Small additions to ssh article

- Section about forced commands
- Loads of small edits
This commit is contained in:
Nox Sluijtman 2022-09-29 19:53:35 +02:00
parent ecd0f85ef3
commit 33f424cd71


@ -3,7 +3,7 @@ title: "SSH Configuration"
date: "2022-09-27T11:40:31+02:00" date: "2022-09-27T11:40:31+02:00"
author: "$HUMANOID" author: "$HUMANOID"
tags: ["ssh", "technology"] tags: ["ssh", "technology"]
description: "An article on configuring SSH from the ground up to something that can grow out into my monster of a configuration" description: "An article on configuring SSH from the ground up to something that can grow out into something like my monster of a config file"
toc: true toc: true
--- ---
@ -25,22 +25,22 @@ I typically generate mine using:
ssh-keygen -t ed25519 -f ~/.ssh/<new-key> ssh-keygen -t ed25519 -f ~/.ssh/<new-key>
``` ```
Without any parameters, it will generate an rsa3072 key. Without any parameters, it will generate an rsa3072 key.
This form of cryptography isn't the recommended as it's become a bit flimsy with computers becoming stronger. This form of cryptography isn't recommended as it's become a bit flimsy with computers becoming stronger.
Instead I recommend at least adding the `-t ed25519` flag to generate a ed25519 key instead. Instead I recommend at least adding the `-t ed25519` flag to generate a ed25519 key.
When prompted for a passphrase, **_always_** give it one. When prompted for a passphrase, **_always_** give it one.
The only reason where _not_ using a passphrase is acceptable is when you are planning on using the key for a [forced command](). The only situation where _not_ using a passphrase is acceptable is when you are planning on using the key for a [forced command](#forced-commands).
# Server Configuration # Server Configuration
This is all done under the assumption that the you use OpenSSH implementation on your server. This is all done under the assumption that the you use the OpenSSH implementation on your server.
If you use something like Dropbear, I can't help you as haven't properly dug through it's configuration file (yet). If you use something like Dropbear, I can't help you as haven't properly dug through it's configuration file (yet).
The thing I see way to often on the internet is The thing I see way to often on the internet is
* People not disabling password authentication. * People not disabling password authentication.
* Changing the default port or only allowing. * People not changing the default port <!--or only allowing a range of IPs to log in-->.
* Don't disable root login and never use it. * People not disabling root login and never using it.
So lets go through these steps one by one. So lets go through these steps one by one.
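Review bot: the new wording on the passphrase line ("The only situation where _not_ using a passphrase is acceptable is when you are planning on using the key for a forced command") needs a caveat: a passphrase-less key whose `authorized_keys` entry carries only `command=` still lets anyone who copies the private key run that command and, unless the entry is also restricted, open port or agent forwards over the session. Either say the key must be guarded as if it were a password, or point forward to `restrict`/`from=` options in the forced-command section. Two smaller points in the same hunk: the rsa3072 justification ("become a bit flimsy with computers becoming stronger") is not accurate, since RSA-3072 is not considered weak; the real reasons to prefer ed25519 are smaller keys, faster operations and fewer parameter pitfalls. And the "Server Configuration" lines still carry typos: "the that you use", "as haven't properly dug", "it's configuration file", "way to often", "So lets".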
@ -109,7 +109,7 @@ A solution next to this is to use `fail2ban` along side changing the port.
> "Won't this mean I have to add the port to my login command every time I go to this server?" > "Won't this mean I have to add the port to my login command every time I go to this server?"
No, more in this in [the client configuration] section No, more in this in [the client configuration](#client-configuration) section
In `/etc/ssh/sshd_config` look for In `/etc/ssh/sshd_config` look for
```sshd_config ```sshd_config
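Review bot: "No, more in this in [the client configuration](#client-configuration) section" should read "more on this in", and the context line above uses "along side" for "alongside". While touching this paragraph, it would help readers to state that a non-default port only cuts scanner noise in the logs; the control that actually limits brute-forcing is `fail2ban` (or equivalent rate limiting), which is what the context line already hints at.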
@ -123,7 +123,7 @@ In `/etc/ssh/sshd_config` look for
and change the `Port` to your liking, I tend to change this to something like 6969 or some other meme number. and change the `Port` to your liking, I tend to change this to something like 6969 or some other meme number.
Another thing I tend to do is not open a port in my firewall, thus preventing any normal outside connections all together. Another thing I tend to do is not open a port in my firewall, thus preventing any normal outside connections all together.
Instead opting to only connecting over Yggdrasil and/or Tor. Instead opting to only connect over Yggdrasil and/or Tor.
# Client configuration # Client configuration
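Review bot: not opening the port in the firewall leaves `sshd` bound on every interface, so the service is one slipped firewall rule away from being reachable on the public address. Since the text says connections only come in over Yggdrasil and/or Tor, consider also suggesting a `ListenAddress` limited to the Yggdrasil address (or loopback for the Tor hidden service), so the daemon never listens on the public interface at all. Minor: "all together" should be "altogether".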
@ -136,20 +136,22 @@ The very first thing I do after setting up a server, is add an entry to my `~/.s
A basic configuration section looks like the following: A basic configuration section looks like the following:
```ssh_config ```ssh_config
Host <host> # this is something you can easily identify Host <host> # this is something you can easily identify
Host <host-name> # this does need to be an IP address or DNS record pointing to an IP address Host <hostname> # this does need to be an IP address or DNS record pointing to an IP address
IdentityFile ~/.ssh/<key-file> IdentityFile ~/.ssh/<key-file>
User <user-name> User <user-name>
Port <meme-number> Port <meme-number>
``` ```
This allows you to log into host `<host>` with on port `<meme-number>` with key `~/.ssh/<key-file>` as user `<user-name>` without by typing: This allows you to log into host `<host>` with on port `<meme-number>` with key `~/.ssh/<key-file>` as user `<user-name>` without by typing:
```sh ```sh
ssh <user-name>@<host-name> -p <meme-number> -i ~/.ssh/<key-file> ssh <user-name>@<hostname> -p <meme-number> -i ~/.ssh/<key-file>
``` ```
Instead the following command will work: Instead the following command will work:
```sh ```sh
ssh <host> ssh <host>
``` ```
More information on the SSH config file can be found in the `ssh_config` manpage.
Some other frequently used settings for me are: Some other frequently used settings for me are:
* `AddKeysToAgent` * `AddKeysToAgent`
* `IdentitiesOnly` * `IdentitiesOnly`
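Review bot: the second line of the config example is still wrong after the rename: it reads `Host <hostname>` where the keyword must be `Hostname` (the page itself uses `Hostname` in the Tor and `-radio` examples later). As written, the block declares two `Host` patterns and `ssh <host>` would try to connect to the literal name `<host>`. The following sentence also has a grammar slip: "log into host `<host>` with on port ... without by typing" should be something like "log into `<host>` on port `<meme-number>` with key ... as user ... without typing".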
@ -165,7 +167,7 @@ This is useful if you frequently log in and out of a certain host and don't want
Ignore whatever keys your agent has and only use the contents of `IdentityFile`. Ignore whatever keys your agent has and only use the contents of `IdentityFile`.
Useful for when you want to be able to log into the same host using multiple keys. Useful for when you want to be able to log into the same host using multiple keys while using an SSH agent session.
### `ProxyCommand` ### `ProxyCommand`
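Review bot: "Ignore whatever keys your agent has and only use the contents of `IdentityFile`" slightly overstates what `IdentitiesOnly` does: ssh still uses the agent to sign with the configured identities if the agent holds them; what it stops is offering every other key the agent has. The practical benefit worth mentioning is avoiding "Too many authentication failures" when the agent holds many keys, which fits the new "while using an SSH agent session" wording.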
@ -178,7 +180,7 @@ I use this for my Tor hosts:
```ssh_config ```ssh_config
Host tor-<host> Host tor-<host>
Hostname <lengthy-56-character-string>.onion Hostname <lengthy-56-character-string>.onion
# this is dependent on the netcat implementation of the OpenBSD project # this is dependent on the netcat implementation of the OpenBSD project, often packaged as "netcat-openbsd"
ProxyCommand nc -X 5 -x localhost:9050 %h %p # this assumes you are running a tor proxy on your local system and attempts to make a connection through that ProxyCommand nc -X 5 -x localhost:9050 %h %p # this assumes you are running a tor proxy on your local system and attempts to make a connection through that
Identityfile ~/.ssh/<key-file> Identityfile ~/.ssh/<key-file>
User <user> User <user>
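Review bot: `Identityfile` here (and again in the `-radio` example) is inconsistent with `IdentityFile` used in the basic example; keywords are case-insensitive to ssh, but the page should pick one spelling. The new "netcat-openbsd" comment is useful; it may also be worth saying that `-X 5` (SOCKS5) is what lets the `.onion` name be resolved by Tor instead of the local resolver.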
@ -227,3 +229,38 @@ eval $(keychain --agents 'gpg,ssh' --eval)
... ...
``` ```
As you can see, it can also keep track of your GPG agent. As you can see, it can also keep track of your GPG agent.
# Forced Commands
Another amazing feature of SSH is forced commands.
The name is relatively self explanatory.
You give a public key the privilege to execute a single command and nothing else.
This is really useful if there is something that you frequently do on a server which is simple enough that it can be automated but still requires interaction from device.
I make use of a forced command to open NCMPCPP on my MPD server.
Logging in every time and typing `ncmpcpp` every time I wanted to add or remove some songs from the current playlist got annoying really fast.
On my client machines I have an entry in my `~/.ssh/config` with roughly the following:
```ssh_config
Host <host>-radio
Hostname <hostname>
User <mpd-user>
Port <meme-number>
Identityfile ~/.ssh/<host>-radio
IdentitiesOnly yes # here's where forcing it to ignore the ssh agent comes in useful
```
On my MPD server, I have the following in `~/.ssh/authorized_keys`:
```authorized_keys
command="ncmpcpp" ssh-ed25519 <contents of <host>-radio.pub>
```
When I `ssh` to `<host>-radio`, all I get is an NCMPCPP session.
On one of my Raspberry Pis, I make use of a forced command to toggle my desk lamp using a little wrapper I wrote around the Pi's GPIO interface.
It has the following line in `~/.ssh/authorized_keys`:
```authorized_keys
no-pty,command="/path/to/script/lamp toggle" ssh-ed25519 <contents of lamp-key.pub>
```
The `no-pty` option prevents any sessions opened with this key from starting an interactive shell session.
Documentation of the `authorized_keys` file can be found in the `sshd` manpage under the `AUTHORIZED_KEYS FILE FORMAT` section.
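Review bot: both `authorized_keys` lines restrict only the command; `command="..."` on its own does not stop a client holding the (passphrase-less) key from requesting TCP, agent or X11 forwarding over the session. Suggest `restrict,pty,command="ncmpcpp"` for the interactive entry (ncmpcpp needs a terminal, so `pty` is re-enabled after `restrict`) and `restrict,command="/path/to/script/lamp toggle"` for the lamp entry, optionally with `from="..."` to pin the source address. The explanation of `no-pty` at the end is also off: the forced command already replaces the login shell, so `no-pty` does not prevent an interactive shell; it denies allocation of a terminal to the forced command. Minor wording: "requires interaction from device" is missing "a", and "every time ... every time" in the ncmpcpp sentence is doubled.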