Differences between revisions 2 and 12 (spanning 10 versions)
Revision 2 as of 2019-11-01 07:48:57
Size: 147
Editor: Sciuro
Revision 12 as of 2020-03-06 20:03:27
Size: 1579
Editor: Sciuro
## page was renamed from Howto/Ssh
#acl All:read
#lang en
<<TableOfContents()>>

= Tunneling =
Connect to a server and open a SOCKS5 proxy on local port 8080; connections sent to that proxy are tunnelled through the server.
{{{
ssh -D8080 user@server.name
}}}

Forward local port 8080 to port 80 on a host (internal.server) that is reachable only from the SSH server (external.server).

{{{#!diag
nwdiag {
  network internal {
  external.server;
  internal.server [address=80];
  }

  external.server -- internet;
  internet [shape = cloud];
  internet -- user;
}
}}}

{{{
ssh -L8080:internal.server:80 user@external.server
}}}

= Config =
== Server config ==
Add the following to the ''/etc/ssh/sshd_config'' file to restrict the key exchange, cipher and MAC algorithms to modern ones; broken or commonly misused ones (CBC ciphers, SHA-1 and MD5 MACs, the old DH groups) are then no longer offered. Check the file with ''sshd -t'' before restarting sshd, and make sure your clients support at least one entry from each list (''ssh -Q kex'', ''ssh -Q cipher'', ''ssh -Q mac'') so you do not lock yourself out.
{{{
KexAlgorithms curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
}}}

== Client config ==
This is an example of a personal config file in your ''.ssh/config''. With this entry, ''ssh server'' connects to 1.2.3.4 on port 2222 as ''username'' and forwards local port 8443 to port 443 on that server.
{{{
Host server
  hostname 1.2.3.4
  user username
  port 2222
  LocalForward 8443 localhost:443
}}}

= Examples =
== Restricted shell ==
This example shows an SSH server where the user can log in but has no rights to do anything except restricted port forwarding. AllowTcpForwarding has to be enabled for PermitOpen to take effect; PermitOpen then limits the destinations the user may forward to (here only localhost:80), and the server refuses forwards to anything else. ForceCommand replaces the login shell; it is executed by the user's login shell, so ''read -p'' needs a shell such as bash that supports it. A client keeps the tunnel open with ''ssh -N -L 8080:localhost:80 testuser@server''.
{{{
Match User testuser
   AllowTcpForwarding yes
   X11Forwarding no
   PermitTunnel no
   GatewayPorts no
   AllowAgentForwarding no
   PermitOpen localhost:80
   ForceCommand read -p "Press enter to exit"
}}}
Howto/SSH (last edited 2022-04-28 14:06:51 by Burathar)