SSH

Updated: 2018-11-30

SSH with key

$ ssh -i Keypair.pem [email protected]

Password-less SSH

Keypair: one public key and one private key. The local machine holds the private one and the remote machine holds the public one; if the two match (the client proves it owns the private key belonging to a public key the server trusts), you are connected!

  • Remote: the public keys are stored in ~/.ssh/authorized_keys. Note the plural "keys": the file can hold not only your public key but also many others.
  • Local: use ssh -i myPrivateKey [email protected] to specify which private key to use (in this case myPrivateKey)

    • if you are using Amazon AWS, OpenStack or a similar platform, you will probably get a file like Keypair.pem from the platform; it is actually a private key.
    • if you are using ssh-keygen, 2 files will be generated; the one without .pub is the private key

And here is the magic: if you do not specify which private key file to use (-i), ssh looks for the default file ~/.ssh/id_rsa!

Specify IdentityFile for Host

To specify an IdentityFile other than the default, edit ~/.ssh/config

Host heroku.com
    HostName heroku.com
    IdentityFile /path/to/another/private-key

when you use git to talk to the remote repository git@heroku.com:myapp.git, it will use the specified key instead.

WARNING: UNPROTECTED PRIVATE KEY FILE!

Error:

$ ssh <something>
The authenticity of host '10.xxx.xxx.xxx (10.xxx.xxx.xxx)' can't be established.
RSA key fingerprint is xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.xxx.xxx.xxx' (RSA) to the list of known hosts.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for '/path/to/key.pem' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /path/to/key.pem

Solution

$ chmod 600 /path/to/key.pem
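The check behind that warning is simple: ssh refuses a private key file whose group or other permission bits are set at all, so 0600 and 0400 pass while 0644 fails. The script below is an added example, not part of the original note; it reproduces that check and runs chmod 600 only when the mode is actually too open, so it can be pointed at a key file (or run over all of them) without touching files that are already fine. The helper names are my own; it uses GNU stat with a BSD stat fallback.

```shell
#!/usr/bin/env sh
# Added example, not from the original note: reproduce the check behind the
# "UNPROTECTED PRIVATE KEY FILE" warning and repair the mode only when needed.
# ssh rejects a private key if any group or other permission bit is set
# (mode & 077 != 0): 0600 and 0400 pass, 0644 from the error above fails.

# _file_mode FILE -> octal permission bits, e.g. 644 (GNU stat, BSD stat fallback)
_file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# key_mode_ok FILE -> exit 0 if ssh would accept the file's mode, 1 otherwise
key_mode_ok() {
    mode=$(_file_mode "$1") || return 1
    case "$mode" in
        *00|0) return 0 ;;        # group and other digits are both zero (000 prints as "0")
        *)     return 1 ;;
    esac
}

# fix_key_mode FILE -> chmod 600 when the check fails; prints what happened
fix_key_mode() {
    if key_mode_ok "$1"; then
        echo "ok: $1 ($(_file_mode "$1"))"
    else
        chmod 600 "$1" && echo "fixed: $1 -> 600"
    fi
}

# usage: fix_key_mode /path/to/key.pem
```

Running fix_key_mode over every file in ~/.ssh that is not a .pub key is a quick way to catch a key that was copied with the wrong mode before ssh silently ignores it.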

.ssh/config

Specify User and IdentityFile

Host example1
    HostName 10.xx.xx.xx
    User root
    IdentityFile /path/to/key.pem

Equivalent to

$ ssh -i /path/to/key.pem root@10.xx.xx.xx

2 Hops

Host hop1
    Hostname hop1.example.com
    User root

Host hop2
    ProxyCommand ssh -q hop1 nc hop2.example.com 22

where -q is quiet mode (suppress warnings and diagnostics), 22 is the SSH port, and nc (netcat) running on hop1 opens the TCP connection to hop2.example.com:22 that your local ssh then talks through.

Tunnel

local -> foo.example.com -> bar.example.com

~/.ssh/config

Host bar
    HostName bar.example.com
    ProxyCommand nc -X 5 -x localhost:9999 %h %p
    User username

  • nc: netcat, a general-purpose TCP/UDP tool
  • -X 5: use SOCKS version 5
  • -x localhost:9999: connect to %h:%p (the host and port ssh fills in) through the SOCKS proxy listening on localhost:9999

tunnel.sh

#!/usr/bin/env bash
# Start a SOCKS proxy on local port 9999 through foo.example.com unless one is
# already listening there, so the script is safe to run repeatedly.
if ! netstat -nlp 2>/dev/null | grep -q ':9999 '; then
    # -D: dynamic (SOCKS) forwarding, -f: go to background, -N: run no remote command.
    # 0.0.0.0 makes the proxy reachable from every host that can reach this machine;
    # bind to 127.0.0.1:9999 instead if only this machine (as in the config above) uses it.
    # "username" is a placeholder for your account on foo.example.com.
    ssh -D 0.0.0.0:9999 -f -N username@foo.example.com
fi

SSH error

Symptom

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
bc:95:f9:a4:....:45:ad:89.
Please contact your system administrator.

Problem: the fingerprint changed

In my case: terminated an EC2 instance and started another one, while the IP remained the same.

Solution:

$ rm ~/.ssh/known_hosts
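Deleting the whole file also throws away the fingerprints you have already verified for every other host, so the next connection to each of them is back to a blind "yes". The script below is an added example, not from the original note, that removes only the lines vouching for the one host whose key legitimately changed and keeps a backup. It assumes plain (unhashed) known_hosts entries; lines hashed by HashKnownHosts start with "|1|" and cannot be matched by hostname this way, which is what ssh-keygen -R <host> is for. The function names and the sample file are mine.

```shell
#!/usr/bin/env sh
# Added example, not from the original note: instead of deleting the whole
# known_hosts file, remove only the entry for the host whose key changed, so the
# fingerprints already verified for every other host stay in place.
# Assumptions: entries are in plain (unhashed) form "host[,host...] keytype key";
# an optional leading @cert-authority/@revoked marker is skipped.  Entries hashed
# by HashKnownHosts start with "|1|" and cannot be matched this way; the real
# tool for those is: ssh-keygen -R <host> -f ~/.ssh/known_hosts

# _kh_filter list|drop HOST FILE -> "list" prints the lines for HOST, "drop"
# prints every other line (comments and blank lines are kept in drop mode)
_kh_filter() {
    awk -v mode="$1" -v host="$2" '
        function covers(field,    n, names, i, name) {
            n = split(field, names, ",")
            for (i = 1; i <= n; i++) {
                name = names[i]
                sub(/^\[/, "", name); sub(/\]:[0-9]+$/, "", name)   # [host]:port form
                if (name == host) return 1
            }
            return 0
        }
        /^[[:space:]]*#/ || NF == 0 { if (mode == "drop") print; next }
        {
            hit = covers(($1 ~ /^@/) ? $2 : $1)
            if (mode == "list" && hit)  print
            if (mode == "drop" && !hit) print
        }' "$3"
}

# known_hosts_entries HOST FILE -> the lines that currently vouch for HOST
known_hosts_entries() { _kh_filter list "$1" "$2"; }

# known_hosts_forget HOST FILE -> rewrite FILE without HOST (backup in FILE.old)
# and print how many lines were removed
known_hosts_forget() {
    cp "$2" "$2.old"
    _kh_filter drop "$1" "$2.old" > "$2"
    echo $(( $(wc -l < "$2.old") - $(wc -l < "$2") ))
}

# make_sample_known_hosts FILE -> constructed sample (the key blobs are not real keys)
make_sample_known_hosts() {
    cat > "$1" <<'EOF'
# constructed sample; the key blobs are not real keys
10.0.0.5 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDKEY0001
bastion.example.com,10.0.0.1 ssh-rsa AAAAB3NzaC1yc2ECONSTRUCTEDKEY0002
[git.example.com]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDKEY0003
EOF
}

# usage, after a "REMOTE HOST IDENTIFICATION HAS CHANGED" for 10.0.0.5 whose
# rebuild you can account for:  known_hosts_forget 10.0.0.5 ~/.ssh/known_hosts
```

Before forgetting anything, known_hosts_entries shows exactly which lines will go; the new fingerprint shown in the warning should then be compared with one obtained out of band (the cloud console's instance log, or ssh-keygen -lf on the server's host key file) before answering "yes" again.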

~/.ssh/config

Host <alias>
    HostName <host_name or IP>
    User <user_name>
    IdentityFile /path/to/private/key.pem

For example

Host foo
    HostName 10.xxx.xxx.xxx
    User stack
    IdentityFile /path/to/private/key.pem

then

$ ssh foo

is essentially the same as

$ ssh -i /path/to/private/key.pem stack@10.xxx.xxx.xxx
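To make that equivalence concrete for both the "Host example1" block earlier and the "Host foo" block here, the script below is an added example (not from the original note) that reads an ssh_config-style file and prints the plain ssh command line an alias expands to. It is a simplified reader, not ssh's own parser: it knows Host, HostName, User, IdentityFile and Port in "Keyword value" form, a Host line may list several names and "*" matches everything, and, as in ssh_config, the first value found for a keyword wins, so a "Host *" block at the end only supplies defaults. The function names and the sample config are mine.

```shell
#!/usr/bin/env sh
# Added example, not from the original note: expand a Host alias from an
# ssh_config-style file into the plain "ssh -i KEY USER@HOST" command it stands
# for.  Assumptions: simplified reader for Host, HostName, User, IdentityFile and
# Port in "Keyword value" form; a Host line may list several names and "*"
# matches everything; the first value found for a keyword wins (as in ssh_config).

# ssh_equivalent ALIAS CONFIGFILE -> prints the equivalent ssh command line
ssh_equivalent() {
    awk -v alias="$1" '
        /^[[:space:]]*#/ || NF == 0 { next }
        {
            key = tolower($1)
            if (key == "host") {                    # new block: does it apply to alias?
                in_block = 0
                for (i = 2; i <= NF; i++)
                    if ($i == alias || $i == "*") in_block = 1
                next
            }
            if (!in_block || (key in v)) next       # first match wins; later blocks cannot override
            if (key == "hostname" || key == "user" || key == "identityfile" || key == "port")
                v[key] = $2
        }
        END {
            host = ("hostname" in v) ? v["hostname"] : alias
            cmd = "ssh"
            if ("identityfile" in v) cmd = cmd " -i " v["identityfile"]
            if ("port" in v)         cmd = cmd " -p " v["port"]
            if ("user" in v)         host = v["user"] "@" host
            print cmd " " host
        }' "$2"
}

# make_sample_ssh_config FILE -> constructed config mirroring the "Host foo" block above
make_sample_ssh_config() {
    cat > "$1" <<'EOF'
# constructed sample config
Host foo
    HostName 10.0.0.7
    User stack
    IdentityFile /path/to/private/key.pem

Host git.example.com
    Port 2222
    IdentityFile ~/.ssh/git_key

Host *
    User fallback
EOF
}

# usage: ssh_equivalent foo ~/.ssh/config
```

For the sample config, ssh_equivalent foo prints "ssh -i /path/to/private/key.pem stack@10.0.0.7", and an alias with no block of its own only picks up the User from "Host *". The real ssh -G <alias> prints the fully resolved configuration and is the authoritative way to check what a config file does.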