Access remote systems using SSH
I have a VM server called bali1 with no SSH key generated, and two others called bali2 and bali3, with their IPs as follows:
[root@bali1 home]# cat hosts.txt
192.168.100.246 #bali2
192.168.100.150 #bali3 #port 55022
[root@bali1 home]# ls -lah ~/.ssh/
total 0
drwx------. 2 root root 6 Jan 20 07:20 .
dr-xr-x---. 4 root root 178 Jan 20 21:56 ..
[root@bali1 home]#
Access remote server with password on its default port 22
When I connect to bali2 on its default port 22, two files named known_hosts* are created in my own .ssh directory on bali1.
[root@bali1 home]# ssh root@192.168.100.246
The authenticity of host '192.168.100.246 (192.168.100.246)' can't be established.
ED25519 key fingerprint is SHA256:nh2fJ1gLPn9ZtoVpg5jPabgDVi40Gp597iR3w75VGyA.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.100.246' (ED25519) to the list of known hosts.
root@192.168.100.246's password:
Last login: Wed Feb 14 00:53:46 2024
[root@bali2 ~]# hostname
bali2.vps
When I log out from bali2, I find two generated files in the directory. The known_hosts file contains information about the hosts I have connected to. Every time I connect to another host, that host's information is appended to this file, comprising its IP address and several types of SSH host keys.
[root@bali2 ~]# exit
logout
Connection to 192.168.100.246 closed.
[root@bali1 home]# ls -lah ~/.ssh/
total 8.0K
drwx------. 2 root root 48 Feb 14 01:34 .
dr-xr-x---. 4 root root 178 Jan 20 21:56 ..
-rw-------. 1 root root 843 Feb 14 01:34 known_hosts
-rw-r--r--. 1 root root 97 Feb 14 01:34 known_hosts.old
[root@bali1 home]# cat ~/.ssh/known_hosts
192.168.100.246 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5xpZwBX3LYuRn2EyY0uumnwAmVYZsdtzLbhYrKgzgj
192.168.100.246 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC+YxufueYUsftzbyAwaJPRSjF2sRoemxnONEsCRwBiQdRZXMok45CfvryYGh9igiayWBO4LluoJvGBYYH9TtupFILu76zdPtBdmDxkXst/vBU3JYfRFog1P4rUxn80F0Nzo9Zd49olG0bdGu2jQg/GwQpG+imp5r5rp3QUFxvK5ADlMtp/BqCv1X2W+e79WJDcm3lMCkVxn96mx0dUVSukbWrAgE9zY0dY5nfTh8aI+9fZkBpL3r2YmNLnQiUlTngylqBU/2My7JA/klqBRyQOTRQJ6ScwdtRt6Gzt8sFE70Po5x0LKVLi9p+pOcv3K4C+T1+q+iz1OElQ8NTc+hp6G4Ig2aDIO+2zJKdj4NstExzPi/77v1T1flvNc8pDYz6xndVuoDFr9XboDojW1Ru+PXOj/iKVo655c3iX1JNEoxk/6iBdRKobOcvvMlW194pqzoOPGoDK6ZzwX0iiFH66OyqsoNiLbXq0hhv5YFPpnvVm5CtAHxe51i9Z2oLE5zM=
192.168.100.246 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMRuGjkGNw5itkSWGFv7d4haHurWtlClcOG6R4JND2927Ig5s6ovg0Jub69GRZK/D6ntu9EzDbo2OAxWkiusJ5c=
Connect to remote host with ssh-key instead of password
In order to connect with an SSH key, we need to generate at least one key pair with the ssh-keygen command.
[root@bali1 home]# ssh -V
OpenSSH_8.7p1, OpenSSL 3.0.7 1 Nov 2022
usage: ssh-keygen [-q] [-a rounds] [-b bits] [-C comment] [-f output_keyfile]
[-m format] [-N new_passphrase] [-O option]
[-t dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa]
[-w provider] [-Z cipher]
ssh-keygen -p [-a rounds] [-f keyfile] [-m format] [-N new_passphrase]
[-P old_passphrase] [-Z cipher]
ssh-keygen -i [-f input_keyfile] [-m key_format]
ssh-keygen -e [-f input_keyfile] [-m key_format]
ssh-keygen -y [-f input_keyfile]
ssh-keygen -c [-a rounds] [-C comment] [-f keyfile] [-P passphrase]
ssh-keygen -l [-v] [-E fingerprint_hash] [-f input_keyfile]
ssh-keygen -B [-f input_keyfile]
ssh-keygen -D pkcs11
ssh-keygen -F hostname [-lv] [-f known_hosts_file]
ssh-keygen -H [-f known_hosts_file]
ssh-keygen -K [-a rounds] [-w provider]
ssh-keygen -R hostname [-f known_hosts_file]
ssh-keygen -r hostname [-g] [-f input_keyfile]
ssh-keygen -M generate [-O option] output_file
ssh-keygen -M screen [-f input_file] [-O option] output_file
ssh-keygen -I certificate_identity -s ca_key [-hU] [-D pkcs11_provider]
[-n principals] [-O option] [-V validity_interval]
[-z serial_number] file ...
ssh-keygen -L [-f input_keyfile]
ssh-keygen -A [-a rounds] [-f prefix_path]
ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number]
file ...
ssh-keygen -Q [-l] -f krl_file [file ...]
ssh-keygen -Y find-principals -s signature_file -f allowed_signers_file
ssh-keygen -Y check-novalidate -n namespace -s signature_file
ssh-keygen -Y sign -f key_file -n namespace file ...
ssh-keygen -Y verify -f allowed_signers_file -I signer_identity
-n namespace -s signature_file [-r revocation_file]
I am going to create an ed25519 SSH key this time, since it is the easiest and shortest SSH key type available.
[root@bali1 home]# ssh-keygen -t ed25519
Generating public/private ed25519 key pair.
Enter file in which to save the key (/root/.ssh/id_ed25519):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_ed25519
Your public key has been saved in /root/.ssh/id_ed25519.pub
The key fingerprint is:
SHA256:UwA9DmqEhjkflAor+Bc5ppYTblye9j/Ic+3i7MUsUBk root@bali1.vps
The key's randomart image is:
+--[ED25519 256]--+
+----[SHA256]-----+
[root@bali1 home]# ls -lah ~/.ssh/
total 16K
drwx------. 2 root root 88 Feb 14 02:15 .
dr-xr-x---. 4 root root 178 Jan 20 21:56 ..
-rw-------. 1 root root 411 Feb 14 02:15 id_ed25519
-rw-r--r--. 1 root root 96 Feb 14 02:15 id_ed25519.pub
-rw-------. 1 root root 978 Feb 14 02:01 known_hosts
-rw-------. 1 root root 843 Feb 14 01:34 known_hosts.old
[root@bali1 home]# cat ~/.ssh/id_ed25519.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE+1eWSa+WCUEpPJ8mOBVN/KtbyIsQWIFSACIF9/3rwk root@bali1.vps
In order to connect to the remote host bali2, we need to add the content of id_ed25519.pub to the host’s authorized_keys file, located in root’s .ssh directory. The easy way to do so is with the ssh-copy-id command, as follows:
[root@bali1 home]# ssh-copy-id -i ~/.ssh/id_ed25519.pub -p22 root@192.168.100.246
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_ed25519.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.100.246's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh -p '22' 'root@192.168.100.246'"
and check to make sure that only the key(s) you wanted were added
Now we can log in to the bali2 host without a password, and we find that the authorized_keys file has been generated and our SSH key has been set in it.
[root@bali1 home]# ssh root@192.168.100.246
Last login: Wed Feb 14 01:34:41 2024 from 192.168.100.169
[root@bali2 ~]# hostname
bali2.vps
[root@bali2 ~]# ls -lah .ssh/
total 4.0K
drwx------. 2 root root 29 Feb 14 02:26 .
dr-xr-x---. 4 root root 178 Jan 20 21:56 ..
-rw-------. 1 root root 96 Feb 14 02:26 authorized_keys
[root@bali2 ~]# cat .ssh/authorized_keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE+1eWSa+WCUEpPJ8mOBVN/KtbyIsQWIFSACIF9/3rwk root@bali1.vps
Access remote server on its custom port
Let's do the same thing for the bali3 host on port 55022: we will pass our SSH key to the remote host.
[root@bali1 home]# ssh-copy-id -i ~/.ssh/id_ed25519.pub -p55022 root@192.168.100.150
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_ed25519.pub"
The authenticity of host '[192.168.100.150]:55022 ([192.168.100.150]:55022)' can't be established.
ED25519 key fingerprint is SHA256:nh2fJ1gLPn9ZtoVpg5jPabgDVi40Gp597iR3w75VGyA.
This host key is known by the following other names/addresses:
~/.ssh/known_hosts:1: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.100.150's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh -p '55022' 'root@192.168.100.150'"
and check to make sure that only the key(s) you wanted were added.
Now when we log in to the host, no password is needed anymore, and we find our SSH key set up in the authorized_keys file on the remote machine.
[root@bali1 home]# ssh -p55022 root@192.168.100.150
Last login: Wed Feb 14 02:50:20 2024 from 192.168.100.169
[root@bali3 ~]# hostname
bali3.vps
[root@bali3 ~]# cat ~/.ssh/authorized_keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE+1eWSa+WCUEpPJ8mOBVN/KtbyIsQWIFSACIF9/3rwk root@bali1.vps
When we go back to host bali1, we have newer host information registered in our known_hosts file.
[root@bali3 ~]# exit
logout
Connection to 192.168.100.150 closed.
[root@bali1 home]# cat ~/.ssh/known_hosts
|1|DDkcGD9fZDaqY9I2wvNch3oQQoo=|H4dNIbjsoVMtlSmf6PnD9cPEeNY= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5xpZwBX3LYuRn2EyY0uumnwAmVYZsdtzLbhYrKgzgj
|1|ivEpqQy1ANnu6lPsmYB6XZzYYN8=|7XW/hbz2R2IlU9YaEaAbouGgMxI= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC+YxufueYUsftzbyAwaJPRSjF2sRoemxnONEsCRwBiQdRZXMok45CfvryYGh9igiayWBO4LluoJvGBYYH9TtupFILu76zdPtBdmDxkXst/vBU3JYfRFog1P4rUxn80F0Nzo9Zd49olG0bdGu2jQg/GwQpG+imp5r5rp3QUFxvK5ADlMtp/BqCv1X2W+e79WJDcm3lMCkVxn96mx0dUVSukbWrAgE9zY0dY5nfTh8aI+9fZkBpL3r2YmNLnQiUlTngylqBU/2My7JA/klqBRyQOTRQJ6ScwdtRt6Gzt8sFE70Po5x0LKVLi9p+pOcv3K4C+T1+q+iz1OElQ8NTc+hp6G4Ig2aDIO+2zJKdj4NstExzPi/77v1T1flvNc8pDYz6xndVuoDFr9XboDojW1Ru+PXOj/iKVo655c3iX1JNEoxk/6iBdRKobOcvvMlW194pqzoOPGoDK6ZzwX0iiFH66OyqsoNiLbXq0hhv5YFPpnvVm5CtAHxe51i9Z2oLE5zM=
|1|XjKCyTvDvTsBwytEWC/cMcwutoE=|0/mLRIlkKTM0Qx4KaVoqfXOy29U= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMRuGjkGNw5itkSWGFv7d4haHurWtlClcOG6R4JND2927Ig5s6ovg0Jub69GRZK/D6ntu9EzDbo2OAxWkiusJ5c=
[192.168.100.150]:55022 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5xpZwBX3LYuRn2EyY0uumnwAmVYZsdtzLbhYrKgzgj
That’s all for this topic; I will continue to update this page if there are any other tips worth sharing.
This material refers to the RHCA objectives.
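The final known_hosts listing above holds the same ssh-ed25519 key on line 1 (the entry recorded for bali2) and on the [192.168.100.150]:55022 line, which is why ssh-copy-id reported that bali3's host key is already known under another name; when two hosts present one key, the key alone cannot tell the client which machine it reached. The following is an added example, not part of the original post, that lists keys shared by several known_hosts entries; the function names are hypothetical, and the sample reuses the ed25519 and ecdsa lines shown above with the ssh-rsa line replaced by a comment.

```shell
#!/bin/sh
# Added example: report host keys that appear on more than one known_hosts line.

# shared_host_keys FILE
# Prints "<keytype> <count> lines:<n,n,...>" for every key listed more than once.
# Works on hashed (|1|salt|hash) and plain entries, since only the key is compared.
shared_host_keys() {
    awk '
        /^[ \t]*(#|$)/ { next }     # comments and blank lines
        /^@/           { next }     # @cert-authority / @revoked entries are not per-host keys
        NF >= 3 {
            id = $2 " " $3          # key type + base64 key blob
            count[id]++
            lines[id] = (lines[id] == "" ? NR : lines[id] "," NR)
            ktype[id] = $2
        }
        END {
            for (id in count)
                if (count[id] > 1)
                    printf "%s %d lines:%s\n", ktype[id], count[id], lines[id]
        }
    ' "$1"
}

# write_sample FILE
# Sample input taken from the known_hosts output on this page; line 2 stands in
# for the long ssh-rsa entry so that the line numbers match the original file.
write_sample() {
    cat > "$1" <<'EOF'
|1|DDkcGD9fZDaqY9I2wvNch3oQQoo=|H4dNIbjsoVMtlSmf6PnD9cPEeNY= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5xpZwBX3LYuRn2EyY0uumnwAmVYZsdtzLbhYrKgzgj
# ssh-rsa entry omitted from this sample
|1|XjKCyTvDvTsBwytEWC/cMcwutoE=|0/mLRIlkKTM0Qx4KaVoqfXOy29U= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMRuGjkGNw5itkSWGFv7d4haHurWtlClcOG6R4JND2927Ig5s6ovg0Jub69GRZK/D6ntu9EzDbo2OAxWkiusJ5c=
[192.168.100.150]:55022 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE5xpZwBX3LYuRn2EyY0uumnwAmVYZsdtzLbhYrKgzgj
EOF
}

# Demo run on the sample; point shared_host_keys at ~/.ssh/known_hosts for real use.
demo_file=$(mktemp)
write_sample "$demo_file"
shared_host_keys "$demo_file"
rm -f "$demo_file"
```

Shared host keys commonly appear when virtual machines are cloned from one image without regenerating the keys under /etc/ssh; `ssh-keygen -A`, listed in the usage output above, recreates missing host keys once the old ones are removed.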