SSH¶
DIY SSH Bastion Host - https://smallstep.com/blog/diy-ssh-bastion-host
AWS Bastion host quick start - https://docs.aws.amazon.com/quickstart/latest/linux-bastion/architecture.html
Security recomendations for OpenSSH - https://infosec.mozilla.org/guidelines/openssh
Generate SSH public key from SSH private key:
# to file
ssh-keygen -f ~/.ssh/id_rsa -y > ~/.ssh/id_rsa.pub
# to stdout
ssh-keygen -f ~/.ssh/id_rsa -y
Disable SSH host key checking¶
The authenticity of host ‘192.168.0.100 (192.168.0.100)’ can’t be established. RSA key fingerprint is 3f:1b:f4:bd:c5:aa:c1:1f:bf:4e:2e:cf:53:fa:d8:59. Are you sure you want to continue connecting (yes/no)?
Add following lines in ssh config:
Host 192.168.0.*
StrictHostKeyChecking no
UserKnownHostsFile=/dev/null
SSH options anf features¶
ssh [options] <user>@<host>
-L tunneling
-N non entering to bash
-f background run
-i <private_key> path to private key
-p <port>
# remove existing entry
ssh-keygen -R "hostname"
# change connection timeout limit (seconds)
ssh -o ConnectTimeout=10 <hostName>
X11 application¶
Run GUI app;ication on remote desctop. Connect, export the display in-line and start the application in a way that won’t close it after the ssh session dies:
ssh <user@server> "DISPLAY=:0 nohup firefox"
Run remote GUI application on local desktop:
ssh -XC <user@server> firefox
# or
ssh -YC <user@server> firefox
Multiple SSH private keys on one client¶
EXPERIMENTAL
Add into your ~/.profile
to add all id_rsa* keys from your home .ssh dir. Applied after system relogin.:
find $HOME/.ssh/ -type f -name "id_rsa*" ! -name "*.*" -exec ssh-add "{}" \;
# Also you can manually run this command
.ssh/config
:
Host myshortname realname.example.com
HostName realname.example.com
IdentityFile ~/.ssh/realname_rsa # private key for realname
User remoteusername
Host myother realname2.example.org
HostName realname2.example.org
IdentityFile ~/.ssh/realname2_rsa
User remoteusername
Or:
ssh-add <path_to_private_key>
SSH tunneling¶
ssh -NL <local_port>:<remote_address>:<remote_port> <remote_user>@<remote_host>
SSH aliases¶
Type following in ~/.ssh/config
:
Host <name>
Hostname <host>
User <username>
IdentityFile <path_to_private_ssh_key>
Usage:
ssh <name>