# SSH Service

## Service Name
- `ssh` (Debian/Ubuntu) or `sshd` (RHEL/Fedora and most others); Debian-based systems alias the two unit names, so either usually works

## Check Service Status
```bash
systemctl status ssh
systemctl status sshd # Also works
```

## Configuration Location

Main directory: `/etc/ssh/`

Key files:
- `/etc/ssh/sshd_config` - Server configuration (most important)
- `/etc/ssh/ssh_config` - Client configuration
- `/etc/ssh/ssh_host_*_key` - Server private keys (multiple algorithms)
- `/etc/ssh/ssh_host_*_key.pub` - Server public keys

## Important sshd_config Options

```bash
Port 22 # Default SSH port
ListenAddress 0.0.0.0 # Listen on all IPs (or specify one)
PermitRootLogin prohibit-password # Or "yes" or "no"
```

### Port
Default is 22. Changing to a non-standard port reduces noise from automated scans, but it is obscurity rather than access control.

### ListenAddress
- `0.0.0.0` = listen on all IPv4 addresses
- Or specify a single IP to restrict which address accepts connections

### PermitRootLogin
- `no` - root cannot SSH in at all
- `yes` - root can SSH in with any method, including a password
- `prohibit-password` - root must use key authentication (password login for root is refused)

## Connecting to SSH Server

Basic syntax:
```bash
ssh username@ip_address
ssh username@hostname.com
```

Example:
```bash
ssh sandbox@192.168.1.100
```

First connection prompts to accept the server's fingerprint (say yes). Ideally compare it first with the output of `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` on the server itself, because once accepted the key is trusted for every later connection.

## Host Keys (Server-Side)

SSH server has multiple key pairs in `/etc/ssh/`:
- RSA keys: `ssh_host_rsa_key` and `ssh_host_rsa_key.pub`
- ECDSA keys: `ssh_host_ecdsa_key` and `ssh_host_ecdsa_key.pub`
- ED25519 keys: `ssh_host_ed25519_key` and `ssh_host_ed25519_key.pub`

These are **asymmetric key pairs**:
- Private key stays on server (read-only to root)
- Public key shared with clients
- Data encrypted with one key only decrypts with the other

## Regenerating Host Keys

If keys are compromised (or cloned VMs have identical keys):

```bash
sudo ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key
```

Options:
- `-t ecdsa` - key type (also: rsa, ed25519)
- `-f /path/to/key` - where to save
- Will prompt to overwrite existing key
- Can add passphrase or leave blank (for a host key leave it blank: sshd cannot prompt for a passphrase at startup)

Restart the service afterwards, and expect every client that already has the old key in `known_hosts` to warn about the change.

## Client-Side Known Hosts

Location: `~/.ssh/known_hosts`

Contains public keys of servers you've connected to before.

If the server key changes, you'll get a warning. That warning is the client's only defence against connecting to an impostor, so only clear the entry when you know why the key changed (for example, you regenerated it yourself). To fix:
```bash
# Remove old entry for that IP
ssh-keygen -R 192.168.1.100

# Or delete the entire file and re-accept connections
# (this drops every trusted host, not just this one)
rm ~/.ssh/known_hosts
```

## Passwordless Authentication

Allows login without password using key pairs.

**Setup process:**

1. Generate key pair on client (or server acting as admin):
```bash
ssh-keygen -t ecdsa -f ~/id_bob_key
```

2. Create `.ssh` directory for user:
```bash
sudo mkdir /home/bob/.ssh
sudo chmod 700 /home/bob/.ssh
sudo chown bob:bob /home/bob/.ssh
```

3. Copy public key to authorized_keys:
```bash
sudo cp ~/id_bob_key.pub /home/bob/.ssh/authorized_keys
sudo chmod 644 /home/bob/.ssh/authorized_keys
sudo chown bob:bob /home/bob/.ssh/authorized_keys
```

4. Transfer private key to client using SCP:
```bash
scp sandbox@192.168.1.100:/path/to/id_bob_key .
chmod 600 id_bob_key # ssh ignores a private key that other users can read
```

5. Connect using the key:
```bash
ssh -i id_bob_key bob@192.168.1.100
```

**Critical permissions:**
- `.ssh/` directory: `700` (drwx------)
- `authorized_keys` file: `644` (-rw-r--r--)
- Private keys: `600` (-rw-------)
- Public keys: `644` (-rw-r--r--)

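As an added example that is not part of these notes, a POSIX shell audit of the permission list above: `audit_ssh_dir` checks a home directory against those modes and reports each deviation, and `make_fixture` builds a constructed temporary home to run it against (the fixture, the `bob` user and the placeholder key line are assumptions, not real keys or accounts).

```shell
#!/bin/sh
# Added example, not the original notes' code: audit the permissions listed
# above. Paths are a constructed fixture under mktemp, never a real home.
mode_of() {                       # octal mode; GNU stat, then BSD fallback
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}
# check_mode PATH EXPECTED -> prints a finding and returns 1 on mismatch
check_mode() {
  [ -e "$1" ] || { echo "MISSING $1"; return 1; }
  actual=$(mode_of "$1")
  [ "$actual" = "$2" ] && return 0
  echo "BAD $1 is $actual, expected $2"
  return 1
}
# audit_ssh_dir HOME -> 0 only if .ssh is 700, authorized_keys 644,
# each id_* private key 600 and each id_*.pub 644 (the list above)
audit_ssh_dir() {
  dir="$1/.ssh"
  rc=0
  check_mode "$dir" 700 || rc=1
  check_mode "$dir/authorized_keys" 644 || rc=1
  for key in "$dir"/id_*; do
    [ -e "$key" ] || continue          # glob matched nothing
    case "$key" in
      *.pub) check_mode "$key" 644 || rc=1 ;;
      *)     check_mode "$key" 600 || rc=1 ;;
    esac
  done
  return "$rc"
}
# make_fixture -> prints the path of a constructed home laid out correctly
make_fixture() {
  home=$(mktemp -d)
  mkdir "$home/.ssh" && chmod 700 "$home/.ssh"
  echo "ssh-ed25519 AAAA-placeholder bob@example" > "$home/.ssh/authorized_keys"
  chmod 644 "$home/.ssh/authorized_keys"
  : > "$home/.ssh/id_bob_key" && chmod 600 "$home/.ssh/id_bob_key"
  : > "$home/.ssh/id_bob_key.pub" && chmod 644 "$home/.ssh/id_bob_key.pub"
  echo "$home"
}
# Demo (sh audit.sh --demo): a correct layout passes, a 644 private key fails
if [ "${1:-}" = "--demo" ]; then
  h=$(make_fixture)
  audit_ssh_dir "$h" && echo "OK $h"
  chmod 644 "$h/.ssh/id_bob_key"
  audit_ssh_dir "$h" || echo "FAIL $h"
  rm -rf "$h"
fi
```

Point `audit_ssh_dir` at a real home (for example `/home/bob`) to check the directory the setup steps above create.
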
## SCP (Secure Copy)

Copy files over SSH:

```bash
# Copy from remote to local
scp user@remote:/path/to/file .

# Copy from local to remote
scp localfile user@remote:/path/

# sudo here only elevates the local scp process (and makes it use root's
# ~/.ssh keys and known_hosts); the remote side still runs as "user",
# who must already be able to read /root/file
sudo scp user@remote:/root/file .
```

## Exit SSH Session

```bash
exit
```

## Restart After Config Changes

Check that the edited config still parses with `sudo sshd -t` first (it prints nothing on success), so a typo cannot leave you locked out, then:

```bash
sudo systemctl restart ssh
```
164```