OpenSSH

ssh -p port user@server

ssh -t username@hostname /bin/sh

ssh user@server -o PreferredAuthentications=keyboard-interactive
# or:
ssh user@server -o PreferredAuthentications=password

export SSH_AUTH_SOCK=""; ssh user@server

Never disclose your private key (also called privkey) to anybody! It's private. A public key (also called pubkey) is used to identify you on a remote system and you can copy it to any system you want to authenticate with.

ssh-keygen -t ed25519 -f ~/.ssh/new_key

You will find two files in your ~/.ssh/ directory: new_key (your private key) and new_key.pub (your public key).

ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub

ssh-keygen -f ".ssh/known_hosts" -R servername/ip

~/.ssh/config

Host arbitraryhostname
  HostName realhostnameorIPhere
  User usernamehere
  Port 12345

more ideas: http://nerderati.com/2011/03/17/simplify-your-life-with-an-ssh-config-file/

• Standard key is ~/.ssh/id_rsa.pub
• copy with ssh-copy-id user@server:port
• ssh-copy-id script: https://gist.github.com/vamf12/1639381
• Alternative:

  cat ~/.ssh/id_rsa.pub | ssh user@server "mkdir ~/.ssh; cat >> ~/.ssh/authorized_keys"

/etc/ssh/sshd_config

Port 12345
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
UsePrivilegeSeparation yes
 
KeyRegenerationInterval 3600
ServerKeyBits 768
 
SyslogFacility AUTH
LogLevel INFO
 
LoginGraceTime 60
PermitRootLogin without-password
StrictModes yes
 
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile	%h/.ssh/authorized_keys
IgnoreRhosts yes
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
#IgnoreUserKnownHosts yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
#PasswordAuthentication yes
 
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes

• use `sshguard` instead of `fail2ban`

/etc/ssh/sshd_config

Subsystem sftp internal-sftp
 
Match Group sftponly
 ForceCommand internal-sftp
 ChrootDirectory /wwwhome

The ChrootDirectory must have chmod 750 and permissions of root:sftponly!

If you want to connect to target computer on the target port of your SSH computer through localhost:

ssh -L 8888:targetcomputer:targetport ssh-computername -N

With ssh -L 8888:webserver:80 dmz-server -N you can make a webserver which is only available in the destination network available on localhost:8888.

If you want to reverse tunnel a connection (i.e. make the destination port available to connect from the outside), you can use

ssh -o "GatewayPorts=yes" -L 80:localhost:8080 destination -N

This will forward the remote port 8080 to the local 80. Keep in mind you also have to open the firewall on the remote machine.

You can pipe to/from SSH. (Quelle)

ssh user@server 'echo 0' | cat - > echo.out

echo 0 | ssh user@server 'cat - > echo.out'

The command-line tool ssh should be installed already. If it isn't, consult your package manager and install the OpenSSH package.

see SSH on Windows wiki page

If your SSH session doesn't close on reboot or shutting down, you might lack a timeout in the OpenSSHd config or the corresponding systemd package so the session gets closed cleanly.

Debian:

apt install libpam-systemd dbus

Check that you actually use the PAM module:

/etc/ssh/sshd_config

UsePAM=yes

cp /usr/share/doc/openssh-client/examples/ssh-session-cleanup.service /etc/systemd/system/
systemctl  enable ssh-session-cleanup.service

Host *
   ServerAliveInterval 15
   ServerAliveCountMax 5