SSH



Manual Page


OpenSSH Manual Pages

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Login



ssh username@remote_host
# or
ssh username@ip_address
# or
ssh -p 80 root@demo.com     # -p: specify port number (default = 22)
# or
ssh servername              # log in with the same username as the local account


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logout



ctrl-d
# or
logout


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Set up SSH



# On server
sudo apt install openssh-server
sudo netstat -tupln                 # verify sshd is listening on port 22


Set up Public/ Private Key Authentication



# On client
# Generate public and private key
ssh-keygen -t ed25519 -C "tim@debian"
## -t: type of key algorithm (default = rsa); -C: comment
# or
ssh-keygen -t rsa -b 4096

ls ~/.ssh

# Add your ssh key to the ssh-agent
eval "$(ssh-agent -s)"
> Agent pid 111111
ssh-add ~/.ssh/<key_name>

# Copy public key to remote ssh server
ssh-copy-id tim@demo.net
# or
scp ~/.ssh/id_rsa.pub ubuntu@10.0.3.170:/home/ubuntu
# or
cat ~/.ssh/id_ed25519.pub | ssh tim@demo.net "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
# or
sudo apt install xclip
xclip -sel clip < ~/.ssh/<key_name>.pub     # then paste into ~/.ssh/authorized_keys on the server


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Test Your SSH Connection



# On server
# Verify the public key landed in authorized_keys
cat ~/.ssh/authorized_keys

# From client: test key-based login against a host (GitHub example)
ssh -T git@github.com

# If shell access is allowed via ssh, set the permissions sshd expects
chmod 700 ~/.ssh
cat id_rsa.pub >> ~/.ssh/authorized_keys    # append; cp would overwrite existing keys
chmod 600 ~/.ssh/authorized_keys
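Added example (not part of these notes): a small shell function that does what ssh-copy-id does when installing a key on the server, but idempotently and with the directory and file modes sshd's StrictModes checks. It refuses anything that is not a one-line OpenSSH public key, so a pasted private key can never end up in authorized_keys. The key and the temporary home directory in the demo are constructed; the function names are mine.

```shell
#!/bin/sh
# Added example (not part of the original notes): install a public key into a
# user's authorized_keys the way ssh-copy-id does, but idempotently and with
# the permissions sshd's StrictModes expects (700 on ~/.ssh, 600 on the file).
# Assumptions: $1 is a single-line OpenSSH .pub file, $2 is a writable home dir.

install_authorized_key() {
    pubfile=$1
    home=$2
    sshdir="$home/.ssh"
    authkeys="$sshdir/authorized_keys"

    key=$(head -n 1 "$pubfile")
    # Only accept something that looks like a public key; a pasted private key
    # starts with "-----BEGIN" and must never land in authorized_keys.
    case "$key" in
        ssh-*|ecdsa-*|sk-*) ;;
        *) echo "refusing: $pubfile does not look like an OpenSSH public key" >&2; return 1 ;;
    esac

    # Create the directory and file with a restrictive umask, then pin the modes
    # sshd requires (it ignores the file if it is group- or world-writable).
    (umask 077 && mkdir -p "$sshdir" && touch "$authkeys") || return 1
    chmod 700 "$sshdir"
    chmod 600 "$authkeys"

    # ssh-copy-id appends blindly; an exact whole-line match avoids duplicates
    if grep -qxF "$key" "$authkeys"; then
        echo "already present"
        return 0
    fi
    printf '%s\n' "$key" >> "$authkeys"
    echo "installed"
}

# Number of key entries in an authorized_keys file
count_authorized_keys() {
    grep -cE '^(ssh-|ecdsa-|sk-)' "$1" || true
}

# Symbolic mode string of a path, e.g. "-rw-------" (portable across ls variants)
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# Demo: a constructed (not real) ed25519 public key installed into a temp "home"
demo_key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYEXAMPLEKEYEXAMPLEKEYEXAMPLEKEY tim@debian'
demo_tmp=$(mktemp -d)
printf '%s\n' "$demo_key" > "$demo_tmp/id_ed25519.pub"
install_authorized_key "$demo_tmp/id_ed25519.pub" "$demo_tmp/home"   # installed
install_authorized_key "$demo_tmp/id_ed25519.pub" "$demo_tmp/home"   # already present
mode_string "$demo_tmp/home/.ssh/authorized_keys"                     # -rw-------
```

Running it twice is safe, which matters when the same key is pushed from a configuration-management run; ssh-copy-id itself would add a second copy of the line.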


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SSH Server Hardening



Guidelines
• Disable login as root
• Disable password based login

# Change in config file
sudo nano /etc/ssh/sshd_config
## Port 443 (optional)
## ChallengeResponseAuthentication no
## PasswordAuthentication no
## UsePAM no
## PubkeyAuthentication yes
## PermitRootLogin prohibit-password


# Restart ssh service
sudo service sshd restart
sudo netstat -tupln
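Added example (not part of these notes): a shell audit that reads an sshd_config and reports which of the settings above are still weak, applying the rule sshd itself uses when a keyword appears twice (the first value wins) and treating an absent keyword as its sshd_config(5) default. It assumes a flat config without Match blocks or Include directives; the function names and the sample config are mine.

```shell
#!/bin/sh
# Added example (not part of the original notes): audit an sshd_config against
# the guidelines above before restarting the service. It applies the rule sshd
# itself uses for repeated keywords (the first value wins) and treats an absent
# keyword as its sshd_config(5) default. Assumption: a flat config file with no
# Match blocks or Include directives.

# Effective value of keyword $2 in file $1: case-insensitive keyword match,
# first occurrence wins, comments and blank lines ignored; empty if unset.
effective_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == key   { print $2; exit }
    ' "$1"
}

# Print "ok"/"WEAK" for keyword $2 of file $1; $3 is the default when the
# keyword is absent, $4 an extended regex of acceptable values.
check_setting() {
    v=$(effective_setting "$1" "$2")
    [ -n "$v" ] || v="$3 (default)"
    if printf '%s' "$v" | grep -qiE "^($4)( \(default\))?$"; then
        printf 'ok   %-34s %s\n' "$2" "$v"
    else
        printf 'WEAK %-34s %s\n' "$2" "$v"
    fi
}

audit_sshd_config() {
    check_setting "$1" PasswordAuthentication          yes no
    check_setting "$1" ChallengeResponseAuthentication yes no
    check_setting "$1" PermitRootLogin   prohibit-password 'no|prohibit-password|without-password'
    check_setting "$1" PubkeyAuthentication            yes yes
}

# Number of WEAK lines, usable as a gate before "service sshd restart"
weak_count() {
    audit_sshd_config "$1" | grep -c '^WEAK' || true
}

# Demo on a constructed config that still allows password logins as root
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
# constructed sshd_config for the demo
Port 22
PermitRootLogin yes
#PasswordAuthentication no
PubkeyAuthentication yes
EOF
audit_sshd_config "$demo_cfg"
echo "weak settings: $(weak_count "$demo_cfg")"   # 3
```

The commented-out line in the demo is the classic mistake: a directive that is still a comment falls back to the default, and for PasswordAuthentication that default is yes. Before the restart in the notes above, run `sudo sshd -t` (or `sshd -t -f /path/to/sshd_config`) to catch syntax errors, and keep the current session open until a fresh login succeeds.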


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Other commands



ssh-add -l                          # list fingerprints of loaded identities
ssh-add /path/to/private_key
ssh-add -d /path/to/private_key
ssh-add -D                          # remove all identities from the agent

# chain through an intermediate host (-tt forces a tty so the inner ssh gets a terminal)
ssh -tt user@ip1 ssh -tt user2@ip2


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Using SSH SOCKS Proxy to Browse the Web Safely


• Prerequisites:
◇ An existing SSH server, accessible from the Internet
◇ Client public key installed on the SSH server
• Protect your privacy if you're connected to the Internet over public Wi-Fi
• Client → SSH Server → Internet

# On server
sudo nano /etc/ssh/sshd_config
# In the file, uncomment Port 22 and change it to:
Port 443
# Restart service
sudo service sshd restart


# On client
# Set up the SSH tunnel
ssh -N -D 8080 user@server_address -p 443
## -N: do not run a remote command (no login shell)
## -D: dynamic port forwarding; start a SOCKS proxy on local port 8080

# Set up browser
## SOCKS Host: 127.0.0.1, Port: 8080


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SSH Aliases & SSH Config File



cat /etc/ssh/ssh_config             # system-wide config file
nano ~/.ssh/config                  # user config file
                                    # does not exist by default


# Sample user config file
# (ssh_config rejects trailing text after a value as "garbage at end of line",
#  so comments go on their own lines)
Host *
        # seconds
        ServerAliveInterval 300
        ServerAliveCountMax 2

Host lxc
        HostName 10.0.3.152
        User jdenton
        Port 1999
        # optional
        IdentityFile ~/.ssh/alternate.key

# ssh local forwarding
Host webdev
        HostName Internet-facing.machine.com
        LocalForward 8080 192.168.80.3:80
        # allow other hosts to connect to the forwarded local port
        # (this exposes the forward to the network; leave off if only you need it)
        GatewayPorts yes


Local forwarding


• make a port on the remote side reachable through a local port
• localhost:8080 → Internet-facing.machine.com (SSH) → 192.168.80.3:80 (the LocalForward target of the webdev alias)

Remote forwarding


• make a port of the local machine reachable from the remote machine

# Using ssh alias
ssh lxc
ssh -f -N webdev                    # ssh local forwarding
## -f: go to background after authentication
## -N: do not run a remote command (no login shell)
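Added example (not part of these notes): an awk-based resolver that shows which values ssh ends up using for an alias from ~/.ssh/config. It models the rules in ssh_config(5) that matter most for the sample file above: lines before the first Host apply to every host, a Host line takes glob patterns with "!" negating one, and for each keyword the first value obtained wins (IdentityFile and LocalForward accumulate instead). Match blocks and Include are not modelled; the function names and the demo config are mine. The real command for this check is `ssh -G alias`, which prints the effective configuration.

```shell
#!/bin/sh
# Added example (not part of the original notes): a resolver that shows which
# values ssh picks for an alias from ~/.ssh/config. Rules modelled, as described
# in ssh_config(5): lines before the first Host apply to every host; a Host line
# takes glob patterns and "!" negates one; for each keyword the FIRST value
# obtained wins, except IdentityFile and LocalForward, which accumulate.
# Match blocks and Include are not modelled (assumption). The real tool for
# this check is "ssh -G alias", which prints the effective configuration.

resolve_ssh_host() {   # $1 = config file, $2 = alias; prints "keyword value" lines
    awk -v alias="$2" '
    function glob2re(p,   r) {
        r = p
        gsub(/[][+.^$()|{}]/, "\\\\&", r)   # escape regex metacharacters
        gsub(/\*/, ".*", r)
        gsub(/\?/, ".", r)
        return "^" r "$"
    }
    # Does the current "Host pat1 pat2 ..." line match the alias?
    function block_matches(   i, pat, neg, hit) {
        hit = 0
        for (i = 2; i <= NF; i++) {
            pat = $i; neg = 0
            if (substr(pat, 1, 1) == "!") { neg = 1; pat = substr(pat, 2) }
            if (alias ~ glob2re(pat)) {
                if (neg) return 0          # a negated pattern excludes the host
                hit = 1
            }
        }
        return hit
    }
    BEGIN { active = 1; multi["identityfile"] = 1; multi["localforward"] = 1 }
    /^[[:space:]]*(#|$)/ { next }
    {   # keyword in lower case, value = rest of the line without surrounding blanks
        k = tolower($1)
        v = $0
        sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "", v)
        sub(/[[:space:]]+$/, "", v)
    }
    k == "host"  { active = block_matches(); next }
    k == "match" { active = 0; next }       # Match blocks: not modelled
    !active      { next }
    (k in multi) {                          # accumulating keywords
        if (!(k in seen)) { seen[k] = 1; order[++n] = k }
        out[k] = out[k] k " " v "\n"
        next
    }
    !(k in seen) { seen[k] = 1; order[++n] = k; out[k] = k " " v "\n" }
    END {
        if (!("hostname" in seen)) printf "hostname %s\n", alias
        if (!("port" in seen))     printf "port 22\n"
        for (i = 1; i <= n; i++) printf "%s", out[order[i]]
    }' "$1"
}

# Value(s) of one lower-case keyword for an alias, one per line (empty if unset)
ssh_setting() {   # $1 = config file, $2 = alias, $3 = keyword
    resolve_ssh_host "$1" "$2" | awk -v k="$3" '$1 == k { sub(/^[^ ]+ /, ""); print }'
}

# Demo on a constructed config. Note the pitfall: "User admin" under "Host *"
# at the TOP wins over "User jdenton" in the lxc block, because the first
# value obtained is used; general defaults belong at the END of the file.
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
Host *
    User admin
    ServerAliveInterval 300

Host lxc
    HostName 10.0.3.152
    User jdenton
    Port 1999
    IdentityFile ~/.ssh/alternate.key

Host webdev
    HostName Internet-facing.machine.com
    LocalForward 8080 192.168.80.3:80

Host *.internal !bastion.internal
    ProxyJump bastion.internal
EOF
resolve_ssh_host "$demo_cfg" lxc                     # user admin, hostname 10.0.3.152, port 1999, ...
ssh_setting "$demo_cfg" db.internal proxyjump        # bastion.internal
ssh_setting "$demo_cfg" bastion.internal proxyjump   # (nothing: excluded by "!")
```

The sample config in the notes keeps only keepalive settings under `Host *`, which is safe at the top; the moment a `User`, `IdentityFile` or `ProxyJump` goes into a leading `Host *`, it silently overrides the per-host entries below it, and `ssh -G alias` is the quickest way to see what actually took effect.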


Further Reading


man ssh_config
Port Forwarding Explained
