Contents

  1. Usage
    1. Generate key
    2. Install publickey on remote server
    3. copy files
  2. Tunneling
    1. SOCKS5
    2. Portforwarding
  3. Config
    1. Server config
      1. Secure algorithms
      2. Restricted shell
    2. Client config
  4. Using SSH key to directly encrypt small files
    1. Encryption
    2. Decryption

Usage

Generate key

To generate a SSH key, 

ssh-keygen -t ed25519

Install publickey on remote server

To copy a publickey to the remote user's authorized-keys file 

ssh-copy-id -i <identity file> username@remoteserver.com

copy files

Make a copy of one file is extremely faster than a lot of little files. To tar a (big) directory and stream it as one file to the other site: 

tar -zc map | ssh user@server "cat > ~/file.tar.gz"

Or unpack at the other side: 

tar -zc map | ssh user@server "tar -zx -C /destination"

Tunneling

SOCKS5

Connect to a server and use a SOCKS5 proxy on local port 8080. 

ssh -D8080 user@server.name

Portforwarding

Redirect a port on a remote server to your local host. 

nwdiag is invalid diag type or not implemented yet.

ssh -L8080:internal.server:80 user@external.server

Config

Server config

Secure algorithms

Add the following to the /etc/ssh/sshd_config file to restrict broken and misused ciphers. For up-to-date ciphers, check the IETF page 

PubkeyAcceptedKeyTypes ssh-ed25519,rsa-sha2-512
KexAlgorithms          curve25519-sha256@libssh.org
Ciphers                chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs                   hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com

Restricted shell

This example shows us a ssh server where you can login, but have no rights at all to do anything, except restricted portforwarding. AllowTcpForwarding has to be enabled for the use of PermitOpen. 

Match User testuser
   AllowTcpForwarding yes
   X11Forwarding no
   PermitTunnel no
   GatewayPorts no
   AllowAgentForwarding no
   PermitOpen localhost:80
   ForceCommand read -p "Press enter to exit"

Client config

The configfile for your client is located in ~/.ssh/config. Always place your default config on top. SSH works on last-know-is-true basis. 

Host *
   serveraliveinterval 60
   forwardagent yes
   VerifyHostKeyDNS yes
   KexAlgorithms curve25519-sha256@libssh.org
   Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
   MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
   AddKeysToAgent yes
   UseKeychain yes
   IdentityFile ~/.ssh/id_ed25519

This is an example of a special host config. All of the above used default options can also be used in the host specific config. 

Host server
   hostname 1.2.3.4
   user username
   port 2222
   verifyhostkeydns no
   LocalForward 8443 localhost:443

Using SSH key to directly encrypt small files

Unfortunally, openssl does not understand the openssl key format, so we'll have to convert both our public ánd private key to PEM.

Encryption

ssh-keygen -f ~/.ssh/id_rsa.pub -e -m PKCS8 > id_rsa.pem.pub
openssl rsautl -encrypt -pubin -inkey id_rsa.pem.pub -ssl -in message.txt -out encrypted-message.txt.enc

Decryption

Warning: this ssh-keygen command replaces the key file. Make a copy of the key first. 

ssh-keygen -p -f id_rsa_copy -m pem
openssl rsautl -decrypt -inkey id_rsa_copy -in encrypted-message.txt.enc -out decrypted-message.txt

Howto/SSH (last edited 2022-04-28 14:06:51 by Burathar)