Show all key types supported on the system
ssh -Q key
Generate a strong ed25519 key file
ssh-keygen -t ed25519 \
-f ~/.ssh/keyname.ed25519 \
-a 420 \
-C "key von backlogmann"
-t - key type (ed25519 needs OpenSSH 6.5 or newer, so it works from Debian 8 and Ubuntu 14.04 on; protocol 2 only)
-f - file name (keyname.type is a sensible convention)
-a - number of KDF (key derivation function) rounds used to derive the encryption key for the private key file from the passphrase; the default is 16, and the value only matters if the key is protected with a passphrase. Higher values make passphrase verification slower and correspondingly increase resistance to brute-force attacks on the passphrase
-C - comment stored at the end of the public key in the .pub file (identification only, it has no effect on authentication)
Use a specific key file (temporarily, without a config entry or adding it to the agent/keychain)
ssh -i keyname.ed25519 user@zielhost
Harden authorized_keys on the target host: allow logins with this key only from specific IP addresses (from= also accepts CIDR ranges and wildcard patterns, see sshd(8))
#Note: options are separated by commas with no spaces; a single space separates the option list from the key type (ssh-...)
from="IPv4,IPv6" ssh-(..) key von backlogmann
Harden authorized_keys on the target host, stricter: additionally switch off the pseudo-terminal (pty) and agent, X11 and port forwarding (on OpenSSH 7.2 and newer the single option restrict does all of this at once and also covers options added later)
from="IPv4,IPv6",no-pty,no-agent-forwarding,no-X11-forwarding,no-port-forwarding ssh-(..) key von backlogmann
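Added example (not from the original post or the linked talk): a POSIX shell helper that emits such a hardened authorized_keys line from a .pub line and a source list, plus an audit that scans an existing authorized_keys for entries that still lack from= or the forwarding/pty restrictions. The key in SAMPLE_PUB is a constructed placeholder, the function names are my own, and the helper uses the restrict option (OpenSSH 7.2 and newer) as the one-keyword equivalent of the explicit no-* list above; the audit accepts either form.

```shell
#!/bin/sh
# Added example (not from the original post): build a hardened authorized_keys
# entry and audit an existing file for entries that lack such restrictions.
# The key material below is a constructed placeholder, not a real key.
SAMPLE_PUB='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEonlyNOTaREALkeyEXAMPLEonlyNOTaREALkey key von backlogmann'

# harden_line FROM_LIST PUBKEY_LINE [strict|loose]
# Prints: from="FROM_LIST"[,restrict] <type> <base64> [comment]
# Options are comma-separated without spaces; one space separates them from
# the key type. "restrict" (OpenSSH 7.2+) disables pty, agent, X11 and port
# forwarding in one keyword, equivalent to the explicit no-* list on the page.
harden_line() {
    from_list=$1
    pub=$2
    mode=${3:-strict}
    case "$from_list" in
        *' '*|*'"'*|'')
            echo "harden_line: source list must be non-empty and contain no spaces or quotes" >&2
            return 1 ;;
    esac
    set -f                      # no globbing while splitting the key line
    set -- $pub
    set +f
    [ $# -ge 2 ] || { echo "harden_line: key line needs type and base64 data" >&2; return 1; }
    ktype=$1; kdata=$2; shift 2; comment=$*
    case "$ktype" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-*|sk-*) ;;
        *) echo "harden_line: unsupported key type '$ktype'" >&2; return 1 ;;
    esac
    opts="from=\"$from_list\""
    [ "$mode" = strict ] && opts="$opts,restrict"
    if [ -n "$comment" ]; then
        printf '%s %s %s %s\n' "$opts" "$ktype" "$kdata" "$comment"
    else
        printf '%s %s %s\n' "$opts" "$ktype" "$kdata"
    fi
}

# audit_authorized_keys FILE
# Reports every key entry that has no from="..." restriction or does not
# disable forwarding/pty (either via "restrict" or the full no-* set).
# Exit status is the number of such entries, so 0 means "all hardened".
audit_authorized_keys() {
    awk '
        /^[ \t]*(#|$)/ { next }             # skip comments and blank lines
        {
            # Split off the option list (everything before " <keytype> ").
            if ($0 ~ /^(ssh-|ecdsa-|sk-)/) {
                opts = ""
            } else if (match($0, / (ssh-|ecdsa-|sk-)[^ ]+( |$)/)) {
                opts = substr($0, 1, RSTART - 1)
            } else {
                printf "line %d: not a recognisable key entry\n", NR
                n++; next
            }
            has_from = (opts ~ /(^|,)from="[^"]+"/)
            no_fwd = (opts ~ /(^|,)restrict(,|$)/) ||
                     (opts ~ /no-pty/ && opts ~ /no-agent-forwarding/ &&
                      opts ~ /no-X11-forwarding/ && opts ~ /no-port-forwarding/)
            if (!has_from || !no_fwd) {
                msg = ""
                if (!has_from) msg = msg "no from= restriction; "
                if (!no_fwd)   msg = msg "forwarding/pty not disabled"
                printf "line %d: %s\n", NR, msg
                n++
            }
        }
        END { printf "unrestricted entries: %d\n", n + 0; exit n + 0 }
    ' "$1"
}

# Demo on a constructed authorized_keys: one bare entry, one with from= only,
# one fully hardened. The first two are reported; exit status of the audit is 2.
demo() {
    tmp=$(mktemp) || return 1
    {
        echo '# constructed sample authorized_keys'
        echo "$SAMPLE_PUB"                                          # no options at all
        harden_line '192.0.2.10,2001:db8::10' "$SAMPLE_PUB" loose   # from= only
        harden_line '192.0.2.10,2001:db8::10' "$SAMPLE_PUB"         # from= and restrict
    } > "$tmp"
    audit_authorized_keys "$tmp"
    rm -f "$tmp"
}
demo
```

On a real host run it as audit_authorized_keys ~/.ssh/authorized_keys; a non-zero exit status is what you would wire into a periodic check.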
Force the connection over a specific address family and local source address (e.g. IPv4 with -4 and -b instead of IPv6); -b binds the client to that local address, it is not the target
ssh -4 -b 192.168.179.x user@zielhost
Search the journal for ssh connections (on the target host; -f follows new entries live, leave it out to read the history; the unit is named ssh on Debian/Ubuntu and sshd on e.g. RHEL/Fedora/Arch)
journalctl -u ssh -f
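Added example (not from the original post): once the journal is on hand, a short awk-based summary of sshd authentication events is more useful than scrolling through it. The script below reads journalctl output on stdin, lists accepted public-key logins with the key fingerprint (flagging fingerprints outside a known list, which you get from ssh-keygen -lf keyname.ed25519.pub), counts failed attempts per source IP, and separately counts connections that sshd rejected because a correct key was used from a host not allowed by from=. The log lines in SAMPLE_LOG, the host names and the fingerprints are constructed for this example; the function name and the output format are my own.

```shell
#!/bin/sh
# Added example (not from the original post): summarise sshd authentication
# events from journal output. On the target host feed it
#   journalctl -u ssh --no-pager | ssh_auth_report "SHA256:..."
# The lines below are a constructed sample, not real traffic.
SAMPLE_LOG='Jun 12 10:01:02 zielhost sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2: ED25519 SHA256:ExampleFingerprintAlice000000000000000000000
Jun 12 10:02:03 zielhost sshd[1240]: Invalid user admin from 198.51.100.7 port 40001
Jun 12 10:02:05 zielhost sshd[1240]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Jun 12 10:02:09 zielhost sshd[1241]: Failed password for invalid user admin from 198.51.100.7 port 40003 ssh2
Jun 12 10:03:11 zielhost sshd[1250]: Authentication tried for alice with correct key but not from a permitted host (host=203.0.113.5, ip=203.0.113.5).
Jun 12 10:03:12 zielhost sshd[1250]: Connection closed by authenticating user alice 203.0.113.5 port 2222 [preauth]
Jun 12 10:04:00 zielhost sshd[1260]: Accepted publickey for backup from 192.0.2.20 port 51300 ssh2: ED25519 SHA256:ExampleFingerprintBackup00000000000000000000'

# ssh_auth_report [KNOWN_FINGERPRINTS]
# Reads log lines on stdin. KNOWN_FINGERPRINTS is a space-separated list of
# SHA256 fingerprints you expect to see; accepted logins with any other key
# are printed with known=no so they stand out.
ssh_auth_report() {
    awk -v known="${1:-}" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) isknown[k[i]] = 1 }
        # "Accepted publickey for USER from IP port N ssh2: TYPE FINGERPRINT"
        /sshd\[[0-9]+\]: Accepted publickey for / {
            for (i = 1; i <= NF; i++) { if ($i == "for") user = $(i+1); if ($i == "from") ip = $(i+1) }
            printf "ACCEPTED user=%s ip=%s fp=%s known=%s\n", user, ip, $NF, (($NF in isknown) ? "yes" : "no")
            next
        }
        # password or key rejected: count per source address
        /sshd\[[0-9]+\]: Failed (password|publickey) for / {
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i+1)
            failed[ip]++; next
        }
        # the from="..." restriction in authorized_keys rejected a correct key
        # presented from a source that is not on its list
        /correct key but not from a permitted host/ {
            if (match($0, /ip=[^)]+/)) { ip = substr($0, RSTART + 3, RLENGTH - 3); blocked[ip]++ }
            next
        }
        # client gave up before authenticating (typical for scanners and for
        # the connection that followed a from= rejection)
        /Connection closed by authenticating user / {
            for (i = 1; i <= NF; i++) if ($i == "user") ip = $(i+2)
            failed[ip]++
        }
        END {
            for (ip in failed)  printf "FAILED ip=%s count=%d\n", ip, failed[ip]
            for (ip in blocked) printf "BLOCKED_BY_FROM ip=%s count=%d\n", ip, blocked[ip]
        }
    '
}

# Run on the constructed sample with only the alice key marked as known.
printf '%s\n' "$SAMPLE_LOG" | ssh_auth_report "SHA256:ExampleFingerprintAlice000000000000000000000"
```

A BLOCKED_BY_FROM line is the one worth a second look: the source presented a private key that is valid for that account, so the key has been copied or the owner is connecting from an unexpected network.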
Use a jump host and forward the connection to the auth agent (temporary key file "sharing"). Caution: while the session is open, anyone with root on the jump host can use the forwarded agent to authenticate with your keys, so only do this on hosts you trust; to merely hop through a host, the -J option (ProxyJump, OpenSSH 7.3 and newer) reaches the target without exposing the agent at all
#Enables forwarding of connections from an authentication agent such as ssh-agent
ssh -A user@jumphost
Search the ssh man page for a parameter (example: -A)
#case-insensitive (-i), so this also matches -a
man ssh | grep -in "\-A"
27: -A Enables forwarding of connections from an authentication agent such as ssh-agent(1). This can also be specified on a per-host basis in a configuration file.
33: -a Disables forwarding of the authentication agent connection.
86: ssh-agent(1) when the private key file is not present locally. The default is ~/.ssh/id_rsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ecdsa_sk, ~/.ssh/id_ed25519, ~/.ssh/id_ed25519_sk and ~/.ssh/id_dsa.
116: -M Places the ssh client into “master” mode for connection sharing. Multiple -M options places ssh into “master” mode but with confirmation required using ssh-askpass(1) before each operation that
237: Queries for the algorithms supported by one of the following features: cipher (supported symmetric ciphers), cipher-auth (supported symmetric ciphers that support authenticated encryption), help
347: The most convenient way to use public key or certificate authentication may be with an authentication agent. See ssh-agent(1) and (optionally) the AddKeysToAgent directive in ssh_config(5) for more in‐
432: If the ForwardAgent variable is set to “yes” (or see the description of the -A and -a options above) and the user is using an authentication agent, the connection to the agent is automatically forwarded
618: scp(1), sftp(1), ssh-add(1), ssh-agent(1), ssh-argv0(1), ssh-keygen(1), ssh-keyscan(1), tun(4), ssh_config(5), ssh-keysign(8), sshd(8)
650: OpenSSH is a derivative of the original and free ssh 1.2.12 release by Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo de Raadt and Dug Song removed many bugs, re-added newer
#case-sensitive (upper and lower case are distinguished)
man ssh | grep -n "\-A"
27: -A Enables forwarding of connections from an authentication agent such as ssh-agent(1). This can also be specified on a per-host basis in a configuration file.
432: If the ForwardAgent variable is set to “yes” (or see the description of the -A and -a options above) and the user is using an authentication agent, the connection to the agent is automatically forwarded
Sources:
https://media.ccc.de/v/gpn20-8-besser-leben-mit-ssh (Besser leben mit SSH - GPN20)
https://martin.leyrer.priv.at/downloads/talks/2022/2022-05%20-%20gpn20%20-%20Besser%20leben%20mit%20SSH.pdf
man ssh
man ssh-keygen