Auto-Login, File Mount Point, Tunneling / Proxy, SSH Over Non-Default Port
Entering a username and password every time you need to manage a remote resource is just about the most tedious and annoying thing in the world. Thankfully, using key-based authentication we can avoid the hassle, and a 4096-bit key is also far harder to guess or brute-force than any password. My primary use cases for this feature are GitHub, AWS EC2, and Raspberry Pi management.
1) Generate Keys
ssh-keygen -t rsa -b 4096 -C "your_email"
That command generates these keys by default (answer the passphrase prompt with a real passphrase; ssh-agent can cache it so you still type it only once per session):
~/.ssh/id_rsa      (Private Key: stays on this machine and is never copied anywhere)
~/.ssh/id_rsa.pub  (Public Key used for Authentication)
2) Add Key to ~/.ssh/authorized_keys on the Remote Host
ssh-copy-id -i ~/.ssh/id_rsa.pub user@hostname
3) Login :)
ssh user@hostname
No password required! There is also no need to specify a key, because ssh tries ~/.ssh/id_rsa (the private key) by default.
If you are not using the default key, or have named it something else, you can always fall back to pointing -i at the private key:
ssh -i ~/.ssh/*KEY* user@hostname
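What ssh-copy-id does on the remote side, written out by hand as an added example (this is not the original post's code and not ssh-copy-id itself). It exists because the most common reason a freshly copied key "does not work" is permissions: sshd, with its default StrictModes yes, ignores authorized_keys when ~/.ssh, the file, or the home directory is writable by group or other. The public key line in the demo is a constructed placeholder, not a real key; in practice read it from ~/.ssh/id_rsa.pub, or from id_ed25519.pub if you generated the key with ssh-keygen -t ed25519, which is the current recommendation and is what ssh-copy-id would send.

```shell
#!/usr/bin/env bash
# Added example: remote-side half of ssh-copy-id, with the StrictModes
# permission rules made explicit. Not the original post's code.
set -eu

# install_pubkey <pubkey-file> <home-dir>
# Appends the key to <home-dir>/.ssh/authorized_keys exactly once and fixes
# modes. Returns 0 when the key was added, 1 when it was already present.
install_pubkey() {
    local pubkey_file="$1" home_dir="$2"
    local ssh_dir="$home_dir/.ssh" key_line blob
    local auth_keys="$ssh_dir/authorized_keys"
    key_line="$(head -n 1 "$pubkey_file")"
    # Field 2 is the base64 key blob; matching on it rather than the whole line
    # means a changed comment does not create a duplicate entry.
    blob="$(printf '%s\n' "$key_line" | awk '{ print $2 }')"

    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"          # sshd refuses a group/world-writable ~/.ssh
    touch "$auth_keys"
    chmod 600 "$auth_keys"        # and a group/world-writable authorized_keys

    if grep -qF -- "$blob" "$auth_keys"; then
        return 1
    fi
    printf '%s\n' "$key_line" >> "$auth_keys"
    return 0
}

# strictmodes_ok <home-dir>: true if ~/.ssh is exactly 0700 and
# authorized_keys exactly 0600, the layout sshd's StrictModes check accepts.
# (The home directory itself must also not be group/world writable.)
strictmodes_ok() {
    local ssh_dir="$1/.ssh"
    [ -n "$(find "$ssh_dir" -maxdepth 0 -perm 700)" ] &&
    [ -n "$(find "$ssh_dir/authorized_keys" -maxdepth 0 -perm 600)" ]
}

# Stand-alone demo against a scratch directory (constructed data, nothing real).
demo_dir="$(mktemp -d)"
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyBlobNotARealKey user@laptop\n' \
    > "$demo_dir/id_ed25519.pub"
install_pubkey "$demo_dir/id_ed25519.pub" "$demo_dir/home" && echo "key added"
install_pubkey "$demo_dir/id_ed25519.pub" "$demo_dir/home" || echo "key already present"
strictmodes_ok "$demo_dir/home" && echo "permissions ok"
rm -rf "$demo_dir"
```

If a key still does not work after this, `ssh -v user@hostname` on the client shows which identities were offered, and the server's auth log (journalctl -u sshd, or /var/log/auth.log) names the file or directory whose mode sshd rejected.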
SSHFS (Secure Shell FileSystem) provides an extremely handy ad-hoc filesystem mount over SSH: the only server-side requirement is a working sftp subsystem, which stock sshd already provides. In my opinion this has a few advantages over something like Samba:
Install SSHFS via Apt-Get
sudo apt-get install sshfs
Modify /etc/fuse.conf
sudo nano /etc/fuse.conf
# /etc/fuse.conf - Configuration file for Filesystem in Userspace (FUSE)
# Set the maximum number of FUSE mounts allowed to non-root users.
# The default is 1000.
#mount_max = 1000
# Allow non-root users to specify the allow_other or allow_root mount options.
user_allow_other
Mount (allow_other lets every other local account, not just you, read the mounted tree; leave it out, together with the user_allow_other change above, unless another user or a system service genuinely needs the mount)
sshfs -o idmap=user,allow_other tyrel@192.168.1.254:/SRC_PATH/ ~/DST_PATH
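A small wrapper around the mount above, added here as an example and not part of the original post: it checks whether the mount point is already an sshfs mount before mounting (a second sshfs on the same directory just stacks another mount on top), mounts without allow_other, adds the reconnect and keepalive options that keep a laptop mount usable after a sleep, and unmounts with fusermount -u rather than umount. The host pi, path /home/pi/share and mount point $HOME/mnt/pi are hypothetical. is_mounted takes an optional mounts file so it can be tested against a captured /proc/mounts instead of a live one.

```shell
#!/usr/bin/env bash
# Added example (not the original post's): sshfs mount helper with a mount-state
# check. Hypothetical target: pi@pi:/home/pi/share on $HOME/mnt/pi.
set -eu

# is_mounted <mountpoint> [mounts-file]
# True if <mountpoint> is currently a fuse.sshfs mount. Reads /proc/mounts by
# default; the second argument exists so the check can run on a captured copy.
is_mounted() {
    local mp="$1" mounts="${2:-/proc/mounts}"
    awk -v mp="$mp" '$2 == mp && $3 == "fuse.sshfs" { found = 1 } END { exit !found }' "$mounts"
}

# mount_remote <user@host:path> <mountpoint>
# Mounts once; later calls are no-ops. allow_other is deliberately absent: it
# would expose the remote tree to every local account (and needs the
# user_allow_other line in /etc/fuse.conf). reconnect plus the keepalive pair
# lets the mount survive a dropped connection instead of hanging every process
# that touches it.
mount_remote() {
    local remote="$1" mp="$2"
    mkdir -p "$mp"
    if is_mounted "$mp"; then
        echo "already mounted: $mp"
        return 0
    fi
    sshfs -o idmap=user,reconnect,ServerAliveInterval=15,ServerAliveCountMax=3 \
        "$remote" "$mp"
}

# unmount_remote <mountpoint>: FUSE mounts owned by a user are released with
# fusermount -u, not umount.
unmount_remote() {
    fusermount -u "$1"
}

# Command-line entry point; no arguments means only the functions are defined.
case "${1:-}" in
    up)   mount_remote "pi@pi:/home/pi/share" "$HOME/mnt/pi" ;;
    down) unmount_remote "$HOME/mnt/pi" ;;
esac
```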
Why would I need an SSH Proxy?
To reach a port that only the SSH server (or a host behind it) can see, or to publish a port of your own through a server that others can reach. The SSH connection is the proxy; the forwarded port rides inside it.

Proxy Diagram

+--------+                   +-------+                   +--------+
| Client | +---------------> | Proxy | +---------------> | Server |
+--------+                   +-------+                   +--------+

Simple SSH Forward Proxy (-L)

+-------------------+        +------------+   SSH Tunnel   +------------+
| Some Other Client | +----> | SSH Client | +------------> | SSH Server |
+-------------------+        |   Proxy    |                +------------+
                             +------------+
     Localhost:8080 +-----------------------------------------------> :80

Simple SSH Reverse Proxy (-R)

+------------+   SSH Tunnel   +------------+        +-------------------+
| SSH Client | +------------+ | SSH Server | <----+ | Some Other Client |
|   Proxy    |                +------------+        +-------------------+
+------------+
        :80 <--------------------------------------------- Remote:8080
Connect
With Shell (a normal interactive session; the forward lives as long as the session does):
ssh pi@pi -L 8080:pi:80
Without Shell (-N: no remote command, just the forward):
ssh -N pi@pi -L 8080:pi:80
Background (-f: drop to the background once authenticated; note the pid, or use a control socket, so you can stop it later):
ssh -f -N pi@pi -L 8080:pi:80
In each case local port 8080 is bound to 127.0.0.1 only; other machines cannot use the forward unless you add -g or an explicit 0.0.0.0 bind address.
VNC Example (-t allocates a tty so x11vnc dies when the session ends; x11vnc listens only on the remote loopback and is reached through the forward on local port 5901):
ssh -t -L 5901:localhost:5908 tyrel@tyrel-lenovo 'x11vnc -localhost -display :0 -rfbport 5908'
Modify /etc/ssh/sshd_config on the server (only needed when other machines must reach the forwarded port; by default a -R port listens on the server's loopback only)
GatewayPorts yes
The narrower setting is GatewayPorts clientspecified: the port stays on loopback unless the client asks for more with a bind address, e.g. -R 0.0.0.0:8080:localhost:80.
Restart SSH
sudo systemctl restart sshd
Connect
ssh -f -N pi@pi -R 8080:localhost:80
Anyone who can reach the server on port 8080 now reaches port 80 on your machine, so treat a reverse forward as publishing that service.
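The forwards above, managed through an SSH control socket, as an added example that is not from the original post. Backgrounding with -f leaves you hunting for the pid to stop the tunnel; with -M/-S the same ssh binary can report on and tear down the master (-O check, -O exit). The second half answers the bind-address point made for both -L and -R: listener_bind reads `ss -ltn` (or a captured copy of its output) and reports which address a listener on a given port is bound to, so you can confirm a forward is loopback-only on the side where it was opened. The user pi, host pi, and the control-socket path ~/.ssh/ctl-%C are hypothetical; ExitOnForwardFailure=yes makes ssh exit instead of silently continuing when the port is already taken.

```shell
#!/usr/bin/env bash
# Added example (not the original post's): control-socket tunnel management
# plus a loopback-binding check parsed from `ss -ltn` output.
set -eu

CTL='~/.ssh/ctl-%C'   # %C expands to a hash of user, host and port, unique per target

# tunnel_up <user@host> <forward-spec...>
# e.g. tunnel_up pi@pi -L 127.0.0.1:8080:localhost:80
tunnel_up() {
    local target="$1"; shift
    ssh -f -N -M -S "$CTL" -o ExitOnForwardFailure=yes "$@" "$target"
}

tunnel_status() { ssh -S "$CTL" -O check "$1"; }   # prints "Master running (pid=...)"
tunnel_down()   { ssh -S "$CTL" -O exit  "$1"; }

# listener_bind <port> [ss-output-file]
# Prints the address of every TCP listener on <port>, taken from `ss -ltn`
# (or a captured copy for testing). A forward opened with -L 8080:... shows
# 127.0.0.1 and/or [::1]; 0.0.0.0, * or [::] means it was opened with -g or
# a wildcard bind address and is reachable by anything that can route here.
listener_bind() {
    local port="$1" src="${2:-}"
    if [ -n "$src" ]; then cat "$src"; else ss -ltn; fi |
        awk -v p="$port" 'NR > 1 {
            n = split($4, a, ":")
            if (a[n] == p) print substr($4, 1, length($4) - length(a[n]) - 1)
        }'
}

# is_loopback_only <port> [ss-output-file]
# Succeeds only if there is at least one listener on <port> and all of them
# are bound to loopback.
is_loopback_only() {
    listener_bind "$1" "${2:-}" | awk '
        BEGIN { seen = 0; bad = 0 }
        { seen = 1; if ($0 != "127.0.0.1" && $0 != "[::1]") bad = 1 }
        END { exit !(seen && !bad) }'
}

# Command-line entry point; no arguments means only the functions are defined.
case "${1:-}" in
    up)     tunnel_up pi@pi -L 127.0.0.1:8080:localhost:80 ;;
    status) tunnel_status pi@pi ;;
    down)   tunnel_down pi@pi ;;
    check)  if is_loopback_only 8080; then echo "8080 is loopback-only"
            else echo "8080 is missing or exposed"; fi ;;
esac
```

For a reverse forward run the same check on the server: with GatewayPorts at its default the -R port shows 127.0.0.1 there, and only after GatewayPorts yes (or clientspecified plus a wildcard bind address) does it show 0.0.0.0.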
Why would you want to run SSH over a non-default port?
Simple Answer: Circumvent a Firewall or Security Policy. (Typically a traditional "stateful" firewall, which filters on port number alone; "next-gen" firewalls identify the protocol from the traffic itself and can block SSH on 443 IF configured to do so, as can a TLS-inspecting web proxy, since an SSH banner is not a TLS handshake.)
Scenario:
Sometimes you're at the office and corporate security policy dictates SSH is not allowed outbound (typical, across many industries). However, I've never seen a company that did not allow HTTPS outbound... After all, what would be the purpose of having an internet connection if the employees couldn't access the web? So why not run our public SSH server over 443?
Setup:
Edit SSH Config
sudo nano /etc/ssh/sshd_config
Add (sshd listens on every Port line given, so 22 stays available; 443 must not already be in use by a web server on the same host, or the bind fails):
Port 22
Port 443
Restart SSHD (do this from an existing session, which survives the restart, and keep that session open until the new listener is verified)
sudo systemctl restart sshd
Verify
sudo netstat -anp | grep ":22\|:443\|PID"
Proto Recv-Q Send-Q Local Address    Foreign Address  State   PID/Program name
tcp   0      0      0.0.0.0:22       0.0.0.0:*        LISTEN  1195/sshd
tcp   0      0      0.0.0.0:443      0.0.0.0:*        LISTEN  1195/sshd
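A pre-restart check for the change above, added here as an example and not part of the original post. Restarting sshd with a broken config on a remote box is how you lock yourself out, so the script reads the Port directives the way sshd does (comments and blank lines skipped, directive name case-insensitive, 22 assumed when no Port line exists), confirms the expected ports are present, and only then runs sshd -t, which parses the whole file and exits non-zero on any error, before the restart. The sample config in the test is constructed. Ports given inline on a ListenAddress line, and files pulled in by Include, are not followed; that is a limitation of this example, not of sshd.

```shell
#!/usr/bin/env bash
# Added example (not the original post's): validate the multi-port sshd_config
# change before restarting the daemon.
set -eu

# configured_ports <sshd_config>
# Prints the Port values sshd will listen on, one per line.
configured_ports() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "port" { print $2; n++ }
        END { if (!n) print 22 }' "$1"
}

# expect_ports <sshd_config> <port>...
# Succeeds only if every listed port is configured; names the missing ones.
expect_ports() {
    local cfg="$1"; shift
    local have missing=0 p
    have="$(configured_ports "$cfg")"
    for p in "$@"; do
        if ! printf '%s\n' "$have" | grep -qx "$p"; then
            echo "missing: Port $p"
            missing=1
        fi
    done
    return "$missing"
}

# apply_config: syntax-check the live file, then restart. Run this from a
# session that is already open and keep it open until `ss -ltnp | grep sshd`
# (or the netstat line above) shows both ports listening.
apply_config() {
    expect_ports /etc/ssh/sshd_config 22 443 || return 1
    sudo sshd -t -f /etc/ssh/sshd_config && sudo systemctl restart sshd
}

# Command-line entry point; no arguments means only the functions are defined.
case "${1:-}" in
    show)  configured_ports /etc/ssh/sshd_config ;;
    apply) apply_config ;;
esac
```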