{{tag>Sécurité Réseau ssh}}

= SSH

https://github.com/FiloSottile/whosthere

See

* http://en.wikibooks.org/wiki/OpenSSH/Pattern_Matching_in_OpenSSH_Configuration
* https://raymii.org/s/tutorials/Limit_access_to_openssh_features_with_the_Match_keyword.html
* https://git-annex.branchable.com/tips/using_git_annex_with_no_fixed_hostname_and_optimising_ssh/
* http://william.shallum.net/random-notes/random-ssh-agent-tricks

See ''man ssh_config''. The client reads ''~/.ssh/config'' first, then ''/etc/ssh/ssh_config''. For each option the first value obtained wins, so a catch-all ''Host *'' block only sets the options that no more specific block before it has already set (which is why the second ''Host *'' below, with ''User root'', still takes effect for hosts that do not set ''User'' themselves).

''~/.ssh/config''

<code>
Host *
    ServerAliveInterval 300
    ServerAliveCountMax 3
    ControlMaster auto
    ControlPath ~/.ssh/master-%r@%h:%p
    ControlPersist 4h
    EscapeChar ~

Host srvlnxvm1
    User root
    HostName srvlnxvm1
    ProxyCommand ssh -W %h:%p srvlnxrbd

Host srvlnxdir1
    HostName srvlnxdir1
    LocalForward 1389 127.0.0.1:389
    LocalForward 1636 127.0.0.1:636

Host srvlnxvm2 192.168.22.42
    Hostname srvlnxvm2
    ProxyCommand ssh -W %h:%p srvlnxrbd

Host *
    User root

Host gtw
    Hostname 192.168.22.78
    PubkeyAuthentication=no
    Port 6322
    #lftp sftp://user:pass@gtw

Host 192.168.22.63
    Hostname 192.168.22.63
    ProxyCommand ssh -W %h:%p srvlnxrbd
    ForwardAgent yes
    #ProxyCommand ssh srvlnxrbd nc %h %p

Host test1
    User root
    Hostname 192.168.2.41
    IdentityFile ~/.ssh/clefs/id_rsa_test1
</code>

Two security notes on this config:

* ''ProxyCommand ssh -W %h:%p srvlnxrbd'' tunnels through the jump host ''srvlnxrbd''; on OpenSSH 7.3 and later the equivalent is ''ProxyJump srvlnxrbd''. With either form the private key never leaves the client, so ''ForwardAgent yes'' is not needed to hop through the jump host. Enabling ''ForwardAgent'' lets root on the remote machine use every key loaded in your agent for as long as the session lasts; enable it only for hosts you trust as much as your workstation.
* ''ControlPath'' creates a Unix socket under ''~/.ssh''; anyone who can connect to that socket gets a session as you on the remote host without authenticating, so the directory must stay mode 0700.

To debug ''ssh_config'', print the effective configuration for a host (after all ''Host'' and ''Match'' blocks are applied) without connecting:

<code>
ssh -G user@somehost.example.com
</code>

== Notes

''/etc/ssh/sshd_not_to_be_run'': on Debian, the presence of this file prevents the init script / systemd unit from starting ''sshd''.

Reuse the existing connection instead of opening a new one. This speeds up repeated connections to the same server.

Source: http://www.linuxjournal.com/content/speed-multiple-ssh-connections-same-server

''~/.ssh/config''

<code>
Host *
    ControlMaster auto
    ControlPath ~/.ssh/master-%r@%h:%p
    ControlPersist 4h
</code>

For one connection (temporarily) do not use key authentication:

<code>
ssh -o "PreferredAuthentications keyboard-interactive,password" user@192.168.1.18
</code>

== SSH Escape Sequences (aka Kill Dead SSH Sessions)

''~/.ssh/config''

<code>
Host *
    EscapeChar ~
</code>

Supported escape sequences:

* ''~.'' - terminate connection (and any multiplexed sessions)
* ''~B'' - send a BREAK to the remote system
* ''~C'' - open a command line
* ''~R'' - request rekey
* ''~V/v'' - decrease/increase verbosity (LogLevel)
* ''~^Z'' - suspend ssh
* ''~#'' - list forwarded connections
* ''~&'' - background ssh (when waiting for connections to terminate)
* ''~?'' - this message
* ''~~'' - send the escape character by typing it twice

Note that escapes are only recognized immediately after a newline, so to kill a hung session press Enter first, then ''~.''.

== Security

Generate your own Diffie-Hellman group-exchange moduli instead of relying on the distribution's ''/etc/ssh/moduli''. ''-G'' only produces candidate primes; they must then be screened with ''-T'' (this step is slow), and only the screened output goes into ''/etc/ssh/moduli'':

<code>
ssh-keygen -G moduli-3072.candidates -b 3072
ssh-keygen -T moduli-3072 -f moduli-3072.candidates
</code>

See: https://entropux.net/article/openssh-moduli/

''/etc/ssh/moduli''

== Disconnection problem

SSH session dropped after 30 seconds with ''Write Failed: broken pipe''. Cause: a duplicate IP address on the network (two machines answering for the same address).

== Other

ssh force password / do not use the key but ask for the password:

<code>
ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no 192.168.1.22
</code>

Conversely, SSH options for a non-interactive script (no password prompt, fail fast):

<code>
ssh -o PasswordAuthentication=no -o ChallengeResponseAuthentication=no -o PreferredAuthentications=publickey -o StrictHostKeyChecking=no -o ConnectTimeout=2 -o BatchMode=yes 192.168.1.22
</code>

Caveat: ''StrictHostKeyChecking=no'' accepts any host key, including a changed one, which defeats the protection against a man-in-the-middle. For scripts, prefer ''StrictHostKeyChecking=yes'' with a pre-populated ''known_hosts'' (optionally via ''UserKnownHostsFile''), or ''StrictHostKeyChecking=accept-new'' (OpenSSH 7.6 and later), which records the key on the first connection and refuses to connect if it later changes. Note also that OpenSSH 8.7 renamed ''ChallengeResponseAuthentication'' to ''KbdInteractiveAuthentication''; the old name is kept as an alias.
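The config above and the scripting options in this section both contain settings worth a second look (''ForwardAgent yes'', ''PubkeyAuthentication=no'', ''StrictHostKeyChecking=no''). The following script is an added example, not code from this page: it walks an ''ssh_config''-style file block by block and reports those settings per ''Host''. The sample config it audits is constructed inline (the host names mirror the ones in this page) so it runs offline; the set of "weak" option/value pairs is the author's choice, not anything OpenSSH defines.

```shell
#!/bin/sh
# Added example: audit an ssh_config-style file for options that weaken the
# client's security posture, reported per Host block. Not code from the page
# above; it assumes the "Host pattern" / "Option value" layout of ssh_config(5)
# and that option names are case-insensitive, as in ssh.
set -e

# Constructed sample config (inline so the script runs offline). It mirrors
# the patterns in the page's own config: a catch-all block, a host with
# password-only auth, a host that forwards the agent, and a scripting host
# that disables host-key checking.
CONFIG_FILE=$(mktemp)
cat > "$CONFIG_FILE" <<'EOF'
Host *
    ServerAliveInterval 300
    ControlMaster auto

Host gtw
    Hostname 192.168.22.78
    PubkeyAuthentication=no
    Port 6322

Host 192.168.22.63
    Hostname 192.168.22.63
    ProxyCommand ssh -W %h:%p srvlnxrbd
    ForwardAgent yes

Host build
    StrictHostKeyChecking no
    ForwardAgent no
EOF

# audit_ssh_config FILE
# Prints one "host<TAB>option<TAB>value" line per risky setting found.
audit_ssh_config() {
    awk '
    BEGIN {
        # option (lower-cased) -> value that deserves review (our own list)
        weak["forwardagent"]          = "yes"   # remote root can use your agent
        weak["stricthostkeychecking"] = "no"    # accepts any host key (MITM)
        weak["pubkeyauthentication"]  = "no"    # falls back to passwords
        host = "(global)"                       # options before any Host line
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }           # skip comments and blank lines
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        # ssh_config accepts both "Key value" and "Key=value"; normalise "="
        if (line ~ /^[A-Za-z]+=/) sub(/=/, " ", line)
        n = split(line, f, /[ \t]+/)
        key = tolower(f[1]); val = (n >= 2) ? tolower(f[2]) : ""
        if (key == "host" || key == "match") {
            sub(/^[A-Za-z]+[ \t]+/, "", line)   # keep the full pattern list
            host = line
            next
        }
        if ((key in weak) && val == weak[key])
            printf "%s\t%s\t%s\n", host, f[1], f[2]
    }' "$1"
}

# count_findings FILE -> number of risky lines, as a bare integer
count_findings() {
    audit_ssh_config "$1" | wc -l | tr -d ' '
}

# Usage on the constructed sample: three findings (gtw, 192.168.22.63, build).
audit_ssh_config "$CONFIG_FILE"
echo "findings: $(count_findings "$CONFIG_FILE")"
```

Point it at your real ''~/.ssh/config'' to see which hosts forward the agent or skip host-key verification. It deliberately reports ''ForwardAgent no'' on ''build'' as clean: the check is on the value, not the mere presence of the option.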