My Favorite SSH Tricks

Updated by Tyrel on 2020-07-09

Summary

Auto-Login, File Mount Point, Tunneling / Proxy, SSH Over Non-Default Port

Topics:

Auto-Login
File Mount Point
Tunneling / Proxy
SSH Over Non-Default Port

SSH Auto-Login

Entering a Username and Password every time you need to manage a remote resource is just about the most tedious and annoying thing in the world. Thankfully using key based authentication we can avoid the hassle. My Primary Use Cases for this feature are (Github, AWS EC2, and Raspberry Pi management functions).

Cheat Sheet:

1) Generate Keys

ssh-keygen -t rsa -b 4096 -C "your_email"

That command generates these keys by default:

~/.ssh/id_rsa (Private Key)
~/.ssh/id_rsa.pub (Public Key used for Authentication)

2) Add Key to ~/.ssh/authorized_keys on the Remote Host

ssh-copy-id -i ~/.ssh/id_rsa.pub user@hostname

3) Login :)

ssh user@hostname

No Password Required! Also no need to specify any keys as id_rsa.pub is the default.

If you are not using the default or have named it something else can always fall back to:

ssh -i ~/.ssh/*KEY* user@hostname

Additional Info on ssh-keygen

Additional Info on ssh-copy-id

Additional Info on ssh

SSH File Mount Point

SSHFS (Secure Shell FileSystem) provides an extremely handy ad-hoc filesystem mount over SSH. In My Opinion this has a few advantages over something like SAMBA:

Easier to Set Up / Use / Troubleshoot
More Flexible
- SAMBA is typically used on Layer 2 network segments (OSI Model) e.g. 192.168.0.x/24 and requires tweeking to enable access to shares beyond the Layer 3 boundary (Whether that be a home router or corporate multi-layer switch)
- SSHF has no Layer2/3 limitations right out of the gate!
No need to enter Creds
- When used in Conjunction with SSH Auto-Login

Basic Setup:

Install SSHFS via Apt-Get

sudo apt-get install sshfs

Modify /etc/fuse.conf

sudo nano /etc/fuse.conf

# /etc/fuse.conf - Configuration file for Filesystem in Userspace (FUSE)

# Set the maximum number of FUSE mounts allowed to non-root users.
# The default is 1000.
#mount_max = 1000

# Allow non-root users to specify the allow_other or allow_root mount options.
user_allow_other

Mount

sshfs -o idmap=user,allow_other tyrel@192.168.1.254:/SRC_PATH/ ~/DST_PATH

Additional Info on sshfs

SSH Proxy

Why would I need a SSH Proxy?

Secure an otherwise non-secure port
- HTTP/FTP/DNS/TELNET
Circumvent a Firewall

Illustration

                                        Proxy Diagram

+--------+                                +-------+                                 +--------+
| Client | +----------------------------> | Proxy | +---------------------------->  | Server |
+--------+                                +-------+                                 +--------+


                                   Simple SSH Forward Proxy


+-------------------+                   +------------+        SSH Tunnel        +------------+
| Some Other Client | +-------------->  | SSH Client |  +--------------------+  | SSH Server |
+-------------------+                   |   Proxy    |                          +------------+
                                        +------------+

                                        Localhost:8080  +------------------------->  :80


                                   Simple SSH Reverse Proxy


+------------+        SSH Tunnel        +------------+                   +-------------------+
| SSH Client |  +--------------------+  | SSH Server |  <--------------+ | Some Other Client |
+------------+                          |    Proxy   |                   +-------------------+
                                        +------------+

     :80  <--------------------------+    Remote:8080

Forward Proxy

Connect

With Shell:

ssh pi@pi -L 8080:pi:80

Without Shell:

ssh -N pi@pi -L 8080:pi:80

Background:

ssh -f -N pi@pi -L 8080:pi:80

VNC Example:

ssh -t -L 5901:localhost:5908 tyrel@tyrel-lenovo 'x11vnc -localhost -display :0 -rfbport 5908'

Reverse Proxy

Modify /etc/ssh/sshd_config

GatewayPorts yes
Restart SSH

sudo systemctl restart sshd
Connect

ssh -f -N pi@pi -R 8080:localhost:80

SSH Over Non-Default Port

Why would you want to run SSH over a non-default port?

Simple Answer: Circumvent a Firewall or Security Policy. (Typically a traditional "statefull" firewall, "next-gen" firewalls can detect and block non-default protocols IF configured to do so.)

Scenario:

Sometimes you're at the office and corporate security policy dictates SSH is not allowed outbound (Typical, across many industries). However I've never seen a company that did not allow HTTPS outbound... After all what would be the purpose of having an internet connection if the employees couldn't access the web. So why not run our public SSH server over 443?

Setup:

Edit SSH Config

sudo nano /ect/ssh/sshd_config

Add:
```
Port 22
Port 443
```
Restart SSHD

sudo systemctl sshd restart
Verify

sudo netstat -anp |grep ":22\|:443\|PID"

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:\*               LISTEN      1195/sshd
tcp        0      0 0.0.0.0:443             0.0.0.0:\*               LISTEN      1195/sshd

tyrel.cloud

All posts tagged: