SSH tips and tricks
SSH login without a password (key with an empty passphrase)
Create a key pair on the workstation, as the user you want to log in from. Leave the passphrase prompts empty. Note that the account password is never involved in key login; an empty passphrase means that anyone who can read the private key file can log in as you.
ssh-keygen
Transfer the public key .ssh/id_rsa.pub (only the .pub file, never the private key; recent OpenSSH defaults to ed25519 keys, in which case the file is called id_ed25519.pub) to the remote server and user you want to log in to, for example via SFTP.
sftp user@server
> put .ssh/id_rsa.pub
> exit
Append id_rsa.pub to .ssh/authorized_keys on the remote host. If .ssh does not exist there yet, create it with mode 700 first, and delete the copied id_rsa.pub afterwards so stray copies do not pile up in the home directory.
ssh user@server
$ cat id_rsa.pub >> .ssh/authorized_keys
$ exit
Done. Login should now work without any password prompt. The transfer and append steps can also be done in one go with the ssh-copy-id script that comes with most Linux OpenSSH packages (it is not in OpenBSD's base system).
ssh user@server
File permission problems
It is important that the home directory, the .ssh directory and its contents have the correct permissions and owner: sshd (with the default StrictModes yes) refuses to read authorized_keys when any of them is writable by group or others, or is not owned by the user logging in. The home directory may be readable by everyone but must only be writable by its owner, otherwise key login will not work; .ssh and the files in it should be readable and writable by the owner only.
ls -l /home
drwxr-xr-x 9 backup backup 512 Jul 31 20:44 backup
ls -l /home/backup
drwx------ 2 backup backup 512 May 24 19:36 .ssh
ls -l /home/backup/.ssh
-rw------- 1 backup backup 806 Nov 4 16:34 authorized_keys
I spent a number of hours figuring this out. With wrong permissions the key is silently ignored and sshd falls back to password authentication, so login is still possible, just not without a password. Running ssh -v on the client shows the key being offered and rejected, and the server's auth log reports "Authentication refused: bad ownership or modes" together with the offending directory or file.
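As an added example (my script, not code from the original page), the following reproduces the StrictModes check described above for the home directory, .ssh and authorized_keys, and optionally applies the minimal fix. It only relies on ls, awk and cut, so it runs on OpenBSD and Linux alike; the script name and the "fix" argument are my own conventions.

```shell
#!/bin/sh
# Added example: check (and fix) the modes sshd's StrictModes requires.
# Usage: sh ssh-perms.sh /home/backup [fix]

# check_ssh_perms HOME [OWNER]: print one line per problem, return 0 if all is well.
check_ssh_perms() {
  home=$1
  owner=$2
  [ -n "$owner" ] || owner=$(ls -ld "$home" | awk '{print $3}')   # default: whoever owns HOME
  rc=0
  for f in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
    if [ ! -e "$f" ]; then
      echo "MISSING $f"; rc=1; continue
    fi
    set -- $(ls -ld "$f")        # $1 = mode string (e.g. drwxr-xr-x), $3 = owner
    mode=$1; fowner=$3
    # positions 6 and 9 of the mode string are the group and other write bits
    if [ "$(printf %s "$mode" | cut -c6)" = w ] || [ "$(printf %s "$mode" | cut -c9)" = w ]; then
      echo "BAD $f is group/world-writable ($mode); sshd will ignore authorized_keys"; rc=1
    fi
    if [ "$fowner" != "$owner" ]; then
      echo "BAD $f is owned by $fowner, expected $owner"; rc=1
    fi
  done
  return $rc
}

# fix_ssh_perms HOME: the smallest change that satisfies sshd. HOME keeps its read
# bits (other services may rely on them); .ssh and authorized_keys become private.
fix_ssh_perms() {
  chmod go-w "$1"
  [ -d "$1/.ssh" ] && chmod 700 "$1/.ssh"
  [ -f "$1/.ssh/authorized_keys" ] && chmod 600 "$1/.ssh/authorized_keys"
  return 0
}

if [ -n "$1" ]; then
  [ "$2" = fix ] && fix_ssh_perms "$1"
  check_ssh_perms "$1" && echo "OK $1"
fi
```

Run it as the user concerned (or as root) on the server; the owner check matters because a home directory restored from backup as root is a classic way to end up with the right modes and the wrong owner.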
Using ssh-agent
A safer solution than an empty passphrase is to protect the key with a passphrase and let ssh-agent hold the unlocked key in memory.
So, unless the connection has to be made unattended from a script or cron job, use a key with a passphrase together with ssh-agent. The passphrase is asked for once, when the key is added to the agent, and the key then behaves like a passphrase-less one for the rest of the session. For the unattended case, restrict what the passphrase-less key may do with from= and command= options in front of it in authorized_keys, so that a stolen key is only good for that one job from that one host.
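The usual way to get the "ask once, then passwordless" behaviour across all terminals is to keep one agent per user and reuse it from every login shell. The following is an added example (mine, not from the original page): the environment file path, the 8-hour key lifetime and the function names are my choices; the ssh-agent, ssh-add and ssh-keygen invocations are standard OpenSSH.

```shell
#!/bin/sh
# Added example: one reusable ssh-agent per user. Source this from ~/.profile, then
# call: ensure_agent && ensure_key ~/.ssh/id_ed25519
AGENT_ENV=${AGENT_ENV:-$HOME/.ssh/agent.env}   # saved "ssh-agent -s" output (my path)
KEY_LIFETIME=${KEY_LIFETIME:-8h}                # ssh-add -t: a forgotten agent is not a permanent door

# agent_alive: 0 when SSH_AUTH_SOCK names a socket that an agent still answers on.
agent_alive() {
  [ -n "$SSH_AUTH_SOCK" ] && [ -S "$SSH_AUTH_SOCK" ] || return 1
  rc=0
  ssh-add -l >/dev/null 2>&1 || rc=$?
  [ "$rc" -ne 2 ]        # 2 = cannot contact the agent; 1 only means it holds no keys
}

# load_agent_env FILE: import SSH_AUTH_SOCK / SSH_AGENT_PID from a saved agent file.
load_agent_env() {
  [ -f "$1" ] || return 1
  . "$1" >/dev/null      # the file is shell: SSH_AUTH_SOCK=...; export SSH_AUTH_SOCK; ...
  [ -n "$SSH_AUTH_SOCK" ]
}

# ensure_agent: reuse the saved agent if it is alive, otherwise start a fresh one.
ensure_agent() {
  load_agent_env "$AGENT_ENV" && agent_alive && return 0
  ( umask 077; ssh-agent -s > "$AGENT_ENV" ) || return 1   # file names the socket: keep it private
  load_agent_env "$AGENT_ENV"
}

# ensure_key KEYFILE: add the key (prompting for the passphrase) only if not loaded yet.
ensure_key() {
  fp=$(ssh-keygen -lf "$1" | awk '{print $2}')            # fingerprint of the key file
  ssh-add -l 2>/dev/null | grep -qF -- "$fp" && return 0
  ssh-add -t "$KEY_LIFETIME" "$1"
}

if [ -n "$1" ]; then
  ensure_agent && ensure_key "$1"
fi
```

The agent only ever hands out signatures, never the key itself, which is why this is safer than an empty passphrase even on a shared workstation; the lifetime limit covers the case where you forget to lock the screen.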
Disable root login on a server
For publicly reachable servers it is recommended to prohibit root SSH login. Put the following line in /etc/ssh/sshd_config, check the file with sshd -t, and restart sshd.
PermitRootLogin no
Just remember that every user who shall be permitted to switch to root with su must be a member of the wheel group (OpenBSD and the other BSDs refuse su to root for anyone else), or have sudo or doas rights, otherwise nobody can become root over SSH any more. Put the line before any Match block, because sshd uses the first value it reads for a keyword.
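Two things make a "PermitRootLogin no" line ineffective in practice: sshd keeps the first value it reads for a keyword, and Include files are read at the point where the Include line stands, so a drop-in pulled in at the top of the main file silently wins over a setting further down. The script below is an added example (mine, not from the page) that reports the value sshd will actually use from the global section of a config file; the sample files it builds, including a drop-in named 50-cloud-init.conf, are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: which value does sshd actually use for a keyword?
# Usage: sh sshd-effective.sh /etc/ssh/sshd_config PermitRootLogin

# sshd_effective FILE KEYWORD: print the global value; return 1 if none is set before
# a Match block (anything after Match is conditional and not reported here).
sshd_effective() {
  want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')       # keywords are case-insensitive
  scan_file "$1"
}

scan_file() {
  while IFS= read -r line || [ -n "$line" ]; do
    line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    case $line in ''|\#*) continue ;; esac
    # keyword and argument are separated by blanks or a single '='; quotes are optional
    kw=$(printf '%s' "$line" | sed 's/[[:space:]=].*//' | tr 'A-Z' 'a-z')
    arg=$(printf '%s' "$line" | sed 's/^[^[:space:]=]*[[:space:]=]*//; s/^"\(.*\)"$/\1/')
    case $kw in
      match)
        echo "no global $want in $1 before a Match block; later settings are conditional" >&2
        return 1 ;;
      include)
        for inc in $arg; do                                   # unquoted: the shell expands the glob
          case $inc in /*) ;; *) inc=/etc/ssh/$inc ;; esac   # relative paths resolve against /etc/ssh
          [ -r "$inc" ] && scan_file "$inc" && return 0      # first value found anywhere wins
        done ;;
      "$want")
        echo "$arg"; return 0 ;;
    esac
  done < "$1"
  return 1
}

# make_sample_config DIR: constructed files showing the drop-in overriding the main file.
make_sample_config() {
  mkdir -p "$1/sshd_config.d"
  printf 'PermitRootLogin yes\n' > "$1/sshd_config.d/50-cloud-init.conf"
  {
    echo "Include $1/sshd_config.d/*.conf"
    echo "PermitRootLogin no"
    echo "PasswordAuthentication no"
    echo "Match User backup"
    echo "    PasswordAuthentication yes"
  } > "$1/sshd_config"
  printf 'Match Address 10.0.0.0/8\n    PermitRootLogin yes\n' > "$1/sshd_config.late"
}

if [ -n "$1" ]; then
  sshd_effective "$1" "${2:-PermitRootLogin}"
fi
```

On the live server, sshd -T prints the configuration sshd itself computes (and sshd -T -C user=root,addr=203.0.113.5 evaluates Match blocks for a given connection); this script is for reviewing config files offline, for instance in a repository before they are deployed.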
SSH tunnel via external host to internal
Set up an SSH tunnel from an external machine (remote) to an internal node (backup) via an externally reachable firewall (lounge.se) that can talk to both.
ssh -N -L 2200:backup:22 peter@lounge.se
This makes ssh on the external machine listen on port 2200 (on the loopback interface, by default) and carry every connection to it through the SSH session to lounge.se, which then opens a connection to port 22 on the internal server. -N means "no remote command", only the forward. Add the -f option to put the tunnel in the background when used in scripts, together with -o ExitOnForwardFailure=yes so the script notices when port 2200 could not be bound.
To connect to the internal server through the tunnel, on the external machine where the tunnel was started, connect to the local port.
ssh -p 2200 share@localhost # OR on OpenBSD ...
ssh -p 2200 share@127.0.0.1
ssh records the internal server's host key under [localhost]:2200 in known_hosts; adding -o HostKeyAlias=backup files it under the real name instead.
A -L listener only exists on the machine where ssh was started. To reach it as lounge.se port 2200 from other external hosts, the forward has to run on the firewall itself and be bound to its external address (ssh's -g option, or an explicit bind address in the -L argument), and port 2200 must be opened in the firewall.
ssh -p 2200 share@lounge.se
This connects directly to the internal server from an external host.
Note: The same can be achieved without any ssh process on the firewall by redirecting port 2200 to backup port 22 with an rdr rule in the pf firewall.
You may also use port 22 locally if you like, but binding a port below 1024 needs root (on a Mac and on any other Unix), and it only works when no local sshd already occupies port 22.
ssh -N -L 22:internal:22 peter@lounge.se
Then the default SSH port can be used when connecting from the external host. Be aware that known_hosts then stores the internal server's key under the name localhost, which will clash with the local machine's own host key if a local sshd ever runs.
ssh share@localhost
If you want to avoid entering passwords, install your public key on both the firewall (the peter account) and the internal server (the share account): two SSH logins are involved, one per hop.
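The following is an added example (my script, not code from the original page) that runs the forward above the way a script should: backgrounded, with a control socket so the tunnel can be checked and torn down cleanly, and failing loudly when the local port cannot be bound. The user and host names are the page's; the control socket path, the environment-variable knobs and HostKeyAlias are my additions.

```shell
#!/bin/sh
# Added example: manage the 2200 -> backup:22 forward via lounge.se from a script.
# Usage: sh tunnel.sh up | status | connect | down

LOCAL_PORT=${LOCAL_PORT:-2200}
TARGET=${TARGET:-backup}          # internal server, as seen from the firewall
TARGET_PORT=${TARGET_PORT:-22}
TARGET_USER=${TARGET_USER:-share}
GATEWAY=${GATEWAY:-peter@lounge.se}
SOCK=${SOCK:-$HOME/.ssh/tunnel-$LOCAL_PORT.sock}   # ControlMaster socket for this tunnel

# forward_spec LPORT HOST PORT: the -L argument. The explicit 127.0.0.1 bind address
# keeps the listener off the external interface even if GatewayPorts is ever enabled.
forward_spec() { echo "127.0.0.1:$1:$2:$3"; }

# need_root PORT: ports below 1024 can only be bound by root, on macOS as on any Unix.
need_root() { [ "$1" -lt 1024 ]; }

tunnel_up() {
  if need_root "$LOCAL_PORT" && [ "$(id -u)" -ne 0 ]; then
    echo "local port $LOCAL_PORT needs root" >&2; return 1
  fi
  # -f: background after authentication; -N: no remote command; -M/-S: control socket.
  # ExitOnForwardFailure makes ssh exit non-zero when the port is already taken instead
  # of staying up without the forward; ServerAliveInterval lets a dead tunnel die.
  ssh -f -N -M -S "$SOCK" \
      -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 \
      -L "$(forward_spec "$LOCAL_PORT" "$TARGET" "$TARGET_PORT")" "$GATEWAY"
}

tunnel_status() { ssh -S "$SOCK" -O check "$GATEWAY"; }
tunnel_down()   { ssh -S "$SOCK" -O exit  "$GATEWAY"; }

# tunnel_connect: log in through the tunnel. HostKeyAlias files the internal server's
# host key under its own name instead of [127.0.0.1]:2200, so it is not confused with
# whatever else may sit behind that port on another day.
tunnel_connect() {
  ssh -p "$LOCAL_PORT" -o HostKeyAlias="$TARGET" "$TARGET_USER@127.0.0.1"
}

case ${1:-} in
  up)      tunnel_up ;;
  status)  tunnel_status ;;
  connect) tunnel_connect ;;
  down)    tunnel_down ;;
esac
```

For interactive use, OpenSSH 7.3 and later make the listening port unnecessary: ssh -J peter@lounge.se share@backup (ProxyJump) opens both hops in one command, and the internal server's host key is stored under its own name without any alias tricks. Keys are still needed on both hops for a passwordless login.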