Openssh usage
Authorization
SSH keys
ssh-keygen -t edd25519 # create private key ssh-keygen -y -f ~/.ssh/key # public key from private key ssh-keygen -E md5 -lf ~/.ssh/key.pub # fingerprint of puplic keyknown_hosts
The
~/.ssh/known_hosts
file contains public keys of the servers you are connecting to.# a known_hosts pubkey (remote) cat /etc/ssh/ssh_host_ecdsa_key.pub # set remote host as verified (local) # (note: ip-addresses and URLs must be separate entries) echo "$host_ipaddr $known_hosts_key" \ >> ~/.ssh/known_hostsAlternatively, from the client you can accept the host.
This is a bad security practice, but no worse than blindly trusting at an ssh prompt.ssh-keyscan -H -t rsa ip_or_ipalias >> ~/.ssh/known_hosts
ssh
The documentation is pretty straightforward
ssh -p 22 user@host
tunneling
port forwarding (incl 3-party) https://www.linuxschoolonline.com/ssh-port-forwarding-advanced-usage/ ssh tunnel
Forward arbitrary TCP ports, so they are accessible on another machine.
Params summary:-R 2222:localhost:22 # push local 2222 -> remote 22 -L 2222:localhost:22 # pull remote 2222 -> local 22 -NT # do not execute a command -L ... -L ... # multiple -L/-R params are allowedForward Port (Using middleman with public-ip)
# forward local port to remote port ssh -R 2222:localhost:22 -p 8888 user@remotehost # forward port 22 on remotehost's 2222 ssh -p 2222 user@remotehostRDP over SSH (using middleman with public-ip)
Using a server with a public-ip as a middle-man.# on remote server ssh -R 3389:localhost:3389 -N <server-with-public-ip> # on my workstation # (get user's domain: `net user <userName> /domain` ) rdesktop -P -z -x 1 -r sound:off -g 1440x900 \ -u 'domain\\willp' \ -p 'mypassword' <server-with-public-ip>systemd service (optional)
This excellent tutorial shows how to create a configurable SSH tunnel service in systemd: https://gist.github.com/drmalex07/c0f9304deea566842490# /etc/systemd/system/secure-tunnel@.service [Unit] Description=Setup a secure tunnel to %I After=network.target [Service] Environment="LOCAL_ADDR=localhost" EnvironmentFile=/etc/default/secure-tunnel@%i ExecStart=/usr/bin/ssh -NT -o ServerAliveInterval=60 -o ExitOnForwardFailure=yes -L ${LOCAL_ADDR}:${LOCAL_PORT}:localhost:${REMOTE_PORT} ${TARGET} # Restart every >2 seconds to avoid StartLimitInterval failure RestartSec=5 Restart=always [Install] WantedBy=multi-user.target
Configure a connection# /etc/default/secure-tunnel@jupiter TARGET=jupiter LOCAL_ADDR=0.0.0.0 LOCAL_PORT=20022 REMOTE_PORT=22
Use service!systemctl start secure-tunnel@jupiter.servicesocks proxy
TODO:
routing table to route DNS + htttp/https through socks proxy, while disabling everything else.
You can tunnel your web-browser's traffic through SSH.
(SSH over port 22, listen locally on 1337)ssh -D 1337 -q -C -N user@remoteserver # create socks proxyConfigure your request to use the socks proxy
curl
curl -x socks5h://localhost:2222 -v -k -X GET https://domain.com
firefox
firefox: - download plugin: FoxyProxy - FoxyProxy > options: - proxy-type: socks5 - ip: 127.0.0.1 - port: 1137youtube-dl
youtube-dl --proxy socks5://127.0.0.1:222 https://youtube.com/foo/bar
see excellent tutorial: https://ma.ttias.be/socks-proxy-linux-ssh-bypass-content-filters/