Specifies whether root can log in using ssh(1). The argument must be “yes”, “without-password”, “forced-commands-only”, or “no”.
The default is “yes”.
If this option is set to “without-password”, password authentication is disabled for root.
If this option is set to “forced-commands-only”, root login with public key authentication will be allowed, but only if the command option has been specified. Useful for backups 😉 All other authentication methods are disabled for root.
If this option is set to “no”, root is not allowed to log in.
Thus without-password allows root login only with public key authentication.
SCP or secure copy is probably the easiest of all the methods, its is designed as a replacement for rcp, which was a quick copy of cp with network funcationability. Before scp does any copying it first connects via ssh. SCP encrypts data over your network connection, but by using the -C switch you can compress the data before it goes over the network. This can significantly decrease the time it takes to copy large files.
scp -r directory user@server:~/
or default port
scp "-P 7787" -r directory user@server:~/
TAR is usually used for achiving applications, but what we are going to do in this case is tar it then pipe it over an ssh connection. TAR handles large file trees quite well and preserves all file permissions, and works quite well with symlinks.
tar -czf - directory | ssh -p 7787 user@server tar -xzf - -C .
or default port
tar -czf - directory | ssh user@server tar -xzf - -C .
tar -xzf - directory | ssh user@server "cat > /directory/tarball.tar.gz"
dpkg -l | ssh user@server "cat > /directory/dpkg-list.txt"
RSYNC speciality lies in its ability to analyse files and only copy the changes made to files rather than all files. This can lead to enormous improvements when copying a directory tree a second time.
rsync -avze "ssh -p 7787" directory user@server:~/
or default port
rsync -avze ssh directory user@server:~/
usermod --expiredate 1 username instead of
passwd -l username.
Passwd -l does not disable an account, just makes the password unusable, but the user could still login using an ssh key or other auth meth.
By the way, I know a lot of admins who made this mistake 😉
SSH logins can be limited to only certain users who need remote access.
The ssh server is configured by the file /etc/ssh/sshd_config. If you wish you can restrict remote access to specific users. For example to only allow “john” and “julia” to login add the following:
AllowUsers john julia
and restart the sshd service.
SSH from hades to earth.server.com with the -R flag. I’ll assume that you’re the root user on hades and that tech will need the root user ID to help you with the system. With the -R flag, you’ll forward instructions of port 2222 on earth.server.com to port 22 on hades. This is how you set up an SSH tunnel. Note that only SSH traffic can come into hades: You’re not putting hades out on the Internet naked.
You can do this with the following syntax:
# ssh -R 2222:localhost:22 firstname.lastname@example.org
Once you are into hades.server.com, you just need to stay logged in and enter a command like:
email@example.com:~$ while [ 1 ]; do date; sleep 300; done
to keep the machine busy and minimize the window.
Now instruct your friends to SSH as “username” into earth.server.com without using any special SSH flags. You’ll have to give them your password:
root@hades:~# ssh firstname.lastname@example.org .
BTW no need
Once user is on the hades.server.com, they can SSH to earth using the following command:
email@example.com:~$: ssh -p 2222 root@localhost
ssh -R 2222:localhost:22 firstname.lastname@example.org
while [ 1 ]; do date; sleep 300; done
ssh -p 2222 root@localhost
and we can log in into earth.somedomain.com :))
If you need to login from a serverA to a serverB using no password.
First what you have to do is login to a serverA as a user to generate a pair of authentication keys.
Do not enter a passphrase!
user@serverA:~> ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Created directory '/home/user/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
Now use the ssh to create a directory ~/.ssh as a user “user” on a serverB. The directory may already exist there, in this case do not create that directory:
user@serverA:~> ssh user@serverB mkdir -p .ssh
Finally copy a new public key to user@serverB .ssh/authorized_keys and enter the userB password the last time:
user@serverA:~> cat .ssh/id_rsa.pub | ssh user@serverB 'cat >> .ssh/authorized_keys'
From now, you can login to a serverB as a user “user” from a serverA without typing a password.