SSH client configurations


date: 2023-02-28 09:39:25

categories: linux

firstPublishDate: 2023-02-28 09:39:25

Here is a set of SSH client configurations I usually use and find useful.

The SSH client configuration is stored in

~/.ssh/config

When a NAT router sits between the client and the server, it drops TCP connections after a long period of inactivity (about 10 minutes for my router). To prevent the router from closing the connection, I keep the connection alive with these options in the config file (a keep-alive message every 290 seconds stays under the 10 minute limit, and the client gives up after 2 unanswered messages):

Host *
    ServerAliveInterval 290
    ServerAliveCountMax 2

I generate my Identity keys like this:

ssh-keygen -t rsa -b 4096
# or
ssh-keygen -t ed25519
ssh-keygen -t ed25519 -f filename

A passphrase can be set on the key to protect it. The passphrase is asked for at each new connection unless the key is loaded in ssh-agent (more about ssh-agent below). The public key has to be copied to `~/.ssh/authorized_keys` on the server, and the client has to use the private key to connect with the key instead of a password:

ssh -i ~/.ssh/id_rsa myuser@example.com

It is possible to replace this command line with something shorter:

ssh server

In order to do that, add a configuration in `~/.ssh/config`:

host server
        HostName example.com
        IdentityFile ~/.ssh/id_rsa
        Port 22
        User myuser

With SSH, one can hop through a server to connect to a machine that is not reachable from the public internet.

Client -> host1 Server on Internet -> host2 Server in LAN

Without configuration, it is done like this:

ssh -J myuser@server auser@host2

It is configured like this in `~/.ssh/config`:

host insideServer
        Hostname host2
        User auser
        IdentityFile ~/.ssh/id_rsa_InsideServer
        ProxyCommand ssh server -W %h:%p
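To make the `ssh server` shorthand and the jump host configuration concrete, here is an added example (not from this post, and not OpenSSH code) that reads a client config the way ssh(1) does: blocks are scanned in file order, `Host` patterns select blocks, the first value obtained for a keyword wins, `IdentityFile` accumulates, and the `%h`/`%p` tokens of `ProxyCommand` are expanded. It then prints the explicit command line that `ssh server` and `ssh insideServer` are shorthand for. The config text is the post's snippets combined into one constructed file; the parser covers only the keywords used here.

```python
"""Resolve an OpenSSH client config the way ssh(1) reads it: blocks are scanned
in file order, a 'Host' pattern list selects blocks, and the FIRST value obtained
for a keyword wins (later blocks cannot override it).  Added example for this
post; it is not OpenSSH code and covers only the keywords used in the post."""
import fnmatch
import re
import shlex

# Constructed input (assumption): the post's snippets combined into one file.
SAMPLE_CONFIG = """\
Host *
    ServerAliveInterval 290
    ServerAliveCountMax 2

host server
        HostName example.com
        IdentityFile ~/.ssh/id_rsa
        Port 22
        User myuser

host insideServer
        Hostname host2
        User auser
        IdentityFile ~/.ssh/id_rsa_InsideServer
        ProxyCommand ssh server -W %h:%p
"""

# ssh_config accepts 'Keyword value' and 'Keyword=value'; keywords are case-insensitive
_LINE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")

# Canonical spelling used when printing -o options
_CANONICAL = {
    "serveraliveinterval": "ServerAliveInterval",
    "serveralivecountmax": "ServerAliveCountMax",
    "proxycommand": "ProxyCommand",
}


def parse_ssh_config(text):
    """Return [(host_patterns, [(keyword, value), ...]), ...] in file order.
    Options that appear before any Host line apply to every host."""
    blocks = [(["*"], [])]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue                      # keyword without a value: ignore
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            blocks.append((value.split(), []))
        else:
            blocks[-1][1].append((key, value))
    return blocks


def host_matches(alias, patterns):
    """ssh(1) Host matching: '*' and '?' wildcards, case-insensitive,
    and a pattern starting with '!' excludes the block when it matches."""
    alias = alias.lower()
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(alias, pat[1:].lower()):
                return False
        elif fnmatch.fnmatchcase(alias, pat.lower()):
            matched = True
    return matched


def resolve(text, alias):
    """Effective options for 'ssh <alias>': first obtained value per keyword wins,
    except IdentityFile, which accumulates (every listed key is offered)."""
    effective, identities = {}, []
    for patterns, options in parse_ssh_config(text):
        if not host_matches(alias, patterns):
            continue
        for key, value in options:
            if key == "identityfile":
                identities.append(value)
            elif key not in effective:
                effective[key] = value
    effective.setdefault("hostname", alias)   # HostName defaults to the alias itself
    effective.setdefault("port", "22")
    if identities:
        effective["identityfile"] = identities
    if "proxycommand" in effective:
        # %h, %p and %r expand to the target host, port and user
        effective["proxycommand"] = (effective["proxycommand"]
                                     .replace("%h", effective["hostname"])
                                     .replace("%p", effective["port"])
                                     .replace("%r", effective.get("user", "")))
    return effective


def equivalent_command(text, alias):
    """The explicit command line that 'ssh <alias>' is shorthand for."""
    eff = resolve(text, alias)
    argv = ["ssh"]
    for key in ("serveraliveinterval", "serveralivecountmax", "proxycommand"):
        if key in eff:
            argv += ["-o", f"{_CANONICAL[key]}={eff[key]}"]
    for ident in eff.get("identityfile", []):
        argv += ["-i", ident]
    argv += ["-p", eff["port"]]
    target = eff["hostname"]
    if "user" in eff:
        target = f"{eff['user']}@{target}"
    argv.append(target)
    # quote only arguments containing whitespace so '~' keeps its shell expansion
    return " ".join(shlex.quote(a) if any(c.isspace() for c in a) else a for a in argv)


if __name__ == "__main__":
    for alias in ("server", "insideServer"):
        print(f"ssh {alias}  ->  {equivalent_command(SAMPLE_CONFIG, alias)}")
```

One consequence of the first-match rule worth checking in your own file: because the `Host *` keep-alive block is at the top, a `ServerAliveInterval` set later in a per-host block is ignored. Put `Host *` last if per-host values must be able to override it; `ssh -G server` prints the values OpenSSH itself arrives at.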

Multiple jump hosts can be chained on the way to a destination. All the identity files (the private keys) have to be on the client machine.

Sometimes I want to connect to a host that is not reachable from the public internet and there is no jump host; then I use a reverse tunnel like this:

# From the server (not reachable from the internet), open a reverse tunnel to the client (example.com):
# port 19999 on example.com forwards to port 22 on the server
ssh -i ~/.ssh/id_rsa -R 19999:localhost:22 -C user@example.com
# On the client (example.com), I connect to the server through port 19999
ssh userOnServer@localhost -p 19999

I use ssh-agent to load passphrase-protected keys; the passphrase is asked for only once, when the key is loaded:

eval $(ssh-agent)
# add keys; the passphrase is entered here and later connections use the agent
ssh-add ~/.ssh/id_rsa

The ssh-rsa signature algorithm (RSA with SHA-1) is disabled by default since OpenSSH 8.8 (2021-09-26), so older ssh clients that only support it can't connect to newer ssh servers, and newer clients can't connect to older servers that only offer it. One solution is to upgrade the client to a newer version; another is to accept the legacy ssh-rsa host key algorithm for the machine that runs the old ssh server.

Set the configuration for the old server only (a `host oldserver` block, so every other host keeps the default algorithm lists) in `~/.ssh/config` like this:

host oldserver
        HostName example.com
        IdentityFile ~/.ssh/id_rsa
        Port 22
        User myuser
        PubkeyAcceptedAlgorithms +ssh-rsa
        HostkeyAlgorithms +ssh-rsa
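The `+` in `+ssh-rsa` matters: ssh_config(5) treats an algorithm list with no prefix as a replacement of the default list, `+` as an append, `-` as a removal (wildcards allowed) and `^` as a prepend. The following added example (not from this post, not OpenSSH code) applies those rules to a constructed, abbreviated stand-in for the default `HostKeyAlgorithms` list (an assumption, not the exact default of any OpenSSH release) and reports where the SHA-1 scheme ends up in the preference order. Note that `ssh-rsa` here names the signature scheme, not the key type: keys made with `ssh-keygen -t rsa` keep working against new servers through `rsa-sha2-256`/`rsa-sha2-512`, so `+ssh-rsa` is only needed for peers that speak nothing else.

```python
"""How OpenSSH interprets an algorithm-list option such as HostKeyAlgorithms or
PubkeyAcceptedAlgorithms (ssh_config(5)): no prefix REPLACES the default list,
'+' APPENDS to it, '-' REMOVES matching entries (wildcards allowed) and '^'
PREPENDS.  Added example for this post, not OpenSSH code.  The default list
below is a constructed, abbreviated stand-in (assumption), not the exact default
of any OpenSSH release; what matters is that 'ssh-rsa' (RSA with SHA-1) is absent
while 'rsa-sha2-256'/'rsa-sha2-512' (the same RSA keys with SHA-2) are present."""
import fnmatch

# Assumed defaults, most preferred first (constructed, see docstring).
DEFAULT_HOSTKEY_ALGORITHMS = [
    "ssh-ed25519-cert-v01@openssh.com",
    "rsa-sha2-512-cert-v01@openssh.com",
    "rsa-sha2-256-cert-v01@openssh.com",
    "ssh-ed25519",
    "ecdsa-sha2-nistp256",
    "rsa-sha2-512",
    "rsa-sha2-256",
]

# Names that mean an RSA signature computed with SHA-1
SHA1_RSA_ALGORITHMS = {"ssh-rsa", "ssh-rsa-cert-v01@openssh.com"}


def apply_algorithm_spec(defaults, spec):
    """Return the list ssh will offer, in preference order, for a config value."""
    names = [n for n in spec.lstrip("+-^").split(",") if n]
    if spec.startswith("+"):
        # appended at the end: least preferred, used only if nothing better is shared
        return defaults + [n for n in names if n not in defaults]
    if spec.startswith("-"):
        # every entry matching one of the patterns is dropped
        return [d for d in defaults
                if not any(fnmatch.fnmatchcase(d, pat) for pat in names)]
    if spec.startswith("^"):
        # moved to the front: most preferred
        return names + [d for d in defaults if d not in names]
    # no prefix: the defaults are thrown away entirely
    return names


def sha1_rsa_position(algorithms):
    """Index of the first SHA-1 RSA entry in the offered list, or None.
    A high index means it is only a last resort; 0 means it is preferred."""
    for i, name in enumerate(algorithms):
        if name in SHA1_RSA_ALGORITHMS:
            return i
    return None


def describe(spec):
    """One-line summary of what a HostKeyAlgorithms value does to the offer."""
    algs = apply_algorithm_spec(DEFAULT_HOSTKEY_ALGORITHMS, spec)
    pos = sha1_rsa_position(algs)
    where = "not offered" if pos is None else f"at position {pos} of {len(algs)}"
    return f"HostKeyAlgorithms {spec!r}: {len(algs)} algorithms, SHA-1 RSA {where}"


if __name__ == "__main__":
    print(describe("+ssh-rsa"))                   # the post's setting: last resort only
    print(describe("ssh-rsa"))                    # without '+': ONLY SHA-1 RSA accepted
    print(describe("^ssh-ed25519"))               # prefer Ed25519 host keys
    print(describe("-*-cert-v01@openssh.com"))    # drop certificate host keys
```

Because the value lives in a `host oldserver` block, only that connection sees the appended algorithm; `ssh -G oldserver` and `ssh -G server` show the two different effective lists.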

When I can't upgrade or change the configuration, I set up an FTP server, see:

How to transfer files between devices

or I use a third machine:

I copy files from A to C through B with pipes and `tar` (or `cat` for a single file):

# From C
# Copy a file in A to C:
ssh B 'ssh A "cat file"' > file
# Copy multiple files in A to C; the data is compressed with bzip2 over the network:
ssh B 'ssh A "/bin/tar cj file1 dir2 file3"' | tar xj

It is possible to store SSH keys in a TPM 2.0; I haven't tried it yet:

https://jade.fyi/blog/tpm-ssh/

https://blog.ledger.com/ssh-with-tpm/


Tag: #ssh
