jmarya/knowledge
jmarya/knowledge
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
knowledge/technology/applications/network/SSH.md
JMARyA 93045830d9
update ssh
2024-08-26 14:05:40 +02:00

192 lines
5.2 KiB
Markdown
Raw Blame History

---
aliases:
- OpenSSH
website: https://www.openssh.com/
obj: application
repo: https://github.com/openssh/openssh-portable
rev: 2024-08-26
---
# SSH
Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. Typical applications include remote command-line login and remote command execution, but any network service can be secured with SSH.
Examples of services that can use SSH are [Git](../../dev/Git.md), [rsync](../cli/rsync.md) and X11 forwarding. Services that always use SSH are SCP and SFTP.
An SSH server, by default, listens on the standard [TCP](../../internet/TCP.md) port 22. An SSH client program is typically used for establishing connections to an sshd daemon accepting remote connections. Both are commonly present on most modern operating systems, including [macOS](../../macos/macOS.md), GNU/[Linux](../../linux/Linux.md), Solaris and OpenVMS. Proprietary, freeware and open source versions of various levels of complexity and completeness exist.
## Client
### Usage
Creating a SSH key:
```shell
ssh-keygen
```
Connecting to a server
```shell
ssh -p port user@server-address
```
Port forwarding:
```shell
# Forward Remote -> Local
ssh -N -f -L local_port:127.0.0.1:remote_port host
# Forward Local -> Remote
ssh -N -f -R remote_port:127.0.0.1:local_port host
```
Copying files (works with [rsync](../cli/rsync.md) as well):
```shell
scp -r files remote:/path
```
Copy ssh key to host:
```shell
ssh-copy-id user@remote
```
Pipes work too over SSH:
```shell
ssh remote "cat /log" | grep denied
cat ~/.ssh/id_rsa.pub | ssh remote 'cat >> .ssh/authorized_keys'
```
Use a jump host:
```shell
ssh -J jump_server remote
```
Forward port to remote using [systemd](../../linux/systemd/Systemd.md) service:
```ini
[Unit]
Description=SSH Port Forwarding
After=network.target
After=systemd-resolved.service
[Service]
User=<USER>
ExecStart=/usr/bin/ssh -i <KEY> -o ExitOnForwardFailure=yes -N -R 0.0.0.0:<PORT>:127.0.0.1:<PORT> user@example.com
Restart=always
StartLimitInterval=0
StartLimitBurst=0
RestartSec=30s
[Install]
WantedBy=multi-user.target
```
### Configuration
Client can be configured by the file `~/.ssh/config`
```
# global options
User user
# host-specific options
Host myserver
Hostname server-address
Port port
IdentityFile ~/.ssh/id_rsa
User you
ProxyJump host
ProxyCommand corkscrew <proxy-host> <proxy-port> %h %p # HTTP Proxy
```
With this configuration the client command can be redacted to
```shell
ssh myserver
```
Corkscrew is a additional programm to tunnel SSH through [HTTP](../../internet/HTTP.md) proxies:
```shell
`ssh -o "ProxyCommand corkscrew <proxy-host> <proxy-port> %h %p" <ssh-username>@<ssh-server>`
```
## Server
`sshd` is the OpenSSH server daemon, configured with `/etc/ssh/sshd_config` and managed by `sshd.service`. Whenever changing the configuration, use `sshd` in test mode before restarting the service to ensure it will be able to start cleanly. Valid configurations produce no output.
```shell
sshd -t
```
### Configuration
Set address and port:
```
ListenAddress 0.0.0.0
Port 22
```
Limit users:
```
AllowUsers user1 user2
DenyUser user3 user4
```
To allow access only for some groups:
```
AllowGroups group1 group2
DenyGroups group3 group4
```
Disable password authentification:
```
PasswordAuthentication no
PermitEmptyPasswords no
```
Disable root login:
```
PermitRootLogin no
PermitRootLogin prohibit-password
```
Allow port forwarding:
```
AllowTcpForwarding yes
```
Allow only certain commands:
```
ForceCommand command
```
Limit port forwarding:
```
PermitListen host:port
PermitOpen host:port
```
Set [environment variables](../../linux/Environment%20Variables.md) in the session:
```
SetEnv KEY=VALUE
```
User-based settings (everything here only applies to `user1`):
```
Match User user1
PasswordAuthentication no
AllowTcpForwarding yes
```
#### `authorized_keys`
The `~/.ssh/authorized_keys` file is used to enable passwordless authentication using SSH keys. You can specify multiple allowed SSH keys one per line. The syntax is:
```
[options] key_type key [user@host]
```
Example:
```
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA7V4+1E...
```
Common Options:
- `command="command_to_run"`: Restricts the key to only execute a specific command. The SSH session will automatically execute this command upon login, and the user won't get an interactive shell.
- `from="hostname_or_ip_address"`: Limits the use of the key to a specific hostname or IP address, or a range of addresses.
- `no-port-forwarding`: Disables port forwarding for the key.
- `no-agent-forwarding`: Disables SSH agent forwarding for the key.
- `no-X11-forwarding`: Disables X11 forwarding for the key.
- `no-pty`: Disables the allocation of a pseudo-terminal for the key. This means the user won't get an interactive shell session.
- `permitopen="host:port"`: Restricts port forwarding to a specific host and port.
- `environment="VAR=value"`: Sets environment variables for the session when the key is used to log in.
Options are comma-seperated if you want to specify multiple.
#### `.ssh/rc`
The `~/.ssh/rc` file is a script that can be executed automatically whenever an SSH session is established. This can be configured globally with `/etc/ssh/sshrc`.
Reference in a new issue View git blame Copy permalink