SSH

Config

General

Host xyz x* Enterprise
  HostName 123.456.78.90
  User Picard
  IdentityFile ~/.ssh/super-secret-key

# for patterns beyond simple wildcards
Match exec "echo %h | grep -E '<regex>'"
  ...

  • Host can be any identifier, even regular expressions
  • HostName is the public hostname or IP address of your remote machine
  • User is the username for this connection
  • IdentityFile is the SSH private key for this connection
  • Match can be used to execute shell commands for extended pattern matching [7]

Forwarding

Forward the SSH agent, so your keys can be used for authentication from the remote host (the private key itself stays on your machine, but anyone with root on the remote host can use the forwarded agent while you are connected)

Host xyz
  ForwardAgent yes

Proxy Command

SSH tunneling through an intermediate host (jump host). Outdated and vulnerable [6]; use ProxyJump instead [5]

Host xyz
  ProxyCommand ssh proxy.host nc -w1 %h %p

ProxyJump

Preferred way of connecting to a host through intermediate host(s), which are called jump hosts or bastions (as they are often security-hardened entry points to networks) [5]

ssh -J jumphost1[,jumphost2,...] remotehost

or configure it in ~/.ssh/config:

Host jumphost
    HostName <IP address or hostname>

# remote host only accessible through jumphost
Host remotehost
    HostName <IP address or hostname>
    ProxyJump jumphost

ControlMaster

Reuse an open connection for subsequent connections, so you don’t have to enter credentials again and it’s faster

host *
    # Only one connection per host
    # Check connection status: > ssh -S ~/.ssh/$socket -O check <bogus arg>
    ControlMaster auto
    ControlPersist 1
    ControlPath ~/.ssh/controlmaster/%r@%h:%p

Check status

ssh -S /path/to/socket -O check <bogus arg>

Commands

# Run local script on remote host [1]
ssh user@host "bash -s" -- < local_script.sh arg1 arg2 ...
# skip host verification prompt (security!)
ssh -o StrictHostKeyChecking=no ...
# edit remote files
# supported protocols depend on program: sftp, rsync, https, ...
<program> scp://user@server[:port]//path/to/file
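Added example, not from the original page: a small POSIX sh/awk audit that scans an ssh_config-style file for the settings the Forwarding, Proxy Command and Commands sections above mark as risky (ForwardAgent, ProxyCommand, StrictHostKeyChecking=no) and reports the Host/Match block each one sits in. The function names and the sample config are constructed for this illustration.

```shell
#!/bin/sh
# Added audit helper (not from this page): flag the ssh_config settings the
# page itself marks as risky and report which Host/Match block they sit in.
# Assumes POSIX sh + awk; both functions and the sample config are constructed.

audit_ssh_config() {
    # $1: path to an ssh_config-style file. Prints "<block>: <finding>" per hit;
    # returns 1 if anything was flagged, 0 if the file looks clean.
    awk '
        /^[ \t]*(#|$)/ { next }                  # full-line comments and blanks
        { gsub(/=/, " ") }                       # treat "Key=value" like "Key value"
        tolower($1) == "host" || tolower($1) == "match" { block = $0; next }
        {
            key = tolower($1); val = tolower($2)
            for (i = 2; i <= NF; i++)            # ssh_config has no inline comments;
                if ($i ~ /^#/) {                 # "# ..." after a value is parsed as arguments
                    hit("inline comment is not allowed; move it to its own line"); break
                }
            if (key == "forwardagent" && val == "yes")
                hit("ForwardAgent lets root on " (block ~ /\*/ ? "every matched host" : "the remote host") " use your keys")
            if (key == "proxycommand")
                hit("ProxyCommand is the outdated jump method; prefer ProxyJump")
            if (key == "stricthostkeychecking" && (val == "no" || val == "off"))
                hit("host key verification disabled; a MITM would go unnoticed")
        }
        function hit(msg) { print (block == "" ? "(global)" : block) ": " msg; n++ }
        END { exit (n > 0) }
    ' "$1"
}

write_sample_config() {
    # $1: destination path. Constructed sample mirroring this page's snippets.
    cat > "$1" <<'EOF'
Host *
  ForwardAgent yes

Host legacy
  ProxyCommand ssh proxy.host nc -w1 %h %p

Host lab
  StrictHostKeyChecking=no
  DynamicForward 1080 # corresponds to CL option -D

Host prod
  ProxyJump jumphost
EOF
}
```

Run it against your real file with `audit_ssh_config ~/.ssh/config`; the sample above yields four findings, two of them in the `lab` block.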

SSH-Add

Add identities to the SSH agent. This lets you use keys without entering the passphrase every time they are used. Consider limiting how long they are held in the agent:

ssh-add -t 2h ~/.ssh/<key>

SSH-Keygen

Algorithm recommendation [12]

ssh-keygen -t ed25519 -a 100

SOCKS proxy

Tags: #tech/SSH/SOCKS
default port: 1080 [3]

SSH config

Host hostname
    User username
    HostName %h.domain.com
    # SOCKS proxy
    # RemoteForward 1080
    # DynamicForward corresponds to the command-line option -D
    # (ssh_config does not allow comments after a value on the same line)
    DynamicForward 1080

then configure applications to use that proxy [4].

For example in Firefox, usage of a SOCKS proxy can be selective for certain URLs, e.g. using the extension FoxyProxy.

Tools

  • assh (I haven’t tested it, didn’t have the need yet)

    A transparent wrapper that adds support for regex, aliases, gateways, dynamic hostnames, graphviz, json output, yaml configuration, and more to SSH.

  • sshpass: provide a password non-interactively. A security issue, but I haven’t found another way to enter a key passphrase non-interactively (exposed e.g. in ps). Slightly better: provide the password through a file

    sshpass -P"passphrase for key" -p <password> ssh ...
    # -P command prompt triggering password insertion (default 'assword:' ;)
    # or providing a password file, slightly more secure
    sshpass -f <file> ssh ...

Issues and Alternatives

For flaky connections, or if changing networks is something you regularly do, consider mosh (mobile shell).

Remote terminal application that allows roaming, supports intermittent connectivity, and provides intelligent local echo and line editing of user keystrokes.

Mosh is a replacement for interactive SSH terminals. It’s more robust and responsive, especially over Wi-Fi, cellular, and long-distance links.

Mosh is free software, available for GNU/Linux, BSD, macOS, Solaris, Android, Chrome, and iOS.

References