SSH
List algorithms
- Ciphers:
ssh -Q cipher
- MACs:
ssh -Q mac
- KexAlgorithms:
ssh -Q kex
- PubkeyAcceptedKeyTypes:
ssh -Q key
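As an added example (not part of these notes), a POSIX sh audit of the lists the ssh -Q commands above print: it separates legacy ciphers and MACs from the rest and emits the Ciphers/MACs config lines that keep only the latter. The legacy patterns and the sample lists are this example's own choices, constructed stand-ins for what ssh -Q reports on a real host.

```shell
#!/bin/sh
# Added example, not from the original notes: audit the lists printed by
# `ssh -Q cipher` and `ssh -Q mac`, separate legacy algorithms from the rest
# and emit Ciphers/MACs lines (sshd_config or ssh_config syntax) that keep
# only the latter. The legacy patterns are this example's own choice; the
# sample lists at the bottom are constructed stand-ins for `ssh -Q` output.

# Legacy patterns per kind: CBC modes, RC4 (arcfour), 3DES, Blowfish, CAST
# for ciphers; MD5, SHA-1, RIPEMD and truncated 96-bit tags for MACs.
legacy_re() {
    case "$1" in
        cipher) echo 'cbc|arcfour|3des|blowfish|cast128' ;;
        mac)    echo 'md5|sha1|ripemd|-96' ;;
        *)      echo "legacy_re: expected cipher|mac, got '$1'" >&2; return 2 ;;
    esac
}

# Join stdin lines with commas (the list form the Ciphers/MACs directives take).
join_commas() {
    sep=""
    while IFS= read -r a; do printf '%s%s' "$sep" "$a"; sep=","; done
    echo
}

# stdin: one algorithm per line, as `ssh -Q` prints it; $1: cipher|mac.
# list_legacy prints the flagged entries, strong_list the comma-joined rest.
list_legacy() { re=$(legacy_re "$1") || return 2; grep -Ei "$re" || true; }
strong_list() { re=$(legacy_re "$1") || return 2; grep -Eiv "$re" | join_commas; }

# Constructed sample input (replace with: ssh -Q cipher / ssh -Q mac).
sample_ciphers='3des-cbc
aes128-cbc
aes128-ctr
aes256-ctr
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com'
sample_macs='hmac-md5
hmac-sha1
hmac-sha1-96
hmac-sha2-256
hmac-sha2-512-etm@openssh.com
umac-128-etm@openssh.com'

echo "# legacy ciphers found:"; printf '%s\n' "$sample_ciphers" | list_legacy cipher
echo "# legacy MACs found:";    printf '%s\n' "$sample_macs"    | list_legacy mac
echo "# hardened config lines:"
echo "Ciphers $(printf '%s\n' "$sample_ciphers" | strong_list cipher)"
echo "MACs $(printf '%s\n' "$sample_macs" | strong_list mac)"
```

Pipe the real output in with ssh -Q cipher | strong_list cipher and compare the result with the Ciphers line currently in sshd_config.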
Notify login
/etc/ssh/login-notify.sh:
#!/bin/sh
sender="lbl.others@gmail.com"
recipient="lpyparmentier@gmail.com"
# pam_exec exports PAM_TYPE, PAM_USER and PAM_RHOST; notify on every
# session event except the session close.
if [ "$PAM_TYPE" != "close_session" ]; then
subject="SSH Login: $PAM_USER from $PAM_RHOST on $(hostname)"
# Message to send, e.g. the current environment variables.
# The headers must be followed by an empty line before the body.
msmtp "${recipient}" -t <<EOF
From: ${sender}
To: ${recipient}
Subject: ${subject}

${subject}, date: $(date)
EOF
fi
Note: be sure you have msmtp or another SMTP client available.
chmod u+x /etc/ssh/login-notify.sh
/etc/pam.d/sshd:
session optional pam_exec.so seteuid /etc/ssh/login-notify.sh
Tunnel
Simple jump on target behind private network
First, our target needs to be reachable; this is done through an ssh reverse tunnel.
# Open a tunnel : target (behind private network) ------> proxy (public)
ssh -i private.key -nNTR 2222:localhost:22 proxyuser@proxy # run this on target machine
Note: if you want to run the command in background you can use &, or use screen, or create a systemd service, or simply use the autossh package.
Now it is possible to connect to target (port 22, usually ssh) through proxy using port 2222.
You can access target in different ways:
- (not recommended) Make port 2222 publicly accessible from proxy. To do that, change GatewayPorts to yes or clientspecified in sshd_config.
- (if you just want the ssh protocol; this method requires commands installed on the proxy and possibly files available on the proxy, such as keys if you use IdentityFile) ssh proxyuser@proxy -t -- ssh targetuser@target. This method will also use more resources on proxy.
- Open another ssh tunnel from your local machine to the proxy with ssh -L localport:localhost:2222 proxyuser@proxy and now use localport on your local machine.
- (recommended, but limited) use ProxyCommand, see below:
Using cli:
#          ssh                  ssh
# local ------> proxy (public) ------> target (private network)
ssh -i local-for-target.key -A -o ProxyCommand="ssh -i local-for-proxy.key -W %h:%p -p 22 debian@51.83.15.194" -p 2222 targetuser@localhost
Or directly in config file:
Host target
User targetuser
Hostname localhost
IdentityFile local-for-target.key
Port 2222
ProxyCommand ssh -i local-for-proxy.key -W %h:%p -p 22 proxyuser@proxy
Note: if you have more than one proxy, take a look at multiple jumps below.
Multiple jumps
~/.ssh/config:
Host jumphost1
User username1
Host jumphost2
User username2
ProxyCommand ssh -W %h:%p jumphost1
Host jumphost3
User username3
ProxyCommand ssh -W %h:%p jumphost2
Host server
User username4
ProxyCommand ssh -W %h:%p jumphost3
Equivalent through CLI. Each ProxyCommand is run by ssh through sh -c, so the quotes of every nested level must be escaped once more than the level above; only the outermost -W may use %h:%p, because ssh expands every %h/%p token in the whole string to server's host and port (the jump hosts' ssh port is assumed to be 22 here, as %p would default to in the config version):
ssh -o ProxyCommand="ssh -W %h:%p \
  -o ProxyCommand=\"ssh -W jumphost3:22 \
    -o ProxyCommand=\\\"ssh -W jumphost2:22 username1@jumphost1\\\" \
    username2@jumphost2\" \
  username3@jumphost3" \
  username4@server
Note: OpenSSH 7.3 and later also provide the ProxyJump option (-J) to express such a chain in one option.
Example of port forwarding
Access port 80 of private-target through ssh on domain.tld.
ssh -N -L 8080:private-target:80 root@domain.tld
Notes:
-N disables the remote shell (no command is run, only the forwarding)
-f allows running in background
Then just request localhost:8080
FAQ
client_loop: send disconnect: Broken pipe
~/.ssh/config:
Host *
ServerAliveInterval 20
TCPKeepAlive no