Differences between revisions 23 and 27 (spanning 4 versions)
Revision 23 as of 2021-02-03 18:45:00
Size: 2835
Editor: Burathar
Comment:
Revision 27 as of 2021-02-03 21:28:17
Size: 3042
Editor: Burathar
Comment:
Deletions are marked like this. Additions are marked like this.
Line 59: Line 59:
For up-to-date ciphers, check [[https://datatracker.ietf.org/doc/draft-ietf-curdle-ssh-kex-sha2/ | the IETF page]]
Line 60: Line 61:
KexAlgorithms curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com		 PubkeyAcceptedKeyTypes ssh-ed25519,rsa-sha2-512
KexAlgorithms          curve25519-sha256@libssh.org
Ciphers                chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs                   hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com

Contents

  1. Usage
    1. Generate key
    2. Install publickey on remote server
    3. copy files
  2. Tunneling
    1. SOCKS5
    2. Portforwarding
  3. Config
    1. Server config
      1. Secure algorithms
      2. Restricted shell
    2. Client config

Usage

Generate key

To generate a SSH key, 

ssh-keygen -t ed25519

Install publickey on remote server

To copy a publickey to the remote user's authorized-keys file 

ssh-copy-id -i <identity file> username@remoteserver.com

copy files

Make a copy of one file is extremely faster than a lot of little files. To tar a (big) directory and stream it as one file to the other site: 

tar -zc map | ssh user@server "cat > ~/file.tar.gz"

Or unpack at the other side: 

tar -zc map | ssh user@server "tar -zx -C /destination"

Tunneling

SOCKS5

Connect to a server and use a SOCKS5 proxy on local port 8080. 

ssh -D8080 user@server.name

Portforwarding

Redirect a port on a remote server to your local host. 

nwdiag is invalid diag type or not implemented yet.

ssh -L8080:internal.server:80 user@external.server

Config

Server config

Secure algorithms

Add the following to the /etc/ssh/sshd_config file to restrict broken and misused ciphers. For up-to-date ciphers, check the IETF page 

PubkeyAcceptedKeyTypes ssh-ed25519,rsa-sha2-512
KexAlgorithms          curve25519-sha256@libssh.org
Ciphers                chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs                   hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com

Restricted shell

This example shows us a ssh server where you can login, but have no rights at all to do anything, except restricted portforwarding. AllowTcpForwarding has to be enabled for the use of PermitOpen. 

Match User testuser
   AllowTcpForwarding yes
   X11Forwarding no
   PermitTunnel no
   GatewayPorts no
   AllowAgentForwarding no
   PermitOpen localhost:80
   ForceCommand read -p "Press enter to exit"

Client config

The configfile for your client is located in ~/.ssh/config. Always place your default config on top. SSH works on last-know-is-true basis. 

Host *
   serveraliveinterval 60
   forwardagent yes
   VerifyHostKeyDNS yes
   KexAlgorithms curve25519-sha256@libssh.org
   Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
   MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
   AddKeysToAgent yes
   UseKeychain yes
   IdentityFile ~/.ssh/id_ed25519

This is an example of a special host config. All of the above used default options can also be used in the host specific config. 

Host server
   hostname 1.2.3.4
   user username
   port 2222
   verifyhostkeydns no
   LocalForward 8443 localhost:443

Howto/SSH (last edited 2022-04-28 14:06:51 by Burathar)