
SSH

Verify host key

ssh-keygen -l -f /etc/ssh_host_rsa_key.pub

The location may vary; it could be in /etc or /etc/ssh.

Here's a quickie script that I use for checking the key; I put this in ~/bin/sshkey:

#!/bin/sh
# Print the fingerprint(s) of this machine's SSH host public key(s).
if [ "$1" = "-a" ] || [ "$1" = "a" ]; then
        # All host public keys found under /etc
        find /etc -name 'ssh_*.pub' -exec ssh-keygen -l -f {} \; 2>/dev/null
else
        echo "Pass '-a' to this script if you want to list all public keys"
        echo "But I'm 99% sure that you want this one:"
        # Only the RSA host key
        find /etc -name 'ssh_host_rsa_key.pub' \
                -exec ssh-keygen -l -f {} \; 2>/dev/null
fi

sshfs

usage: sshfs [user@]host:[dir] mountpoint [options]

When I first tried to use sshfs, I didn't realize that the colon was required after the hostname, always. When you leave it off, it gives a "missing host" error.

To unmount:

fusermount -u local_mountpoint

Troubleshooting public key logins

I had some trouble logging in to certain machines with a public key (it would accept a password, but not the public key). It was a permissions problem. I had checked the .ssh directory and the files in it, but the user's home directory was group and world writable. There might be some option in the sshd_config to ignore this security issue when you don't care about it. I've been trying to reproduce the fix on a similar machine, to no avail so far.

Some more suggestions here: http://ramblings.narrabilis.com/wp/ssh-key-problem-troubleshooting/. In particular, these are mentioned as the maximum allowable permissions:

authorized_keys and authorized_keys2    600
.ssh                                    700
Home Directory                          711
Keys (id_dsa, id_rsa)                   600
Public Keys (id_dsa.pub, id_rsa.pub)    644
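
As an added example (not part of these notes or of the linked article), the script below audits a home directory against the maximum permissions listed above, which would have flagged the group- and world-writable home directory described earlier. It assumes GNU stat; the function names and the "TOO OPEN" output format are made up for illustration.

```sh
#!/bin/sh
# Added example (not from the original page). Assumes GNU stat (stat -L -c %a).
# Helper names and the "TOO OPEN" output format are made up for this sketch.

# exceeds MODE MAX: true if octal MODE has any permission bit that MAX lacks.
exceeds() {
    [ $(( 0$1 & ~0$2 & 07777 )) -ne 0 ]
}

# check_one PATH MAX: report PATH if it exists and is more open than MAX.
check_one() {
    [ -e "$1" ] || return 0              # absent files are not a violation
    mode=$(stat -L -c %a "$1") || return 0
    if exceeds "$mode" "$2"; then
        echo "TOO OPEN: $1 is $mode, maximum is $2"
        return 1
    fi
}

# check_ssh_perms HOME_DIR: audit HOME_DIR against the table above.
# Prints one line per violation; returns 0 if clean, 1 otherwise.
check_ssh_perms() {
    rc=0
    check_one "$1" 711 || rc=1
    check_one "$1/.ssh" 700 || rc=1
    for f in authorized_keys authorized_keys2 id_dsa id_rsa; do
        check_one "$1/.ssh/$f" 600 || rc=1
    done
    for f in id_dsa.pub id_rsa.pub; do
        check_one "$1/.ssh/$f" 644 || rc=1
    done
    return "$rc"
}

# Usage: sh sshperms.sh /home/someuser   (no argument: only defines functions)
if [ $# -gt 0 ]; then
    check_ssh_perms "$1" || exit 1
fi
```

The comparison is bitwise, so a mode such as 640 on a private key is flagged because it sets a bit that 600 does not.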

Troubleshooting Kerberos Logins

Name resolution seems to be a big part of it, but as far as I can tell it never really puts any useful errors anywhere.

Some things to check:

  • Forward and reverse name resolution
  • hostname returns short hostname and hostname -f returns fully-qualified domain name
  • Try disabling NetworkManager and using the basic network/networking service instead

Troubleshooting Slow SSH Connections

SSH should take less than a second to connect. These suggestions are especially relevant if it takes longer than 10 seconds to make a connection.

DNS

sshd will do a DNS lookup on the client's hostname to make sure it's not being spoofed; this might be important if you use any sort of host-based authentication. This problem was seen on a RHEL5 machine.

To fix the problem, either add the client's hostname to the server's "/etc/hosts" file, or add the following line to "/etc/ssh/sshd_config":

UseDNS no

GSSAPIAuthentication

This was causing problems with a CentOS4 virtual machine that I installed. I don't think anyone uses this sort of authentication.

Change the following lines in "/etc/ssh/sshd_config" (if they exist):

GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

To:

GSSAPIAuthentication no
GSSAPICleanupCredentials no

Diagnosing Other Issues

First try setting the client to be verbose (add '-v's to the command line; I don't know if PuTTY can do this, so you may have to install OpenSSH if using Windows), for instance:

ssh -vvv hostname

Look for places where it pauses for a long time.

If you can't see anything there, try turning on debug output for the server.

SSH ProxyCommand

For connecting to a machine via SSH which is only accessible through another SSH-able machine (not directly). I haven't tried this yet.

Links:

Instead of using nc on the "jump host", you can also make a SOCKS5 proxy with the -D option (called "Dynamic" tunnel in PuTTY). PuTTY can use this directly (in its "Proxy" settings). I'm not sure yet how to use the proxy with ssh.

info/ssh.txt · Last modified: 2016-01-22 23:21 by sam