Page not found – ShopingServer Wiki https://wiki.shopingserver.com Tutorials and Articles About Technology and Gadgets Wed, 02 Sep 2020 02:24:01 +0000

OpenSSH Config File Examples https://wiki.shopingserver.com/openssh-config-file-examples-2/ Sat, 06 Jan 2018 09:39:40 +0000

How do I create and set up an OpenSSH config file to create shortcuts for servers I frequently access under Linux or Unix desktop operating systems?

 

An SSH client configuration file, global or per-user, can define shortcuts for the sshd servers you connect to, including advanced ssh client options. You can configure your OpenSSH ssh client using the following files to save time and avoid retyping frequently used ssh command line options such as port, user, hostname, identity file and more:

System-wide SSH client configuration files

/etc/ssh/ssh_config : This file sets the default configuration for all users of OpenSSH clients on that desktop/laptop and must be readable by all users on the system.

User-specific SSH client configuration files

~/.ssh/config or $HOME/.ssh/config : This is the user’s own configuration file, which overrides the settings in the global client configuration file, /etc/ssh/ssh_config.

~/.ssh/config file rules

The rules for creating an ssh config file are as follows:

You need to edit ~/.ssh/config with a text editor such as vi.

One config parameter per line is allowed in the configuration file with the parameter name followed by its value or values. The syntax is:

config value

config1 value1 value2

You can use an equal sign (=) instead of whitespace between the parameter name and the values.

config=value

config1=value1 value2

All empty lines are ignored.

All lines starting with the hash (#) are ignored.

All values are case-sensitive, but parameter names are not.

Tip : If this is a brand new Linux, Apple OS X/Unix box, or if you have never used ssh before, create the ~/.ssh/ directory first using the following syntax:

mkdir -p $HOME/.ssh

chmod 0700 $HOME/.ssh

Examples

For demonstration purposes my sample setup is as follows:

Local desktop client – Apple OS X or Ubuntu Linux.

Remote Unix server – OpenBSD server running latest OpenSSH server.

Remote OpenSSH server ip/host: 75.126.153.206 (server1.cyberciti.biz)

Remote OpenSSH server user: nixcraft

Remote OpenSSH port: 4242

Local ssh private key file path : /nfs/shared/users/nixcraft/keys/server1/id_rsa

Based upon the above information my ssh command is as follows:

$ ssh -i /nfs/shared/users/nixcraft/keys/server1/id_rsa -p 4242 nixcraft@server1.cyberciti.biz

 

OR

$ ssh -i /nfs/shared/users/nixcraft/keys/server1/id_rsa -p 4242 -l nixcraft server1.cyberciti.biz

You can avoid typing all of the ssh command parameters when logging into a remote machine and/or executing commands on it. All you have to do is create an ssh config file. Open the Terminal application and create your config file by typing the following command:

## edit file in $HOME dir ##
vi ~/.ssh/config

OR

## edit file in $HOME dir ##
vi $HOME/.ssh/config

Add/append the following config options for a shortcut to server1 as per our sample setup:

Host server1

HostName server1.cyberciti.biz

User nixcraft

Port 4242

IdentityFile /nfs/shared/users/nixcraft/keys/server1/id_rsa

Save and close the file. To open a new SSH session to server1.cyberciti.biz, type the following command:

$ ssh server1

Adding another host

Append the following to your ~/.ssh/config file:

Host nas01

HostName 192.168.1.100

User root

IdentityFile ~/.ssh/nas01.key

You can simply type:

$ ssh nas01

Putting it all together

Here is my sample ~/.ssh/config file covering several different remote-access needs. Note that ssh uses the first value it obtains for each parameter, so the host-specific sections must come before the global Host * defaults (otherwise Host * would win, and server1 would silently connect on port 22 and nas01 as user nixcraft):

## override as per host ##
Host server1
HostName server1.cyberciti.biz
User nixcraft
Port 4242
IdentityFile /nfs/shared/users/nixcraft/keys/server1/id_rsa

## Home nas server ##
Host nas01
HostName 192.168.1.100
User root
IdentityFile ~/.ssh/nas01.key

## Login AWS Cloud ##
Host aws.apache
HostName 1.2.3.4
User wwwdata
IdentityFile ~/.ssh/aws.apache.key

## Login to internal lan server at 192.168.0.251 via our public uk office ssh based gateway using ##
## $ ssh uk.gw.lan ##
Host uk.gw.lan uk.lan
HostName 192.168.0.251
User nixcraft
ProxyCommand ssh nixcraft@gateway.uk.cyberciti.biz nc %h %p 2> /dev/null

## Our US proxy server ##
## Forward all local port 3128 traffic to port 3128 on the remote vps1.cyberciti.biz server ##
## $ ssh -f -N proxyus ##
Host proxyus
HostName vps1.cyberciti.biz
User breakfree
IdentityFile ~/.ssh/vps1.cyberciti.biz.key
LocalForward 3128 127.0.0.1:3128

## default for all hosts (first value wins, so this block goes last) ##
Host *
ForwardAgent no
ForwardX11 no
ForwardX11Trusted yes
User nixcraft
Port 22
Protocol 2
ServerAliveInterval 60
ServerAliveCountMax 30

Understanding ~/.ssh/config entries

Host : Defines for which host or hosts the configuration section applies. The section ends with a new Host section or the end of the file. A single * as a pattern can be used to provide global defaults for all hosts.

HostName : Specifies the real host name to log into. Numeric IP addresses are also permitted.

User : Defines the username for the SSH connection.

IdentityFile : Specifies a file from which the user’s RSA, DSA or ECDSA authentication identity is read. The default is ~/.ssh/identity for protocol version 1, and ~/.ssh/id_dsa, ~/.ssh/id_ecdsa and ~/.ssh/id_rsa for protocol version 2.

ProxyCommand : Specifies the command to use to connect to the server. The command string extends to the end of the line, and is executed with the user’s shell. In the command string, any occurrence of %h will be substituted by the host name to connect, %p by the port, and %r by the remote user name. The command can be basically anything, and should read from its standard input and write to its standard output. This directive is useful in conjunction with nc(1) and its proxy support. For example, the following directive would connect via an HTTP proxy at 192.1.0.253:

ProxyCommand /usr/bin/nc -X connect -x 192.1.0.253:3128 %h %p

LocalForward : Specifies that a TCP port on the local machine be forwarded over the secure channel to the specified host and port from the remote machine. The first argument must be [bind_address:]port and the second argument must be host:hostport.

Port : Specifies the port number to connect on the remote host.

Protocol : Specifies the protocol versions ssh(1) should support in order of preference. The possible values are 1 and 2.

ServerAliveInterval : Sets a timeout interval in seconds after which if no data has been received from the server, ssh(1) will send a message through the encrypted channel to request a response from the server. See blogpost “Open SSH Server connection drops out after few or N minutes of inactivity” for more information.

ServerAliveCountMax : Sets the number of server alive messages which may be sent without ssh(1) receiving any messages back from the server. If this threshold is reached while server alive messages are being sent, ssh will disconnect from the server, terminating the session.
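
To make the Host matching, the first-obtained-value rule and the %h/%p/%r substitution described above concrete, here is an added example (my own code, not from the article or from OpenSSH): a small Python resolver run over a constructed sample modelled on the "Putting it all together" file, with Host * placed first to show what goes wrong and a helper that moves it last. All function names and the sample text are my own constructions.

```python
import re

# Constructed sample modelled on the "Putting it all together" file above.
# The global "Host *" block is deliberately placed FIRST so that the
# first-value-wins rule can be demonstrated and then fixed.
SAMPLE_CONFIG = """\
## default for all ##
Host *
ForwardAgent no
User nixcraft
Port 22
ServerAliveInterval 60

## override as per host ##
Host server1
HostName server1.cyberciti.biz
Port=4242
IdentityFile /nfs/shared/users/nixcraft/keys/server1/id_rsa

## Home nas server ##
Host nas01
HostName 192.168.1.100
User root
IdentityFile ~/.ssh/nas01.key

## internal lan server via the uk office gateway ##
Host uk.gw.lan uk.lan
HostName 192.168.0.251
ProxyCommand ssh nixcraft@gateway.uk.cyberciti.biz nc %h %p 2> /dev/null
"""

# keyword, then either '=' or whitespace, then the value (rest of the line)
_LINE_RE = re.compile(r"^([A-Za-z0-9]+)\s*(?:=\s*|\s+)(.*?)\s*$")


def parse_ssh_config(text):
    """Split ssh_config text into [(host_patterns, [(keyword, value), ...]), ...].

    Keywords are case-insensitive (stored lower-case), values are not; blank
    lines and '#' comments are ignored; 'key value' and 'key=value' both work.
    Options before the first Host line apply to every host (implicit 'Host *').
    """
    sections = [(["*"], [])]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError("bad ssh_config line: %r" % raw)
        key, value = m.group(1).lower(), m.group(2)
        if key == "host":
            sections.append((value.split(), []))
        else:
            sections[-1][1].append((key, value))
    return sections


def _glob_match(pattern, host):
    """ssh-style pattern: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, host) is not None


def section_applies(patterns, host):
    """A matching '!pattern' vetoes the section; otherwise any positive match applies."""
    if any(_glob_match(p[1:], host) for p in patterns if p.startswith("!")):
        return False
    return any(_glob_match(p, host) for p in patterns if not p.startswith("!"))


def resolve(sections, host):
    """Apply the ssh_config rule: the FIRST value obtained for a keyword is used."""
    result = {}
    for patterns, options in sections:
        if section_applies(patterns, host):
            for key, value in options:
                result.setdefault(key, value)      # later values are ignored
    result.setdefault("hostname", host)            # HostName defaults to the alias
    result.setdefault("port", "22")
    return result


def expand_tokens(value, resolved):
    """Expand %h (host name), %p (port), %r (remote user) and %% in a value."""
    table = {"h": resolved["hostname"], "p": resolved["port"],
             "r": resolved.get("user", ""), "%": "%"}
    return re.sub(r"%([hpr%])", lambda m: table[m.group(1)], value)


def move_global_defaults_last(sections):
    """Fix for the ordering pitfall: host-specific blocks first, 'Host *' last."""
    specific = [s for s in sections if s[0] != ["*"]]
    return specific + [s for s in sections if s[0] == ["*"]]


def demo_ordering():
    """Resolve server1 and nas01 with Host * first (as on the page) and then last."""
    as_written = parse_ssh_config(SAMPLE_CONFIG)
    fixed = move_global_defaults_last(as_written)
    return (resolve(as_written, "server1")["port"], resolve(fixed, "server1")["port"],
            resolve(as_written, "nas01")["user"], resolve(fixed, "nas01")["user"])
```

demo_ordering() returns ("22", "4242", "nixcraft", "root"): with Host * first, server1 gets port 22 and nas01 logs in as nixcraft; with Host * last the per-host values apply.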

Speed up ssh session

Multiplexing means sending more than one ssh session over a single connection. OpenSSH can reuse an existing TCP connection for multiple concurrent SSH sessions, which removes the overhead of creating a new TCP connection (and repeating key exchange and authentication) for each one. Update your ~/.ssh/config:

Host server1
HostName server1.cyberciti.biz
ControlPath ~/.ssh/controlmasters/%r@%h:%p
ControlMaster auto

The ~/.ssh/controlmasters/ directory must already exist (create it with mkdir -m 0700 ~/.ssh/controlmasters); ssh does not create it and falls back to an unmultiplexed connection, with a warning, if it is missing. Keep the directory private, since anyone who can access the control socket can open sessions on the master connection without authenticating again.

See “Linux / Unix: OpenSSH Multiplexer To Speed Up OpenSSH Connections” for more info. In the next example, I go through one host (a jump host) to reach another server using ProxyCommand with ssh -W, which forwards the connection to %h:%p from the jump host without running a command there:

## ~/.ssh/config ##
Host internal
HostName 192.168.1.100
User vivek
ProxyCommand ssh vivek@vpn.nixcraft.net.in -W %h:%p
ControlPath ~/.ssh/controlmasters/%r@%h:%p
ControlMaster auto

For more info see following tutorials:

How To Reuse SSH Connection To Speed Up Remote Login Process Using Multiplexing

How To Setup SSH Keys on a Linux / Unix System

A note about shell aliases (outdated method)

WARNING! This bash shell alias based setup may work for you. However, I recommend that you use the ~/.ssh/config file for better results in the long run; an SSH config file is the more capable and elegant solution. The alias command is only shown here for demonstration and for historical reasons.

An alias is nothing but a shortcut to a command. You can create the alias using the following syntax in your ~/.bashrc file:

## create a new bash shell alias as follows ##
alias server1='ssh -i /nfs/shared/users/nixcraft/keys/server1/id_rsa -p 4242 nixcraft@server1.cyberciti.biz'

Then, to ssh into server1, instead of typing the full ssh -i /nfs/shared/users/nixcraft/keys/server1/id_rsa -p 4242 nixcraft@server1.cyberciti.biz command, you only have to type the command ‘server1’ and press the [ENTER] key:

$ server1

References

See ssh_config(5) for more information on syntax and some of the other available options.

Top 20 OpenSSH Server Best Security Practices

 

 

Change Password Using passwd Command Over SSH Based Session https://wiki.shopingserver.com/change-password-using-passwd/ Sat, 06 Jan 2018 09:37:19 +0000

I’m a new Ubuntu Linux user. I back up files to our corporate Unix backup server using the rsync command. The server only allows uploading and downloading files.

I am unable to log in to the server. How do I change my password using the passwd command over an ssh based session?

 

For security reasons, your ssh based account has limited access to the server. You can only upload or download files using scp, sftp, rsync and so on, and you may execute only a limited number of commands such as passwd, ls and so on.

Also, it is a good idea to change your password every month or at least every four months. Use a combination of letters (upper and lower case), numbers, and special characters in your password to safeguard your account, and choose a password of at least ten characters.

Syntax

The syntax is:

ssh -t user@server-name-here passwd

Where,

-t : This option forces pseudo-tty allocation. It can be used to execute arbitrary screen-based programs (such as passwd) on a remote machine, which can be very useful, e.g. when implementing menu services. Multiple -t options force tty allocation even if ssh has no local tty.

Examples

In this example, change the password for the user called nixcraft on server1.cyberciti.biz by issuing the passwd command over ssh:

ssh -t nixcraft@server1.cyberciti.biz passwd

ssh -t vivek@nas01 passwd

Sample outputs:

Animated gif 01: Change password using the passwd command over ssh

Warning: If you skip the -t option, either you will see the password in plain text on screen or you will get an error that reads as follows:

passwd: pam_chauthtok(): conversation failure

In this example, the password for the user called vivek on nas01 is changed by issuing the passwd command without the -t option over ssh:

ssh nixcraft@server1.cyberciti.biz passwd

ssh vivek@nas01 passwd

Sample outputs:

Animated gif 02: Change password using the passwd command without -t option over ssh. Note the password is shown in clear text.

See also

Read the man pages for more info: ssh(1), passwd(1)

 

 

OpenBSD: Reload / Restart / Stop dhcpd Server Command https://wiki.shopingserver.com/openbsd-reload-restart-stop-dhcpd-server-command/ Sat, 06 Jan 2018 09:10:03 +0000

I manage MS-Windows servers and recently started to play with an OpenBSD server. How do I reload or restart the dhcpd server on OpenBSD from the shell command line?

 

If you made changes to the configuration of your DHCP (dhcpd) server, you will have to stop and restart the server manually. On OpenBSD and Unix-like operating systems, you kill the dhcpd server and restart it manually. Another option is to send HUP (SIGHUP) to the dhcpd server.

Method #1: Find the dhcpd PID and kill it

Type the following ps command as the root user to find the dhcpd PID:

# ps ax | grep dhcpd

 

Sample outputs:

USER       PID %CPU %MEM   VSZ   RSS TT   STAT STARTED       TIME COMMAND

_dhcp    13420  0.0  0.1   588   568 ??  Ss    10:27PM    0:00.04 dhcpd re0

Kill that process with the kill command:

# kill -9 13420

To start dhcpd, type the following commands:

# touch /var/db/dhcpd.leases

# dhcpd -q re0

Method #2: Say hello to /etc/rc.d/dhcpd script

You can skip all of the above commands. Use the rc script as follows to start, stop, restart, and check the dhcpd server on OpenBSD:

/etc/rc.d/dhcpd start

/etc/rc.d/dhcpd stop

/etc/rc.d/dhcpd restart

/etc/rc.d/dhcpd check

 

 

CentOS Linux 5/6: Change OpenSSH Port Number https://wiki.shopingserver.com/centos-linux-5-6-change-openssh-port-number/ Sat, 06 Jan 2018 08:40:42 +0000

I am a new CentOS Linux user. How do I change the default sshd TCP port 22 to 2022 on CentOS Linux version 5/6?

 

You can set or specify the port number that the sshd server listens on. The default is TCP port 22.

Syntax: Change SSH port on a CentOS Linux

You can use either of the following options in the /etc/ssh/sshd_config file:

Port PortNumberHere

OR

ListenAddress IPv4Address:Port

ListenAddress IPv6Address:Port

ListenAddress Hostname:Port

If no port is given in a ListenAddress, sshd will listen on that address on all Port options specified before it. The default is to listen on all local IP addresses. Multiple ListenAddress options are allowed in sshd_config.

Run ssh on a non-standard port # 2022 using Port option

Edit /etc/ssh/sshd_config, enter:

# vi /etc/ssh/sshd_config

 

Edit/Append as follows to set Port to 2022:

Port 2022

 

Save and close the file.

CentOS run ssh on a non-standard port # 2022 using ListenAddress option

Note: If you have multiple IP addresses on the server, use ListenAddress as follows:

## bind sshd to two IP addresses on a non-standard port ##

ListenAddress 192.168.1.5:2022

ListenAddress 203.1.2.3:2022

Save and close the file.

Reload SSHD service

Before you restart or reload the sshd server, you need to update the:

SELinux configuration

Firewall settings

fail2ban settings

A note about OpenSSH SELinux user

If you are using SELinux, add TCP port 2022 to the port contexts for the OpenSSH server:

# semanage port -a -t ssh_port_t -p tcp 2022

Update firewall settings

You also need to update the firewall settings so that users can log in using TCP port 2022. Edit /etc/sysconfig/iptables and open sshd port 2022:

# vi /etc/sysconfig/iptables

 

Edit/append as follows:

## delete or comment out the port 22 line ##
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
## open port 2022 ##
-A INPUT -m state --state NEW -m tcp -p tcp --dport 2022 -j ACCEPT

Save and close the file. If you are using IPv6, edit the /etc/sysconfig/ip6tables file too. Temporarily stop the firewall so that you do not lose connectivity to the server (note that this leaves every port open until the firewall is started again; a safer alternative is to keep both the port 22 and the port 2022 rules in place until the new port is verified, and only then remove the port 22 rule):

# service iptables stop

# service ip6tables stop

Fail2ban settings

Fail2ban scans log files and bans IPs that show malicious signs: too many password failures, probing for exploits, ssh login attempts and so on. If you use fail2ban, you also have to update its rules for the new port number; see the comment below on how to do so.
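
Before running service sshd reload, the three prerequisites above can be checked offline. The following is an added example (not part of the article): it parses constructed fragments of sshd_config, /etc/sysconfig/iptables and semanage port -l output and reports the ports sshd will listen on that the firewall or SELinux would still block. The function names and the sample fragments are my own constructions.

```python
import re

# Constructed /etc/ssh/sshd_config fragment modelled on the article: Port 2022,
# plus ListenAddress lines with and without their own port.
SAMPLE_SSHD_CONFIG = """\
#Port 22
Port 2022
ListenAddress 192.168.1.5
ListenAddress 203.1.2.3:2022
ListenAddress [2001:db8::5]:2222
"""

# Constructed /etc/sysconfig/iptables fragment: port 22 is still open and the
# new port is not, the state in which reloading sshd locks you out.
SAMPLE_IPTABLES = """\
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""

# Constructed 'semanage port -l' output: only the default ssh port is labelled.
SAMPLE_SEMANAGE = """\
SELinux Port Type              Proto    Port Number
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
"""

_BRACKET_RE = re.compile(r"^\[[^\]]+\](?::(\d+))?$")    # [ipv6] or [ipv6]:port
_DPORT_RE = re.compile(r"-A\s+INPUT\b.*-p\s+tcp\b.*--dport\s+(\d+)\b.*-j\s+ACCEPT\b")


def listen_address_port(value):
    """Port named in a ListenAddress value, or None when the value has none."""
    m = _BRACKET_RE.match(value)
    if m:
        return int(m.group(1)) if m.group(1) else None
    if value.count(":") > 1:          # bare IPv6 address: the colons are not a port
        return None
    if ":" in value:                  # host:port or ipv4:port
        return int(value.rsplit(":", 1)[1])
    return None


def sshd_listen_ports(text):
    """Ports sshd will listen on: explicit ListenAddress ports, plus all prior
    Port options (default 22) for a ListenAddress without a port, or all Port
    options when there is no ListenAddress at all. Keywords are case-insensitive;
    '#' lines are comments; like sshd, a Port after a ListenAddress is rejected."""
    port_opts, explicit, seen_listen = [], set(), False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1]
        if key == "port":
            if seen_listen:
                raise ValueError("ports must be specified before ListenAddress")
            port_opts.append(int(value))
        elif key == "listenaddress":
            seen_listen = True
            port = listen_address_port(value)
            if port is None:
                explicit.update(port_opts or [22])
            else:
                explicit.add(port)
    if not seen_listen:
        explicit.update(port_opts or [22])
    return explicit


def firewall_open_tcp_ports(text):
    """TCP ports accepted by '-A INPUT ... -p tcp ... --dport N ... -j ACCEPT' rules."""
    ports = set()
    for line in text.splitlines():
        m = _DPORT_RE.search(line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def selinux_ssh_ports(text):
    """Ports labelled ssh_port_t/tcp in 'semanage port -l' output (ranges expanded)."""
    ports = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[:2] == ["ssh_port_t", "tcp"]:
            for tok in fields[2:]:
                lo, _, hi = tok.strip(",").partition("-")
                ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def preflight(sshd_text, iptables_text, semanage_text):
    """What would still block logins on the new port(s) after 'service sshd reload'."""
    listen = sshd_listen_ports(sshd_text)
    fw_open = firewall_open_tcp_ports(iptables_text)
    return {
        "listen": listen,
        "firewall_missing": listen - fw_open,
        "selinux_missing": listen - selinux_ssh_ports(semanage_text),
        "old_port_still_open": 22 in fw_open and 22 not in listen,
    }
```

On the constructed samples preflight() reports ports 2022 and 2222 missing from both the firewall and the ssh_port_t label, and port 22 still open in the firewall.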

Restart sshd on a CentOS

Type the following command to restart / reload the SSHD service:

# service sshd reload

Verify new port settings with the following netstat command:

# netstat -tulpn | grep sshd

Finally, start the firewall on CentOS Linux:

# service iptables start

## IPv6 ##

# service ip6tables start

How do I connect to ssh server on port # 2022 using ssh command?

The syntax is:

ssh -p PortNumberHere user@server-name-here

ssh -p PortNumberHere user@server-name-here commandNameHere

ssh -p 2022 nixcraft@192.168.1.5

ssh -p 2022 nixcraft@192.168.1.5 df

How do I connect to ssh server on port # 2022 using scp command?

The syntax is:

scp -P PortNumberHere source user@server-name-here:/path/to/dest

scp -P 2022 resume.pdf nixcraft@nas01:/backups/personal/nixcraft/files/

How do I connect to ssh server on port # 2022 using sftp command?

The syntax is:

sftp -P PortNumberHere user@server-name-here

sftp -P 2022 nixcraft@192.168.1.5

How do I connect to ssh server on port # 2022 using rsync command?

The syntax for using a different SSH port number with the rsync command is as follows:

rsync -av -e "ssh -p PORT-NUMBER-HERE" source user@server-name-here:/path/to/dest

So to back up /home/vivek/ to the home directory of the backupop user on server1.nixcraft.net.in at port number 2022 (a trailing colon means the remote user’s home directory), enter:

rsync -av -e "ssh -p 2022" /home/vivek/ backupop@server1.nixcraft.net.in:

I also suggest that you update your ~/.ssh/config ($HOME/.ssh/config) file to override the Port setting. This will save you some time whenever you use the ssh/scp/sftp commands.

See also

RHEL/Red Hat Change SSH Port

Man pages: sshd(8),sshd_config(5)

 

 

How To Setup SSH Keys on a Linux / Unix System https://wiki.shopingserver.com/setup-ssh-keys-linux-unix-system/ Sat, 06 Jan 2018 08:12:36 +0000

I recently read that SSH keys provide a secure way of logging into a Linux or Unix-based server. How do I set up SSH keys on a Linux or Unix based system?

In SSH for Linux/Unix, how do I set up public key authentication?

 

I am assuming that you are using a Linux or Unix-like server and client with the following software:

OpenSSH SSHD server

OpenSSH ssh client and friends on Linux (Ubuntu, Debian, {Free,Open,Net}BSD, RHEL, CentOS, MacOS/OSX, AIX, HP-UX and co).

What is public key authentication?

OpenSSH server supports various authentication schemes. The two most popular are as follows:

Password based authentication

Public key based authentication. This is an alternative to using passwords and is the recommended method on a VPS, cloud, dedicated or even home based server.

How to set up SSH keys

Steps to set up secure ssh keys:

Create the key pair using ssh-keygen command.

Copy and install the public key using ssh-copy-id command.

Add yourself to the sudo admin account.

Disable the password login for root account.

Let us see all the steps in detail.

How do I set up public key authentication?

You must generate both a public and a private key pair. For example:

Fig.01: Our sample setup

 

Where,

server1.cyberciti.biz – The remote Linux/Unix based server on which you have an account; your public key is stored here.

client1.cyberciti.biz – Your private key stays on the desktop/laptop/computer (or local server) you use to connect to server1.cyberciti.biz. Do not share or give your private key file to anyone.

With the public key based method you can log into remote hosts and servers, and transfer files to them, without using your account password.

Feel free to replace the server1.cyberciti.biz and client1.cyberciti.biz names with your actual setup. Enough talk, let’s set up public key authentication. Open the Terminal and type the following commands if the .ssh directory does not exist:

mkdir -p $HOME/.ssh

chmod 0700 $HOME/.ssh

#1: Create the key pair

On the client computer (such as client1.cyberciti.biz), generate a key pair for the protocol:

ssh-keygen -t rsa

Sample outputs:

Generating public/private rsa key pair.
Enter file in which to save the key (/Users/vivek/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/vivek/.ssh/id_rsa.
Your public key has been saved in /Users/vivek/.ssh/id_rsa.pub.
The key fingerprint is:
80:5f:25:7c:f4:90:aa:e1:f4:a0:01:43:4e:e8:bc:f5 vivek@desktop01
The key's randomart image is:
+--[ RSA 2048]----+
| oo    ...+.     |
|.oo  .  .ooo     |
|o .o. . .o  .    |
| o ...+o.        |
|  o .=.=S        |
| .  .Eo .        |
+-----------------+

You need to set the key pair location and name. I recommend you use the default location if you do not yet have another key there, for example $HOME/.ssh/id_rsa. You will be prompted to supply a passphrase (password) for your private key; I suggest that you set a passphrase when prompted, since it protects the key if the file is ever copied. You should see two new files in the $HOME/.ssh/ directory:

$HOME/.ssh/id_rsa – contains your private key.

$HOME/.ssh/id_rsa.pub – contains your public key.

Optional syntax for advanced users

The following syntax creates an RSA key of 4096 bits (the default is 2048):

$ ssh-keygen -t rsa -b 4096 -f ~/.ssh/vps-cloud.web-server.key -C "My web-server key"

Where,

-t rsa : Specifies the type of key to create. The possible values are “rsa1” for protocol version 1 and “dsa”, “ecdsa”, “ed25519”, or “rsa” for protocol version 2.

-b 4096 : Specifies the number of bits in the key to create.

-f ~/.ssh/vps-cloud.web-server.key : Specifies the filename of the key file.

-C "My web-server key" : Sets a new comment.

#2: Install the public key on the remote server

Use the scp or ssh-copy-id command to copy your public key file (e.g., $HOME/.ssh/id_rsa.pub) to your account on the remote server/host (e.g., nixcraft@server1.cyberciti.biz). To do so, enter the following command on client1.cyberciti.biz:

ssh-copy-id -i $HOME/.ssh/id_rsa.pub user@server1.cyberciti.biz

OR just copy the public key to the remote server as authorized_keys in the ~/.ssh/ directory (this overwrites any existing authorized_keys file there):

scp $HOME/.ssh/id_rsa.pub user@server1.cyberciti.biz:~/.ssh/authorized_keys

A note about appending the public key on the remote server

On some systems the ssh-copy-id command may not be installed, so use the following commands (when prompted, provide the password for the remote user account called vivek) to create the directory and append the public key:

## First create the .ssh directory on the server

ssh vivek@server1.cyberciti.biz 'umask 077; test -d .ssh || mkdir .ssh'

## cat the local id_rsa.pub file and pipe it over ssh to append the public key on the remote server

cat $HOME/.ssh/id_rsa.pub | ssh vivek@server1.cyberciti.biz 'cat >> .ssh/authorized_keys'
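The manual append above works, but running it twice leaves duplicate lines and it relies on the directory already having safe permissions. The following shell function is an added example, not code from the original page: it installs a public key into an authorized_keys file idempotently and enforces the 0700/0600 modes that sshd's StrictModes check expects; the key line and paths used in the demo are constructed placeholders, not real key material.

```shell
# Added example, not code from the original page: do what the manual
# "cat id_rsa.pub | ssh 'cat >> .ssh/authorized_keys'" step does, but idempotently
# (no duplicate lines) and with the permissions sshd's StrictModes check requires
# (~/.ssh 0700, authorized_keys 0600). Only key type and base64 blob are compared,
# because the trailing comment is free text.
# Usage: install_pubkey <pubkey-file> [<authorized_keys-path>]
# Returns 0 when the key was added or already present, 1 on a malformed key file.
install_pubkey() {
    pubkey_file=$1
    auth_keys=${2:-$HOME/.ssh/authorized_keys}
    ssh_dir=$(dirname "$auth_keys")

    # A .pub file holds exactly one line: "<type> <base64-blob> [comment]".
    [ -r "$pubkey_file" ] || return 1
    [ "$(wc -l < "$pubkey_file" | tr -d ' ')" -le 1 ] || return 1
    key=$(head -n 1 "$pubkey_file")
    set -- $key                         # $1=type $2=blob $3=first comment word
    case "${1:-}" in
        ssh-rsa|ssh-ed25519|ssh-dss|ecdsa-sha2-*|sk-*) ;;
        *) echo "install_pubkey: not a public key line: '$key'" >&2; return 1 ;;
    esac
    [ -n "${2:-}" ] || return 1         # key type without key material

    # Same umask as the page's manual step: nothing is created readable by others.
    (umask 077 && mkdir -p "$ssh_dir" && touch "$auth_keys") || return 1
    chmod 0700 "$ssh_dir" && chmod 0600 "$auth_keys" || return 1

    if awk -v t="$1" -v b="$2" '$1 == t && $2 == b { found = 1 } END { exit !found }' "$auth_keys"; then
        echo "already present: $1 ${3:-}"
    else
        printf '%s\n' "$key" >> "$auth_keys"
        echo "added: $1 ${3:-}"
    fi
}

# Stand-alone demo in a throwaway directory with a constructed (not real) key.
demo_dir=$(mktemp -d)
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEnotARealKey00000000000000 vivek@client1\n' \
    > "$demo_dir/id_demo.pub"
install_pubkey "$demo_dir/id_demo.pub" "$demo_dir/.ssh/authorized_keys"   # prints "added: ..."
install_pubkey "$demo_dir/id_demo.pub" "$demo_dir/.ssh/authorized_keys"   # prints "already present: ..."
rm -rf "$demo_dir"
```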

#3: Test it (type the command on client1.cyberciti.biz)

The syntax is:

ssh user@server1.cyberciti.biz

Or copy a text file called foo.txt:

scp foo.txt user@server1.cyberciti.biz:/tmp/

You will be prompted for the key's passphrase. To avoid typing the passphrase every time you log into the remote host, use the ssh-agent and ssh-add commands.

What are ssh-agent and ssh-add, and how do I use them?

To avoid typing the passphrase for the current session, add your key to ssh-agent, and you will not be prompted for the passphrase when using ssh or scp/sftp/rsync to connect to hosts that have your public key. The syntax is as follows:

eval $(ssh-agent)

Type the ssh-add command; it prompts for the private key passphrase and adds the key to the list maintained by ssh-agent:

ssh-add

Enter your private key passphrase. Now try again to log into user@server1.cyberciti.biz; you will not be prompted for the passphrase:

ssh user@server1.cyberciti.biz

#4: Disable password based login on the server

Log in to your server, type:

## client commands

eval $(ssh-agent)

ssh-add

ssh user@server1.cyberciti.biz

Edit /etc/ssh/sshd_config on server1.cyberciti.biz using a text editor such as nano or vim:

Warning: Make sure you add yourself to the sudoers file first. Otherwise you will not be able to log in as root later on. See “How To Add, Delete, and Grant Sudo Privileges to Users on a FreeBSD Server” for more info.

$ sudo vim /etc/ssh/sshd_config

OR jump directly to the PermitRootLogin line using the vim text editor:

$ sudo vim +/PermitRootLogin /etc/ssh/sshd_config

Find PermitRootLogin and set it as follows:

PermitRootLogin no

Save and close the file. I am going to add a user named vivek to the sudo group (sudoers) on Ubuntu Linux:

# adduser vivek sudo

Finally, reload or restart the sshd server; type the command for your Linux/Unix version:

## CentOS/RHEL/Fedora (older version) Linux server reload sshd

sudo service sshd reload

## CentOS/RHEL/Fedora (latest version, i.e. systemd based) Linux server reload sshd

sudo systemctl reload sshd

## Debian/Ubuntu Linux (older version) server reload sshd

sudo /etc/init.d/ssh reload

## Debian/Ubuntu Linux (systemd based latest) server reload sshd

sudo systemctl reload ssh

## Generic Unix method to reload sshd

sudo kill -HUP `cat /var/run/sshd.pid`

OR

sudo kill -HUP $(cat /var/run/sshd.pid)

#5: How to add or replace the passphrase of an existing private key?

To change your passphrase, type the following command:

ssh-keygen -p

#6: How to back up an existing private/public key?

Just copy the files to your backup server or an external USB pen/hard drive:

## Copy files to a home-based NAS server

rsync -avr $HOME/.ssh user@home.nas-server:/path/to/encrypted/nas/partition/

## Copy files to a USB pen drive mounted at /mnt/usb

cp -avr $HOME/.ssh/ /mnt/usb/backups/

How do I protect my ssh keys?

Always use a strong passphrase.

Do not share your private keys anywhere online or store them in insecure cloud storage.

Restrict the privileges of the account.

How do I create and setup an OpenSSH config file to create shortcuts for servers I frequently access?

See how to create and use an OpenSSH ssh_config file for more info.

See also

keychain: Set Up Secure Passwordless SSH Access For Backup Scripts

Ubuntu / Debian Linux Server Install Keychain SSH Key Manager For OpenSSH

Man pages – ssh(1), ssh-agent(1), ssh-add(1), ssh-keygen(1)

And, there you have it, ssh set up with public key based authentication for Linux or Unix-like systems.
X11 forwarding request failed on channel 0 Error and Solution https://wiki.shopingserver.com/x11-forwarding-request-failed-channel-0-error-solution/ Sat, 06 Jan 2018 08:07:40 +0000

I am a new Linux server user. I need to tunnel X over ssh. I type the following command from an OS X Unix terminal to log into far_away_machine (a CentOS server):

ssh -X -o options -A -p 22 user@centos-far-away-server

But, I am getting the following error on screen:

X11 forwarding request failed on channel 0

Last login: Sun Mar 23 15:58:51 2014 from 1.2.3.4

How do I fix “X11 forwarding request failed on channel 0” on Linux or Unix-like systems?

 

You may get this error when you try to display a server management app or any other X app. With X11 forwarding you can run a graphical application on the server and have its window displayed on your desktop. To fix this issue, make sure the OpenSSH sshd is configured as follows.

Fixing “X11 forwarding request failed on channel 0” on a Linux/Unix based server

Log in to your centos-far-away-server, enter:

$ ssh -A -p 22 user@centos-far-away-server

Edit the /etc/ssh/sshd_config file, enter:

$ sudo vi /etc/ssh/sshd_config

Set the following two options:

X11Forwarding yes

X11UseLocalhost no

Save and close the file. Reload sshd, enter:

$ sudo /etc/init.d/sshd reload

Sample outputs:

Reloading sshd:                                            [  OK  ]
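Both the PermitRootLogin change in step #4 of the SSH key article above and the two X11 directives just set only take effect if sshd actually reads them: sshd keeps the first value it sees for a keyword, and a later duplicate line is silently ignored. The shell functions below are an added example, not code from the original page; they print the effective value of a keyword from a given sshd_config path and audit the settings both articles touch (PasswordAuthentication covers the password login that the #4 heading refers to, and X11UseLocalhost no is reported as a warning because it binds the forwarded display to all interfaces instead of loopback). The sample file in the demo is constructed, and the code assumes the file contains no Match blocks.

```shell
# Added example, not code from the original page. sshd keeps the FIRST value it
# reads for a keyword, skips comments and blank lines, matches keyword names
# case-insensitively and accepts "Keyword value" or "Keyword=value", so a
# "PermitRootLogin no" placed below an earlier "PermitRootLogin yes" does nothing.
# Assumption: the file has no Match blocks (reading stops at the first one).
# Usage: sshd_effective <file> <keyword>   prints the value, or "(default)"
#        sshd_audit <file>                 exit 1 when a "fail" check is off
sshd_effective() {
    awk -v kw="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        { sub(/^[ \t]+/, "") }                       # drop indentation
        /^(#|$)/ { next }                            # comment or blank line
        { split($0, f, /[ \t=]+/) }                  # f[1]=keyword, f[2]=value
        tolower(f[1]) == "match" { exit }            # conditional section starts
        tolower(f[1]) == kw { print f[2]; found = 1; exit }
        END { if (!found) print "(default)" }
    ' "$1"
}

sshd_audit() {
    rc=0
    # Table: keyword, wanted value, compiled-in default ("unset" where it varies
    # by OpenSSH version, so an explicit line is required), severity.
    # X11UseLocalhost=no binds the forwarded X display to the wildcard address
    # instead of loopback, so other hosts can reach it; that is a warning.
    while read -r kw want dflt sev; do
        got=$(sshd_effective "$1" "$kw")
        [ "$got" = "(default)" ] && got=$dflt
        if [ "$got" = "$want" ]; then
            echo "ok    $kw = $want"
        else
            echo "$sev  $kw = $got (want $want)"
            [ "$sev" = fail ] && rc=1
        fi
    done <<EOF
PermitRootLogin no unset fail
PasswordAuthentication no yes fail
PubkeyAuthentication yes yes fail
X11UseLocalhost yes yes warn
EOF
    return $rc
}

# Stand-alone demo on a constructed file, not a real server's configuration:
# the final PermitRootLogin line is dead because the first one wins.
demo=$(mktemp)
cat > "$demo" <<'EOF'
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding yes
X11UseLocalhost no
PermitRootLogin no
EOF
sshd_audit "$demo" || echo "audit failed with exit status $?"
rm -f "$demo"
```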

Install the X authority file utility

You need to install the xauth tool using the yum command:

$ sudo yum install xauth

Sample outputs:

Loaded plugins: downloadonly, fastestmirror, security

Loading mirror speeds from cached hostfile

* base: mirrors.tummy.com

* epel: mirror.steadfast.net

* extras: centos-mirror.jchost.net

* updates: centos.hostingxtreme.com

Setting up Install Process

Resolving Dependencies

--> Running transaction check

---> Package xorg-x11-xauth.x86_64 1:1.0.2-7.1.el6 will be installed

--> Processing Dependency: libXmuu.so.1()(64bit) for package: 1:xorg-x11-xauth-1.0.2-7.1.el6.x86_64

--> Running transaction check

---> Package libXmu.x86_64 0:1.1.1-2.el6 will be installed

--> Processing Dependency: libXt.so.6()(64bit) for package: libXmu-1.1.1-2.el6.x86_64

--> Running transaction check

---> Package libXt.x86_64 0:1.1.3-1.el6 will be installed

--> Finished Dependency Resolution

 

Dependencies Resolved

 

===========================================================================================================

Package                      Arch                 Version                        Repository          Size

===========================================================================================================

Installing:

xorg-x11-xauth               x86_64               1:1.0.2-7.1.el6                base                35 k

Installing for dependencies:

libXmu                       x86_64               1.1.1-2.el6                    base                66 k

libXt                        x86_64               1.1.3-1.el6                    base               184 k

 

Transaction Summary

===========================================================================================================

Install       3 Package(s)

 

Total download size: 285 k

Installed size: 681 k

Is this ok [y/N]: y

Downloading Packages:

(1/3): libXmu-1.1.1-2.el6.x86_64.rpm                                                |  66 kB     00:00

(2/3): libXt-1.1.3-1.el6.x86_64.rpm                                                 | 184 kB     00:00

(3/3): xorg-x11-xauth-1.0.2-7.1.el6.x86_64.rpm                                      |  35 kB     00:00


Total                                                                      1.2 MB/s | 285 kB     00:00

Running rpm_check_debug

Running Transaction Test

Transaction Test Succeeded

Running Transaction

Installing : libXt-1.1.3-1.el6.x86_64                                                                1/3

Installing : libXmu-1.1.1-2.el6.x86_64                                                               2/3

Installing : 1:xorg-x11-xauth-1.0.2-7.1.el6.x86_64                                                   3/3

Verifying  : libXmu-1.1.1-2.el6.x86_64                                                               1/3

Verifying  : libXt-1.1.3-1.el6.x86_64                                                                2/3

Verifying  : 1:xorg-x11-xauth-1.0.2-7.1.el6.x86_64                                                   3/3

 

Installed:

xorg-x11-xauth.x86_64 1:1.0.2-7.1.el6

 

Dependency Installed:

libXmu.x86_64 0:1.1.1-2.el6                          libXt.x86_64 0:1.1.3-1.el6

 

Complete!

Try the ssh command as follows:

$ ssh -X -o options -A -p 22 user@centos-far-away-server

Sample outputs:

Last login: Sun Mar 23 16:25:09 2014 from 1.2.3.4

/usr/bin/xauth:  creating new authority file /home/vivek/.Xauthority

Once you have the ~/.Xauthority file, you can run X apps over ssh as follows:

$ xeyes &

$ my-cool-raid-app-manager &

Tip: Finding issues with X over ssh

If you still need hints, run the ssh command as follows to debug problems:

$ ssh -v user@server-name-here
Fix: /bin/dbus-launch terminated abnormally without any error message and solution https://wiki.shopingserver.com/fix-bin-dbus-launch-terminated-abnormally-without-error-message-solution/ Sat, 06 Jan 2018 08:05:50 +0000

I am a new Linux server user. I need to tunnel X over ssh. I type the following commands to log into a CentOS/RHEL based remote host and get its display on my local desktop:

ssh -X user@server1.cyberciti.biz

xeyes &

firefox &

But, I am getting an error that reads as follows:

**error**: Failed to contact configuration server; some possible causes are that you need to enable TCP/IP networking for ORBit, or you have stale NFS locks due to a system crash. See http://projects.gnome.org/gconf/ for information. (Details – 1: Failed to get connection to session: /bin/dbus-launch terminated abnormally without any error message)

How do I fix this error on a newly formatted/installed RHEL or CentOS Linux 6.x server?

You need to install D-Bus. It is nothing but a message bus system, a simple way for applications to talk to one another. In addition to interprocess communication, D-Bus helps coordinate process lifecycle; it makes it simple and reliable to code a “single instance” application or daemon, and to launch applications and daemons on demand when their services are needed. You also need to install Fonts on a CentOS/RHEL based system.

To fix “/bin/dbus-launch terminated abnormally without any error message” on CentOS/RHEL

Type the following yum command to install D-Bus (the fonts are installed in a separate step below):

$ sudo yum install dbus-x11

Sample outputs:

Loaded plugins: downloadonly, fastestmirror, security

Loading mirror speeds from cached hostfile

* base: mirrors.tummy.com

* epel: mirror.steadfast.net

* extras: centos-mirror.jchost.net

* updates: centos.hostingxtreme.com

Setting up Install Process

Resolving Dependencies

--> Running transaction check

---> Package dbus-x11.x86_64 1:1.2.24-7.el6_3 will be installed

--> Finished Dependency Resolution

 

Dependencies Resolved

 

===========================================================================================================

Package                 Arch                  Version                           Repository           Size

===========================================================================================================

Installing:

dbus-x11                x86_64                1:1.2.24-7.el6_3                  base                 40 k

 

Transaction Summary

===========================================================================================================

Install       1 Package(s)

 

Total download size: 40 k

Installed size: 28 k

Is this ok [y/N]: y

Downloading Packages:

dbus-x11-1.2.24-7.el6_3.x86_64.rpm                                                  |  40 kB     00:00

Running rpm_check_debug

Running Transaction Test

Transaction Test Succeeded

Running Transaction

Installing : 1:dbus-x11-1.2.24-7.el6_3.x86_64                                                        1/1

Verifying  : 1:dbus-x11-1.2.24-7.el6_3.x86_64                                                        1/1

 

Installed:

dbus-x11.x86_64 1:1.2.24-7.el6_3

 

Complete!

To install Fonts, type:

$ sudo yum groupinstall "Fonts"

Now, you can run and tunnel X over ssh:

$ ssh -X user@server1.cyberciti.biz

$ xeyes

$ firefox
Connect To Amazon AWS EC2 Instance From a CentOS / RHEL Using SSH Client https://wiki.shopingserver.com/connect-amazon-aws-ec2-instance-centos-rhel-using-ssh-client/ Fri, 05 Jan 2018 16:27:49 +0000

I have created/launched an Amazon Machine Image (AMI) instance powered by CentOS/RHEL/Red Hat Enterprise Linux. How can I connect to my instance using the OpenSSH ssh client on Linux/Unix/OSX?

You can use the OpenSSH ssh client program to log into a remote machine and execute commands on it. The same client can be used to log into an Amazon AWS EC2 instance powered by CentOS Linux / Fedora / RHEL.

Create a Key Pair For a New EC2 Instance

Login to your Amazon EC2 console at https://console.aws.amazon.com/ec2/.

Select the region, i.e. click US East (N. Virginia). (See fig.01)

From the left navigation pane, click Key Pairs.

Click Create Key Pair.

Type a key name (such as “centos-aws-db-1”) in the Key pair name box, and then click Create. (See fig.02)

Fig.01: AWS Create SSH Key Pair

Download the private key file, which is named centos-aws-db-1.pem, and keep it in a safe place. You will need it to access any instances that you launch with this key pair.

Fig.02: Create AWS EC2 SSH Key Pair For Login

You need to use this key pair for all your new instances. If you lose the key pair, you cannot connect to your Amazon EC2 instances.

Set private key permissions

Use the chmod command to make sure your private key file isn’t publicly viewable:

chmod 0400 ~/.ssh/centos-aws-db-1.pem

Connecting to Amazon EC2 Instance from a RHEL/CentOS Linux/UNIX/OSX Using a SSH Client

The syntax is as follows:

ssh -i key-file-name-here.pem ec2-user@public-dns-name

In this example, I’m connecting using the key file ~/.ssh/centos-aws-db-1.pem, the user name ec2-user, and the instance’s DNS name ec2-54-211-235-9.compute-1.amazonaws.com:

ssh -i ~/.ssh/centos-aws-db-1.pem ec2-user@ec2-54-211-235-9.compute-1.amazonaws.com

Sample outputs:

Fig. 03: Successfully ssh into my box powered by RHEL 7

SSH user names for various Linux distros

For Amazon Linux, the default user name is ec2-user.

For CentOS/RHEL, the user name is often root or ec2-user.

For Ubuntu, the user name is ubuntu.

For SUSE Linux, the user name is root.

Also, check with your AMI provider for the user name.

References

Amazon EC2 Key Pairs Guide