Locking Down SSH User Access
To secure your system, you shouldn’t allow root to log in remotely. Instead, if an admin needs to use the root account they should log in using their own account and then su - or sudo to the root account as needed.
Edit the /etc/ssh/sshd_config file and change the following lines:
PermitRootLogin no
PermitEmptyPasswords no
Some of these properties may be commented out in the file, so all you’d need to do is remove the # sign.
Once these changes are made you should then restart ssh. On my system this is done by:
# /etc/rc.d/rc.sshd restart
After the restart your changes will be in effect. However, root can still log in “from the local terminal”.
You can go a step further and restrict ssh login to specific users only. For example, if you wanted only user1 and user2 to be able to log in with ssh, add a line to the above file:
AllowUsers user1 user2
Everyone except these two users will be denied access via ssh.
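As an added example (not part of the original post), here is a small POSIX shell audit that reads an sshd_config the way sshd does and reports whether the settings above are in force. It assumes whitespace-separated "Keyword value" lines, that the first uncommented occurrence of a keyword wins, that a leading # makes the line a comment (so a still-commented "#PermitRootLogin no" sets nothing), and it ignores Match blocks because their values are conditional.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the hardening settings recommended above.
# Assumed sshd semantics: keywords are case-insensitive, the FIRST uncommented
# occurrence of a keyword wins, a leading '#' makes the whole line a comment,
# and Match blocks are skipped. Only "Keyword value" lines are parsed, not the
# "Keyword=value" form.

# Print the effective value of keyword $2 in config file $1, or $3 if it is unset.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[[:space:]]*#/ || NF == 0 { next }   # comments and blank lines never count
        tolower($1) == "match"     { exit }    # stop at the first Match block
        tolower($1) == key {
            $1 = ""; sub(/^[[:space:]]+/, ""); print; found = 1; exit
        }
        END { if (!found) print def }
    ' "$1"
}

# Report findings for config file $1; returns 0 only if both hardening
# settings are explicitly "no". AllowUsers is reported but not required.
audit_sshd_config() {
    cfg=$1
    rc=0
    for kw in PermitRootLogin PermitEmptyPasswords; do
        val=$(sshd_effective "$cfg" "$kw" unset | tr 'A-Z' 'a-z')
        if [ "$val" != "no" ]; then
            printf 'FINDING: %s is "%s", expected "no"\n' "$kw" "$val"
            rc=1
        fi
    done
    users=$(sshd_effective "$cfg" AllowUsers unset)
    if [ "$users" = "unset" ]; then
        printf 'INFO: no AllowUsers line, any account may attempt ssh login\n'
    else
        printf 'OK: ssh logins restricted to: %s\n' "$users"
    fi
    return "$rc"
}

# Constructed sample config (not a real host's file): the commented line must
# not count, so the audit reports PermitRootLogin as "yes".
demo=$(mktemp)
printf '%s\n' '# PermitRootLogin no' 'PermitRootLogin yes' \
    'permitemptypasswords no' 'AllowUsers user1 user2' > "$demo"
if audit_sshd_config "$demo"; then echo "PASS"; else echo "FAIL: fix the findings above"; fi
rm -f "$demo"
```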
Tags: cli, ssh, ssh-config, motd
SSH Escape Sequences
Have you ever had an SSH connection time out on you and been left with what looks like a locked session? Repeatedly hitting the Enter key does nothing. It seems that there is nothing you can do except close the console terminal session…or is there something else?
Many people are not aware that SSH has its own set of keyboard shortcuts. The solution to the above problem is to terminate the connection using the first of these shortcuts.
- Press the Enter key.
- Press the tilde followed by a period.
- Press Enter again. You should now be back at your command prompt.
Supported escape sequences:
- ~. - terminate connection (and any multiplexed sessions)
- ~B - send a BREAK to the remote system
- ~R - request rekey
- ~V/v - decrease/increase verbosity (LogLevel)
- ~^Z - suspend ssh
- ~# - list forwarded connections
- ~& - background ssh (when waiting for connections to terminate)
- ~? - this message
- ~~ - send the escape character by typing it twice
(Note that escapes are only recognized immediately after newline.)
It is important to note that you always press the Enter key before typing the key sequences above.
Tags: cli, ssh, shortcuts, motd
Bind to a Remote Port Using SSH
If you are trying to access the web page of an application running on a remote machine and you find that you are blocked, you can bind to it using SSH with similar parameters to this:
$ ssh pi@raspberrypi.local -L 8384:127.0.0.1:8384 -N
Where:
- pi@raspberrypi.local is the remote server,
- 8384 is the port number on the remote that you wish to connect with,
- 127.0.0.1:8384 is the local machine and the port that you want to redirect to, and
- -N is a flag telling ssh not to execute a remote command.
Diff 2 Folders Over SSH
If you need to do a 'diff' on 2 folders and one of them is remote then you can accomplish that as follows:
$ diff <(ssh username@192.168.1.60 ls -R /home/username/dir1) <(ls -R /home/username/dir2)
Creating Passwordless SSH Keys
Create the key. Note those are two single quotes after the -N (for a blank passphrase):
$ ssh-keygen -t rsa -b 4096 -N ''
Copy it to the target server
$ cat .ssh/id_rsa.pub | ssh username@192.168.1.123 'cat >> .ssh/authorized_keys'
Test it
$ ssh username@192.168.1.123
SSH Directory Permissions Settings
It is important to set the directory and file permissions for your ~/.ssh correctly.
Typically you want the permissions to be:
- .ssh directory: 700 (drwx------)
- public key (.pub file): 644 (-rw-r--r--)
- private key (id_rsa): 600 (-rw-------)
- lastly your home directory should not be writeable by the group or others (at most 755 (drwxr-xr-x)).
For example, to set these permissions do:
$ chmod 700 ~/.ssh
$ chmod 600 ~/.ssh/*
$ chmod 644 ~/.ssh/*.pub
$ ls -ltr ~/.ssh/