Differences between revisions 18 and 27 (spanning 9 versions)
Revision 18 as of 2020-03-07 15:12:54
Size: 2457
Editor: Sciuro
Comment:
Revision 27 as of 2021-02-03 21:28:17
Size: 3042
Editor: Burathar
Comment:
Line 1: Line 1:
## page was renamed from Howto/Ssh
#acl All:read
Line 8: Line 6:
== Generate key ==
To generate a SSH key,
{{{
ssh-keygen -t ed25519
}}}
== Install publickey on remote server ==
To copy a publickey to the remote user's authorized-keys file
{{{
ssh-copy-id -i <identity file> username@remoteserver.com
}}}
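Review bot: the `ssh-copy-id -i <identity file>` line should say that it is the public key that gets installed: ssh-copy-id appends `.pub` when the given name lacks it, so `~/.ssh/id_ed25519` and `~/.ssh/id_ed25519.pub` both work, and with `-i` only that key is added rather than everything the agent holds. The `ssh-keygen -t ed25519` line is silent about the passphrase prompt; a sentence telling the reader to set one is worth adding, since an empty passphrase leaves the private key unencrypted on disk.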
Line 9: Line 18:
To tar a (big) directory and stream it to the other site: Make a copy of one file is extremely faster than a lot of little files. To tar a (big) directory and stream it as one file to the other site:
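Review bot: the new opening sentence is ungrammatical ("Make a copy of one file is extremely faster than a lot of little files"); suggest "Copying one file is much faster than copying a lot of little files."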
Line 11: Line 20:
tar -zc ./map | ssh user@server "cat > ~/file.tar.gz" tar -zc map | ssh user@server "cat > ~/file.tar.gz"
}}}

Or unpack at the other side:
{{{
tar -zc map | ssh user@server "tar -zx -C /destination"
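Review bot: the unpack variant `tar -zc map | ssh user@server "tar -zx -C /destination"` needs `/destination` to exist on the remote host already, because `-C` changes into the directory rather than creating it, and the archive recreates the `map` directory underneath it, so the files land in `/destination/map`; both points deserve a sentence next to the command. Dropping the `./` prefix from `tar -zc map` is fine and makes the member names cleaner.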
Line 45: Line 59:
For up-to-date ciphers, check [[https://datatracker.ietf.org/doc/draft-ietf-curdle-ssh-kex-sha2/ | the IETF page]]
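Review bot: the linked draft (draft-ietf-curdle-ssh-kex-sha2) covers key exchange methods only, so "For up-to-date ciphers" overstates what it contains; reword to "key exchange algorithms" and say that the Ciphers and MACs lines below are not taken from it. The draft has since been published as RFC 9142, which is the better link target.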
Line 46: Line 61:
KexAlgorithms curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
PubkeyAcceptedKeyTypes ssh-ed25519,rsa-sha2-512
KexAlgorithms          curve25519-sha256@libssh.org
Ciphers                chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs                   hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
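Review bot: the added `PubkeyAcceptedKeyTypes ssh-ed25519,rsa-sha2-512` line makes sshd reject every user key that is not ed25519 or RSA (ecdsa keys included), so the text should tell the reader to check the existing authorized_keys entries before restarting sshd, or users with other key types will be locked out; RSA keys keep working because rsa-sha2-512 is the signature algorithm used with ssh-rsa keys. Worth a note as well: OpenSSH 8.5 renamed this keyword to PubkeyAcceptedAlgorithms and keeps the old name as an alias.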
Line 69: Line 85:
  serveraliveinterval 60
    forwardagent yes
  VerifyHostKeyDNS yes
    KexAlgorithms curve25519-sha256@libssh.org
    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
  MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
    AddKeysToAgent yes
    UseKeychain yes
  IdentityFile ~/.ssh/id_ed25519
   serveraliveinterval 60
   forwardagent yes
   VerifyHostKeyDNS yes
   KexAlgorithms curve25519-sha256@libssh.org
   Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
   MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
   AddKeysToAgent yes
   UseKeychain yes
   IdentityFile ~/.ssh/id_ed25519
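Review bot: `forwardagent yes` under `Host *` forwards the agent to every server the user connects to, and anyone with root on such a server can use the forwarded keys for as long as the session lasts; move it into the specific Host blocks that need it. `UseKeychain yes` is a macOS-only keyword: on other OpenSSH builds it is a fatal "Bad configuration option", so if this file is shared across systems pair it with `IgnoreUnknown UseKeychain` placed above it. The indentation fix itself is fine.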
Line 83: Line 99:
  hostname 1.2.3.4
  user username
  port 2222
  verifyhostkeydns no
  LocalForward 8443 localhost:443
  hostname 1.2.3.4
   user username
   port 2222
  verifyhostkeydns no
  LocalForward 8443 localhost:443
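Review bot: `verifyhostkeydns no` here never takes effect: ssh uses the first obtained value for each option, and the `Host *` block in the previous hunk already sets `VerifyHostKeyDNS yes`, so host-specific blocks must come before `Host *`, contrary to the page's "Always place your default config on top" advice. With an IP literal in `hostname` there is no name for an SSHFP lookup anyway, so the first connection to this host relies on the known_hosts prompt; the text should say so.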

Usage

Generate key

To generate an SSH key:

ssh-keygen -t ed25519

Install publickey on remote server

To copy a public key to the remote user's authorized_keys file:

ssh-copy-id -i <identity file> username@remoteserver.com

Copy files

Copying one file is much faster than copying a lot of little files. To tar a (big) directory and stream it as one file to the other side:

tar -zc map | ssh user@server "cat > ~/file.tar.gz"

Or unpack at the other side:

tar -zc map | ssh user@server "tar -zx -C /destination"

Tunneling

SOCKS5

Connect to a server and use a SOCKS5 proxy on local port 8080.

ssh -D8080 user@server.name

Port forwarding

Forward local port 8080 to port 80 on internal.server, reached through external.server.


ssh -L8080:internal.server:80 user@external.server

Config

Server config

Secure algorithms

Add the following to the /etc/ssh/sshd_config file to restrict broken and misused ciphers. For up-to-date ciphers, check the IETF page (https://datatracker.ietf.org/doc/draft-ietf-curdle-ssh-kex-sha2/).

PubkeyAcceptedKeyTypes ssh-ed25519,rsa-sha2-512
KexAlgorithms          curve25519-sha256@libssh.org
Ciphers                chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs                   hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com

Restricted shell

This example shows an SSH server where the user can log in but has no rights to do anything except restricted port forwarding. AllowTcpForwarding must be enabled for PermitOpen to have any effect.

Match User testuser
   AllowTcpForwarding yes
   X11Forwarding no
   PermitTunnel no
   GatewayPorts no
   AllowAgentForwarding no
   PermitOpen localhost:80
   ForceCommand read -p "Press enter to exit"

Client config

The config file for your client is located in ~/.ssh/config. Always place your default config on top; SSH works on a last-known-is-true basis.

Host *
   serveraliveinterval 60
   forwardagent yes
   VerifyHostKeyDNS yes
   KexAlgorithms curve25519-sha256@libssh.org
   Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
   MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
   AddKeysToAgent yes
   UseKeychain yes
   IdentityFile ~/.ssh/id_ed25519
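The following audit script is an added example and not the wiki's own code: it checks an sshd_config from the Secure algorithms section, or the Host * block of a client config like the one above, against the KexAlgorithms, Ciphers, MACs and PubkeyAcceptedKeyTypes allow-lists the page gives, flagging missing options, relative (+/-/^) lists and any algorithm outside the list. The two sample config files it writes are constructed for the demonstration, and the function and variable names are my own.

```shell
# Added example, not the wiki page's own code: audit an sshd_config, or a client
# config's Host * block, against the page's algorithm allow-lists (sh, grep, awk).
ALLOWED_KEX="curve25519-sha256@libssh.org"
ALLOWED_CIPHERS="chacha20-poly1305@openssh.com aes256-gcm@openssh.com aes128-gcm@openssh.com aes256-ctr aes192-ctr aes128-ctr"
ALLOWED_MACS="hmac-sha2-512-etm@openssh.com hmac-sha2-256-etm@openssh.com umac-128-etm@openssh.com"
ALLOWED_PUBKEY="ssh-ed25519 rsa-sha2-512"
# in_list WORD "LIST": succeed if WORD is one of the space-separated LIST entries
in_list() { for w in $2; do [ "$w" = "$1" ] && return 0; done; return 1; }
# audit_file FILE [client]: print one line per finding; return 0 only if every
# option is present and every algorithm it lists is on the allow-list.
audit_file() {
    rc=0; opts="KexAlgorithms Ciphers MACs"
    [ "${2:-server}" = client ] || opts="$opts PubkeyAcceptedKeyTypes"
    for opt in $opts; do
        pat=$opt
        case $opt in
            KexAlgorithms) allowed=$ALLOWED_KEX ;;
            Ciphers)       allowed=$ALLOWED_CIPHERS ;;
            MACs)          allowed=$ALLOWED_MACS ;;
            *) allowed=$ALLOWED_PUBKEY; pat='PubkeyAccepted(KeyTypes|Algorithms)' ;; # renamed in 8.5
        esac
        # Keywords are case-insensitive and the first value read wins: use the first uncommented one.
        value=$(grep -iE "^[[:space:]]*$pat[[:space:]]" "$1" | head -n 1 | awk '{print $2}')
        if [ -z "$value" ]; then echo "MISSING  $opt (OpenSSH defaults apply)"; rc=1; continue; fi
        case $value in
            [+^-]*) echo "RELATIVE $opt $value (edits the default list, does not replace it)"; rc=1; continue ;;
        esac
        for alg in $(printf '%s' "$value" | tr ',' ' '); do
            in_list "$alg" "$allowed" || { echo "WEAK     $opt $alg"; rc=1; }
        done
    done
    return $rc
}
# Constructed sample configs for a stand-alone run: the page's own list, and a weak one.
TMP=$(mktemp -d); GOOD_CONF=$TMP/good; WEAK_CONF=$TMP/weak
cat > "$GOOD_CONF" <<'EOF'
PubkeyAcceptedKeyTypes ssh-ed25519,rsa-sha2-512
KexAlgorithms          curve25519-sha256@libssh.org
Ciphers                chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs                   hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
EOF
cat > "$WEAK_CONF" <<'EOF'
#Ciphers aes256-ctr
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group14-sha1
ciphers aes256-cbc,aes256-ctr
MACs +hmac-sha1
EOF
for f in "$GOOD_CONF" "$WEAK_CONF"; do
    echo "== $f"; audit_file "$f" && echo "OK: matches the allow-lists"
done
```

Run it against a client config with `audit_file ~/.ssh/config client`, which skips the PubkeyAcceptedKeyTypes check that the page's Host * block does not set.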

This is an example of a host-specific config. All of the default options used above can also be used in the host-specific config.

Host server
   hostname 1.2.3.4
   user username
   port 2222
   verifyhostkeydns no
   LocalForward 8443 localhost:443

Howto/SSH (last edited 2022-04-28 14:06:51 by Burathar)