List algorithms

    • Ciphers: ssh -Q cipher
    • MACs: ssh -Q mac
    • KexAlgorithms: ssh -Q kex
    • PubkeyAcceptedKeyTypes: ssh -Q key


    Notify login


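    recipient="admin@example.com"  # placeholder address, set your own
    if [ "$PAM_TYPE" != "close_session" ]; then
        subject="SSH Login: $PAM_USER from $PAM_RHOST on $(hostname)"
        # Message to send, e.g. the current environment variables.
        # A blank line must separate the mail headers from the body.
        msmtp "${recipient}" -t <<EOF
    Subject: ${subject}

    ${subject}, date: $(date)
    EOF
    fi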

    Note: make sure msmtp or another SMTP service is available.

    chmod u+x /etc/ssh/


    session optional seteuid /etc/ssh/


    Simple jump on target behind private network

    First, the target needs to be reachable. This is done with an SSH tunnel opened from the target to the proxy.

    # Open a tunnel : target (behind private network) ------> proxy (public)
    ssh -i private.key -nNTR 2222:localhost:22 proxyuser@proxy # run this on target machine

    Note: to run the command in the background you can append &, use screen, create a systemd service, or simply use the autossh package.

    The target (port 22, usually SSH) can now be reached through the proxy on port 2222.

    You can access the target in different ways:

    • (not recommended) Make port 2222 publicly accessible on the proxy. To do that, set GatewayPorts to yes or clientspecified in sshd_config.
    • (SSH only) Run ssh on the proxy itself: ssh proxyuser@proxy -t -- ssh targetuser@target. This method requires the commands to be installed on the proxy and possibly files to be available there, such as keys if you use IdentityFile. It also uses more resources on the proxy.
    • Open another SSH tunnel from your local machine to the proxy with ssh -L localport:localhost:2222 proxyuser@proxy, then use localport on your local machine.
    • (recommended, but limited) Use ProxyCommand, see below:

    Using cli:

    #         ssh                   ssh
    # local ------> proxy (public) ------> target (private network)
    ssh -i local-for-target.key -Ao ProxyCommand="ssh -i local-for-proxy.key -W %h:%p -p 22 debian@" -p 2222 targetuser@localhost

    Or directly in config file:

    Host target
      User targetuser
      Hostname localhost
      IdentityFile local-for-target.key
      Port 2222
      ProxyCommand ssh -i local-for-proxy.key -W %h:%p -p 22 proxyuser@proxy

    Note: if you have more than one proxy, see Multiple jumps.
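
The first option above is marked not recommended because GatewayPorts makes the forwarded port reachable from outside the proxy. As an added example (not from the original page), this shell function classifies how port 2222 is bound on the proxy from `ss -Hltn` output; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify how a forwarded port is bound on the proxy.
# Reads `ss -Hltn`-style lines on stdin (column 4 = local address:port).

classify_listener() {
    # $1 = port to look for, e.g. 2222 (the -R port used on this page)
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, part, ":")            # port follows the last colon
            if (part[n] != port) next
            addr = substr($4, 1, length($4) - length(part[n]) - 1)
            gsub(/\[|\]/, "", addr)             # [::1] -> ::1
            if (addr ~ /^127\./ || addr == "::1") loopback = 1
            else exposed = 1                    # 0.0.0.0, *, :: or a real interface
        }
        END {
            if (exposed)       print "exposed"
            else if (loopback) print "loopback"
            else               print "absent"
        }'
}

# Constructed sample: GatewayPorts no (default), tunnel bound to loopback only.
SAMPLE_LOOPBACK='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:2222 0.0.0.0:*
LISTEN 0 128 [::1]:2222 [::]:*'

# Constructed sample: GatewayPorts yes, tunnel bound to every interface.
SAMPLE_EXPOSED='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:2222 0.0.0.0:*
LISTEN 0 128 [::]:2222 [::]:*'

# Helper (hypothetical name): run the classifier over a sample string.
check() { printf '%s\n' "$1" | classify_listener "$2"; }

echo "default config, port 2222:   $(check "$SAMPLE_LOOPBACK" 2222)"
echo "GatewayPorts yes, port 2222: $(check "$SAMPLE_EXPOSED" 2222)"
echo "no tunnel, port 2223:        $(check "$SAMPLE_LOOPBACK" 2223)"
```

On the proxy, feed it live data with `ss -Hltn | classify_listener 2222`; `sshd -T | grep -i gatewayports` shows the effective server setting.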

    Multiple jumps


    Host jumphost1
      User username1
    Host jumphost2
      User username2
      ProxyCommand ssh -W %h:%p jumphost1
    Host jumphost3
      User username3
      ProxyCommand ssh -W %h:%p jumphost2
    Host server
      User username4
      ProxyCommand ssh -W %h:%p jumphost3

    Equivalent through CLI

    # Each nesting level doubles the % so that only the ssh at that level expands %h:%p.
    ssh -oProxyCommand="ssh -W %h:%p -oProxyCommand=\"ssh -W %%h:%%p -oProxyCommand=\\\"ssh -W %%%%h:%%%%p username1@jumphost1\\\" username2@jumphost2\" username3@jumphost3" \
      username4@server

    Example of port forwarding

    Access port 80 of private-target through the SSH server on domain.tld.

    ssh -N -L 8080:private-target:80 root@domain.tld


    • -N: do not open a remote shell (forwarding only)
    • -f: run ssh in the background

    Then send your requests to localhost:8080.



    client_loop: send disconnect: Broken pipe

    Host *
        ServerAliveInterval 20
        TCPKeepAlive no