This page is part of my digital garden.

This page might be unfinished or have typos. These pages are meant as part of a public living notebook to be edited over time. For more, visit the page explaining the concept of a digital garden.

SSH

SSH is an extremely useful tool worth an entire page on various ways to use it.

Some tips:

  1. Always disable password authentication and use SSH Keys instead
  2. Ensure your SSH server config is hardened
    • Disable login as root (which requires adding a user to log in as)
    • Disable weak ciphers and related algorithms (see the Mozilla guide)
    • Disable all logins via password
    • Disable features which will not be used
  3. For cloud deployments it’s best to expose a single public host and have all internal hosts accept SSH connections only from that host
    • SSH supports “jumping” through one host to reach another.
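As an added example (not code from this page), a drop-in that applies the server hardening settings from tip 2, plus a small audit of the effective configuration as printed by `sshd -T`. The drop-in path, the daemon name in the reload command and the sample `sshd -T` output are assumptions or constructed; the algorithm lists are one modern set in the spirit of the Mozilla guide, so check the current guide before copying them.

```sh
#!/bin/sh
# Added example (not from the page). Drop-in hardening for sshd plus an audit of the
# effective config. Paths and the sample sshd -T output below are assumptions/constructed.

# The drop-in. Many distributions on OpenSSH 8.2+ ship "Include /etc/ssh/sshd_config.d/*.conf"
# at the top of sshd_config, and for most keywords the first value sshd sees wins, so a
# drop-in overrides the defaults further down in the main file.
hardening_conf() {
cat <<'EOF'
# Keys only: no passwords, no keyboard-interactive prompts
# (on OpenSSH older than 8.7 the second keyword is ChallengeResponseAuthentication)
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
# Never log in as root directly; use an unprivileged user and sudo
PermitRootLogin no
# Features this host does not use. The reverse-tunnel trick later on this page needs
# AllowTcpForwarding and AllowAgentForwarding left enabled, so they are not disabled here.
X11Forwarding no
PermitTunnel no
# One modern algorithm set; consult the Mozilla OpenSSH guide for the current recommendation
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
EOF
}

# Audit: $1 is a file holding "sshd -T" output (one "keyword value" per line, lowercase).
# Prints every mismatch and returns 1 if any required setting is not in effect.
audit_sshd() {
  rc=0
  for want in "passwordauthentication no" "kbdinteractiveauthentication no" \
              "pubkeyauthentication yes" "permitrootlogin no" "x11forwarding no"; do
    key=${want%% *}
    if ! grep -qix "$want" "$1"; then
      echo "FAIL: want '$want', have '$(grep -i "^$key " "$1" || echo "$key <unset>")'"
      rc=1
    fi
  done
  return $rc
}

# Constructed sample sshd -T output: one host still on defaults, one after the drop-in.
AUDIT_DIR=$(mktemp -d)
printf '%s\n' 'port 22' 'permitrootlogin yes' 'passwordauthentication yes' \
  'kbdinteractiveauthentication yes' 'pubkeyauthentication yes' 'x11forwarding yes' \
  > "$AUDIT_DIR/default.txt"
printf '%s\n' 'port 22' 'permitrootlogin no' 'passwordauthentication no' \
  'kbdinteractiveauthentication no' 'pubkeyauthentication yes' 'x11forwarding no' \
  > "$AUDIT_DIR/hardened.txt"

echo "== default host =="; audit_sshd "$AUDIT_DIR/default.txt" || true
echo "== hardened host =="; audit_sshd "$AUDIT_DIR/hardened.txt" && echo "OK"

# Real use: write the drop-in, validate syntax before reloading, then audit the live daemon.
#   hardening_conf | sudo tee /etc/ssh/sshd_config.d/50-hardening.conf >/dev/null
#   sudo sshd -t && sudo systemctl reload ssh
#   sudo sshd -T > /tmp/effective.txt && audit_sshd /tmp/effective.txt
```

Auditing `sshd -T` rather than the config file matters because it shows what the daemon actually resolved after all includes and Match blocks, which is where a stray `PasswordAuthentication yes` in another drop-in would otherwise go unnoticed.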

SSH Reverse Tunneling Trick

This trick will let you SSH in to a server and then scp files back to your local machine interactively, without needing to make your local machine directly accessible from the internet.

This requires either the key on the server or some key in your agent to be authorized to connect to your local computer. I will just assume you want to reuse the key you’re already using to connect to the server.

  1. Add the key you’re using to your server’s $HOME/.ssh/authorized_keys and also to your local $HOME/.ssh/authorized_keys
  2. Ensure your key is added to your agent: ssh-add $HOME/.ssh/id_ed25519
  3. SSH with a reverse tunnel: ssh -A -R 8022:localhost:22 example.com
    • This creates a tunnel to your local machine’s port 22, which the remote host can reach through its own port 8022.
    • This also passes your agent to the remote host so it has access to your keys
      • Do not do this with someone’s random server. Only on servers you trust. This lets them use your keys.
  4. On the remote host you can now run scp -P 8022 /path/to/file/remotely.tar.gz chris@localhost:/tmp/
    • The 8022 is local to the server. So we tell it the “host” is localhost, but use port 8022 which goes back to our local machine
    • The user is probably different so you need to tell it to use your actual user and where to put the files as usual with scp.
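As an added example (not code from this page), the client side of tip 3 and of the four steps above in one script: an `~/.ssh/config` fragment that reaches internal hosts through the single public host with `ProxyJump`, preflight checks for steps 1 and 2, and the tunnel plus remote `scp` of steps 3 and 4 as a single command. The host names (`bastion`, `example.com`, `internal-*`), the local user, the key path and the sample key material are assumptions or constructed.

```sh
#!/bin/sh
# Added example (not from the page): client-side setup for the single-public-host layout
# and the reverse-tunnel file pull. Host names, user names, key paths and the sample key
# material are assumptions/constructed.

KEY=${KEY:-$HOME/.ssh/id_ed25519}   # the key you use for the server (step 2)
LOCAL_USER=${LOCAL_USER:-chris}     # your user on the local machine (scp target in step 4)
DRY_RUN=${DRY_RUN:-1}               # 1 = print the ssh command instead of running it

# ~/.ssh/config fragment: "bastion" is the one public host; internal-* hosts are reached
# through it with ProxyJump. The agent is forwarded to the bastion only.
client_config() {
cat <<EOF
Host bastion
    HostName example.com
    IdentityFile $KEY
    # reverse tunnel: server port 8022 -> this machine's sshd on port 22
    RemoteForward 8022 localhost:22
    # abort instead of silently continuing if 8022 is already taken on the server
    ExitOnForwardFailure yes
    # trusted host only: while connected, the bastion can use every key in your agent
    ForwardAgent yes

Host internal-*
    ProxyJump bastion
    ForwardAgent no
EOF
}

# Step 1 check: does the public key in $1 appear in the authorized_keys file $2? Matching on
# the base64 blob ignores options such as restrict,command="..." that may prefix the line.
key_authorized() {
  blob=$(awk 'NR==1 {print $2}' "$1" 2>/dev/null)
  [ -n "$blob" ] && grep -qF -- "$blob" "$2"
}

# Step 2 check: is the key loaded in the running agent? (ssh-add -L lists loaded public keys.)
agent_has_key() {
  blob=$(awk 'NR==1 {print $2}' "$1" 2>/dev/null)
  [ -n "$blob" ] && ssh-add -L 2>/dev/null | grep -qF -- "$blob"
}

# Steps 3 and 4 in one command: open the tunnel (with agent forwarding) and run scp on the
# remote side, which connects back through localhost:8022 to this machine.
pull_back() {
  remote_path=$1
  local_dir=${2:-/tmp}
  set -- ssh -A -R 8022:localhost:22 -o ExitOnForwardFailure=yes example.com \
    "scp -P 8022 '$remote_path' '$LOCAL_USER@localhost:$local_dir/'"
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Constructed sample key material (not real keys) to exercise key_authorized offline.
TUN_DIR=$(mktemp -d)
FAKE_BLOB=AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEBLOBNOTAREALKEY00000000000000000
printf 'ssh-ed25519 %s chris@laptop\n' "$FAKE_BLOB" > "$TUN_DIR/id_ed25519.pub"
printf 'restrict,command="/usr/bin/true" ssh-ed25519 %s chris@laptop\n' "$FAKE_BLOB" \
  > "$TUN_DIR/authorized_keys"
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOTHERBLOB0000000000000000000000000000 other@host\n' \
  > "$TUN_DIR/authorized_keys.other"

key_authorized "$TUN_DIR/id_ed25519.pub" "$TUN_DIR/authorized_keys" && echo "sample key is authorized"
agent_has_key "$KEY.pub" || echo "key not in agent; run: ssh-add $KEY"
pull_back /srv/backup/remotely.tar.gz /tmp
```

Run with `DRY_RUN=0` to actually open the tunnel; `ExitOnForwardFailure` makes the session fail outright when the remote port is already bound, which is preferable to landing in a shell where the later `scp -P 8022` would connect to whatever else is listening there.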

Certificates

OpenSSH supports certificates: one SSH key signs other SSH keys, and servers grant access based on that signature.

All the keys are simply SSH keys. I recommend keeping the key that signs your other keys inside a secure enclave such as a YubiKey or AWS KMS.
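As an added example (not code from this page), a minimal user-certificate workflow: generate the CA and a user key, sign the user key, decode the result to verify its principals, and the one line a server needs to trust the CA. The directory, key identity (`chris-laptop`) and principal names (`chris`, `admin`) are assumptions; the CA private key is generated on disk only so the example runs offline.

```sh
#!/bin/sh
# Added example (not from the page): a minimal OpenSSH user-certificate workflow.
# Paths, the key identity and the principal names are assumptions. The CA private key is
# generated on disk only so this runs offline; with a token or KMS you would instead sign
# through an agent (ssh-keygen -Us ca.pub ...) or a PKCS#11 module
# (ssh-keygen -D /path/to/module.so -s ca.pub ...) so the private key never touches disk.

CA_DIR=${CA_DIR:-$(mktemp -d)}

# Both are ordinary SSH key pairs; what makes one a "CA" is only that servers trust it.
make_keys() {
  [ -f "$CA_DIR/user_ca" ] || ssh-keygen -q -t ed25519 -N '' -C user-ca -f "$CA_DIR/user_ca"
  [ -f "$CA_DIR/chris" ]   || ssh-keygen -q -t ed25519 -N '' -C chris@laptop -f "$CA_DIR/chris"
}

# Sign the user's public key with the CA: -I is the key identity that appears in sshd logs,
# -n the principals (login names) the cert may use, -V the validity window.
# Writes $CA_DIR/chris-cert.pub; the user's private key is untouched.
sign_user_key() {
  ssh-keygen -q -s "$CA_DIR/user_ca" -I chris-laptop -n chris,admin -V +52w "$CA_DIR/chris.pub"
}

# Decode the certificate so principals and validity can be checked before it is handed out.
show_cert() { ssh-keygen -L -f "$CA_DIR/chris-cert.pub"; }

# Does the certificate carry principal $1? Parses the "Principals:" block of ssh-keygen -L.
cert_has_principal() {
  show_cert | awk -v want="$1" '
    /^ *Principals:/            { inlist = 1; next }
    /^ *[A-Z][A-Za-z ]*:/       { inlist = 0 }
    inlist && $1 == want        { found = 1 }
    END                         { exit found ? 0 : 1 }'
}

# Server side: trust every user certificate signed by this CA. The account a holder may log
# in to is one of the principals baked into the certificate with -n.
sshd_trust_config() {
  printf 'TrustedUserCAKeys /etc/ssh/user_ca.pub\n'
}

if command -v ssh-keygen >/dev/null 2>&1; then
  make_keys && sign_user_key && show_cert
  cert_has_principal root && echo "root allowed" || echo "root is not a principal (expected)"
fi
# Deploy: copy $CA_DIR/user_ca.pub to /etc/ssh/user_ca.pub on each server, add the
# sshd_trust_config line, and give the user chris-cert.pub next to their private key;
# ssh picks it up automatically (or set CertificateFile in ~/.ssh/config).
```

The short `-V` window is the point of the scheme: access expires on its own instead of living in `authorized_keys` forever, and revoking the CA or a serial (via `RevokedKeys`) cuts off every certificate it issued without touching each server's user list.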
