SSH
1. Description
General notes about OpenSSH
2. Configuration
2.1. Client configuration
Example of a client configuration
Host custom_name
    User user
    Hostname 192.168.1.7
    IdentityFile /path/to/private_key
2.1.1. Environment variables and SendEnv
On Debian the system-wide client configuration in /etc/ssh/ssh_config uses SendEnv by default; see ssh_config(5).
ssh(1) obtains configuration data from the following sources in the following order:
- command-line options
- user’s configuration file (~/.ssh/config)
- system-wide configuration file (/etc/ssh/ssh_config)
Using SendEnv with -prefixed variables in the user configuration is not enough to stop the locale variables being sent: the system-wide file is read after the user file, and its own SendEnv adds LANG and LC_* back after the user file has removed them.
Host custom_name
    # ..
    SendEnv -LANG -LC_*
Adding the following to the remote user's Bash configuration seems to fix the locale errors:
    export LC_MONETARY=
    export LC_PAPER=
    export LC_MEASUREMENT=
    export LC_TIME=
    export LC_NUMERIC=
2.1.2. List key length and type, e.g. sha256 and ed25519
ssh-add -l
2.2. Server configuration
See the sshd template in the ansible-dotfiles repository and sshd_config(5).
/etc/ssh/sshd_config.d/*.conf files are included at the start of the configuration file, and sshd uses the first value it obtains for each option, so options set there override those in /etc/ssh/sshd_config.
Output the effective configuration to stdout
sshd -T
2.3. Generate a new SSH key pair
ssh-keygen -t ed25519 -f ~/.ssh/<REMOTE_HOSTNAME>_id_ed25519 -C "alan@$(hostname) to alan@<REMOTE_HOSTNAME>"
2.4. Copy the public key to the remote
ssh-copy-id -p <REMOTE_PORT> -i ~/.ssh/<REMOTE_HOSTNAME>_id_ed25519.pub user@remote_ip
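The key-generation step in 2.3 together with the length/type check of 2.1.2, as an added shell example that is not part of these notes. It creates a throw-away ed25519 key in a temporary directory, reads back the bit length and key type the way ssh-add -l and ssh-keygen -l report them, and checks the private key's permissions. It assumes ssh-keygen from openssh-client is on PATH; "REMOTE_HOSTNAME" and "example" are placeholders standing in for the <REMOTE_HOSTNAME> and user name above.

```shell
# Added example (not from the original notes). Assumes ssh-keygen is installed;
# REMOTE_HOSTNAME and the "example" user are placeholders.

# Create a key pair in a private temporary directory and print the path of the
# private key. -N '' sets an empty passphrase, which is acceptable only for a
# throw-away key; keys you actually deploy should get a passphrase.
make_scratch_key() {
    dir=$(mktemp -d) || return 1
    ssh-keygen -q -t ed25519 -N '' \
        -f "$dir/REMOTE_HOSTNAME_id_ed25519" \
        -C "example@$(uname -n) to example@REMOTE_HOSTNAME" || return 1
    printf '%s\n' "$dir/REMOTE_HOSTNAME_id_ed25519"
}

# Print "<bits> (<TYPE>)" for a key file, e.g. "256 (ED25519)".
# ssh-keygen -l prints: <bits> <SHA256 fingerprint> <comment> (<type>)
key_bits_and_type() {
    ssh-keygen -l -f "$1" | awk '{ print $1, $NF }'
}

# Succeed only when the private key is mode 0600; ssh refuses to use a private
# key that is readable by group or others.
private_key_mode_ok() {
    [ -n "$(find "$1" -perm 0600 -print)" ]
}

# Stand-alone demonstration: generate a key, show its length and type, and
# print the public half, which is what ssh-copy-id appends to the remote
# ~/.ssh/authorized_keys. The scratch directory is removed afterwards.
key=$(make_scratch_key) && {
    key_bits_and_type "$key.pub"
    cat "$key.pub"
    rm -rf "$(dirname "$key")"
}
```

ssh-keygen -l accepts either half of the pair; the public file is used here so the check works even for passphrase-protected private keys.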
3. SSH tunneling
Configuration for SSH tunneling
Host tunnel
    User <username>
    Hostname <ip_address>
    Port 12345
    IdentitiesOnly yes
    IdentityFile /path/to/private_key
    DynamicForward 6789
    SessionType none
    ExitOnForwardFailure yes
    LogLevel QUIET
The SessionType keyword is available on Debian 12 and later; on earlier releases use the -N flag instead:
    ssh -N tunnel
3.1. SOCKS5 Proxy
3.1.1. Connecting to an HTTP server only accessible on a remote localhost
Set up the SSH tunnel above (DynamicForward makes ssh listen as a SOCKS proxy on local port 6789) and configure Firefox to use a SOCKS5 proxy at 127.0.0.1:6789 with "Proxy DNS when using SOCKS v5" enabled, so that a URL such as http://localhost:<HTTP_PORT>/ is resolved and connected to on the remote host rather than on the local machine.
4. Server logs
A client at <IP ADDRESS> with source port 34866 (the client's port, not the server's listening port) tried to log in as root. "invalid user" means sshd did not accept that username (the account does not exist or is not permitted to log in), and [preauth] means the connection was closed before authentication completed.
sshd-session[265954]: Connection closed by invalid user root <IP ADDRESS> port 34866 [preauth]
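A small log summary over lines of this shape, as an added shell example that is not part of these notes. It groups pre-authentication disconnects by source address (the port is the client's ephemeral port and changes on every attempt, so it is ignored) and separately lists the addresses that tried usernames sshd does not accept, the usual input for a firewall or fail2ban rule. The sample lines are constructed, using documentation address ranges; the pipeline assumes auth.log or journalctl output on stdin.

```shell
# Added example (not from the original notes): summarise pre-authentication
# disconnects from sshd logs. Input is auth.log / journalctl text on stdin.

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE_LOG='Mar 10 01:02:03 host sshd-session[265954]: Connection closed by invalid user root 203.0.113.5 port 34866 [preauth]
Mar 10 01:02:09 host sshd-session[265960]: Connection closed by invalid user admin 203.0.113.5 port 34901 [preauth]
Mar 10 01:02:15 host sshd-session[265971]: Connection closed by authenticating user alan 198.51.100.7 port 50210 [preauth]
Mar 10 01:03:00 host sshd-session[265980]: Invalid user oracle from 203.0.113.5 port 35002
Mar 10 01:04:00 host sshd-session[265990]: Accepted publickey for alan from 192.0.2.10 port 51000 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT
Mar 10 01:05:00 host sshd-session[266001]: Connection closed by invalid user root 203.0.113.9 port 40000 [preauth]'

# Print "<ip> <count>" for every source address that disconnected before
# authentication completed, most frequent first. "invalid user" means sshd
# rejected the username itself; "authenticating user" means the account exists
# but no credential was accepted before the client went away.
preauth_closes_by_ip() {
    LC_ALL=C awk '
        /sshd[^:]*: Connection closed by (invalid|authenticating) user [^ ]+ [^ ]+ port [0-9]+ \[preauth\]/ {
            # the address is the field immediately before the literal "port"
            for (i = 1; i <= NF; i++) if ($i == "port") count[$(i - 1)]++
        }
        END { for (ip in count) print ip, count[ip] }
    ' | LC_ALL=C sort -k2,2nr -k1,1
}

# List the source addresses that tried usernames sshd does not accept, from
# both the "Invalid user X from IP port N" line and the "Connection closed by
# invalid user" line (one attempt can produce both, hence sort -u).
invalid_user_sources() {
    LC_ALL=C awk '
        /sshd[^:]*: Invalid user [^ ]+ from [^ ]+ port [0-9]+/ {
            for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1)
        }
        /sshd[^:]*: Connection closed by invalid user / {
            for (i = 1; i <= NF; i++) if ($i == "port") print $(i - 1)
        }
    ' | LC_ALL=C sort -u
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | preauth_closes_by_ip
printf '%s\n' "$SAMPLE_LOG" | invalid_user_sources
```

On a real host the same functions take journalctl -u ssh or /var/log/auth.log on stdin; the successful "Accepted publickey" line in the sample shows that ordinary logins are left out of both counts.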