Skip to content

SSH

Install and Configure

Windows 10

Install SSH

View Options: Get-WindowsCapability -Online | ? Name -like 'OpenSSH*'

Install SSH Client and or Server

Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

Configure SSH

Start-Service sshd
Set-Service -Name sshd -StartupType 'Automatic'

Firewall settings

There should be a firewall rule named "OpenSSH-Server-In-TCP", which should be enabled

Get-NetFirewallRule -Name *ssh*

If the firewall does not exist, create one

New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH-Server-In-TCP' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22

Login

Login to azure server "azureserver" with user "user" and private ssh keyfile "private.key". The passphrase will be queried after executing the command.

ssh -i private.key user@azureserver.westeurope.cloudapp.azure.com

When you SSH into another machine using public key authentication, the key pair from either ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, or ~/.ssh/id_rsa is used by default. The -i option can be used to specify a different key pair file.

Use the -L flag to forward a connection to a remote server

ssh server -L3000:localhost:3000

Configuration

Edit ~/.ssh/config for multiple SSH Hops

Host bastion
Hostname bastion.domain.com
User bastion-user

Host server
Hostname server.local.lan
User server-user
ProxyCommand ssh bastion -W %h:%p

Edit ~/.ssh/authorized_keys to restrict SSH User Access

from="10.20.30.0/24,44.55.66.77",no-agent-forwarding,no-port-forwarding,no-X11-forwarding,command="/usr/local/bin/whatever" ssh-rsa [...]

Create Secure SSH Key

ssh-keygen -o -a 100 -t ed25519

Add Key to Remote Server

ssh-copy-id -i ~/.ssh/id_ed25519.pub username@remote

Security

When SSH tries to authenticate via public key, it sends the server all your public keys, one by one, until the server accepts one. One can take advantage of this to enumerate all the client's installed public keys.

If this behavior is problematic for you, you can tell SSH not to present your public keys to the server by default.

Add these lines at the end of your ~/.ssh/config (after other "Host" directives)

Host *
    PubkeyAuthentication no
    IdentitiesOnly yes

Then specify what keys should be used for each host

Host github.com
    PubkeyAuthentication yes
    IdentityFile ~/.ssh/github_id_rsa

SSH Escape Sequences

To see all escape sequences press ~?.

 ~.   - terminate connection (and any multiplexed sessions)
 ~B   - send a BREAK to the remote system
 ~C   - open a command line
 ~R   - request rekey
 ~V/v - decrease/increase verbosity (LogLevel)
 ~^Z  - suspend ssh
 ~#   - list forwarded connections
 ~&   - background ssh (when waiting for connections to terminate)
 ~?   - this message
 ~~   - send the escape character by typing it twice
(Note that escapes are only recognized immediately after newline.)

Creating an SSH key

  • Generate a key: ssh-keygen -t ed25519 -a 100 -q -N "" -f ~/.ssh/id_ed25519
  • Generate a key in the current directory: ssh-keygen -t ed25519 -a 100 -q -N "" -f "$PWD"/renameme
  • Generate a key with a given name: ssh-keygen -t ed25519 -a 100 -q -N "" -f "$PWD"/deploy_key_1 -C deploy_key_1

Creating an SSH key for Github

# Create
ssh-keygen -t rsa -b 4096 -N "" -C "" -f keyname
mv keyname* ~/.ssh
chmod 700 ~/.ssh && chmod 600 ~/.ssh/*
Host github
HostName github.com
User git
IdentityFile ~/.ssh/keyname

# Copy public key to server.
ssh-copy-id -i ~/.ssh/keyname user@remote_machine

# Checking the ssh procesd
ssh -T git@github.com
eval $(ssh-agent -s)
ssh-add ~/.ssh/keyname
ssh -T git@github.com

Helpful commands

  • Change Password: ssh-keygen -p -f C:\Users\0xfab1\.ssh\id_ed25519
  • Forward Multiple Ports Over SSH: ssh dev@server.com -L 3000:localhost:3000 -L 9009:localhost:9009
  • Test SSH (e.g. to gitlab): ssh -vT git@gitlab.com
  • Close stuck SSH session: Press: Enter then ~ then .
  • Get SSH key fingerprint: ssh-keygen -l -E md5 -f ~/.ssh/my-ssh-key