alias
tag IT/DevOps IT/technologies IT/cybersecurity CodeNotebook

SSH stuff

Basics

Most basic usage: ssh user@host, where host can be an IPv4 address, an IPv6 address or a DNS name (including names with UTF-8 characters; local machines can be addressed by a bare hostname with no top-level domain, while the full name with the domain is what's called an FQDN xd).

Specify port

ssh -p number user@host

Specify key files

If your keys don't live in the expected places (e.g. ~/.ssh/id_<keytype>) or haven't been added to ssh-agent, you may specify them with -i path/to/key, e.g.:

ssh -i ~/.ssh/key user@host

SSH jump through to another host

ssh -J host1 host2

SSH tunneling (port-forward and reverse proxy)

ssh -L [LOCAL_IP:]LOCAL_PORT:DESTINATION:DESTINATION_PORT [USER@]SSH_SERVER
#or
ssh -R [REMOTE:]REMOTE_PORT:DESTINATION:DESTINATION_PORT [USER@]SSH_SERVER

Binds local port 3336 to db.internal:3306 via public.host: ssh -L 3336:db.internal:3306 user@public.host

Binds port 8080 on remote.host to port 3000 on localhost (-N runs no remote command, -f sends ssh to the background): ssh -R 8080:127.0.0.1:3000 -N -f user@remote.host

Generating keys

ssh-keygen generates a private & public key pair, optionally protected by a passphrase. The options are listed below, with examples after them. Ideally, use Ed25519, as DSA (ssh-dss) and RSA signatures not using SHA-2 are deprecated.

  • -t key type [dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa]
  • -b number of bits in the key
  • -f output filename
  • -C key comment
  • -N passphrase
  • -m output key format
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
ssh-keygen -t ed25519 -C "your_email@example.com"

Private: either no extension or .ppk

  • different formats e.g. OpenSSH, OpenSSL, Putty (Puttygen keys can be converted to OpenSSH)
  • perms: 600 i.e. -rw------- (owner read/write only)

Public: .pub, .cert, .pem

  • various formats (e.g. PuTTY), but the standard one-line form is [key-type] [base64 key string] [comment]
  • perms: public means public

Keys are usually saved in $HOME/.ssh/id_<key-type> (or under whatever name you gave the private key file, with .pub appended for the public half).

Existing keys

If you wanna use some other specially named key files without passing -i all the time, they have to be added to the agent with ssh-add [file], where the options are:

  • -v verbose
  • -l / -L list fingerprints / list full public keys
  • -d / -D delete the specified key / delete all keys

To start the agent, use eval `ssh-agent`

Fingerprint

If you wanna find the fingerprint of particular key, use ssh-keygen -lvf key/path, remove -v if you don't like pretty art :c

Putting public keys on other machine

Public keys need to be added (appended as one new line) to ~/.ssh/authorized_keys, or to a special place on a particular website (e.g. GitHub / SSH & GPG keys). Easiest done with ssh-copy-id [-i /key/location] user@host. If you don't have ssh-copy-id installed, you may use the following commands for UNIX and Windows (cmd) respectively:

ssh-keygen && cat ~/.ssh/id_rsa.pub | ssh user@linuxserver 'cat >> .ssh/authorized_keys'
type C:\Users\user\.ssh\id_rsa.pub | ssh user@host 'cat >> .ssh/authorized_keys'

Securing SSH

Disabling direct root logins is usually the default in most distros. However, it's highly advised to allow only asymmetric key based authentication. It's important to note that key management can get quite messy quite fast if thorough housekeeping isn't performed, and medium and large organizations should be using revocable keys issued by a certificate authority (SSH CA) along with TOTP (time-based one-time password). To reduce the number of bots brute-forcing and the amount of logs, it's recommended to change the default port, install fail2ban and use a reverse proxy (e.g. Cloudflare) with IP filtering that allows connections only from said proxy.

X11 Forwarding

in /etc/ssh/sshd_config

X11Forwarding yes

On the remote side set export DISPLAY=localhost:10.0 and connect with ssh -[X|Y] user@host. For PuTTY, tick the box in the X11 forwarding tab.

VS Code env variable:

"terminal.integrated.env.linux": {
    "DISPLAY": "localhost:10.0"
}

Config

Client config files are ~/.ssh/config (per user) and /etc/ssh/ssh_config (global). For the daemon, edit /etc/ssh/sshd_config, where popular options to change include:

Port 22

PermitRootLogin yes #allows logging in directly as root with any auth method
PermitRootLogin prohibit-password #(default) root may log in with keys only, not passwords; without-password is the deprecated alias
PermitRootLogin no #prohibits root login completely

PubkeyAuthentication yes #allows keys
PasswordAuthentication yes #enables password auth
PermitEmptyPasswords no #disables empty password

ForwardAgent yes #client side (ssh_config): forward the local ssh-agent to the remote host
AllowAgentForwarding yes #server side (sshd_config): permit agent forwarding, allowing SSO over multiple hops
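As an added example (not from these notes), here is a small POSIX shell audit of an sshd_config against the settings the "Securing SSH" and "Config" sections recommend. It assumes the usual "Keyword value" syntax; the two sample configs are constructed inline, and the function names (sshd_get, sshd_expect, sshd_audit) are my own.

```shell
#!/bin/sh
# Added example, not from the original notes: audit an sshd_config against the
# settings recommended above. sshd takes the FIRST value it reads for a keyword,
# and this check stops at the first Match block (per-user overrides are not
# judged). Assumes "Keyword value" syntax; on a live host, `sshd -T` prints the
# effective config and can be fed in instead of /etc/ssh/sshd_config.

# First value of keyword $2 in file $1 (before any Match block), else "unset".
sshd_get() {
    awk -v kw="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blanks
        tolower($1) == "match"                { exit }   # stop at conditional blocks
        tolower($1) == tolower(kw)            { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Compare keyword $2 in file $1 with expected $3; $4 is sshd's compiled-in
# default used when the keyword is absent. Prints a finding, returns 1 if weak.
sshd_expect() {
    v=$(sshd_get "$1" "$2")
    [ "$v" = "unset" ] && v="$4 (default)"
    case "$v" in
        "$3"|"$3 (default)") return 0 ;;
    esac
    printf 'WEAK: %s is %s, expected %s\n' "$2" "$v" "$3"
    return 1
}

# Run all checks; the return value is the number of weak settings found.
sshd_audit() {
    n=0
    sshd_expect "$1" PermitRootLogin        no  prohibit-password || n=$((n + 1))
    sshd_expect "$1" PasswordAuthentication no  yes               || n=$((n + 1))
    sshd_expect "$1" PubkeyAuthentication   yes yes               || n=$((n + 1))
    sshd_expect "$1" PermitEmptyPasswords   no  no                || n=$((n + 1))
    sshd_expect "$1" X11Forwarding          no  no                || n=$((n + 1))
    return "$n"
}

# Constructed sample configs: a permissive one like the first variant in the
# notes, and a hardened one whose Match block is deliberately ignored.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
printf '%s\n' 'Port 22' 'PermitRootLogin yes' 'PasswordAuthentication yes' \
    'PubkeyAuthentication yes' > "$WEAK_CFG"
printf '%s\n' 'Port 2222' 'PermitRootLogin no' 'PasswordAuthentication no' \
    'PubkeyAuthentication yes' 'PermitEmptyPasswords no' 'X11Forwarding no' \
    'Match User deploy' '    PasswordAuthentication yes' > "$HARD_CFG"
sshd_audit "$WEAK_CFG" || echo "$? weak setting(s) in sample"    # two WEAK lines
sshd_audit "$HARD_CFG" || echo "$? weak setting(s) in hardened"  # prints nothing
```

Run it as sh audit.sh; a non-zero count from sshd_audit is the number of settings that differ from the hardened baseline.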

NOTE: old PuTTY versions don't work with some OpenSSH servers after autumn 2022 due to the deprecation of the oldest RSA algorithm; if you wanna use one for some reason, add PubkeyAcceptedAlgorithms=+ssh-rsa to /etc/ssh/sshd_config. Preferably use the ssh command built into cmd/PowerShell (nearly the same functionality as on unix machines).
