James's Ramblings

SSH

Created: December 19, 2024

Generate a new SSH key

ssh-keygen -t ed25519
  • -a [ROUNDS]: increases the number of rounds used when encrypting the private key with its passphrase. Makes the key file more resistant to brute force at the cost of slower passphrase verification each time the key is unlocked.

With some useful comments:

ssh-keygen -t ed25519 -C "$(uuidgen) - Generated: $(date +"%y-%m-%d")"

SSH Config File

Add the following to the end of ~/.ssh/config:

Host [HOSTNAME]
	Hostname [IP/DN]
	IdentityFile [PATH]
	User [USERNAME]

NOTE: If keys are stored outside of the default directory and this identity file is NOT set, the -i /path/to/file option is needed for every login, which is a pain.

Copy SSH Key to a Server

ssh-copy-id -i PATH_TO.pub user@host

Disable Password Logins

NOTE: Possibly out of date.

  • Edit /etc/ssh/sshd_config and set:
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
PermitRootLogin no
  • UsePAM no is not supported in current versions of RHEL/CentOS/Fedora.
  • sudo systemctl reload ssh
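As an added example (not from these notes), a small POSIX shell audit that reads an sshd_config and reports whether the password-login settings above are actually in effect. It mirrors two sshd parsing rules that make a careless edit silently ineffective: the first value of a keyword wins, so a line appended to the end of the file does nothing if the keyword was already set higher up (files pulled in by an Include line are parsed in place of that line, so drop-ins near the top win for the same reason), and values inside a Match block are conditional, so they are not counted. The two sample config files are constructed for the demo; the defaults assumed for unset keywords are the ones documented in sshd_config(5), and Include directives are not followed.

```shell
#!/bin/sh
# Added example, not from the original notes: check whether an sshd_config
# really disables password logins, using sshd's own parsing rules.

# effective_sshd_value FILE KEYWORD
# Print the value sshd would use for KEYWORD, or nothing if it is unset.
# Rules mirrored from sshd_config(5): comments and blank lines are skipped,
# keywords are case-insensitive, the FIRST value wins, and scanning stops at
# the first "Match" line because everything after it is conditional.
# Limitation: Include directives are not followed; audit those files too.
effective_sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        NF == 0 || $1 ~ /^#/   { next }
        tolower($1) == "match" { exit }
        tolower($1) == key     { print tolower($2); exit }
    ' "$1"
}

# audit_sshd_config FILE
# Print one WEAK line per setting that does not match the notes above and
# return 1 if any were found (0 means password logins are off).
audit_sshd_config() {
    _file=$1; _bad=0
    # keyword:wanted:default-when-unset (defaults from sshd_config(5))
    for _row in PasswordAuthentication:no:yes \
                KbdInteractiveAuthentication:no:yes \
                PermitRootLogin:no:prohibit-password; do
        _key=${_row%%:*}; _rest=${_row#*:}
        _want=${_rest%%:*}; _default=${_rest#*:}
        _got=$(effective_sshd_value "$_file" "$_key")
        # ChallengeResponseAuthentication is the pre-8.7 name of the same option
        if [ -z "$_got" ] && [ "$_key" = KbdInteractiveAuthentication ]; then
            _got=$(effective_sshd_value "$_file" ChallengeResponseAuthentication)
        fi
        if [ -n "$_got" ]; then _src=file; else _got=$_default; _src=default; fi
        if [ "$_got" != "$_want" ]; then
            echo "WEAK $_key=$_got ($_src), want $_want"
            _bad=1
        fi
    done
    return $_bad
}

# write_sample_configs DIR
# Two constructed sshd_config fragments for the demo (not real server files).
write_sample_configs() {
    # Looks hardened at the bottom, but the earlier "yes" lines win.
    cat > "$1/weak.conf" <<'EOF'
# constructed sample: appended settings that never take effect
PasswordAuthentication yes
PermitRootLogin yes
PasswordAuthentication no
PermitRootLogin no
EOF
    # The settings from the notes, placed before the only Match block.
    cat > "$1/hardened.conf" <<'EOF'
# constructed sample: hardened, with a conditional exception the audit does not count
ChallengeResponseAuthentication no
PasswordAuthentication no
PermitRootLogin no
Match User backup
    PasswordAuthentication yes
EOF
}

# Demo: audit both samples and report.
main() {
    _dir=$(mktemp -d)
    write_sample_configs "$_dir"
    for _name in weak hardened; do
        if audit_sshd_config "$_dir/$_name.conf"; then
            echo "$_name.conf: password logins are off"
        else
            echo "$_name.conf: NOT hardened"
        fi
    done
    rm -rf "$_dir"
}
[ -n "${SSHD_AUDIT_NO_MAIN:-}" ] || main
```

Point audit_sshd_config at a real /etc/ssh/sshd_config to use it outside the demo. The authoritative check after any edit is still `sshd -T`, which prints the configuration sshd will actually apply after all parsing, including Include files.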

SSH Forwarding

The ssh-agent may need to be started first with: eval "$(ssh-agent)" (running ssh-agent on its own only prints the environment variables; eval sets them in the current shell).

Add a private key identity to the authentication agent:

ssh-add [KEY_FILE] # prompts for the passphrase if the key has one
ssh-add -c [KEY_FILE] # asks for confirmation every time the key is used (worth it when forwarding the agent)

List keys in the ssh-agent: ssh-add -l

The -A flag for ssh enables forwarding of the authentication agent connection.

Inside ~/.ssh/config, ForwardAgent yes can be added to avoid typing -A every time:

Host [HOSTNAME]
	Hostname [IP/DN]
	IdentityFile [PATH]
	User [USERNAME]
	ForwardAgent yes

SSH ProxyJump

  • Like agent forwarding, except faster.
  • Uses the -J flag.
  • The private key must be somewhere ssh can find it on the local machine (e.g. via IdentityFile).
  • Requires OpenSSH 7.3 or later.

ssh -J [USER]@[BASTION_HOST] [USER]@[DESTINATION]

In ~/.ssh/config:

Host [BASTION_HOSTNAME]
	Hostname [IP/DN]

Host [HOSTNAME]
	Hostname [IP/DN]
	ProxyJump [BASTION_HOSTNAME]

For SSH versions prior to 7.3:

ssh -o ProxyCommand="ssh -W %h:%p bastion-host" remote-host

In ~/.ssh/config:

Host remote-host
  ProxyCommand ssh bastion-host -W %h:%p
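The client config stanzas above (IdentityFile, ForwardAgent, ProxyJump, ProxyCommand) all depend on the ssh_config first-match rule: for a given host, ssh walks ~/.ssh/config top to bottom and uses the first value it finds for each option, so a catch-all Host * block has to sit at the end, after the specific hosts. As an added example, not from these notes, here is a POSIX shell resolver that mimics that lookup for single-valued options over a constructed config, plus a deliberately mis-ordered copy showing ForwardAgent yes leaking to every host. It handles Host blocks with glob patterns only; negated (!) patterns, Match blocks, Include and multi-valued options such as IdentityFile are out of scope. The real answer for a live config is ssh -G [HOSTNAME], which prints the effective configuration.

```shell
#!/bin/sh
# Added example, not from the original notes: resolve what ssh(1) would use
# for one option on one host, following ssh_config's first-match rule.

# ssh_config_value FILE HOST KEYWORD
# Walk FILE top to bottom. Settings before any "Host" line apply everywhere;
# each "Host" line opens a block that applies when any of its glob patterns
# matches HOST. The FIRST value seen for KEYWORD is printed, so a specific
# Host block only wins if it appears before "Host *".
# Not handled: negated (!) patterns, Match blocks, Include, and multi-valued
# options such as IdentityFile (which accumulate rather than take the first).
ssh_config_value() {
    awk -v host="$2" -v key="$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]')" '
        function glob2re(p) {              # "app-*" -> "^app-.*$"
            gsub(/[.]/, "[.]", p); gsub(/[*]/, ".*", p); gsub(/[?]/, ".", p)
            return "^" p "$"
        }
        BEGIN { active = 1 }               # global section before any Host line
        NF == 0 || $1 ~ /^#/ { next }
        tolower($1) == "host" {
            active = 0
            for (i = 2; i <= NF; i++) if (host ~ glob2re($i)) active = 1
            next
        }
        active && tolower($1) == key { print $2; exit }
    ' "$1"
}

# write_sample_ssh_configs DIR
# Two constructed client configs: "good" puts the specific hosts first, while
# "misordered" starts with Host *, so its ForwardAgent yes applies everywhere.
write_sample_ssh_configs() {
    cat > "$1/good" <<'EOF'
# constructed sample: specific blocks first, catch-all last
Host bastion
    Hostname 192.0.2.10
    User jump

Host app-*
    ProxyJump bastion
    ForwardAgent no

Host *
    User james
    ForwardAgent yes
EOF
    cat > "$1/misordered" <<'EOF'
# constructed sample: Host * first, so later blocks cannot override it
Host *
    ForwardAgent yes

Host app-*
    ProxyJump bastion
    ForwardAgent no
EOF
}

# Demo: show the difference the ordering makes for the host "app-db".
main() {
    _dir=$(mktemp -d)
    write_sample_ssh_configs "$_dir"
    for _cfg in good misordered; do
        echo "$_cfg: app-db -> ProxyJump=$(ssh_config_value "$_dir/$_cfg" app-db ProxyJump)" \
             "ForwardAgent=$(ssh_config_value "$_dir/$_cfg" app-db ForwardAgent)"
    done
    rm -rf "$_dir"
}
[ -n "${SSH_RESOLVE_NO_MAIN:-}" ] || main
```

The mis-ordered sample is the case to watch for with agent forwarding: a Host * block with ForwardAgent yes at the top of the file hands your agent to every server you connect to, including ones whose block later says ForwardAgent no.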

Forward a Local Port to a Remote Server

ssh -L [LOCAL_PORT]:127.0.0.1:[REMOTE_PORT] user@remote_host

Forward a Remote Port to the Local Machine

ssh -R [REMOTE_PORT]:127.0.0.1:[LOCAL_PORT] user@remote_host

Recover a Public Key from a Private Key

ssh-keygen -y -f PRIVATE_KEY_FILE

Agent Forwarding

NOTE: An SSH agent must be active first.

ssh -A user@remote_host