SSH Notes
=========
1. SSH Key Fingerprint
To get an SSH key fingerprint, do the following:
$ ssh-keygen -l -f [public_key]
For example, the key fingerprint for the DSA host key
can be obtained as follows:
$ ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key.pub
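What ssh-keygen -l actually prints is a hash of the raw key blob that sits
base64-encoded in the .pub file, which is why the same fingerprint can be
checked from a copy of the key, a known_hosts entry or a console printout.
The following is an added example, not part of these notes: it decodes an
OpenSSH public key line, computes the SHA256 and MD5 fingerprints in the
same notation as ssh-keygen, and compares one against a value obtained out
of band. The sample key material is 32 arbitrary bytes constructed for the
example, not a real key; build_public_key_line, parse_public_key and the
other function names are this example's own.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample key material for this example: 32 arbitrary bytes, NOT a real
# ed25519 public key, wrapped in OpenSSH's wire format by build_public_key_line().
_SAMPLE_ED25519_MATERIAL = bytes(range(32))

_TYPE_LABELS = {"ssh-ed25519": "ED25519", "ssh-rsa": "RSA", "ssh-dss": "DSA"}


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string': 4-byte big-endian length, then data."""
    return struct.pack(">I", len(data)) + data


def build_public_key_line(key_type: str, *fields: bytes, comment: str = "") -> str:
    """Assemble a .pub / authorized_keys style line from a key type and its wire fields."""
    blob = _ssh_string(key_type.encode()) + b"".join(_ssh_string(f) for f in fields)
    line = f"{key_type} {base64.b64encode(blob).decode()}"
    return f"{line} {comment}" if comment else line


SAMPLE_PUBLIC_KEY_LINE = build_public_key_line(
    "ssh-ed25519", _SAMPLE_ED25519_MATERIAL, comment="example@host"
)


def _split_wire_strings(blob: bytes) -> list:
    """Split a key blob into its length-prefixed fields; reject truncated input."""
    fields, offset = [], 0
    while offset < len(blob):
        if offset + 4 > len(blob):
            raise ValueError("truncated length field in key blob")
        (length,) = struct.unpack(">I", blob[offset:offset + 4])
        offset += 4
        if offset + length > len(blob):
            raise ValueError("truncated field in key blob")
        fields.append(blob[offset:offset + length])
        offset += length
    return fields


def parse_public_key(line: str) -> dict:
    """Parse one public key line into type, decoded blob, key size in bits and comment."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("malformed public key line")
    key_type, encoded = parts[0], parts[1]
    blob = base64.b64decode(encoded, validate=True)
    fields = _split_wire_strings(blob)
    # The blob carries its own type string; it must agree with the line's prefix.
    if not fields or fields[0] != key_type.encode():
        raise ValueError("key type prefix does not match the encoded blob")
    if key_type == "ssh-ed25519":
        bits = len(fields[1]) * 8
    elif key_type == "ssh-rsa":
        # fields are (type, e, n); ssh-keygen reports the bit length of the modulus n
        bits = int.from_bytes(fields[2], "big").bit_length()
    else:
        bits = None
    comment = parts[2] if len(parts) > 2 else ""
    return {"type": key_type, "blob": blob, "bits": bits, "comment": comment}


def fingerprint(line: str, hash_name: str = "sha256") -> str:
    """Fingerprint of the raw key blob, in the notation ssh-keygen -l prints."""
    blob = parse_public_key(line)["blob"]
    if hash_name == "sha256":
        digest = hashlib.sha256(blob).digest()
        # OpenSSH prints unpadded base64 for SHA256 fingerprints
        return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    if hash_name == "md5":
        return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())
    raise ValueError(f"unsupported hash: {hash_name}")


def keygen_l_line(line: str) -> str:
    """Format the same summary line as 'ssh-keygen -l -f key.pub'."""
    key = parse_public_key(line)
    label = _TYPE_LABELS.get(key["type"], key["type"])
    return f"{key['bits']} {fingerprint(line)} {key['comment']} ({label})"


def matches_expected(line: str, expected: str) -> bool:
    """Compare a key's fingerprint against one obtained out of band (for example
    read off the server console) without leaking where the strings differ."""
    hash_name = "md5" if expected.startswith("MD5:") else "sha256"
    return hmac.compare_digest(fingerprint(line, hash_name), expected)


if __name__ == "__main__":
    print(keygen_l_line(SAMPLE_PUBLIC_KEY_LINE))
```

The type check between the line prefix and the blob matters in practice: a
known_hosts entry whose prefix says ssh-ed25519 but whose blob decodes to
something else has been edited or corrupted, and ssh-keygen -l would not
produce the fingerprint you expect from it.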
2. Tunneling
To create an SSH tunnel for a TCP service running on a
[server], do the following on the [client]:
$ ssh -N -L [client_port]:localhost:[server_port] [user]@[server]
[client_port] is the port to connect to on the [client].
[server_port] is the port on the [server] on which the TCP
service to be tunneled is listening.
Generally I pick 50000 + [server_port] for the [client_port].
Examples:
a. AppleShare:
$ ssh -N -L 50548:localhost:548 [user]@[afpserver]
b. SMB:
$ ssh -N -L 50445:localhost:445 [user]@[smbserver]
c. VNC:
$ ssh -N -L 55900:localhost:5900 [user]@[vncserver]
From: http://www.aerospacesoftware.com/samba-ssh-tunnel-howto.htm
(Dead link).
For instructions on creating nested tunnels, see J. Schaumann,
Nested SSH Tunnels, Signs of Triviality (Feb. 23, 2007).
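The 50000 + [server_port] convention has one edge: it runs past port 65535
for any server port above 15535, so such services need an explicitly chosen
local port. The following added example (not part of these notes) builds the
ssh command line for the convention as an argv list, enforces that limit,
binds the local end to the loopback address explicitly so the tunnel is not
reachable from other machines on the client's network, and adds
ExitOnForwardFailure=yes so ssh exits instead of sitting idle when the
forward cannot be set up. The host names are the placeholders from the
examples above; local_port_for and tunnel_argv are this example's own names.

```python
# Added example (not from the page): build the ssh -L invocation for the
# "50000 + server_port" convention, with the checks a practitioner wants.

MAX_PORT = 65535
LOCAL_PORT_OFFSET = 50000  # the convention used above: client port = 50000 + server port


def local_port_for(server_port: int) -> int:
    """Client-side port for a tunnel to server_port under the 50000+ convention.

    The convention overflows the port range for server ports above 15535,
    so those need an explicitly chosen local port instead.
    """
    if not 1 <= server_port <= MAX_PORT:
        raise ValueError(f"invalid server port {server_port}")
    local_port = LOCAL_PORT_OFFSET + server_port
    if local_port > MAX_PORT:
        raise ValueError(
            f"{LOCAL_PORT_OFFSET} + {server_port} = {local_port} exceeds {MAX_PORT}; "
            "pick a local port explicitly"
        )
    return local_port


def tunnel_argv(server_port: int, user: str, server: str,
                local_port=None, target_host="localhost") -> list:
    """argv for 'ssh -N -L ...' (pass to subprocess.run without a shell).

    The local end is bound to 127.0.0.1 so only processes on the client can
    use the tunnel, and ExitOnForwardFailure makes ssh exit rather than stay
    connected without the forward if the port is already taken.
    """
    if local_port is None:
        local_port = local_port_for(server_port)
    forward = f"127.0.0.1:{local_port}:{target_host}:{server_port}"
    return ["ssh", "-N", "-o", "ExitOnForwardFailure=yes", "-L", forward, f"{user}@{server}"]


# The three examples above, regenerated from the convention (placeholder hosts).
EXAMPLES = {
    "AppleShare": tunnel_argv(548, "user", "afpserver"),
    "SMB": tunnel_argv(445, "user", "smbserver"),
    "VNC": tunnel_argv(5900, "user", "vncserver"),
}

if __name__ == "__main__":
    for name, argv in EXAMPLES.items():
        print(f"{name}: {' '.join(argv)}")
```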
3. SSH Agent
a. To start ssh-agent:
$ eval `ssh-agent`
b. To add an SSH key to ssh-agent:
$ ssh-add [key]
c. To stop ssh-agent:
$ ssh-agent -k
From: http://www.cs.utk.edu/~england/ssh.html (dead link).
4. SSH Keepalives
Add the following to $HOME/.ssh/config to prevent dropped
connections:
Host *
    ServerAliveInterval 120
    ServerAliveCountMax 3
See: http://www.kehlet.cx/articles/129.html (dead link);
http://www.snailbook.com/faq/timeouts.auto.html.
5. Connecting to older SSH servers
a. Some older SSH servers (for example, Mac OS X 10.4 (Tiger))
require the diffie-hellman-group1-sha1 key exchange algorithm,
so to connect to such servers, add the following to
~/.ssh/config:
Host [server]
    KexAlgorithms +diffie-hellman-group1-sha1
    HostKeyAlgorithms +ssh-rsa
    PubkeyAcceptedKeyTypes +ssh-rsa
Alternatively, use the command line option
-oKexAlgorithms=+diffie-hellman-group1-sha1 to connect to
such servers:
$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 [user]@[server]
If you don't already have an RSA key, you may need to
create one as follows:
$ ssh-keygen -t rsa -f ~/.ssh/id_rsa -P ''
b. OpenSSH 8.8 and later have disabled RSA keys with SHA-1
signatures, but some older servers do not support the newer
signature algorithms, so to connect to those servers, add the
following to ~/.ssh/config:
Host [server]
    HostKeyAlgorithms +ssh-rsa
    PubkeyAcceptedAlgorithms +ssh-rsa
Alternatively, one can add the command line option
-oHostKeyAlgorithms=+ssh-rsa to connect to such servers:
$ ssh -oHostKeyAlgorithms=+ssh-rsa [user]@[server]
As above, if you don't already have an RSA key, you may need
to create one.
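Both the keepalive settings in section 4 and the legacy algorithms in this
section live in ~/.ssh/config, where the first value found in file order
wins and a Host * block matches everything. That makes it easy to re-enable
SHA-1 signatures or the 1024-bit group1 exchange for every server instead of
the one old box that needs them. The following added example (not part of
these notes) is a small ssh_config parser that resolves which value ssh
would use for a given host name, turns the keepalive settings into the
number of seconds of silence before ssh gives up, and reports every option
that turns a legacy algorithm on, flagging those under Host *. The two
sample configs are constructed for the example; legacy.example.com is a
placeholder, Match blocks are deliberately out of scope, and the function
names are this example's own.

```python
import fnmatch
import re

# Constructed sample configs for this example (not from the page).
SAMPLE_CONFIG = """\
# Keepalives for every host (section 4)
Host *
    ServerAliveInterval 120
    ServerAliveCountMax 3

# Legacy algorithms only for the one old server that needs them (section 5)
Host legacy.example.com
    KexAlgorithms +diffie-hellman-group1-sha1
    HostKeyAlgorithms +ssh-rsa
    PubkeyAcceptedAlgorithms +ssh-rsa
"""

# The mistake to catch: the same relaxation applied to every host.
GLOBAL_LEGACY_CONFIG = """\
Host *
    HostKeyAlgorithms +ssh-rsa
"""

# The algorithms section 5 re-enables: SHA-1 signatures and the 1024-bit group1 exchange.
LEGACY_ALGORITHMS = {"diffie-hellman-group1-sha1", "ssh-rsa"}


def parse_ssh_config(text: str) -> list:
    """Return (host_patterns, [(keyword, value), ...]) blocks in file order.

    Keywords are case-insensitive (lowercased here). Options before the first
    Host line apply to every host. Match blocks are out of scope for this
    example and are kept as blocks that match no host.
    """
    blocks = [(["*"], [])]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "host":
            blocks.append((value.split(), []))
        elif keyword == "match":
            blocks.append(([], []))
        else:
            blocks[-1][1].append((keyword, value))
    return blocks


def _host_matches(patterns: list, hostname: str) -> bool:
    """ssh_config Host semantics: some positive pattern matches and no '!' pattern does."""
    positive = [p for p in patterns if not p.startswith("!")]
    negated = [p[1:] for p in patterns if p.startswith("!")]
    return any(fnmatch.fnmatchcase(hostname, p) for p in positive) and not any(
        fnmatch.fnmatchcase(hostname, p) for p in negated
    )


def effective_option(blocks: list, hostname: str, keyword: str):
    """Value ssh would use for hostname: the first match in file order wins."""
    keyword = keyword.lower()
    for patterns, options in blocks:
        if _host_matches(patterns, hostname):
            for kw, value in options:
                if kw == keyword:
                    return value
    return None


def dead_peer_timeout(blocks: list, hostname: str):
    """Seconds of server silence before ssh disconnects (None if keepalives are off).

    ssh sends a keepalive every ServerAliveInterval seconds and gives up after
    ServerAliveCountMax unanswered ones (OpenSSH default 3).
    """
    interval = int(effective_option(blocks, hostname, "ServerAliveInterval") or 0)
    count = int(effective_option(blocks, hostname, "ServerAliveCountMax") or 3)
    return interval * count if interval > 0 else None


def audit_legacy_options(text: str) -> list:
    """List every option that turns a legacy algorithm on, flagging ones under 'Host *'."""
    findings = []
    for patterns, options in parse_ssh_config(text):
        for keyword, value in options:
            if value.startswith("-"):
                continue  # a '-' list removes algorithms, which is fine
            names = {name.lstrip("+^") for name in value.split(",")}
            if names & LEGACY_ALGORITHMS:
                findings.append({
                    "host": " ".join(patterns) or "(Match block)",
                    "option": keyword,
                    "value": value,
                    "global": "*" in patterns,
                })
    return findings


if __name__ == "__main__":
    for finding in audit_legacy_options(SAMPLE_CONFIG) + audit_legacy_options(GLOBAL_LEGACY_CONFIG):
        scope = "APPLIES TO ALL HOSTS" if finding["global"] else "scoped"
        print(f"{finding['host']}: {finding['option']} {finding['value']} [{scope}]")
```

With the section 4 settings, dead_peer_timeout comes out at 120 * 3 = 360
seconds, which is the longest a half-dead session lingers before ssh
notices; the audit on the second config is the case to fix, since a
+ssh-rsa under Host * accepts SHA-1 host key signatures from every server.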
Sources: OpenSSH Legacy Options;
OpenSSH 8.8 client incompatibility and workaround;
SSH Problems After MacOS 13 Ventura Upgrade.