ssh.md
· 4.6 KiB · Markdown
Eredeti
# Agent Forwarding
Adding and removing keys to the agent:
```
waja at Brotschneidemaschine in ~
$ eval "$(ssh-agent -s)"
Agent pid 7715
waja at Brotschneidemaschine in ~
$ ssh-add -L
The agent has no identities.
waja at Brotschneidemaschine in ~
$ ssh-add ~/.ssh/id_rsa
Identity added: /Users/waja/.ssh/id_rsa (waja@Brotschneidemaschine.local)
waja at Brotschneidemaschine in ~
$ ssh-add -L
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCfovU+pdwsO4ubyG8kldmtFwVcfNIbJX8Qvi+4rWKmkcEx7xdz27o+CrCXyu3eSbw8q/BVNZImwbs3C4dCBZ+o7ZtHmJGYzyrIOkY1AD1kdf0tbH3boEqoL46xOx8zGIUWCcuJd+bzMw/ub/5Qf+yW6a00h4szFiREyM6k2y+0gF21ewoSKPZp+XTFFXfOoGAllJ1rhQq+PScUHHu81Ft9bl18e0SWKRJd/EOiI+2/GAb/jtYo0lxyIk1GrmZDA80Tew7Mv636zWfXUaL1Tr4Y8Wxmeetr97MLcVcY9hMZmQlcmurDqeIJdWn1IAr8IRieLJZPiMjt09LZ2EAd/TmI2lbfy3c+013qmc4YoOhXDlRgoS5qeQr/zupP1/0ATzG37pGtkomO1zz9WBafFy5ewzIU1YUArV+/PNWbVdrnIEOKmHF/YM/ZCA5JwFp7M/8FOHZrM6KvCwcnmtHOzU+0y7eHYejUHTBOIrk9/SfP37IFEELaNrEJdDokQBXpT38= waja@Brotschneidemaschine.local
waja at Brotschneidemaschine in ~
$ tail -2 .ssh/config
Host *
ForwardAgent yes
waja at Brotschneidemaschine in ~
$ ssh-add -d ~/.ssh/id_rsa
Identity removed: /Users/waja/.ssh/id_rsa RSA (waja@Brotschneidemaschine.local)
```
Identities are not permanent, maybe use something like `echo 'AddKeysToAgent yes' >> ~/.ssh/config`.
```
waja in 🌐 jumphost in ~
✦ ❯ kill -9 7715
waja in 🌐 jumphost in ~
✦ ❯ ssh-add -L
Error connecting to agent: Connection refused
waja in 🌐 jumphost in ~
✦ ❯ eval "$(ssh-agent -s)"
Agent pid 7795
waja in 🌐 jumphost in ~
✦ ❯ ssh-add -L
The agent has no identities.
```
You can [start](https://unix.stackexchange.com/a/390631) `ssh-agent` even via `systemd`.
## SSH Agent forwarding is nice but...
[You should only add servers you trust and that you intend to use with agent forwarding.](https://docs.github.com/en/developers/overview/using-ssh-agent-forwarding)
[Why using SSH agent-forwarding is a Bad Idea](https://medium.com/kernel-space/why-using-ssh-agent-forwarding-is-a-bad-idea-6cbdff31bbee)
# SSH ProxyCommand / ProxyJump
```
~ via ☕ via
✦ ❯ tail -7 .ssh/config
Host 192.168.66.*
# https://www.cyberciti.biz/faq/linux-unix-ssh-proxycommand-passing-through-one-host-gateway-server/
# https://goteleport.com/blog/ssh-proxyjump-ssh-proxycommand/
# https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Proxies_and_Jump_Hosts
#ProxyJump user1@10.42.5.6:22
#ProxyCommand ssh -q -W %h:%p user1@10.42.5.6
ProxyCommand ssh -o 'ForwardAgent yes' 10.42.5.6 'ssh-add && nc %h %p'
```
ProxyJump can be chained by `ssh -J <host> -J <host>`.
# SSH Multiplexing
```
~ via ☕ via
✦ ❯ tail -8 .ssh/config
Host *
# https://www.cyberciti.biz/faq/linux-unix-reuse-openssh-connection/
# https://blog.scottlowe.org/2015/12/11/using-ssh-multiplexing/
# https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Multiplexing
ControlPath ~/.ssh/controlmasters/%r@%h:%p
ControlMaster auto
ControlPersist yes
MaxSessions 10
```
# [SSHFS](https://de.wikipedia.org/wiki/SSHFS)
```
sshfs [user@]hostname:[directory] mountpoint
```
[More](https://www.digitalocean.com/community/tutorials/how-to-use-sshfs-to-mount-remote-file-systems-over-ssh) information, [macFUSE and SSHFS](https://osxfuse.github.io/) and even [SSHFS-Win](https://osxfuse.github.io/). (mc is the amry knife)
# Port Forwarding / Tunneling
## Reverse Tunneling
[Adding / Removing Tunnels within an established connection](https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Tunnels#Adding_or_Removing_Tunnels_within_an_Established_Connection)
# sshuttle: where transparent proxy meets VPN meets ssh
https://sshuttle.readthedocs.io/en/stable/manpage.html:
> sshuttle allows you to create a VPN connection from your machine to any remote server that you can connect to via ssh, as long as that server has a sufficiently new Python installation.
>
> To work, you must have root access on the local machine, but you can have a normal account on the server.
>
> It’s valid to run sshuttle more than once simultaneously on a single client machine, connecting to a different server every time, so you can be on more than one VPN at once.
>
> If run on a router, sshuttle can forward traffic for your entire subnet to the VPN.
# SSH and Visual Studio Code
[Remote development over SSH](https://code.visualstudio.com/docs/remote/ssh-tutorial)
[Remote Development using SSH](https://code.visualstudio.com/docs/remote/ssh)
https://www.maketecheasier.com/kill-unresponsive-ssh-session/
Agent Forwarding
Adding and removing keys to the agent:
waja at Brotschneidemaschine in ~
$ eval "$(ssh-agent -s)"
Agent pid 7715
waja at Brotschneidemaschine in ~
$ ssh-add -L
The agent has no identities.
waja at Brotschneidemaschine in ~
$ ssh-add ~/.ssh/id_rsa
Identity added: /Users/waja/.ssh/id_rsa (waja@Brotschneidemaschine.local)
waja at Brotschneidemaschine in ~
$ ssh-add -L
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCfovU+pdwsO4ubyG8kldmtFwVcfNIbJX8Qvi+4rWKmkcEx7xdz27o+CrCXyu3eSbw8q/BVNZImwbs3C4dCBZ+o7ZtHmJGYzyrIOkY1AD1kdf0tbH3boEqoL46xOx8zGIUWCcuJd+bzMw/ub/5Qf+yW6a00h4szFiREyM6k2y+0gF21ewoSKPZp+XTFFXfOoGAllJ1rhQq+PScUHHu81Ft9bl18e0SWKRJd/EOiI+2/GAb/jtYo0lxyIk1GrmZDA80Tew7Mv636zWfXUaL1Tr4Y8Wxmeetr97MLcVcY9hMZmQlcmurDqeIJdWn1IAr8IRieLJZPiMjt09LZ2EAd/TmI2lbfy3c+013qmc4YoOhXDlRgoS5qeQr/zupP1/0ATzG37pGtkomO1zz9WBafFy5ewzIU1YUArV+/PNWbVdrnIEOKmHF/YM/ZCA5JwFp7M/8FOHZrM6KvCwcnmtHOzU+0y7eHYejUHTBOIrk9/SfP37IFEELaNrEJdDokQBXpT38= waja@Brotschneidemaschine.local
waja at Brotschneidemaschine in ~
$ tail -2 .ssh/config
Host *
ForwardAgent yes
waja at Brotschneidemaschine in ~
$ ssh-add -d ~/.ssh/id_rsa
Identity removed: /Users/waja/.ssh/id_rsa RSA (waja@Brotschneidemaschine.local)
Identities are not permanent, maybe use something like echo 'AddKeysToAgent yes' >> ~/.ssh/config.
waja in 🌐 jumphost in ~
✦ ❯ kill -9 7715
waja in 🌐 jumphost in ~
✦ ❯ ssh-add -L
Error connecting to agent: Connection refused
waja in 🌐 jumphost in ~
✦ ❯ eval "$(ssh-agent -s)"
Agent pid 7795
waja in 🌐 jumphost in ~
✦ ❯ ssh-add -L
The agent has no identities.
You can start ssh-agent even via systemd.
SSH Agent forwarding is nice but...
You should only add servers you trust and that you intend to use with agent forwarding. Why using SSH agent-forwarding is a Bad Idea
SSH ProxyCommand / ProxyJump
~ via ☕ via
✦ ❯ tail -7 .ssh/config
Host 192.168.66.*
# https://www.cyberciti.biz/faq/linux-unix-ssh-proxycommand-passing-through-one-host-gateway-server/
# https://goteleport.com/blog/ssh-proxyjump-ssh-proxycommand/
# https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Proxies_and_Jump_Hosts
#ProxyJump user1@10.42.5.6:22
#ProxyCommand ssh -q -W %h:%p user1@10.42.5.6
ProxyCommand ssh -o 'ForwardAgent yes' 10.42.5.6 'ssh-add && nc %h %p'
ProxyJump can be chained by ssh -J <host> -J <host>.
SSH Multiplexing
~ via ☕ via
✦ ❯ tail -8 .ssh/config
Host *
# https://www.cyberciti.biz/faq/linux-unix-reuse-openssh-connection/
# https://blog.scottlowe.org/2015/12/11/using-ssh-multiplexing/
# https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Multiplexing
ControlPath ~/.ssh/controlmasters/%r@%h:%p
ControlMaster auto
ControlPersist yes
MaxSessions 10
SSHFS
sshfs [user@]hostname:[directory] mountpoint
More information, macFUSE and SSHFS and even SSHFS-Win. (mc is the amry knife)
Port Forwarding / Tunneling
Reverse Tunneling
Adding / Removing Tunnels within an established connection
sshuttle: where transparent proxy meets VPN meets ssh
https://sshuttle.readthedocs.io/en/stable/manpage.html:
sshuttle allows you to create a VPN connection from your machine to any remote server that you can connect to via ssh, as long as that server has a sufficiently new Python installation.
To work, you must have root access on the local machine, but you can have a normal account on the server.
It’s valid to run sshuttle more than once simultaneously on a single client machine, connecting to a different server every time, so you can be on more than one VPN at once.
If run on a router, sshuttle can forward traffic for your entire subnet to the VPN.
SSH and Visual Studio Code
Remote development over SSH Remote Development using SSH
https://www.maketecheasier.com/kill-unresponsive-ssh-session/