SSH

• Connect to remote host

  $ ssh <username>@<hostname/ip> [-p <port>]

• Setup keys (no password login)

  • Generate keys on client

    $ ssh-keygen -t ed25519  -f ~/.ssh/<key-name> -C "<Some comment>"

    where,
    t = type of key algo
    f = file name of generated keys
    C = comment regarding who and where of key usage

  • Ensure passphrase is entered, it is remembered later

  • Copy public key to remote server

    $ ssh-copy-id  -i ~/.ssh/<key-name>.pub <username>@<hostname>

    where,
    i = Identity file to use

  • Turn off password authentication on remote server

    $ sudo sed -i \
      -e 's/#\?PasswordAuthentication yes/PasswordAuthentication no/' \
      -e 's/PubkeyAuthentication no/PubkeyAuthentication yes/' \
      /etc/ssh/sshd_config

  • May also disable PermitRootLogin

  • May change default port

  • Reload ssh daemon via systemctl sudo systemctl reload sshd

  • May change default ssh porto

  • Should use tool like fail2ban to reject unauthorized attempts

  • To disable login banner/info:

    $ sed -i 's/PrintLastLog yes/PrintLastLog no/' /etc/ssh/sshd_config
    $ touch /home/$USER/.hushlogin

• Add a known host to ssh config for easier connection (also used by scp & rsync), using ssh config

  $ touch ~/.ssh/config && chmod 600 ~/.ssh/config

  Host server-name # server-name is pattern matched
    HostName <hostname/ip> # indentation optional but recommended
    User <username>
    Port <port>
    PreferredAuthentications publickey
    IdentityFile ~/.ssh/<private-key>

  $ ssh server-name

• Recommended - generate a new ssh key pair for every remote host (so even if stolen, cannot compromise others). Can add in config as:

  Host name1
    ...
    Identity ~/.ssh/<key-name>
  
  Host name2
    ...
    Identity ~/.ssh/<key-name>

Running local scripts on remote host

ssh user@server 'bash -s' <<'EOF'
# ...commands
whoami
EOF