knowledge/technology/applications/SSH.md
2023-12-04 11:02:23 +01:00

aliases: OpenSSH
website: https://www.openssh.com/
obj: application
repo: https://github.com/openssh/openssh-portable

SSH

#refactor add ssh suite applications, etc
-> https://www.openssh.com/
Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. Typical applications include remote command-line login and remote command execution, but any network service can be secured with SSH.

Examples of services that can use SSH are Git, rsync and X11 forwarding. Services that always use SSH are SCP and SFTP.

An SSH server, by default, listens on the standard TCP port 22. An SSH client program is typically used for establishing connections to an sshd daemon accepting remote connections. Both are commonly present on most modern operating systems, including macOS, GNU/Linux, Solaris and OpenVMS. Proprietary, freeware and open source versions of various levels of complexity and completeness exist.

Client

Usage

Connecting to a server

ssh -p port user@server-address

Port forwarding:

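# Local forward (-L): local_port on this machine -> 127.0.0.1:remote_port as seen from host
ssh -N -f -L local_port:127.0.0.1:remote_port host
# Remote forward (-R): remote_port on host -> 127.0.0.1:local_port on this machine
ssh -N -f -R remote_port:127.0.0.1:local_port host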

Copying files (works with rsync as well):

scp -r files remote:/path

Copy ssh key to host:

ssh-copy-id user@remote

Pipes work over SSH too:

ssh remote "cat /log" | grep denied
cat ~/.ssh/id_rsa.pub | ssh remote 'cat >> .ssh/authorized_keys'

Use a jump host:

ssh -J jump_server remote

Configuration

The client can be configured in the file ~/.ssh/config:

# global options
User user

# host-specific options
Host myserver
    Hostname server-address
    Port     port
    IdentityFile ~/.ssh/id_rsa
    ProxyJump host
    # Alternative to ProxyJump (set only one of the two): tunnel through an HTTP proxy
    ProxyCommand corkscrew <proxy-host> <proxy-port> %h %p

With this configuration the client command can be reduced to:

ssh myserver

Corkscrew is an additional program to tunnel SSH through HTTP proxies:

`ssh -o "ProxyCommand corkscrew <proxy-host> <proxy-port> %h %p" <ssh-username>@<ssh-server>`

Server

sshd is the OpenSSH server daemon, configured with /etc/ssh/sshd_config and managed by sshd.service. Whenever changing the configuration, use sshd in test mode before restarting the service to ensure it will be able to start cleanly. Valid configurations produce no output.

sshd -t

Configuration

Limit users:

AllowUsers user1 user2
DenyUsers user3 user4

To allow access only for some groups:

AllowGroups group1 group2
DenyGroups group3 group4

Disable password authentication:

PasswordAuthentication no
PermitEmptyPasswords no

Disable root login:

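# Disable root login entirely:
PermitRootLogin no
# Or allow root with key-based login only (set one of the two; sshd uses the first value it reads):
PermitRootLogin prohibit-password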

Allow port forwarding:

AllowTcpForwarding yes

Force a specific command (any command supplied by the client is ignored):

ForceCommand command

Limit port forwarding:

PermitListen host:port
PermitOpen host:port

User-based settings (everything here only applies to user1):

Match User user1
    PasswordAuthentication no
    AllowTcpForwarding yes
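
sshd -t only validates the file; it does not show which value wins when a keyword appears twice (as with the two PermitRootLogin lines above) or when it is set only inside a Match block. The following script is an added example, not part of the original note or of OpenSSH: the function names, the constructed sample config and the choice of checked keywords are assumptions for illustration, and the fallback values are upstream OpenSSH defaults.

```shell
# Added example, not from the original page. Rules implemented: keywords are
# case-insensitive, the FIRST occurrence wins, and lines after a "Match" line
# are conditional. Assumes "Keyword value" lines and no Include files.

# effective <keyword> <file>: print the global value sshd would use, if set
effective() {
    awk -v key="$1" '
        BEGIN { key = tolower(key) }
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        tolower($1) == "match" { exit }      # global section ends here
        tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$2"
}

# check <file> <keyword> <upstream default> <acceptable value>...
check() {
    key=$2; val=$(effective "$2" "$1")
    val=${val:-$3}                           # unset keyword: upstream default
    shift 3
    for ok in "$@"; do
        [ "$val" = "$ok" ] && return 0
    done
    echo "WEAK: $key is '$val' (want one of: $*)"
    return 1
}

# audit <file>: print findings, return how many of the page's settings are weak
audit() {
    weak=0
    check "$1" PasswordAuthentication yes no || weak=$((weak + 1))
    check "$1" PermitEmptyPasswords no no || weak=$((weak + 1))
    check "$1" PermitRootLogin prohibit-password no prohibit-password || weak=$((weak + 1))
    return "$weak"
}

# Constructed sample: the second PermitRootLogin line is ignored (first wins),
# and the PasswordAuthentication line applies to user1 only, not globally.
sample_config() {
    cat <<'EOF'
permitrootlogin yes
PermitRootLogin no
Match User user1
    PasswordAuthentication no
EOF
}

cfg=$(mktemp) && sample_config > "$cfg"
audit "$cfg" || echo "$? weak setting(s)"
rm -f "$cfg"
```

On a live host, sshd -T prints the effective configuration as sshd itself resolves it, including Include files.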