Revision 28 as of 2022-04-28 14:06:51
Usage
Generate key
To generate an SSH key:
ssh-keygen -t ed25519
Install public key on remote server
To copy a public key into the remote user's authorized_keys file:
ssh-copy-id -i <identity file> username@remoteserver.com
Copy files
Copying one large file is much faster than copying a lot of small files. To tar a (big) directory and stream it as one file to the other site:
tar -zc map | ssh user@server "cat > ~/file.tar.gz"
Or unpack at the other side:
tar -zc map | ssh user@server "tar -zx -C /destination"
Tunneling
SOCKS5
Connect to a server and open a SOCKS5 proxy on local port 8080:
ssh -D8080 user@server.name
Port forwarding
Forward a port on a remote server to your local host:
ssh -L8080:internal.server:80 user@external.server
Config
Server config
Secure algorithms
Add the following to the /etc/ssh/sshd_config file to disable broken and misused algorithms. For up-to-date algorithms, check the IETF page: https://datatracker.ietf.org/doc/draft-ietf-curdle-ssh-kex-sha2/
PubkeyAcceptedKeyTypes ssh-ed25519,rsa-sha2-512
KexAlgorithms curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
Restricted shell
This example shows an SSH server configuration where a user can log in but has no rights to do anything except restricted port forwarding. AllowTcpForwarding has to be enabled for PermitOpen to take effect.
Match User testuser
    AllowTcpForwarding yes
    X11Forwarding no
    PermitTunnel no
    GatewayPorts no
    AllowAgentForwarding no
    PermitOpen localhost:80
    ForceCommand read -p "Press enter to exit"
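The two sshd_config rules above (the algorithm allowlist, and the requirement that AllowTcpForwarding be enabled for PermitOpen to apply) can be checked mechanically before a config is deployed. The following is an added example and not code from this wiki page; the function names and the two inline sample configs are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the wiki page): lint an sshd_config fragment against the
# algorithm lists recommended above and the PermitOpen/AllowTcpForwarding rule
# from the restricted-shell example. Function names and samples are assumptions.

# Allowed algorithms, taken from the page's recommended sshd_config lines.
ALLOWED_KEX="curve25519-sha256@libssh.org"
ALLOWED_CIPHERS="chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr"
ALLOWED_MACS="hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com"

# Print every algorithm in a directive that is not in the allowlist.
# Args: config text, directive name, allowlist (comma-separated). Returns 1 if any found.
check_algos() {
  printf '%s\n' "$1" | awk -v key="$2" -v allow="$3" '
    BEGIN { n = split(allow, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    tolower($1) == tolower(key) {
      m = split($2, v, ",")
      for (j = 1; j <= m; j++) if (!(v[j] in ok)) { print key ": " v[j]; bad = 1 }
    }
    END { exit (bad ? 1 : 0) }'
}

# Every Match block that sets PermitOpen must also set AllowTcpForwarding yes,
# otherwise the PermitOpen restriction never takes effect. Returns 1 on violation.
check_permitopen() {
  printf '%s\n' "$1" | awk '
    function flush() { if (po && !tcp) { print "PermitOpen without AllowTcpForwarding yes in: " blk; bad = 1 } }
    tolower($1) == "match" { flush(); blk = $0; po = 0; tcp = 0; next }
    tolower($1) == "permitopen" { po = 1 }
    tolower($1) == "allowtcpforwarding" && tolower($2) == "yes" { tcp = 1 }
    END { flush(); exit (bad ? 1 : 0) }'
}

# Constructed sample: weak config (CBC cipher, SHA-1 MAC, PermitOpen without forwarding).
WEAK='Ciphers aes128-cbc,aes256-ctr
MACs hmac-sha1,hmac-sha2-512-etm@openssh.com
Match User testuser
PermitOpen localhost:80'

# Constructed sample: the hardened form, following the recommendations on this page.
HARDENED='Ciphers chacha20-poly1305@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com
Match User testuser
AllowTcpForwarding yes
PermitOpen localhost:80'

lint_config() {  # run all checks on one config text; prints findings, returns 1 if any
  local rc=0
  check_algos "$1" KexAlgorithms "$ALLOWED_KEX" || rc=1
  check_algos "$1" Ciphers "$ALLOWED_CIPHERS" || rc=1
  check_algos "$1" MACs "$ALLOWED_MACS" || rc=1
  check_permitopen "$1" || rc=1
  return $rc
}
```

Run `lint_config "$(cat /etc/ssh/sshd_config)"` to check a real file; a clean run returns 0 and prints nothing.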
Client config
The config file for your client is located in ~/.ssh/config. Always place your default config on top. SSH works on a last-known-is-true basis.
Host *
    serveraliveinterval 60
    forwardagent yes
    VerifyHostKeyDNS yes
    KexAlgorithms curve25519-sha256@libssh.org
    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
    AddKeysToAgent yes
    UseKeychain yes
    IdentityFile ~/.ssh/id_ed25519
This is an example of a host-specific config. All of the default options used above can also be set in a host-specific config.
Host server
    hostname 1.2.3.4
    user username
    port 2222
    verifyhostkeydns no
    LocalForward 8443 localhost:443
Using an SSH key to directly encrypt small files
Unfortunately, openssl does not understand the OpenSSH key format, so we have to convert both our public and private key to PEM.
Encryption
ssh-keygen -f ~/.ssh/id_rsa.pub -e -m PKCS8 > id_rsa.pem.pub
openssl rsautl -encrypt -pubin -inkey id_rsa.pem.pub -ssl -in message.txt -out encrypted-message.txt.enc
Decryption
Warning: this ssh-keygen command replaces the key file. Make a copy of the key first.
ssh-keygen -p -f id_rsa_copy -m pem
openssl rsautl -decrypt -inkey id_rsa_copy -in encrypted-message.txt.enc -out decrypted-message.txt