Secure Shell

From Free Knowledge Base- The DUCK Project: information for everyone

Secure Shell (SSH) is a cryptographic network protocol for operating network services such as remote command-line, login, and remote command execution over an unsecured network in a secure way. SSH provides a secure channel over an unsecured network by using a client–server architecture, connecting an SSH client application with an SSH server. SSH is generally used to access Unix-like operating systems, but it can also be used on Microsoft Windows. Windows 10 uses OpenSSH as its default SSH client and SSH server.

SSH was designed as a replacement for Telnet and for unsecured remote shell protocols which send information, notably passwords, in plaintext, rendering them susceptible to interception and recognition. The encryption used by SSH is intended to provide confidentiality and integrity of data over an unsecured network such as the Internet. While Telnet was once widely used by administrators for remote management, it does not offer security mechanisms like those of SSH, which establishes a secure connection from the local host to the remote host.

SSH / Secure Shell provides two ways to accomplish authentication:

  1. password authentication
  2. key authentication

Linux Secure Shell Support for Remote Login

Modern Ubuntu / Mint

I don't know why they do not include SSH by default. Installing it allows a secure remote terminal shell connection.

sudo apt install openssh-server openssh-client 
sudo service ssh start

Note (added 10/17/2016): old, less secure or compromised ciphers are no longer configured by default, which may cause connection problems with legacy SSH clients such as SecureCRT. ref: https://blog.hqcodeshop.fi/archives/245-SSH-connection-fails.html

Use SSH to execute a remote command

You'll need either an automated way to supply the password (see the auto login section below) or to enter the password each time you run the command.

Execute a remote command on a host over SSH:

ssh nicolep@192.168.100.10 'reboot'

The example above will reboot the remote computer.

Multiple commands:

ssh nicolep@192.168.100.10 'uptime; df -h'

Show the kernel version, number of CPUs and the total RAM:

ssh root@192.168.100.10 << EOF
uname -a
lscpu  | grep "^CPU(s)"
grep -i memtotal /proc/meminfo
EOF

Here is how Nicole can execute her local script on the remote computer:

ssh nicolep@192.168.100.10 'bash -s' < nicolejob.sh

Nicole's script is local on her machine, and she executed it on the remote host.
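Every form above hands one string to the remote login shell, so anything spliced into that string (a filename, a value taken from user input) is parsed by that shell before the command runs. Below is an added Python example, not from the original page, that builds and runs such an ssh invocation with each remote argument quoted via shlex.quote, and with BatchMode=yes so an unattended job fails immediately instead of waiting at a password prompt. The user name, host, port and the hostile filename are constructed sample values.

```python
import shlex
import subprocess


def build_ssh_command(user, host, remote_argv, port=None, batch=True):
    """Assemble the local argv for running remote_argv on host via ssh.

    ssh concatenates everything after the host into ONE string and passes it
    to the remote login shell, so each remote argument is quoted with
    shlex.quote.  Without that, a filename such as "x; rm -rf ~" would be
    executed by the remote shell as two commands.
    """
    cmd = ["ssh"]
    if batch:
        # Never fall back to an interactive password prompt in automation:
        # fail fast (exit status 255) instead of hanging a cron job or CI step.
        cmd += ["-o", "BatchMode=yes", "-o", "ConnectTimeout=10"]
    if port is not None:
        # The port is a separate option; "user@host:port" is not ssh syntax.
        cmd += ["-p", str(port)]
    cmd.append(f"{user}@{host}")
    cmd.append(" ".join(shlex.quote(arg) for arg in remote_argv))
    return cmd


def run_remote(user, host, remote_argv, port=None, timeout=60):
    """Run the remote command and return (exit_status, stdout, stderr).

    Needs a reachable host with key or agent authentication already set up.
    """
    cmd = build_ssh_command(user, host, remote_argv, port)
    proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
    return proc.returncode, proc.stdout, proc.stderr


if __name__ == "__main__":
    # Constructed sample input: a filename that would be dangerous unquoted.
    hostile_name = "report.txt; rm -rf ~"
    argv = build_ssh_command("nicolep", "192.168.100.10", ["ls", "-l", hostile_name], port=9600)
    print(" ".join(shlex.quote(a) for a in argv))
```

build_ssh_command can be inspected offline; run_remote only makes sense once key authentication (described further down this page) is in place, because BatchMode=yes refuses to prompt for a password.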

Auto login ssh

OpenSSH supports a key authentication system. The OpenSSH ssh utility does not accept a password on the command line or on its standard input; it only prompts the user interactively for one. By using key authentication you will not be prompted for a password at all.

OPTIONS FOR AUTOMATED SSH

  1. Use an SSH key for authentication, instead of a password.
  2. Use sshpass, expect, or a similar tool to automate responding to the password prompt.
  3. Use the SSH_ASKPASS feature to get ssh to get the password by running another program.
  4. Use the insecure host-based authentication, sometimes common on private networks.
  5. Use a custom or modified ssh client adapted from source code, or one that allows for stored password.

sshpass

Install the sshpass utility so that you can automate the ssh login, including the password:

apt install sshpass

Now you can automate the login process:

sshpass -p "mysecretpass" ssh -o StrictHostKeyChecking=no nicolep@192.168.100.10

Custom port example:

sshpass -p "mysecretpass" ssh -o StrictHostKeyChecking=no -p 9600 nicolep@192.168.100.10

Public key authentication

BEFORE MAKING NEW KEY PAIRS: try to find an existing Secure Shell key pair. Check whether you already have a .ssh directory under your home directory. If you already have a key pair, you should not need to make a new one.

On the source host run this only once:

ssh-keygen -t rsa 

Now you have generated the key pair. The public key needs to be copied onto the remote host:

ssh-copy-id -i ~/.ssh/id_rsa.pub nicolep@192.168.100.10

Add identities to ssh-agent, the authentication agent on the local host:

ssh-add

Press ENTER at each prompt to accept the defaults.

ssh-copy-id nicolep@192.168.100.10

expect

Example script:

#!/usr/bin/expect
# argv: <password> <command to spawn...>

# Give up if no password prompt appears within 15 seconds
set timeout 15

# First argument is the password, everything after it is the command
set password [lindex $argv 0]
set cmd [lrange $argv 1 end]

# Start the command, wait for the password prompt and answer it
eval spawn $cmd
expect "assword:"
send "$password\r"

# Hand the session over to the user
interact

Another example:

#!/usr/bin/expect -f
#  ./ssh.exp password 192.168.100.10 id
# lindex (not lrange) so that a password containing spaces is sent unchanged
set pass [lindex $argv 0]
set server [lindex $argv 1]
set name [lindex $argv 2]

spawn ssh $name@$server
# Allow a large buffer for the pattern match
match_max 100000
expect "*?assword:*"
send -- "$pass\r"
send -- "\r"
interact

And finally, a more elaborate example can be found here:

Disable SSH Host Key Checking

Do you get tired of...

The authenticity of host '192.168.0.10 (192.168.0.10)' can't be established.
ECDSA key fingerprint is SHA256:Ncv99ABCdeF/GhIJKlMnOPQ6Abcde0FgHijklMnOp9c.
Are you sure you want to continue connecting (yes/no)? 

Yes, it is a security feature: it ensures you are not being redirected to a false host in an attempt to steal your password or otherwise compromise security. However, it is not always necessary. On a private LAN, for example, where hosts are not Internet accessible and users are trusted, the prompt is more annoying than useful. It also breaks some automation. There are other automation-related resolutions, but here we will discuss a way to completely disable this security feature.

 ssh -o "StrictHostKeyChecking=no" 192.168.0.10
 ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" 192.168.0.10

If you don't want to type it on the command line each time, you can make it the default for your user:

 vi ~/.ssh/config

Add the following:

Host *
   StrictHostKeyChecking no
   UserKnownHostsFile /dev/null

The file probably doesn't exist. Just create it and add the lines.

You can tell it to skip the check for your LAN but still check other hosts:

Host 192.168.0.*
   StrictHostKeyChecking no
   UserKnownHostsFile /dev/null

resource: ShellHacks Blog: HowTo: Disable SSH Host Key Checking
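An alternative to switching the check off is to compare the fingerprint shown in the prompt above with one obtained out of band (for example from the server's own console with ssh-keygen -lf on its host key file) and to pre-seed the matching known_hosts line, so the prompt never appears and a changed key is still refused. The Python below is an added example, not part of the original page: it parses a plain (unhashed, marker-free) known_hosts line, computes the SHA256:... fingerprint the way OpenSSH displays it (SHA-256 over the base64-decoded key blob, rendered as base64 without padding), and checks a host against an expected fingerprint. The ssh-ed25519 key bytes and the host address are constructed sample values, not any real host's key.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: uint32 big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def fingerprint_sha256(key_blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256(blob)."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts_line(line: str):
    """Return (hosts, key_type, key_blob) for one plain known_hosts line.

    Format: "host1,host2 key-type base64-blob [comment]".  Hashed entries
    (starting with "|1|") and @marker lines are out of scope here.
    """
    fields = line.split()
    if len(fields) < 3 or fields[0].startswith("#"):
        raise ValueError("not a key line")
    hosts = fields[0].split(",")
    key_type = fields[1]
    blob = base64.b64decode(fields[2])
    # The blob itself begins with the key type; the two must agree.
    prefix_len = struct.unpack(">I", blob[:4])[0]
    if blob[4:4 + prefix_len].decode() != key_type:
        raise ValueError("key type field does not match key blob")
    return hosts, key_type, blob


def host_key_matches(line: str, host: str, expected_fingerprint: str) -> bool:
    """True if the line covers host and its key has the expected fingerprint."""
    hosts, _, blob = parse_known_hosts_line(line)
    return host in hosts and fingerprint_sha256(blob) == expected_fingerprint


def make_known_hosts_line(host: str, key_type: str, blob: bytes) -> str:
    """Render a line suitable for seeding into a known_hosts file."""
    return f"{host} {key_type} {base64.b64encode(blob).decode()}"


# Constructed sample: an ssh-ed25519 blob whose 32 raw key bytes are 0x01..0x20.
# Not a real host's key; only the wire layout matters for the fingerprint.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(1, 33)))
SAMPLE_LINE = make_known_hosts_line("192.168.0.10", "ssh-ed25519", SAMPLE_BLOB)


if __name__ == "__main__":
    hosts, key_type, blob = parse_known_hosts_line(SAMPLE_LINE)
    expected = fingerprint_sha256(blob)
    print("known_hosts line:", SAMPLE_LINE)
    print("fingerprint     :", expected)
    print("host matches    :", host_key_matches(SAMPLE_LINE, hosts[0], expected))
```

Once a verified line is placed in ~/.ssh/known_hosts (or in the file named by UserKnownHostsFile), ssh connects to that host without prompting while StrictHostKeyChecking stays at its default, so a different key presented later is still rejected rather than silently accepted.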
