SSH
Install SSH Server
In Ubuntu 16.04, you can install the SSH server with
sudo apt-get install openssh-server
You can ensure it starts at boot with
systemctl enable ssh
SSH Key Generation
To generate an RSA key pair for version 2 of the protocol, run the following command at a shell prompt. Accept the default file location of ~/.ssh/id_rsa. Good security practice dictates that you protect the key with a passphrase that is unique.
ssh-keygen -t rsa
The public key is written to ~/.ssh/id_rsa.pub. The private key is written to ~/.ssh/id_rsa. Never distribute your private key to anyone.
Restrict the permissions of the .ssh directory so only its owner can access it (sshd refuses to use keys from a directory that is writable by others):
chmod 700 ~/.ssh
Copy the contents of ~/.ssh/id_rsa.pub into the file ~/.ssh/authorized_keys on the machine to which you want to connect. If the file ~/.ssh/authorized_keys already exists, append the contents of ~/.ssh/id_rsa.pub to it. An easy way to do this is with the ssh-copy-id command, as follows:
ssh-copy-id -i ~/.ssh/id_rsa.pub username@target.example.com
Restrict the permissions of the authorized_keys file so only its owner can read or write it:
ssh username@target.example.com 'chmod 600 ~/.ssh/authorized_keys'
Run Single Command Remotely
ssh username@target.example.com 'ls -l'
Run Multiple Commands Remotely
ssh username@target.example.com 'ls -l; ps aux; whoami'
Run Single Command Remotely and Interactively
Note the -t flag. It tells SSH to allocate a terminal because you will be interacting with a remote shell. Without the -t flag, top returns its results and SSH then logs you out of the remote host immediately. With the -t flag, SSH keeps you logged in until you exit the interactive command. The -t flag can be used with most interactive commands, including text editors like pico and vi.
ssh -t username@target.example.com 'top'
Run Command With Single Quotes
When running remote SSH commands, you may need to escape quotes. Replace each ' with '"'"' (this closes the single-quoted string, adds a double-quoted ', then reopens the single-quoted string). For example, replace
's/%//g'
With
sed '"'"'s/%//g'"'"'
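The same substitution done programmatically, as an added example that is not part of the original page: sq_escape, build_remote_cmd, roundtrip and demo are names chosen here, and roundtrip emulates locally what the remote shell receives, so the page's sed example can be checked without an SSH connection.

```shell
#!/bin/sh
# Added example (not from the original page): apply the '"'"' quoting
# trick with a function instead of editing the command by hand.

# sq_escape STRING
# Replace every ' with '"'"' : close the single-quoted string, insert a
# double-quoted ', then reopen the single-quoted string.
sq_escape() {
    printf '%s' "$1" | sed "s/'/'\"'\"'/g"
}

# build_remote_cmd STRING
# Wrap the escaped command in single quotes, ready to follow "ssh host".
build_remote_cmd() {
    printf "'%s'" "$(sq_escape "$1")"
}

# roundtrip STRING
# The local shell strips one layer of quoting before ssh sends the text,
# so what the remote shell gets must equal the original command exactly.
roundtrip() {
    eval "printf '%s' $(build_remote_cmd "$1")"
}

# demo
# Run the page's sed example through the round trip on constructed input
# "100%" without ssh; the remote-style command strips the percent sign.
demo() {
    printf '100%%\n' | sh -c "$(roundtrip "sed 's/%//g'")"
}
```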
Connect to Host Without Checking Keys
This disables host key verification entirely, so a man-in-the-middle could impersonate the server; it is only acceptable for data-gathering scripts on a trusted network.
ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no username@target.example.com 'ls -l'
List SSH Fingerprint
If you want to see the fingerprint that is shown the first time you connect to a server, run this command on the server itself
ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
On older systems you may also need the following command for the protocol 1 host key (but probably not)
ssh-keygen -lf /etc/ssh/ssh_host_key.pub
To list the key in the format shown by PuTTY, use
ssh-keygen -l -E md5 -f /etc/ssh/ssh_host_rsa_key.pub
Show the fingerprints of all host keys
for file in /etc/ssh/*_key.pub; do ssh-keygen -lf "$file"; done
Determine the fingerprint of the RSA host key
ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub
Determine the fingerprint of the ED25519 host key
ssh-keygen -l -f /etc/ssh/ssh_host_ed25519_key.pub
Determine the fingerprint of the ECDSA host key
ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key.pub
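A safer alternative to the /dev/null known_hosts trick above, as an added example that is not part of the original page: compare the fingerprint a host presents with one recorded out of band (the value the ssh-keygen -lf commands above print when run on the server itself) and only then add the key to known_hosts. The function names are chosen here, and verify_host_key assumes OpenSSH's ssh-keyscan and ssh-keygen are installed; the parsing and comparison helpers run offline.

```shell
#!/bin/sh
# Added example (not from the original page): verify a host key fingerprint
# against an expected value instead of disabling StrictHostKeyChecking.

# fp_of_line LINE
# Extract the fingerprint field from one line of "ssh-keygen -l" output,
# e.g. "256 SHA256:abc... root@host (ED25519)" -> "SHA256:abc..."
fp_of_line() {
    printf '%s\n' "$1" | awk '{print $2}'
}

# fp_matches EXPECTED LINE
# Return 0 when the fingerprint in LINE equals EXPECTED, 1 otherwise.
fp_matches() {
    [ "$(fp_of_line "$2")" = "$1" ]
}

# verify_host_key HOST EXPECTED_FP [KNOWN_HOSTS]
# Fetch the host's ED25519 key with ssh-keyscan, fingerprint it locally, and
# append it to KNOWN_HOSTS (default ~/.ssh/known_hosts) only on a match.
# Returns 0 on match, 1 on mismatch, 2 when no key could be fetched.
verify_host_key() {
    host=$1
    expected=$2
    kh=${3:-$HOME/.ssh/known_hosts}
    key=$(ssh-keyscan -t ed25519 "$host" 2>/dev/null) || return 2
    [ -n "$key" ] || return 2
    # ssh-keyscan prints a known_hosts-format line; ssh-keygen -l reads it.
    line=$(printf '%s\n' "$key" | ssh-keygen -lf /dev/stdin) || return 2
    if fp_matches "$expected" "$line"; then
        printf '%s\n' "$key" >> "$kh"
        return 0
    fi
    echo "host key mismatch for $host: got $(fp_of_line "$line")" >&2
    return 1
}
```

Obtain EXPECTED_FP on the server (for example with the ssh-keygen -lf command for the ED25519 key above) and pass it in from a trusted channel; never copy it from the connection you are trying to verify.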
Fix SSH Key Generation Problem in CentOS 6
In CentOS 6.0 and some later 6.x releases, SELinux by default interferes with the root user's ability to generate SSH keys. To fix the problem, run the following command as the root user.
chcon -t ssh_home_t ~/.ssh
Fix Remote Root Login on CentOS 6
In CentOS 6.0 and some later 6.x releases, SELinux by default prevents the root user from logging into a system using SSH. This is because of the SELinux attributes on the /root/.ssh/authorized_keys file. I believe this is due to the policy in /etc/selinux/targeted/contexts/users/root. To fix this, we just run the following command.
restorecon -R -v /root/.ssh
Restrict Users and Groups from Login
To allow only a specific list of users and groups to log in, add the following to
/etc/ssh/sshd_config
AllowUsers user1 user2
AllowGroups group1 group2
Block Users and Groups from Login
To allow all users to log in except for a specific list, add the following to
/etc/ssh/sshd_config
DenyUsers user1 user2
DenyGroups group1 group2
Fix Logon Delay
You may find that when connecting to an SSH server, the password prompt takes a long time to appear. Try setting the following line at the bottom of
/etc/ssh/sshd_config
GSSAPIAuthentication no
Then restart the sshd server with the following command
service sshd restart
If that doesn't work, try adding the following to the bottom of
/etc/ssh/sshd_config
UseDNS no
Extract Public Key
chmod 600 private.pem
ssh-keygen -f private.pem -y > public.pub
Copy over Public Key
To enable passwordless login, you must copy your public key to the other server
ssh-copy-id remote_username@server_ip_address
Ignore Warning
ssh -q -o "StrictHostKeyChecking no" admin@192.168.1.1
Bypass Legacy Key Exchange Algorithms
I had to do this to access a Cisco switch.
Add the following to the SSH command.
-oKexAlgorithms=+diffie-hellman-group1-sha1
You can also add the following to .ssh/config
Host x.x.x.x
    KexAlgorithms +diffie-hellman-group1-sha1
Unable to Negotiate
I found the following when trying to SSH from Ubuntu 22.04.4 to Palo Alto Networks Firewall running PAN-OS 11.0.0
Unable to negotiate with <IP> port 22: no matching host key type found. Their offer: ssh-rsa,ssh-rsa,ssh-rsa
To make it work, I had to add the following at the end of the SSH command in Ubuntu
-o HostKeyAlgorithms=+ssh-rsa -o PubkeyAcceptedAlgorithms=+ssh-rsa
