Differences between revisions 4 and 17 (spanning 13 versions)
Revision 4 as of 2019-12-10 11:39:29
Size: 691
Editor: Sciuro
Comment:
Revision 17 as of 2020-03-07 11:26:50
Size: 2301
Editor: Sciuro
Comment:
Line 1: Line 1:
#acl All: ## page was renamed from Howto/Ssh
#acl All:read
Line 6: Line 7:
== Config files ==
This is an example of a personal configfile in your ''.ssh/config''.
= Tunneling =
== SOCKS5 ==
Connect to a server and use a SOCKS5 proxy on local port 8080.
Line 9: Line 11:
Host server
  hostname 1.2.3.4
  user username
  port 2222
  LocalForward 8443 localhost:443
ssh -D8080 user@server.name
Line 16: Line 14:
== Restricted shell == == Portforwarding ==
Redirect a port on a remote server to your local host.

{{{#!diag
nwdiag {
  network internal {
  external.server;
  internal.server [address=80];
  }

  external.server -- internet;
  internet [shape = cloud];
  internet -- user;
}
}}}

{{{
ssh -L8080:internal.server:80 user@external.server
}}}

= Config =
== Server config ==
=== Secure algorithms ===
Add the following to the ''/etc/ssh/sshd_config'' file to restrict broken and misused ciphers.
{{{
KexAlgorithms curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
}}}

=== Restricted shell ===
Line 28: Line 56:

== Client config ==
The configfile for your client is located in ''~/.ssh/config''. Always place your default config on top. SSH works on last-know-is-true basis.

{{{
Host *
    serveraliveinterval 60
    forwardagent yes
    VerifyHostKeyDNS yes
    KexAlgorithms curve25519-sha256@libssh.org
    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
    AddKeysToAgent yes
    UseKeychain yes
    IdentityFile ~/.ssh/id_ed25519
}}}

This is an example of a special host config. All of the above used default options can also be used in the host specific config.
{{{
Host server
  hostname 1.2.3.4
  user username
  port 2222
  verifyhostkeydns no
  LocalForward 8443 localhost:443
}}}

= Tunneling =
== SOCKS5 ==
Connect to a server and let ssh act as a SOCKS5 proxy on local port 8080 (dynamic forwarding, ''-D''). Without an explicit bind address the listener is bound to the loopback interface only, so other machines on your network cannot use the proxy.
{{{
ssh -D8080 user@server.name
}}}
== Portforwarding ==
Forward local port 8080 to port 80 on internal.server, through external.server. The connection to internal.server is opened from external.server, so internal.server only has to be reachable from there, not from your own host.

(Network diagram: user -- internet (cloud) -- external.server -- internal network containing internal.server, port 80.)

{{{
ssh -L8080:internal.server:80 user@external.server
}}}
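Running the two commands above interactively ties the tunnel to a login session. The script below is an added example, not code from the Howto/SSH page: it keeps the tunnel as a background control-master connection that can be checked and closed, refuses to start it when a forward spec would bind the listener to something other than loopback, and uses ''-N'' and ''ExitOnForwardFailure'' so the connection carries only forwards and fails loudly if one cannot be set up. It assumes an OpenSSH client with ControlMaster support; user@server.name, external.server and internal.server are the page's placeholder names, and "loopback" is this script's own label for an absent bind address.

```shell
#!/bin/sh
# Added example, not code from the Howto/SSH page: manage a SOCKS proxy or a
# port forward as a background control-master connection, and check a forward
# spec for the mistake that matters most, binding the listener on an interface
# other than loopback. Assumptions: OpenSSH client with ControlMaster support;
# user@server.name, external.server and internal.server are placeholder names.

# bind_of_spec SPEC: print the bind address of a -L spec
# "[bind_address:]port:host:hostport" or a -D spec "[bind_address:]port".
# Prints "loopback" when no bind address is given, which is ssh's default.
# Limitation: a bare IPv6 literal as the destination host is not parsed.
bind_of_spec() {
  spec=$1
  case $spec in
    \[*\]:*)  tmp=${spec%%]:*}; printf '%s\n' "${tmp#\[}" ;;  # [::1]:8080:host:80
    *:*:*:*)  printf '%s\n' "${spec%%:*}" ;;                   # bind:port:host:hostport
    *:*:*)    printf 'loopback\n' ;;                           # port:host:hostport
    *:*)      printf '%s\n' "${spec%%:*}" ;;                   # bind:port (-D)
    *)        printf 'loopback\n' ;;                           # port (-D)
  esac
}

# binds_loopback SPEC: succeed if the listener stays on the loopback interface.
binds_loopback() {
  case $(bind_of_spec "$1") in
    loopback|localhost|127.0.0.1|::1) return 0 ;;
    *) return 1 ;;
  esac
}

# tunnel_up SOCKET DEST FORWARD_ARGS...: start a master connection in the
# background that carries only forwards (-N) and exits instead of silently
# running without them (ExitOnForwardFailure). Only -L/-D arguments are
# expected in FORWARD_ARGS; a spec that would expose the listener is refused
# before ssh is even started (return code 2).
tunnel_up() {
  sock=$1; dest=$2; shift 2
  for arg in "$@"; do
    case $arg in
      -L?*|-D?*) spec=${arg#-?} ;;   # joined form, e.g. -L8080:internal.server:80
      -*)        continue ;;         # -L/-D with the spec as the next argument
      *)         spec=$arg ;;
    esac
    binds_loopback "$spec" || { echo "refusing non-loopback forward: $spec" >&2; return 2; }
  done
  ssh -f -N -M -S "$sock" -o ExitOnForwardFailure=yes "$@" "$dest"
}

# tunnel_check SOCKET DEST / tunnel_down SOCKET DEST: ask the master whether it
# is still alive, or tell it to exit (its forwards close with it).
tunnel_check() { ssh -S "$1" -O check "$2"; }
tunnel_down()  { ssh -S "$1" -O exit "$2"; }

# Usage (needs a reachable server, so it is not run automatically):
#   tunnel_up ~/.ssh/ctl-socks user@server.name -D 8080
#   tunnel_up ~/.ssh/ctl-web user@external.server -L 8080:internal.server:80
#   curl --socks5-hostname 127.0.0.1:8080 http://example.org/
#   tunnel_check ~/.ssh/ctl-web user@external.server
#   tunnel_down ~/.ssh/ctl-web user@external.server
#   tunnel_up ~/.ssh/ctl-bad user@server.name -D 0.0.0.0:8080   # refused, never reaches ssh
if [ "${1:-}" = "--check" ]; then
  shift
  for s in "$@"; do
    if binds_loopback "$s"; then echo "ok   $s"; else echo "WARN $s binds to $(bind_of_spec "$s")"; fi
  done
fi
```

''ssh -O check'' and ''ssh -O exit'' talk to the master over the control socket, so a tunnel started this way can be torn down from a cron job or a logout hook without hunting for the PID.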

= Config =
== Server config ==
=== Secure algorithms ===
Add the following to ''/etc/ssh/sshd_config'' to restrict the server to modern algorithms: no CBC ciphers, no SHA-1 key exchange, and only encrypt-then-MAC message authentication. These are global directives and must appear before any Match block. Check the file with ''sshd -t'' before restarting, and compare the names with what your build supports (''ssh -Q kex'', ''ssh -Q cipher'', ''ssh -Q mac''): a name the build does not know makes sshd refuse to start, and a key exchange list this short means a client without curve25519 cannot connect at all.

{{{
# curve25519-sha256 is the standardised name of the libssh.org exchange (OpenSSH 7.4 and later)
KexAlgorithms curve25519-sha256@libssh.org,curve25519-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
}}}

=== Restricted shell ===
This example shows an sshd configuration for a user who can log in but do nothing except open the port forwards you allow. PermitOpen only takes effect when AllowTcpForwarding is yes, and ''localhost'' in PermitOpen is resolved on the server, so this user can reach the server's own port 80 and nothing else. Put the Match block after the global settings: every line after a Match line belongs to that block until the next Match, and global-only directives such as Ciphers, KexAlgorithms and MACs are rejected there. ForceCommand is run through the user's login shell, so ''read -p'' without a variable name needs bash; a client that only wants the forward should connect with ''-N'', which requests no session and therefore never runs the forced command at all.

{{{
Match User testuser
   AllowTcpForwarding yes
   X11Forwarding no
   PermitTunnel no
   GatewayPorts no
   AllowAgentForwarding no
   # only local forwards to the server's own port 80 are accepted
   PermitOpen localhost:80
   # interactive logins just wait; needs a login shell whose read accepts -p without a variable
   ForceCommand read -p "Press enter to exit"
}}}
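The two server-side sections above share a failure mode: the algorithm lines are global-only and break sshd if they end up after a Match block, and PermitOpen does nothing useful unless forwarding is actually allowed for that block. The linter below is an added example, not part of the Howto/SSH page, and serves both the "Secure algorithms" and the "Restricted shell" sections. It reads an sshd_config and reports weak algorithm names, global-only directives placed inside a Match block, and PermitOpen in a block whose effective AllowTcpForwarding does not permit local forwards. The weak-name patterns are this editor's own list, the "not allowed in Match" set is a subset of the directives sshd_config(5) excludes from Match blocks, and the two sample configs are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not part of the Howto/SSH page: a linter for the mistakes the
# "Secure algorithms" and "Restricted shell" sections invite, run over two
# constructed sshd_config samples so it works offline. Assumptions: the weak
# algorithm patterns are this editor's list, and the "not allowed in Match" set
# is a subset of the directives sshd_config(5) excludes from Match blocks.

# Algorithm names that should not appear in KexAlgorithms, Ciphers or MACs (ERE).
WEAK_RE='cbc$|^3des|arcfour|^diffie-hellman-group1-sha1$|^diffie-hellman-group14-sha1$|^diffie-hellman-group-exchange-sha1$|md5|^hmac-sha1$|^hmac-sha1-96$|^umac-64'

# lint_sshd_config: read an sshd_config on stdin, print one "finding: ..." line
# per problem; return 1 if anything was found, 0 if the file is clean.
# Checks: weak algorithms; global-only directives after a Match line (sshd -t
# rejects these); PermitOpen in a Match block whose effective AllowTcpForwarding
# is "no" or "remote". Only "keyword value" syntax is parsed, not "keyword=value".
lint_sshd_config() {
  awk -v weak="$WEAK_RE" '
  function finding(msg) { n++; print "finding: " msg }
  function leave_block() {                       # checks that need the whole Match block
    if (block == "") return
    eff = (fwd == "") ? global_fwd : fwd
    if (permitopen && (eff == "no" || eff == "remote"))
      finding("\047" block "\047 sets PermitOpen but AllowTcpForwarding is " eff)
  }
  BEGIN {
    n = 0; block = ""; global_fwd = "yes"          # sshd default for AllowTcpForwarding
    split("port listenaddress hostkey kexalgorithms ciphers macs subsystem", tmp, " ")
    for (i in tmp) notinmatch[tmp[i]] = 1
  }
  /^[ \t]*#/ || /^[ \t]*$/ { next }
  {
    key = tolower($1)
    if (key == "match") {                          # everything after this line belongs to the block
      leave_block()
      block = $0; sub(/^[ \t]+/, "", block)
      fwd = ""; permitopen = 0
      next
    }
    if (block != "" && (key in notinmatch))
      finding($1 " is not allowed inside \047" block "\047; move it above the first Match line")
    if (key == "kexalgorithms" || key == "ciphers" || key == "macs") {
      m = split($2, algs, ",")
      for (i = 1; i <= m; i++) if (algs[i] ~ weak) finding($1 " lists weak algorithm " algs[i])
    }
    if (key == "allowtcpforwarding") { if (block == "") global_fwd = tolower($2); else fwd = tolower($2) }
    if (key == "permitopen") permitopen = 1
  }
  END { leave_block(); exit (n > 0) }'
}

# Constructed sample 1: the algorithm lines were appended after the Match block,
# and the restricted user has PermitOpen but forwarding is globally off.
BAD_CONFIG='Port 22
AllowTcpForwarding no

Match User testuser
   X11Forwarding no
   PermitOpen localhost:80
   ForceCommand /bin/false

KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group14-sha1
Ciphers chacha20-poly1305@openssh.com,aes128-cbc
MACs hmac-sha2-512-etm@openssh.com,hmac-sha1'

# Constructed sample 2: the same directives in an order sshd accepts.
GOOD_CONFIG='Port 22
AllowTcpForwarding no
KexAlgorithms curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com

Match User testuser
   AllowTcpForwarding yes
   X11Forwarding no
   PermitOpen localhost:80
   ForceCommand /bin/false'

# Usage on a real server:   lint_sshd_config < /etc/ssh/sshd_config
# Run with --demo to lint the two constructed samples.
if [ "${1:-}" = "--demo" ]; then
  for cfg in "$BAD_CONFIG" "$GOOD_CONFIG"; do
    if printf '%s\n' "$cfg" | lint_sshd_config; then echo "clean"; fi
    echo "---"
  done
fi
```

The linter complements rather than replaces ''sshd -t'': sshd catches the misplaced directives but says nothing about weak algorithm choices or a PermitOpen line that can never be used.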

== Client config ==
The client reads ''~/.ssh/config''. ssh uses the first value it obtains for each option, so host-specific sections go at the top and the ''Host *'' defaults at the bottom; a ''Host *'' section placed first silently overrides every later host-specific setting of the same option (here ''VerifyHostKeyDNS''). Keywords are case-insensitive. Run ''ssh -G server'' to print the values ssh actually resolves for a host.

This is an example of a host-specific section. Any option used in the defaults can also be set here:
{{{
Host server
    HostName 1.2.3.4
    User username
    Port 2222
    VerifyHostKeyDNS no
    LocalForward 8443 localhost:443
}}}

The defaults, applied to every host for which no earlier section already set the option:
{{{
Host *
    ServerAliveInterval 60
    # agent forwarding lets a compromised server use your agent for as long as you are connected;
    # consider enabling it only in the sections of hosts you trust
    ForwardAgent yes
    # SSHFP records are only trusted when the resolver validates DNSSEC; otherwise they are advisory
    VerifyHostKeyDNS yes
    KexAlgorithms curve25519-sha256@libssh.org,curve25519-sha256
    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
    AddKeysToAgent yes
    # UseKeychain exists only on macOS; IgnoreUnknown keeps the same file loadable elsewhere
    IgnoreUnknown UseKeychain
    UseKeychain yes
    IdentityFile ~/.ssh/id_ed25519
}}}
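The ordering rule is easy to get backwards, so here is a small model of it as an added example, not code from the Howto/SSH page: a shell function that resolves an option the way ssh does, by taking the first value found in a section that applies to the host. It follows ssh_config(5) in that the first obtained value wins and keywords are case-insensitive, but only models ''Host'' lines with literal names or ''*'' (no Match, wildcards, negation or ''key=value'' syntax), and the two configs it runs on are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the Howto/SSH page: a small model of how ssh
# picks option values from ~/.ssh/config, to show why section order matters.
# Assumptions: first obtained value wins and keywords are case-insensitive
# (ssh_config(5)); only "Host" lines with literal names or "*" are modelled.
# The two configs below are constructed for the demonstration.

# resolve_option CONFIG HOST OPTION: print the value ssh would use for OPTION
# when connecting to HOST, or nothing if no applicable section sets it.
resolve_option() {
  printf '%s\n' "$1" | awk -v host="$2" -v want="$(printf '%s' "$3" | tr 'A-Z' 'a-z')" '
    BEGIN { active = 1 }                        # lines before any Host apply everywhere
    /^[ \t]*#/ || /^[ \t]*$/ { next }           # comments and blank lines
    {
      key = tolower($1)
      if (key == "host") {                      # a Host line may list several patterns
        active = 0
        for (i = 2; i <= NF; i++) if ($i == "*" || $i == host) active = 1
        next
      }
      if (active && key == want) {
        sub(/^[ \t]*[^ \t]+[ \t]+/, "")         # drop the keyword, keep the value
        print
        exit                                    # first obtained value wins
      }
    }'
}

# The order the wiki suggested: defaults first. The host-specific
# VerifyHostKeyDNS below is never reached for "server".
DEFAULTS_FIRST='Host *
    VerifyHostKeyDNS yes
    ServerAliveInterval 60

Host server
    HostName 1.2.3.4
    Port 2222
    VerifyHostKeyDNS no'

# The order ssh_config(5) recommends: specific sections first, defaults last.
HOST_FIRST='Host server
    HostName 1.2.3.4
    Port 2222
    VerifyHostKeyDNS no

Host *
    VerifyHostKeyDNS yes
    ServerAliveInterval 60'

# demo: show what each layout yields for host "server".
demo() {
  printf 'defaults first: VerifyHostKeyDNS=%s\n' "$(resolve_option "$DEFAULTS_FIRST" server VerifyHostKeyDNS)"
  printf 'host first:     VerifyHostKeyDNS=%s\n' "$(resolve_option "$HOST_FIRST" server VerifyHostKeyDNS)"
}
if [ "${1:-}" = "--demo" ]; then demo; fi
```

With the defaults on top, ''resolve_option'' returns ''yes'' for ''server'' even though the host section says ''no''; with the host section first it returns ''no'', and other hosts still get the ''Host *'' value. The real client shows the same thing with ''ssh -G server | grep -i verifyhostkeydns''.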

Howto/SSH (last edited 2022-04-28 14:06:51 by Burathar)