cheatsheet:ssh

Differences

cheatsheet:ssh [2023/02/16 20:13] – [tunnel a specific local port to a specific remote port] kamaradski
cheatsheet:ssh [2023/02/21 12:24] (current) kamaradski
Line 1: Line 1:
 ====== ssh command cheatsheet ====== ====== ssh command cheatsheet ======
  
-Related folders: +===== what are ssh and sshd ===== 
-/etc/ssh/ => OS level setup and configuration + 
-~/.ssh => host for all userland config files (config, knownhosts, authorized keys, public & private keys)+SSH (Secure Shell) is a network protocol that provides secure communication between two computers, typically a client and a server. It is commonly used to enable remote access and management of a server or other networked device. The SSH protocol encrypts all traffic between the client and the server, making it resistant to eavesdropping, tampering, and other forms of network attacks. 
 + 
 +To establish an SSH connection, a client program sends a request to the server to initiate the SSH protocol. The server runs the SSH daemon (sshd) that listens for incoming SSH connections on a designated port (usually 22). Once a connection is established, the client and server negotiate the encryption algorithm and authentication method to be used for the session. 
 + 
 +The SSH protocol supports a variety of authentication methods, including password authentication and public key authentication. With password authentication, the client sends a username and password to the server to authenticate the user. Public key authentication uses a pair of cryptographic keys - a public key and a private key - to authenticate the user. The public key is stored on the server, and the private key is kept by the user. 
 + 
 +The SSH and SSHD services provide a secure way to manage remote systems, transfer files securely, and execute remote commands securely over the network. These services are widely used in various environments, including system administration, network management, and cloud computing. It's important to properly configure and secure SSH and SSHD to prevent unauthorized access and protect sensitive data. 
 + 
 + 
 +===== connect to a remote server ===== 
 +<code bash> 
 +$ ssh username@hostname 
 +</code> 
 + 
 +===== connect using a non-default SSH port ===== 
 +<code bash> 
 +$ ssh -p <port> username@hostname 
 +</code> 
 + 
 +===== connect using a specific identity file ===== 
 +<code bash> 
 +ssh -i /path/to/private/key username@hostname 
 +</code> 
 + 
 +===== run a remote command ===== 
 +<code bash> 
 +$ ssh username@hostname "command" 
 +</code> 
 + 
 +===== keys and certificates ===== 
 + 
 +==== create id_rsa ssh key ==== 
 +<code bash> 
 +$ ssh-keygen -t rsa 
 +or 
 +$ ssh-keygen -t rsa -b 4096 -C "<comment>" 
 +</code> 
 + 
 +==== copy local public key to remote "known_hosts" ==== 
 +<code bash> 
 +$ ssh-copy-id -i ~/.ssh/id_rsa.pub -p 1234 user@host 
 +</code> 
 + 
 +==== remove a specific host from the known_hosts file ==== 
 +<code bash> 
 +$ ssh-keygen -f "/home/ubuntu/.ssh/known_hosts" -R "10.0.0.10" 
 + 
 +# Host 10.0.0.10 found: line 39 
 +# Host 10.0.0.10 found: line 40 
 +/home/ubuntu/.ssh/known_hosts updated. 
 +Original contents retained as /home/ubuntu/.ssh/known_hosts.old 
 +</code> 
 ===== create "alias" configuration for a host ===== ===== create "alias" configuration for a host =====
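Review bot: the heading ''==== copy local public key to remote "known_hosts" ===='' names the wrong file: ''ssh-copy-id'' appends the public key to the remote user's ''~/.ssh/authorized_keys'', while ''known_hosts'' is the client-side list of server host keys (the file the following ''ssh-keygen -R'' subsection actually operates on). Rename it to something like ''==== copy local public key to the remote "authorized_keys" ===='' so the two subsections are not confused. Two smaller points in the same hunk: the ''ssh -i /path/to/private/key username@hostname'' block is the only one missing the ''$ '' prompt the other blocks use, and the key-generation subsection could offer an Ed25519 variant (''ssh-keygen -t ed25519 -C "<comment>"'') next to the RSA one, since nothing else on the page depends on the key type.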
  
Line 30: Line 82:
 </code> </code>
  
-===== tunneling =====+===== start/restart/stop ssh or sshd service =====
  
-==== open SOCKS tunnel (used for browsing for example) ====+Ubuntu, Debian, CentOS, Fedora and other systems that use systemd
 <code bash> <code bash>
-ssh -D 6666 -vTCN [email protected] -p1234 +sudo systemctl start|restart|stop ssh|sshd
- +
-# where: +
-# -D 6666 is the local port to use (pick open port at will) +
-# -p 1234 is the remote port at which the remote ssh-server is listening for you+
 </code> </code>
  
-==== tunnel a specific local port to a specific remote port ==== +Systems that use SysV init:
- +
-This is very useful is you want to tunnel into an ssh jumphost in a remote network, and then reach a service on another server +
-inside the target network. For example, you can tunnel a mail local mail client, via an ssh jumphost, to a private email server somewhere on the remote network. +
 <code bash> <code bash>
-ssh -L 6666:192.168.1.100:1234 [email protected] -p 8080 -vTN+sudo service ssh|sshd start|restart|stop 
 +</code>
  
-# where 
-# 6666 is the local port to use (pick open port at will) 
-# 192.168.1.100 is the ip-address of the remote server (reachable from the ssh jumphost) 
-# 1234 is the remote port to use on the remote server 
-# -p 1234 is the remote port at which the remote ssh-server is listening 
- 
-ssh -L opens a local port. Everything that you send to that port is put through the ssh connection and leaves through the server. 
-If you do, e.g., ssh -L 4444:google.com:80, if you open http://localhost:4444 on your browser, you'll actually see google's page. 
- 
-ssh -D opens a local port, but it doesn't have a specific endpoint like with -L. Instead, it pretends to be a SOCKS proxy. 
-If you open, e.g., ssh -D 7777, when you tell your browser to use localhost:7777 as your SOCKS proxy, everything your browser  
-requests goes through the ssh tunnel. To the public internet, it's as if you were browsing from your ssh server instead of from your computer. 
-</code> 
  
 ===== important files ===== ===== important files =====
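Review bot: ''sudo systemctl start|restart|stop ssh|sshd'' lists both unit names without saying which applies where, and the hunk's own distro list is the place to say it (''ssh'' on Debian/Ubuntu, ''sshd'' on CentOS/Fedora); otherwise a reader on the other family picks a unit that does not exist. Since this section will mostly be used right after editing sshd_config, it is worth adding that ''sudo sshd -t'' validates the configuration before the restart (restarting into a broken config can lock you out of a remote box), and that ''reload'' is enough for a configuration change. Note also that the old tunneling block's ''-vTCN'' flags and their explanation are dropped here and are not carried into the new tunneling section added further down the page.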
Line 95: Line 127:
 Overall, the sshd_config file is an essential tool for system administrators to manage and configure SSH server connections and maintain a secure and reliable remote access environment. Overall, the sshd_config file is an essential tool for system administrators to manage and configure SSH server connections and maintain a secure and reliable remote access environment.
  
-==== start/restart/stop ==== 
  
-Ubuntu, Debian, CentOS, Fedora and other systems that use systemd+==== logfiles ==== 
 + 
 +The related log files for SSH and SSHD can also vary depending on the operating system and version, but here are the common ones for several popular Linux distributions: 
 + 
 +Ubuntu, Debian, and other systems that use systemd:\\  
 +The SSH log file is typically located at ''/var/log/auth.log'', and the SSHD log file is typically located at ''/var/log/syslog''
 + 
 +CentOS, Fedoraand other systems that use systemd:\\  
 +The SSH log file is typically located at ''/var/log/secure'', and the SSHD log file is typically located at ''/var/log/secure''
 + 
 +Systems that use SysV init:\\  
 +The SSH log file is typically located at ''/var/log/secure'', and the SSHD log file is typically located at ''/var/log/messages''
 + 
 +In general, the SSH log file records information about SSH client connections, including successful and failed login attempts, the time and date of the connection, and the IP address of the connecting client. The SSHD log file records information about the SSH server, including successful and failed connection attempts, system errors, and other server-related events. 
 + 
 + 
 +===== tunneling ===== 
 +The SSH command with the -L and -D options allows you to create secure connections between two computers, which can be useful in many situations. 
 + 
 +The -L option creates a secure tunnel that connects your computer to another computer through a third computer. This can be helpful when you need to access a computer that's behind a firewall or is not accessible from your computer directly. 
 + 
 +For example, imagine you need to access a computer at work, but it's only accessible from your work network. By creating an SSH tunnel with the -L option, you can connect to a different computer that is accessible from your computer, and that computer will connect to the work computer for you. 
 + 
 +The -D option creates a different type of tunnel that lets you use a remote computer as a proxy. This is useful if you want to access resources that are only available from a remote computer. 
 + 
 +For example, imagine you need to access a website that is only available from a computer in a different country. By creating an SSH tunnel with the -D option, you can use the remote computer as a proxy to access the website from your computer. 
 + 
 +Overall, the -L and -D options are powerful tools that allow you to securely connect to remote computers and access resources that might otherwise be unavailable to you. 
 + 
 + 
 +==== -D option (dynamic port forwarding) (SOCKS proxy) ==== 
 +Let's say you're traveling abroad and need to access a website that's only accessible from your home country. By using the -D option, you can create a SOCKS proxy that routes all your web traffic through a remote computer in your home country. 
 + 
 +The command to create the proxy would look like this:
 <code bash> <code bash>
-sudo systemctl start|restart|stop ssh|sshd+ssh -D 1080 [email protected] 
 + 
 +# where: 
 +# -D 1080 is the local port to use (pick any open port [above 1024] at will)
 </code> </code>
  
-Systems that use SysV init:+In this example, you're connecting to the "home.com" computer and creating a SOCKS proxy on port 1080. You can then configure your web browser to use the SOCKS proxy on your local computer (by specifying localhost:1080 as target), and all your web traffic will be securely routed through the "home.com" computer. This will make it appear as if you're accessing the web from your home country, even if you're physically located in a different country. 
 + 
 + 
 +==== -L option (remote port forwarding) ==== 
 +Let's say you have a server that's only accessible from your office network, but you need to access it from your home computer. By using the -L option, you can create a secure tunnel that connects your home computer to the server through another computer that's accessible from your home computer. 
 + 
 +The command to create the tunnel would look like this:
 <code bash> <code bash>
-sudo service ssh|sshd start|restart|stop+ssh -L 8888:server.example.com:22 [email protected] 
 + 
 +# where 
 +# 8888 is the local port to use (pick any open port [above 1024] at will) 
 +# server.example.com is the target server we want to reach 
 +# 22 is the remote port we want to reach on the target server 
 +# accessible.com is the server in the middle (jumphost)
 </code> </code>
  
 +In this example, you're connecting to the "accessible.com" computer and creating a tunnel on port 8888. Any traffic sent to port 8888 on your home computer will be securely forwarded to the "server.example.com" server through the "accessible.com" computer. This is commonly in use in secure networks where you only can or want to expose 1 server to the internet, and you use this as jumphost to reach other services that are in the network behind.
  
-==== logfiles ==== 
  
-The related log files for SSH and SSHD can also vary depending on the operating system and version, but here are the common ones for several popular Linux distributions:+===== SSHd settings =====
  
-Ubuntu, Debian, and other systems that use systemd: +Related file: /etc/ssh/sshd_config
-The SSH log file is typically located at <code>/var/log/auth.log</code>, and the SSHD log file is typically located at <code>/var/log/syslog</code>.+
  
-CentOS, Fedora, and other systems that use systemd+==== disable the use of passwords to login ==== 
-The SSH log file is typically located at <code>/var/log/secure</code>, and the SSHD log file is typically located at <code>/var/log/secure</code>.+Notemake sure you have a working key-based login in place before doing this (or local access via a real keyboard/monitor or KVM) 
 + 
 +<code> 
 +ChallengeResponseAuthentication no 
 +PasswordAuthentication no 
 +UsePAM no 
 +</code> 
 + 
 +==== disable the root account from logging in ==== 
 + 
 +<code> 
 +PermitRootLogin no 
 +#PermitRootLogin prohibit-password 
 +</code>
  
-Systems that use SysV init: 
-The SSH log file is typically located at <code>/var/log/secure</code>, and the SSHD log file is typically located at <code>/var/log/messages</code>. 
  
-In general, the SSH log file records information about SSH client connections, including successful and failed login attempts, the time and date of the connection, and the IP address of the connecting client. The SSHD log file records information about the SSH server, including successful and failed connection attempts, system errors, and other server-related events. 
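Review bot: the heading ''==== -L option (remote port forwarding) ===='' is wrong: ''-L'' is local port forwarding (the listener is on your machine and traffic leaves through the SSH server towards the target); remote port forwarding is ''-R'', which the page does not cover, so rename it "(local port forwarding)". The ''-L 8888:server.example.com:22'' example also never shows the second step that makes it useful, ''ssh -p 8888 username@localhost'', which is what actually reaches the target server through the jumphost. In the sshd settings subsection, ''UsePAM no'' does more than the heading promises: per sshd_config(5) it also disables PAM account and session processing for every authentication type, so ''PasswordAuthentication no'' plus ''ChallengeResponseAuthentication no'' (renamed ''KbdInteractiveAuthentication'' in OpenSSH 8.7 and later) is the change to recommend, with ''UsePAM'' left at the distro default unless PAM is deliberately unwanted; the warning above it should also tell the reader to verify the key login in a second session before closing the current one. In the logfiles subsection the split into an "SSH log file" and an "SSHD log file" is misleading: the ssh client writes no system log, all the listed paths are where the sshd daemon's messages land (auth facility to auth.log or secure, the rest to syslog or messages), and on systemd hosts ''journalctl -u ssh'' or ''journalctl -u sshd'' is the authoritative view. Finally, both tunneling commands have had their login mangled to ''[email protected]'' while the prose names "home.com" and "accessible.com", so they should be restored to the ''username@hostname'' form used earlier on the page, and "Fedoraand" needs a comma and a space.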
cheatsheet/ssh.1676578381.txt.gz · Last modified: 2023/02/16 20:13 by kamaradski