SSH/sshd.
Check available key types:
$ ssh -Q key
Generate keys:
$ ssh-keygen -t dsa # for DSA
$ ssh-keygen -t rsa # for RSA
$ ssh-keygen -t dsa -C comment # put own comment instead user@host
$ ssh-keygen -t dsa -f my_dsa_key # store priv key under my_dsa_key
# and pub key under my_dsa_key.pub
ssh-keygen -f my.key
Recover pub key from priv:
ssh-keygen -y -f ~/.ssh/id_dsa >~/.ssh/id_dsa.pub
Show fingerprint:
ssh-keygen -l -f ~/.ssh/id_dsa
ssh-keygen -lvf ~/.ssh/id_dsa
ssh-keygen -E md5 -l -f ~/.ssh/id_dsa
Change passphrase of priv key:
$ ssh-keygen -p -N "newphrase" -P "oldphrase" -f ~/.ssh/id_dsa
To copy your public key to a remote host (for automatic login by a pubkey authentication):
$ ssh-copy-id $user@$host
$ ssh $user@$host cat ">>" "~/.ssh/authorized_keys" <~/.ssh/id_rsa.pub
To remove a host fingerprint from a local known_hosts (if you changed a server pubkey or changed
a server):
$ ssh-keygen -R hostname
$ ssh-keygen -R hostname -f ~/.ssh/known_hosts
Each SSH server keeps a single priv key, sharing a common pub key with all clients. It is an
identity of the server and upon a new connection you are asked to trust this pub key. After
accepting the pub key it is written to ~/.ssh/known_hosts.
To list advertized pub keys by a server (-H is host hashing/hiding host name):
ssh-keyscan $HOST
ssh-keyscan -H $HOST
To list fingerprints of the server pub keys:
ssh-keygen -lf <(ssh-keyscan $HOST 2>/dev/null)
To ensure MD5 output format (which is usually displayed with vast majority of existing SSH
clients):
ssh-keygen -E md5 -lf <(ssh-keyscan $HOST 2>/dev/null)
ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no user@host
$ ssh $user@$host
$ ssh $user@$host:$port
$ ssh -i ~/.ssh/my_dsa_key $user@$host
or:
$ ssh -l $user $host
$ ssh -l $user $host:$port
ssh tries to use all provided keys:
$ ssh -i ./priv1 -i ./priv2 $user@$host
Alternatively place them to ~/.ssh/config:
Host *
IdentityFile ~/.ssh/identity # standard search path for protocol ver. 1
IdentityFile ~/.ssh/id_dsa # standard search path for RSA key protocol ver. 2
IdentityFile ~/.ssh/id_rsa # standard search path for DSA key protocol ver. 2
IdentityFile ~/.ssh/my_dsa
IdentityFile ~/.ssh/another_dsa
or per host private key:
Host host1 # alias, that user provide at CLI
HostName host1.example.com # real host name to log into
User iam
IdentifyFile ~/.ssh/iam_priv_dsa
Host host2 # alias, that user provide at CLI
HostName 192.168.1.2 # real host IP to log into
User admin
IdentifyFile ~/.ssh/admin_priv_dsa
Install base packages and openssh.
Create Windows user and set its password.
Recreate /etc/passwd:
$ mkpasswd -l -u user >>/etc/passwd
or:
$ mkpasswd -l >/etc/passwd
Register sshd:
$ mkdir -p /home/user
$ ssh-host-config -y
Start:
$ net start sshd
or:
$ cygrunsrv -S sshd
Check from remote host:
$ ssh $gygwin_host -l user
To stop service use:
$ net stop sshd
$ cygrunsrv -E sshd
To delete service:
$ cygrunsrv -E sshd
$ cygrunsrv -R sshd
If you have connection closed error check permission for /home/*/.ssh
directories. If you start service from user account - add write permission
to /home/*/.ssh. I fix by:
$ rm -r /home/*/.ssh
cmd> icacls c:\opt\cygwin\home /t /grant:r cyg_server:(f)
In order to enable logging from sshd uncomment in /etc/ssh/sshd_config:
SyslogFacility AUTH
LogLevel INFO
and start syslogd from inetutils package (don't forget to restart
sshd!):
$ /bin/syslogd-config
$ net start syslogd
Check /var/log/messages for logging messages.
Note
In order to allow pubkey login and to avoid error:
userauth_pubkey: key type ssh-dss not in PubkeyAcceptedKeyTypes
add PubkeyAcceptedKeyTypes * or PubkeyAcceptedKeyTypes=+ssh-dss to
/etc/ssh/sshd_config but DSS keys are depricated at all.