#lang en

= Usage =

== Generate key ==
To generate an SSH key pair (Ed25519: small keys, fast, and no key size or parameters to get wrong):
{{{
ssh-keygen -t ed25519
}}}

== Install public key on remote server ==
To append your public key to the remote user's ''authorized_keys'' file (`-i` selects the key to install; without it, ssh-copy-id sends every key the agent offers):
{{{
ssh-copy-id -i ~/.ssh/id_ed25519.pub username@remoteserver.com
}}}

== Copy files ==
Copying one big file is much faster than copying many small ones, because every single file costs its own round trip. Tar a (large) directory and stream it as a single file to the other side:
{{{
tar -zc map | ssh user@server "cat > ~/file.tar.gz"
}}}
Or unpack it directly on the other side:
{{{
tar -zc map | ssh user@server "tar -zx -C /destination"
}}}

= Tunneling =

== SOCKS5 ==
Connect to a server and start a SOCKS5 proxy on local port 8080. Applications pointed at localhost:8080 then make their TCP connections from the server:
{{{
ssh -D 8080 user@server.name
}}}

== Port forwarding ==
Forward a local port to a host that is only reachable from the remote server. Here internal.server can be reached from external.server but not from the internet:
{{{#!diag nwdiag
nwdiag {
  network internal {
    external.server;
    internal.server [address=80];
  }
  external.server -- internet;
  internet [shape = cloud];
  internet -- user;
}
}}}
Connections to local port 8080 are carried through external.server to port 80 on internal.server:
{{{
ssh -L 8080:internal.server:80 user@external.server
}}}

= Config =

== Server config ==

=== Secure algorithms ===
Add the following to ''/etc/ssh/sshd_config'' to disable broken or weak algorithms (SHA-1 based key exchange, CBC ciphers, MACs without encrypt-then-MAC). For the current list of recommended key exchange methods, check [[https://datatracker.ietf.org/doc/draft-ietf-curdle-ssh-kex-sha2/ | the IETF page]].
{{{
PubkeyAcceptedKeyTypes ssh-ed25519,rsa-sha2-512
KexAlgorithms curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
}}}
`curve25519-sha256@libssh.org` is the original name of the method later standardised as `curve25519-sha256` (RFC 8731); recent OpenSSH accepts both names. OpenSSH 8.5 renamed `PubkeyAcceptedKeyTypes` to `PubkeyAcceptedAlgorithms` but still understands the old keyword. Note that clients older than OpenSSH 7.2 cannot authenticate with RSA keys against this configuration, because they only produce SHA-1 (`ssh-rsa`) signatures. After editing, check the file with `sshd -t` before restarting the daemon.

=== Restricted shell ===
This example configures sshd so that a user can log in but cannot do anything at all, except use one restricted port forward. AllowTcpForwarding must stay enabled, otherwise PermitOpen has nothing left to restrict.
{{{
Match User testuser
    AllowTcpForwarding yes
    X11Forwarding no
    PermitTunnel no
    GatewayPorts no
    AllowAgentForwarding no
    PermitOpen localhost:80
    ForceCommand read -p "Press enter to exit"
}}}
A `Match` block extends to the next `Match` keyword or the end of the file, so place it after the global options. ''localhost'' in PermitOpen is resolved on the server: the user may only open connections to port 80 on the SSH server itself. ForceCommand is run through the user's login shell, so `read -p` assumes that shell is bash; a client that connects with `-N` requests no session at all and only gets the forward. Verify what the user actually gets with `sshd -T` and a `-C user=testuser` match specification instead of reading the file by eye.

== Client config ==
The configuration file for your client is ''~/.ssh/config''. For every option ssh uses the '''first''' value it finds, so host-specific `Host` sections must come first and the general defaults in `Host *` belong at the '''end''' of the file; a default placed on top cannot be overridden by a later host entry.

A set of sane defaults for the end of the file:
{{{
Host *
    ServerAliveInterval 60
    ForwardAgent no
    VerifyHostKeyDNS yes
    KexAlgorithms curve25519-sha256@libssh.org
    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
    AddKeysToAgent yes
    IgnoreUnknown UseKeychain
    UseKeychain yes
    IdentityFile ~/.ssh/id_ed25519
}}}
Do not enable ForwardAgent for every host: anyone with root on a server you are connected to can use the forwarded agent, and thereby your keys, for as long as the session lasts. Turn it on only for hosts you trust, in their own section. `UseKeychain` exists only in Apple's OpenSSH build; other builds refuse to start on an unknown keyword, which is what the `IgnoreUnknown` line before it is for.

This is an example of a host-specific section; it goes above the `Host *` block. Every option used in the defaults can also be set here.
{{{
Host server
    HostName 1.2.3.4
    User username
    Port 2222
    VerifyHostKeyDNS no
    ForwardAgent yes
    LocalForward 8443 localhost:443
}}}

= Using an SSH key to directly encrypt small files =
openssl does not understand the OpenSSH key format, so both the public and the private key have to be converted to PEM first. This only works with RSA keys (the Ed25519 key generated above cannot be used for encryption), and RSA can only encrypt a message that is smaller than the modulus: with a 2048-bit key that is at most 214 bytes with OAEP padding. Anything larger needs a hybrid scheme, in which the RSA key encrypts a symmetric key.

== Encryption ==
OAEP padding is used instead of the obsolete SSLv2 padding (`-ssl`). `rsautl` is deprecated since OpenSSL 3; `openssl pkeyutl` takes the same role there.
{{{#!bash
ssh-keygen -f ~/.ssh/id_rsa.pub -e -m PKCS8 > id_rsa.pem.pub
openssl rsautl -encrypt -oaep -pubin -inkey id_rsa.pem.pub -in message.txt -out encrypted-message.txt.enc
}}}

== Decryption ==
Warning: this ssh-keygen command rewrites the key file in place. Make a copy of the key first. The padding option must match the one used for encryption.
{{{#!bash
ssh-keygen -p -f id_rsa_copy -m pem
openssl rsautl -decrypt -oaep -inkey id_rsa_copy -in encrypted-message.txt.enc -out decrypted-message.txt
}}}