SSH Notes
=========

1. SSH Key Fingerprint

To get an SSH key fingerprint, do the following:

$ ssh-keygen -l -f [public_key]

For example, the key fingerprint for the DSA host key can be obtained as follows:

$ ssh-keygen -l -f /etc/ssh/ssh_host_dsa_key.pub

2. Tunneling

To create an SSH tunnel for a TCP service running on a [server], do the following on the [client]:

$ ssh -N -L [client_port]:localhost:[server_port] [user]@[server]

[client_port] is the port to connect to on the [client].
[server_port] is the port on which the TCP service that needs to be tunneled is running on the [server]. Note that "localhost" in the -L argument is resolved on the [server], not on the [client]; the listening side on the [client] is bound to the loopback address by default.

Generally I pick 50000 + [server_port] for the [client_port].

Examples:

a. AppleShare:

$ ssh -N -L 50548:localhost:548 [user]@[afpserver]

b. SMB:

$ ssh -N -L 50445:localhost:445 [user]@[smbserver]

c. VNC:

$ ssh -N -L 55900:localhost:5900 [user]@[vncserver]

From: http://www.aerospacesoftware.com/samba-ssh-tunnel-howto.htm (dead link).

For instructions on creating nested tunnels, see J. Schauma, Nested SSH Tunnels, Signs of Triviality (Feb. 23, 2007).

3. SSH Agent

a. To start ssh-agent:

$ eval `ssh-agent`

b. To add an SSH key to ssh-agent:

$ ssh-add [key]

c. To stop ssh-agent:

$ ssh-agent -k

From: http://www.cs.utk.edu/~england/ssh.html (dead link).

4. SSH Keepalives

Add the following to $HOME/.ssh/config to prevent dropped connections:

Host *
    ServerAliveInterval 120
    ServerAliveCountMax 3

See: http://www.kehlet.cx/articles/129.html (dead link); http://www.snailbook.com/faq/timeouts.auto.html.

5. Connecting to older SSH servers

a.
Some older SSH servers (for example, Mac OS X 10.4 (Tiger)) require the diffie-hellman-group1-sha1 key exchange algorithm, so to connect to such servers, add the following to ~/.ssh/config:

Host [server]
    KexAlgorithms +diffie-hellman-group1-sha1
    HostKeyAlgorithms +ssh-rsa
    PubkeyAcceptedKeyTypes +ssh-rsa

Keep these overrides in a Host block for the specific server rather than under Host *: they re-enable algorithms that OpenSSH disabled by default because they are considered weak.

Alternatively, use the command line option -oKexAlgorithms=+diffie-hellman-group1-sha1 to connect to such servers:

$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 [user]@[server]

If you don't already have an RSA key, you may need to create one as follows:

$ ssh-keygen -t rsa -f ~/.ssh/id_rsa -P ''

b.
OpenSSH 8.8 and later have disabled RSA keys with SHA-1 signatures, but some older servers do not support the newer signature algorithms, so to connect to those servers, add the following to ~/.ssh/config:

Host [server]
    HostKeyAlgorithms +ssh-rsa
    PubkeyAcceptedAlgorithms +ssh-rsa

Alternatively, one can add the command line option -oHostKeyAlgorithms=+ssh-rsa to connect to such servers:

$ ssh -oHostKeyAlgorithms=+ssh-rsa [user]@[server]

As above, if you don't already have an RSA key, you may need to create one.

Sources: OpenSSH Legacy Options; OpenSSH 8.8 client incompatibility and workaround; SSH Problems After MacOS 13 Ventura Upgrade.
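Pinning and checking a host key fingerprint (the ssh-keygen -l output from section 1), as an added example that is not part of these notes: the script extracts the fingerprint column from ssh-keygen -l output and compares it against a value recorded out of band, and check_live_host applies the same check to the keys a server actually offers, via ssh-keyscan piped into ssh-keygen -l -f - (fingerprinting from stdin, available in OpenSSH 7.2 and later). The sample lines, hostname and fingerprint strings below are constructed placeholders, not real key data.

```shell
#!/bin/sh
# Added example, not part of the original notes: pin a host key fingerprint
# and check it before trusting a server. Sample lines below are constructed
# placeholders (the fingerprints do not belong to any real key).

# Print the fingerprint field (second column) of every line of
# `ssh-keygen -l` output read from stdin. Modern OpenSSH prints lines like
#   "256 SHA256:<43 base64 chars> <comment> (ED25519)"
fingerprints_from_lines() {
    awk 'NF >= 2 { print $2 }'
}

# Return 0 if the pinned fingerprint ($1) appears, as a whole line, among the
# fingerprints in the ssh-keygen output passed as $2 (may be several lines).
# -x forces a whole-line match so a prefix of the real value cannot pass.
check_fingerprint() {
    printf '%s\n' "$2" | fingerprints_from_lines | grep -qxF -- "$1"
}

# Fingerprint the keys a live server offers (ssh-keyscan) and check them
# against the pin. Needs ssh-keyscan and ssh-keygen on PATH; the offline
# test does not call this. Returns 2 if the tools fail.
check_live_host() {
    # $1: pinned fingerprint; $2: hostname; $3: key type (e.g. ed25519)
    lines=$(ssh-keyscan -t "$3" "$2" 2>/dev/null | ssh-keygen -l -f -) || return 2
    check_fingerprint "$1" "$lines"
}

# Constructed sample: what `ssh-keyscan host | ssh-keygen -l -f -` might print
# for a host offering two key types. Placeholder values, not real keys.
SAMPLE_SCAN='256 SHA256:EXAMPLEed25519fingerprintPLACEHOLDER0000000 example.test (ED25519)
3072 SHA256:EXAMPLErsafingerprintPLACEHOLDER00000000000 example.test (RSA)'
PINNED='SHA256:EXAMPLEed25519fingerprintPLACEHOLDER0000000'

# Usage when run directly: report whether the pinned value is among the keys.
if check_fingerprint "$PINNED" "$SAMPLE_SCAN"; then
    echo "fingerprint matches pin"
else
    echo "fingerprint MISMATCH: do not trust this host key" >&2
fi
```

The pinned value should come from a channel other than the SSH connection itself (console access, a provisioning record, or the server's /etc/ssh/*.pub read through ssh-keygen -l as in section 1); comparing a live scan against that pin is what turns the fingerprint from a printed string into a check.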
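A helper for the local-forward convention in section 2 (client_port = 50000 + server_port), as an added example that is not from the original notes: it builds the ssh -N -L command for the three services listed there (AppleShare, SMB, VNC) or for any numeric port, and refuses server ports above 15535, where the convention would produce a client port beyond the 65535 limit. It only prints the command rather than running it; the service table, user and host names are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example, not from the original notes: construct the `ssh -N -L`
# command for a local port forward using the notes' convention of
# client_port = 50000 + server_port. Names and hosts are placeholders.

# Map a service name to the server-side TCP port (the three services from
# the notes), or pass a numeric port through unchanged. Fails on anything else.
service_port() {
    case "$1" in
        afp) echo 548 ;;
        smb) echo 445 ;;
        vnc) echo 5900 ;;
        *)
            case "$1" in
                ''|*[!0-9]*) return 1 ;;   # not a plain number
                *) echo "$1" ;;
            esac ;;
    esac
}

# Client-side port under the 50000 + server_port convention. Refuses server
# ports above 15535, where the sum would exceed 65535 (the notes' convention
# does not cover that case, so the caller must pick a port by hand).
local_port_for() {
    p=$(service_port "$1") || return 1
    [ "$p" -ge 1 ] && [ "$p" -le 15535 ] || return 1
    echo $((50000 + $p))
}

# Print (do not run) the forwarding command.
# $1: service name or port; $2: user; $3: server.
# "localhost" in -L is resolved on the server; the client-side listener is
# bound to the loopback address by default, so only local processes reach it.
tunnel_cmd() {
    lp=$(local_port_for "$1") || { echo "bad service/port: $1" >&2; return 1; }
    sp=$(service_port "$1")
    printf 'ssh -N -L %s:localhost:%s %s@%s\n' "$lp" "$sp" "$2" "$3"
}

# Usage when run directly (placeholder user and host):
tunnel_cmd vnc alice vncserver
```

Running the script prints ssh -N -L 55900:localhost:5900 alice@vncserver, matching example c. in section 2; asking for a forward of port 20000 fails instead of silently emitting an out-of-range client port.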