# SSH
![[Linux Fundamentals - Network Services#^9at8hv]]
![[Linux Fundamentals - Network Services#^thqute]]
You can use a custom private key (instead of the default one) with the `-i <PATH>` option.
## SSH Tunneling
SSH can be used to establish various types of tunnels to forward traffic from a server to a client and vice-versa.
When using SSH tunneling these options will come in handy:
- `-C`: enable traffic compression
- `-N`: do not run a remote command (no shell); the connection is used only for forwarding
- `-f`: go to the background once authenticated; combined with `-N` this keeps a tunnel up without an interactive session
### Local Port Forwarding
With local port forwarding, the SSH client listens on a port on the client machine. Every connection to that port is carried over the SSH session to the server, which then opens a new TCP connection to the destination from its own network position (the destination sees the SSH server as the source, not the client).
```sh
ssh -L <local (client) port>:<destination IP address>:<destination port> <user>@<SSH server IP address>
```
e.g.: `ssh -L 8080:localhost:8443 <user>@10.10.10.10`.
In this example every connection to port 8080 on the client's localhost is carried over the SSH session to 10.10.10.10, which then connects to `localhost:8443`. Note that `localhost` is resolved on the server, so this reaches port 8443 on the SSH server itself; to reach another host on the server's network, put that host's address in the middle field.
By default, the client binds to the localhost address only, but this can be changed by specifying the address to use before the local port (e.g. `-L 0.0.0.0:8080:localhost:8443`). Anyone who can reach that address on the client machine then has access through the tunnel, so only do this deliberately.
If you want a SOCKS proxy instead, use `-D` in place of `-L` and omit the destination IP address/port: `ssh -D 1080 <user>@<SSH server IP address>` turns 127.0.0.1:1080 on the client into a SOCKS proxy whose connections exit from the server.
### Remote Port Forwarding
Remote port forwarding, a.k.a. reverse tunneling, is the exact opposite of local port forwarding. The SSH server listens on a port, and every connection to it is carried over the SSH session back to the client, which then opens a new TCP connection to the destination from its own network position.
```sh
ssh -R <server port>:<destination IP address>:<destination port> <user>@<SSH server IP address>
```
e.g.: `ssh -R 8080:localhost:8443 <user>@10.10.10.10`.
In this example every connection to port 8080 on the server (10.10.10.10) is carried back to the client, which then connects to `localhost:8443`. Here `localhost` is resolved on the client, so this exposes port 8443 of the client machine to whoever can reach port 8080 on the server.
By default, the server binds to the localhost address only. Specifying an address before the server port only takes effect if sshd allows it: with the default `GatewayPorts no` the listener is bound to loopback regardless of what the client asks for, `GatewayPorts clientspecified` honours the client's address, and `GatewayPorts yes` binds to all interfaces.
If the destination is not specified (OpenSSH 7.6 and later), the client acts as a reverse SOCKS proxy: the server's port becomes a SOCKS proxy whose connections exit from the client.
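The local, remote and SOCKS forms above share the same lifecycle problems in practice: a tunnel started with `-f -N` is easy to lose track of, and by default ssh stays connected even when the port it was asked to bind is already taken. The script below is an added example, not part of the original note, that builds the `[bind_addr:]port:host:hostport` argument, starts the tunnel with `ExitOnForwardFailure` and a control socket, and uses that socket to check and close it. `TARGET`, the ports and the `example.internal` host in the demo are placeholders.

```sh
#!/bin/sh
# Added example, not part of the original note: build forwarding specs,
# open a tunnel in the background and tear it down through a control
# socket. Assumes an OpenSSH client; TARGET and the ports are placeholders.
set -eu

# True for a TCP port in 1..65535, false for anything else.
valid_port() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Build the argument for -L or -R: [bind_addr:]port:dest_host:dest_port.
# The bind address defaults to loopback; use 0.0.0.0 only when other hosts
# should reach the tunnel (for -R the server additionally needs GatewayPorts).
# Usage: forward_spec <port> <dest_host> <dest_port> [bind_addr]
forward_spec() {
  local port="$1" dest_host="$2" dest_port="$3" bind="${4:-127.0.0.1}"
  valid_port "$port" && valid_port "$dest_port" || return 1
  printf '%s:%s:%s:%s\n' "$bind" "$port" "$dest_host" "$dest_port"
}

# Start a tunnel that outlives this shell: -f goes to the background after
# authentication, -N runs no remote command, -M/-S create a control socket
# so the tunnel can be inspected and closed later, and ExitOnForwardFailure
# makes ssh exit non-zero if the port cannot be bound (by default it stays
# connected with no tunnel at all, which is easy to miss).
# Usage: open_tunnel <-L|-R|-D> <spec> <user@host> <control_socket>
open_tunnel() {
  ssh -f -N -M -S "$4" -o ExitOnForwardFailure=yes "$1" "$2" "$3"
}

# Ask the background master whether it is alive, or tell it to exit
# (which also closes every forwarding it carries).
tunnel_check() { ssh -S "$2" -O check "$1"; }
tunnel_close() { ssh -S "$2" -O exit "$1"; }

# Demo, only run as `sh tunnel.sh demo`: it needs a reachable SSH server.
if [ "${1:-}" = demo ]; then
  target=${TARGET:-user@10.10.10.10}          # placeholder, export TARGET=...
  sock=${TMPDIR:-/tmp}/ssh-tunnel.sock
  # Local forward: 127.0.0.1:8080 here -> server -> localhost:8443 ON THE SERVER
  open_tunnel -L "$(forward_spec 8080 localhost 8443)" "$target" "$sock"
  tunnel_check "$target" "$sock"
  curl -sk https://127.0.0.1:8080/ >/dev/null
  tunnel_close "$target" "$sock"
  # SOCKS proxy: -D takes only [bind_addr:]port, there is no destination
  open_tunnel -D 1080 "$target" "$sock"
  curl -s --socks5-hostname 127.0.0.1:1080 http://example.internal/ >/dev/null
  tunnel_close "$target" "$sock"
fi
```

`--socks5-hostname` makes curl hand the hostname to the proxy, so name resolution happens on the SSH server side rather than leaking the lookup from the client. The same `tunnel_check`/`tunnel_close` pair works for `-R` tunnels; only the spec and the direction of the connection change.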
## SSH Server Setup
![[Linux Fundamentals - Network Services#^hn0g11]]
After the above configuration is set, the server can be enabled and started (the unit is called `ssh` on Debian/Ubuntu and `sshd` on Fedora/RHEL/Arch):
```sh
sudo systemctl enable ssh
sudo systemctl start ssh
```
![[Linux Fundamentals - Linux Security#^9mu1b5]]
### Adding Public Key to Authorized Keys
To add your public key to authorized keys you can either use `ssh-copy-id` if available or run the manual command listed below. Both log in once with username/password authentication and append the key to `~/.ssh/authorized_keys` on the server.
```sh
ssh-copy-id <USERNAME>@<IP-ADDRESS>
```
```sh
# substitute the public key you actually generated (e.g. id_ed25519.pub)
cat ~/.ssh/id_rsa.pub | ssh <USERNAME>@<IP-ADDRESS> 'mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys'
```
Note that logging in with an SSH key will not work if the permissions are too loose: with `StrictModes yes` (the default) sshd refuses to read `authorized_keys` when the home directory, `~/.ssh` or the file itself is owned by another user or is group- or world-writable. 755 (or 700) on the home directory, 700 on `~/.ssh` and 600 on `authorized_keys` are fine; 775 or 777 on the home directory is the usual culprit. When this happens the server's auth log shows `Authentication refused: bad ownership or modes for directory ...`.
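The following is an added example, not part of the original note, that checks the whole chain sshd walks under `StrictModes` (home directory, `~/.ssh`, `authorized_keys`) for the two things it actually cares about: ownership and group/world write bits. It assumes GNU `stat` (Linux); the owner defaults to the current user.

```sh
#!/bin/sh
# Added example, not part of the original note: check the ownership and
# modes that sshd's StrictModes (on by default) requires before it reads
# authorized_keys. Assumes GNU stat (Linux).
set -eu

# True when the path is owned by $2 and not writable by group or others,
# which is what "bad ownership or modes" in sshd's log complains about.
# Only the two write bits matter: 755, 750 and 700 all pass, 775 does not.
strict_modes_ok() {
  local path="$1" owner="$2" mode own
  mode=$(stat -c %a "$path") || return 1
  own=$(stat -c %U "$path") || return 1
  [ "$own" = "$owner" ] || { echo "$path: owned by $own, not $owner"; return 1; }
  # 0$mode turns "755" into the octal constant 0755; 022 masks g+w and o+w
  [ $(( 0$mode & 022 )) -eq 0 ] || { echo "$path: mode $mode is group/world writable"; return 1; }
}

# Check every path sshd walks: home, ~/.ssh and ~/.ssh/authorized_keys.
# Prints each offending path and returns non-zero if any of them fails.
# Usage: key_login_ok <home_dir> [owner]   (owner defaults to the current user)
key_login_ok() {
  local home="$1" owner="${2:-$(id -un)}" rc=0 p
  for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
    strict_modes_ok "$p" "$owner" || rc=1
  done
  return $rc
}

# Typical use on the server right after installing a key:
#   key_login_ok "$HOME" && echo "key login should work"
if [ "${1:-}" = check ]; then
  key_login_ok "${2:-$HOME}"
fi
```

Run it as the account that will log in (`sh strictmodes.sh check`), or pass another user's home directory and name as root. It deliberately ignores the private key file, which lives on the client and is checked by the ssh client, not by sshd.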
### Disabling SSH Password Authentication
Make sure the following properties are set in `/etc/ssh/sshd_config`:
```
PasswordAuthentication no
KbdInteractiveAuthentication no
UsePAM no
PubkeyAuthentication yes
```
`KbdInteractiveAuthentication` is the OpenSSH 8.7+ name of `ChallengeResponseAuthentication`; sshd treats the two spellings as the same keyword, so either works. `RSAAuthentication` was an SSH protocol 1 option and was removed together with protocol 1 in OpenSSH 7.4, so leave it out (a modern sshd only logs a deprecation warning for it).
Two caveats. `UsePAM no` also switches off PAM account and session modules (account expiry checks, `pam_systemd` session setup) on distributions that rely on them; since password and keyboard-interactive authentication are already disabled, PAM is no longer used to authenticate, so `UsePAM yes` can stay if `no` breaks something. And on distributions whose `sshd_config` starts with `Include /etc/ssh/sshd_config.d/*.conf` (Ubuntu 22.04 ships a `50-cloud-init.conf` there that sets `PasswordAuthentication yes`), the drop-in is read first and the first value of a keyword wins, so the lines above are silently overridden. Check the effective configuration with `sudo sshd -T | grep -i passwordauthentication`, validate syntax with `sudo sshd -t` before restarting, and confirm a key login works from a second terminal before closing your current session.
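Because sshd takes the first value it sees for a keyword and reads `Include` files in place, a hardening line can be overridden by a drop-in without any error. The script below is an added example, not part of the original note: it resolves the effective value of a keyword the way sshd does and audits the three authentication keywords above. Its assumptions are the `keyword value` syntax only (not `keyword=value`), relative `Include` paths resolved against the directory of the file containing them (real sshd resolves them against `/etc/ssh`), and lines after a `Match` block skipped because they are conditional rather than global.

```sh
#!/bin/sh
# Added example, not part of the original note: compute the settings sshd
# will actually use (first occurrence of a keyword wins, Include files are
# read in place) and audit the keywords from the section above.
# Assumptions: "keyword value" syntax only; relative Include paths are
# resolved against the directory of the file containing them (sshd uses
# /etc/ssh); everything after a Match line is skipped as conditional.
set -eu

# Print "keyword value" lines (keyword lowercased) in sshd's read order.
expand_config() {
  local file="$1" dir in_match=0 line kw rest g f
  dir=$(dirname "$file")
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line#"${line%%[![:space:]]*}"}           # strip leading blanks
    case $line in ''|\#*) continue ;; esac          # blank line or comment
    kw=${line%%[[:space:]]*}
    rest=${line#"$kw"}; rest=${rest#"${rest%%[![:space:]]*}"}
    kw=$(printf '%s' "$kw" | tr '[:upper:]' '[:lower:]')
    case $kw in
      match) in_match=1 ;;
      include)
        set -f                                      # split the arguments without globbing
        for g in $rest; do
          set +f
          case $g in /*) ;; *) g="$dir/$g" ;; esac
          for f in $g; do                           # the glob expands here
            if [ -f "$f" ]; then expand_config "$f"; fi
          done
          set -f
        done
        set +f ;;
      *) [ "$in_match" -eq 1 ] || printf '%s %s\n' "$kw" "$rest" ;;
    esac
  done < "$file"
}

# Effective value of one keyword; empty when unset (compiled-in default).
# ChallengeResponseAuthentication is the pre-8.7 name of
# KbdInteractiveAuthentication and sshd treats them as one keyword.
effective() {
  local k
  k=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  [ "$k" = challengeresponseauthentication ] && k=kbdinteractiveauthentication
  expand_config "$1" | awk -v k="$k" '
    $1 == "challengeresponseauthentication" { $1 = "kbdinteractiveauthentication" }
    $1 == k { $1 = ""; sub(/^ /, ""); print; exit }'
}

# Audit the keywords from the section above, using sshd's compiled-in
# defaults (yes for all three) when a keyword is unset. Prints each
# mismatch and returns non-zero if password logins would still be accepted.
check_hardening() {
  local cfg="$1" rc=0 pair kw want v
  for pair in PasswordAuthentication:no KbdInteractiveAuthentication:no PubkeyAuthentication:yes; do
    kw=${pair%%:*}; want=${pair#*:}
    v=$(effective "$cfg" "$kw" | tr '[:upper:]' '[:lower:]')
    if [ "${v:-yes}" != "$want" ]; then
      echo "$kw is '${v:-yes (default)}', want '$want' (look for an Include drop-in such as sshd_config.d/*.conf)"
      rc=1
    fi
  done
  return $rc
}

# `sh audit.sh /etc/ssh/sshd_config` audits a real config file.
if [ "${1:-}" != "" ]; then
  check_hardening "$1"
fi
```

On a live host `sudo sshd -T` is the authoritative view, since it is sshd itself evaluating the file; this script is for checking a config before it is deployed, or one copied off a box where you cannot run sshd. Either way, a drop-in that sets `PasswordAuthentication yes` above your hardening lines shows up as a failed check rather than as a surprise later.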
Note that if you're setting up a Raspberry Pi, the Raspberry Pi Imager's advanced options can enable SSH with public-key authentication only and install your key at image time, so these steps are done for you.