# SSH
Your ssh key should never leave a host. That should be a policy, and you should write rules to detect when that policy is being violated (check for processes accessing the file).
If you need access from N computers, you should be generating N keys. (HN)
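One way to turn the "detect processes accessing the file" rule above into something concrete, as an added example for these notes (not from the quoted HN comment or any project): a POSIX sh function that finds OpenSSH private keys under a home root and emits one auditd watch rule per key, so every read of a key is logged together with the process, pid and uid that performed it. It assumes Linux auditd (auditctl/augenrules/ausearch); the rule key `ssh_private_key` and the home-root argument are this example's own choices.

```shell
#!/bin/sh
# Added example for these notes (not from the quoted HN comment or any project):
# generate auditd watch rules so that every read of an OpenSSH private key is
# logged with the process that did it. Assumes Linux auditd (auditctl/ausearch);
# the rule key "ssh_private_key" and the home-root argument are this example's
# own choices.

# Print one "-w PATH -p r -k ssh_private_key" rule per private key found below
# the given home root (default /home). A file counts as a private key when its
# first line is a PEM/OpenSSH "-----BEGIN ... PRIVATE KEY-----" header, so
# .pub files, config and known_hosts are skipped.
ssh_key_audit_rules() {
    root="${1:-/home}"
    find "$root" -type d -name .ssh 2>/dev/null | while IFS= read -r dir; do
        for f in "$dir"/*; do
            [ -f "$f" ] || continue
            case "$(head -n 1 "$f" 2>/dev/null)" in
                "-----BEGIN "*"PRIVATE KEY-----")
                    printf '%s -p r -k ssh_private_key\n' "-w $f" ;;
            esac
        done
    done
}

# Typical use (needs root): persist the rules, load them, then review hits.
#   ssh_key_audit_rules /home > /etc/audit/rules.d/ssh-keys.rules
#   augenrules --load
#   ausearch -k ssh_private_key -i     # one record per read: exe=, pid=, uid=
```

Reads by ssh and ssh-add are expected and will show up too; the point of the rule is that anything else (a shell, a script, curl, an archive tool) touching the key is visible in the audit log and can be alerted on.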
## List identity
Find and note your public key fingerprint, so you can recognize which key belongs to whom.
$ ssh-add -l -E sha256
> 2048 SHA256:274ffWxgaxq/tSINAykStUL7XWyRNcRTlcST1Ei7gBQ /Users/USERNAME/.ssh/id_rsa (RSA)
You might need to start ssh-agent before you run the ssh-add command (SO):
$ eval "$(ssh-agent -s)"
## Copy ssh keys to another machine (askubuntu)
$ ssh-copy-id -i .ssh/id_rsa.pub root@10.11.99.1
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@10.11.99.1's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@10.11.99.1'"
## Alternative for a public key file already copied to the target host
$ cat <your_public_key_file> >> ~/.ssh/authorized_keys
## Changing SSH key passphrase
$ ssh-keygen -p
## SSH quoting
$ ssh $server "$(cat script)"
$(cat script) is expanded by the local shell, so the file's contents are sent as the remote command string; the surrounding double quotes keep it as a single argument.
## Disable password access
If you want to fully disable password-based authentication, set BOTH PasswordAuthentication and ChallengeResponseAuthentication to ‘no’… since SSH is a network-based protocol, the server has no way to guarantee that responses to ChallengeResponseAuthentication (a.k.a. ‘keyboard-interactive’) are actually being provided by a user sitting at a keyboard so long as the challenge(s) always and only consists of asking a user for her password.
# Edit /etc/ssh/sshd_config
PasswordAuthentication no
ChallengeResponseAuthentication no
$ sudo systemctl restart sshd
Test that it works:
$ ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no example.com
=> yves@192.168.0.x: Permission denied (publickey).
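The login test above proves the running daemon rejects passwords; the check below, added here as an example for these notes (not from the original page or from OpenSSH), verifies the config file itself the way sshd reads it, so a typo such as a stray colon or a second, later `PasswordAuthentication no` that never takes effect is caught before the restart. It encodes the rules sshd applies: the first occurrence of a keyword wins, keywords are case-insensitive, `Key value` and `Key=value` are both accepted, and `#` starts a comment. OpenSSH 8.7 renamed ChallengeResponseAuthentication to KbdInteractiveAuthentication (the old name is kept as an alias), so either spelling counts. Match blocks are not modelled; `sshd -T` remains the authoritative view of the effective configuration.

```shell
#!/bin/sh
# Added example for these notes (not from the original page or OpenSSH): verify
# that an sshd_config really turns password-based logins off, the way sshd will
# read it. Rules applied: the FIRST occurrence of a keyword wins, keywords are
# case-insensitive, "Key value" and "Key=value" are both accepted, and "#" starts
# a comment. OpenSSH 8.7 renamed ChallengeResponseAuthentication to
# KbdInteractiveAuthentication (the old name remains an alias), so either spelling
# counts. Match blocks are not modelled; "sshd -T" is the authoritative view.

# Print the effective value of keyword $2 in config file $1, lower-cased;
# print nothing when the keyword is absent (sshd then uses its default, which
# is "yes" for both keywords checked below).
sshd_effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, ""); gsub(/=/, " ") }
        NF >= 2 && tolower($1) == key { print tolower($2); exit }
    ' "$1"
}

# Return 0 only when both PasswordAuthentication and keyboard-interactive
# authentication are explicitly set to "no"; an absent keyword counts as "yes".
password_auth_disabled() {
    cfg="$1"
    pw="$(sshd_effective_value "$cfg" PasswordAuthentication)"
    kbd="$(sshd_effective_value "$cfg" KbdInteractiveAuthentication)"
    [ -n "$kbd" ] || kbd="$(sshd_effective_value "$cfg" ChallengeResponseAuthentication)"
    [ "$pw" = no ] && [ "$kbd" = no ]
}

# Typical use, before restarting sshd:
#   password_auth_disabled /etc/ssh/sshd_config && echo "password auth is off" || echo "STILL ENABLED"
```

Because an absent keyword is treated as its default (`yes`), the function fails closed: a config that only sets PasswordAuthentication and forgets the keyboard-interactive keyword is reported as still allowing password logins, which matches the warning in the quoted paragraph.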
## Keep SSH session
- EternalTerminal (et)
  - install on both client and host (it needs its own server process)
- mosh
- byobu: http://byobu.co/index.html
## Enable SSH server
$ sudo apt install openssh-server
## Generating a new ssh key
Use one key per origin host; there is no need to change the default file name.
$ ssh-keygen -t rsa -b 4096 -C <hostname>
Generating public/private rsa key pair.
Enter file in which to save the key (/home/yves/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in github_rsa
Your public key has been saved in github_rsa.pub
- Add a comment to an existing SSH public key: just add a space after the key and put in the comment
- How do I retrieve the public key from an SSH private key?
## References
- How often should I rotate my SSH keys?
- How do you manage your SSH keys?
- SSH: Best practices
- SSH port fluxing / Github
- Ctrl-C handling in SSH session: ssh -t remotehost command args ...