OpenSSH usage

Authorization

SSH keys

ssh-keygen -t ed25519                 # create key pair (private key + .pub)
ssh-keygen -y -f ~/.ssh/key           # public key from private key
ssh-keygen -E md5 -lf ~/.ssh/key.pub  # fingerprint of public key

known_hosts

The ~/.ssh/known_hosts file contains public keys of the servers you are connecting to.

# a known_hosts pubkey (remote)
cat /etc/ssh/ssh_host_ecdsa_key.pub

# set remote host as verified (local)
# (note: ip-addresses and URLs must be separate entries)
echo "$host_ipaddr $known_hosts_key" \
  >> ~/.ssh/known_hosts

Alternatively, you can accept the host key from the client with ssh-keyscan.
This is a bad security practice because the scanned key is not verified, but it is no worse than blindly trusting at an ssh prompt.

ssh-keyscan -H -t rsa ip_or_ipalias  >> ~/.ssh/known_hosts
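
One way to close the gap between the two approaches above is to pin the fingerprint read on the server (`ssh-keygen -lf /etc/ssh/ssh_host_*_key.pub`) and only keep scanned lines that match it. This is an added example, not part of the original notes; the function names and all sample keys and addresses are constructed for illustration.

```python
import base64
import hashlib
import struct


def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def verified_entries(scan_output: str, pinned: str) -> list:
    """Return only the ssh-keyscan lines whose key matches the pinned fingerprint."""
    accepted = []
    for line in scan_output.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # blank lines and banner comments
            continue
        fields = line.split()                  # host(s) or |1|hash, key type, key blob
        if len(fields) < 3:
            continue
        try:
            if fingerprint(fields[2]) == pinned:
                accepted.append(line)
        except ValueError:                     # malformed base64 in the key field
            continue
    return accepted


def _ed25519_blob(raw: bytes) -> str:
    """Constructed sample key in SSH wire format (not a real host key)."""
    name = b"ssh-ed25519"
    wire = struct.pack(">I", len(name)) + name + struct.pack(">I", len(raw)) + raw
    return base64.b64encode(wire).decode()


# Constructed sample data: the key as read on the server console, and a scan
# result in which a second, unexpected key also answered for the same address.
SERVER_KEY = _ed25519_blob(bytes(range(32)))
OTHER_KEY = _ed25519_blob(bytes(range(1, 33)))
PINNED = fingerprint(SERVER_KEY)
SCAN = (
    "# 192.0.2.10:22 SSH-2.0-OpenSSH_9.6\n"
    f"192.0.2.10 ssh-ed25519 {SERVER_KEY}\n"
    f"192.0.2.10 ssh-ed25519 {OTHER_KEY}\n"
)

if __name__ == "__main__":
    for entry in verified_entries(SCAN, PINNED):
        print(entry)   # only these lines belong in ~/.ssh/known_hosts
```

The check reads only the key field, so it works the same for hashed (`-H`) host names and for any key type.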

ssh

The documentation is pretty straightforward

ssh -p 22 user@host

tunneling

port forwarding (incl 3-party) https://www.linuxschoolonline.com/ssh-port-forwarding-advanced-usage/

ssh tunnel

Forward arbitrary TCP ports, so they are accessible on another machine.
Params summary:

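-R 2222:localhost:22  # remote port 2222 -> local  port 22 (listener on the remote host)
-L 2222:localhost:22  # local  port 2222 -> remote port 22 (listener on the local host)
-NT                   # -N: do not execute a remote command, -T: do not allocate a tty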

-L ... -L ...         # multiple -L/-R params are allowed

Forward Port (Using middleman with public-ip)

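# forward local port to remote port
ssh -R 2222:localhost:22 -p 8888 user@remotehost   # expose local port 22 as port 2222 on remotehost
# connect back through the tunnel (user is an account on the machine that opened it);
# from a third machine this needs GatewayPorts enabled in remotehost's sshd_config,
# because by default the forwarded port listens on remotehost's loopback only
ssh -p 2222 user@remotehost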

RDP over SSH (using middleman with public-ip)


Using a server with a public-ip as a middle-man.

# on remote server
ssh -R 3389:localhost:3389 -N <server-with-public-ip>

# on my workstation
# (get user's domain:  `net user <userName> /domain` )
# (a password given with -p is visible in ps and shell history; `-p -` reads it from stdin)
rdesktop -P -z -x 1 -r sound:off -g 1440x900 \
    -u 'domain\willp' \
    -p 'mypassword' <server-with-public-ip>

systemd service (optional)


This excellent tutorial shows how to create a configurable SSH tunnel service in systemd: https://gist.github.com/drmalex07/c0f9304deea566842490

# /etc/systemd/system/secure-tunnel@.service
[Unit]
Description=Setup a secure tunnel to %I
After=network.target

[Service]
Environment="LOCAL_ADDR=localhost"
EnvironmentFile=/etc/default/secure-tunnel@%i
ExecStart=/usr/bin/ssh -NT -o ServerAliveInterval=60 -o ExitOnForwardFailure=yes -L ${LOCAL_ADDR}:${LOCAL_PORT}:localhost:${REMOTE_PORT} ${TARGET}

# Restart every >2 seconds to avoid StartLimitInterval failure
RestartSec=5
Restart=always

[Install]
WantedBy=multi-user.target


Configure a connection

# /etc/default/secure-tunnel@jupiter
TARGET=jupiter
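# 0.0.0.0 exposes the forwarded port on every interface; use localhost unless other machines must reach it
LOCAL_ADDR=0.0.0.0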
LOCAL_PORT=20022
REMOTE_PORT=22


Use service!

systemctl start secure-tunnel@jupiter.service

socks proxy

TODO:

routing table to route DNS + http/https through socks proxy, while disabling everything else.

You can tunnel your web-browser's traffic through SSH.
(SSH over port 22, listen locally on 1337)

ssh -D 1337 -q -C -N user@remoteserver   # create socks proxy

Configure your request to use the socks proxy

curl


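# socks5h resolves DNS through the proxy; -k disables TLS certificate verification, drop it outside of testing
curl -x socks5h://localhost:1337 -v -k -X GET https://domain.com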


firefox


firefox:
    - download plugin: FoxyProxy
    - FoxyProxy > options:
        - proxy-type: socks5
        - ip: 127.0.0.1
        - port: 1337

youtube-dl


youtube-dl --proxy socks5://127.0.0.1:1337  https://youtube.com/foo/bar


see excellent tutorial: https://ma.ttias.be/socks-proxy-linux-ssh-bypass-content-filters/