SSH

    List algorithms

    • Ciphers: ssh -Q cipher
    • MACs: ssh -Q mac
    • KexAlgorithms: ssh -Q kex
    • PubkeyAcceptedKeyTypes (renamed PubkeyAcceptedAlgorithms in OpenSSH 8.5): ssh -Q key
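    What to do with these lists, as an added example that is not part of the original page: a small POSIX shell filter that flags the algorithms usually considered weak (CBC modes, arcfour, MD5- and SHA-1-based MACs and key exchanges, umac-64, ssh-rsa/ssh-dss signatures) and turns the remainder into a Ciphers/MACs/KexAlgorithms/PubkeyAcceptedAlgorithms line for sshd_config. The function names and the weak-pattern list are this example's own choices. Keep in mind that ssh -Q shows what the local client supports, not what a given server offers; to audit a server use ssh -vv against it or nmap's ssh2-enum-algos script.

```sh
#!/bin/sh
# Added example: filter the output of `ssh -Q <cipher|mac|kex|key>` into
# hardening lines for sshd_config. Names (weak_algos, strong_algos,
# hardening_line) and the pattern list are assumptions of this example.

# Patterns for algorithms commonly flagged as weak:
#   cbc       CBC-mode ciphers (padding-oracle style attacks)
#   arcfour   RC4
#   md5/sha1  MACs and key exchanges built on MD5 or SHA-1
#   umac-64   64-bit MAC tag
#   ^ssh-rsa / ^ssh-dss  SHA-1 signatures (rsa-sha2-* is fine) and DSA
WEAK_SUBSTR='cbc|arcfour|md5|sha1|umac-64'
WEAK_PREFIX='^ssh-(rsa|dss)'

# Print the lines from stdin that match a weak pattern.
weak_algos() {
    grep -E -e "$WEAK_SUBSTR" -e "$WEAK_PREFIX"
}

# Print the lines from stdin that match no weak pattern.
strong_algos() {
    grep -E -v -e "$WEAK_SUBSTR" -e "$WEAK_PREFIX"
}

# hardening_line NAME: read an algorithm list on stdin and print
# "NAME a,b,c" containing only the strong entries, in their original order.
hardening_line() {
    printf '%s %s\n' "$1" "$(strong_algos | paste -s -d , -)"
}

# Stand-alone usage: ./ssh-algos.sh cipher Ciphers
#                    ./ssh-algos.sh mac MACs
#                    ./ssh-algos.sh kex KexAlgorithms
#                    ./ssh-algos.sh key PubkeyAcceptedAlgorithms
if [ "$#" -eq 2 ] && command -v ssh >/dev/null 2>&1; then
    ssh -Q "$1" | hardening_line "$2"
fi
```

    Because the filter keeps the client's own ordering, review the resulting line before pasting it into sshd_config: the order is also the server's preference order.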


    Notify login

    /etc/ssh/login-notify.sh

    #!/bin/sh
    
    sender="lbl.others@gmail.com"
    recipient="lpyparmentier@gmail.com"
    
    # pam_exec sets PAM_TYPE to open_session or close_session for a session
    # hook; only report new sessions, not their end.
    if [ "$PAM_TYPE" = "open_session" ]; then
        subject="SSH Login: $PAM_USER from $PAM_RHOST on $(hostname)"
        # With -t, msmtp takes the recipient from the To: header of the message.
        msmtp -t <<EOF
    From: ${sender}
    To: ${recipient}
    Subject: ${subject}
    
    ${subject}, date: $(date)
    EOF
    fi
    

    Note: make sure msmtp (or another sendmail-compatible MTA) is installed and configured for the account the hook runs as, otherwise nothing is sent.

    chmod u+x /etc/ssh/login-notify.sh
    
    The script runs with root privileges from sshd, so keep it owned by root and not writable by anyone else.
    
    

    /etc/pam.d/sshd:

    session optional pam_exec.so seteuid /etc/ssh/login-notify.sh

    optional means a failing or missing script never blocks the login; seteuid runs the script with the effective (root) user ID rather than the real one.
    
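    A dry-run variant of the hook, added here as an example and not the page's own script: it builds the same message from the PAM_* variables that pam_exec exports, labels console logins (where PAM_RHOST is empty) instead of printing an empty host, and can be exercised from a shell without an MTA. The function name notify_message, the placeholder addresses and the --print/--send switches are this example's assumptions.

```sh
#!/bin/sh
# Added example: compose the login notification from the pam_exec(8)
# environment so the hook can be tested without sending mail.
# Assumed: placeholder addresses, notify_message, --print/--send switches.

NOTIFY_FROM="${NOTIFY_FROM:-ssh-alerts@example.com}"   # placeholder sender
NOTIFY_TO="${NOTIFY_TO:-admin@example.com}"            # placeholder recipient

# Print the full RFC 822 message on stdout, or return 1 if this PAM call
# is not a session opening (pam_exec calls a session hook on close too).
notify_message() {
    [ "${PAM_TYPE:-}" = "open_session" ] || return 1
    # PAM_RHOST is empty for console/local sessions; say so explicitly.
    rhost="${PAM_RHOST:-local}"
    subject="SSH Login: ${PAM_USER:-unknown} from ${rhost} on $(hostname)"
    printf 'From: %s\nTo: %s\nSubject: %s\n\n%s via %s, date: %s\n' \
        "$NOTIFY_FROM" "$NOTIFY_TO" "$subject" \
        "$subject" "${PAM_SERVICE:-unknown}" "$(date)"
}

case "${1:-}" in
    --print) notify_message ;;              # dry run: show the message only
    --send)  notify_message | msmtp -t ;;   # what the PAM hook would do
esac
```

    Dry run from a shell: PAM_TYPE=open_session PAM_USER=alice PAM_RHOST=203.0.113.7 PAM_SERVICE=sshd ./notify-test.sh --print (constructed values). For the real hook, install it with --send in the pam_exec line.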

    Tunnel

    Simple jump to a target behind a private network

    First, the target has to be made reachable at all; this is done with a reverse SSH tunnel from the target to a public proxy.

    # Open a reverse tunnel : target (behind private network) ------> proxy (public)
    ssh -i private.key -nNTR 2222:localhost:22 proxyuser@proxy # run this on the target machine
    

    Note: to keep the command running in the background you can append &, run it inside screen, create a systemd service, or simply use the autossh package. Add -o ExitOnForwardFailure=yes so that ssh exits (instead of staying connected without a tunnel) when port 2222 is already taken on the proxy.
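    A persistent form of the reverse tunnel above as a systemd service, added here as an example and not part of the original page (which only mentions the option). It assumes the names proxyuser@proxy, the key /etc/ssh/tunnel.key, remote port 2222 and the unit name reverse-tunnel.service, and that the proxy's host key is already in the known_hosts of the user the unit runs as (connect once by hand first).

```sh
#!/bin/sh
# Added example: generate and install a systemd unit that keeps the
# target -> proxy reverse tunnel alive. Assumed names: proxyuser@proxy,
# /etc/ssh/tunnel.key, port 2222, reverse-tunnel.service. Run as root.

# tunnel_unit USER@PROXY IDENTITY_FILE REMOTE_PORT: print the unit on stdout.
tunnel_unit() {
    cat <<EOF
[Unit]
Description=Reverse SSH tunnel to $1 (remote port $3)
After=network-online.target
Wants=network-online.target

[Service]
# -nNT: no stdin, no remote command, no pty.
# ExitOnForwardFailure: exit (so systemd restarts us) instead of staying
#   connected with no tunnel when port $3 is already bound on the proxy.
# ServerAlive*: detect a dead connection within ~90 s and exit.
# StrictHostKeyChecking=yes: never accept an unknown proxy key unattended.
# Consider User=<unprivileged account> with the key in that account's home.
ExecStart=/usr/bin/ssh -i $2 -nNT \\
    -o ExitOnForwardFailure=yes \\
    -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \\
    -o StrictHostKeyChecking=yes \\
    -R $3:localhost:22 $1
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target
EOF
}

# install_unit USER@PROXY IDENTITY_FILE REMOTE_PORT: write, enable and start it.
install_unit() {
    tunnel_unit "$1" "$2" "$3" > /etc/systemd/system/reverse-tunnel.service
    systemctl daemon-reload
    systemctl enable --now reverse-tunnel.service
}

# Usage (as root on the target):
#   install_unit proxyuser@proxy /etc/ssh/tunnel.key 2222
```

    Check on the proxy that the listener came up and is bound to loopback only: ss -tlnp | grep 2222 should show 127.0.0.1:2222 (and [::1]:2222), not 0.0.0.0.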

    The proxy can now reach the target's port 22 (usually sshd) through its own localhost:2222. By default -R binds the listening port on the proxy's loopback interface only.

    You can reach the target in several ways:

    • (not recommended) Expose port 2222 on the proxy's public interfaces by setting GatewayPorts to yes or clientspecified in the proxy's sshd_config.
    • (only for the ssh protocol itself; needs an ssh client on the proxy and, if you use IdentityFile, key files stored on the proxy) ssh -t proxyuser@proxy -- ssh -p 2222 targetuser@localhost. This also spends more of the proxy's resources, since the second ssh client runs there.
    • Open a second tunnel from your local machine to the proxy with ssh -L localport:localhost:2222 proxyuser@proxy and then connect to localport on your local machine.
    • (recommended) Use ProxyCommand, or ProxyJump/-J on OpenSSH 7.3 and later, see below:

    Using the CLI (-W makes the ssh client on the proxy forward the connection to %h:%p, i.e. localhost:2222 on the proxy, which is the reverse tunnel):

    #         ssh                   ssh
    # local ------> proxy (public) ------> target (private network)
    ssh -i local-for-target.key -o ProxyCommand="ssh -i local-for-proxy.key -W %h:%p -p 22 proxyuser@proxy" -p 2222 targetuser@localhost

    Do not add -A (agent forwarding) here unless the target really needs to use your keys: it lets root on the target use your ssh agent.
    

    Or directly in config file:

    Host target
      User targetuser
      Hostname localhost
      IdentityFile local-for-target.key
      Port 2222
      ProxyCommand ssh -i local-for-proxy.key -W %h:%p -p 22 proxyuser@proxy
    

    Note: if there is more than one proxy in the path, see "Multiple jumps" below.

    Multiple jumps

    ~/.ssh/config:

    Host jumphost1
      User username1
    Host jumphost2
      User username2
      ProxyCommand ssh -W %h:%p jumphost1
    Host jumphost3
      User username3
      ProxyCommand ssh -W %h:%p jumphost2
    Host server
      User username4
      ProxyCommand ssh -W %h:%p jumphost3
    

    Equivalent through CLI

    With OpenSSH 7.3 or later the same chain is given with ProxyJump (-J), which takes a comma-separated list of hops. Nesting quoted ProxyCommand strings on the command line does not work reliably: the outermost ssh expands every %h/%p in the whole string, so the inner hops would all point at the final server.

    ssh -J username1@jumphost1,username2@jumphost2,username3@jumphost3 username4@server

    The config above can be shortened the same way: replace each ProxyCommand ssh -W %h:%p jumphostN line with ProxyJump jumphostN.
    

    Example of port forwarding

    Access port 80 of private-target (reachable from domain.tld) through the SSH server on domain.tld.

    ssh -N -L 8080:private-target:80 root@domain.tld
    

    Notes:

    • -N: do not run a remote command (no shell), only forward the port
    • -f: go to the background once authentication is done (combine them as ssh -fN ...)
    • the local port binds to the loopback interface by default; give a bind address (e.g. -L 0.0.0.0:8080:private-target:80) only if other machines must reach the forward

    Then just request http://localhost:8080/ from the local machine, e.g. curl http://localhost:8080/
