Difference between revisions of "Secure Shell"

From Free Knowledge Base- The DUCK Project: information for everyone
Jump to: navigation, search
m
m
 
Line 20: Line 20:
 
== auto login ssh ==
 
== auto login ssh ==
 
{{:Secure Shell - auto login ssh}}
 
{{:Secure Shell - auto login ssh}}
 +
 +
== Disable SSH Host Key Checking ==
 +
Do you get tired of...
 +
The authenticity of host '192.168.0.10 (192.168.0.10)' can't be established.
 +
ECDSA key fingerprint is SHA256:Ncv99ABCdeF/GhIJKlMnOPQ6Abcde0FgHijklMnOp9c.
 +
Are you sure you want to continue connecting (yes/no)?
 +
 +
Yes it is a security feature to ensure you are not being redirected to a false host in an attempt to steal your password or otherwise invade security.  However, sometimes it is, or, often, it is not necessary.  On a private LAN, for example, where hosts are not Internet accessible and users are trusted the prompt is more annoying than useful.  It also breaks some automation.  There are other automation related resolutions but here we will discuss a way to completely disable this security feature.
 +
 +
  ssh -o "StrictHostKeyChecking=no" 192.168.0.10
 +
 +
  ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" 192.168.0.10
 +
 +
If you dont want to have to type it on the command line each time you can make it the default for your user
 +
  vi ~/.ssh/config
 +
add the following:
 +
Host *
 +
    StrictHostKeyChecking no
 +
    UserKnownHostsFile=/dev/null
 +
The file probably doesn't exist.  Just create it and add the lines.
 +
 +
You can tell it to ignore checking for your lan but still check for other hosts.
 +
Host 192.168.0.*
 +
    StrictHostKeyChecking no
 +
    UserKnownHostsFile=/dev/null
 +
 +
resource: ShellHacks Blog: [https://www.shellhacks.com/disable-ssh-host-key-checking/ HowTo: Disable SSH Host Key Checking]
  
 
== Related Pages ==
 
== Related Pages ==

Latest revision as of 19:38, 29 April 2022

Secure Shell (SSH) is a cryptographic network protocol for operating network services such as remote command-line, login, and remote command execution over an unsecured network in a secure way. SSH provides a secure channel over an unsecured network by using a client–server architecture, connecting an SSH client application with an SSH server. SSH is generally used to access Unix-like operating systems, but it can also be used on Microsoft Windows. Windows 10 uses OpenSSH as its default SSH client and SSH server.

SSH was designed as a replacement for Telnet and for unsecured remote shell protocols which would send information, notably passwords, in plaintext, rendering them susceptible to interception and recognition. The encryption used by SSH is intended to provide confidentiality and integrity of data over an unsecured network such as the Internet. While Telnet was once widely used by administrators for remote management, it does not offer the security mechanisms like SSH, which establishes a secure connection from the host to the remote host.

SSH / Secure Shell provides for two ways to accomplish authentication

  1. password authentication
  2. key authentication

Linux Secure Shell Support for Remote Login

Modern Ubuntu / Mint

I don't know why they do not include SSH by default. Allows remote secure terminal shell connection.

sudo apt install openssh-server openssh-client 
sudo service ssh start

Note: Added 10/17/2016 old less secure or compromised cyphers no longer configured, may cause connection problems with legacy ssh clients such as SecureCRT. ref: https://blog.hqcodeshop.fi/archives/245-SSH-connection-fails.html

use SSH to execute a remote command

You'll need to be able to ssh with automated password or enter the password each time you run the command.

Execute a remote command on a host over SSH:

ssh nicolep@192.168.100.10 'reboot'

The example above will reboot the remote computer.

Multiple commands

ssh nicolep@192.168.100.10 'uptime; df -h'

Show the kernel version, number of CPUs and the total RAM:

ssh root@192.168.100.10 << EOF
uname -a
lscpu  | grep "^CPU(s)"
grep -i memtotal /proc/meminfo
EOF

Here is how Nicole can execute her script on the remote computer

ssh nicolep@192.168.100.10 'bash -s' < nicolejob.sh

Nicole's script is local on her machine, and she executed it on the remote host.

auto login ssh

There is a key authentication system that can be used with OpenSSH. The OpenSSH ssh utility doesn't accept a password on the command line or on its standard input, except for prompting the user for password requiring manual interaction. By using the key authentication system you will not be prompted for a password.

OPTIONS FOR SSH AUTOMATED

  1. Use an SSH key for authentication, instead of a password.
  2. Use sshpass, expect, or a similar tool to automate responding to the password prompt.
  3. Use the SSH_ASKPASS feature to get ssh to get the password by running another program.
  4. Use the insecure host-based authentication, sometimes common on private networks.
  5. Use a custom or modified ssh client adapted from source code, or one that allows for stored password.

sshpass

Install the sshpass utility so that you can automate ssh login including password.

apt install sshpass

Now you can automate the login process

sshpass -p "mysecretpass" ssh -o StrictHostKeyChecking=no nicolep@192.168.100.10

Custom port example:

sshpass -p "mysecretpass" ssh -o StrictHostKeyChecking=no nicolep@192.168.100.10:9600

public key authentication

BEFORE MAKING NEW KEY PAIRS: Try to Find an Existing Secure Shell Key Pair. See if you already have a .ssh under your home directory. If you already have a key pair then you should not need to make a new key pair.

In the source host run this only once:

ssh-keygen -t rsa 

Now you've generated the public key. It needs to be copied onto the remote host.

ssh-copy-id -i ~/.ssh/id_rsa.pub nicolep@192.168.100.10

add identities to the ssh-agent – the authentication agent on the local host.

ssh-add

now press ENTER to every field

ssh-copy-id nicolep@192.168.100.10

expect

Example script

#!/usr/bin/expect

set timeout 15

set cmd [lrange $argv 1 end]
set password [lindex $argv 0]

eval spawn $cmd
expect "assword:"
send "$password\r";
interact

Another example

#!/usr/bin/expect -f
#  ./ssh.exp password 192.168.100.10 id
set pass [lrange $argv 0 0]
set server [lrange $argv 1 1]
set name [lrange $argv 2 2]

spawn ssh $name@$server
match_max 100000
expect "*?assword:*"
send -- "$pass\r"
send -- "\r"
interact

And finally, a more elaborate example can be found here:

Disable SSH Host Key Checking

Do you get tired of...

The authenticity of host '192.168.0.10 (192.168.0.10)' can't be established.
ECDSA key fingerprint is SHA256:Ncv99ABCdeF/GhIJKlMnOPQ6Abcde0FgHijklMnOp9c.
Are you sure you want to continue connecting (yes/no)? 

Yes it is a security feature to ensure you are not being redirected to a false host in an attempt to steal your password or otherwise invade security. However, sometimes it is, or, often, it is not necessary. On a private LAN, for example, where hosts are not Internet accessible and users are trusted the prompt is more annoying than useful. It also breaks some automation. There are other automation related resolutions but here we will discuss a way to completely disable this security feature.

 ssh -o "StrictHostKeyChecking=no" 192.168.0.10
 ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" 192.168.0.10

If you dont want to have to type it on the command line each time you can make it the default for your user

 vi ~/.ssh/config

add the following:

Host *
   StrictHostKeyChecking no
   UserKnownHostsFile=/dev/null

The file probably doesn't exist. Just create it and add the lines.

You can tell it to ignore checking for your lan but still check for other hosts.

Host 192.168.0.*
   StrictHostKeyChecking no
   UserKnownHostsFile=/dev/null

resource: ShellHacks Blog: HowTo: Disable SSH Host Key Checking

Related Pages