Linux SSH Command and Configuration
What is SSH?
SSH (Secure Shell) is a protocol used to securely connect to remote systems over a network. It provides encrypted communication and is commonly used for remote login and command execution.
Package name: openssh-server
Daemon name: sshd
Port number: 22
Command name: ssh
Service name: sshd.service
Log file: /var/log/secure
Configuration file: /etc/ssh/sshd_config
Basic SSH Command
The basic syntax of the SSH command is:
ssh [user]@[hostname or IP address]
Example:
ssh user@192.168.1.100
This command connects to the remote system with the username user at the IP address 192.168.1.100.
SSH Configuration File
The SSH client configuration file is typically located at ~/.ssh/config. It allows you to define shortcuts and settings for SSH connections.
Example configuration:
Host myserver
HostName 192.168.1.100
User user
Port 22
With this configuration, you can connect to the server using:
ssh myserver
Common SSH Options
-p [port]: Specify the port to connect to (default is 22).
-i [identity_file]: Specify the private key file for authentication.
-L [local_port]:[remote_host]:[remote_port]: Set up local port forwarding.
-R [remote_port]:[local_host]:[local_port]: Set up reverse (remote) port forwarding.
-X: Enable X11 forwarding for graphical applications.
-C: Enable compression for the SSH session.
-v: Enable verbose mode for debugging.
-q: Quiet mode, suppresses warning messages.
-o [option]: Specify a configuration option in the format key=value.
-t: Force pseudo-terminal allocation.
-A: Enable forwarding of the authentication agent connection.
-K: Enable GSSAPI authentication and forwarding of GSSAPI credentials.
-4: Force SSH to use IPv4 addresses.
-6: Force SSH to use IPv6 addresses.
-o StrictHostKeyChecking=no: Disable host key checking (not recommended for production).
-o UserKnownHostsFile=/dev/null: Ignore the known hosts file (not recommended for production).
-o LogLevel=ERROR: Set the logging level to suppress non-error messages.
-o ConnectTimeout=[seconds]: Set a timeout for the connection attempt.
-o ServerAliveInterval=[seconds]: Set the interval for sending keepalive messages to the server.
-o ServerAliveCountMax=[count]: Set the maximum number of unanswered keepalive messages before disconnecting.
-o PreferredAuthentications=[method]: Specify the preferred authentication methods (e.g., publickey,password).
-o IdentityFile=[file]: Specify the path to the private key file for authentication.
-o ForwardAgent=yes: Enable forwarding of the authentication agent.
-o ForwardX11=yes: Enable X11 forwarding.
-o Compression=yes: Enable compression for the SSH session.
-o TCPKeepAlive=yes: Enable TCP keepalive messages.
-o CheckHostIP=no: Disable checking the IP address of the host against known_hosts (not recommended for production).
Example: Copying Files with SCP
SSH is also used with SCP (Secure Copy) to transfer files securely:
scp file.txt user@192.168.1.100:/path/to/destination
This command copies file.txt to the remote server.
Collecting Information from a Remote Host over SSH
To collect information from a remote host using SSH, you can execute commands directly:
ssh user@[hostname or IP address] "df -Th"
This command connects to the remote host and runs the df -Th command to display disk usage information.
SSH DenyUsers and AllowUsers
To deny or allow specific users to connect via SSH, you can modify the SSH configuration file /etc/ssh/sshd_config.
To deny a user:
echo "DenyUsers username" | sudo tee -a /etc/ssh/sshd_config
To allow a user:
echo "AllowUsers username" | sudo tee -a /etc/ssh/sshd_config
After making changes, restart the SSH service:
sudo systemctl restart sshd
Permitting Root Login
To allow root login via SSH, edit the SSH configuration file /etc/ssh/sshd_config and set the following:
PermitRootLogin yes
After making changes, restart the SSH service:
sudo systemctl restart sshd
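Both the DenyUsers/AllowUsers edits and the PermitRootLogin edit above depend on how sshd reads sshd_config: DenyUsers is checked before AllowUsers, those two keywords accumulate across lines, but for PermitRootLogin the first uncommented value wins, so a line appended with tee -a is ignored if an earlier one exists. The following hypothetical shell helper (an added example, not part of OpenSSH or this guide) predicts the outcome for a given user from a constructed sample config; Match blocks, user@host patterns and Keyword=value syntax are assumptions it does not cover.

```shell
#!/bin/sh
# Hypothetical helper (added example, not part of OpenSSH): predict whether USER
# passes an sshd_config's DenyUsers, AllowUsers and PermitRootLogin directives.
# sshd checks DenyUsers first, then requires an AllowUsers match if any AllowUsers
# line exists. Those two keywords accumulate across lines; PermitRootLogin does
# not: the FIRST uncommented value wins, so a line appended with "tee -a" has no
# effect if an earlier PermitRootLogin line exists. Match blocks, user@host
# patterns and "Keyword=value" syntax are not modelled.

# collect_values FILE KEYWORD: print every value given for KEYWORD, one per line.
collect_values() {
    awk -v k="$2" 'tolower($1) == tolower(k) { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# match_any USER: read glob patterns from stdin, succeed if USER matches any.
match_any() {
    while IFS= read -r pat; do
        case $1 in $pat) return 0 ;; esac   # $pat unquoted on purpose: glob match
    done
    return 1
}

# check_user_access FILE USER: print "allow..." or "deny (<reason>)".
check_user_access() {
    cfg=$1; user=$2
    if collect_values "$cfg" DenyUsers | match_any "$user"; then
        echo "deny (DenyUsers)"; return 0
    fi
    allowed=$(collect_values "$cfg" AllowUsers)
    if [ -n "$allowed" ] && ! printf '%s\n' "$allowed" | match_any "$user"; then
        echo "deny (not in AllowUsers)"; return 0
    fi
    if [ "$user" = root ]; then
        prl=$(collect_values "$cfg" PermitRootLogin | head -n 1)
        [ -n "$prl" ] || prl=prohibit-password      # OpenSSH default when unset
        [ "$prl" != no ] || { echo "deny (PermitRootLogin no)"; return 0; }
        echo "allow (PermitRootLogin $prl)"; return 0
    fi
    echo allow
}

# Constructed sample config, not a real system file. The last line mimics what
# 'echo "PermitRootLogin yes" | sudo tee -a /etc/ssh/sshd_config' appends.
SAMPLE_CFG=$(mktemp)
printf '%s\n' 'Port 2222' 'PermitRootLogin no' '#PermitRootLogin yes' \
    'DenyUsers guest' 'AllowUsers root admin deploy-*' 'PermitRootLogin yes' > "$SAMPLE_CFG"
for u in admin deploy-ci guest bob root; do
    printf '%-10s %s\n' "$u" "$(check_user_access "$SAMPLE_CFG" "$u")"
done
```

Running it shows root still denied by the first PermitRootLogin line despite the appended "yes", which is why editing the existing line (or checking with sshd -T) beats blindly appending.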
Passwordless SSH Configuration Steps
To set up passwordless SSH login, follow these steps:
1. Generate an SSH key pair on the local machine:
ssh-keygen -t rsa -b 2048
2. Copy the public key to the remote server:
ssh-copy-id user@remote_host
3. Test the passwordless login:
ssh user@remote_host
Changing the SSH Port with SELinux
To change the SSH port and configure SELinux, follow these steps:
1. Edit the SSH configuration file:
sudo vim /etc/ssh/sshd_config
2. Change the port number:
Port 2222
3. Save and exit the file.
4. Update SELinux to allow the new port:
sudo semanage port -a -t ssh_port_t -p tcp 2222
5. Restart the SSH service:
sudo systemctl restart sshd
6. Verify the new port is allowed in SELinux:
sudo semanage port -l | grep ssh
7. Update the firewall to allow the new port:
sudo firewall-cmd --permanent --add-port=2222/tcp
sudo firewall-cmd --reload
Note: Ensure that the new port is allowed in your firewall settings.
Firewall Port Forwarding Step
To redirect traffic arriving on port 22 to port 2222:
sudo firewall-cmd --permanent --add-forward-port=port=22:proto=tcp:toport=2222
sudo firewall-cmd --reload
This command forwards incoming traffic on port 22 to port 2222.