SSH

DIY SSH Bastion Host - https://smallstep.com/blog/diy-ssh-bastion-host

AWS Bastion host quick start - https://docs.aws.amazon.com/quickstart/latest/linux-bastion/architecture.html

Security recommendations for OpenSSH - https://infosec.mozilla.org/guidelines/openssh

Generate SSH public key from SSH private key:

# to file
ssh-keygen -f ~/.ssh/id_rsa -y > ~/.ssh/id_rsa.pub

# to stdout
ssh-keygen -f ~/.ssh/id_rsa -y

Disable SSH host key checking

The authenticity of host '192.168.0.100 (192.168.0.100)' can't be established. RSA key fingerprint is 3f:1b:f4:bd:c5:aa:c1:1f:bf:4e:2e:cf:53:fa:d8:59. Are you sure you want to continue connecting (yes/no)?

Add the following lines to ~/.ssh/config. The Host pattern limits this to hosts matching 192.168.0.*; for those hosts the client can no longer detect a substituted host key, so keep the pattern as narrow as possible:

Host 192.168.0.*
    StrictHostKeyChecking no
    UserKnownHostsFile=/dev/null

SSH options and features

ssh [options] <user>@<host>
    -L                  local port forwarding (tunneling)
    -N                  do not run a remote command (no shell); used with forwarding
    -f                  go to background before the command runs
    -i  <private_key>   path to private key
    -p  <port>          remote SSH port

# remove existing entry
ssh-keygen -R "hostname"

# change connection timeout limit (seconds)
ssh -o ConnectTimeout=10  <hostName>

X11 application

Run a GUI application on the remote desktop. Connect, set DISPLAY inline and start the application so that it is not closed when the ssh session dies:

# redirect output and background the process, otherwise the remote command blocks until firefox exits
ssh <user@server> "DISPLAY=:0 nohup firefox >/dev/null 2>&1 &"

Run remote GUI application on local desktop:

ssh -XC <user@server> firefox   # -X: untrusted X11 forwarding, -C: compression
# or
ssh -YC <user@server> firefox   # -Y: trusted X11 forwarding (no X11 SECURITY extension restrictions)

Multiple SSH private keys on one client

EXPERIMENTAL: add the following to your ~/.profile to load all id_rsa* private keys from ~/.ssh into the agent (the ! -name "*.*" test skips the .pub files). It takes effect after the next login:

find "$HOME/.ssh/" -type f -name "id_rsa*" ! -name "*.*" -exec ssh-add "{}" \;
# You can also run this command manually

.ssh/config:

Host myshortname realname.example.com
    HostName realname.example.com
    # private key for realname
    IdentityFile ~/.ssh/realname_rsa
    User remoteusername

Host myother realname2.example.org
    HostName realname2.example.org
    IdentityFile ~/.ssh/realname2_rsa
    User remoteusername

Or:

ssh-add <path_to_private_key>

SSH tunneling

Forward <local_port> on the client through <remote_host> to <remote_address>:<remote_port> (-N: open no remote shell):

ssh -NL <local_port>:<remote_address>:<remote_port> <remote_user>@<remote_host>

SSH aliases

Add the following to ~/.ssh/config:

Host <name>
  Hostname      <host>
  User          <username>
  IdentityFile  <path_to_private_ssh_key>

Usage:

ssh <name>
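As an added example that is not part of the original notes: a small Python audit that parses the ~/.ssh/config format used in the host-key-checking and alias sections above and reports which Host blocks turn host-key verification off. The sample config and the build-* block are constructed here.

```python
import re

# Constructed sample ~/.ssh/config built from the snippets on this page, plus one extra block (build-*) that only discards known_hosts.
SAMPLE_CONFIG = """\
Host 192.168.0.*
    StrictHostKeyChecking no
    UserKnownHostsFile=/dev/null

Host myshortname realname.example.com
    HostName realname.example.com
    # private key for realname
    IdentityFile ~/.ssh/realname_rsa
    User remoteusername

Host build-*
    UserKnownHostsFile /dev/null
"""

# Accepts both spellings ssh_config allows: "Key value" and "Key=value".
_DIRECTIVE = re.compile(r"^(\w+)\s*(?:=|\s)\s*(.*)$")


def parse_ssh_config(text):
    """Return [(host_patterns, {keyword_lower: value}), ...], one entry per Host block."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # only full-line comments are skipped
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            current = (value.split(), {})      # a Host line may carry several patterns
            blocks.append(current)
        elif current is not None:
            current[1][key] = value
    return blocks


def find_unverified_hosts(text):
    """Host patterns whose block disables verification: StrictHostKeyChecking no, or known_hosts sent to /dev/null."""
    flagged = []
    for patterns, opts in parse_ssh_config(text):
        lax = opts.get("stricthostkeychecking", "").lower() == "no"
        discard = opts.get("userknownhostsfile", "") == "/dev/null"
        if lax or discard:
            flagged.append((" ".join(patterns), lax, discard))
    return flagged
```

Run find_unverified_hosts(open(os.path.expanduser("~/.ssh/config")).read()) to check a real client config; any pattern wider than a lab subnet deserves a second look.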