From 3b226d19bb19a87eb565f3e1d16e14f446b56e76 Mon Sep 17 00:00:00 2001 From: johannst Date: Tue, 27 Aug 2024 22:25:00 +0000 Subject: deploy: 9b47b98b7c5efce0bf50d57aa5d7e374bcbabf23 --- network/ssh.html | 329 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 329 insertions(+) create mode 100644 network/ssh.html (limited to 'network/ssh.html') diff --git a/network/ssh.html b/network/ssh.html new file mode 100644 index 0000000..a3c0e69 --- /dev/null +++ b/network/ssh.html @@ -0,0 +1,329 @@ + + + + + + ssh - Notes + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+ + + + + + + + + + + + + + + + + + + +
+ +
+ + + + + + + + +
+
+

ssh (1)

+

ssh tunnel

+

Abbreviations used:

+
    +
  • LPORT: local port
  • +
  • LADDR: local address
  • +
  • RPORT: remote port
  • +
  • RADDR: remote address
  • +
+

The -L flag sets up a ssh tunnel to forward port LPORT on the local host to +RADDR:RPORT via the machine gateway (ssh tunnel endpoint).

+
# Forward local port to remote port on gateway.
+ssh -L LPORT:RPORT gateway
+
+# Forward local port to remote port on remote address via gateway.
+ssh -L LPORT:RADDR:RPORT gateway
+
+

In this scenario, requests are issued on the local machine and target some +remote resource, effectively making a remote resource accessible on the local +machine, which may be hidden behind the tunnel endpoint (gateway).

+

The -R flag sets up a ssh tunnel to expose the local port LPORT as RPORT +on the remote machine gateway.

+
# Expose local port via remote port on gateway.
+ssh -R RPORT:LPORT gateway
+
+# Expose local port of machine with local address via remote port on gateway.
+ssh -R RPORT:LADDR:LPORT gateway
+
+

In this scenario, requests are issued on the gateway and target some resource +in the local network, effectively exposing the local resource on the remote +machine (gateway).

+

The trick to memorize the syntax is to read the forwarding rules left +(source) to right (destination) while -L means that requests are issued +locally and -R means that requests are issued remotely.

+

The following flags are useful for setting up ssh tunnels:

+
    +
  • -N just stop before running the command on the remote side (w/o cmd dont +drop into shell)
  • +
  • -f run ssh command in the background
  • +
+

Example

+
# Forward requests on localhost:8080 to moose:1234 and keep ssh in forground
+# but dont drop into a shell.
+ssh -N -L 8080:1234 moose
+
+# Forward requests on moose:80 to localhost:8080 and keep ssh in forground but
+# dont drop into a shell.
+ssh -N -R 80:8080 moose
+
+

ssh keys

+

Utility script to generate ssh key pairs.

+
NAME=${1:?Pass new keyname as first arg}
+
+TYPE=ed25519
+FILE=${HOME}/.ssh/${NAME}-${TYPE}
+
+if [[ -f ${FILE} || -f ${FILE}.pub ]]; then
+    echo "Key with name '${NAME}' already exists, remove following files explicitly:"
+    echo "  ${FILE} ${FILE}.pub"
+    exit 1;
+fi
+
+set -x
+ssh-keygen -C "${NAME}.${USER}@${HOSTNAME}" -f ${FILE} -t ${TYPE} -a 100
+
+
+

In case one needs to generate many keys at one, one can provide a passphrase +by -N "toor" or an empty one as -N "".

+
+

ssh config - ~/.ssh/config

+

Frequently used configs for single match.

+
# When ssh-ing into FOO or BAR do it as user git with given key.
+host foo bar
+    user git
+    identityfile ~/.ssh/some-key
+
+# When ssh-ing into moose actually log into host with ip addr 1.2.3.4.
+# Can be used as alias for machines w/o DNS entries.
+host moose
+    user root
+    port 8022
+    hostname 1.2.3.4
+    identityfile ~/.ssh/some-key
+
+

Pattern matching and evaluation order.

+
# For parameters, the first valued obtained will be used.
+# Therefore, more host-specific blocks should come first.
+
+host tree7
+    user banana
+
+hoste tree*
+    user cherry
+    # can reference matched hostname with %h
+    hostname %h.some-dns-path
+
+# ssh tree7 -> banana@tree7.some-dns-path
+# ssh tree5 -> cherry@tree5.some-dns-path
+
+ +
+ + +
+
+ + + +
+ + + + + + + + + + + + + + + + + + +
+ + -- cgit v1.2.3
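Review bot: the "Pattern matching and evaluation order" config example uses the keyword `hoste tree*`, which is not an ssh_config keyword (it should be `host tree*`); as written ssh will reject the file with a bad-configuration-option error, so the `ssh tree5 -> cherry@tree5.some-dns-path` comment will not hold. The tunnel forms `ssh -L LPORT:RPORT gateway` and `ssh -R RPORT:LPORT gateway` (and the `-N -L 8080:1234 moose` / `-N -R 80:8080 moose` examples built on them) omit the host field that OpenSSH expects in `port:host:hostport`; a two-element `port:remote_socket` argument is parsed as a Unix-domain socket path, so these should read `ssh -L LPORT:localhost:RPORT gateway` and `ssh -R RPORT:localhost:LPORT gateway`, with the prose note that `localhost` is resolved on the tunnel endpoint for `-L` and on the local machine for `-R`. Minor: `forground`, `dont` and "generate many keys at one" are typos (`foreground`, `don't`, `at once`), and in the key script `-f ${FILE}` should be quoted as `-f "${FILE}"` since `${HOME}` may contain spaces.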