SSH Cheat Sheet

Generating Keys

Generate new ED25519 Curve Keys:

ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_$(date +%Y-%m-%d)

Generate Keys on a YubiKey

Generate Key with other Authentication Factors:

#No PIN or touch are required
ssh-keygen -t ed25519-sk -O resident -O no-touch-required

#PIN but no touch required
ssh-keygen -t ed25519-sk -O resident -O verify-required -O no-touch-required

#No PIN but touch is required
ssh-keygen -t ed25519-sk -O resident

#A PIN and a touch are required (most secure)
ssh-keygen -t ed25519-sk -O resident -O verify-required

Adding Keys:

#Enable ssh-agent
eval "$(ssh-agent -s)"

#Temporarily add the YubiKey to the agent
ssh-add -K

#Download the resident key handles from the YubiKey into files in the current directory (move them to ~/.ssh for permanent use)
ssh-keygen -K

SSH User Config

Located at ~/.ssh/config

Host remoteserver
     HostName remoteserver.thematrix.io
     User neo
     Port 2112
     IdentityFile /home/test/.ssh/remoteserver.private_key
     #Run Command after connecting
     #RemoteCommand tmux new -A -s default

Host my-ec2-public
   Hostname ec2???.compute-1.amazonaws.com
   User ubuntu
   IdentityFile ~/.ssh/my-ec2-key.pem

#Defaults go last: ssh uses the first value it finds for each option
Host *
     Port 2222

SSH Multiplex using ControlPath

ControlPersist keeps the socket open for X mins after the shell has been closed. This allows easier reconnection.

ControlMaster makes it faster to open multiple connections to the same server by sharing a single connection.

ControlPath sets where the control socket is stored. The directory must already exist.

Host remoteserver
        HostName remoteserver.example.org
        ControlMaster auto
        ControlPath ~/.ssh/control/%r@%h:%p
        ControlPersist 10m

Proxy using SOCKS

ssh -D 8888 user@remoteserver

Enable Socks Proxy on Firefox

In Firefox select Preferences -> General | Network settings and enter 127.0.0.1 as the SOCKS host and 8888 as the port. There is also an option to proxy DNS requests using the SOCKS proxy.

Enable Socks Proxy on Chrome

With the command below, the browser will proxy its data over the SOCKS proxy and will also proxy the DNS requests.

google-chrome --proxy-server="socks5://192.168.1.10:8888"

Using Proxychains

proxychains rdesktop $RemoteWindowsServer

Reverse Proxy

The example below sets up a proxy from the remoteserver port 1999 to the localhost. The remoteserver can then use localhost:1999 as a SOCKS proxy, and that traffic is forwarded through to the ssh client computer.

ssh -v -R 0.0.0.0:1999 user@remoteserver

SSH Port Forwarding (Tunneling)

The example below uses ssh to forward the remote port 80 to the local port 9999. This means that going to 127.0.0.1:9999 will tunnel out to the remoteserver and connect to port 80. Since the connection goes through ssh, port 80 on the server does not need to be accessible to the rest of the internet.

ssh -L 9999:127.0.0.1:80 user@remoteserver

SSH Tunnel Forward to Secondary Remote host

The example below uses the remoteserver as a jumpbox to connect to another system with the IP address 10.10.10.10 in the local network of the remoteserver. It then forwards the localhost port 1999 to the internal IP of 10.10.10.10:80. Because the listener is bound to 0.0.0.0, other hosts on the client's network can reach it as well; bind to 127.0.0.1 to keep it local.

ssh -L 0.0.0.0:9999:10.10.10.10:80 user@remoteserver

SSH reverse Port Forwarding (Tunneling)

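The example below forwards the remoteserver port 1999 to the localhost port 902. This means that if an external client connects to port 1999 on the remote server they will get the localhost port 902 instead. For the 0.0.0.0 bind to take effect, GatewayPorts must be set to yes or clientspecified in the server's sshd_config; otherwise the port listens on the server's loopback only.

ssh -v -R 0.0.0.0:1999:127.0.0.1:902 user@remoteserver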

Establish a VPN over SSH

Must have sudo/root access on both the client and server.
You might also need to change the sshd_config.

PermitRootLogin yes
PermitTunnel yes

The ssh command is:

ssh -v -w any root@remoteserver

SSH Client Side:

ip addr add 10.10.10.2/32 peer 10.10.10.10 dev tun0
ip link set tun0 up

SSH Server Side:

ip addr add 10.10.10.10/32 peer 10.10.10.2 dev tun0
ip link set tun0 up

SSH Client Side:
Now it is possible to make the internal subnet accessible. This makes it a half tunnel VPN.

route add -net 10.10.10.0 netmask 255.255.255.0 dev tun0

SSH Server Side:

echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s 10.10.10.2 -o enp7s0 -j MASQUERADE

Copy SSH id file to remote host

ssh-copy-id -i ~/.ssh/id_ecc.pub user@remoteserver

Run commands

Non-interactive command

Run the command on the remote computer and then use grep locally.

ssh remoteserver "cat /var/log/nginx/access.log" | grep badstuff.php

Send piped information to remote server.

cat ~/.ssh/id_rsa.pub | ssh remoteserver 'cat >> .ssh/authorized_keys'

Remote Packet Capture in Wireshark

Capture packets on remote host and view locally in Wireshark.

ssh root@remoteserver 'tcpdump -c 1000 -nn -w - not port 22' | wireshark -k -i -

SSH Copy Folder from Local to Remote

Tar and send a directory through a pipe to the remoteserver and untar the data.

tar -cvj /datafolder | ssh remoteserver "tar -xj -C /datafolder"

Run a GUI application remotely

X11Forwarding needs to be enabled in the sshd_config

ssh -X remoteserver vmware

Edit Files with vim over SSH

vim scp://user@remoteserver//etc/hosts

Copy files remotely with rsync and SSH

rsync -az /home/testuser/data remoteserver:backup/

SSH over TOR Network

torsocks ssh myuntracableuser@remoteserver

Mount SSH to a directory

sshfs user@remoteserver:/media/data ~/data/

VLC to Stream over SSH

vlc sftp://remoteserver//media/uploads/myvideo.mkv

2FA

Setup Two factor (2FA) SSH with Google Authenticator

Bouncing through jump hosts

ssh -J host1,host2,host3 user@host4

To use this ability in the ssh_config, use the ProxyJump configuration option. If you regularly have to jump through multiple hosts, use the config file; your alias to host4 will save you a lot of time.

Securing sshd_config

Change the default SSH Port

Port 37972
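
The VPN recipe above needs PermitRootLogin yes and PermitTunnel yes, the GUI recipe needs X11Forwarding, and a 0.0.0.0 bind with -R only works with GatewayPorts enabled. The script below is an added example (not part of the original cheat sheet) that flags those settings in an sshd_config so they can be reverted once they are no longer needed; audit_sshd_config and sample_config are names made up for this example, and the sample config is constructed.

```sh
#!/bin/sh
# Added example, not from the original cheat sheet.
# Flags sshd_config settings that the VPN, X11 and reverse-forward
# recipes switch on. Assumptions: only the global section is read
# (parsing stops at the first Match block); Include is not followed.

audit_sshd_config() {   # $1: config file, or "-" to read stdin
    awk '
        BEGIN { FS = "[ \t=]+" }               # "Key value" or "Key=value"
        { sub(/^[ \t]+/, "") }                 # drop indentation
        /^#/ || /^$/ { next }                  # comments and blank lines
        { key = tolower($1); val = tolower($2) }
        key == "match" { exit }                # global section ends here
        !(key in seen) { seen[key] = val }     # sshd keeps the first value
        function warn(msg) { print "WARN " msg; return 1 }
        END {
            n = 0
            if (seen["permitrootlogin"] == "yes")
                n += warn("PermitRootLogin yes: direct root login is allowed")
            t = seen["permittunnel"]
            if (t != "" && t != "no")
                n += warn("PermitTunnel " t ": tun/tap forwarding is allowed")
            if (seen["x11forwarding"] == "yes")
                n += warn("X11Forwarding yes: X11 sessions are forwarded")
            g = seen["gatewayports"]
            if (g != "" && g != "no")
                n += warn("GatewayPorts " g ": -R can bind non-loopback")
            exit (n > 0)                       # status 1 if anything flagged
        }
    ' "$1"
}

sample_config() {       # constructed input, not taken from a real host
    cat <<'EOF'
# left over after the VPN and X11 recipes
Port 37972
PermitRootLogin yes
  PermitTunnel=yes
X11Forwarding yes
PermitRootLogin no
Match User backup
    GatewayPorts yes
EOF
}

sample_config | audit_sshd_config - || echo "review the settings flagged above"
```

On a live host, sshd -T (run as root) prints the effective configuration with Include files resolved, and its output can be piped into audit_sshd_config -.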

Modify Port Forwarding within a session with ~C

Within an SSH session, using ~C[ENTER] will show the forwarding options.

localhost:~$ ~C
ssh> -h
Commands:
      -L[bind_address:]port:host:hostport    Request local forward
      -R[bind_address:]port:host:hostport    Request remote forward
      -D[bind_address:]port                  Request dynamic forward
      -KL[bind_address:]port                 Cancel local forward
      -KR[bind_address:]port                 Cancel remote forward
      -KD[bind_address:]port                 Cancel dynamic forward
ssh> -D 9999 
Forwarding port.

Note

zsh doesn't work with this. You need to use bash.

Close Hung SSH connection

"Enter" then ~ then . will kill a hung SSH connection, instead of having to close the terminal tab