Jump to content
Not connected, Your IP: 3.133.139.28
Sign in to follow this  
cm0s

How To SSH

Recommended Posts

serverbox is 192.168.1.103
clientbox is 192.168.1.100

if you have a current ssh install
back files up and do a new install:

# systemctl stop sshd
# mv /etc/ssh ~/sshbkup
# mv ~/.ssh ~/.sshbkup
# pacman -S --noconfirm openssh nmap

check the files in /etc/ssh:
# ls /etc/ssh
moduli  ssh_config  sshd_config

# cp /etc/ssh/sshd_config ~/sshd_configbkup
# cp /etc/ssh/ssh_config ~/ssh_configbkup

on the serverbox create user servz:
# useradd -m -g users -G wheel -s /bin/bash servz
# passwd servz
enter new password twice

on the clientbox create user clyz:
# useradd -m -g users -G wheel -s /bin/bash clyz
# passwd clyz
enter new password twice

on the serverbox create ssh directory:
# mkdir /home/servz/.ssh
# touch /home/servz/.ssh/authorized_keys
# chown -R servz:wheel authorized_keys
# ls -l /home/servz/.ssh/authorized_keys
-rw-r--r-- 1 servz wheel 735 Jul 30 15:10 authorized_keys
# mkdir /home/servz/sshfilez
# chown -R servz:wheel /home/servz/sshfilez


on the clientbox create ssh directory:
# mkdir /home/clyz/.ssh
# touch /home/clyz/.ssh/authorized_keys
# chown -R clyz:wheel authorized_keys
# ls -l /home/clyz/.ssh/authorized_keys
-rw-r--r-- 1 clyz wheel 735 Jul 30 15:10 authorized_keys
# mkdir /home/clyz/sshfilez
# chown -R clyz:wheel /home/clyz/sshfilez

check yer local and destination...
# nmap -sS -O -p22 IPHERE
# iptables -nL | grep 22

nmap should show this on both boxes:
PORT   STATE SERVICE
22/tcp open  ssh

since the serverbox is 192.168.1.103
and the clientbox is 192.168.1.100
set iptables for each box accordingly
this allows only xyz ip to port 22

# iptables -I INPUT -p tcp --dport 22 -s IPHERE -j ACCEPT 
# iptables -A INPUT -p tcp --dport 22 -j REJECT

verify:
#  iptables -nL | grep 22
ACCEPT tcp -- 192.168.1.103 0.0.0.0/0 tcp dpt:22
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 
reject-with icmp-port-unreachable

start ssh on both boxes:
# systemctl start sshd
verify:
# systemctl status sshd 
Active: active (running)

do a login from the clientbox:
# ssh -p 22 servz@192.168.1.103
type yes and enter the password
root > ssh -p 22 servz@192.168.1.103
The authenticity of host '192.168.1.103 (192.168.1.103)' can't be established.
ECDSA key fingerprint is SHA256:nTXLL8Z/i7sumshitcodekeystuffherebruhright.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.103' (ECDSA) to the list of known hosts.
servz@192.168.1.103's password: 
[servz@h0stm0st ~]$ exit
logout
Connection to 192.168.1.103 closed.

repeat for the serverbox:
# ssh -p 22 clyz@192.168.1.100

the previous was a basic login password only
without key authentication/non-root using a 
stock ssh config if you need root type su
or use sudo after login for wan/vps access

if needed to remove a user account:
# userdel username
# rm -r /home/username

for key authentication only
login from the clientbox:
# ssh -p 22 servz@192.168.1.103
enter the password for the user servz
[servz@h0stm0st ~]$

gen the key with sudo and no password:
# sudo ssh-keygen -t rsa -b 4096 -P ''
again enter the password for the user servz
hit enter for default location
[servz@h0stm0st ~]$ sudo ssh-keygen -t rsa -b 4096 -P ''

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for servz: 
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:sumkeystuffshowzherebruhFmdYX2XpGpD8lsVRIfs root@h0stm0st
The key's randomart image is:
+---[RSA 4096]----+
|          =BX..o@|
|         ..@.=o* |
|    .     o O.*  |
|   o .     . O.. |
|  nofuxway. . oE |
| . = =   +   .   |
|  + . + +        |
|   . . + o       |
|    .   o        |
+----[SHA256]-----+
[servz@h0stm0st ~]$ exit

banner for serverbox:
# cat <<-EOF > /home/servz/.ssh/servz.motd
     Welcome 2 serverbox
     we all float down here
EOF

banner for clientbox:
# cat <<-EOF > /home/clyz/.ssh/clyz.motd
     Welcome 2 clientbox
     we all float down here
EOF

from serverbox:
# cat ~/.ssh/id_rsa.pub | ssh clyz@192.168.1.100 'cat >> /home/clyz/.ssh/authorized_keys && echo "key copied to clientbox"'
root > cat ~/.ssh/id_rsa.pub | ssh clyz@192.168.1.100 'cat >> /home/clyz/.ssh/authorized_keys && echo "key copied to clientbox"'
servz@192.168.1.100's password: 
key copied to clientbox
root > 

from clientbox:
# cat ~/.ssh/id_rsa.pub | ssh servz@192.168.1.103 'cat >> /home/servz/.ssh/authorized_keys && echo "key copied to serverbox"'
root > cat ~/.ssh/id_rsa.pub | ssh servz@192.168.1.103 'cat >> /home/servz/.ssh/authorized_keys && echo "key copied to serverbox"'
servz@192.168.1.103's password: 
key copied to serverbox
root > 

stop sshd on both boxes:
# systemctl stop sshd

set banner on serverbox:
# grep --null -lr "#Banner none" /etc/ssh/sshd_config | xargs --null sed -i 's|#Banner none|Banner /home/servz/.ssh/servz.motd|g' /etc/ssh/sshd_config

set banner on clientbox:
# grep --null -lr "#Banner none" /etc/ssh/sshd_config | xargs --null sed -i 's|#Banner none|Banner /home/clyz/.ssh/clyz.motd|g' /etc/ssh/sshd_config

set key only each box:
# grep --null -lr "#PubkeyAuthentication yes" /etc/ssh/sshd_config | xargs --null sed -i 's/#PubkeyAuthentication yes/PubkeyAuthentication yes/g' /etc/ssh/sshd_config

on each box disable passwords for the ssh client:
# grep --null -lr "#   PasswordAuthentication yes" /etc/ssh/ssh_config | xargs --null sed -i 's/#   PasswordAuthentication yes/#   PasswordAuthentication no/g' /etc/ssh/ssh_config

on serverbox:
# chown -R servz:wheel /home/servz/.ssh/servz.motd

on clientbox:
# chown -R clyz:wheel /home/clyz/.ssh/clyz.motd

start sshd on both boxes:
# systemctl start sshd

verify:
# systemctl status sshd 
Active: active (running)

login key only custom banner from clientbox
with example gaining root with root password:
root > ssh -p 22 servz@192.168.1.103
     Welcome 2 serverbox
     we all float down here
Last login: Sun Jul 30 15:47:26 2017 from 192.168.1.100
[servz@h0stm0st ~]$ su
Password: 
root > pwd
/home/servz
root > exit
exit
[servz@h0stm0st ~]$ exit
logout
Connection to 192.168.1.103 closed.

create a test file on the clientbox:
# cat <<-EOF > /home/clyz/sshfilez/file2server.md
     this is a text document to 
     transfer to the server
EOF

transfer the file to the serverbox: 
# scp /home/clyz/sshfilez/file2server.md servz@192.168.1.103:/home/servz/sshfilez

from the clientbox you should see this:
root > pwd
/home/clyz/sshfilez
root > cat <<-EOF > /home/clyz/sshfilez/file2server.md
>      this is a text document to 
>      transfer to the server
> EOF
root > scp /home/clyz/sshfilez/file2server.md servz@192.168.1.103:/home/servz/sshfilez
     Welcome 2 serverbox
     we all float down here
file2server.md                           100%   61    79.7KB/s   00:00    
root > 

to send a directory located on the clientbox to the serverbox:
# scp -r /home/clyz/sshfilez/files4server servz@192.168.1.103:/home/servz/sshfilez
output:
root > pwd
/home/clyz/sshfilez
root > ls
files4server
root > scp -r /home/clyz/sshfilez/files4server servz@192.168.1.103:/home/servz/sshfilez
     Welcome 2 serverbox
     we all float down here
file2server.md                           100%   61    75.6KB/s   00:00    
root >  

delete the files4server directory from the clientbox:
# rm -r files4server

to send a directory located on the serverbox back to the clientbox:
# scp -r servz@192.168.1.103:/home/servz/sshfilez/files4server /home/clyz/sshfilez
output:
root > pwd
/home/clyz/sshfilez
root > ls
root > scp -r servz@192.168.1.103:/home/servz/sshfilez/files4server /home/clyz/sshfilez
     Welcome 2 serverbox
     we all float down here
file2server.md                           100%   61    73.3KB/s   00:00    
root > ls
files4server
root >  

 

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image
Sign in to follow this  

×
×
  • Create New...