SSH
The amount of useful stuff you can do with this is amazing. Ought to document some of them in a separate document here.
ssh -L [LOCAL_PORT]:[DEST_IP]:[DEST_PORT] [USER]@[REMOTE_IP] ssh -J ...
ProxyJump
Tunneling stuff: https://linuxize.com/post/how-to-setup-ssh-tunneling/
AllowTcpForwarding yes should be enabled to forward TCP connections. Don't forget to restart the sshd service to allow changes to /etc/ssh/sshd_config to be reflected.
TODO
Create a flowchart to setting up useful remote work stuff, e.g. VNC / port forwarding, etc.
Set directory to cd into via SSH config file, instead of as a command line option:
Host {{NAME}}
HostName {{TARGET}}
User {{USER}}
IdentitiesOnly yes
IdentityFile {{KEYFILE}}
# Jump/bastion host
ProxyJump {{PROXY_TARGET}}
# Request for output if input is a terminal
RequestTTY yes
RemoteCommand cd {{DESTINATION}} && exec bash --login
Restricting access to SSH-based key logins: https://unix.stackexchange.com/questions/110879/restrict-password-less-backup-with-sftp
Restricted shells are not a popular method, because of the difficulties in locking down the shell to prevent full shell access. Some examples of restricted shells and associated vulnerabilities:
Articles:
-
- SSH keys limit:
sshuttle
sshuttle is my new favorite toy, that solves the problem of redirecting traffic without a need for remote configuration. Typical use case for me includes accessing network resources restricted only to network addresses.
user:~$ sshuttle --dns -NHr <USER>@<IP_ADDR> 10.0.0.0/8 user:~$ pkill sshuttle
See this for a guide on configuring it as a service, and performing multi-hops (>1 jump servers).
Plain SSH
# For SSH tunneling control
status:
ssh -S lightstick.ctl -TO check alice
up:
ssh -MS lightstick.ctl -fNT -L 445:192.168.101.165:445 alice
down:
ssh -S lightstick.ctl -TO exit alice