SSH
Enabling ssh
# Enable SSH
sudo systemsetup -f -setremotelogin on
# Disable SSH
sudo systemsetup -f -setremotelogin off
# Check if SSH is enabled/disabled
sudo systemsetup -getremotelogin
- Generating an SSH key on your computer - # Specifying bits of entropy is optional
ssh-keygen -b 4096
 
- Removing a comment from an SSH key - ssh-keygen -c -C '' -f ~/.ssh/id_rsa
 
- Converting a private GPG authorization secret RSA subkey (RFC 4880 compliant) to a PEM-encoded private SSH PKCS #1 v2.2 authorization key (RFC 8017 compliant) - gpg --export-secret-subkeys <auth_key_id>! | openpgp2ssh <auth_key_id> > ~/.ssh/id_rsa
 
Once you have that key, you ought to convert it into make a bunch of different types
- Making a PKCS #1 v2.2 private key (RFC 8017) - cp ~/.ssh/id_rsa ~/.ssh/id_pkcs1
ssh-keygen -p -m pem -f ~/.ssh/id_pkcs1
head !$
# -----BEGIN RSA PRIVATE KEY----- #
 
- Making a PKCS #8 private key (RFC 5958) - cp ~/.ssh/id_rsa ~/.ssh/id_pkcs8
ssh-keygen -p -m pem -f ~/.ssh/id_pkcs8
head !$
# -----BEGIN PRIVATE KEY----- #
 
- Making an SSH v2 private key (RFC 4716) - cp ~/.ssh/id_rsa ~/.ssh/id_ssh
ssh-keygen -p -m rfc4716 ~/.ssh/id_ssh
head !$
# -----BEGIN OPENSSH PRIVATE KEY----- #
 
Public Key Conversions
- Obtaining the public key corresponding with an RSA private key - id_rsa.pub(RFC 4253)
 - # Note: this key format is supported by the SSH server
#       running on macOS, Linux, and Windows
ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub
 
- Making an SSH2 public key (RFC 4716) - # Note: this key format is rarely used in practice
ssh-keygen -y -m rfc4716 -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub
 
- View the ASCII randomart of an SSH key - ssh-keygen -lv -f ~/.ssh/id_rsa
 
Copying your ssh keys to someone else's computer
There are two ways for you to have your ssh key added to another person's computer. Say you are the user tommy and you want tina to give you permission to enter her computer without a password.
# Option one: from tommy's computer
ssh-copy-id tina@172.20.10.7
# Option two: from tina's computer
curl https://github.com/tommy.keys >> ~/.ssh/authorized_keys
Using ssh to log into a known user
Opening applications on remote computer
You can use the DISPLAY=0.0 command to tell your ssh session to open the application on the remote computer. You won't be able to see the app being opened, but it will launch on the remote computer.
Opening a single application
DISPLAY=:0.0 open -a Safari
export DISPLAY=:0.0
open -a Safari
open -a Mail
Seeing if anyone is logged into your computer
# shows the IP address of all local/remote users (including you!)
who
# (prints just your active session)
who am i
# (kills the session associated with ttys001)
pkill ttys001
Transferring clipboard content from local machine to remote machine
# local machine -> remote machine
pbpaste | ssh USER@HOST pbcopy
Sockets
When you combine an IP address and a port number, the pair is known as a socket. An example of a local socket is 127.0.0.1:1234. An example of a remote socket is 41.82.15.112:5678
In order for a connection attempt to a socket to succeed, something must be "listening" on that socket.
The port that a SSH server listens with in order to accept incoming connections is known as the target port.
The port that a SSH client listens with to receive information from the SSH server is known as the source port.
Therefore, the source socket or client socket is the combination of the client's IP address and the source port. The target socket or remote socket is the combination of the server's IP address and the target port
Multiple clients can connect using the same target socket.
ssh Tunneling
Tunneling, also known as "port forwarding" reroutes a connection to pass through a ssh connection. ssh uses the TCP/IP protocol on port 22 as a transport mechanism. It's useful not only for forwarding ssh data, but also for encrypting data passed through SMTP, IMAP, HTTP, etc.
A bastion refers to a small computer, hosted remotely, that works as a jump box to help you reach the computer that has initiated a "reverse tunnel" or "inbound port forwarding" to that bastion.
Configuring your SSH Client
Configuring your SSH Server
The config file for a computer's SSH server (used to handle incoming SSH connections) is located at /etc/ssh/sshd_config
If you open up this file (use sudo) you'll notice that most of the settings are commented out. If a setting is commented out, that means that it's a default setting. If you uncomment it, nothing would change, so don't go nuts uncommenting files. It's useful to leave the comments. That way, when a preference is not commented out, you know it's a setting you've manually reconfigured.
Configuring SSH on Windows
Enabling/Disabling Access to Users
If you're having trouble connecting to a user on a server, modify the AllowUsers setting in sshd_config. To configure remote users login permissions for local users tommy, tina, and billy, add this line to the super user's sshd_config
AllowUsers tommy tina
DenyUsers billy
You can also allow login functionality to all users within a certain group by modifying the `AllowGroups` setting. To configure login permission for all users in the `trojan` and `bruin` groups, add this line to the super user's `sshd_config`
```txt
AllowGroups trojans
DenyGroups bruins
Accepting remote connections
You'll have to edit the sshd_config file to support incoming connections from a remote user.
Go into the bastion, and add/change the line in /etc/ssh/sshd_config that says #GatewayPorts no to GatewayPorts yes
Then, on your local machine (not the bastion) give your computer the following instructions:
- Build reverse tunnel, allowing users to enter your computer if they first jump through the bastion host - # When connections are made to
# user: "jump"
# port: 1337
# ip: 12.34.56.78
ssh -fNR 1337:127.0.0.1:22 jump@12.34.56.78
# ...forward it to my local machine (127.0.0.1), on port 22
 
- Make an SSH connection, jumping from bastion host port 22, to bastion host port 1337 (which forwards to the remote machine) - # Connect to the machine that opened the connection
ssh -J jump@remote.net ssh://user@127.0.0.1:1337
 
Restarting the SSH Server
- On macOS - sudo launchctl kickstart -kp system/com.openssh.sshd
 
- On Linux 
Running Local Machine Commands
You don't have to exit the session if you forgot to send over a file, or need to
run a local command. Simply press ~, followed by C and you
will be given a prompt on your local machine.
ssh> !scp ~/Desktop/forgot.txt jump@remote.net:~/Desktop
If you want to change ~ to be a different key, you can change it in the file ~/.ssh/config
Now, you could type "⏎ C C !" to open up the >ssh prompt and issue commands on your local machine
scp
The Secure Copy Protocol or SCP is designed to make sending and receiving files from the terminal as secure as possible. You can use the scp program in the terminal to send and receive files as follows:
# Option 1: Specifying the path relative to the user's home directory
vi scp://jump@remote.net:22/Desktop/file.txt
# Option 2: Specifying the absolute path
vi scp://jump@remote.net:22//home/jump/Desktop/file.txt
If you have a jupyter notebook running on port 8888 of your computer, you could
allow users on your network to view your notebook in their web browsers when
they typed in your hostname.
ssh -fNR 0.0.0.0:80:127.0.0.1:8888 jump@remote.net
SOCKS5 Proxy
If you're in a pinch and you need a VPN, but all you have to work with is a server, you can still get most of the advantages of feigning your location by using a SOCKS5 proxy. On macOS, the commands are as follows:
ssh -fN -D 127.0.0.1:6789 user@remote.net
sudo networksetup -setsocksfirewallproxy Wi-Fi 127.0.0.1 6789
sudo networksetup -setsocksfirewallproxystate Wi-Fi on
macOS Keychain
If your SSH key has a password, you can cache the password for the SSH key in your macOS keychain, which saves you the trouble of typing it out every single time.
SSH with VirtualBox
Credit goals to
Prof. Marco Paolieri, the man who
taught me computer systems, and how to SSH into a headless virtual machine
- Configure the virtual machine VM_NAME to listen on PORT for SSH connections and forward them to port 22 on the virtual machine - VBoxManage modifyvm VM_NAME --natpf1 'ssh,tcp,,PORT,,22'
 
- Launch the virtual machine in headless mode - # To leave the session in the foreground, omit the '&'
VBoxHeadless -s VM_NAME &
 
- Access the host via SSH (note: you may have to wait a few seconds for the
machine to boot up) - ssh 'ssh://USER@HOST:PORT'
 
- Shutting down the virtual machine safely 
- Supposedly this enables caching of HTTPS credentials when working with remote git repositories - git config --global credential.helper cache
 
If you're trying to
use Visual Studio Code through SSH
and you're not having any luck, try adding the following configuration to the
settings.json configuration file.
"remote.SSH.showLoginTerminal": true