Differences

This shows you the differences between two versions of the page.

--- cheatsheet:ssh [2023/02/16 20:25] – kamaradski
+++ cheatsheet:ssh [2023/02/21 12:24] (current) – kamaradski
@@ Line 11: / Line 11: @@
 The SSH and SSHD services provide a secure way to manage remote systems, transfer files securely, and execute remote commands securely over the network. These services are widely used in various environments, including system administration, network management, and cloud computing. It's important to properly configure and secure SSH and SSHD to prevent unauthorized access and protect sensitive data.
+===== connect to a remote server =====
+<code bash>
+$ ssh username@hostname
+</code>
+===== connect using a non-default SSH port =====
+<code bash>
+$ ssh -p <port> username@hostname
+</code>
+===== connect using a specific identity file =====
+<code bash>
+$ ssh -i /path/to/private/key username@hostname
+</code>
+===== run a remote command =====
+<code bash>
+$ ssh username@hostname "command"
+</code>
+===== keys and certificates =====
+==== create id_rsa ssh key ====
+<code bash>
+$ ssh-keygen -t rsa
+or
+$ ssh-keygen -t rsa -b 4096 -C "<comment>"
+</code>
+==== copy local public key to remote "known_hosts" ====
+<code bash>
+$ ssh-copy-id -i ~/.ssh/id_rsa.pub -p 1234 user@host
+</code>
+==== remove a specific host from the known_hosts file ====
+<code bash>
+$ ssh-keygen -f "/home/ubuntu/.ssh/known_hosts" -R "10.0.0.10"
+# Host 10.0.0.10 found: line 39
+# Host 10.0.0.10 found: line 40
+/home/ubuntu/.ssh/known_hosts updated.
+Original contents retained as /home/ubuntu/.ssh/known_hosts.old
+</code>
 ===== create "alias" configuration for a host =====
@@ Line 36: / Line 80: @@
 $ ssh yetanothername
 $ scp /local/file.ext someothername:/remote/target/folder/
-</code>
-===== tunneling =====
-==== open SOCKS tunnel (used for browsing for example) ====
-<code bash>
-$ ssh -D 6666 -vTCN [email protected] -p1234
-# where:
-# -D 6666 is the local port to use (pick open port at will)
-# -p 1234 is the remote port at which the remote ssh-server is listening for you
-</code>
-==== tunnel a specific local port to a specific remote port ====
-This is very useful is you want to tunnel into an ssh jumphost in a remote network, and then reach a service on another server
-inside the target network. For example, you can tunnel a mail local mail client, via an ssh jumphost, to a private email server somewhere on the remote network.
-<code bash>
-ssh -L 6666:192.168.1.100:1234 [email protected] -p 8080 -vTN
-# where
-# 6666 is the local port to use (pick open port at will)
-# 192.168.1.100 is the ip-address of the remote server (reachable from the ssh jumphost)
-# 1234 is the remote port to use on the remote server
-# -p 1234 is the remote port at which the remote ssh-server is listening
-ssh -L opens a local port. Everything that you send to that port is put through the ssh connection and leaves through the server.
-If you do, e.g., ssh -L 4444:google.com:80, if you open http://localhost:4444 on your browser, you'll actually see google's page.
-ssh -D opens a local port, but it doesn't have a specific endpoint like with -L. Instead, it pretends to be a SOCKS proxy.
-If you open, e.g., ssh -D 7777, when you tell your browser to use localhost:7777 as your SOCKS proxy, everything your browser
-requests goes through the ssh tunnel. To the public internet, it's as if you were browsing from your ssh server instead of from your computer.
 </code>
@@ Line 131: / Line 142: @@
 In general, the SSH log file records information about SSH client connections, including successful and failed login attempts, the time and date of the connection, and the IP address of the connecting client. The SSHD log file records information about the SSH server, including successful and failed connection attempts, system errors, and other server-related events.
+===== tunneling =====
+The SSH command with the -L and -D options allows you to create secure connections between two computers, which can be useful in many situations.
+The -L option creates a secure tunnel that connects your computer to another computer through a third computer. This can be helpful when you need to access a computer that's behind a firewall or is not accessible from your computer directly.
+For example, imagine you need to access a computer at work, but it's only accessible from your work network. By creating an SSH tunnel with the -L option, you can connect to a different computer that is accessible from your computer, and that computer will connect to the work computer for you.
+The -D option creates a different type of tunnel that lets you use a remote computer as a proxy. This is useful if you want to access resources that are only available from a remote computer.
+For example, imagine you need to access a website that is only available from a computer in a different country. By creating an SSH tunnel with the -D option, you can use the remote computer as a proxy to access the website from your computer.
+Overall, the -L and -D options are powerful tools that allow you to securely connect to remote computers and access resources that might otherwise be unavailable to you.
+==== -D option (dynamic port forwarding) (SOCKS proxy) ====
+Let's say you're traveling abroad and need to access a website that's only accessible from your home country. By using the -D option, you can create a SOCKS proxy that routes all your web traffic through a remote computer in your home country.
+The command to create the proxy would look like this:
+<code bash>
+ssh -D 1080 [email protected]
+# where:
+# -D 1080 is the local port to use (pick any open port [above 1024] at will)
+</code>
+In this example, you're connecting to the "home.com" computer and creating a SOCKS proxy on port 1080. You can then configure your web browser to use the SOCKS proxy on your local computer (by specifying localhost:1080 as target), and all your web traffic will be securely routed through the "home.com" computer. This will make it appear as if you're accessing the web from your home country, even if you're physically located in a different country.
+==== -L option (remote port forwarding) ====
+Let's say you have a server that's only accessible from your office network, but you need to access it from your home computer. By using the -L option, you can create a secure tunnel that connects your home computer to the server through another computer that's accessible from your home computer.
+The command to create the tunnel would look like this:
+<code bash>
+ssh -L 8888:server.example.com:22 [email protected]
+# where
+# 8888 is the local port to use (pick any open port [above 1024] at will)
+# server.example.com is the target server we want to reach
+# 22 is the remote port we want to reach on the target server
+# accessible.com is the server in the middle (jumphost)
+</code>
+In this example, you're connecting to the "accessible.com" computer and creating a tunnel on port 8888. Any traffic sent to port 8888 on your home computer will be securely forwarded to the "server.example.com" server through the "accessible.com" computer. This is commonly in use in secure networks where you only can or want to expose 1 server to the internet, and you use this as jumphost to reach other services that are in the network behind.
+===== SSHd settings =====
+Related file: /etc/ssh/sshd_config
+==== disable the use of passwords to login ====
+Note: make sure you have a working key-based login in place before doing this (or local access via a real keyboard/monitor or KVM)
+<code>
+ChallengeResponseAuthentication no
+PasswordAuthentication no
+UsePAM no
+</code>
+==== disable the root account from logging in ====
+<code>
+PermitRootLogin no
+#PermitRootLogin prohibit-password
+</code>

wiki.kamaradski.com

User Tools

Site Tools

Differences

Page Tools