SSH


# Pull the remote /etc as root: --rsync-path runs rsync under sudo on the remote.
# There is no tty for a sudo password prompt, so the login user needs NOPASSWD
# sudo for rsync — and "sudo rsync" can read or write any path on that host,
# so scope the sudoers entry to the rsync command rather than ALL.
rsync -av --rsync-path="sudo rsync" dfe-root:/etc ./

# login and switch to root
# -t forces a pty so sudo can prompt for a password and the root shell is interactive
ssh -t -i file.pem user@name2 'sudo -i'

# same in .ssh/config
# NOTE: once RemoteCommand is set, `ssh name2 <cmd>` fails with
# "Cannot execute command-line and remote command", which also breaks rsync
# over this alias (rsync runs ssh that way). Keep a second alias without
# RemoteCommand for transfers and non-interactive use.
Host name2
    HostName 192.168.1.148
    RequestTTY yes
    RemoteCommand sudo -i

# agent
ssh-add -L            # list the public keys the agent currently holds
ssh-add ~/.ssh/key.pem  # load a key (prompts for its passphrase)
# Agent forwarding gives anyone with root on the remote host the ability to
# sign with your keys for as long as you are connected. Enable it per host
# only (never under "Host *"), and prefer ProxyJump (-J) for bastions,
# which needs no forwarding at all.
ssh -A ... or add ForwardAgent yes to ~/.ssh/config

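# gen a new key
ssh-keygen -t rsa -b 4096 -C "your_email@example.com" -f namethefile
# seeing this more (ed25519 is the usual default choice now)
# -b is meaningless for ed25519: the key size is fixed at 256 bits and
# ssh-keygen silently ignores the flag, so it is dropped here.
ssh-keygen -t ed25519 -C "{username@emaildomain.com}" -f {ssh-key-name}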

# get public key from pem file (-y derives it from the private key; prompts if the key is encrypted)
ssh-keygen -y -f myprod.pem |pbcopy

# gather SSH public keys from servers. Might not use much
# This is trust-on-first-use: whatever answers at scan time (including a MITM)
# is trusted from then on. Compare the result with the provider's published
# fingerprints (ssh-keygen -lf known_hosts) before relying on it.
# Note '>' replaces the file; use '>>' to add to an existing known_hosts.
ssh-keyscan -t ed25519 bitbucket.org > known_hosts

# When you see: WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!
# That warning is the MITM detector. Remove the stale entry only after confirming
# the host really was reinstalled or rekeyed (e.g. fingerprint read from the
# console / provider). For a non-default port the entry is "[host]:port".
ssh-keygen -R hostname or IP

# login become root with tty (-t allocates a pty so sudo can prompt)
ssh -t 10.20.22.12 'sudo -i'
  • SSH and switch to root
    # login and switch to root (-t allocates a pty so sudo can prompt)
    ssh -t -i file.pem user@name2 'sudo -i'
    
    # NOTE: with RemoteCommand set, `ssh name2 <cmd>` fails with
    # "Cannot execute command-line and remote command", so rsync over this
    # alias breaks; keep a separate alias without RemoteCommand for transfers.
    Host name2
        HostName 192.168.1.148
        RequestTTY yes
        RemoteCommand sudo -i
    
    # remote side runs rsync under sudo: needs NOPASSWD sudo for rsync there
    # (no tty to prompt on), and "sudo rsync" can touch any path on that host.
    rsync -av --rsync-path="sudo rsync" cp-stage:/mnt/efs2/xxx ./
  • Config snippets
    # ----------
    # Reach a host behind a bastion. "ProxyCommand ssh ... -W" is the classic
    # form; on OpenSSH 7.3+ "ProxyJump bastion" does the same with less to get
    # wrong and never needs agent forwarding.
    Host host-beyond-bastion
        HostName 10.x.x.x
        User ec2-user
        IdentityFile ~/.ssh/EngProd-Admin.pem
        ProxyCommand ssh bastion -W %h:%p -q
    # ----------
    Host a alias list # valid for ssh, scp, rsync and others
        HostName fqdn or IP
        User ubuntu # ec2-user on redhat
        IdentityFile ~/.ssh/my-key.pem
    # ----------
    # AWS IP Defaults
    # Host patterns match the name typed on the command line, not the resolved
    # address, and these prefixes are not exclusively AWS: any host typed as one
    # of them gets User ubuntu and is offered this key. Only the public half is
    # sent, so this is harmless, but keep the list tight.
    Host 52.* 50.* 54.* 35.* 34.* 107.*
        User ubuntu
        #User ec2-user
        IdentityFile ~/.ssh/aws-key.pem
    # ----------
    # Local forwards: connections to 127.0.0.1:8080 / :2222 here are carried to
    # the same ports on the remote host's loopback.
    Host portforwarding
      HostName x.x.com
      LocalForward 8080 localhost:8080
      LocalForward 2222 localhost:2222
    # ----------
    # Log in as pi, then switch to newuser (pi needs sudo rights for that on the host).
    Host pi-then-newuser
      Hostname pi
      User pi
      RemoteCommand sudo -u newuser -i
    # ----------
    # All hosts 
    # Protocol 2 is the only protocol current OpenSSH supports (v1 client support
    # was removed in 7.6), so it is redundant but harmless. Keep ForwardAgent out
    # of this catch-all stanza.
    Host *
        AddressFamily inet
        Protocol 2
        Compression yes
        ServerAliveInterval 30
        TCPKeepAlive yes
  • AWS code commit
    # .ssh/config snippet
    # 
    Host aa
         HostName x.x.x.x
         User ubuntu
         IdentityFile ~/.ssh/mykey.pem
    
    # NOTE(review): for CodeCommit the User value is presumably the IAM SSH key
    # ID (not the IAM user name) and aws_key the key uploaded to that IAM user —
    # confirm against the IAM console before copying this.
    Host git-codecommit.*.amazonaws.com
      User xxx
      IdentityFile ~/.ssh/aws_key
    
    # End
  • Who used a key to get in?
    # Server side: sshd logs the fingerprint of the key used for every successful
    # key login ("Accepted publickey for <user> from <ip> ... SHA256:...").
    journalctl -S 2022-02-01 |grep 'Accepted publickey' # shows fingerprint
    # Map the logged fingerprint back to a line in that user's authorized_keys on
    # the same server. Use the hash the log shows: SHA256 on modern sshd, MD5 on
    # old ones. Check every account's authorized_keys, not just your own.
    ssh-keygen -E SHA256 -lf ~/.ssh/authorized_keys     # decode fingerprints
    ssh-keygen -E MD5 -lf ~/.ssh/authorized_keys        # or MD5
  • Tunneling
    # Local forward: 127.0.0.1:8080 here -> TARGET_IP:80 as seen from the gateway u@gw.
    # -n no stdin, -N no remote command, -T no pty, -v verbose for debugging;
    # binding to "localhost" keeps the forwarded port off other interfaces.
    export TARGET_IP=remotenameorip
    ssh -vnNT -L localhost:8080:$TARGET_IP:80 u@gw
    # fui-stage solr -f to background
    ssh -vnNT -L localhost:8888:172.31.14.166:8983 df-fui-stage
    • Reverse Tunnel sample ssh config from howto
      # Persistent reverse tunnel: the RemoteForwards expose local machines
      # (lhost1..6, and this host's own sshd on 20023) on remotehost. They bind to
      # remotehost's loopback unless its sshd has GatewayPorts enabled.
      # CheckHostIp no only skips the IP-vs-known_hosts cross-check; the host key
      # itself is still verified.
      Host remotehost
        Hostname remotehost.org # or IP
        User remoteuser
        HostKeyAlias remotehost
        ConnectionAttempts 3
        TCPKeepAlive no
        CheckHostIp no
        RemoteForward 20023 localhost:22
        RemoteForward 2221 lhost1:22
        RemoteForward 2222 lhost2:22
        RemoteForward 2389 lhost3:389
        RemoteForward 2390 lhost4:389
        RemoteForward 2391 lhost5:389
        RemoteForward 20080 lhost6:80
        RemoteForward 20443 lhost6:443
        LocalForward 3001 remotehost:3000
        LocalForward 8001 remotehost:8000
        # Neither is needed for a port tunnel, and both widen what a compromised
        # remotehost can reach (your agent's keys, your X display). Set both to
        # no unless they are actually used.
        ForwardAgent yes
        ForwardX11 yes
        Protocol 2
    • Tunneling Ports
      • 2021-04-21 test
        • Use Wireguard instead
        • On PVE
          • ssh_config
            root@pve:~# cat .ssh/config
            # Unattended reverse tunnel from this PVE host to the bastion "bh".
            # "0.0.0.0:20022" binds on every interface of the bastion (needs
            # GatewayPorts yes there), so this host's sshd becomes reachable from
            # the Internet. Make sure it is key-only (PasswordAuthentication no,
            # PermitRootLogin prohibit-password) before enabling this.
            Host bh
                HostName home.overton-design.com
                User alpine
                RemoteForward 0.0.0.0:20022 localhost:22
                RemoteForward 8080 localhost:80
                RemoteForward 8443 localhost:443
                #LocalForward 3001 remotehost:3000
                ConnectionAttempts 1
                TCPKeepAlive yes
                CheckHostIp no
                # A tunnel never needs agent forwarding; if an agent is running for
                # root@pve, a compromised bastion could sign with its keys. Set to no.
                # (ExitOnForwardFailure yes here would let a systemd restart loop
                # recover when the remote port is still held by a stale session.)
                ForwardAgent yes
                ForwardX11 no
                Protocol 2
            
            # Order matters: the first cipher in the client's list that the server
            # also supports wins, so this prefers plain aes128-ctr over the AEAD
            # ciphers (chacha20-poly1305, aes-gcm). Consider listing the AEADs first.
            Host *
                Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
          • tunnel-service.sh
            root@pve:~# cat tunnel-service.sh
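            #!/bin/sh
            # Reverse tunnel to the bastion "bh"; meant to run under systemd with Restart=always.
            
            # all the way to the Internet
            # ssh -vnNT -R 172.31.55.133:20022:10.10.10.253:22 bh
            
            # to localhost
            #ssh -vnNT -R 20022:10.10.10.253:22 bh
            
            # use .ssh/config (Host bh) for the forwards.
            # ExitOnForwardFailure: without it ssh keeps running even when the remote
            # port could not be bound (e.g. a stale session still holds it), so systemd
            # sees a "running" service while there is no tunnel. ServerAlive* makes a
            # dead link exit (and get restarted) instead of hanging forever; BatchMode
            # stops ssh from waiting on a passphrase/host-key prompt nobody can answer.
            # exec replaces the shell so ssh receives systemd's signals directly.
            exec ssh -nNT \
                -o ExitOnForwardFailure=yes \
                -o ServerAliveInterval=30 \
                -o ServerAliveCountMax=3 \
                -o BatchMode=yes \
                bh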
          • systemd
            systemctl edit --full bhome.service
            
            [Unit]
            Description=Be Home Service
            # network.target only means the stack is configured; with ConnectionAttempts 1
            # the first try at boot can fail before DNS is usable. After=/Wants=
            # network-online.target is the safer ordering.
            After=network.target
            
            [Service]
            Type=simple
            # Restart only helps if ssh actually exits on failure — pair it with
            # ExitOnForwardFailure / ServerAliveInterval in the ssh invocation.
            Restart=always
            RestartSec=15
            ExecStart=/root/tunnel-service.sh
            # Nothing here needs root: the ssh client and its key can live under a
            # dedicated unprivileged user, which limits what a leaked key or a
            # client-side bug can do on this host.
            User=root
            
            [Install]
            WantedBy=multi-user.target
        • Bastion
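          # alpine bastion
          sudo -i
          vi /etc/ssh/sshd_config
          # GatewayPorts yes lets *every* account that can log in bind public
          # ports and expose arbitrary services through the bastion. Prefer
          # "GatewayPorts clientspecified" and limit the tunnel user, e.g.
          #   Match User alpine
          #       PermitListen 20022 8080 8443   # OpenSSH 7.8+
          AllowTcpForwarding yes
          GatewayPorts yes
          
          apk update && apk add socat
          
          # to get ACME certs: publish 80/443 and hand them to the reverse-forwarded
          # ports. reuseaddr lets socat rebind right after a restart instead of
          # failing with "Address already in use" while old connections linger
          # (the 1234 line below already had it; the 80/443 lines did not).
          socat TCP-LISTEN:80,reuseaddr,fork TCP:localhost:8080
          socat TCP-LISTEN:443,reuseaddr,fork TCP:localhost:8443
          
          socat TCP-LISTEN:1234,reuseaddr,fork TCP:localhost:80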
          
        • Laptop
          # Reaches the PVE host's sshd through the public 20022 forward on the bastion.
          # This is root over the Internet: the PVE sshd must be key-only
          # (PermitRootLogin prohibit-password, PasswordAuthentication no) or the
          # forwarded port is a brute-force target.
          ssh -vp 20022 root@home.overton-design.com
          

  • Reverse from target to proxy host
    # "remote" is the bind address on the proxy host. With sshd's default
    # (GatewayPorts no) it is ignored and the port listens on loopback only.
    ssh -nNT -R remote:19999:localhost:22 user@host
    # bind to external interface. requires modification to server. see below.
    # (the * is escaped so the local shell does not glob it)
    ssh -vnNT -R \*:8080:localhost:8080 u@h 
  • Login from proxy
    # On the proxy host: 19999 loops back through the tunnel to the target's sshd,
    # so user / user.pem are the *target's* credentials, not the proxy's.
    ssh -p 19999 -i user.pem user@localhost
  • binding for external access
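    sudo -i
    vi /etc/ssh/sshd_config
    
    # Allow TCP forwarding and reverse proxy to bind to 0.0.0.0
    # GatewayPorts yes applies to every account that can log in. "clientspecified"
    # plus a "Match User ..." block with PermitListen (OpenSSH 7.8+) limits who may
    # publish which ports.
    
    AllowTcpForwarding yes
    GatewayPorts yes
    
    service sshd restart # does not affect current connections
    
    # if backgrounded, find with (pgrep -a prints the full command line, so the
    # -R/-L arguments identify the tunnel, and it does not list the grep itself)
    pgrep -af ssh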
    
    
  • Add key to remote
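    # Append a public key to the remote account's authorized_keys.
    # umask 077 + mkdir -p ensure ~/.ssh is 700 and a newly created authorized_keys
    # is 600; otherwise sshd's StrictModes refuses the key (logged server-side as
    # "bad ownership or modes"). The leading echo guarantees the key starts on a new
    # line even if the file lacks a trailing newline. ssh-copy-id -i pub_key <name|ip>
    # does the same with fewer foot-guns.
    ssh <name|ip> 'umask 077; mkdir -p ~/.ssh; (echo; cat -) >> ~/.ssh/authorized_keys' < pub_key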