(Grav GitSync) Automatic Commit from RealStickman

This commit is contained in:
RealStickman 2022-06-25 11:31:59 +02:00 committed by GitSync
parent 8a0204aacd
commit f6bf3003cd

View File

@ -0,0 +1,127 @@
---
title: SSH
---
## Linux Server
### Installation
#### Debian
`# apt install openssh-server`
#### Arch
`# pacman -S openssh`
`# systemctl enable ssh`
### Configuration file
`/etc/ssh/sshd_config`
Make sure to restart the sshd service after changes.
### Change port
Uncomment `Port` and set any port number
### Root login
`PermitRootLogin` setting
```
yes -> Able to log in with password as root
```
### Password Authentication
`PasswordAuthentication` setting
```
yes -> Allow login with passwords
no -> Only allow ssh keys
```
On OpenBSD also set `KbdInteractiveAuthentication` to `no`
## Windows Server
Open PowerShell as administrator
`Add-WindowsCapability -Online -Name OpenSSH.Server`
Start service
`Start-Service sshd`
Enable service
`Set-Service -Name sshd -StartupType 'Automatic'`
Check whether firewall rule exists
`Get-NetFirewallRule -Name *ssh*`
Create firewall rule for port 22
`New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22`
## Linux Client
### Configuration file
`/etc/ssh/ssh_config`
### Connect to non-standard port
`$ ssh -p (port) (user)@(ip)`
### X11 passthrough
`$ ssh -X (user)@(ip)`
### ssh keys
Create new key:
`$ ssh-keygen`
*Example* for ed25519 key:
`$ ssh-keygen -t ed25519`
The "-C" flag can be used to add comments in ssh key files.
Enable the ssh key:
`$ ssh-copy-id -i (public key file) (user)@(ip/domain)`
If you are copying the ssh key from a different client, use the "-f" flag
`$ ssh-copy-id -f -i (public key file) (user)@(ip/domain)`
## Windows Client
Open PowerShell as administrator
`Add-WindowsCapability -Online -Name OpenSSH.Client`
## SSH Tunnel systemd Service
SSH tunnels can be created as systemd services
*Example tunnel:*
`ssh -NTfL 8080:webserver:80 user@remotehost`
### Tunnel settings
Save the file under `/etc/systemd/system/(application/tunnel name)`
```
PATH_TO_KEY=(ssh key path)
LOCAL_PORT=8080
REMOTE_ADDR=webserver
REMOTE_PORT=80
REMOTE_USER=user
REMOTE_HOST=remotehost
```
### Tunnel service
This service can be used with multiple different "tunnel settings" files. Similar to how the wg-quick service works with different wireguard configs.
Save this file under `/etc/systemd/system/local-tunnel@.service`
```
[Unit]
Description=Setup a local tunnel to %I
After=network.target
[Service]
EnvironmentFile=/etc/default/local-tunnel@%i
ExecStart=/usr/bin/ssh -i ${PATH_TO_KEY} -o ServerAliveInterval=60 -o ExitOnForwardFailure=yes -nNT -L ${LOCAL_PORT}:${REMOTE_ADDR}:${REMOTE_PORT} ${REMOTE_USER}@${REMOTE_HOST}
RestartSec=15
Restart=always
KillMode=mixed
[Install]
WantedBy=multi-user.target
```
Finally, the tunnel can be enabled
`# systemctl daemon-reload`
`# systemctl enable --now local-tunnel@(application/tunnel name)`
## References
- [Windows OpenSSH Installation](https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse)
- [SSH Tunnel as systemd service](https://ivanmorenoj.medium.com/ssh-tunnel-as-systemd-service-3c53bd157ac1)