
ssh / mosh / sshuttle Cheatsheet

Basic usage

$ ssh 10.200.0.x

# as root user
$ ssh root@jumpbox

# SSH with key
$ ssh -i Keypair.pem [email protected]

# skip entering "yes" for a host seen for the first time (unlike =no, a changed host key is still rejected)
$ ssh -o StrictHostKeyChecking=accept-new ...

# run commands on the remote machine
$ ssh 10.200.0.x -o StrictHostKeyChecking=accept-new "systemctl stop containerd; systemctl stop kubelet; rm -rf /etc/kubernetes"

Password-less SSH

Keypair: one public key and one private key. The local machine holds the private one, the remote machine the public one.

  • Remote: the public keys are stored in ~/.ssh/authorized_keys on the remote machine.
  • Local: use ssh -i myPrivateKey foo@baz to specify which private key to use (here myPrivateKey).
    • If you use a public cloud such as Amazon AWS, you will typically download a file like Keypair.pem from the platform; it is actually the private key.
    • If you use ssh-keygen, two files are generated; the one without the .pub suffix is the private key.
    • If you do not specify a private key file with -i, ssh looks for its default key files under ~/.ssh (such as ~/.ssh/id_rsa).

.ssh/config

Specify User and IdentityFile

Host foo
    HostName 10.xx.xx.xx
    User root
    IdentityFile /path/to/key.pem

then

$ ssh foo

Equivalent to

$ ssh -i /path/to/key.pem [email protected]

2 Hops: ProxyCommand

Host hop1
    Hostname hop1.example.com
    User root

Host hop2
    ProxyCommand ssh -q hop1 nc hop2.example.com 22

where -q is quiet mode (suppresses most warnings and diagnostics), 22 is the SSH port, and nc (netcat), running on hop1, opens a TCP connection to hop2.example.com port 22 and relays it over the first SSH session, so ssh hop2 reaches hop2 through hop1.

Tunnel

local -> foo.example.com -> bar.example.com

~/.ssh/config

Host bar
    HostName bar.example.com
    ProxyCommand nc -X 5 -x localhost:9999 %h %p
    User username
  • nc: the OpenBSD netcat, a general tool for TCP/UDP connections (the -X/-x options below are specific to that implementation)
  • -X 5: use SOCKS version 5 to reach the target
  • -x localhost:9999: go through the SOCKS proxy listening on localhost:9999 (the ssh -D tunnel started by tunnel.sh below); %h and %p are replaced by the target host and port

tunnel.sh

#!/usr/bin/env bash

# Start the SOCKS proxy only if nothing is listening on port 9999 yet.
# Match ":9999 " so that e.g. port 19999 does not count as a hit.
if ! netstat -nlt 2>/dev/null | grep -q ':9999 '; then
    # -D opens a dynamic (SOCKS) forward. Bind it to loopback only: the
    # ProxyCommand above connects via localhost:9999, and a 0.0.0.0 bind
    # would offer the proxy to every host that can reach this machine.
    # -f backgrounds ssh after authentication, -N runs no remote command.
    ssh -D 127.0.0.1:9999 -f -N [email protected]
fi
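As an added example (not part of the original cheatsheet), here is a more careful version of the port check used in tunnel.sh. It reads the output of ss -Hltn (State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port), matches the port exactly instead of with a loose grep, and reports whether a listener is bound to loopback or to all interfaces, which is the difference between a private SOCKS proxy and one the whole network can use. The sample ss output is constructed; ensure_socks_proxy assumes ss from iproute2 and the username / foo.example.com names used elsewhere on this page.

```shell
#!/usr/bin/env sh

# Constructed sample of `ss -Hltn` output (State Recv-Q Send-Q Local Peer),
# used so the functions below can be exercised offline.
SAMPLE_SS='LISTEN 0 128 127.0.0.1:9999 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 128 [::1]:9999 [::]:*
LISTEN 0 4096 *:22 *:*'

# Print the local address of every listener on port $1 (ss output on stdin).
# The port is the text after the last ':' so IPv6 forms like "[::1]:9999" work.
listeners_on_port() {
  awk -v p="$1" '{ n = split($4, a, ":"); if (a[n] == p) print $4 }'
}

# Exit 0 if something listens on port $1 (ss output on stdin).
port_is_listening() {
  [ -n "$(listeners_on_port "$1")" ]
}

# Exit 0 if a listener on port $1 is bound to a wildcard address
# (0.0.0.0, [::] or *), i.e. reachable from other hosts, not only loopback.
wildcard_listener() {
  listeners_on_port "$1" | grep -Eq '^(0\.0\.0\.0|\[::\]|\*):'
}

# Real-world use (assumes iproute2 `ss` and the page's username@foo.example.com):
# start the SOCKS forward on loopback only when nothing already listens there,
# and warn if an existing listener is exposed on every interface.
ensure_socks_proxy() {
  port="${1:-9999}"
  if ss -Hltn | port_is_listening "$port"; then
    if ss -Hltn | wildcard_listener "$port"; then
      echo "warning: port $port is bound on all interfaces" >&2
    fi
  else
    ssh -D "127.0.0.1:$port" -f -N username@foo.example.com
  fi
}
```

Run ensure_socks_proxy from a shell that sources the file; the parsing functions take the ss output on stdin so they can also be tested against captured output.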

SSH Troubleshooting

UNPROTECTED PRIVATE KEY FILE!

Error:

$ ssh <something>
The authenticity of host '10.xxx.xxx.xxx (10.xxx.xxx.xxx)' can't be established.
RSA key fingerprint is xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.xxx.xxx.xxx' (RSA) to the list of known hosts.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for '/path/to/key.pem' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /path/to/key.pem

Solution

$ chmod 600 /path/to/key.pem
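The following is an added example rather than code from the cheatsheet. It covers both the "Password-less SSH" section above (which key file is the private one) and this error: a small pre-flight check that finds private keys in a directory (files with a .pub sibling, plus *.pem files as downloaded from AWS), reports any whose mode is not 600 or 400, and can tighten them. It relies only on stat and chmod; the GNU stat form is tried first with the BSD form as a fallback.

```shell
#!/usr/bin/env sh

# Octal permission bits of file $1 (GNU stat, falling back to BSD stat).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Exit 0 if file $1 has a mode ssh will accept for a private key: 600 or 400.
key_perms_ok() {
  case "$(file_mode "$1")" in
    600|400) return 0 ;;
    *)       return 1 ;;
  esac
}

# Tighten key $1 to 600 if needed; print the mode it had before.
fix_key_perms() {
  old=$(file_mode "$1")
  key_perms_ok "$1" || chmod 600 "$1"
  echo "$old"
}

# Check every private key in directory $1: a file whose .pub sibling exists,
# or any *.pem file. Prints one line per offending key, exit 1 if any found.
check_key_dir() {
  dir="$1"; bad=0
  for pub in "$dir"/*.pub; do
    [ -e "$pub" ] || continue
    key="${pub%.pub}"
    [ -e "$key" ] || continue
    key_perms_ok "$key" || { echo "too open: $key ($(file_mode "$key"))"; bad=1; }
  done
  for key in "$dir"/*.pem; do
    [ -e "$key" ] || continue
    key_perms_ok "$key" || { echo "too open: $key ($(file_mode "$key"))"; bad=1; }
  done
  return $bad
}
```

Typical use is check_key_dir ~/.ssh before connecting; fix_key_perms applies the same chmod 600 as the solution above to a single file.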

REMOTE HOST IDENTIFICATION HAS CHANGED

Symptom

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
bc:95:f9:a4:....:45:ad:89.
Please contact your system administrator.

Problem: the fingerprint changed

In my case: I terminated an EC2 instance and started another one, while the IP remained the same.

Solution:

$ rm ~/.ssh/known_hosts
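Deleting the whole known_hosts file also throws away the verified fingerprints of every other host. As an added example (not from the original cheatsheet), the function below removes only the entries for the host whose key changed; ssh-keygen -R <host> does the same job and additionally handles hashed entries, this version just shows the logic in plain awk. The sample known_hosts content is constructed and the key material is a placeholder. After removing the stale entry, check the new fingerprint against one obtained out of band (for example from the instance console) before answering "yes" to the next connection prompt.

```shell
#!/usr/bin/env sh

# Write a constructed sample known_hosts file to $1 (placeholder keys).
make_sample_known_hosts() {
  cat > "$1" <<'EOF'
bastion.example.com,10.200.0.5 ssh-ed25519 AAAAC3PLACEHOLDERKEY1
10.200.0.7 ssh-rsa AAAAB3PLACEHOLDERKEY2
|1|PLACEHOLDERSALT=|PLACEHOLDERHASH= ssh-ed25519 AAAAC3PLACEHOLDERKEY3
EOF
}

# Remove every plain-text entry for host $2 from known_hosts file $1.
# The first field may list several names/IPs separated by commas; a line is
# dropped only if one of them equals the host exactly. Hashed lines (|1|...)
# cannot be matched without ssh-keygen, so they are kept untouched.
forget_host() {
  file="$1"; host="$2"; tmp="$file.tmp"
  awk -v h="$host" '
    substr($1, 1, 3) == "|1|" { print; next }
    {
      n = split($1, names, ",")
      keep = 1
      for (i = 1; i <= n; i++) if (names[i] == h) keep = 0
      if (keep) print
    }
  ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Number of entries left in known_hosts file $1.
count_entries() {
  wc -l < "$1" | tr -d ' '
}
```

Usage on a real file: forget_host ~/.ssh/known_hosts 10.xxx.xxx.xxx, then reconnect and compare the fingerprint shown with the one you verified independently.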

Cannot ssh as root

Check current setting

$ grep Root /etc/ssh/sshd_config

Edit /etc/ssh/sshd_config and set the PermitRootLogin option to yes (prohibit-password, the current OpenSSH default, lets root log in with a key but not with a password, and is the safer choice if that is all you need):

$ sed -i 's/^#PermitRootLogin.*/PermitRootLogin yes/' /etc/ssh/sshd_config

Note that this only rewrites the commented-out default line; if the file already contains an explicit PermitRootLogin line, change that one instead, because sshd uses the first value it reads for each keyword.

Restart the SSH server (the unit is called sshd on RHEL-style distributions) to pick up the updated configuration file:

$ systemctl restart ssh

Try again ssh [email protected].
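Because sshd keeps the first value it reads for a keyword, grepping for "Root" can be misleading when the option appears more than once or inside a Match block. The added example below (not from the cheatsheet) resolves the effective value the way sshd does for the main section: comments are skipped, the first match wins, and everything after a Match line is ignored because it only applies to matching sessions. On a real host, sshd -T prints the fully resolved configuration and is the authoritative check; this parser deliberately does not follow Include directives and only handles the "Keyword value" form. The sample configuration is constructed.

```shell
#!/usr/bin/env sh

# Constructed sample sshd_config (not taken from any real host).
SAMPLE_SSHD_CONFIG='# comment line
Include /etc/ssh/sshd_config.d/*.conf
PermitRootLogin no
#PermitRootLogin prohibit-password
PasswordAuthentication yes
Match User deploy
    PermitRootLogin yes
'

# Print the effective value of keyword $1 (case-insensitive) for a config
# read on stdin: first value wins, comments/blank lines are ignored, and
# anything after a Match line is conditional and therefore skipped.
effective_option() {
  awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ || NF == 0 { next }
    { key = tolower($1) }
    key == "match" { in_match = 1 }
    in_match { next }
    key == want { print $2; exit }
  '
}

# Exit 0 when root cannot log in with a password according to the config on
# stdin. An unset PermitRootLogin means the OpenSSH default, prohibit-password.
root_login_is_restricted() {
  v=$(effective_option PermitRootLogin)
  case "${v:-prohibit-password}" in
    no|prohibit-password|without-password) return 0 ;;
    *) return 1 ;;
  esac
}
```

Usage: effective_option PermitRootLogin < /etc/ssh/sshd_config, or root_login_is_restricted < /etc/ssh/sshd_config as a quick audit step.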

Cannot ssh to server

Try to reinstall openssh-server:

$ sudo apt-get purge openssh-server
$ sudo apt-get install openssh-server

Creating config file /etc/ssh/sshd_config with new version
Created symlink /etc/systemd/system/sockets.target.wants/ssh.socket → /usr/lib/systemd/system/ssh.socket.
Created symlink /etc/systemd/system/ssh.service.requires/ssh.socket → /usr/lib/systemd/system/ssh.socket.
Setting up ssh-import-id

sshuttle

sshuttle lets you create a VPN-like connection from your machine to any remote server that you can reach over ssh.

You must have root access on the local machine, but you can have a normal account on the server.

mosh

Use mosh instead of ssh

https://mosh.org/

mosh + tmux

$ mosh -6 [dev-server-address or ssh alias] -- tmux a

You can create an alias in your bash profile so you don't need to type the above command:

alias dev="mosh -6 [dev-server-address or ssh alias] -- tmux a"

Detached Sessions

You may see messages like this:

Mosh: You have a detached Mosh session on this server (mosh [12345]).

For security reasons, you cannot reattach.

To kill the session:

$ kill 12345

To kill all mosh connections:

$ kill $(pidof mosh-server)

Alternative: Eternal Terminal (et) https://github.com/MisterTea/EternalTerminal