw41AtwyxI+Y15Hbt4WNEEhXsHunCu+ekGf3d3w67VCxGz8aA1Tbxe6zOs3e9VXNrgQW99ycD5xtXAXh8x5Jt+HhgAma5P7+gQ0rSMKSYsxKxr7TcR1k5yg9uC02u8NgqjuQDXoqLO9I+CGxv1rfFyl6n8fUlclPFgftJzYK9JuzHxEl3yMFSH/izSviYKp0MTph1dH3UWa5DiIAf8blDmZVkPCkT


Man page (sshd):


~/.ssh/authorized_keys
Lists the public keys (DSA, ECDSA, Ed25519, RSA) that can be used for logging in as this user.  The format of this file is described above.  The content of the file is not highly sensitive, but the recommended permissions are read/write for the user, and not accessible by others. If this file, the ~/.ssh directory, or the user's home directory are writable by other users, then the file could be modified or replaced by unauthorized users.  In this case, sshd will not allow it to be used unless the StrictModes option has been set to “no”.


Secure Copy (scp): Sending Public Key to Remote Server

Command:

$ scp .ssh/id_rsa.pub username@remote.servername.com:~/
username@remote.servername.com's password:
id_rsa.pub                                                                                                                100%  400     0.4KB/s   00:00                

ssh-keygen: Generating Private and Public Keys (公開鍵と秘密鍵を作る)


Commands (answering y overwrites the existing key pair, so any server that still trusts the old public key must be updated with the new one):

$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/username/.ssh/id_rsa): 
/Users/username/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/username/.ssh/id_rsa.
Your public key has been saved in /Users/username/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:xCFSgzCQb5J5yjX911Xvdav018XVmXbfibdoEYxjXs0


$ ls -l .ssh/
total 24
-rw-------  1 username  staff  1679 Jun  4  2014 id_rsa
-rw-r--r--  1 username  staff   394 Jun  4  2014 id_rsa.pub
-rw-r--r--  1 username  staff  1118 May 16 10:26 known_hosts


$ cat .ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----


$ cat .ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yd2EAAAADAQABAAABAQDNN6bT33VQ4CXWmFBx0H428yw/SHwARc91vc/Z/CExXrjUb3uhUaHb4EHCl7/pXpJgyyRr6dE5sl2FlE3jPWua2ooZ3uXof7NkiK2WMPVDpWZeKE2zxynEg5yPw41AtwyxI+Y15Hbt4WNEEhXsHunCu+ekGf3d3w67VCxGz8aA1Tbxe6zOs3e9VXNrgQW99ycD5xtXAXh8x5Jt+HhgAma5P7+gQ0rSMKSYsxKxr7TcR1k5yg9uC02u8NgqjuQDXoqLO9I+CGxv1rfFyl6n8fUlclPFgftJzYK9JuzHxEl3yMFSH/izSviYKp0MTph1dH3UWa5DiIAf8blDmZVkPCkT OpenShift-Key


Vocabularies:
  • Public-key cryptography (公開鍵暗号)
  • Symmetric-key algorithm (共通鍵暗号)