Secure Shell (SSH)

  • scp — Copy files over ssh
  • sshfs — Mount remote file system
  • screen — Run commands safely in remote session

Configuration

  • Create SSH aliases in ~/.ssh/config
Host *
   ServerAliveInterval 60
   ServerAliveCountMax 5
   AddKeysToAgent yes

## GENERAL

Host gitlab.com
   HostName gitlab.com
   User git
   IdentitiesOnly yes
   IdentityFile ~/.ssh/id_rsa
   UpdateHostKeys no

Host homelab*
   PreferredAuthentications=publickey
   IdentitiesOnly yes
   IdentityFile ~/.ssh/id_rsa-homelab

Host homelab.nas 
   HostName *****
   Port 5002
   User fabian

...
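As an added example (not part of the original notes), a small POSIX shell/awk function that summarises an ssh_config-style file: one line per `Host` alias with the `HostName`, `User`, `Port`, `IdentityFile` and `IdentitiesOnly` values that block carries. It assumes a flat config without `Match` or `Include` and options written one per line as either `Key value` or `Key=value`; the sample config embedded in the block is constructed. `IdentitiesOnly` is worth auditing because without it ssh offers every key loaded in the agent to each server it connects to, not just the one named in `IdentityFile`.

```shell
#!/bin/sh
# Added example, not from the original notes: list the Host aliases in an
# ssh_config-style file together with the settings each block carries.
# Assumes a flat config (no Match/Include) with options one per line as
# "Key value" or "Key=value". Usage: ssh_config_summary [file]  (stdin if omitted)

ssh_config_summary() {
    awk '
        function flush() {
            if (host == "") return
            printf "%s hostname=%s user=%s port=%s identityfile=%s identitiesonly=%s\n",
                host,
                ("hostname" in opt) ? opt["hostname"] : "-",
                ("user" in opt) ? opt["user"] : "-",
                ("port" in opt) ? opt["port"] : "22",
                ("identityfile" in opt) ? opt["identityfile"] : "-",
                ("identitiesonly" in opt) ? opt["identitiesonly"] : "no"
            split("", opt)                              # clear the block options
        }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blank lines
        {
            key = tolower($1); sub(/=.*/, "", key)      # accept the "Key=value" form
            val = $0
            sub(/^[[:space:]]*[^[:space:]=]+[[:space:]=]*/, "", val)   # drop the key
            sub(/[[:space:]]+$/, "", val)               # drop trailing whitespace
            if (key == "host") { flush(); host = val }
            else if (host != "") opt[key] = val
        }
        END { flush() }
    ' ${1:+"$1"}
}

# constructed sample config to demonstrate the output
sample=$(mktemp)
cat > "$sample" <<'EOF'
Host *
   ServerAliveInterval 60

## GENERAL
Host gitlab.com
   HostName gitlab.com
   User git
   IdentitiesOnly yes
   IdentityFile ~/.ssh/id_rsa

Host homelab.nas
   Port 5002
   User fabian
   PreferredAuthentications=publickey
EOF
ssh_config_summary "$sample"
rm -f "$sample"
```

Run it against `~/.ssh/config` to see at a glance which aliases still default to `identitiesonly=no` or rely on the implicit port.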

SSH Keys

File permission

.ssh 700 (drwx------)
public key (.pub) 644 (-rw-r--r--)
private key (id_rsa) 600 (-rw-------)
 
# required permissions
chmod 755 ~
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
chmod 600 ~/.ssh/id_rsa
chmod 644 ~/.ssh/id_rsa.pub
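An added check (not from the original notes) that audits an SSH directory against the modes listed above: it prints every path whose mode differs and returns non-zero when anything is off, so it can sit in a login script or a host-hardening check. It assumes GNU or BSD `stat` and looks only at what the table names (the directory itself, `*.pub`, `id_*` private keys and `authorized_keys`); other files such as `config` or `known_hosts` are left alone.

```shell
#!/bin/sh
# Added example, not part of the original notes: audit an SSH directory
# against the modes listed above. Usage: check_ssh_perms [dir]  (default ~/.ssh)
# Exit status 0 when everything matches, 1 when any path is off.

mode_of() {
    # portable octal mode: GNU stat uses -c, BSD/macOS stat uses -f
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

check_ssh_perms() {
    dir=${1:-"$HOME/.ssh"}
    bad=0

    # the directory itself must be owner-only (700)
    m=$(mode_of "$dir")
    [ "$m" = "700" ] || { echo "$dir: mode $m, expected 700"; bad=1; }

    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        m=$(mode_of "$f")
        case "$f" in
            *.pub)
                # public keys may be world-readable (644) but never group/world-writable
                [ "$m" = "644" ] || { echo "$f: mode $m, expected 644"; bad=1; } ;;
            */authorized_keys|*/id_*)
                # private keys and authorized_keys are owner-only (600)
                [ "$m" = "600" ] || { echo "$f: mode $m, expected 600"; bad=1; } ;;
            *)
                ;;   # files the table does not cover are not checked
        esac
    done
    return $bad
}
```

Call `check_ssh_perms` with no argument to audit your own `~/.ssh`, or pass a path to check a freshly provisioned account.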

Create SSH key

# -N '' sets an empty passphrase (no prompt on use), -C sets the key comment
ssh-keygen -t rsa -b 4096 -N '' -C "user@host"

Create public key from private key

ssh-keygen -y -f <PRIVATE-KEY> > xxx.pub

Copy public SSH key to server

# install the public key (password login for this one step, since the key is not on the server yet)
ssh-copy-id -i ~/.ssh/id_rsa-maintainer.pub -p 22023 -o PubkeyAuthentication=no unfa@10.0.0.130
# test the login with only this identity, verbose output for troubleshooting
ssh -p 22023 -vvv unfa@10.0.0.130 -o IdentitiesOnly=yes -i ~/.ssh/id_rsa-maintainer.pub

Launch local script remotely in screen session

# start backup-nas.sh (must be on the server's PATH) in a detached screen session named "backup"
ssh -t server screen -S backup -dm backup-nas.sh
# re-attach to that session later
ssh -t server screen -r backup

SSH Forwarding

Local Port Forwarding

# -L: listen on $LocalPort on this machine and forward connections to port $RemotePort on the server
ssh -p "$PORT" "$USER"@"$HOST" -L "$LocalPort":localhost:"$RemotePort"

Remote Port Forwarding

# -R: listen on $LocalPort on the remote host and forward its requests to $SERVER:$ServerPort
ssh -p "$PORT" "$USER"@"$HOST" -R "$LocalPort":"$SERVER":"$ServerPort"

# -R: listen on $LocalPort on the remote host and forward its requests back to local port 2222
ssh -p "$PORT" "$USER"@"$HOST" -R "$LocalPort":localhost:2222

Advanced

Reverse SOCKS Proxy

  • two networks: home & company network
  • home network allows inbound connections
  • setup up ssh jump box in home network
  • we want an ssh socks tunnel from the jump box into the company network, but the company network cannot be reached from outside; so a connection is made from within the company network to the jump box, and remote port forwarding lets the jump box connect back into the company network; when setting up the socks tunnel we specify a local proxy port and the remote forwarded port
  • configure jump box as socks proxy on client and browse the web through the eyes of the company network
# from within the company box
PROXY_PORT=8888   # socks port opened on the jump box
REMOTE_PORT=5555  # port on the jump box that is forwarded back to this box's sshd
# 1. connect to the jump box from within the company network (-t allocates a tty for the inner ssh)
# 2. -R: localhost:$REMOTE_PORT on the jump box now reaches port 22 on this box
# 3. on the jump box, open a socks proxy (-D) over the forwarded port (-N: no remote shell)
ssh -t jump@home \
    -R "$REMOTE_PORT":localhost:22 \
    "ssh -vND $PROXY_PORT localhost -p $REMOTE_PORT"