100
votes
Accepted
Limit SSH access to specific clients by IP address
You can limit which hosts can connect by configuring TCP wrappers or filtering network traffic (firewalling) using iptables. If you want to use different authentication methods depending on the client ...
69
votes
Accepted
Why do portions of SSH public (and private) keys overlap?
The string is base64 encoded. When decoded, it produces the string \0\0\0\vssh-ed25519\0. This identifies the type of the key. In this case an EdDSA key.
48
votes
Limit SSH access to specific clients by IP address
Here is some additional configuration for the SSH daemon to extend the previous answer:
Add user filtering with AllowUsers option in sshd_config file:
AllowUsers [email protected].* [email protected].* otherid1 ...
37
votes
Accepted
How to cleanup SSH reverse tunnel socket after connection closed?
TL;DR;
The solution is to set the value of StreamLocalBindUnlink to yes in sshd configuration on the server: sudo sh -c 'echo "StreamLocalBindUnlink yes" >> /etc/ssh/sshd_config'.
Long ...
34
votes
Accepted
ssh - why can I login with partial passwords?
In the chat, it turned out the system was using traditional (non-shadow) password storage and traditional Unix password hashing algorithm. Both are poor choices in today's security environment.
...
31
votes
Accepted
How can I truly shut down ssh server?
The systemd SSH socket is active, and the SSH service is socket-activated. You need to disable the socket as well:
systemctl disable --now ssh.socket
In fact, on my Arch system, the sshd daemon runs ...
31
votes
Accepted
ssh working on all devices but scp from some devices gives "Connection closed" error
Quick version (TL;DR)
Update: For those that just want a quick-and-dirty with minimal reading.
Know:
This actually had nothing to do with Termux - it affects any Linux using OpenSSH 8.8+. I also ran ...
29
votes
Accepted
Is it possible to have 2 ports open on SSH with 2 different authentication schemes?
So, it turns out the answer was actually way, way simpler than I thought it would be.
I do however have to thank '@jeff schaller' for his comments, if it hadn't been for him I wouldn't have ...
28
votes
Accepted
How to compare different SSH fingerprint (public key hash) formats?
ssh
# ssh -o "FingerprintHash sha256" testhost
The authenticity of host 'testhost (256.257.258.259)' can't be established.
ECDSA key fingerprint is SHA256:pYYzsM9jP1Gwn1K9xXjKL2t0HLrasCxBQdvg/mNkuLg.
...
27
votes
ssh fails to start due to missing host keys
On WSL, this worked:
sudo ssh-keygen -A
sudo service ssh --full-restart
27
votes
Accepted
How to enable ssh-rsa in sshd of OpenSSH 8.8?
To permit using old RSA keys for OpenSSH 8.8+, add the following lines to your sshd_config:
HostKeyAlgorithms=ssh-rsa,ssh-rsa-cert-v01@openssh.com
PubkeyAcceptedAlgorithms=+ssh-rsa,ssh-rsa-cert-v01@...
25
votes
Accepted
Unable to login with SSH-RSA key
You will get this behaviour if the file mode of the user's home directory on the destination host is not set correctly. It's not just the mode of the .ssh directory that has to be correctly set!
ssh ...
24
votes
Authentication refused: bad ownership or modes for directory /root
Well, I should really thank @jeff-schaller, it was broken ownership of folder. I've done
chown root /root
chown root /root/.ssh
And from there it worked flawlessly.
21
votes
Accepted
Add key to authorized_users without needing to restart sshd
Is the restart of sshd needed?
Not usually. Linux distributions usually ship with a default configuration that allows public key authentication, so you usually don't even have to edit configuration to ...
21
votes
Accepted
How to disable weak HMAC Algorithms? Not found in ssh_config or sshd_config file
The list of supported MAC algorithms is determined by the MACs option, both in ssh_config and in sshd_config. If it's absent, the default is used. If you want to change the value from the default, ...
19
votes
how to use different SSH banner for various SSH connections?
Well, if you mean showing a different banner either per user or per IP address connecting through ssh, you have options for both, as follows, using the Match command:
different banner based on username:
# ...
18
votes
"client_loop: send disconnect: Broken pipe" for chroot sftp user, with correct password?
chown myuser01:myuser01 /var/sftp/myuser01
...
ChrootDirectory /var/sftp/%u
The OpenSSH SSH server's ChrootDirectory directive requires that the chroot directory and its parent directories be owned ...
17
votes
Accepted
Why is zsh listening on port 22?
Why is zsh listening on port 22?
It is not. Instead you are interpreting the shown information wrongly:
/proc/pid/net/ shows network information about the full namespace the process is in, i.e. not ...
16
votes
Accepted
Read key properties
Based on the question tags, I’m assuming you’re asking about SSH keys.
For public keys, you can ask ssh-keygen:
ssh-keygen -lf /path/to/key.pub
This will show you the key type (at the end of the ...
15
votes
Accepted
Commands to know the version of OpenSSH client and server?
for client:
$ ssh -V
OpenSSH_8.2p1 Ubuntu-4ubuntu0.5, OpenSSL 1.1.1f 31 Mar 2020
for server:
$ sshd -V
unknown option -- V
OpenSSH_8.2p1 Ubuntu-4ubuntu0.5, OpenSSL 1.1.1f 31 Mar 2020
or
nc -w1 ...
13
votes
In sshd_config 'MaxAuthTries' limits the number of auth failures per connection. What is a connection?
In the case of SSH, a connection is one established connection to the sshd's TCP port (usually port 22). Once sshd stops accepting further authentication attempts, it closes the connection, and at ...
13
votes
Accepted
sshd failed due to network not yet available
As A.B indicated, your ssh config has likely been adjusted to listen on a specific IP address. If that IP address is not available when sshd starts, then the service will fail.
By default, sshd is ...
12
votes
Ubuntu Windows10 App -- X11 Forwarding -- $DISPLAY Error
I was seeing the message debug1: X11 forwarding requested but DISPLAY not set because I was not setting the DISPLAY environment variable in the shell before connecting to the host. I am using 'Bash on ...
12
votes
Accepted
Tmux sessions get killed on ssh logout
After some research, I found the solution to my problem.
The reason for the killing of the tmux sessions was the default setting of KillUserProcesses=yes in /etc/systemd/logind.conf.
From the man page ...
11
votes
Accepted
sshd_config - "Match Address <IPv6>" not matching
After trying just about everything I could think of, I was able to find a solution that worked for me. I wanted to allow password auth to users on my LAN but only allow key based auth from outside the ...
10
votes
sshd_config using a match statement inside an included file
Turns out this is a known bug in OpenSSH portable:
https://bugzilla.mindrot.org/show_bug.cgi?id=3122
9
votes
Accepted
ssh-copy-id succeeded, but still prompt password input
Thanks to https://unix.stackexchange.com/a/55481/106419, which told me how to debug ssh.
To enable ssh debug to see what happens
systemctl stop sshd
/usr/sbin/sshd -d -p 22
I found:
Authentication ...
9
votes
Accepted
Changing SSH Default Port 22 to 444
I'm assuming your question is "why sshd keeps stopping after you've changed the port?"
CentOS has SELinux enabled by default, and sshd is one of the system services targeted by the SELinux policy. ...
8
votes
Accepted
OS X ignoring sshd_config
sshd_config only affects the ssh daemon, while you're testing the ssh client, which uses ssh_config.
Only top scored, non community-wiki answers of a minimum length are eligible