3.2 KiB
| aliases | website | obj | repo | |
|---|---|---|---|---|
|
https://www.openssh.com/ | application | https://github.com/openssh/openssh-portable |
SSH
#refactor add ssh suite applications, etc
-> https://www.openssh.com/
Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. Typical applications include remote command-line login and remote command execution, but any network service can be secured with SSH.
Examples of services that can use SSH are Git, rsync and X11 forwarding. Services that always use SSH are SCP and SFTP.
An SSH server, by default, listens on the standard TCP port 22. An SSH client program is typically used for establishing connections to an sshd daemon accepting remote connections. Both are commonly present on most modern operating systems, including macOS, GNU/Linux, Solaris and OpenVMS. Proprietary, freeware and open source versions of various levels of complexity and completeness exist.
Client
Usage
Connecting to a server
ssh -p port user@server-address
Port forwarding:
# Forward Remote -> Local
ssh -N -f -L local_port:127.0.0.1:remote_port host
# Forward Local -> Remote
ssh -N -f -R remote_port:127.0.0.1:local_port host
Copying files (works with rsync as well):
scp -r files remote:/path
Copy ssh key to host:
ssh-copy-id user@remote
Pipes work too over SSH:
ssh remote "cat /log" | grep denied
cat ~/.ssh/id_rsa.pub | ssh remote 'cat >> .ssh/authorized_keys'
Use a jump host:
ssh -J jump_server remote
Configuration
Client can be configured by the file ~/.ssh/config
# global options
User user
# host-specific options
Host myserver
Hostname server-address
Port port
IdentityFile ~/.ssh/id_rsa
ProxyJump host
ProxyCommand corkscrew <proxy-host> <proxy-port> %h %p # HTTP Proxy
With this configuration the client command can be redacted to
ssh myserver
Corkscrew is a additional programm to tunnel SSH through HTTP proxies:
`ssh -o "ProxyCommand corkscrew <proxy-host> <proxy-port> %h %p" <ssh-username>@<ssh-server>`
Server
sshd is the OpenSSH server daemon, configured with /etc/ssh/sshd_config and managed by sshd.service. Whenever changing the configuration, use sshd in test mode before restarting the service to ensure it will be able to start cleanly. Valid configurations produce no output.
sshd -t
Configuration
Limit users:
AllowUsers user1 user2
DenyUser user3 user4
To allow access only for some groups:
AllowGroups group1 group2
DenyGroups group3 group4
Disable password authentification:
PasswordAuthentication no
PermitEmptyPasswords no
Disable root login:
PermitRootLogin no
PermitRootLogin prohibit-password
Allow port forwarding:
AllowTcpForwarding yes
Allow only certain commands:
ForceCommand command
Limit port forwarding:
PermitListen host:port
PermitOpen host:port
User-based settings (everything here only applies to user1):
Match User user1
PasswordAuthentication no
AllowTcpForwarding yes