3.5 KiB
| title | visible |
|---|---|
| SSH | true |
[toc]
Linux Server
Installation
Debian
# apt install openssh-server
Arch
# pacman -S openssh
# systemctl enable ssh
Configuration file
/etc/ssh/sshd_config
Make sure to restart the sshd service after changes.
Change port
Uncomment Port and set any port number
Root login
PermitRootLogin setting
yes -> Able to log in with password as root
Password Authentication
PasswordAuthentication setting
yes -> Allow login with passwords
no -> Only allow ssh keys
On OpenBSD also set KbdInteractiveAuthentication to no
Windows Server
Open PowerShell as administrator
Add-WindowsCapability -Online -Name OpenSSH.Server
Start service
Start-Service sshd
Enable service
Set-Service -Name sshd -StartupType 'Automatic'
Check whether firewall rule exists
Get-NetFirewallRule -Name *ssh*
Create firewall rule for port 22
New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
Linux Client
Configuration file
/etc/ssh/ssh_config
Connect to non-standard port
$ ssh -p (port) (user)@(ip)
X11 passthrough
$ ssh -X (user)@(ip)
ssh keys
Create new key:
$ ssh-keygen
Example for ed25519 key:
$ ssh-keygen -t ed25519
The "-C" flag can be used to add comments in ssh key files.
Enable the ssh key:
$ ssh-copy-id -i (public key file) (user)@(ip/domain)
If you are copying the ssh key from a different client, use the "-f" flag
$ ssh-copy-id -f -i (public key file) (user)@(ip/domain)
Windows Client
Open PowerShell as administrator
Add-WindowsCapability -Online -Name OpenSSH.Client
SSH Tunnel systemd Service
SSH tunnels can be created as systemd services
Example tunnel:
ssh -NTfL 8080:webserver:80 user@remotehost
Tunnel settings
Save the file under /etc/systemd/system/(application/tunnel name)
PATH_TO_KEY=(ssh key path)
LOCAL_PORT=8080
REMOTE_ADDR=webserver
REMOTE_PORT=80
REMOTE_USER=user
REMOTE_HOST=remotehost
Tunnel service
This service can be used with multiple different "tunnel settings" files. Similar to how the wg-quick service works with different wireguard configs.
Save this file under /etc/systemd/system/local-tunnel@.service
[Unit]
Description=Setup a local tunnel to %I
After=network.target
[Service]
EnvironmentFile=/etc/default/local-tunnel@%i
ExecStart=/usr/bin/ssh -i ${PATH_TO_KEY} -o ServerAliveInterval=60 -o ExitOnForwardFailure=yes -nNT -L ${LOCAL_PORT}:${REMOTE_ADDR}:${REMOTE_PORT} ${REMOTE_USER}@${REMOTE_HOST}
RestartSec=15
Restart=always
KillMode=mixed
[Install]
WantedBy=multi-user.target
Finally, the tunnel can be enabled
# systemctl daemon-reload
# systemctl enable --now local-tunnel@(application/tunnel name)
CLI Options
No matching host key type found
Full error message:
Unable to negotiate with <host> port <port>: no matching host key type found. Their offer: <comma separated list of host keys>
This happens, when a host key is used that has been deprecated in the locally installed ssh client.
Use the option -oHostKeyAlgorithms=+<host key type> with ssh to connect regardless.