wiki-grav/pages/04.other/ssh/default.en.md

3.1 KiB

title visible
SSH true

[toc]

Linux Server

Installation

Debian

# apt install openssh-server

Arch

# pacman -S openssh

# systemctl enable ssh

Configuration file

/etc/ssh/sshd_config

Make sure to restart the sshd service after changes.

Change port

Uncomment Port and set any port number

Root login

PermitRootLogin setting

yes -> Able to log in with password as root

Password Authentication

PasswordAuthentication setting

yes -> Allow login with passwords
no -> Only allow ssh keys

On OpenBSD also set KbdInteractiveAuthentication to no

Windows Server

Open PowerShell as administrator
Add-WindowsCapability -Online -Name OpenSSH.Server

Start service
Start-Service sshd

Enable service
Set-Service -Name sshd -StartupType 'Automatic'

Check whether firewall rule exists
Get-NetFirewallRule -Name *ssh*

Create firewall rule for port 22
New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22

Linux Client

Configuration file

/etc/ssh/ssh_config

Connect to non-standard port

$ ssh -p (port) (user)@(ip)

X11 passthrough

$ ssh -X (user)@(ip)

ssh keys

Create new key:
$ ssh-keygen

Example for ed25519 key:
$ ssh-keygen -t ed25519

The "-C" flag can be used to add comments in ssh key files.

Enable the ssh key:
$ ssh-copy-id -i (public key file) (user)@(ip/domain)

If you are copying the ssh key from a different client, use the "-f" flag
$ ssh-copy-id -f -i (public key file) (user)@(ip/domain)

Windows Client

Open PowerShell as administrator
Add-WindowsCapability -Online -Name OpenSSH.Client

SSH Tunnel systemd Service

SSH tunnels can be created as systemd services

Example tunnel:
ssh -NTfL 8080:webserver:80 user@remotehost

Tunnel settings

Save the file under /etc/systemd/system/(application/tunnel name)

PATH_TO_KEY=(ssh key path)
LOCAL_PORT=8080
REMOTE_ADDR=webserver
REMOTE_PORT=80
REMOTE_USER=user
REMOTE_HOST=remotehost

Tunnel service

This service can be used with multiple different "tunnel settings" files. Similar to how the wg-quick service works with different wireguard configs.
Save this file under /etc/systemd/system/local-tunnel@.service

[Unit]
Description=Setup a local tunnel to %I
After=network.target

[Service]
EnvironmentFile=/etc/default/local-tunnel@%i
ExecStart=/usr/bin/ssh -i ${PATH_TO_KEY} -o ServerAliveInterval=60 -o ExitOnForwardFailure=yes -nNT -L ${LOCAL_PORT}:${REMOTE_ADDR}:${REMOTE_PORT} ${REMOTE_USER}@${REMOTE_HOST}
RestartSec=15
Restart=always
KillMode=mixed

[Install]
WantedBy=multi-user.target

Finally, the tunnel can be enabled
# systemctl daemon-reload
# systemctl enable --now local-tunnel@(application/tunnel name)

References