X
  • Sun
    February 28, 2007

SSH Cheat Sheet

This is offered for those who want to kick their telnet habit. I also offer a
simple text version, which you can keep in ~/.ssh.

To create an SSH key for an account

srchost$ ssh-keygen -t rsa

This will create id_rsa and id_rsa.pub in
~/.ssh. "-t dsa" can be used instead. You will need an SSH
key if you want to log in to a system without supplying a
password.

To be able to log in to desthost from srchost without a password (as below)

srchost$ ssh desthost
desthost$

Simply add the contents of
srchost:~/.ssh/id_rsa.pub
to
desthost:~/.ssh/authorized_keys
in the form "ssh-rsa AAAkeystringxxx= myusername@srchost".

To enable forwarding of an X-windows session back to your $DISPLAY on
srchost

Just use "-X":

srchost$ ssh -X desthost
desthost$ xterm

If I use a different account on desthost (and I want to use a short name
for desthost)

Add something like this:

Host

paedata
Hostname

paedata.sfbay
User

tc35445

to srchost:~/.ssh/config

Still Getting Prompted For a Password

If I find that my key is not being recognised on desthost (I still get
prompted for a password), I probably have a premission problem. try this
as the user on desthost:

cd
chmod g-w,o-w .
chmod g=,o= .ssh .ssh/authorized_keys

To allow root logins (but must specify password or have an
authorized_key) on a host


  1. Edit /etc/ssh/sshd_config, change line to
    PermitRootLogin yes

  2. Solaris 9 & earlier:
    # /etc/init.d/sshd restart
  3. Solaris 10 & later:

    # svcadm restart ssh

Here is a patch (will save the originial config file in sshd_config.orig)

/usr/bin/patch -b /etc/ssh/sshd_config << 'EOT'
--- sshd_config.orig Fri Feb 2 11:27:12 2007
+++ sshd_config Fri Feb 23 14:12:24 2007
@@ -129,7 +129,8 @@
# Note that sshd uses pam_authenticate(3PAM) so the root (or any other) user
# maybe denied access by a PAM module regardless of this setting.
# Valid options are yes, without-password, no.
-PermitRootLogin no
+#PermitRootLogin no
+PermitRootLogin yes
# sftp subsystem
Subsystem sftp /usr/lib/ssh/sftp-server
EOT

Host Key Has Changed

Reconfigure of desthost - this happens when you (re-)install Solaris.
You can avoid it by restoring /etc/ssh/ssh_host_\*_key\*. Otherwise:

bash$ ssh katie
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Someone could be eavesdropping on you right now(man-in-the-middle attack)
It is also possible that the RSA host key has been changed.
The fingerprint for the RSA key sent by the remote host is
md5 8e:c4:53:93:64:5b:2d:b4:f8:e9:a8:9c:d9:95:4a:70.
Please contact your system administrator.
Add correct host key in /home/tc35445/.ssh/known_hosts
Offending key is entry 3 in /home/tc35445/.ssh/known_hosts
RSA host key for katie has changed and you have requested strict checking.

Solution - remove the "katie" entry in ~/.ssh/known_hosts and
log-in again - ssh will put a new host key in for you.

Join the discussion

Comments ( 1 )
  • Dick Davies Wednesday, February 28, 2007
    If you want to login as root using DSA/RSA keys, then use the
    PermitRootLogin without-password
    instead. This allows key logins but not password logins, so the account can't be brute forced.
    ANd 'man ssh-agent' when you get a chance, makes managing rsa passwords much much easier.
Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.Captcha