Cleanly terminated ssh sessions on Debian without using systemd control group hierarchy

26 03 2019

On a Debian 9 server, if you disable “Register user sessions in the systemd control group hierarchy” with “pam-auth-update” or remove the package “libpam-systemd”, ssh sessions don’t terminate correctly at restart or shutdown.

To fix it, enable the ssh cleanup session service unit:
cp /usr/share/doc/openssh-client/examples/ssh-session-cleanup.service /etc/systemd/system/
systemctl enable ssh-session-cleanup.service
systemctl start ssh-session-cleanup.service

And deactivate the registration of user sessions in the systemd control group hierarchy:
sed -i '/pam_systemd/s/^/#/g' /etc/pam.d/common-session

Ref:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=751636





Ssh Remote Port Forwarding

2 07 2018

First of all, check on the remote host that the option “GatewayPorts yes” is enabled in “/etc/ssh/sshd_config”.
This option specifies whether remote hosts are allowed to connect to ports forwarded for the client; by default, sshd binds remote port forwardings to the loopback address only.

Then run the following command to forward a TCP port on the remote server to a local server:

# ssh -NR 8080:localhost:80 user@remote.host

To test it, for example if you have a local web server running on port 80:

# curl http://remote.host:8080

More info:
https://www.ssh.com/ssh/tunneling/example#sec-Remote-Forwarding





Deny ssh access to one user

18 05 2017

If you want to deny the access of one user (or group) to a server via ssh, these are the steps for a Debian/Ubuntu server:

Add the user to /etc/security/access.conf
- : user1 : ALL

Ensure that “/etc/ssh/sshd_config” has the following line (by default yes):
UsePAM yes

Ensure that “/etc/pam.d/sshd” has the following line uncommented:
account required pam_access.so
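
A way to verify the three steps above before relying on them, as an added example that is not part of the original post. The function names are made up for this sketch, and the file paths are passed as parameters so it can also be run against copies of the files:

```shell
#!/bin/sh
# Added example, not from the original post: verifies the three settings.
# Assumptions: plain "perm : users : origins" rules only (group, netgroup and
# EXCEPT forms are not evaluated); sshd_config Include files are not followed.

# access_denies USER FILE
# pam_access applies the first matching rule, so the first rule that names
# USER (or ALL) must be "- : ... : ALL" for the deny to take effect.
access_denies() {
    awk -F: -v u="$1" '
        /^[ \t]*#/ || NF < 3 { next }
        {
            perm = $1; gsub(/[ \t]/, "", perm)
            orig = $3; gsub(/[ \t]/, "", orig)
            n = split($2, names, " ")
            for (i = 1; i <= n; i++)
                if (names[i] == u || names[i] == "ALL") {
                    ok = (perm == "-" && orig == "ALL" && NF == 3)
                    decided = 1
                    exit
                }
        }
        END { exit !(decided && ok) }
    ' "$2"
}

# usepam_enabled FILE: sshd uses the first value it reads for a keyword,
# and keywords are case-insensitive.
usepam_enabled() {
    v=$(awk 'tolower($1) == "usepam" { print $2; exit }' "$1")
    [ "$v" = "yes" ]
}

# pam_access_active FILE: the account line must be present and uncommented.
pam_access_active() {
    grep -Eq '^[[:space:]]*account[[:space:]]+required[[:space:]]+pam_access\.so' "$1"
}

# check_ssh_deny USER ACCESS_CONF SSHD_CONFIG PAM_SSHD
check_ssh_deny() {
    rc=0
    access_denies "$1" "$2" || { echo "no effective deny rule for $1 in $2"; rc=1; }
    usepam_enabled "$3" || { echo "UsePAM is not 'yes' in $3"; rc=1; }
    pam_access_active "$4" || { echo "pam_access.so is not active in $4"; rc=1; }
    return "$rc"
}

if [ "$#" -eq 4 ]; then check_ssh_deny "$@"; fi
```

Run it as root with four arguments: user1 /etc/security/access.conf /etc/ssh/sshd_config /etc/pam.d/sshd. A non-zero exit status means at least one of the three conditions is not met.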





Ssh error Too many authentication failures for root

8 02 2017

ssh -o PubkeyAuthentication=no root@host





Linode ssh login problem

14 12 2016

If you try to connect to a Linode server by ssh and receive the following message:

Received disconnect from 1.1.1.1: 2: Too many authentication failures

It’s related to the ssh keys; try again with the following argument:

ssh -o PubkeyAuthentication=no user@1.1.1.1

More info:
http://superuser.com/questions/187779/too-many-authentication-failures-for-username





Run ssh-agent at login and load keys with an alias

27 07 2016

Add the following lines to “~/.bashrc” to start ssh-agent automatically at each login and to create an alias that loads the keys and asks for the passphrase:

if [ -z "$SSH_AUTH_SOCK" ] ; then
    eval "$(ssh-agent -s)"
fi
alias ssh-keys='ssh-add ~/.ssh/name_of_key_one ~/.ssh/name_of_key_two'