Differences between revisions 6 and 16 (spanning 10 versions)
Revision 6 as of 2019-12-12 23:21:43
Size: 1090
Editor: Sciuro
Comment:
Revision 16 as of 2020-03-07 11:25:57
Size: 2272
Editor: Sciuro
Comment:
Deletions are marked like this. Additions are marked like this.
Line 1: Line 1:
## page was renamed from Howto/Ssh
Line 5: Line 6:

= Tunneling =
== SOCKS5 ==
Connect to a server and use a SOCKS5 proxy on local port 8080.
{{{
ssh -D8080 user@server.name
}}}

== Portforwarding ==
Redirect a port on a remote server to your local host.

{{{#!diag
nwdiag {
  network internal {
  external.server;
  internal.server [address=80];
  }

  external.server -- internet;
  internet [shape = cloud];
  internet -- user;
}
}}}

{{{
ssh -L8080:internal.server:80 user@external.server
}}}
Line 16: Line 44:
This is an example of a personal configfile in your ''.ssh/config''. The configfile for your client is located in ''~/.ssh/config''. Always place your default config on top. SSH works on last-know-is-true basis.

{{{
Host *
    serveraliveinterval 60
    forwardagent yes
    VerifyHostKeyDNS yes
    KexAlgorithms curve25519-sha256@libssh.org
    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
    AddKeysToAgent yes
    UseKeychain yes
    IdentityFile ~/.ssh/id_ed25519
}}}

This is an example of a special host config. All of the above used default options can also be used in the host specific config.
Line 22: Line 65:
  verifyhostkeydns no

Contents

  1. Tunneling
    1. SOCKS5
    2. Portforwarding
  2. Config
    1. Server config
    2. Client config
    3. Restricted shell

Tunneling

SOCKS5

Connect to a server and use a SOCKS5 proxy on local port 8080. 

ssh -D8080 user@server.name

Portforwarding

Redirect a port on a remote server to your local host. 

nwdiag is invalid diag type or not implemented yet.

ssh -L8080:internal.server:80 user@external.server

Config

Server config

Add the following to the /etc/ssh/sshd_config file to restrict broken and misused ciphers. 

KexAlgorithms curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com

Client config

The configfile for your client is located in ~/.ssh/config. Always place your default config on top. SSH works on last-know-is-true basis. 

Host *
    serveraliveinterval 60
    forwardagent yes
    VerifyHostKeyDNS yes
    KexAlgorithms curve25519-sha256@libssh.org
    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
    AddKeysToAgent yes
    UseKeychain yes
    IdentityFile ~/.ssh/id_ed25519

This is an example of a special host config. All of the above used default options can also be used in the host specific config. 

Host server
  hostname 1.2.3.4
  user username
  port 2222
  verifyhostkeydns no
  LocalForward 8443 localhost:443

Restricted shell

This example shows us a ssh server where you can login, but have no rights at all to do anything, except restricted portforwarding. AllowTcpForwarding has to be enabled for the use of PermitOpen. 

Match User testuser
   AllowTcpForwarding yes
   X11Forwarding no
   PermitTunnel no
   GatewayPorts no
   AllowAgentForwarding no
   PermitOpen localhost:80
   ForceCommand read -p "Press enter to exit"

Howto/SSH (last edited 2022-04-28 14:06:51 by Burathar)