Differences between revisions 15 and 22 (spanning 7 versions)
Revision 15 as of 2020-03-07 11:25:13
Size: 2249
Editor: Sciuro
Comment:
Revision 22 as of 2021-02-03 18:41:35
Size: 2662
Editor: Burathar
Comment: Fix indentation
Deletions are marked like this. Additions are marked like this.
Line 1: Line 1:
## page was renamed from Howto/Ssh
#acl All:read
Line 6: Line 4:

= Usage =
== Generate key ==
To generate a SSH key,
{{{
ssh-keygen -t ed25519
}}}

== copy files ==
Make a copy of one file is extremely faster than a lot of little files. To tar a (big) directory and stream it as one file to the other site:
{{{
tar -zc map | ssh user@server "cat > ~/file.tar.gz"
}}}

Or unpack at the other side:
{{{
tar -zc map | ssh user@server "tar -zx -C /destination"
}}}
Line 36: Line 52:
=== Secure algorithms ===
Line 43: Line 60:
== Client config ==
The configfile for your client is located in ''~/.ssh/config''. Always place your default config on top. SSH works on last-know-is-true basis.

{{{
Host *
    serveraliveinterval 60
    forwardagent yes
    VerifyHostKeyDNS yes
    KexAlgorithms curve25519-sha256@libssh.org
    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
    AddKeysToAgent yes
    UseKeychain yes
    IdentityFile ~/.ssh/id_ed25519
}}}

This is an example of a special host config. All of the above used default options can also be used in the host specific config.
{{{
Host server
  hostname 1.2.3.4
  user username
  port 2222
  LocalForward 8443 localhost:443
}}}

== Restricted shell ==		 === Restricted shell ===
Line 80: Line 72:

== Client config ==
The configfile for your client is located in ''~/.ssh/config''. Always place your default config on top. SSH works on last-know-is-true basis.

{{{
Host *
   serveraliveinterval 60
   forwardagent yes
   VerifyHostKeyDNS yes
   KexAlgorithms curve25519-sha256@libssh.org
   Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
   MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
   AddKeysToAgent yes
   UseKeychain yes
   IdentityFile ~/.ssh/id_ed25519
}}}

This is an example of a special host config. All of the above used default options can also be used in the host specific config.
{{{
Host server
   hostname 1.2.3.4
   user username
   port 2222
   verifyhostkeydns no
   LocalForward 8443 localhost:443
}}}

Contents

  1. Usage
    1. Generate key
    2. copy files
  2. Tunneling
    1. SOCKS5
    2. Portforwarding
  3. Config
    1. Server config
      1. Secure algorithms
      2. Restricted shell
    2. Client config

Usage

Generate key

To generate a SSH key, 

ssh-keygen -t ed25519

copy files

Make a copy of one file is extremely faster than a lot of little files. To tar a (big) directory and stream it as one file to the other site: 

tar -zc map | ssh user@server "cat > ~/file.tar.gz"

Or unpack at the other side: 

tar -zc map | ssh user@server "tar -zx -C /destination"

Tunneling

SOCKS5

Connect to a server and use a SOCKS5 proxy on local port 8080. 

ssh -D8080 user@server.name

Portforwarding

Redirect a port on a remote server to your local host. 

nwdiag is invalid diag type or not implemented yet.

ssh -L8080:internal.server:80 user@external.server

Config

Server config

Secure algorithms

Add the following to the /etc/ssh/sshd_config file to restrict broken and misused ciphers. 

KexAlgorithms curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com

Restricted shell

This example shows us a ssh server where you can login, but have no rights at all to do anything, except restricted portforwarding. AllowTcpForwarding has to be enabled for the use of PermitOpen. 

Match User testuser
   AllowTcpForwarding yes
   X11Forwarding no
   PermitTunnel no
   GatewayPorts no
   AllowAgentForwarding no
   PermitOpen localhost:80
   ForceCommand read -p "Press enter to exit"

Client config

The configfile for your client is located in ~/.ssh/config. Always place your default config on top. SSH works on last-know-is-true basis. 

Host *
   serveraliveinterval 60
   forwardagent yes
   VerifyHostKeyDNS yes
   KexAlgorithms curve25519-sha256@libssh.org
   Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
   MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
   AddKeysToAgent yes
   UseKeychain yes
   IdentityFile ~/.ssh/id_ed25519

This is an example of a special host config. All of the above used default options can also be used in the host specific config. 

Host server
   hostname 1.2.3.4
   user username
   port 2222
   verifyhostkeydns no
   LocalForward 8443 localhost:443

Howto/SSH (last edited 2022-04-28 14:06:51 by Burathar)