---
aliases:
  - OpenSSH
website: https://www.openssh.com/
obj: application
repo: https://github.com/openssh/openssh-portable
---

# SSH
#refactor add ssh suite applications, etc -> https://www.openssh.com/

Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. Typical applications include remote command-line login and remote command execution, but any network service can be secured with SSH. Examples of services that can use SSH are [Git](../dev/Git.md), [rsync](rsync.md) and X11 forwarding. Services that always use SSH are SCP and SFTP.

An SSH server, by default, listens on the standard TCP port 22. An SSH client program is typically used for establishing connections to an sshd daemon accepting remote connections. Both are commonly present on most modern operating systems, including [macOS](../macos/macOS.md), GNU/[Linux](../linux/Linux.md), Solaris and OpenVMS. Proprietary, freeware and open source versions of various levels of complexity and completeness exist.

## Client
### Usage
Connecting to a server:
```shell
ssh -p port user@server-address
```

Port forwarding:
```shell
# Forward Remote -> Local (remote_port on the server becomes reachable on local_port)
ssh -N -f -L local_port:127.0.0.1:remote_port host

# Forward Local -> Remote (local_port on this machine becomes reachable on remote_port)
ssh -N -f -R remote_port:127.0.0.1:local_port host
```

Copying files (works with [rsync](cli/rsync.md) as well):
```shell
scp -r files remote:/path
```

Copy ssh key to host:
```shell
ssh-copy-id user@remote
```

Pipes work over SSH too:
```shell
ssh remote "cat /log" | grep denied
cat ~/.ssh/id_rsa.pub | ssh remote 'cat >> .ssh/authorized_keys'
```

Use a jump host:
```shell
ssh -J jump_server remote
```

### Configuration
The client can be configured with the file `~/.ssh/config`:
```
# global options
User user

# host-specific options
Host myserver
    Hostname server-address
    Port port
    IdentityFile ~/.ssh/id_rsa
    # use either ProxyJump or ProxyCommand; whichever comes first wins
    ProxyJump host
    # HTTP Proxy (corkscrew takes the proxy address and port before %h %p)
    ProxyCommand corkscrew proxy-address proxy-port %h %p
```

With this configuration the client command can be shortened to:
```shell
ssh myserver
```

Corkscrew is an additional program for tunneling SSH through HTTP proxies:
```shell
ssh -o "ProxyCommand corkscrew proxy-address proxy-port %h %p" user@server-address
```

## Server
`sshd` is the OpenSSH server daemon, configured with `/etc/ssh/sshd_config` and managed by `sshd.service`. Whenever changing the configuration, use `sshd` in test mode before restarting the service to ensure it will be able to start cleanly. Valid configurations produce no output.

```shell
sshd -t
```

### Configuration
Limit users:
```
AllowUsers user1 user2
DenyUsers user3 user4
```

To allow access only for some groups:
```
AllowGroups group1 group2
DenyGroups group3 group4
```

Disable password authentication:
```
PasswordAuthentication no
PermitEmptyPasswords no
```

Disable root login:
```
# either: no root login at all
PermitRootLogin no
# or: root may log in with keys, but never with a password
PermitRootLogin prohibit-password
```

Allow port forwarding:
```
AllowTcpForwarding yes
```

Allow only certain commands:
```
ForceCommand command
```

Limit port forwarding:
```
PermitListen host:port
PermitOpen host:port
```

User-based settings (everything here only applies to `user1`):
```
Match User user1
    PasswordAuthentication no
    AllowTcpForwarding yes
```
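
An added example (not part of the original note or of OpenSSH itself): a shell function that checks the effective server configuration, as printed by `sshd -T` (extended test mode), against the password and root-login settings from the server configuration section. The function name `audit_sshd` and the sample input are constructed for illustration.

```shell
#!/bin/sh
# audit_sshd: read `sshd -T` style output ("keyword value" lines) on stdin and
# report every setting that differs from the hardening values in this note.
# Prints one line per finding; returns 0 when clean, 1 otherwise.
audit_sshd() {
    awk '
        BEGIN {
            # first value is the recommendation, the rest are also accepted;
            # "without-password" is the deprecated alias of prohibit-password
            want["passwordauthentication"] = "no"
            want["permitemptypasswords"]   = "no"
            want["permitrootlogin"]        = "no prohibit-password without-password"
        }
        {
            key = tolower($1)
            if (!(key in want)) next
            seen[key] = 1
            n = split(want[key], ok, " ")
            good = 0
            for (i = 1; i <= n; i++) if ($2 == ok[i]) good = 1
            if (!good) {
                printf "FAIL %s=%s (want %s)\n", key, $2, ok[1]
                bad = 1
            }
        }
        END {
            # a keyword that never appeared means the input was not a full dump
            for (k in want) if (!(k in seen)) { printf "MISSING %s\n", k; bad = 1 }
            exit bad + 0
        }
    '
}

# Constructed sample of `sshd -T` output (not taken from a real host).
sample_weak() {
    cat <<'EOF'
port 22
permitrootlogin yes
passwordauthentication yes
permitemptypasswords no
EOF
}

# On a real server (as root): sshd -T | audit_sshd
sample_weak | audit_sshd || echo "hardening gaps found"
```

`sshd -T` applies `Match` blocks only when connection parameters are supplied with `-C`, for example `sshd -T -C user=user1`, so per-user overrides have to be audited separately.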