knowledge/technology/applications/network/SSH.md
2024-08-26 14:05:40 +02:00


| aliases | website | obj | repo | rev |
| --- | --- | --- | --- | --- |
| OpenSSH | https://www.openssh.com/ | application | https://github.com/openssh/openssh-portable | 2024-08-26 |

SSH

Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. Typical applications include remote command-line login and remote command execution, but any network service can be secured with SSH.

Examples of services that can use SSH are Git, rsync and X11 forwarding. Services that always use SSH are SCP and SFTP.

An SSH server, by default, listens on the standard TCP port 22. An SSH client program is typically used for establishing connections to an sshd daemon accepting remote connections. Both are commonly present on most modern operating systems, including macOS, GNU/Linux, Solaris and OpenVMS. Proprietary, freeware and open source versions of various levels of complexity and completeness exist.

Client

Usage

Creating an SSH key:

ssh-keygen

Connecting to a server:

ssh -p port user@server-address

Port forwarding:

# Local forwarding (-L): listen on local_port here, tunnel to remote_port on host
ssh -N -f -L local_port:127.0.0.1:remote_port host
# Remote forwarding (-R): listen on remote_port on host, tunnel back to local_port here
ssh -N -f -R remote_port:127.0.0.1:local_port host

Copying files (works with rsync as well):

scp -r files remote:/path

Copy ssh key to host:

ssh-copy-id user@remote

Pipes work over SSH too:

ssh remote "cat /log" | grep denied
cat ~/.ssh/id_rsa.pub | ssh remote 'cat >> .ssh/authorized_keys'

Use a jump host:

ssh -J jump_server remote

Forward a port to a remote host with a systemd service:

[Unit]
Description=SSH Port Forwarding
After=network.target
After=systemd-resolved.service
# Restart rate limiting is a [Unit] setting; an interval of 0 disables it
StartLimitIntervalSec=0
StartLimitBurst=0

[Service]
User=<USER>
# Binding 0.0.0.0 on the remote side only works if its sshd_config sets
# GatewayPorts yes (or clientspecified); otherwise the listener is loopback-only
ExecStart=/usr/bin/ssh -i <KEY> -o ExitOnForwardFailure=yes -N -R 0.0.0.0:<PORT>:127.0.0.1:<PORT> user@example.com
Restart=always
RestartSec=30s

[Install]
WantedBy=multi-user.target

Configuration

The client is configured through the file ~/.ssh/config:

# global options (apply to every host)
User user

# host-specific options
Host myserver
    Hostname server-address
    Port     port
    IdentityFile ~/.ssh/id_rsa
    User you
    # Use only one of ProxyJump or ProxyCommand: ProxyJump is implemented on
    # top of ProxyCommand, so setting both conflicts. Comments must be on
    # their own line; ssh_config does not support trailing comments.
    ProxyJump host
    # HTTP proxy via corkscrew:
    # ProxyCommand corkscrew <proxy-host> <proxy-port> %h %p

With this configuration the connection command reduces to:

ssh myserver

Corkscrew is an additional program that tunnels SSH through HTTP proxies:

`ssh -o "ProxyCommand corkscrew <proxy-host> <proxy-port> %h %p" <ssh-username>@<ssh-server>`

Server

sshd is the OpenSSH server daemon, configured with /etc/ssh/sshd_config and managed by sshd.service. Whenever changing the configuration, use sshd in test mode before restarting the service to ensure it will be able to start cleanly. Valid configurations produce no output.

sshd -t

Configuration

Set address and port:

ListenAddress 0.0.0.0
Port 22

Limit users (the keywords take a space-separated list of user name patterns):

AllowUsers user1 user2
DenyUsers user3 user4

To allow access only for some groups:

AllowGroups group1 group2
DenyGroups group3 group4

Disable password authentication:

PasswordAuthentication no
PermitEmptyPasswords no

Disable root login. sshd applies the first value it reads for a keyword, so use only one of these:

PermitRootLogin no
# or allow root only with key-based authentication (the default):
# PermitRootLogin prohibit-password

Allow port forwarding:

AllowTcpForwarding yes

Force a single command for every session, ignoring whatever command the client asks for:

ForceCommand command

Limit port forwarding to specific destinations:

# addresses a remote (-R) forward may listen on
PermitListen host:port
# destinations a local (-L) forward may connect to
PermitOpen host:port

Set environment variables in the session:

SetEnv KEY=VALUE

User-specific settings. The lines after a Match directive apply only to the matching connections (here user1) and extend to the next Match line or the end of the file:

Match User user1
    PasswordAuthentication no
    AllowTcpForwarding yes
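Because sshd keeps the first value it reads for a keyword and lets a matching Match block override the global section, a duplicated line such as a second PermitRootLogin is silently inert. The following script is an added example (not part of the original note or of OpenSSH) that parses a constructed sshd_config with exactly those two rules and audits the settings listed above; it only evaluates `Match User` criteria, a simplifying assumption, and treats any other criterion as not matching.

```python
"""Resolve and audit sshd_config the way sshd reads it: the first value of a
keyword wins, and a matching Match block overrides the global section."""
import re
from typing import Dict, List, Optional, Tuple

Block = Dict[str, List[str]]                      # keyword (lowercased) -> args
Parsed = Tuple[Block, List[Tuple[List[str], Block]]]

# OpenSSH sshd defaults for the keywords this audit looks at
DEFAULTS: Block = {
    "passwordauthentication": ["yes"],
    "permitemptypasswords": ["no"],
    "permitrootlogin": ["prohibit-password"],
    "allowtcpforwarding": ["yes"],
}

# Constructed sample config (not from any real host). The second
# PermitRootLogin line is inert because sshd keeps the first value.
SAMPLE_SSHD_CONFIG = """\
Port 22
ListenAddress 0.0.0.0
PermitRootLogin prohibit-password
PermitRootLogin no
PasswordAuthentication yes
AllowTcpForwarding no

Match User user1
    PasswordAuthentication no
    AllowTcpForwarding yes
"""


def _split_line(line: str) -> Optional[Tuple[str, List[str]]]:
    """Return (keyword, args) for a config line, or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = re.split(r"[\s=]+", line, maxsplit=1)   # 'Key value' or 'Key=value'
    return parts[0].lower(), (parts[1].split() if len(parts) > 1 else [])


def parse_sshd_config(text: str) -> Parsed:
    """Parse into the global block plus ordered (criteria, block) Match sections.
    setdefault() models 'first occurrence wins' inside every block."""
    global_block: Block = {}
    matches: List[Tuple[List[str], Block]] = []
    current = global_block
    for raw in text.splitlines():
        parsed = _split_line(raw)
        if parsed is None:
            continue
        keyword, args = parsed
        if keyword == "match":
            current = {}
            matches.append((args, current))
        else:
            current.setdefault(keyword, args)
    return global_block, matches


def _match_applies(criteria: List[str], user: Optional[str]) -> bool:
    """Evaluate 'Match User a,b,...' criteria. Any other criterion type
    (Address, Group, ...) is treated as not matching: a simplifying assumption."""
    pairs = list(zip(criteria[0::2], criteria[1::2]))
    if not pairs:
        return False
    for kind, patterns in pairs:
        if kind.lower() != "user" or user is None or user not in patterns.split(","):
            return False
    return True


def effective_value(parsed: Parsed, keyword: str, user: Optional[str] = None) -> List[str]:
    """Value sshd applies for a connection by `user`: the first matching Match
    block that sets the keyword, else the global value, else the default."""
    global_block, matches = parsed
    keyword = keyword.lower()
    for criteria, block in matches:
        if _match_applies(criteria, user) and keyword in block:
            return block[keyword]
    return global_block.get(keyword, DEFAULTS.get(keyword, []))


def audit(text: str, user: Optional[str] = None) -> List[str]:
    """Findings for the hardening keywords, resolved for an optional user."""
    parsed = parse_sshd_config(text)

    def first(keyword: str) -> str:
        value = effective_value(parsed, keyword, user)
        return value[0].lower() if value else ""

    findings = []
    if first("passwordauthentication") != "no":
        findings.append("PasswordAuthentication is not 'no'")
    if first("permitemptypasswords") == "yes":
        findings.append("PermitEmptyPasswords is 'yes'")
    if first("permitrootlogin") not in ("no", "prohibit-password"):
        findings.append("PermitRootLogin allows root password login")
    if not any(k in parsed[0] for k in ("allowusers", "allowgroups")):
        findings.append("no AllowUsers/AllowGroups restriction")
    return findings


if __name__ == "__main__":
    for who in (None, "user1"):
        print(who or "<global>", audit(SAMPLE_SSHD_CONFIG, who))
```

Run against the sample, the global audit reports the password-authentication and missing AllowUsers/AllowGroups findings, while the audit for user1 only reports the latter, because the Match block turns password authentication off for that user alone. `sshd -t` still remains the authoritative syntax check before restarting the service.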

authorized_keys

The ~/.ssh/authorized_keys file enables public-key authentication: it lists the allowed public keys, one per line. The syntax is:

[options] key_type key [comment]

The trailing comment is free text and is conventionally the user@host the key was generated on.

Example:

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA7V4+1E...

Common Options:

  • command="command_to_run": Restricts the key to only execute a specific command. The SSH session will automatically execute this command upon login, and the user won't get an interactive shell.
  • from="hostname_or_ip_address": Limits the use of the key to a specific hostname or IP address, or a range of addresses.
  • no-port-forwarding: Disables port forwarding for the key.
  • no-agent-forwarding: Disables SSH agent forwarding for the key.
  • no-X11-forwarding: Disables X11 forwarding for the key.
  • no-pty: Disables the allocation of a pseudo-terminal for the key. This means the user won't get an interactive shell session.
  • permitopen="host:port": Restricts port forwarding to a specific host and port.
  • environment="VAR=value": Sets environment variables for the session when the key is used to log in.

Multiple options are comma-separated; a quoted option value may itself contain commas and spaces.
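The options field is the part of this format that ad-hoc tooling gets wrong: values are double-quoted, may contain commas and spaces (as in `from="10.0.0.0/24,host"` or a `command=` with arguments) and may escape quotes with a backslash. The parser below is an added example (not part of the original note or of OpenSSH) that handles those cases and then reports which keys in a constructed sample file lack the `from=` and `command=` restrictions described above; the key material in the sample is placeholder text, not real keys.

```python
"""Parse ~/.ssh/authorized_keys lines, including the options field, and flag
keys that carry no from= or command= restriction."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# A first token starting with one of these is a key type, so no options precede it
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")

# Constructed sample file; the key material is placeholder text, not real keys
SAMPLE_AUTHORIZED_KEYS = """\
# keys for the backup host (constructed example)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERNOTAREALKEY alice@laptop
command="/usr/bin/rsync --server --sender . /srv/backup",from="10.0.0.0/24,backup.example.net",no-pty,no-port-forwarding ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDERNOTAREALKEY backup@nas
environment="DEPLOY_ENV=prod",permitopen="127.0.0.1:5432" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER2NOTAREALKEY deploy@ci
"""


@dataclass
class AuthorizedKey:
    options: Dict[str, Optional[str]]   # flag -> None, name="value" -> value
    key_type: str
    key: str
    comment: str


def split_options(line: str) -> Tuple[str, str]:
    """Split a line into (options_text, rest). Options end at the first
    whitespace outside double quotes; a backslash inside quotes escapes."""
    if line.split(None, 1)[0].startswith(KEY_TYPE_PREFIXES):
        return "", line
    in_quotes, i = False, 0
    while i < len(line):
        c = line[i]
        if in_quotes and c == "\\":
            i += 2
            continue
        if c == '"':
            in_quotes = not in_quotes
        elif c.isspace() and not in_quotes:
            return line[:i], line[i:].lstrip()
        i += 1
    raise ValueError("options present but no key follows: " + line)


def parse_options(text: str) -> Dict[str, Optional[str]]:
    """Comma-separated options; a value is always double-quoted and may
    itself contain commas, spaces, '=' and backslash-escaped quotes."""
    options: Dict[str, Optional[str]] = {}
    i, n = 0, len(text)
    while i < n:
        j = i
        while j < n and text[j] not in "=,":
            j += 1
        name = text[i:j].lower()
        if j < n and text[j] == "=":
            if j + 1 >= n or text[j + 1] != '"':
                raise ValueError(f"option {name} needs a quoted value")
            j += 2
            value = []
            while j < n and text[j] != '"':
                if text[j] == "\\" and j + 1 < n and text[j + 1] == '"':
                    j += 1                # keep the escaped quote itself
                value.append(text[j])
                j += 1
            if j >= n:
                raise ValueError(f"unterminated value for option {name}")
            j += 1                        # skip the closing quote
            options[name] = "".join(value)
        else:
            options[name] = None          # bare flag such as no-pty
        if j < n and text[j] == ",":
            j += 1
        i = j
    return options


def parse_authorized_keys(text: str) -> List[AuthorizedKey]:
    """Parse every non-blank, non-comment line into an AuthorizedKey."""
    keys = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options_text, rest = split_options(line)
        fields = rest.split(None, 2)
        if len(fields) < 2:
            raise ValueError("missing key type or key: " + line)
        keys.append(AuthorizedKey(
            options=parse_options(options_text) if options_text else {},
            key_type=fields[0],
            key=fields[1],
            comment=fields[2] if len(fields) > 2 else "",
        ))
    return keys


def audit_authorized_keys(keys: List[AuthorizedKey]) -> List[Tuple[str, List[str]]]:
    """Per key: which of the two strongest restrictions (from=, command=) are missing."""
    report = []
    for k in keys:
        missing = []
        if "from" not in k.options:
            missing.append("no from= source restriction")
        if "command" not in k.options:
            missing.append("no command= restriction")
        report.append((k.comment or k.key_type, missing))
    return report


if __name__ == "__main__":
    for comment, missing in audit_authorized_keys(parse_authorized_keys(SAMPLE_AUTHORIZED_KEYS)):
        print(comment, missing or "restricted")
```

For the sample, only the backup key comes back fully restricted; the interactive key for alice and the deploy key are flagged because nothing limits where they may be used from or what they may run, which is the usual review finding for keys that were added with a bare `ssh-copy-id`.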

.ssh/rc

The ~/.ssh/rc file is a script that sshd runs at the start of every session, before the user's shell or command. The system-wide equivalent is /etc/ssh/sshrc, which sshd uses when ~/.ssh/rc does not exist.