Mozilla has an excellent [[https://wiki.mozilla.org/Security/Guidelines/OpenSSH|list of security guidelines for OpenSSH]]. == Copy an SSH public key to a remote machine == This: {{{#!highlight sh cat ~/.ssh/id_rsa.pub | ssh remoteuser@remotehost 'mkdir .ssh ; shat >> .ssh/authorized_keys' }}} will copy a public key to a remote machine, but most likely you want to use `ssh-copy-id` included with recent versions of OpenSSH. == Protect sshd from kernel OOM events == The kernel out-of-memory killer kills processes when a system runs out of RAM. Killing SSH typically does not help fix anything, and makes remotely-accessible systems inaccessible. {{{#!highlight sh for pid in $(pidof sshd) ; do echo "disabling oom on pid $pid" echo -17 | sudo tee /proc/$pid/oom_adj > /dev/null done }}} This is done by a few distributions, but when working on an arbitrary remote machine may be useful to run just in case. == Generate new SSH host key == Make sure /etc/ssh/sshd_config contains a path to the host key, e.g.: {{{ HostKey /etc/ssh/ssh_host_ed25519_key }}} Once it's there, create a new host key with: {{{#!highlight sh numbers=off sudo ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key }}} == Backups and transferring stuff over SSH == Using tar to transfer over SSH: {{{#!highlight sh numbers=off tar czhf - $SRC_DIR | \ ssh $SSH_USER@$SSH_HOST \ "tar xzhf - -C $DST_DIR" }}} or doing so in two commands: {{{#!highlight sh numbers=off # Backup ssh root@$SSH_HOST "tar cpf - / --exclude=/sys --exclude=/proc --exclude=/dev" | pv | gzip | cat > backup.tar.gz # Restore cat backup.tar.gz | ssh root@$SSH_HOST "pv | tar zxvf - -C /" }}} Cloning a disk with dd over SSH: {{{#!highlight sh numbers=off ssh -C $USER@$REMOTE_HOST "dd if=/dev/sda" | dd of=/dev/sda }}} == SSH tunnels == {{{#!highlight sh # $LOCAL_IP: 'localhost' or machine from local network # $LOCAL_PORT: open port on local machine # $REMOTE_IP: remote localhost or IP from remote network # $REMOTE_PORT: open port on remote site # Forward Tunnel: map port from remote machine/network on local machine ssh -L $LOCAL_PORT:$REMOTE_IP:$REMOTE_PORT $USER@$SERVER # Reverse Tunnel: make local port accesible to remote machine ssh -R $REMOTE_PORT:$LOCAL_IP:$LOCAL_PORT $USER@$SERVER }}} == Interesting reading == * [[https://stribika.github.io/2015/01/04/secure-secure-shell.html|Secure Secure Shell]], with a corresponding [[https://gist.github.com/cmavr8/eb4a9e596bd0e3e85f97d907de288c54|ansible playbook securing ssh]] ---- CategoryCheatSheet