oam/knowledge base/ssh.md
2023-01-01 19:36:34 +01:00

SSH

  1. TL;DR
  2. Key Management
  3. SSHFS
    1. Installation
  4. Configuration
  5. Further readings
  6. Sources

TL;DR

# Start an agent and add the default keys from '~/.ssh' to it.
eval "$(ssh-agent)" && ssh-add

# Create new keys.
ssh-keygen -t rsa -b 4096
ssh-keygen -t dsa   # DSA keys are fixed at 1024 bits and disabled by default since OpenSSH 7.0; prefer ed25519
ssh-keygen -t ecdsa -b 521
ssh-keygen -t ed25519 -f ~/.ssh/keys/id_ed25519 -C test@winzoz

# Remove elements from the known hosts list.
ssh-keygen -R "pi4.lan"
ssh-keygen -R 192.168.1.237 -f .ssh/known_hosts
ssh-keygen -R "raspberrypi.lan" -f "${HOME}/.ssh/known_hosts"

# Change the passphrase of a key.
ssh-keygen -f ~/.ssh/id_rsa -p

# Mount a remote folder.
sshfs nas.lan:/mnt/data Data -o auto_cache,reconnect,defer_permissions,noappledouble,volname=Data

# List keys added to the agent by fingerprint.
ssh-add -l
ssh-add -L   # full key in OpenSSH format

# Authorize keys for passwordless access.
ssh-copy-id -i ~/.ssh/id_rsa.pub user@nas.lan

Key Management

Create a new key:

ssh-keygen -t rsa -b 4096
ssh-keygen -t dsa   # DSA keys are fixed at 1024 bits and disabled by default since OpenSSH 7.0; prefer ed25519
ssh-keygen -t ecdsa -b 521
ssh-keygen -t ed25519 -f .ssh/id_ed25519 -C test@winzoz
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in C:\Users\test/.ssh/id_ed25519.
Your public key has been saved in C:\Users\test/.ssh/id_ed25519.pub.
The key fingerprint is:
SHA256:lFrpPyqTy0d30TfnN0QRY678LnyCzmvMDbl1Qj2/U/w test@winzoz
The key's randomart image is:
+--[ED25519 256]--+
|           +o.o++|
|             ==*O|
|            . .X*|
|         o .   +=|
|        S S +..==|
|         . .+..*E|
|           + ...o|
|         .+ .o = |
|          =+ .o .|
+----[SHA256]-----+

Remove a host from the list of known hosts:

ssh-keygen -R "pi4.lan"
ssh-keygen -R 192.168.1.237 -f .ssh/known_hosts
ssh-keygen -R "raspberrypi.lan" -f ".ssh/known_hosts"
Host pi4.lan found: line 5
/home/mek/.ssh/known_hosts updated.
Original contents retained as /home/mek/.ssh/known_hosts.old

Change the passphrase of a key file:

ssh-keygen -f ~/.ssh/id_rsa -p

SSHFS

Options:

  • auto_cache enables caching based on modification times;
  • reconnect reconnects to the server;
  • defer_permissions works around the issue where certain shares may mount properly, but cause permission denied errors when accessed (caused by how Mac OS X's Finder translates and interprets permissions);
  • noappledouble prevents Mac OS X from writing .DS_Store files on the remote file system;
  • volname defines the name to use for the volume.

Usage:

sshfs -o $OPTIONS_LIST $HOST:$REMOTE_PATH $LOCAL_PATH
sshfs user@nas.lan:/mnt/data Data -o auto_cache,reconnect,defer_permissions,noappledouble,volname=Data

Installation

# Mac OS X requires `macports`, since `brew` does not offer 'sshfs' anymore
sudo port install sshfs

Configuration

When connecting to a host, the SSH client reads settings in this order:

  1. from the command line,
  2. from the user's ~/.ssh/config file,
  3. from the /etc/ssh/ssh_config file.

Settings apply in a first-come-first-served way: for each parameter, the first value obtained is used. Settings should hence appear from the most specific to the most generic:

Host targaryen
    HostName targaryen.example.com
    User john
    Port 2322
    IdentityFile ~/.ssh/targaryen.key
    LogLevel INFO
    Compression yes

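Host *ell
    user oberyn
    sendenv BE_SASSY
    # 'no' adds new host keys automatically and lets connections to hosts with changed keys proceed.
    StrictHostKeyChecking no

Host * !martell
    LogLevel INFO
    StrictHostKeyChecking accept-new
    # With /dev/null no host key is remembered, so every host counts as new and 'accept-new' accepts it.
    UserKnownHostsFile /dev/null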

Host *
    User root
    Compression yes
    SendEnv -LC_* -LANG*
    SetEnv MYENV=itsvalue

# Append domains to a hostname before attempting to check if they exist.
CanonicalizeHostname yes
CanonicalDomains xxx.auckland.ac.nz yyy.auckland.ac.nz

Host *.xxx.auckland.ac.nz
    User user_xxx

Host *.yyy.auckland.ac.nz
    User user_yyy

# Keep a connection open for 30s and reuse it when possible.
# Save the control socket in a safe directory, and use a hash of the connection
# data (%C) to identify it.
# source: https://www.cyberciti.biz/faq/linux-unix-reuse-openssh-connection/
ControlMaster auto
ControlPath ~/.ssh/control-%C
ControlPersist 30s
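
The first-value-wins resolution described above, as an added Python example (not part of the original notes): it resolves the page's Host blocks for a given alias and lists the resolved settings that weaken host key verification. It assumes single-valued keywords separated by spaces and ignores Match, Include and accumulating options such as IdentityFile or SendEnv; the function names are made up for this example.

```python
import re

# Constructed sample: Host blocks taken from the configuration above.
# Assumption: every keyword is single-valued (no Match, Include or quoting).
SAMPLE_CONFIG = """\
Host targaryen
    User john
    Port 2322
Host *ell
    user oberyn
    StrictHostKeyChecking no
Host * !martell
    StrictHostKeyChecking accept-new
    UserKnownHostsFile /dev/null
Host *
    User root
    Compression yes
"""

def _glob(pattern, host):
    # ssh_config patterns use only the '*' and '?' wildcards.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, host) is not None

def host_matches(patterns, host):
    # A matching negated pattern vetoes the block; otherwise one positive match is needed.
    if any(p.startswith("!") and _glob(p[1:], host) for p in patterns):
        return False
    return any(not p.startswith("!") and _glob(p, host) for p in patterns)

def effective_options(config_text, host):
    """Resolve options for `host`: the first value obtained for a keyword wins."""
    options, active = {}, True  # lines before the first Host apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, value = line.partition(" ")
        if keyword.lower() == "host":
            active = host_matches(value.split(), host)
        elif active:
            options.setdefault(keyword.lower(), value.strip())
    return options

def weak_host_key_settings(options):
    """Names of resolved settings that weaken host key verification."""
    checks = {"stricthostkeychecking": ("no", "off"), "userknownhostsfile": ("/dev/null",)}
    return [k for k, bad in checks.items() if options.get(k, "").lower() in bad]
```

On a real system, `ssh -G <alias>` prints the configuration the client actually resolves for that alias and can be used to confirm the result.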

Further readings

Sources