Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. Typical applications include remote command-line, login, and remote command execution, but any network service can be secured with SSH. — Wikipedia

Keys

Create new key (ed25519 unless the server cannot use it):

ssh-keygen -t ed25519 -f ~/.ssh/key_id

Copy public key to server:

ssh-copy-id -i ~/.ssh/key_id user@host

In ~/.ssh/config (client side; /etc/ssh/sshd_config is the server's file and does not take Host blocks):

Host github.com
  User github-user
  IdentityFile ~/.ssh/github_id

Tunneling

Local

ssh -L 8080:www.ubuntuforums.org:80 <host>
  • the destination is resolved and reached from <host>, not from the client

Dynamic (SOCKS proxy on localhost:8888)

ssh -D 8888 thomas@1.2.3.4 [-p 443]
  • -C enables compression
  • -N when no remote shell is needed

Reverse

In /etc/ssh/sshd_config on the server that accepts the -R forward (without it remote forwards bind to loopback only):

GatewayPorts yes # bind all tunnels to 0.0.0.0
GatewayPorts clientspecified # let the client decide how to bind

Start tunnel:

ssh -R 0.0.0.0:8080:localhost:1313 -N bastion

Or the same thing in ~/.ssh/config (then: ssh -N reverse-tunnel):

Host reverse-tunnel
  Hostname login.example.com
  RemoteForward 0.0.0.0:8080 localhost:1313

Jump client

New format; OpenSSH 7.3 and later (ProxyJump), in ~/.ssh/config:

Host login
  Hostname login.example.com
  Port 2313

Host web01
  Hostname vm-web01.lan.example.com
  ProxyJump login

Old format; before OpenSSH 7.3 (ProxyCommand with -W), in ~/.ssh/config:

Host login
  Hostname login.example.com
  Port 2313

Host web01
  Hostname vm-web01.lan.example.com
  ProxyCommand ssh -q -W %h:%p login

SSHFP record

Publish the server's host key (not a user key) as a DNS SSHFP record:

ssh-keygen -r login.example.com -f /etc/ssh/ssh_host_ed25519_key.pub
  • clients use it with VerifyHostKeyDNS yes (or ask) in ssh_config; only DNSSEC-validated answers are trusted implicitly, unvalidated ones are handled as "ask"
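Added example, not from this page and not OpenSSH code: how an SSHFP record is derived from an OpenSSH public-key line (the same computation as ssh-keygen -r) and how a client compares a record fetched from DNS against the key a host presents. The algorithm and fingerprint-type numbers follow RFC 4255, 6594, 7479 and 8709; the two key lines at the bottom are constructed from fixed bytes and are not real host keys.

```python
"""Compute and verify SSHFP resource records for OpenSSH public keys."""
import base64
import hashlib
import struct

# Key-type token of an OpenSSH public-key line -> SSHFP algorithm number.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
    "ssh-ed448": 6,
}
# SSHFP fingerprint type number -> hash algorithm.
SSHFP_HASH = {1: "sha1", 2: "sha256"}


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH 'string' (big-endian uint32 length + payload)."""
    return struct.pack(">I", len(data)) + data


def parse_pubkey_line(line: str):
    """Return (key_type, raw_blob) for an OpenSSH public-key line.

    The first SSH string inside the blob names the key type; refuse lines
    whose leading token disagrees with it, as ssh-keygen does.
    """
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, blob = fields[0], base64.b64decode(fields[1])
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode() != key_type:
        raise ValueError("key type token does not match key blob")
    return key_type, blob


def sshfp_record(hostname: str, pubkey_line: str, fptype: int = 2) -> str:
    """Build the record ssh-keygen -r prints for this key (SHA-256 by default).

    The fingerprint is the hash of the raw key blob, i.e. the base64 payload.
    """
    key_type, blob = parse_pubkey_line(pubkey_line)
    alg = SSHFP_ALGORITHM[key_type]
    fp = hashlib.new(SSHFP_HASH[fptype], blob).hexdigest()
    return f"{hostname} IN SSHFP {alg} {fptype} {fp}"


def sshfp_matches(record: str, pubkey_line: str) -> bool:
    """Client-side check (what VerifyHostKeyDNS does): does the host key
    presented in the handshake match the SSHFP record fetched from DNS?"""
    fields = record.split()
    alg, fptype, fp = int(fields[-3]), int(fields[-2]), fields[-1].lower()
    key_type, blob = parse_pubkey_line(pubkey_line)
    if SSHFP_ALGORITHM.get(key_type) != alg or fptype not in SSHFP_HASH:
        return False
    return hashlib.new(SSHFP_HASH[fptype], blob).hexdigest() == fp


def make_ed25519_line(pub: bytes, comment: str = "host") -> str:
    """Constructed key line (NOT a real host key): an ed25519 blob is the SSH
    string "ssh-ed25519" followed by the SSH string of the 32-byte public key."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(pub)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


# Constructed sample keys, assumed to belong to two different hosts.
HOST_KEY_A = make_ed25519_line(bytes(range(32)))
HOST_KEY_B = make_ed25519_line(bytes(range(1, 33)))

if __name__ == "__main__":
    rec = sshfp_record("login.example.com", HOST_KEY_A)
    print(rec)
    print("A matches:", sshfp_matches(rec, HOST_KEY_A))   # True
    print("B matches:", sshfp_matches(rec, HOST_KEY_B))   # False
```

Feed sshfp_record() the contents of /etc/ssh/ssh_host_*.pub to get the same lines as ssh-keygen -r; ssh-keygen prints both the SHA-1 (type 1) and SHA-256 (type 2) variants, and modern clients only compare the SHA-256 one.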

SSH agent

eval "$(ssh-agent -s)"
ssh-add ~/.ssh/key_id

SFTP

Client

sftp -P 1234 thomas@login.example.com

Mount

sshfs web01:/backup/ /mnt/web01/

Without shell access

/etc/ssh/sshd_config (Match blocks go last: every line after a Match belongs to it until the next Match)

Match User leecher
# Match Group leechers
  ForceCommand internal-sftp
  PasswordAuthentication yes
  ChrootDirectory /mnt/sftp
  PermitTunnel no
  AllowAgentForwarding no
  AllowTcpForwarding no
  X11Forwarding no
  • /mnt/sftp and every directory above it must be owned by root and not writable by group or others, or sshd refuses the login; give the user a writable subdirectory inside the chroot
  • check before reloading: sshd -t, then sshd -T -C user=leecher | grep -i -e forcecommand -e chroot

Server

Disable password login

PasswordAuthentication no
KbdInteractiveAuthentication no
# ChallengeResponseAuthentication no   (same keyword under its pre-8.7 name)
UsePAM no
  • the first value of a keyword wins, so these lines must come before any other setting of the same keyword, including files pulled in by an Include at the top of the file (Debian/Ubuntu: /etc/ssh/sshd_config.d/*.conf)
  • UsePAM no also drops PAM account and session handling; where PAM is needed keep UsePAM yes, the two Authentication lines alone already stop password prompts
  • verify with sshd -t and sshd -T | grep -i authentication before reloading
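Added example, not from this page and not part of OpenSSH: a small resolver for the sshd_config rules that make hardening silently fail (first value of a keyword wins in the global section, a Match block overrides it for the connections it matches, and the first matching Match block wins when several set the same keyword), followed by an audit of the settings this page recommends. It serves both the SFTP-only Match block above and the password-login section. The sample config is constructed from the snippets on this page; the DEFAULTS table holds upstream OpenSSH defaults for the keywords checked; Match criteria other than User and Group, the "!" negation and Include files are not modelled.

```python
"""Resolve the sshd_config that applies to one user and audit the result."""
import fnmatch

# Upstream OpenSSH defaults for the keywords this audit looks at.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "allowtcpforwarding": "yes",
    "allowagentforwarding": "yes",
    "x11forwarding": "no",
    "permittunnel": "no",
}


def parse_sshd_config(text):
    """Return (global_settings, [(criteria, settings), ...]).

    Keywords are lower-cased and only the FIRST value per scope is kept,
    which is what sshd does. Include lines are recorded, not followed.
    """
    global_settings, blocks, scope = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "challengeresponseauthentication":   # pre-8.7 name, same keyword
            keyword = "kbdinteractiveauthentication"
        if keyword == "match":
            tokens = value.split()   # "User a,b Group g" -> pairs; "Match all" -> no criteria
            criteria = {k.lower(): v.split(",") for k, v in zip(tokens[0::2], tokens[1::2])}
            scope = {}
            blocks.append((criteria, scope))
            continue
        (global_settings if scope is None else scope).setdefault(keyword, value)
    return global_settings, blocks


def match_applies(criteria, user, groups):
    """User/Group criteria with sshd-style * and ? wildcards; other criteria
    (Host, Address, ...) are treated as not matching in this model."""
    for key, patterns in criteria.items():
        if key == "user":
            names = [user]
        elif key == "group":
            names = list(groups)
        else:
            return False
        if not any(fnmatch.fnmatchcase(n, p) for n in names for p in patterns):
            return False
    return True


def effective_config(text, user, groups=()):
    """Roughly what `sshd -T -C user=<user>` prints, for the tracked keywords."""
    global_settings, blocks = parse_sshd_config(text)
    effective = {**DEFAULTS, **global_settings}
    set_by_match = set()
    for criteria, settings in blocks:
        if not match_applies(criteria, user, groups):
            continue
        for keyword, value in settings.items():
            if keyword not in set_by_match:   # first matching Match block wins
                effective[keyword] = value
                set_by_match.add(keyword)
    return effective


def audit(effective, sftp_only=False):
    """List of findings; empty means this page's hardening is in effect."""
    cfg = {k: v.lower() for k, v in effective.items()}
    wanted = {"passwordauthentication": "no", "kbdinteractiveauthentication": "no",
              "permitrootlogin": "no"}
    if sftp_only:
        wanted.update({"forcecommand": "internal-sftp", "allowtcpforwarding": "no",
                       "allowagentforwarding": "no", "x11forwarding": "no", "permittunnel": "no"})
    findings = [f"{k} is {cfg.get(k, 'unset')}, expected {v}"
                for k, v in wanted.items() if cfg.get(k) != v]
    if sftp_only and "chrootdirectory" not in cfg:
        findings.append("sftp-only user is not chrooted")
    return findings


# Constructed sample modelled on this page's snippets, not a real server's file.
SAMPLE_SSHD_CONFIG = """
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
# the next line is ignored by sshd: the first value of a keyword wins
PasswordAuthentication yes

Match User leecher
  ForceCommand internal-sftp
  PasswordAuthentication yes
  ChrootDirectory /mnt/sftp
  PermitTunnel no
  AllowAgentForwarding no
  AllowTcpForwarding no
  X11Forwarding no
"""

if __name__ == "__main__":
    for user, groups, sftp in (("thomas", ("staff",), False), ("leecher", ("leechers",), True)):
        eff = effective_config(SAMPLE_SSHD_CONFIG, user, groups)
        print(user, eff["passwordauthentication"], audit(eff, sftp_only=sftp))
```

For the leecher user the audit reports the deliberate PasswordAuthentication yes from the Match block and nothing else; for everyone else the later PasswordAuthentication yes line is correctly ignored. Compare the output with `sshd -T -C user=<name>` on the real host, which also resolves Include files and Address/Host criteria this model skips.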

autossh

https://www.harding.motd.ca/autossh/

autossh -M 20000 -f -N your_public_server -R 1234:localhost:22 -C
  • -M port[:echo_port] specifies the base monitoring port to use
  • -M 0 turns the monitor port off; then add -o ServerAliveInterval=30 -o ServerAliveCountMax=3 so ssh itself exits on a dead link and autossh restarts it