ssh / scp / rsync
there's a lot of stuff you can do!
add ssh-key to ssh-agent
motd (message of the day) for user
create this file with whatever you want to execute when logging in as the user:
rc will be executed during login, this means if you want to print something out you need to echo the contents, like this:
this is quite new in openssh, use -J to connect to your target host through (multiple) jump host(s):
ssh -J user@first-hop user@final-destination                                                  # one hop
ssh -J user@first-hop,user@second-hop user@final-destination                                  # two hops to get to the 3rd server
ssh -J user@first-hop,user@second-hop:22022 user@final-destination -p2222                     # two hops, second hop with custom port, third one as well
ssh -J user@first-hop,user@second-hop:22022 user@final-destination -p2222 -L8384:localhost:8384 # same as above, just with port forwarding from the last hop!
note the : vs -p difference: every hop listed in -J takes its port as host:port, while the port of the final destination is given with -p, because only the final destination is a normal ssh argument.
use a jumphost in
example: I want to run ssh nibbler on my local machine and connect through bender to it. nibbler is using autossh to connect to bender (I hope this makes sense, future Jonas):
create a socks proxy, route traffic using the proxy encrypted through your destination host:
now configure your browser/client to use localhost with port 8080 as a socks5 proxy.
to drop the whole thing into the background:
if you put it in the background you might want to consider autossh (see
limit ssh connection to creating a tunnel
put this in your server's
then, create a tunnel like shown above.
add / remove passphrase from key
forward credentials to host
if you need to login through a middle man it might come in handy:
interactive ssh session
forward a port then, for example:
restrict agent, x11, port forwarding in ssh for clients
there's a handy way to restrict all of the above and more with a single option: restrict, use it like so in your
limit shell (git-shell) to certain users
use-case: you have one user on a linux system and multiple applications / users ssh'ing in. I want to limit the public ssh key of my phone's git client to only be able to use git-shell and not be able to login with bash or zsh.
- put git-shell in /etc/shells - as described here
- limit the public ssh key in authorized_keys to only run git-shell
this one key can only use git-shell commands now, like git clone, but not execute bash or something like that.
convert ssh key from openssh format to RFC4716:
scp / rsync
scp between two servers
copy files between two servers, use the system executing the command as the connection in between.
scp -3 between two systems with different ports
scp / rsync through extra hosts (middleman)
we'll connect to the middleman with the -J flag and custom port 1337 and connect to your dest using port
rsync exclude multiple folders / directories
… m( - exclude the dist folder from rsync
limit rsync to only allow downloading / pulling data
for this, you need to use rrsync, it's a script usually part of the rsync package and can be found in /usr/share/doc/rsync/scripts on ubuntu/debian, but also directly on the web.
unpack it, put it into your local bin directory, or somewhere else:
restrict rsync for specific ssh keys to only allow pulling from ~/downloads, this downloads folder will also be the new entry point for the clients to rsync. so if they pull from ~/, it'll be the downloads folder.
put this in your
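added example (not from these notes): a small POSIX shell helper that builds the authorized_keys line pinning one key to read-only rrsync of a single directory, combining the restrict option from above with command=. it assumes rrsync was installed to /usr/local/bin/rrsync and uses a constructed placeholder key.

```shell
#!/bin/sh
# Added example, not part of the original notes.
# Assumptions: rrsync lives at /usr/local/bin/rrsync (adjust to where you put it);
# the key below is a constructed placeholder, not a real public key.

# authorized_keys_rrsync_ro DIR PUBKEY_LINE
# Prints one authorized_keys entry:
#   restrict                 disables pty, agent/X11/port forwarding and user rc
#   command="rrsync -ro DIR" forces every session into rrsync in read-only mode,
#                            rooted at DIR (clients see DIR as "/", so pulling
#                            from ~/ really pulls from DIR)
authorized_keys_rrsync_ro() {
  dir=$1
  pubkey=$2
  case "$dir" in
    *'"'*|*' '*) echo "dir must not contain quotes or spaces: $dir" >&2; return 1 ;;
    /*) ;;
    *) echo "dir must be an absolute path: $dir" >&2; return 1 ;;
  esac
  printf 'restrict,command="/usr/local/bin/rrsync -ro %s" %s\n' "$dir" "$pubkey"
}

# is_readonly_rrsync_line LINE
# Sanity check for an existing authorized_keys line: it must start with the
# restrict option and carry a command= that runs rrsync with -ro.
is_readonly_rrsync_line() {
  case "$1" in
    restrict,*'command="'*'rrsync -ro '*'"'*) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed placeholder key (not a real key).
PHONE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYONLYNOTREAL phone'

# Usage: append the generated line to ~/.ssh/authorized_keys on the server.
authorized_keys_rrsync_ro /home/jonas/downloads "$PHONE_KEY"
```

clients with that key can then only run rsync pulls, e.g. rsync -av server:/ ./downloads, and get nothing else (no shell, no tunnels).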
poor man's ngrok or make-my-dev-machine-available-from-outside
GatewayPorts in your sshd config:
- use the bind_address feature in ssh to open up the port on the remote machine. we're just going to use autossh here. so log in to your source machine and execute
important bit from the man page:
An empty bind_address, or the address
- maybe you need to open up port 2224 (my example) in your firewall on the target-server as well and then you can just connect to your target server using port 2224 like this:
do not offer public keys to server