restructure
This commit is contained in:
parent
ef7661245b
commit
598a10bc28
GPG key ID:
901B2ADDF27C2263
182 changed files with 342 additions and 336 deletions
164
technology/applications/network/SSH.md
Normal file
164
technology/applications/network/SSH.md
Normal file
|
|
@ -0,0 +1,164 @@
|
|||
---
|
||||
aliases:
|
||||
- OpenSSH
|
||||
website: https://www.openssh.com/
|
||||
obj: application
|
||||
repo: https://github.com/openssh/openssh-portable
|
||||
---
|
||||
# SSH
|
||||
Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. Typical applications include remote command-line login and remote command execution, but any network service can be secured with SSH.
|
||||
|
||||
Examples of services that can use SSH are [Git](../../dev/Git.md), [rsync](rsync.md) and X11 forwarding. Services that always use SSH are SCP and SFTP.
|
||||
|
||||
An SSH server, by default, listens on the standard [TCP](../../internet/TCP.md) port 22. An SSH client program is typically used for establishing connections to an sshd daemon accepting remote connections. Both are commonly present on most modern operating systems, including [macOS](../../macos/macOS.md), GNU/[Linux](../../linux/Linux.md), Solaris and OpenVMS. Proprietary, freeware and open source versions of various levels of complexity and completeness exist.
|
||||
|
||||
## Client
|
||||
### Usage
|
||||
Creating a SSH key:
|
||||
```shell
|
||||
ssh-keygen
|
||||
```
|
||||
|
||||
Connecting to a server
|
||||
```shell
|
||||
ssh -p port user@server-address
|
||||
```
|
||||
|
||||
Port forwarding:
|
||||
```shell
|
||||
# Forward Remote -> Local
|
||||
ssh -N -f -L local_port:127.0.0.1:remote_port host
|
||||
# Forward Local -> Remote
|
||||
ssh -N -f -R remote_port:127.0.0.1:local_port host
|
||||
```
|
||||
|
||||
Copying files (works with [rsync](cli/rsync.md) as well):
|
||||
```shell
|
||||
scp -r files remote:/path
|
||||
```
|
||||
|
||||
Copy ssh key to host:
|
||||
```shell
|
||||
ssh-copy-id user@remote
|
||||
```
|
||||
|
||||
Pipes work too over SSH:
|
||||
```shell
|
||||
ssh remote "cat /log" | grep denied
|
||||
cat ~/.ssh/id_rsa.pub | ssh remote 'cat >> .ssh/authorized_keys'
|
||||
```
|
||||
|
||||
Use a jump host:
|
||||
```shell
|
||||
ssh -J jump_server remote
|
||||
```
|
||||
|
||||
Forward port to remote using [systemd](../../linux/systemd/Systemd.md) service:
|
||||
```ini
|
||||
[Unit]
|
||||
Description=SSH Port Forwarding
|
||||
After=network.target
|
||||
After=systemd-resolved.service
|
||||
|
||||
[Service]
|
||||
User=<USER>
|
||||
ExecStart=/usr/bin/ssh -i <KEY> -o ExitOnForwardFailure=yes -N -R 0.0.0.0:<PORT>:127.0.0.1:<PORT> user@example.com
|
||||
Restart=always
|
||||
StartLimitInterval=0
|
||||
StartLimitBurst=0
|
||||
RestartSec=30s
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
```
|
||||
|
||||
### Configuration
|
||||
Client can be configured by the file `~/.ssh/config`
|
||||
```
|
||||
# global options
|
||||
User user
|
||||
|
||||
# host-specific options
|
||||
Host myserver
|
||||
Hostname server-address
|
||||
Port port
|
||||
IdentityFile ~/.ssh/id_rsa
|
||||
User you
|
||||
ProxyJump host
|
||||
ProxyCommand corkscrew <proxy-host> <proxy-port> %h %p # HTTP Proxy
|
||||
```
|
||||
|
||||
With this configuration the client command can be redacted to
|
||||
```shell
|
||||
ssh myserver
|
||||
```
|
||||
|
||||
Corkscrew is a additional programm to tunnel SSH through [HTTP](../../internet/HTTP.md) proxies:
|
||||
```shell
|
||||
`ssh -o "ProxyCommand corkscrew <proxy-host> <proxy-port> %h %p" <ssh-username>@<ssh-server>`
|
||||
```
|
||||
|
||||
## Server
|
||||
`sshd` is the OpenSSH server daemon, configured with `/etc/ssh/sshd_config` and managed by `sshd.service`. Whenever changing the configuration, use `sshd` in test mode before restarting the service to ensure it will be able to start cleanly. Valid configurations produce no output.
|
||||
```shell
|
||||
sshd -t
|
||||
```
|
||||
|
||||
### Configuration
|
||||
Set address and port:
|
||||
```
|
||||
ListenAddress 0.0.0.0
|
||||
Port 22
|
||||
```
|
||||
|
||||
Limit users:
|
||||
```
|
||||
AllowUsers user1 user2
|
||||
DenyUser user3 user4
|
||||
```
|
||||
|
||||
To allow access only for some groups:
|
||||
```
|
||||
AllowGroups group1 group2
|
||||
DenyGroups group3 group4
|
||||
```
|
||||
|
||||
Disable password authentification:
|
||||
```
|
||||
PasswordAuthentication no
|
||||
PermitEmptyPasswords no
|
||||
```
|
||||
|
||||
Disable root login:
|
||||
```
|
||||
PermitRootLogin no
|
||||
PermitRootLogin prohibit-password
|
||||
```
|
||||
|
||||
Allow port forwarding:
|
||||
```
|
||||
AllowTcpForwarding yes
|
||||
```
|
||||
|
||||
Allow only certain commands:
|
||||
```
|
||||
ForceCommand command
|
||||
```
|
||||
|
||||
Limit port forwarding:
|
||||
```
|
||||
PermitListen host:port
|
||||
PermitOpen host:port
|
||||
```
|
||||
|
||||
Set [environment variables](../../linux/Environment%20Variables.md) in the session:
|
||||
```
|
||||
SetEnv KEY=VALUE
|
||||
```
|
||||
|
||||
User-based settings (everything here only applies to `user1`):
|
||||
```
|
||||
Match User user1
|
||||
PasswordAuthentication no
|
||||
AllowTcpForwarding yes
|
||||
```
|
||||
Loading…
Add table
Add a link
Reference in a new issue