SSH
Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. Typical applications include remote command-line login and remote command execution, but any network service can be secured with SSH.
Examples of services that can use SSH are Git, rsync and X11 forwarding. Services that always use SSH are SCP and SFTP.
An SSH server, by default, listens on the standard TCP port 22. An SSH client program is typically used for establishing connections to an sshd daemon accepting remote connections. Both are commonly present on most modern operating systems, including macOS, GNU/Linux, Solaris and OpenVMS. Proprietary, freeware and open source versions of various levels of complexity and completeness exist.
Client
Usage
Creating an SSH key:
ssh-keygen
Connecting to a server:
ssh -p port user@server-address
Port forwarding:
# Local forwarding (-L): connections to local_port on this machine reach 127.0.0.1:remote_port on host
ssh -N -f -L local_port:127.0.0.1:remote_port host
# Remote forwarding (-R): connections to remote_port on host reach 127.0.0.1:local_port on this machine
ssh -N -f -R remote_port:127.0.0.1:local_port host
Copying files (works with rsync as well):
scp -r files remote:/path
Copy an SSH key to a host:
ssh-copy-id user@remote
Pipes work over SSH too:
ssh remote "cat /log" | grep denied
cat ~/.ssh/id_rsa.pub | ssh remote 'cat >> .ssh/authorized_keys'
Use a jump host:
ssh -J jump_server remote
Forward a port to a remote host using a systemd service:
[Unit]
Description=SSH Port Forwarding
After=network.target
After=systemd-resolved.service
# start-limit settings belong in [Unit]; 0 disables the limit so the tunnel is retried indefinitely
StartLimitIntervalSec=0
StartLimitBurst=0
[Service]
User=<USER>
# binding the remote side to 0.0.0.0 only works if the server's sshd_config sets GatewayPorts yes (or clientspecified)
ExecStart=/usr/bin/ssh -i <KEY> -o ExitOnForwardFailure=yes -N -R 0.0.0.0:<PORT>:127.0.0.1:<PORT> user@example.com
Restart=always
RestartSec=30s
[Install]
WantedBy=multi-user.target
Signing
Creating a signature (the signature is written to <file_to_sign>.sig):
ssh-keygen -Y sign -f ~/.ssh/id_ed25519 -n file <file_to_sign>
Verifying signatures is a bit more involved. First you need to create an allowed signers file, which maps email addresses (principals) to public keys, like this:
alice@example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINq4q0EHXacxMzmcG7TNC1DJpSxpK5dhJA6uAlZ/x8O7
alice@example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCfHGCK5jjI/Oib4vRBLB9rG30A8y/Br9U75rfAYsitwFPFfl/CaTAvfRlW1lIBqOCshLWxGsN+PFiJCiCWzpW4iILkD5X5KcBBYHTq1ojYXb70BrQXQ+QBDcGxqQjcOp/uTq1D9Z82mYq/usI5wdz6f1KNyqM0J6ZwRXMu6u7NZaAwmY7j1fV4DRiYdmIfUDIyEdqX4a1Gan+EMSanVUYDcNmeBURqmTkkOPYSg8g5xYgcXBMOZ+V0ZUjreV9paKraUD/mVDlZbb/VyWhJGT4FLMNXHU6UHC2FFgqANMUKIlL4vhqc23MoygKbfF3HgNB6BNfv3s+GYlaQ3+66jc5j
bob@example.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBgQuuEvhUXerOTIZ2zoOx60M/HHJ/tcHnD84ZvTiX5b
eve@example.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFxsKcWHB9hamTXCPWKVUw0WM0S3IXH0YArf8iJE0dMG
Once you have your allowed signers file, verification works like this:
ssh-keygen -Y verify -f allowed_signers -I alice@example.com -n file -s file_to_verify.sig < file_to_verify
Here are the arguments you may need to change:
allowed_signers is the path to the allowed signers file.
alice@example.com is the email address (principal) of the person who allegedly signed the file. It is looked up in the allowed signers file to get the candidate public keys.
file is the "namespace", which must match the namespace used for signing as described above.
file_to_verify.sig is the path to the signature file.
file_to_verify is the path to the file to be verified. Note that this file is read from standard input; in the above command, the < shell operator redirects standard input from this file.
If the signature is valid, the command exits with status 0 and prints a message like this:
Good "file" signature for alice@example.com with ED25519 key SHA256:ZGa8RztddW4kE2XKPPsP9ZYC7JnMObs6yZzyxg8xZSk
Otherwise, the command exits with a non-zero status and prints an error message.
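As an added worked example (not part of this page or of OpenSSH), a small Python parser for the allowed signers format shown above. It reads the page's four entries plus one constructed line for carol@example.org (which reuses Bob's key blob and carries a namespaces= option, a real allowed_signers option not shown above), checks that the declared key type matches the type embedded in the base64 blob, computes the SHA256 fingerprint in the form ssh-keygen prints, and performs the principal and namespace lookup that -I and -n drive in ssh-keygen -Y verify. Principals are matched literally here; ssh-keygen also accepts wildcard patterns.

```python
import base64
import hashlib
import struct

# Constructed sample allowed_signers file: the four lines from the page above,
# plus one constructed line for "carol" that reuses bob's key blob and carries a
# namespaces= option (a real allowed_signers option; not shown on the page).
ALLOWED_SIGNERS = """\
alice@example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINq4q0EHXacxMzmcG7TNC1DJpSxpK5dhJA6uAlZ/x8O7
alice@example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCfHGCK5jjI/Oib4vRBLB9rG30A8y/Br9U75rfAYsitwFPFfl/CaTAvfRlW1lIBqOCshLWxGsN+PFiJCiCWzpW4iILkD5X5KcBBYHTq1ojYXb70BrQXQ+QBDcGxqQjcOp/uTq1D9Z82mYq/usI5wdz6f1KNyqM0J6ZwRXMu6u7NZaAwmY7j1fV4DRiYdmIfUDIyEdqX4a1Gan+EMSanVUYDcNmeBURqmTkkOPYSg8g5xYgcXBMOZ+V0ZUjreV9paKraUD/mVDlZbb/VyWhJGT4FLMNXHU6UHC2FFgqANMUKIlL4vhqc23MoygKbfF3HgNB6BNfv3s+GYlaQ3+66jc5j
bob@example.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBgQuuEvhUXerOTIZ2zoOx60M/HHJ/tcHnD84ZvTiX5b
eve@example.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFxsKcWHB9hamTXCPWKVUw0WM0S3IXH0YArf8iJE0dMG
carol@example.org namespaces="email,git" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBgQuuEvhUXerOTIZ2zoOx60M/HHJ/tcHnD84ZvTiX5b
"""

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def _ssh_string(blob, offset):
    """Read one SSH wire-format string (uint32 length + bytes) from blob."""
    (length,) = struct.unpack_from(">I", blob, offset)
    start = offset + 4
    return blob[start:start + length], start + length


def parse_allowed_signers(text):
    """Parse allowed_signers lines into dicts with principals, options, key_type, blob.
    The declared key type must match the type string embedded in the base64 blob."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()  # option values containing whitespace are not handled here
        principals = tokens[0].split(",")
        options, i = {}, 1
        while i < len(tokens) and not tokens[i].startswith(KEY_TYPE_PREFIXES):
            name, _, value = tokens[i].partition("=")
            options[name] = value.strip('"')
            i += 1
        if i + 1 >= len(tokens):
            raise ValueError(f"line {lineno}: missing key type or key data")
        key_type = tokens[i]
        blob = base64.b64decode(tokens[i + 1], validate=True)
        embedded, offset = _ssh_string(blob, 0)
        if embedded.decode("ascii") != key_type:
            raise ValueError(f"line {lineno}: declared {key_type} but blob contains {embedded!r}")
        if key_type == "ssh-ed25519":
            pubkey, _ = _ssh_string(blob, offset)
            if len(pubkey) != 32:
                raise ValueError(f"line {lineno}: ed25519 public key must be 32 bytes")
        entries.append({"principals": principals, "options": options,
                        "key_type": key_type, "blob": blob})
    return entries


def fingerprint(blob):
    """SHA256 fingerprint in the form ssh-keygen prints (base64 without padding)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def keys_for(entries, principal, namespace):
    """Candidate signing keys for principal/namespace as (key_type, fingerprint) pairs.
    Mirrors the -I and -n lookup of `ssh-keygen -Y verify`; principals are matched
    literally here, whereas ssh-keygen also accepts wildcard patterns."""
    found = []
    for entry in entries:
        if principal not in entry["principals"]:
            continue
        allowed = entry["options"].get("namespaces")
        if allowed is not None and namespace not in allowed.split(","):
            continue
        found.append((entry["key_type"], fingerprint(entry["blob"])))
    return found


if __name__ == "__main__":
    parsed = parse_allowed_signers(ALLOWED_SIGNERS)
    for who in ("alice@example.com", "carol@example.org", "mallory@example.org"):
        print(who, keys_for(parsed, who, "file"))
```

Run it directly to see which keys each principal may sign the "file" namespace with; a principal that is absent from the file, or whose entry carries a namespaces= option that excludes the requested namespace, yields no candidate keys, which is exactly the situation in which ssh-keygen -Y verify fails.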
Configuration
The client can be configured via the file ~/.ssh/config:
# host-specific options; ssh uses the first value obtained for each option,
# so host-specific entries must come before the global defaults
Host myserver
Hostname server-address
Port port
IdentityFile ~/.ssh/id_rsa
User you
ProxyJump host
# alternative to ProxyJump when going through an HTTP proxy (use one or the other, not both);
# ssh_config has no trailing comments, so keep comments on their own line
# ProxyCommand corkscrew <proxy-host> <proxy-port> %h %p
# global options (defaults for every host not matched above)
User user
With this configuration the client command reduces to
ssh myserver
Corkscrew is an additional program to tunnel SSH through HTTP proxies; it can also be given on the command line:
ssh -o "ProxyCommand corkscrew <proxy-host> <proxy-port> %h %p" <ssh-username>@<ssh-server>
Server
sshd is the OpenSSH server daemon, configured with /etc/ssh/sshd_config and managed by sshd.service. Whenever changing the configuration, use sshd in test mode before restarting the service to ensure it will be able to start cleanly. Valid configurations produce no output.
sshd -t
Configuration
Set address and port:
ListenAddress 0.0.0.0
Port 22
Limit users:
AllowUsers user1 user2
DenyUsers user3 user4
To allow access only for some groups:
AllowGroups group1 group2
DenyGroups group3 group4
Disable password authentication:
PasswordAuthentication no
PermitEmptyPasswords no
Disable root login entirely, or (second form) allow root only with public-key authentication:
PermitRootLogin no
PermitRootLogin prohibit-password
Allow port forwarding:
AllowTcpForwarding yes
Force a specific command to run instead of whatever the client requested (shell or command):
ForceCommand command
Limit port forwarding to specific destinations (PermitListen applies to -R, PermitOpen to -L/-D):
PermitListen host:port
PermitOpen host:port
Set environment variables in the session:
SetEnv KEY=VALUE
User-based settings (a Match block extends to the next Match line or the end of the file, so place it last; everything here only applies to user1):
Match User user1
PasswordAuthentication no
AllowTcpForwarding yes
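An added example (not from the page or from OpenSSH) of how sshd resolves these directives for a given connection, useful when reviewing a server configuration with several Match blocks. The sample config is constructed from the page's directives plus a second Match Group block; only Match User and Match Group criteria are modelled, and the precedence rules implemented are: the first occurrence of a keyword wins inside a section, Match blocks override the global section, and among several matching blocks the first one to set a keyword wins.

```python
import fnmatch

# Constructed sshd_config excerpt: the page's directives plus a second Match block.
SSHD_CONFIG = """\
Port 22
PasswordAuthentication yes
PermitRootLogin prohibit-password
AllowTcpForwarding no
Match User user1
    PasswordAuthentication no
    AllowTcpForwarding yes
Match Group admins
    AllowTcpForwarding yes
    PermitRootLogin no
"""


def parse_sshd_config(text):
    """Split sshd_config into global (keyword, value) pairs and an ordered list of
    Match blocks as (criteria, [(keyword, value), ...]). Keywords are case-insensitive."""
    global_opts, blocks, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)  # the "Keyword=value" spelling is not handled here
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            words = value.split()
            criteria = {c.lower(): p.split(",") for c, p in zip(words[0::2], words[1::2])}
            current = (criteria, [])
            blocks.append(current)
        elif current is None:
            global_opts.append((keyword, value))
        else:
            current[1].append((keyword, value))
    return global_opts, blocks


def block_matches(criteria, user, groups):
    """True if every criterion on the Match line is satisfied. Only User and Group are
    modelled; patterns use shell-style wildcards like sshd's own matching."""
    for criterion, patterns in criteria.items():
        candidates = {"user": [user], "group": list(groups)}.get(criterion)
        if candidates is None:
            return False  # Address, Host, LocalPort, ... would need connection data
        if not any(fnmatch.fnmatchcase(c, p) for c in candidates for p in patterns):
            return False
    return True


def effective_options(text, user, groups=()):
    """Options sshd would apply to a connection for `user` (a member of `groups`)."""
    global_opts, blocks = parse_sshd_config(text)
    effective = {}
    for keyword, value in global_opts:
        effective.setdefault(keyword, value)  # first occurrence wins within a section
    overrides = {}
    for criteria, opts in blocks:
        if block_matches(criteria, user, groups):
            for keyword, value in opts:
                overrides.setdefault(keyword, value)  # first matching block wins per keyword
    effective.update(overrides)  # Match-block values override the global section
    return effective


if __name__ == "__main__":
    for who, grp in (("user1", ["users"]), ("alice", ["admins"]), ("bob", ["users"])):
        opts = effective_options(SSHD_CONFIG, who, grp)
        print(who, {k: opts[k] for k in ("passwordauthentication", "allowtcpforwarding", "permitrootlogin")})
```

The check to run after editing a Match block is the one this script automates: pick the accounts you care about (a service account, an admin, an ordinary user) and confirm each ends up with the authentication and forwarding settings you intended, since a directive placed after the wrong Match line silently applies to the wrong users.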
authorized_keys
The ~/.ssh/authorized_keys file lists the public keys that may log in as this user without a password, one key per line. The syntax is:
[options] key_type key [comment, usually user@host]
Example:
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA7V4+1E...
Common options:
command="command_to_run": restricts the key to one command. The SSH session runs this command on login instead of whatever the client requested, and the user gets no interactive shell.
from="hostname_or_ip_address": limits the key to a specific hostname, IP address, or address range.
no-port-forwarding: disables port forwarding for the key.
no-agent-forwarding: disables SSH agent forwarding for the key.
no-X11-forwarding: disables X11 forwarding for the key.
no-pty: disables the allocation of a pseudo-terminal for the key, so the user gets no interactive shell session.
permitopen="host:port": restricts port forwarding to a specific host and port.
environment="VAR=value": sets environment variables for the session when the key is used to log in.
Multiple options are comma-separated.
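An added example (not from the page or from OpenSSH): a Python parser for authorized_keys lines, including the options field with its quoting rules (quoted values may contain commas, whitespace and backslash-escaped quotes), followed by an audit that reports what the holder of each key could still do. The sample file is constructed; its key blobs are the page's ed25519 keys and the truncated ssh-rsa key above, the comments are made up, and the restrict option on the third line is a real OpenSSH option (7.2 and later) that the page does not mention.

```python
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")

# Constructed sample file. Key blobs are the ed25519 keys shown on this page and
# the truncated ssh-rsa key from the example above; the comments are made up.
AUTHORIZED_KEYS = """\
# unrestricted key: full shell, any source, all forwarding types
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINq4q0EHXacxMzmcG7TNC1DJpSxpK5dhJA6uAlZ/x8O7 alice@laptop
command="rsync --server --sender . /srv/backup",from="10.0.0.0/8,!10.0.0.13",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBgQuuEvhUXerOTIZ2zoOx60M/HHJ/tcHnD84ZvTiX5b backup@nas
restrict,command="echo \\"hello, world\\"" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA7V4+1E... test
"""


def split_options(field):
    """Split the options field on commas. Double-quoted values may contain commas,
    whitespace and backslash-escaped quotes; the quote characters themselves are dropped."""
    options, buf, quoted, i = [], [], False, 0
    while i < len(field):
        ch = field[i]
        if ch == '"':
            quoted = not quoted
        elif ch == "\\" and quoted and i + 1 < len(field):
            i += 1
            buf.append(field[i])
        elif ch == "," and not quoted:
            options.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if quoted:
        raise ValueError("unterminated quote in options field")
    if buf:
        options.append("".join(buf))
    return options


def parse_authorized_keys_line(line):
    """Return {options, key_type, key, comment} for one line, or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options_field, rest = "", line
    if not line.startswith(KEY_TYPE_PREFIXES):
        # the options field ends at the first whitespace outside double quotes
        quoted = False
        for i, ch in enumerate(line):
            if ch == '"' and not (i > 0 and line[i - 1] == "\\"):
                quoted = not quoted
            elif ch.isspace() and not quoted:
                options_field, rest = line[:i], line[i + 1:].lstrip()
                break
        else:
            raise ValueError("options field with no key after it")
    parts = rest.split(None, 2)
    if len(parts) < 2 or not parts[0].startswith(KEY_TYPE_PREFIXES):
        raise ValueError(f"cannot find key type and key in: {line!r}")
    options = {}
    for opt in split_options(options_field):
        name, _, value = opt.partition("=")
        options[name.lower()] = value  # option names are case-insensitive
    return {"options": options, "key_type": parts[0], "key": parts[1],
            "comment": parts[2] if len(parts) > 2 else ""}


def parse_authorized_keys(text):
    return [e for e in map(parse_authorized_keys_line, text.splitlines()) if e]


def audit(entry):
    """List what the holder of this key is still allowed to do: the capabilities a
    reviewer usually wants switched off for automation keys. `restrict` (OpenSSH 7.2+,
    not mentioned on the page) disables all forwarding and pty allocation at once."""
    opts = entry["options"]
    findings = []
    if "from" not in opts:
        findings.append("no from= source restriction")
    if "command" not in opts:
        findings.append("interactive shell allowed (no command=)")
    if "restrict" not in opts:
        for opt, text in (("no-port-forwarding", "port forwarding allowed"),
                          ("no-agent-forwarding", "agent forwarding allowed"),
                          ("no-x11-forwarding", "X11 forwarding allowed")):
            if opt not in opts:
                findings.append(text)
    return findings


if __name__ == "__main__":
    for entry in parse_authorized_keys(AUTHORIZED_KEYS):
        print(entry["comment"] or entry["key_type"], audit(entry) or "ok")
```

Pointing parse_authorized_keys at a real file and printing the audit findings per key is a quick way to spot automation keys that were added without from= and command= restrictions; the first sample line is the typical finding, the second shows a backup key that is locked down correctly.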
.ssh/rc
The ~/.ssh/rc file is a script that the user's shell runs whenever an SSH session is established (as long as PermitUserRC in sshd_config is enabled, which is the default). If it does not exist, sshd runs /etc/ssh/sshrc instead, which is the global equivalent.