[ About | Licence | Contacts ]
Written by Oleksandr Gavenko (AKA gavenkoa), compiled on 2024-04-01 from rev 052223c22317.


Debugging ssh client.

$ ssh -vvv ...

Maintaining key pair

Check available key types:

$ ssh -Q key

Generate keys:

$ ssh-keygen -t dsa     # for DSA
$ ssh-keygen -t rsa     # for RSA
$ ssh-keygen -t dsa -C comment     # put own comment instead user@host
$ ssh-keygen -t dsa -f my_dsa_key  # store priv key under my_dsa_key
                                   # and pub key under my_dsa_key.pub

ssh-keygen -f my.key

Recover pub key from priv:

ssh-keygen -y -f ~/.ssh/id_dsa >~/.ssh/id_dsa.pub

Show fingerprint:

ssh-keygen -l -f ~/.ssh/id_dsa
ssh-keygen -lvf ~/.ssh/id_dsa
ssh-keygen -E md5 -l -f ~/.ssh/id_dsa

Change passphrase of priv key:

$ ssh-keygen -p -N "newphrase" -P "oldphrase" -f ~/.ssh/id_dsa

To copy your public key to a remote host (for automatic login by a pubkey authentication):

$ ssh-copy-id $user@$host

$ ssh $user@$host cat ">>" "~/.ssh/authorized_keys" <~/.ssh/id_rsa.pub

Dealing with server pubkeys

To remove a host fingerprint from a local known_hosts (if you changed a server pubkey or changed a server):

$ ssh-keygen -R hostname
$ ssh-keygen -R hostname -f ~/.ssh/known_hosts

Each SSH server keeps a single priv key, sharing a common pub key with all clients. It is an identity of the server and upon a new connection you are asked to trust this pub key. After accepting the pub key it is written to ~/.ssh/known_hosts.

To list advertized pub keys by a server (-H is host hashing/hiding host name):

ssh-keyscan $HOST
ssh-keyscan -H $HOST

To list fingerprints of the server pub keys:

ssh-keygen -lf <(ssh-keyscan $HOST 2>/dev/null)

To ensure MD5 output format (which is usually displayed with vast majority of existing SSH clients):

ssh-keygen -E md5 -lf <(ssh-keyscan $HOST 2>/dev/null)

Disabling pubkey

ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no user@host

Shell login

$ ssh $user@$host
$ ssh $user@$host:$port

$ ssh -i ~/.ssh/my_dsa_key $user@$host


$ ssh -l $user $host
$ ssh -l $user $host:$port

X11 forwarding

Enable X11 forwarding on remote host in ~/.ssh/config or /etc/ssh_config:

X11Forwarding yes

then login to this host by:

$ ssh -X $user@$host

or by using trusted X11 forwarding:

$ ssh -Y $user@$host


X11Forwarding does not work with OpenSSH under Cygwin

Multiply private keys

ssh tries to use all provided keys:

$ ssh -i ./priv1 -i ./priv2 $user@$host

Alternatively place them to ~/.ssh/config:

Host *
IdentityFile ~/.ssh/identity # standard search path for protocol ver. 1
IdentityFile ~/.ssh/id_dsa   # standard search path for RSA key protocol ver. 2
IdentityFile ~/.ssh/id_rsa   # standard search path for DSA key protocol ver. 2
IdentityFile ~/.ssh/my_dsa
IdentityFile ~/.ssh/another_dsa

or per host private key:

Host host1                   # alias, that user provide at CLI
HostName host1.example.com   # real host name to log into
User iam
IdentifyFile ~/.ssh/iam_priv_dsa
Host host2                   # alias, that user provide at CLI
HostName         # real host IP to log into
User admin
IdentifyFile ~/.ssh/admin_priv_dsa

Installing sshd on Cygwin

To stop service use:

$ net stop sshd
$ cygrunsrv -E sshd

To delete service:

$ cygrunsrv -E sshd
$ cygrunsrv -R sshd

If you have connection closed error check permission for /home/*/.ssh directories. If you start service from user account - add write permission to /home/*/.ssh. I fix by:

$ rm -r /home/*/.ssh
cmd> icacls c:\opt\cygwin\home /t /grant:r cyg_server:(f)

In order to enable logging from sshd uncomment in /etc/ssh/sshd_config:

SyslogFacility AUTH
LogLevel INFO

and start syslogd from inetutils package (don't forget to restart sshd!):

$ /bin/syslogd-config
$ net start syslogd

Check /var/log/messages for logging messages.


In order to allow pubkey login and to avoid error:

userauth_pubkey: key type ssh-dss not in PubkeyAcceptedKeyTypes

add PubkeyAcceptedKeyTypes * or PubkeyAcceptedKeyTypes=+ssh-dss to /etc/ssh/sshd_config but DSS keys are depricated at all.