SSH How To

How to mount SSHFS as root via sudo

Add a NOPASSWD entry for your user to the sudoers file (sudo visudo)
user    ALL=(root) NOPASSWD: /usr/lib/openssh/sftp-server
Mount using the -o sftp_server option
sshfs server.com:/ /media/server.com -o sftp_server="/usr/bin/sudo /usr/lib/openssh/sftp-server"
You can get the sftp-server location from
sudo grep Subsystem /etc/ssh/sshd_config

How to copy public key using ssh-copy-id on a non-default port

ssh-copy-id "user@host -p 8129"

How to limit SSH access to specific users

Add the following line to your /etc/ssh/sshd_config
AllowUsers user
With this setting all users other than those listed will be denied an SSH connection, even if they use a correct password. To block only certain users from connecting over SSH use DenyUsers or DenyGroups, but remember that blacklisting is inherently less secure than whitelisting.
Also, consider setting the following to "no" to deny remote root logins:
PermitRootLogin no
Restart sshd after changing the file
sudo service ssh restart
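As an added example (not part of the original page), a small sh/awk audit that checks an sshd_config against the advice above. sshd honours the first occurrence of a keyword outside Match blocks, so a "PermitRootLogin no" added below an existing "PermitRootLogin yes" is silently ignored; the check follows the same rule. The sample config it writes is constructed, and the "Keyword=value" spelling of directives is not handled (an assumption to keep the awk short).

```shell
# Added audit helper (not from the original page). sshd uses the FIRST
# occurrence of a keyword outside Match blocks; this check mirrors that.
# Assumption: the "Keyword=value" spelling is not handled.

# sshd_effective FILE KEYWORD: print the effective value (first match wins,
# keyword case-insensitive, comments and Match-block contents skipped).
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == "match" { in_match = 1; next }
        in_match { next }
        tolower($1) == key { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# sshd_audit FILE: return 0 when logins are whitelisted and remote root login
# is off; otherwise print one finding per line and return 1.
sshd_audit() {
    rc=0
    allow="$(sshd_effective "$1" AllowUsers) $(sshd_effective "$1" AllowGroups)"
    if [ -z "$(printf '%s' "$allow" | tr -d ' ')" ]; then
        [ -n "$(sshd_effective "$1" DenyUsers)$(sshd_effective "$1" DenyGroups)" ] \
            && echo "DenyUsers/DenyGroups without AllowUsers/AllowGroups (blacklist only)" \
            || echo "no AllowUsers/AllowGroups: any account with a valid password may log in"
        rc=1
    fi
    root="$(sshd_effective "$1" PermitRootLogin | tr 'A-Z' 'a-z')"
    case "$root" in
        no) ;;
        "") echo "PermitRootLogin not set (default: prohibit-password on OpenSSH 7.0+, yes before)"; rc=1 ;;
        *)  echo "PermitRootLogin is '$root', not 'no'"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample config (not from a real host) showing the pitfall: the
# "no" at the bottom belongs to the Match block and does not override "yes".
write_sample_config() {
    cat > "$1" <<'EOF'
# comments are skipped
PermitRootLogin yes
DenyUsers guest
Match User backup
    AllowUsers backup
PermitRootLogin no
EOF
}

# Stand-alone demo (./audit.sh --demo): audit the constructed sample.
if [ "${1:-}" = "--demo" ]; then f=$(mktemp); write_sample_config "$f"; sshd_audit "$f"; rm -f "$f"; fi
```

Point sshd_audit at the real /etc/ssh/sshd_config to check a host; a non-zero exit means at least one finding was printed.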

How to configure cygwin SSH to start as a service

  • Right click My Computer, Properties, Advanced, "Environment Variables", under "System variables" add variable CYGWIN set to "ntsec tty"
  • In the same place, edit the PATH variable and append ;c:\cygwin\bin to the end
  • Start cygwin's command prompt and run
ssh-host-config
  • Answer yes to all questions and "ntsec tty" to the CYGWIN value question
  • Now start the CYGWIN SSH service. You can configure it by editing /etc/sshd_config (chmod 644 first if needed)

Note: If you have permission issues, try the following in cygwin's command prompt:

chmod 644 /etc/sshd_config
chmod 644 /etc/passwd
chmod 644 /etc/group
chmod 755 /var
touch /var/log/sshd.log
chmod 644 /var/log/sshd.log

How to mount remote file system over SSH and debug it

To mount, create a mount point and run
sshfs -o port=1234 host.name.com: /media/mountpoint
To debug, add -o sshfs_debug (although it might not be that helpful). If you are connecting under a different identity, add -o IdentityFile=/home/user/.ssh/other_key
If you are getting connection resets, first check that your port is correct, then try connecting by IP instead of the host name.
To unmount run
fusermount -u /media/mountpoint

How to set up passwordless login using a separate identity

First, make sure that your SSH server is on port 22, since ssh-copy-id does not appear to have a port option. If it is not and you cannot change the server port number, read ssh-copy-id with "less" (it is a shell script) and mimic what it does on the command line.
ssh-keygen -t rsa -f ~/.ssh/other_identity
ssh-copy-id -i ~/.ssh/other_identity.pub user@host
Test by running (the -i option takes the private key, not the .pub file)
ssh -i ~/.ssh/other_identity user@host

How to control, setup and shutdown an ssh tunnel

Use control sockets (this needs the -M and -S options; the same socket path must be used in every command):
ssh -fNM -L <localport>:<host from remote machine>:<remote port> -S ~/.ssh/control_socket -p 28322 -i ~/.ssh/identity e91311@pcl0323
then check the status of the master connection or terminate it by calling
ssh -O check -S ~/.ssh/control_socket localhost
ssh -O exit -S ~/.ssh/control_socket localhost

How to enable external ssh to wrt54g

iptables -I INPUT 1 -p tcp --dport 22 -j logaccept

How to multiplex SSH connections over one

Configure the default settings in your ~/.ssh/config file
ControlMaster auto
ControlPath /tmp/master-%r@%h:%p

How to setup an SSH tunnel

ssh -fNgL 3389:targethost.com:3389 xxxx@sshproviderhost
  • -f run in the background
  • -N do not open a remote shell
  • -g allow remote hosts to connect to the forwarded local port (use if you want to route traffic from other hosts through this tunnel)

How to forward a privileged port using a ssh shared key login by a non-root user

sudo ssh -L 80:192.168.1.1:80 -i ~user/.ssh/id_rsa root@sshhost.net

How to forward the X ports

Make sure your X server accepts TCP connections: edit /etc/gdm/gdm.conf and set
sudo gedit /etc/gdm/gdm.conf

[security]
DisallowTCP=false

Restart gdm (Ctrl-Alt-Backspace kills X) or kill the gdm process. Then use ssh -X to forward X. Do not set DISPLAY by hand on the remote host: that sends the X traffic unencrypted, bypassing the ssh tunnel.

How to stick a password into an SSH prompt

This is not as secure as using a public key, but it may help in certain situations (the password ends up in your shell history and in the process list):
expect -c 'spawn ssh user@host ; expect assword ; send "passw0rd\n" ; interact'

How to suppress host key warning when using multiple hosts on the same ip

In your ~/.ssh/config file, give each host its own known_hosts file:
Host myphone
HostName 127.0.0.1
Port 3023
User mobile
UserKnownHostsFile ~/.ssh/myphone_known_hosts

Host labphone
HostName 127.0.0.1
Port 3023
User mobile
UserKnownHostsFile ~/.ssh/labphone_known_hosts

How to use established SSH tunnel from a host side

If you have a tunnel from a client to a host and do not want to create a separate tunnel from the host back to the client to copy files or similar (say there is a NAT firewall on the client side), add the following to the client's ~/.ssh/config
Host myphone
  RemoteForward 2202 localhost:22

Then connect to port 2202 on the host to reach the client's sshd through the existing tunnel

@HowTo @Security @Networking