SSH daemon (server)
The first time sshd runs, it generates three cryptographic key pairs and stores the keys in the /private/etc/ directory.
- ssh_host_key and ssh_host_key.pub (v1)
- ssh_host_dsa_key and ssh_host_dsa_key.pub (v2 DSA)
- ssh_host_rsa_key and ssh_host_rsa_key.pub (v2 RSA)
SSH communicates over TCP port 22 by default. The global server configuration file is:
To disable the less secure v1 SSH protocol, set this value in the sshd_config file:
To disable X forwading, set this value in the sshd_config file:
To disable keyboard password logins (force public/private key authentication), set this value in the sshd_config file:
Note: because of its sensitive nature, the $HOME/.ssh/ directory and most of the files in it MUST be read/write for the user and not accessible to group or other. For example, the file permissions should look like this:
Otherwise, SSH will ignore them. If you copy personal SSH files to a new system and they don't work, check the permissions.
The default client configuration file is:
The user configuration file, $HOME/.ssh/config takes precedence over the default configuration.
To connect to an SSH server using a different user ID:
To securely copy a local file(s) to a remote server, use scp:
scp localfile userid@server-name-or-IP:remotefile
To securely copy remote file(s) to the local machine, use scp:
scp userid@server-name-or-IP:remotefile localfile
First, generate a keypair for logins without passwords:
ssh-keygen -t dsa
The system will prompt you for a secret key passphrase, then create the key pair in two files:
id_dsa (v2 private key)
id_dsa.pub (v2 public key)
Next, append the v2 public key to your $HOME/.ssh/authorized_keys2 file on the server(s) where you want to login.
To bypass the passphrase that unlocks your secret key every time it is needed, load the key into ssh-agent.SSH-Agent
To load secret keys in the ssh-agent manually, execute:
- ssh-add keyfile (once for each key)
It is usually more convenient to run ssh-agent and load keys in a BASH login. Linux users can use the keychain script.Port Forwarding
SSH can port forward local and remote connections securely. Only root can forward privileged ports (<=1024)
To redirect a local port to a remote host port:
ssh userid@remotehost -L localport:remotehost:remoteport
To redirect a remote port to a local or remote host port:
ssh userid@remotehost -R remoteport:host:localport