Momolem's Knowledge

Momolem's Knowledge

Search

SearchSearch

SSH

Jul 15, 2024

SSH

Autostart SSH-Agent with Zsh

Add Plugin in ~/.zshrc:

plugins(git ssh-agent)

And then reload the zsh session from the config file

source ~/.zshrc

Config-Hierarchie

  1. CMD-Line Options
  2. User-Config (~/.ssh/config)
  3. Systemwide-Config (/etc/ssh/ssh_config)

Warning

For each parameter, the first obtained value will be used So more specific config entries should be at the top of the configs Defaults at the end

Hostname Alias

Simple

Host demo
 HostName ssh-server.example.com

Multiple

Host demo d1 popocatepetl
 HostName ssh-server.example.com

Dynamic Hostname

Host smtp imap www
 HostName %h.example.com

SSH Public Key authentication

Generate Key

ssh-keygen -t ed25519 \
 -a 420 \
 -f ~/.ssh/demo.ed25519 \
 -C "Sinnvoller Kommentar!"

WICHTIG

IMMER eine Passphrase definieren!

Result

~/.ssh/demo.ed25519
~/.ssh/demo.ed25519.pub

Warning

Nur die .pub Datei darf öffentlich gemacht werden

Best Practice

Create one for each server, customer or service you connect to.

Get Key to Server

  • Automatic

    ssh-copy-id \
 -i ~/.ssh/demo.ed25519.pub \
 demo

  • Manual

    • copy content of local ~/.ssh/demo.ed25519.pub
    • paste it into ~/.ssh/authorized_keys on servers

Enable Key Auth in Config

Host demo bastion
 PreferredAuthentications publickey
 IdentityFile ~/.ssh/demo.ed25519

Full Config Example

Host demo bastion
	HostName ssh.example.com
	User demoUser
	PreferredAuthentications publickey
	IdentityFile ~/.ssh/demo.ed25519

Enable ssh-agent

Why? Saves key Passphrase

  • ssh-add
    • “-c” ask for permission before use
    • “-d” removes key from ssh-agent
ssh-add ~/.ssh/demo.ed25519

Sane Defaults

Host *
 IdentitiesOnly yes
 UseRoaming no
 SendEnv LANG LC_*
 Compression yes

~/.ssh/conf.d

Multiple files i.E for multiple Customers

Bastion/Jump Hosts

bd2f3210eee44a8b121a6ec9a35a1bfa_MD5 1.png

Manual

$ ssh bastion
Welcome to demo.example.com
 
leyrer@demo:~$ ssh target.local
Welcome to target.local

Explicit

ssh -J bastion target.local

Elegant

Host demo bastion
	HostName ssh.example.com
	User leyrer
	PreferredAuthentications publickey
	IdentityFile ~/.ssh/demo.ed25519
 
Host internal
	HostName target.local
	ProxyJump bastion
	User leyrer
	PreferredAuthentications publickey
	IdentityFile ~/.ssh/demo.ed25519

Fallback

ssh \
 -o ProxyCommand="ssh -W %h:%p bastion" \
 target.local
.ssh/config:
	Host internal
	ProxyCommand ssh -W %h:%p bastion

Warning

Do not use Agent Forwarding (ssh -A)

Graph View

Backlinks

  • No backlinks found