External OpenSSL Command-line FAQ
This OpenSSL HowTo/FAQ deals with the command-line openssl.
ssh config tweaks
These are changes I always make to /etc/ssh/sshd_config. See fail2ban for protecting against bots doing dictionary attacks.
# this sometimes speeds up logins. UseDNS no # Don't make this 1. Public keys count as 1 try. If that fails it will not try password. MaxAuthTries 2 # bots often check these accounts for weak passwords: DenyUsers root test admin guest nobody # for extra security, limit access to only these users: AllowUsers user1 user2 user3
Use the following to support SSH1. I no longer use this.
# this is required if you want to support SSH1 Protocol 2,1 # this is required if you want to support SSH1 PasswordAuthentication yes
Edit the client side ssh_config if you are getting slow logins.
# This sometimes fixes slow logins on Ubuntu. # Don't use this if you use Kerberos or GSSAPI. GSSAPIAuthentication no
simple port forwarding (SSH tunnel)
This example creates a tunnel for HTTP. This will forward port 80 of your localhost to port 80 of www.example.com.
ssh -f -N -q -L 80:localhost:80 firstname.lastname@example.org
This example creates a tunnel for IMAP. Here we forward port 1143 on localhost to 143 (IMAP) on imap.example.com.
ssh -f -N -q -L 1143:localhost:143 email@example.com
-f tells ssh to go into the background (daemonize).
-N tells ssh that you don't want to run a remote command. That is, you only want to forward ports.
-q tells ssh to be quiet
-L specifies the port forwarding
port forwarding through an intermediary
You can have the remote machine forward ports to a third machine. This is useful where your have your local machine outside a firewall; a visible machine on the DMZ; and a third machine invisible to the outside.
This creates a tunnel from your localhost port 81 to 192.168.1.69 port 80 through dmz.example.com. This lets you see the web server from outside a LAN.
ssh -f -N -q -L 81:192.168.1.69:80 firstname.lastname@example.org
This example creates a tunnel for IMAP. Here we forward port 1143 on localhost to 143 (IMAP) on 192.168.1.100 through dmz.example.com.
ssh -f -N -q -L 1143:192.168.1.100:143 email@example.com
Remote Server Security Enhancement with SSH Keys
You can make port forwarding even more secure by limiting what a privileged account can do. When you add a key to authorized_key you may pass parameters to fine tune the connection. This can be used to restrict what the client is allowed to do. On the remote server, add the following to ~username/.ssh/authorized_keys:
from="192.168.1.69",command="/bin/false",no-pty,no-X11-forwarding,no-agent-forwarding,no-port-forwarding,permitopen="localhost:143" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA8XIr8LEXdvc4VZEvNenWkJrerTzNhqTT7QvCD+Y2EjCUPQwfBcSnvhY3oasNigNonghQFqm7/HqWBLpcN+4mqDUrXrEdj6HQmHvCV6WozNUVb5jjiyQ/JF4hqcQd6oelCkVw8wD32I2jlYqydpqOGY4xqakWDAfm3SOx5il3Kl49mKCg5B3GQPexhTujaTT3y/Q1eeT3zGpHE9Mp7k20X8rMxSjp5ncLAmdf42fRh05HY5f1GrupQIEdi0/TDcPNWL1ml89zttrDOLgDnwny7P0x2jmcX41cSxL/8svER7BAk2sroyQe6L21pJ7o2MYz1IwnsQgji/GjJoaA7hTNCQ== firstname.lastname@example.org
- from="192.168.1.69": accept connection only from the given IP address
- command="/bin/false": forces this command to be run no matter what is passed via ssh from the client
- no-pty: never allocate a PTY for interactivity
- no-X11-forwarding: No X11
- no-agent-forwarding: we don't want or need ssh-agent
- no-port-forwarding: prevent ssh -R ...
- permitopen="localhost:143": allow only localhost connections to port 143 for `ssh -L` requests
reverse port forwarding
Sometimes I need to make an internal LAN machine expose a service to the outside WAN. For example, I have a database server that will only accept connections from a specific development box. That dev box is inside the firewall. I want to connect to the database from outside the firewall.
ssh -t -L 5432:localhost:1999 email@example.com ssh -t db_server ssh -t -R 1999:127.0.0.1:5432 my_name@firewall
SSH for Windows
MindTerm SSH client Java Applet
MindTerm_2.1 (non-commercial). This was the last free version of MindTerm.
Put this applet on a web page and point the <applet> "archive" attribute to the URL of the JAR file:
<applet archive="mindterm.jar" code="com.mindbright.application.MindTerm.class" width="580" height="400"> <param name="te" value="xterm-color"> <!-- "vt102" --> <param name="fs" value="18"> <param name="gm" value="80x32+0+0"> <param name="port" value="22"> <param name="cipher" value="blowfish"> <!-- "des" --> <param name="usrname" value=""> <param name="sepframe" value="false"> <param name="quiet" value="false"> <param name="cmdsh" value="false"> <param name="verbose" value="true"> <pa ram name="autoprops" value="none"> <param name="idhost" value="false"> <param name="alive" value="10"> <param name="appletbg" value="white"> </applet>