date: 2023-02-28 09:39:25
categories: linux
firstPublishDate: 2023-02-28 09:39:25
Here is a set of SSH client configurations I usually use and find useful.
The SSH client configuration is stored in `~/.ssh/config`.
When a NAT router sits between the client and the server, it closes TCP connections after a period of inactivity (about 10 minutes for my router). To prevent the router from dropping the connection, I keep it alive with these options in the config file:
```
Host *
    ServerAliveInterval 290
    ServerAliveCountMax 2
```
I generate my identity keys like this:
```
ssh-keygen -t rsa -b 4096
# or
ssh-keygen -t ed25519
ssh-keygen -t ed25519 -f filename
```
A passphrase can be set on the key to protect it. The passphrase is asked for at each new connection unless the key is loaded into ssh-agent (more on ssh-agent below). The public key has to be appended to `~/.ssh/authorized_keys` on the server, and the client uses the private key to authenticate with the key instead of a password:
```
ssh -i ~/.ssh/id_rsa myuser@example.com
```
It is possible to replace this command line with something shorter:
```
ssh server
```
In order to do that, add a configuration in `~/.ssh/config`:
```
Host server
    HostName example.com
    IdentityFile ~/.ssh/id_rsa
    Port 22
    User myuser
```
With SSH, one can hop through a server to reach a machine that is not reachable from the public internet.
```
Client -> host1 (server on the Internet) -> host2 (server in the LAN)
```
Without configuration, it is done like this:
```
ssh -J myuser@server auser@host2
```
It is configured like this in `~/.ssh/config`:
```
Host insideServer
    HostName host2
    User auser
    IdentityFile ~/.ssh/id_rsa_InsideServer
    ProxyCommand ssh server -W %h:%p
```
Multiple jump hosts can be chained to reach a destination. All the identity files (the private keys) have to be on the client machine.
Sometimes I want to connect to a host that is not reachable from the public internet and there is no jump host; then I use a reverse tunnel like this:
```
# I connect the server (not reachable from the internet) to the client (example.com)
ssh -i ~/.ssh/id_rsa -R 19999:localhost:22 -C user@example.com
# On the client, I connect to port 19999
ssh userOnServer@localhost -p 19999
```
I use ssh-agent to load the passphrase-protected keys; the passphrase is asked for only once, when the key is loaded:
```
eval $(ssh-agent)
# add keys
ssh-add ~/.ssh/id_rsa
```
RSA signatures with SHA-1 (the `ssh-rsa` algorithm) have been disabled by default since OpenSSH 8.8 (2021-09-26), so older ssh clients can't connect to newer ssh servers and newer clients can't connect to older servers. One solution is to upgrade the client to a newer version; another is to accept the legacy host key using the ssh-rsa algorithm for the machine with the old ssh server.
Set the configuration for the old server in `~/.ssh/config` like this:
```
Host oldserver
    HostName example.com
    IdentityFile ~/.ssh/id_rsa
    Port 22
    User myuser
    PubkeyAcceptedAlgorithms +ssh-rsa
    HostkeyAlgorithms +ssh-rsa
```
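As an added example (not from the post), this POSIX sh script with awk mimics how ssh(1) resolves a host alias from a config like the ones above: for each keyword the first value found wins, so specific `Host` blocks must come before `Host *`. It prints the full command line an alias stands for and checks whether the `+ssh-rsa` workaround is active, against a constructed sample config.

```shell
# Constructed sample ssh_config (not the author's real file). ssh(1) uses the
# FIRST value it finds per keyword, so specific blocks precede "Host *".
SAMPLE_CONFIG=$(cat <<'EOF'
Host oldserver
    HostName legacy.example.com
    IdentityFile ~/.ssh/id_rsa
    User myuser
    PubkeyAcceptedAlgorithms +ssh-rsa
    HostkeyAlgorithms +ssh-rsa

Host server
    HostName example.com
    IdentityFile ~/.ssh/id_ed25519
    User myuser

Host *
    Port 22
    ServerAliveInterval 290
    ServerAliveCountMax 2
EOF
)

# resolve_option CONFIG ALIAS KEYWORD: print the first value that applies to
# ALIAS. Keywords are case-insensitive as in ssh; only exact aliases and the
# bare "*" wildcard are handled (no full pattern lists, no Match blocks).
resolve_option() {
    printf '%s\n' "$1" | awk -v alias="$2" -v key="$(printf '%s' "$3" | tr 'A-Z' 'a-z')" '
        tolower($1) == "host" { in_block = ($2 == alias || $2 == "*"); next }
        in_block && tolower($1) == key { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# ssh_command CONFIG ALIAS: the explicit command line the alias stands for.
ssh_command() {
    host=$(resolve_option "$1" "$2" HostName)
    user=$(resolve_option "$1" "$2" User)
    port=$(resolve_option "$1" "$2" Port)
    identity=$(resolve_option "$1" "$2" IdentityFile)
    printf 'ssh %s-p %s %s%s\n' "${identity:+-i $identity }" "${port:-22}" \
        "${user:+$user@}" "${host:-$2}"
}

# allows_legacy_rsa CONFIG ALIAS: succeed when SHA-1 ssh-rsa is re-enabled for
# host keys or user keys, which is what the "+ssh-rsa" workaround does.
allows_legacy_rsa() {
    for k in HostkeyAlgorithms PubkeyAcceptedAlgorithms; do
        case "$(resolve_option "$1" "$2" "$k")" in *ssh-rsa*) return 0 ;; esac
    done
    return 1
}
```

To check a real file, pass `"$(cat ~/.ssh/config)"` instead of `"$SAMPLE_CONFIG"`; `ssh -G alias` prints the authoritative effective settings for comparison.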
When I can't upgrade or change the configuration, I set up an FTP server, see:
How to transfer files between devices
or I use a third machine:
I copy the files from A to C through B with pipes and `tar` (or `cat` for a single file):
```
# From C
# Copy a file in A to C:
ssh B 'ssh A "cat file"' > file
# Copy multiple files in A to C; the data is compressed with bzip2 on the network:
ssh B 'ssh A "/bin/tar cj file1 dir2 file3"' | tar xj
```
It is possible to store ssh keys in a TPM 2.0; I haven't tried it yet:
=> https://jade.fyi/blog/tpm-ssh/
=> https://blog.ledger.com/ssh-with-tpm/
Related articles:
How to tunnel firefox through ssh
How to transfer files between devices
Tag: #ssh