The amount of useful stuff you can do with this is amazing. Ought to document some of them in a separate document here.
ssh -L [LOCAL_PORT]:[DEST_IP]:[DEST_PORT] [USER]@[REMOTE_IP] ssh -J ...
ProxyJump
Tunneling stuff: https://linuxize.com/post/how-to-setup-ssh-tunneling/
AllowTcpForwarding yes
should be enabled to forward TCP connections. Don't forget to restart the sshd
service to allow changes to /etc/ssh/sshd_config
to be reflected.
TODO
Create a flowchart to setting up useful remote work stuff, e.g. VNC / port forwarding, etc.
Set directory to cd into via SSH config file, instead of as a command line option:
Host {{NAME}} HostName {{TARGET}} User {{USER}} IdentitiesOnly yes IdentityFile {{KEYFILE}} # Jump/bastion host ProxyJump {{PROXY_TARGET}} # Request for output if input is a terminal RequestTTY yes RemoteCommand cd {{DESTINATION}} && exec bash --login
Restricting access to SSH-based key logins: https://unix.stackexchange.com/questions/110879/restrict-password-less-backup-with-sftp
Restricted shells are not a popular method, because of the difficulties in locking down the shell to prevent full shell access. Some examples of restricted shells and associated vulnerabilities:
Articles:
sshuttle is my new favorite toy, that solves the problem of redirecting traffic without a need for remote configuration. Typical use case for me includes accessing network resources restricted only to network addresses.
user:~$ sshuttle --dns -NHr <USER>@<IP_ADDR> 10.0.0.0/8 user:~$ pkill sshuttle
See this for a guide on configuring it as a service, and performing multi-hops (>1 jump servers).
# For SSH tunneling control status: ssh -S lightstick.ctl -TO check alice up: ssh -MS lightstick.ctl -fNT -L 445:192.168.101.165:445 alice down: ssh -S lightstick.ctl -TO exit alice