Difference between revisions of "Ssh"
Latest revision as of 09:49, 30 April 2013
ssh is a command to control a computer over the network.
Send graphical output to ssh user
If you want to start a graphical program, e.g. kwrite, on your remote computer and have its window displayed on your local computer, no problem. Log in with X11 forwarding enabled and start the program (xclock in this example):
  ssh -l user server -X
  xclock &
what happens
After logging in with ssh -X, xauth is called on the remote machine to create or update .Xauthority with a cookie for the forwarded display. Using netstat -putan you can see that every ssh -X session gets its own listening socket, bound to 127.0.0.1 only:
  remote:~ # netstat -putan
  [...]
  tcp 0 0 127.0.0.1:6010 0.0.0.0:* LISTEN -
  tcp 0 0 127.0.0.1:6011 0.0.0.0:* LISTEN -
  tcp 0 0 127.0.0.1:6012 0.0.0.0:* LISTEN -
  tcp 0 0 127.0.0.1:6013 0.0.0.0:* LISTEN -
  [...]
$DISPLAY is set automatically. X display number N corresponds to TCP port 6000+N, so display 14 is port 6014:
  remote:~ # echo $DISPLAY
  localhost:14.0
And sshd listens on that port to forward the X11 traffic back through the ssh connection to the X server on your local machine:
  remote:~ # lsof | grep 6014
  sshd 5257 root 6u IPv4 3755641440 TCP localhost:6014 (LISTEN)
port forwarding
  ssh username@server -L localport:remoteserver:remoteport
This opens localport on your local machine; every connection to it is tunnelled through server and delivered to remoteserver:remoteport, where remoteserver is resolved from server's point of view.
ssh verbose
  ssh -v user@server
or -vv, -vvv for more detail.
Troubleshooting
Remote host identification has changed
- Symptom
When trying to log in via ssh you may get a message like this:
  tweedleburg:~ # ssh root@192.168.0.107
  @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
  @ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
  @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
  IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
  Someone could be eavesdropping on you right now (man-in-the-middle attack)!
  It is also possible that the RSA host key has just been changed.
  The fingerprint for the RSA key sent by the remote host is
  32:78:25:83:d8:a6:de:ad:6a:0b:99:5e:05:e5:7c:e7.
  Please contact your system administrator.
  Add correct host key in /root/.ssh/known_hosts to get rid of this message.
  Offending key in /root/.ssh/known_hosts:11
  RSA host key for 192.168.0.107 has changed and you have requested strict checking.
  Host key verification failed.
- Reason
The host key presented by the computer you are trying to reach no longer matches the key stored for it in known_hosts (line 11 of /root/.ssh/known_hosts in this example). That happens when the host was reinstalled or its key regenerated, but it is also exactly what a machine impersonating the host would look like, which is why ssh refuses to continue.
- Solution
Once the host's administrator has confirmed that the key really changed and that the new fingerprint is the one shown in the warning, remove the stale entry; ssh will offer the new key for acceptance on the next login:
  $ ssh-keygen -R hostname
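The following is an added example, not code from the original wiki page. It turns the manual steps above into a small shell routine: parse the warning to find the offending known_hosts line and the presented fingerprint, show the stored entry, and only then decide whether removing it is justified. The warning text and known_hosts file are constructed from the message shown above, and EXPECTED is a placeholder for the fingerprint you obtained from the host's administrator out of band. It assumes a POSIX sh with sed, awk and tr.

```shell
#!/bin/sh
# Added example, not code from the original wiki page: act on the
# "REMOTE HOST IDENTIFICATION HAS CHANGED" warning by first locating the
# stored entry and comparing fingerprints, instead of deleting blindly.
# Assumptions: POSIX sh with sed/awk/tr; the warning text and the
# known_hosts file below are constructed; EXPECTED stands in for the
# fingerprint confirmed with the host's administrator out of band.

# "file:line" of the offending known_hosts entry, taken from the warning.
offending_entry() {            # usage: offending_entry "$warning_text"
    printf '%s\n' "$1" | sed -n 's/^Offending key in \([^ ]*\)$/\1/p' | head -n 1
}

# The fingerprint the remote side presented (colon-separated hex, as the
# warning prints it, with the trailing full stop removed).
presented_fingerprint() {      # usage: presented_fingerprint "$warning_text"
    printf '%s\n' "$1" \
      | sed -n 's/^\([0-9a-fA-F]\{2\}\(:[0-9a-fA-F]\{2\}\)*\)\.$/\1/p' | head -n 1
}

# Print the stored known_hosts line so it can be inspected before removal.
show_stored_entry() {          # usage: show_stored_entry file:line
    sed -n "${1##*:}p" "${1%:*}"
}

# True only when the presented fingerprint equals the one confirmed out of
# band (case-insensitive, both non-empty).
key_change_is_expected() {     # usage: key_change_is_expected presented expected
    a=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    b=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# --- demo on constructed data -------------------------------------------
KNOWN_HOSTS=$(mktemp)
printf '%s\n' \
  'fileserver ssh-rsa AAAAB3NzaC1yc2E-constructed-key-1' \
  '192.168.0.107 ssh-rsa AAAAB3NzaC1yc2E-constructed-key-2' > "$KNOWN_HOSTS"

WARNING=$(printf '%s\n' \
  'The fingerprint for the RSA key sent by the remote host is' \
  '32:78:25:83:d8:a6:de:ad:6a:0b:99:5e:05:e5:7c:e7.' \
  "Offending key in $KNOWN_HOSTS:2")

# placeholder: in practice this value comes from the administrator, not from the warning
EXPECTED='32:78:25:83:d8:a6:de:ad:6a:0b:99:5e:05:e5:7c:e7'

entry=$(offending_entry "$WARNING")
echo "stored entry ($entry): $(show_stored_entry "$entry")"
if key_change_is_expected "$(presented_fingerprint "$WARNING")" "$EXPECTED"; then
    echo "fingerprint confirmed; safe to run: ssh-keygen -R 192.168.0.107"
else
    echo "fingerprint does NOT match the confirmed value; leave the entry in place"
fi
rm -f "$KNOWN_HOSTS"
```

The comparison is deliberately done against a value you typed in from an independent source: comparing the warning's fingerprint with itself proves nothing, which is why the script never reads EXPECTED from the warning.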
ssh -X does not work
If ssh -X logs you in, but you still do not get the graphical display from your remote machine, check /etc/ssh/sshd_config on the remote machine. There must be a line
  X11Forwarding yes
Also, the xauth binary must be installed on the remote machine, otherwise .Xauthority cannot be created.
If you get an error message like
  Invalid MIT-MAGIC-COOKIE-1 keyError: Can't open display: localhost:10.0
make sure to call
  xhost +
on the client machine before calling ssh. Note that xhost + switches off access control for your local X server completely, so any host that can reach it may connect; xhost - switches it back on once you are done.
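As an added example (not code from the original wiki page), the script below checks the remote-side prerequisites described in "what happens" and in this troubleshooting entry: the effective X11Forwarding value in sshd_config, the presence of xauth, the display-to-port mapping, and whether the forwarded port is listening on loopback only. It assumes a POSIX sh with awk, and ss or netstat for the listener check; the sshd_config text used in the demo is constructed.

```shell
#!/bin/sh
# Added example, not code from the original wiki page: check the
# remote-side prerequisites for "ssh -X" (X11Forwarding in sshd_config,
# xauth present, display-to-port mapping, listener bound to loopback only).
# Assumptions: POSIX sh with awk; ss or netstat for the listener check;
# the sshd_config text in the demo is constructed.

# First value of a keyword in an sshd_config file. sshd semantics: '#' starts
# a comment, keywords are case-insensitive, and the FIRST occurrence wins, so
# a later "X11Forwarding yes" does not override an earlier "X11Forwarding no".
sshd_option() {                # usage: sshd_option keyword config-file
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }                          # comment line
        NF >= 2 && tolower($1) == key { print $2; exit }   # first match wins
    ' "$2"
}

# TCP port behind a DISPLAY such as "localhost:14.0": 6000 + display number.
# Fails (status 1, no output) for values that are not host:number[.screen].
x11_port_from_display() {      # usage: x11_port_from_display "$DISPLAY"
    case "$1" in *:*) ;; *) return 1 ;; esac
    n=${1##*:}                 # "14.0"
    n=${n%%.*}                 # "14"
    case "$n" in ''|*[!0-9]*) return 1 ;; esac
    echo $((6000 + n))
}

# Is the forwarded display's port listening, and only on loopback? Returns 0
# if every listener on the port is bound to 127.0.0.1 or ::1, 1 otherwise
# (including "not listening at all"). Uses ss, falling back to netstat.
x11_listener_is_local() {      # usage: x11_listener_is_local port
    if command -v ss >/dev/null 2>&1; then
        lines=$(ss -ltn 2>/dev/null | awk -v p=":$1" '$4 ~ p"$"')
    else
        lines=$(netstat -ltn 2>/dev/null | awk -v p=":$1" '$4 ~ p"$"')
    fi
    [ -n "$lines" ] || return 1
    printf '%s\n' "$lines" \
      | awk '$4 !~ /^(127\.0\.0\.1|\[?::1\]?):/ { bad = 1 } END { exit bad + 0 }'
}

# --- demo on a constructed sshd_config -----------------------------------
CFG=$(mktemp)
printf '%s\n' '# X11Forwarding no   (comment, ignored)' \
              'X11Forwarding yes' \
              'X11Forwarding no    (ignored: the first value wins)' > "$CFG"
echo "X11Forwarding: $(sshd_option X11Forwarding "$CFG")"      # yes
if command -v xauth >/dev/null 2>&1; then
    echo "xauth: found"
else
    echo "xauth: MISSING, .Xauthority cannot be created"
fi
port=$(x11_port_from_display "${DISPLAY:-localhost:14.0}") && echo "display port: $port"
if [ -n "$port" ]; then
    if x11_listener_is_local "$port"; then
        echo "port $port: listening on loopback only"
    else
        echo "port $port: not listening, or bound to a non-loopback address"
    fi
fi
rm -f "$CFG"
```

Run it on the remote machine inside an ssh -X session: with the page's example DISPLAY of localhost:14.0 it reports port 6014, which should match the sshd listener shown by lsof above.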
ssh hangs
Symptom: After calling something like
  ssh root@venus
nothing seems to happen for about half a minute, then the password prompt appears.
Solution 1: Check the name server configuration on the machine you are logging in to. Before prompting for a password, sshd there typically does a reverse lookup of the connecting client's address, and an unreachable name server makes that lookup stall until it times out. Here is an example case:
  earth:~ # ssh root@192.168.0.108
Now I had to wait about 30 seconds, then I got the password prompt:
  Password:
I gave the password and inspected the name server config:
  tweedleburg:~ # cat /etc/resolv.conf
  [...]
  nameserver 80.237.128.144
  nameserver 192.168.0.1
  nameserver 217.0.43.113
  nameserver 217.0.43.97
Ok, let's see if the first name server is reachable:
  tweedleburg:~ # ping 80.237.128.144
  PING 80.237.128.144 (80.237.128.144) 56(84) bytes of data.
  64 bytes from 80.237.128.144: icmp_req=1 ttl=57 time=48.4 ms
  64 bytes from 80.237.128.144: icmp_req=2 ttl=57 time=48.8 ms
It is. I quit with CTRL-C.
Now let's see if we can reach the name service's port:
  tweedleburg:~ # telnet 80.237.128.144 53
  Trying 80.237.128.144...
  telnet: connect to address 80.237.128.144: No route to host
No. We wait, and nothing happens. This is our root cause: the host answers ping, but port 53 is unreachable. So let's edit /etc/resolv.conf and remove the name server 80.237.128.144:
  tweedleburg:~ # vi /etc/resolv.conf
  tweedleburg:~ # exit
  logout
  Connection to 192.168.0.108 closed.
  earth:~ # ssh root@192.168.0.108
And immediately I got the password prompt:
  Password:
Problem solved.
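The check in Solution 1 was done by hand for one name server; the following added example (not code from the original wiki page) generalizes it to every name server listed in resolv.conf, probing TCP port 53 with a timeout rather than relying on ping, which as the case above shows can succeed while the port is unreachable. The parser needs only a POSIX sh with awk; probe_port additionally assumes bash (for /dev/tcp) and the coreutils timeout command. The resolv.conf text in the demo is constructed.

```shell
#!/bin/sh
# Added example, not code from the original wiki page: automate the check
# from Solution 1 for every name server in resolv.conf. Assumptions: POSIX sh
# with awk for the parser; probe_port additionally needs bash (for /dev/tcp)
# and the coreutils "timeout" command. The resolv.conf text in the demo is
# constructed.

# Name server addresses from a resolv.conf-style file, ignoring comment
# lines ('#' or ';') and other directives such as search or options.
list_nameservers() {           # usage: list_nameservers resolv.conf
    awk '/^[[:space:]]*[#;]/ { next }
         $1 == "nameserver" && NF >= 2 { print $2 }' "$1"
}

# TCP connect probe with a timeout. A host that answers ping can still have
# port 53 unreachable, so test the port itself. Returns 0 if the connection
# succeeds, non-zero on refusal, "no route to host", or timeout.
probe_port() {                 # usage: probe_port host port [seconds]
    timeout "${3:-3}" bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Probe each name server on TCP port 53; return 1 if any is unreachable.
# Run this on the machine you log in TO, where sshd does its lookups.
check_nameservers() {          # usage: check_nameservers resolv.conf
    rc=0
    for ns in $(list_nameservers "$1"); do
        if probe_port "$ns" 53; then
            echo "$ns: port 53 reachable"
        else
            echo "$ns: port 53 UNREACHABLE -> remove it from $1 or fix the route"
            rc=1
        fi
    done
    return $rc
}

# --- demo on a constructed resolv.conf (no network access needed) --------
RESOLV=$(mktemp)
printf '%s\n' '# constructed example' 'search example.internal' \
              'nameserver 80.237.128.144' '; a second comment style' \
              'nameserver 192.168.0.1' 'options timeout:2' > "$RESOLV"
echo "name servers configured:"
list_nameservers "$RESOLV"     # 80.237.128.144 and 192.168.0.1
rm -f "$RESOLV"
# On a real host: check_nameservers /etc/resolv.conf
```

The order matters: the resolver tries name servers in the listed order, so an unreachable first entry costs a full timeout on every lookup, which is why removing (or moving) that entry resolves the delay.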
Solution 2: Stop and disable ypbind:
  /etc/init.d/ypbind stop
Related
ssh-related topics:
- passwordless login