CINXE.COM

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="X-UA-Compatible" content="IE=Edge"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="shortcut icon" href="/htdocs/favicon.ico"> <script type="text/javascript" src="/htdocs/bugstatus.js"></script> <meta http-equiv="Content-Type" content="text/html;charset=utf-8"> <meta name="robots" content="noindex,nofollow"> <title>SSH - Debian Wiki</title> <script type="text/javascript" src="/htdocs/common/js/common.js"></script> <script type="text/javascript">  </script> <link rel="stylesheet" type="text/css" charset="utf-8" media="all" href="/htdocs/debwiki/css/common.css"> <link rel="stylesheet" type="text/css" charset="utf-8" media="screen" href="/htdocs/debwiki/css/screen.css"> <link rel="stylesheet" type="text/css" charset="utf-8" media="print" href="/htdocs/debwiki/css/print.css"> <link rel="stylesheet" type="text/css" charset="utf-8" media="projection" href="/htdocs/debwiki/css/projection.css"> <link rel="stylesheet" type="text/css" charset="utf-8" media="all" href="/htdocs/debian-wiki-1.0.css">   <link rel="alternate" title="Debian Wiki: SSH" href="/SSH?diffs=1&show_att=1&action=rss_rc&unique=0&page=SSH&ddiffs=1" type="application/rss+xml"> <link rel="Start" href="/FrontPage"> <link rel="Alternate" title="Wiki Markup" href="/SSH?action=raw"> <link rel="Alternate" media="print" title="Print View" href="/SSH?action=print"> <link rel="Search" href="/FindPage"> <link rel="Index" href="/TitleIndex"> <link rel="Glossary" href="/WordIndex"> <link rel="Help" href="/HelpOnFormatting"> </head> <body lang="en" dir="ltr"> <div id="logo"><a href="https://www.debian.org" title="Debian Homepage"><img src="https://www.debian.org/Pics/openlogo-50.png" alt="Debian" width="50" height="61"></a></div> <div id="header"> <div id="wikisection"> <a href="/FrontPage" title="Debian Wiki Homepage">Wiki</a> <div id="username"><a href="/SSH?action=login" id="login" rel="nofollow">Login</a></div> </div> <div id="navbar"> <ul id="navibar"> <li class="wikilink"><a href="/FrontPage">FrontPage</a></li><li class="wikilink"><a href="/RecentChanges">RecentChanges</a></li><li class="wikilink"><a href="/FindPage">FindPage</a></li><li class="wikilink"><a href="/HelpContents">HelpContents</a></li><li class="current"><a href="/SSH">SSH</a></li> </ul> </div> <form id="searchform" method="get" action="/SSH"> <div> <input type="hidden" name="action" value="fullsearch"> <input type="hidden" name="context" value="180"> <label for="searchinput">Search:</label> <input id="searchinput" type="text" name="value" value="" size="20" onfocus="searchFocus(this)" onblur="searchBlur(this)" onkeyup="searchChange(this)" onchange="searchChange(this)" alt="Search"> <input id="titlesearch" name="titlesearch" type="submit" value="Titles" alt="Search Titles"> <input id="fullsearch" name="fullsearch" type="submit" value="Text" alt="Search Full Text"> </div> </form> <script type="text/javascript">  </script> <div id="logo"><a href="https://www.debian.org" title="Debian Homepage"><img src="https://www.debian.org/Pics/openlogo-50.png" alt="Debian" width="50" height="61"></a></div> <div id="breadcrumbs"><a href="/FrontPage" title="Debian Wiki Homepage">Wiki</a>/ </div> <ul class="editbar"><li><a href="/SSH?action=login" id="login-1" rel="nofollow">Login</a></li><li class="toggleCommentsButton" style="display:none;"><a href="#" class="nbcomment" onClick="toggleComments();return false;">Comments</a></li><li><a class="nbinfo" href="/SSH?action=info" rel="nofollow">Info</a></li><li><a class="nbattachments" href="/SSH?action=AttachFile" rel="nofollow">Attachments</a></li><li> <form class="actionsmenu" method="GET" action="/SSH"> <div> <label>More Actions:</label> <select name="action" onchange="if ((this.selectedIndex != 0) && (this.options[this.selectedIndex].disabled == false)) { this.form.submit(); } this.selectedIndex = 0;"> <option value="raw">Raw Text</option> <option value="print">Print View</option> <option value="RenderAsDocbook">Render as Docbook</option> <option value="show" disabled class="disabled">Delete Cache</option> <option value="show" disabled class="disabled">------------------------</option> <option value="SpellCheck">Check Spelling</option> <option value="LikePages">Like Pages</option> <option value="LocalSiteMap">Local Site Map</option> <option value="show" disabled class="disabled">------------------------</option> <option value="RenamePage" disabled class="disabled">Rename Page</option> <option value="DeletePage" disabled class="disabled">Delete Page</option> <option value="show" disabled class="disabled">------------------------</option> <option value="show" disabled class="disabled">Subscribe User</option> <option value="show" disabled class="disabled">------------------------</option> <option value="show" disabled class="disabled">Remove Spam</option> <option value="show" disabled class="disabled">Revert to this revision</option> <option value="PackagePages">Package Pages</option> <option value="show" disabled class="disabled">------------------------</option> <option value="Load">Load</option> <option value="Save">Save</option> <option value="SlideShow">SlideShow</option> </select> <input type="submit" value="Do"> </div> <script type="text/javascript">  </script> </form> </li></ul> <h1 id="locationline"> <ul id="pagelocation"> <li><a href="/SSH">SSH</a></li> </ul> </h1> </div> <div id="page" lang="en" dir="ltr"> <div dir="ltr" id="content" lang="en"> <a href="/DebianWiki/EditorGuide#translation">Translation(s)</a>: <a href="/de/SSH">Deutsch</a> - <a href="/SSH">English</a> - <a href="/fr/SSH">Fran莽ais</a> - <a href="/it/SSH">Italiano</a> - <a href="/es/SSH">Espa帽ol</a> - <a href="/pt_BR/SSH">Portugu锚s (Brasil)</a> <div class="table-of-contents">Contents<ol><li> <a href="#Introduction">Introduction</a></li><li> <a href="#Installation">Installation</a><ol><li> <a href="#Installation_of_the_client">Installation of the client</a></li><li> <a href="#Installation_of_the_server">Installation of the server</a></li></ol></li><li> <a href="#Configuration_files">Configuration files</a><ol><li> <a href="#Regenerating_host_keys">Regenerating host keys</a></li></ol></li><li> <a href="#Remote_login">Remote login</a><ol><li> <a href="#With_password">With password</a></li><li> <a href="#Using_shared_keys">Using shared keys</a></li></ol></li><li> <a href="#Keys_management">Keys management</a><ol><li> <a href="#Using_GUI">Using GUI</a></li></ol></li><li> <a href="#Securing">Securing</a><ol><li> <a href="#SSH_Server">SSH Server</a><ol><li> <a href="#Good_practices_with_SSH_Server">Good practices with SSH Server</a></li><li> <a href="#Configuration_Options">Configuration Options</a></li><li> <a href="#External_Utilities">External Utilities</a></li></ol></li><li> <a href="#SSH_Client">SSH Client</a><ol><li> <a href="#Good_practices_with_SSH_Client">Good practices with SSH Client</a></li></ol></li></ol></li><li> <a href="#Additional_Functions">Additional Functions</a><ol><li> <a href="#View_files_in_GUI">View files in GUI</a></li></ol></li><li> <a href="#Additional_Commands">Additional Commands</a><ol><li> <a href="#scp">scp</a></li><li> <a href="#sftp">sftp</a><ol><li> <a href="#text_mode">text mode</a></li><li> <a href="#graphical_mode">graphical mode</a></li></ol></li><li> <a href="#clusterssh">clusterssh</a></li><li> <a href="#ssh-agent_and_ssh-add">ssh-agent and ssh-add</a></li><li> <a href="#keychain">keychain</a></li><li> <a href="#ssh-askpass">ssh-askpass</a></li><li> <a href="#libpam-usb">libpam-usb</a></li></ol></li><li> <a href="#Remote_commands">Remote commands</a></li><li> <a href="#SSH_into_Debian_from_another_OS">SSH into Debian from another OS</a></li><li> <a href="#Good_practices_of_SSH_usage">Good practices of SSH usage</a></li><li> <a href="#Troubleshooting">Troubleshooting</a><ol><li> <a href="#OpenSSL_version_mismatch._Built_against_1000105f.2C_you_have_10001060">OpenSSL version mismatch. Built against 1000105f, you have 10001060</a></li><li> <a href="#SSH_hangs">SSH hangs</a><ol><li> <a href="#Resolution_with_IPQoS_0x00">Resolution with IPQoS 0x00</a></li><li> <a href="#Resolution_with_netcat">Resolution with netcat</a></li></ol></li><li> <a href="#Keep_SSH_connection_alive">Keep SSH connection alive</a><ol><li> <a href="#For_Debian_7.x_server">For Debian 7.x server</a></li></ol></li></ol></li><li> <a href="#See_also">See also</a></li></ol></li></ol></div> <a href="/ToDo">ToDo</a>: merge (and translate) this page and the french one (more complete) <h2 id="Introduction">Introduction</h2> SSH stands for Secure Shell and is a protocol for secure remote login and other secure network services over an insecure network<a href="#fnref-0b2e6c997d8b83e2b9fc0c2fba2896d27f6d74f8" id="fndef-0b2e6c997d8b83e2b9fc0c2fba2896d27f6d74f8-0">1</a>. See <a class="interwiki" href="https://en.wikipedia.org/wiki/Secure_Shell" title="WikiPedia">Wikipedia - Secure Shell</a> for more general information and <a class="interwiki" href="https://packages.debian.org/ssh" title="DebPkg">ssh</a>, <a class="interwiki" href="https://packages.debian.org/lsh-client" title="DebPkg">lsh-client</a> or <a class="interwiki" href="https://packages.debian.org/dropbear" title="DebPkg">dropbear</a> for the SSH software implementations out of which <a class="https" href="https://www.openssh.com/">OpenSSH</a> is the most popular and most widely used<a href="#fnref-e22c581d3d1d0688c833f4f4c96cac1cf62b715d" id="fndef-e22c581d3d1d0688c833f4f4c96cac1cf62b715d-1">2</a>. SSH replaces the unencrypted <a class="interwiki" href="https://en.wikipedia.org/wiki/Telnet" title="WikiPedia">telnet</a>,<a class="interwiki" href="https://en.wikipedia.org/wiki/Rlogin" title="WikiPedia">rlogin</a> and <a class="interwiki" href="https://en.wikipedia.org/wiki/Remote_shell" title="WikiPedia">rsh</a> and adds many features. In this document we'll be using the OpenSSH command suite, it will also be assumed that the following two variables are defined: <pre>remote_host=<the remote computer> remote_user=<your user name on $remote_host></pre>So, if you want to use the recipes below, first set these variables to the remote computer name and the user name on that remote computer. Then cut and paste of the commands below should work. remote_host may also be an IP-address. <h2 id="Installation">Installation</h2> <h3 id="Installation_of_the_client">Installation of the client</h3> Normally the client is installed by default. If not it suffices to run as root: <pre>apt install openssh-client</pre> <h3 id="Installation_of_the_server">Installation of the server</h3> The server allows to connect remotely and gets installed by running as root: <pre>apt install openssh-server</pre> <h2 id="Configuration_files">Configuration files</h2> The main configuration files are in the directory /etc/ssh : <ul><li>ssh_config : client configuration file </li><li>sshd_config : server configuration file </li></ul>Starting with Bullseye, configuration files will also be read from the following subfolders : <ul><li>/etc/ssh/ssh_config.d/*.conf : client configuration file </li><li>/etc/ssh/sshd_config.d/*.conf : server configuration file </li></ul>These have been enabled with the Include parameter in ssh_config and sshd_config. Making changes locally using these directories can ease configuration management, and avoid issues with upgrades that make changes to package managed configuration files. In addition the /etc/ssh directory contains the private/public key pairs identifying your host : <ul><li>ssh_host_dsa_key </li><li>ssh_host_dsa_key.pub </li><li>ssh_host_rsa_key </li><li>ssh_host_rsa_key.pub </li></ul>Since OpenSSH 5.7<a href="#fnref-1b2604300e2bae33087c1965b50e2af382e1febf" id="fndef-1b2604300e2bae33087c1965b50e2af382e1febf-2">3</a>, a new private/public key pair is available: <ul><li>ssh_host_ecdsa_key </li><li>ssh_host_ecdsa_key.pub </li></ul>Since OpenSSH 6.5<a href="#fnref-fe3f706215a8e77b637c23403ae7efbd968ff825" id="fndef-fe3f706215a8e77b637c23403ae7efbd968ff825-3">4</a>, a new private/public key pair is available: <ul><li>ssh_host_ed25519_key </li><li>ssh_host_ed25519_key.pub </li></ul> <h3 id="Regenerating_host_keys">Regenerating host keys</h3> <pre>rm /etc/ssh/ssh_host_* dpkg-reconfigure openssh-server</pre> <h2 id="Remote_login">Remote login</h2> <h3 id="With_password">With password</h3> If you want to login to $remote_host as user $remote_user simply type <pre>ssh $remote_user@$remote_host</pre>and then type in your password. If the usernames on the local and the remote computer are identical, you can drop the $remote_user@-part and simply write <pre>ssh $remote_host</pre>If this is the first time you login to the remote computer, ssh will ask you whether you are sure you want to connect to the remote computer. Answer 'yes' after you verified the remote computer's fingerprint, type in your password, and ssh will connect you to the remote host. <h3 id="Using_shared_keys">Using shared keys</h3> One of the functions of ssh is using a pair of private/public keys to connect to a remote host. Also known as SSH keys. This method allows you to login to a remote host without typing your password every time. To do this you must generate a pair of private/public keys on your local machine and deposit the public key on the remote host. To generate the key, use the program ssh-keygen as follows <pre>ssh-keygen -t rsa</pre>This program generates a pair of private/public keys in the directory ~/.ssh. The program first asks for the destination files for the keys, by default located in ~/.ssh. Afterwards a passphrase is requested. Note: We recommend not to leave the passphrase empty. An attacker who gets hold of your private key can otherwise connect to the hosts where you deposited you public key since the passphrase is empty. Choose a long and complex passphrase. Your private key is id_rsa (don't give it to someone else), your public key is id_rsa.pub. You copy your public key to a remote host with the command ssh-copy-id <pre>ssh-copy-id -i ~/.ssh/id_rsa.pub $remote_user@$remote_host</pre>Now you can connect simply to the remote host and the passphase is asked for. Once done, you get connected to the remote host. In case of a new connection the passphrase does not get asked for again during your entire session. <h2 id="Keys_management">Keys management</h2> <h3 id="Using_GUI">Using GUI</h3> Optionally, <a class="interwiki" href="https://packages.debian.org/seahorse" title="DebPkg">seahorse</a> is a GNOME application which easily manage encryption keys and passwords through an intuitive Graphical User Interface (GUI). Seahorse is able to do various operations. Such as create SSH or PGP keys, configure them, and cache them. <a href="/Seahorse">Read more</a>. <h2 id="Securing">Securing</h2> <h3 id="SSH_Server">SSH Server</h3> By default a SSH server is relatively secure. With the help of some good practices, configuration options, and external utilities it is possible to make it even harder for 'robots' and crackers <h4 id="Good_practices_with_SSH_Server">Good practices with SSH Server</h4> <ul><li><img alt="/!\" height="16" src="/htdocs/debwiki/img/alert.png" title="/!\" width="16" /> Apply <a class="interwiki" href="https://packages.debian.org/openssh-server" title="DebPkg">openssh-server</a> security updates as soon as possible. Which allows to protect against known security holes. </li><li><a href="/SSH#Configuration_Options">Activate SSH keys authentication</a> only with passwords/passphrases. Deactivate password only authentication. </li><li>Consider using <a class="interwiki" href="https://packages.debian.org/fail2ban" title="DebPkg">fail2ban</a> which is a log file monitor that automatically bans an IP address after a predefined number of failed login attempts. Which automatically guards against <a class="https" href="https://en.wikipedia.org/wiki/Brute-force_attack">brute-force attacks</a>. </li><li>More good practices for using ssh at <a class="https" href="https://lackof.org/taggart/hacking/ssh/">https://lackof.org/taggart/hacking/ssh/</a> </li><li>Mozilla's recommendations on configuring SSH servers and clients at <a class="https" href="https://infosec.mozilla.org/guidelines/openssh.html">https://infosec.mozilla.org/guidelines/openssh.html</a> </li></ul> <h4 id="Configuration_Options">Configuration Options</h4> <img alt="(!)" height="16" src="/htdocs/debwiki/img/idea.png" title="(!)" width="16" /> One should edit the file /etc/ssh/sshd_config to change the parameters and then restart the ssh server with <pre>service ssh restart</pre><ul><li>Deactivate using passwords for authentication (PasswordAuthentication no). </li><li>Deactivate using the root account (PermitRootLogin no). </li><li>Only allow login by certain users or groups (AllowUsers and AllowGroups) </li></ul><img alt="{i}" height="16" src="/htdocs/debwiki/img/icon-info.png" title="{i}" width="16" /> The options AllowUsers and AllowGroups do not improve the security of a SSH server. But in certain cases their use allows to resist a brute force attack a little longer. You can list your current sshd settings with the following command: <pre>sshd -T | sort</pre> <h4 id="External_Utilities">External Utilities</h4> <ul><li><a class="interwiki" href="https://packages.debian.org/fail2ban" title="DebianPkg">fail2ban</a> : allows to automatically blacklist IPs attempting to brute force a SSH server with the help of <a class="interwiki" href="https://packages.debian.org/iptables" title="DebianPkg">iptables</a>. </li><li><a class="interwiki" href="https://packages.debian.org/denyhosts" title="DebianPkg">denyhosts</a> : as <a class="interwiki" href="https://packages.debian.org/fail2ban" title="DebianPkg">fail2ban</a>, <a class="interwiki" href="https://packages.debian.org/denyhosts" title="DebianPkg">denyhosts</a> allows to block IP addresses trying to brute force a connection to ssh. But in contrast to <a class="interwiki" href="https://packages.debian.org/fail2ban" title="DebPkg">fail2ban</a> it does not use <a class="interwiki" href="https://packages.debian.org/iptables" title="DebPkg">iptables</a>, but the file /etc/hosts.deny. </li></ul> <h3 id="SSH_Client">SSH Client</h3> <h4 id="Good_practices_with_SSH_Client">Good practices with SSH Client</h4> <ul><li><img alt="/!\" height="16" src="/htdocs/debwiki/img/alert.png" title="/!\" width="16" /> Apply <a class="interwiki" href="https://packages.debian.org/openssh-client" title="DebPkg">openssh-client</a> security updates as soon as possible. Which allows to protect against known security holes. </li><li>Use <a href="/SSH#Using_shared_keys">SSH keys</a> authentication. Rather than password authentication. </li><li>Add <a class="interwiki" href="https://en.wikipedia.org/wiki/Password_strength#Guidelines_for_strong_passwords" title="WikiPedia">strong passwords</a>/passphrases to your SSH keys. This reduce risk of <a class="interwiki" href="https://en.wikipedia.org/wiki/Brute-force_attack" title="WikiPedia">brute-force attacks</a>. </li></ul> <h2 id="Additional_Functions">Additional Functions</h2> <h3 id="View_files_in_GUI">View files in GUI</h3> In file managers like Konqueror, Dolphin, Krusader and Midnight Commander you can use FISH to view files in a GUI using: <pre>fish://username@server_name_or_ip</pre> <h2 id="Additional_Commands">Additional Commands</h2> <h3 id="scp">scp</h3> scp is a command line utility allowing to transfer files between two machines. <ul><li>Sending a file: </li></ul><pre>scp $source_file $remote_user@$remote_host:$destination_file</pre><ul><li>Copying a file to the local machine: </li></ul><pre>scp $remote_user@$remote_host:$source_file $destination_file</pre> <h3 id="sftp">sftp</h3> [empty for now] <h4 id="text_mode">text mode</h4> [empty for now] <h4 id="graphical_mode">graphical mode</h4> [empty for now] <h3 id="clusterssh">clusterssh</h3> [empty for now] <h3 id="ssh-agent_and_ssh-add">ssh-agent and ssh-add</h3> ssh-agent is a useful utility to manage private keys and their passphrases. Most desktop environments in Debian will already be setup to run ssh-agent (through systemd user services or /etc/X11/Xsession), so you shouldn't need to start it manually. <pre># Check if ssh-agent is running env | grep -i ssh</pre>You will still need to tell the agent to manage your keys. <pre># List keys managed by the agent ssh-add -l # Add your ssh key ssh-add ~/.ssh/your_private_key</pre>When a private key is first needed, you are prompted for its passphrase. ssh-agent will then remember the key so that your passphrase doesn't get asked anymore. <h3 id="keychain">keychain</h3> <a class="https" href="https://www.funtoo.org/Keychain">Keychain</a>, provided by the package <a class="interwiki" href="https://packages.debian.org/keychain" title="DebPkg">keychain</a>, is a shell script allowing to use the ssh agent in multiple sessions of the same computer. In effect after the first start ssh-agent creates a permanent socket allowing the communication with ssh. This socket is referenced only in the environment of the session in which the agent was started. Keychain allows to detect the agent and propagate the access to this agent to other sessions; this allows to use a single instance of ssh-agent per user on a machine. <h3 id="ssh-askpass">ssh-askpass</h3> <a class="interwiki" href="https://packages.debian.org/ssh-askpass" title="DebPkg">ssh-askpass</a> is an utility to simply the question for the password of a private key when using it. Several implementations exist: <ul><li>x11-ssh-askpass : version for X11 </li><li>kaskpass : integration of ssh-askpass into the KDE environment </li><li>ssh-askpass-gnome : integration of ssh-askpass into the Gnome environment </li></ul> <h3 id="libpam-usb">libpam-usb</h3> <a class="interwiki" href="https://packages.debian.org/libpam-usb" title="DebianPkg">libpam-usb</a> is an utility (only available up to Debian Jessie) allowing authentication with an USB stick. This package includes a useful utilty : pamusb-agent. This utility, once correctly configured, allows to load the SSH keys present on the USB stick once it is connected and to unload them when it is disconnected. <hr /> <h2 id="Remote_commands">Remote commands</h2> If you just want to run one command on the remote computer, you don't need to login. You can tell ssh to run the command without login, for instance, <pre>ssh $remote_user@$remote_host 'ls *.txt'</pre>lists all files with extension .txt on the remote computer. This works with single tick quotes '...' as shown here, with double tick quotes "...", and without quotes. There may be differences between these three cases, though, not yet documented here. <h2 id="SSH_into_Debian_from_another_OS">SSH into Debian from another OS</h2> <ul><li><a class="https" href="https://www.chiark.greenend.org.uk/~sgtatham/putty/">PuTTY</a> is a <a href="/TerminalEmulator">terminal emulator</a> application which can act as a client for ssh. It's widely used by Windows users. </li><li>Wikipedia has <a class="interwiki" href="https://en.wikipedia.org/wiki/Comparison_of_SSH_clients" title="WikiPedia">Comparison_of_SSH_clients</a> </li></ul> <h2 id="Good_practices_of_SSH_usage">Good practices of SSH usage</h2> You must read this: <a class="https" href="https://lackof.org/taggart/hacking/ssh/">https://lackof.org/taggart/hacking/ssh/</a> This document sums up many good practices that regular SSH users should follow in order to avoid compromising the security of their accounts (and of the whole machine at the same time). Configure your <tt>~/.ssh/config</tt> to send only the right key. <pre>Host master.debian.org User account IdentityFile ~/.ssh/id_rsa IdentitiesOnly yes</pre> <h2 id="Troubleshooting">Troubleshooting</h2> <h3 id="OpenSSL_version_mismatch._Built_against_1000105f.2C_you_have_10001060">OpenSSL version mismatch. Built against 1000105f, you have 10001060</h3> If you get an error message like this when starting the <tt class="backtick">ssh</tt> daemon, you need to run: <pre>apt install openssh-server openssh-client</pre>Also see <a class="interwiki" href="https://bugs.debian.org/732940" title="DebianBug">bug #732940</a>. <h3 id="SSH_hangs">SSH hangs</h3> Issue You are trying to SSH into a remote computer. But during SSH log-in the session hangs/freezes indefinitely. Thus you are not presented with the command prompt. And you are not able to use any SSH commands <img alt=":(" height="16" src="/htdocs/debwiki/img/sad.png" title=":(" width="16" /> When using SSH debug mode the session hangs at this line <tt>debug2: channel 0: open confirm rwindow 0 rmax 32768</tt> Possible cause With some routers behind NAT and when using OpenSSH. During session setup, after the password has been given, OpenSSH sets the TOS (type of service) field in the IP datagram. The router choke on this. The effect is that your SSH session hangs indefinitely. In other words, SSH commands or connections are seldom working or not working at all. <h4 id="Resolution_with_IPQoS_0x00">Resolution with IPQoS 0x00</h4> Until your router manufacturer fix their firmware. Here is one option to resolve that issue: <ol type="1"><li>Double check your <a class="interwiki" href="https://packages.debian.org/openssh-server" title="DebPkg">openssh-server</a> and <a class="interwiki" href="https://packages.debian.org/openssh-client" title="DebPkg">openssh-client</a> version are 5.7 or more recent. For example the resolution below should work with Debian 7.11 Wheezy or more recent as it comes with OpenSSH version 6.0. </li><li>Edit one of the following two files located at: <pre>~/.ssh/config</pre> or <pre>/etc/ssh/ssh_config</pre> Note: <tt>config</tt> file is per user and <tt>ssh_config</tt> file is for all users and system wide. If unsure edit the appropriate user <tt>config</tt> file.File content before <pre>Host *</pre>File content after <pre>Host * IPQoS 0x00</pre></li><li>If you have any Terminal/Console window(s) already open. Fully close all of them. Doing so will close any active SSH sessions. </li><li>No need to restart OpenSSH or your Debian. Try again to SSH into any remote server. It should work. Done you have successfully fixed that issue <img alt=":)" height="16" src="/htdocs/debwiki/img/smile.png" title=":)" width="16" /> Thanks to Joe and catmaker for this tip <img alt=":)" height="16" src="/htdocs/debwiki/img/smile.png" title=":)" width="16" /> Related documentation at <a class="https" href="https://www.openssh.com/txt/release-5.7">https://www.openssh.com/txt/release-5.7</a> </li></ol> <h4 id="Resolution_with_netcat">Resolution with netcat</h4> <img alt="/!\" height="16" src="/htdocs/debwiki/img/alert.png" title="/!\" width="16" /> WARNING: It is suggested to consider using <a href="/SSH#Resolution_with_IPQoS_0x00">that other resolution with IPQoS 0x00</a> instead of using netcat/<tt>ProxyCommand nc %h %p</tt> option. Because <tt>IPQoS 0x00</tt> is the official built-in OpenSSH option. Also <tt>IPQoS 0x00</tt> is a more direct way to resolve that issue, and potentially more secure option. Because <tt>IPQoS 0x00</tt> uses SSH's built in encryption for secure transfers. Compare to netcat's not encrypted transfers. Sources: <a class="https" href="https://nc110.sourceforge.io/">1</a> <a class="https" href="https://www.ndchost.com/wiki/server-administration/netcat-over-ssh#using-dd-over-netcat">2</a>. If you choose to use netcat/<tt>ProxyCommand nc %h %p</tt> option read on. Another option to resolve that SSH hangs issue is to use <tt>ProxyCommand nc %h %p</tt>. To do so follow the same steps as <a href="/SSH#Resolution_with_IPQoS_0x00">that above resolution with IPQoS 0x00</a>. But replace <tt>IPQoS 0x00</tt> with<pre>ProxyCommand nc %h %p</pre> <h3 id="Keep_SSH_connection_alive">Keep SSH connection alive</h3> For security reason, by default a SSH connection is automatically closed after a set period of time. But in some cases you want to keep that connection open. Such as cloud storage over SSH connection. <img alt="/!\" height="16" src="/htdocs/debwiki/img/alert.png" title="/!\" width="16" /> WARNING: Before activating that keep SSH connection alive option. It is suggested to consider <a href="/SSH#Securing">securing</a> both your SSH Client and SSH Server. Because for example, there is a risk that if your users leave their SSH session open, and their computer unattended and unlocked. Anyone can approach that computer, then exploit that open SSH connection. For example by using the <tt>passwd</tt> command, and change the password. And thus gain access to the server. In other words, before activating that keep SSH connection alive option, it is suggested to use your best judgment and good security practices. <h4 id="For_Debian_7.x_server">For Debian 7.x server</h4> Steps to keep SSH connection alive. On the SSH server edit <tt>/etc/ssh/sshd_config</tt> file and add the following at the bottom of that file. <pre># Keep client SSH connection alive by sending every 300 seconds a small keep-alive packet to the server in order to use ssh connection. 300 seconds equal 5 minutes. ClientAliveInterval 300 # Disconnect client after 3333 "ClientAlive" requests. Format is (ClientAliveInterval x ClientAliveCountMax). In this example (300 seconds x 3333) = ~999,900 seconds = ~16,665 minutes = ~277 hours = ~11 days. ClientAliveCountMax 3333</pre>As <tt>root</tt> user restart the SSH service: <pre>service sshd restart</pre>Please note that on recent Debian systems (e.g. Wheezy 7 with current updates as of Nov. 2015), the above command no longer works and returns the error: <pre>sudo service sshd restart sshd: unrecognized service</pre>However, the following works: <pre>sudo service ssh restart [ ok ] Restarting OpenBSD Secure Shell server: sshd.</pre> <h2 id="See_also">See also</h2> <ul><li><a class="interwiki" href="https://packages.debian.org/screen" title="DebianPkg">screen</a> - terminal multiplexer with VT100/ANSI terminal emulation </li><li><a class="interwiki" href="https://packages.debian.org/tmux" title="DebianPkg">tmux</a> - alternative terminal multiplexer </li></ul><hr /> <a href="/CategoryNetwork">CategoryNetwork</a> <a href="/CategorySoftware">CategorySoftware</a> <a href="/CategorySystemAdministration">CategorySystemAdministration</a> <a href="/CategorySystemSecurity">CategorySystemSecurity</a> <div class="footnotes"><ol><li><a id="fnref-0b2e6c997d8b83e2b9fc0c2fba2896d27f6d74f8"></a><a class="https" href="https://tools.ietf.org/html/rfc4252">https://tools.ietf.org/html/rfc4252</a> (<a href="#fndef-0b2e6c997d8b83e2b9fc0c2fba2896d27f6d74f8-0">1</a>)</li><li><a id="fnref-e22c581d3d1d0688c833f4f4c96cac1cf62b715d"></a><a class="https" href="https://www.openssh.com/users.html">https://www.openssh.com/users.html</a> (<a href="#fndef-e22c581d3d1d0688c833f4f4c96cac1cf62b715d-1">2</a>)</li><li><a id="fnref-1b2604300e2bae33087c1965b50e2af382e1febf"></a><a class="https" href="https://www.openssh.com/txt/release-5.7">https://www.openssh.com/txt/release-5.7</a> (<a href="#fndef-1b2604300e2bae33087c1965b50e2af382e1febf-2">3</a>)</li><li><a id="fnref-fe3f706215a8e77b637c23403ae7efbd968ff825"></a><a class="https" href="https://www.openssh.com/txt/release-6.5">https://www.openssh.com/txt/release-6.5</a> (<a href="#fndef-fe3f706215a8e77b637c23403ae7efbd968ff825-3">4</a>)</li></ol></div></div><div id="pagebottom"></div> </div> <div id="footer"> SSH (<a class="nbinfo" href="/SSH?action=info" rel="nofollow">last modified 2023-11-09 23:33:12</a>) <ul id="credits"> <li>Debian <a href="https://www.debian.org/legal/privacy">privacy policy</a>, Wiki <a href="/Teams/DebianWiki">team</a>, <a href="https://bugs.debian.org/wiki.debian.org">bugs</a> and <a href="https://salsa.debian.org/debian/wiki.debian.org">config</a>.</li><li>Powered by <a href="https://moinmo.in/" title="This site uses the MoinMoin Wiki software.">MoinMoin</a> and <a href="https://moinmo.in/Python" title="MoinMoin is written in Python.">Python</a>, with hosting provided by <a href="https://www.man-da.de/">Metropolitan Area Network Darmstadt</a>.</li> </ul> </div> </body> </html>