SSH

GNU/Linux OpenSSH QuickRef

2016-08-03 / GNU/Linux / Tim van Kooten Niekerk

LocalForward/Dynamic tunnels & SFTP jumphost connection examples (commandline):

>ssh -L 1522:remote.hostname:1522 user@tunnel.hostname
>ssh -D 8080 user@tunnel.hostname
>sftp -o ProxyJump=user@jump.hostname:22 [-b ./batch.scr] user@dest.host.internal

LocalForward/Dynamic tunnels & SFTP jumphost connection examples (commandline and config):

>ssh dsthst

~/.ssh/config:
Host prxjmp
  Hostname jump.hostname
  Port 22
  User user
  LocalForward 7080 10.0.0.9:7080
  DynamicForward 8080
Host dsthst
  HostName dest.host.internal
  Port 22
  User user
  ProxyJump prxjmp
  IdentityFile ~/.ssh/other_key_location

Generate a SSH Key Pair:

>ssh-keygen -m PEM -t ecdsa -b 521
>ssh-keygen -m PEM -t ecdsa -b 521 -C "tim" -f /home/tim/tmp/id_ecdsa

Other algorithms:

>ssh-keygen -t ed25519
>ssh-keygen -t dsa 
>ssh-keygen -t rsa -b 4096

Convert SSH2 Public Key to OpenSSH Public Key

>ssh-keygen -i -f id_ssh2.pub [-m PKCS8]

Convert OpenSSH Public Key to SSH2 Public Key

>ssh-keygen -e -f id_openssh.pub

Get Key Fingerprint MD5

ssh-keyscan -p [port] [hostname] > [hostkeyfpfile]
ssh-keygen -l -f [hostkeyfpfile] -E md5

Start session with alternate key

sftp -o IdentityFile=/home/tim/.ssh/id_rsa_2 tim@server1

Implement group restrictions in /etc/ssh/sshd_config

# Group restrictions 
AllowGroups sshaccess

Match Group sshpubkeyonly
      PasswordAuthentication no

Match group sftpusers
    X11Forwarding no
    ChrootDirectory %h
    AllowTcpForwarding no
    ForceCommand internal-sftp

GNU/Linux OpenSSH QuickRef

GNU/Linux FreeBSD/FreeNAS Basics