---
aliases:
- OpenSSH
website: https://www.openssh.com/
obj: application
repo: https://github.com/openssh/openssh-portable
---
# SSH
Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. Typical applications include remote command-line login and remote command execution, but any network service can be secured with SSH.
Examples of services that can use SSH are [Git](../../dev/Git.md), [rsync](rsync.md) and X11 forwarding. Services that always use SSH are SCP and SFTP.
An SSH server, by default, listens on the standard [TCP](../../internet/TCP.md) port 22. An SSH client program is typically used for establishing connections to an sshd daemon accepting remote connections. Both are commonly present on most modern operating systems, including [macOS](../../macos/macOS.md), GNU/[Linux](../../linux/Linux.md), Solaris and OpenVMS. Proprietary, freeware and open source versions of various levels of complexity and completeness exist.
## Client
### Usage
Creating an SSH key pair:
```shell
ssh-keygen
```
Connecting to a server:
```shell
ssh -p port user@server-address
```
Port forwarding:
```shell
# -L: expose a service listening on the remote host's remote_port on local_port
ssh -N -f -L local_port:127.0.0.1:remote_port host
# -R: expose a service listening locally on local_port on the remote host's remote_port
ssh -N -f -R remote_port:127.0.0.1:local_port host
```
Copying files (works with [rsync](cli/rsync.md) as well):
```shell
scp -r files remote:/path
```
Copy an SSH public key to a host (appends it to the remote `authorized_keys`):
```shell
ssh-copy-id user@remote
```
Pipes work over SSH too:
```shell
ssh remote "cat /log" | grep denied
cat ~/.ssh/id_rsa.pub | ssh remote 'cat >> .ssh/authorized_keys'
```
Use a jump host:
```shell
ssh -J jump_server remote
```
Forward a local port to the remote host persistently, as a [systemd](../../linux/systemd/Systemd.md) service:
```ini
[Unit]
Description=SSH Port Forwarding
After=network.target
After=systemd-resolved.service
# disable start rate limiting so the tunnel is always re-established
StartLimitIntervalSec=0
StartLimitBurst=0
[Service]
User=<USER>
# ExitOnForwardFailure makes ssh exit (and systemd restart it) if the
# remote port cannot be bound; ServerAlive* detects dead connections
ExecStart=/usr/bin/ssh -i <KEY> -o ExitOnForwardFailure=yes -o ServerAliveInterval=60 -o ServerAliveCountMax=3 -N -R 0.0.0.0:<PORT>:127.0.0.1:<PORT> user@example.com
Restart=always
RestartSec=30s
[Install]
WantedBy=multi-user.target
```
### Configuration
The client is configured through the file `~/.ssh/config`. ssh uses the first value it obtains for each option, so host-specific blocks go first and global defaults (under `Host *`) go last:
```
# host-specific options
Host myserver
    HostName server-address
    Port port
    User you
    IdentityFile ~/.ssh/id_rsa
    # ProxyJump and ProxyCommand are alternatives: whichever appears
    # first wins, so use only one of them
    ProxyJump host
    # ProxyCommand corkscrew <proxy-host> <proxy-port> %h %p

# global defaults for all other hosts
Host *
    User user
```
With this configuration the client command can be shortened to
```shell
ssh myserver
```
Corkscrew is an additional program to tunnel SSH through [HTTP](../../internet/HTTP.md) proxies (`%h` and `%p` expand to the target host and port):
```shell
ssh -o "ProxyCommand corkscrew <proxy-host> <proxy-port> %h %p" <ssh-username>@<ssh-server>
```
## Server
`sshd` is the OpenSSH server daemon, configured with `/etc/ssh/sshd_config` and managed by `sshd.service`. Whenever changing the configuration, use `sshd` in test mode before restarting the service to ensure it will be able to start cleanly. Valid configurations produce no output.
```shell
sshd -t
```
### Configuration
Set address and port:
```
ListenAddress 0.0.0.0
Port 22
```
Limit users:
```
AllowUsers user1 user2
DenyUsers user3 user4
```
To allow access only for some groups:
```
AllowGroups group1 group2
DenyGroups group3 group4
```
Disable password authentication:
```
PasswordAuthentication no
PermitEmptyPasswords no
```
Disable root login. Use one of the two settings, since `sshd` applies the first value it finds for a keyword:
```
# no root login at all
PermitRootLogin no
# or: root may log in with public key authentication only
PermitRootLogin prohibit-password
```
Allow port forwarding:
```
AllowTcpForwarding yes
```
Allow only certain commands:
```
ForceCommand command
```
Limit port forwarding:
```
PermitListen host:port
PermitOpen host:port
```
Set [environment variables](../../linux/Environment%20Variables.md) in the session:
```
SetEnv KEY=VALUE
```
User-based settings (everything here only applies to `user1`):
```
Match User user1
PasswordAuthentication no
AllowTcpForwarding yes
```