| theme | _class | size | paginate | footer | marp | backgroundColor | backgroundImage |
|---|---|---|---|---|---|---|---|
| uncover | lead | 16:9 | true | SSH advanced uses - Felix | true | | url('https://marp.app/assets/hero-background.svg') |
SSH advanced uses
Cool things you can do with ssh beyond the basics (secure shell, though nobody calls it that)
TOC
- Port forwarding
- ProxyJump
- Certificates
- X11 forwarding
- outdated hosts
- Control channel reuse
- ssh_config best practices & tricks
Port forwarding
ProxyJump
The problem: remote-server can only be accessed from jumphost, so you need to connect to jumphost first and then connect to remote-server.
OpenSSH from ca. 2016 on lets you do this in a single command:
ssh -J user@jumphost root@remote-server
Certificates
Awesome!
create CA
ssh-keygen -f my_ssh_cert_authority
sign a pubkey
ssh-keygen -V +1h -s my_ssh_cert_authority -I felix_via_cert my_test_user.pub
This creates my_test_user-cert.pub; send it back to the user requesting access.
inspect a signed cert
ssh-keygen -L -f my_test_user-cert.pub
my_test_user-cert.pub:
        Type: ssh-ed25519-cert-v01@openssh.com user certificate
        Public key: ED25519-CERT SHA256:VJyz194XhAw4HcMZ5uboj/35ZJyC9yNLP0lLtjiKCX8
        Signing CA: RSA SHA256:5Fs780JRzis+3lEreIZGoo+Ao7hKX8ksUU58cI58AyQ (using rsa-sha2-512)
        Key ID: "felix_via_cert"
        Serial: 0
        Valid: from 2024-07-14T13:46:00 to 2024-07-14T14:47:34
        Principals: (none)
        Critical Options: (none)
        Extensions:
                permit-X11-forwarding
                permit-agent-forwarding
                permit-port-forwarding
                permit-pty
                permit-user-rc
use your shiny new cert
On OpenSSH-based systems, place the $IDENTITY-cert.pub file next to the $IDENTITY file. Make sure it has the correct permissions (0600); it will then be used automatically whenever you tell ssh to use $IDENTITY.
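The `ssh-keygen -L` listing is where you confirm what a signature actually granted before the certificate goes back to the user. The following is an added example, not part of the original slides: it parses that listing and reports anything outside a policy. The 8-hour lifetime cap and the `permit-pty`-only extension allowlist are assumptions chosen for illustration.

```python
import re
from datetime import datetime, timedelta
# Abridged from the `ssh-keygen -L` listing on this page.
SAMPLE = """\
my_test_user-cert.pub:
        Key ID: "felix_via_cert"
        Valid: from 2024-07-14T13:46:00 to 2024-07-14T14:47:34
        Principals: (none)
        Critical Options: (none)
        Extensions:
                permit-X11-forwarding
                permit-agent-forwarding
                permit-port-forwarding
                permit-pty
                permit-user-rc
"""
FIELD = re.compile(r"([A-Z][A-Za-z0-9 ]*):\s*(.*)")  # e.g. 'Key ID: "..."'

def parse_listing(text):
    """Turn `ssh-keygen -L` output into {field: string, or list of indented items}."""
    cert, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = FIELD.fullmatch(line)
        if m:  # a field line; an empty or "(none)" value starts a (possibly empty) list
            current, value = m.groups()
            cert[current] = [] if value in ("", "(none)") else value
        elif line and isinstance(cert.get(current), list):
            cert[current].append(line)  # indented item under the current field
    return cert

def audit(cert, max_lifetime=timedelta(hours=8), allowed_ext=frozenset({"permit-pty"})):
    """Return a list of findings; the default policy values are assumptions."""
    findings = []
    if not cert.get("Principals"):
        findings.append("no principals: certificate is not limited to any login name")
    window = re.fullmatch(r"from (\S+) to (\S+)", str(cert.get("Valid", "")))
    if not window:
        findings.append(f"validity is open-ended: {cert.get('Valid')}")
    else:
        start, end = (datetime.fromisoformat(t) for t in window.groups())
        if end - start > max_lifetime:
            findings.append(f"lifetime {end - start} exceeds {max_lifetime}")
    extra = sorted(set(cert.get("Extensions", [])) - allowed_ext)
    if extra:
        findings.append("extensions beyond policy: " + ", ".join(extra))
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse_listing(SAMPLE))))
```

On the certificate shown above this reports the missing principals and the four extra extensions. Signing with `-n <login>` and `-O clear -O permit-pty` produces a certificate that passes the same checks.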
X11
- check out x2go
modern client, old hosts
Increasingly often, I get old (older than 2016 or so) kit that does not let me connect