James's Ramblings

SSH

Created: June 14, 2019 (Updated: July 05, 2022)

Generate a new SSH key

On the client computer:

ssh-keygen -t ed25519 -a 100
  • -t ed25519: the key type. ssh-keygen does not accept ssh-ed25519 here; that spelling is the algorithm name that appears inside the public key line.
  • -a: number of KDF rounds used to wrap the private key with its passphrase. More rounds make the passphrase harder to brute force offline if the key file is stolen, at the cost of a slower passphrase check each time the key is loaded. It does nothing for a key with no passphrase, and it has no effect on the speed of authentication itself.

With some comments:

ssh-keygen -t ed25519 -C "- SERVICE - USERNAME - $(uuidgen) - Generated: $(date +"%y-%m-%d")"

The comment is stored in the public key and ends up verbatim in the server's authorized_keys, which is what makes it useful for telling keys apart later, so keep it free of anything you would not want on the server.

Configuring SSH for keys stored in ~/keys

Add the following to the end of ~/.ssh/config:

Host [HOSTNAME]
	Hostname [IP/DN]
	IdentityFile [PATH]
	User [USERNAME]

If keys are stored outside the default directory and IdentityFile is NOT set, the -i /path/to/file option is needed for every login, which is a pain. Adding IdentitiesOnly yes to the same block stops ssh from also offering every key loaded in the agent before the one named here, which otherwise shows up as extra failed attempts in the server log and can trip MaxAuthTries on hosts with many keys.

Copy the SSH key to the server

ssh-copy-id -i ~/keys/sapphire.pub user@host

Disable password logins

  • Edit /etc/ssh/sshd_config. sshd uses the FIRST value it reads for a keyword, so check that no earlier line (or an Include'd file) already sets it, and that a later Match block does not re-enable passwords for some users.
  • ChallengeResponseAuthentication no (OpenSSH 8.7 and later call this KbdInteractiveAuthentication; the old name still works as an alias)
  • PasswordAuthentication no
  • UsePAM no (not supported on current RHEL/CentOS/Fedora, where sshd is built against PAM and the stock config warns that this setting may break logins; leave it at yes there and rely on the two lines above)
  • PermitRootLogin no
  • Check the file with sudo sshd -t, keep your current session open, then sudo systemctl reload ssh (the unit is called sshd on RHEL-family systems)
  • From a second terminal, confirm that key login still works and that ssh -o PubkeyAuthentication=no user@host is refused instead of prompting for a password
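A quick offline audit of an sshd_config file against the checklist above, added here as an example (it is not part of the original notes). It follows sshd's rules that the first value for a keyword wins and that lines after a Match block only apply conditionally, and it accepts either spelling of the challenge-response keyword. The two config snippets inside demo are constructed for the demo. On the server itself, sudo sshd -T prints the effective configuration and is the authoritative check; this script is for the file you are about to install.

```shell
#!/bin/sh
# Added audit helper for the "Disable password logins" checklist (not from the
# original notes). sshd takes the FIRST value it sees for a keyword, and
# directives after a "Match" line only apply to matched sessions, so scanning
# stops there. `sshd -T` on the server remains the authoritative view.

# Print the effective value of keyword $2 in config file $1, lower-cased;
# prints nothing if the keyword is unset (sshd's compiled-in default applies).
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/              { next }   # comment line
        tolower($1) == "match"        { exit }   # rest is conditional
        NF >= 2 && tolower($1) == key { print tolower($2); exit }
    ' "$1"
}

# Return 0 if the file disables password and root logins as the notes
# describe, 1 otherwise (one FAIL line per problem on stdout).
check_sshd_config() {
    f=$1; rc=0
    for pair in PasswordAuthentication=no PermitRootLogin=no; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_value "$f" "$key")
        [ "$got" = "$want" ] || { echo "FAIL: $key is '${got:-unset}', want '$want'"; rc=1; }
    done
    # OpenSSH 8.7+ renamed ChallengeResponseAuthentication to
    # KbdInteractiveAuthentication; accept either spelling, first one found wins.
    kbd=$(sshd_value "$f" KbdInteractiveAuthentication)
    [ -n "$kbd" ] || kbd=$(sshd_value "$f" ChallengeResponseAuthentication)
    [ "$kbd" = "no" ] || { echo "FAIL: keyboard-interactive/challenge-response is '${kbd:-unset}', want 'no'"; rc=1; }
    return $rc
}

# Stand-alone demo on two constructed config snippets (not real server files).
demo() {
    weak=$(mktemp); hard=$(mktemp)
    cat >"$weak" <<'EOF'
# Debian-style default: everything commented out, so sshd defaults apply
#PasswordAuthentication yes
#PermitRootLogin prohibit-password
ChallengeResponseAuthentication yes
EOF
    cat >"$hard" <<'EOF'
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
# Everything below only applies to user "deploy"; the audit ignores it
Match User deploy
    PasswordAuthentication yes
EOF
    echo "== weak =="; check_sshd_config "$weak" && echo OK
    echo "== hardened =="; check_sshd_config "$hard" && echo OK
    rm -f "$weak" "$hard"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it as sh audit.sh --demo to see both snippets judged, or call check_sshd_config /etc/ssh/sshd_config from your own scripts. The Match handling is deliberately conservative: a password exception for one user is a policy decision, not something an automated check should silently approve.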

SSH forwarding

The ssh-agent may need to be started first. Running ssh-agent on its own only prints the environment variables it needs; evaluate its output so the current shell picks them up: eval "$(ssh-agent -s)"

Add a private key identity to the authentication agent (ssh-add prompts for the passphrase if the key has one):

ssh-add [KEY_FILE]    # anything that can reach the agent socket can use the key silently
ssh-add -c [KEY_FILE] # ask for confirmation on every use of the key (needs ssh-askpass); use this for keys you intend to forward

List keys in the ssh-agent: ssh-add -l

The -A flag for ssh enables forwarding of the authentication agent connection.

Inside ~/.ssh/config, ForwardAgent yes can be added to avoid typing -A every time:

Host [HOSTNAME]
	Hostname [IP/DN]
	IdentityFile [PATH]
	User [USERNAME]
	ForwardAgent yes

Only do this for hosts whose administrators you trust: while you are connected, root on that host can sign with any key in your agent (it cannot read the keys, but it does not need to). Never set it under Host *. For the bastion case, ProxyJump below avoids exposing the agent at all.

SSH ProxyJump

  • The replacement for forwarding the agent to a bastion: the client opens a second ssh connection tunnelled through the first, so the bastion only relays a TCP stream and never sees the agent or any key.
  • Uses the -J flag.
  • The private key for the destination must be on the client (via IdentityFile or the agent), not on the bastion.
  • Requires OpenSSH 7.3 or later on the client.

ssh -J [USER]@[BASTION_HOST] [USER]@[DESTINATION]

In ~/.ssh/config:

Host [BASTION_HOSTNAME]
	Hostname [IP/DN]
	User [USERNAME]

Host [HOSTNAME]
	Hostname [IP/DN]
	User [USERNAME]
	ProxyJump [BASTION_HOSTNAME]

ProxyJump takes the name of the bastion (an alias from another Host block, or user@host[:port]), not yes/no. The bastion's own block supplies its user, key and address when ssh connects to it.

For OpenSSH versions prior to 7.3, ProxyCommand with -W does the same job (the bastion still only relays the stream):

ssh -o ProxyCommand="ssh -W %h:%p bastion-host" remote-host

In ~/.ssh/config:

Host remote-host
	ProxyCommand ssh bastion-host -W %h:%p
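A complete client config for the bastion setup above, as an added example that is not part of the original notes. It ties together the IdentityFile pattern from the start of the page and the ProxyJump section, sets ForwardAgent no on both hops so the bastion never gets the agent, and then uses ssh -G (OpenSSH 6.8 and later) to print the options ssh would actually apply to each host without connecting anywhere. The host aliases, addresses, users and key paths are made up, and IdentitiesOnly yes is my addition rather than something the notes specify.

```shell
#!/bin/sh
# Added example (not from the original notes): a ProxyJump client config and
# an `ssh -G` check of what ssh resolves for it. Names and paths are made up.

# Write the config to $1. The destination key stays on the client; the
# bastion only relays the TCP connection, so the agent is never forwarded.
write_config() {
    cat >"$1" <<'EOF'
Host bastion
	Hostname 203.0.113.10
	User jumpuser
	IdentityFile ~/keys/bastion
	IdentitiesOnly yes
	ForwardAgent no

Host target
	Hostname 10.0.0.5
	User james
	IdentityFile ~/keys/sapphire
	IdentitiesOnly yes
	ProxyJump bastion
	ForwardAgent no
EOF
}

# Print the value ssh resolves for option $3 when connecting to host $2 with
# config file $1. `ssh -G` prints one lower-cased keyword per line and exits
# without opening a connection.
resolved() {
    ssh -G -F "$1" "$2" | awk -v k="$3" '$1 == k { print $2; exit }'
}

# Return 0 if "target" really goes through the bastion, as the right user,
# without forwarding the agent; 1 with a FAIL line otherwise.
check_jump_config() {
    cfg=$1
    case "$(resolved "$cfg" target proxyjump)" in
        *bastion*) ;;
        *) echo "FAIL: target does not jump through bastion"; return 1 ;;
    esac
    [ "$(resolved "$cfg" target forwardagent)" = "no" ] || { echo "FAIL: agent would be forwarded"; return 1; }
    [ "$(resolved "$cfg" target user)" = "james" ] || { echo "FAIL: wrong user for target"; return 1; }
    return 0
}

if [ "${1:-}" = "--demo" ]; then
    cfg=$(mktemp)
    write_config "$cfg"
    check_jump_config "$cfg" && echo "target -> bastion -> 10.0.0.5, agent not forwarded"
    rm -f "$cfg"
fi
```

The same ssh -G trick works on your real ~/.ssh/config (drop the -F): it is the quickest way to find out which Host block, Include or Host * default is really setting ForwardAgent or ProxyCommand for a given name.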

Forward a local port to a remote server

ssh -L [LOCAL_PORT]:127.0.0.1:[REMOTE_PORT] user@remote_host

Connections to 127.0.0.1:[LOCAL_PORT] on this machine travel through the tunnel and come out of remote_host aimed at 127.0.0.1:[REMOTE_PORT] as seen from remote_host.

Forward a remote port to the local machine

ssh -R [REMOTE_PORT]:127.0.0.1:[LOCAL_PORT] user@remote_host

The first port is always the one being opened (on remote_host for -R, locally for -L). Connections to 127.0.0.1:[REMOTE_PORT] on remote_host come back through the tunnel to 127.0.0.1:[LOCAL_PORT] here. Both kinds of forward bind to loopback only unless you give a bind address (or, for -R, the server sets GatewayPorts), so other machines on either network cannot reach the tunnel.

Recover a public key from a private key

ssh-keygen -y -f PRIVATE_KEY_FILE
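A worked version of the key generation at the top of the page and of the recovery step just above, added here as an example (not part of the original notes). It generates a throwaway ed25519 key with the -a and -C options the notes describe, then shows that the .pub file is only a convenience copy by recomputing the public half from the private key and comparing the two, and prints the fingerprint to match against the server side. The key is created with an empty passphrase purely so the demo runs unattended; the comment uses id -un instead of the uuidgen from the notes because uuidgen is not installed everywhere.

```shell
#!/bin/sh
# Added example (not from the original notes): generate an ed25519 key the
# way the notes describe and verify it. Paths and comment text are made up.

# Generate an ed25519 key at $1 with a descriptive comment.
# -a 100: 100 KDF rounds when wrapping the private key with a passphrase.
# -N '':  empty passphrase so the demo runs unattended; for a real key drop
#         -N and type a passphrase when prompted (otherwise -a does nothing).
make_key() {
    key=$1
    ssh-keygen -q -t ed25519 -a 100 -N '' -f "$key" \
        -C "- demo-service - $(id -un) - Generated: $(date +%Y-%m-%d)"
}

# Return 0 if the public key stored in $1.pub matches the one derived from
# the private key $1 (type and base64 fields; the comment is ignored),
# 1 if the files disagree. If the .pub file is lost, `ssh-keygen -y` is
# exactly how you recreate it.
verify_pubkey() {
    key=$1
    derived=$(ssh-keygen -y -f "$key" | cut -d' ' -f1,2)
    stored=$(cut -d' ' -f1,2 "$key.pub")
    [ "$derived" = "$stored" ]
}

# SHA256 fingerprint of the key, as shown by `ssh-keygen -lf`. Compare it
# with `ssh-keygen -lf ~/.ssh/authorized_keys` on the server, or with the
# "Accepted publickey ... SHA256:..." line in the server's auth log.
fingerprint() {
    ssh-keygen -lf "$1.pub"
}

if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d)
    make_key "$dir/demo"
    verify_pubkey "$dir/demo" && echo "public key file matches the private key"
    fingerprint "$dir/demo"
    rm -rf "$dir"
fi
```

Run it as sh keydemo.sh --demo. The verify step is also a cheap sanity check before ssh-copy-id: if someone handed you a mismatched key pair, the copy would succeed and the login would still fail.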

Agent forwarding

An SSH agent must be active first, with the key loaded (ssh-add -c if you want to approve each use). The same trust caveat as ForwardAgent above applies: root on remote_host can use your keys for as long as you stay connected.

ssh -A user@remote_host