knowledge/technology/applications/SSH.md
2023-12-13 23:45:40 +01:00

---
aliases:
- OpenSSH
website: https://www.openssh.com/
obj: application
repo: https://github.com/openssh/openssh-portable
---
# SSH
Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. Typical applications include remote command-line login and remote command execution, but any network service can be secured with SSH.
Examples of services that can use SSH are [Git](../dev/Git.md), [rsync](rsync.md) and X11 forwarding. Services that always use SSH are SCP and SFTP.
An SSH server, by default, listens on the standard [TCP](../internet/TCP.md) port 22. An SSH client program is typically used for establishing connections to an sshd daemon accepting remote connections. Both are commonly present on most modern operating systems, including [macOS](../macos/macOS.md), GNU/[Linux](../linux/Linux.md), Solaris and OpenVMS. Proprietary, freeware and open source versions of various levels of complexity and completeness exist.
## Client
### Usage
Creating an SSH key:
```shell
ssh-keygen
```
Connecting to a server:
```shell
ssh -p port user@server-address
```
Port forwarding:
```shell
# Local forward (-L): local_port on this machine reaches remote_port on host
ssh -N -f -L local_port:127.0.0.1:remote_port host
# Remote forward (-R): remote_port on host reaches local_port on this machine
ssh -N -f -R remote_port:127.0.0.1:local_port host
```
Copying files (works with [rsync](cli/rsync.md) as well):
```shell
scp -r files remote:/path
```
Copy an SSH public key to a host:
```shell
ssh-copy-id user@remote
```
Pipes work over SSH too:
```shell
ssh remote "cat /log" | grep denied
cat ~/.ssh/id_rsa.pub | ssh remote 'cat >> .ssh/authorized_keys'
```
Use a jump host:
```shell
ssh -J jump_server remote
```
Keep a remote port forward running as a [systemd](../linux/Systemd.md) service:
```ini
[Unit]
Description=SSH Port Forwarding
After=network.target
After=systemd-resolved.service
# never stop retrying the tunnel (on current systemd these settings belong in [Unit])
StartLimitIntervalSec=0
StartLimitBurst=0

[Service]
User=<USER>
# -N: no remote command; -R: expose <PORT> on the remote host, pointing back at local <PORT>.
# Binding 0.0.0.0 on the remote side requires GatewayPorts in that host's sshd_config and
# makes the forwarded port reachable by anyone who can reach that host.
# ExitOnForwardFailure and the ServerAlive options make ssh exit (and get restarted)
# when the forward cannot be set up or the connection silently dies.
ExecStart=/usr/bin/ssh -i <KEY> -o ExitOnForwardFailure=yes -o ServerAliveInterval=60 -o ServerAliveCountMax=3 -N -R 0.0.0.0:<PORT>:127.0.0.1:<PORT> user@example.com
Restart=always
RestartSec=30s

[Install]
WantedBy=multi-user.target
```
### Configuration
The client is configured in `~/.ssh/config`. ssh uses the first value it obtains for each option, so host-specific blocks go first and general defaults (`Host *`) at the end:
```
# host-specific options
Host myserver
    Hostname server-address
    Port port
    IdentityFile ~/.ssh/id_rsa
    ProxyJump host
    # alternative to ProxyJump when going through an HTTP proxy; the two options
    # compete with each other, so set only one of them per host
    # ProxyCommand corkscrew <proxy-host> <proxy-port> %h %p

# global defaults
Host *
    User user
```
With this configuration the client command is reduced to
```shell
ssh myserver
```
Corkscrew is an additional program that tunnels SSH through [HTTP](../internet/HTTP.md) proxies:
```shell
ssh -o "ProxyCommand corkscrew <proxy-host> <proxy-port> %h %p" <ssh-username>@<ssh-server>
```
## Server
`sshd` is the OpenSSH server daemon, configured with `/etc/ssh/sshd_config` and managed by `sshd.service`. Whenever changing the configuration, use `sshd` in test mode before restarting the service to ensure it will be able to start cleanly. Valid configurations produce no output.
```shell
sshd -t
```
### Configuration
Set address and port:
```
ListenAddress 0.0.0.0
Port 22
```
Limit users:
```
AllowUsers user1 user2
DenyUsers user3 user4
```
To allow access only for some groups:
```
AllowGroups group1 group2
DenyGroups group3 group4
```
Disable password authentication:
```
PasswordAuthentication no
PermitEmptyPasswords no
```
Disable root login:
```
PermitRootLogin no
```
or allow root only with public-key authentication (sshd applies the first value it reads for a keyword, so set only one of the two):
```
PermitRootLogin prohibit-password
```
Allow port forwarding:
```
AllowTcpForwarding yes
```
Force a fixed command, ignoring whatever the client requests (for example to restrict a key to a single task):
```
ForceCommand command
```
Limit port forwarding:
```
PermitListen host:port
PermitOpen host:port
```
Set [environment variables](../linux/Environment%20Variables.md) in the session:
```
SetEnv KEY=VALUE
```
User-based settings (everything after a `Match` line, up to the next `Match`, applies only to `user1`, so place `Match` blocks at the end of the file):
```
Match User user1
PasswordAuthentication no
AllowTcpForwarding yes
```
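The first-value-wins and `Match` rules above decide what sshd actually enforces, and a hand-written file can end up weaker than it looks. The following resolver, added here as an example and not code from this page or from OpenSSH, computes the effective settings for a given user and flags the weak ones; it models only `Match User` criteria, and the defaults it assumes are the ones documented in sshd_config(5).

```python
import re
# sshd_config(5): the FIRST value obtained for a keyword wins; a satisfied Match
# block overrides the globals, and all lines after `Match` belong to that block.
DEFAULTS = {"passwordauthentication": "yes", "permitemptypasswords": "no",
            "permitrootlogin": "prohibit-password"}  # documented defaults
WEAK_IF_YES = tuple(DEFAULTS)  # each of these keywords is weak when set to "yes"

def parse_sshd_config(text):
    """Return (global_opts, [(match_criteria, block_opts), ...])."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key, value = parts[0].lower(), parts[1] if len(parts) > 1 else ""
        if key == "match":
            current = {}
            blocks.append((value, current))
            continue
        (global_opts if current is None else current).setdefault(key, value)
    return global_opts, blocks

def block_applies(criteria, user):
    """Assumption: only `User name[,name]` criteria are modelled; others never match."""
    tokens = criteria.split()
    return bool(tokens) and all(c.lower() == "user" and user in p.split(",")
                                for c, p in zip(tokens[::2], tokens[1::2]))

def effective_settings(text, user):
    """Settings sshd would apply to a connection authenticating as `user`."""
    global_opts, blocks = parse_sshd_config(text)
    eff = {}
    for layer in [o for c, o in blocks if block_applies(c, user)] + [global_opts, DEFAULTS]:
        for key, value in layer.items():  # earlier layers win
            eff.setdefault(key, value)
    return eff

def weak_settings(text, user):
    """Keywords whose effective value for `user` is the weak one."""
    eff = effective_settings(text, user)
    return sorted(k for k in WEAK_IF_YES if eff[k].lower() == "yes")

# Constructed sample: the second PermitRootLogin is ignored; the last line sits inside the Match block.
SAMPLE = """\
PermitRootLogin no
PermitRootLogin yes
Match User deploy
    AllowTcpForwarding yes
PasswordAuthentication no
"""
```

For the sample, `weak_settings(SAMPLE, "deploy")` is empty, while `weak_settings(SAMPLE, "alice")` reports `passwordauthentication`, because the `PasswordAuthentication no` line never reached the global scope.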