niraj zade :::: ~/articles ~/tools ~/hire
[this website is a work in progress]

SSH notes

By Niraj Zade | 2024 Sep 22 | 2m read |

SSH tunneling templates, how to diagnose errors, quick fixes for usual errors

Tunneling templates

2024/09/22

SSH config templates for various scenarios

Theory in short

Use LocalForward, RemoteForward or ProxyJump to implement the SSH setup.

LocalForward - Forward local port to remote server
RemoteForward - Forward remote machine's port to local machine or other server
ProxyJump - Route SSH through intermediate server(jumphost/bastion/proxy), to reach final server

~/.ssh/config examples

Simple direct remote ssh shell

Open SSH connection to remote server

Host remoteserver
  HostName dev.example.com
  User dev
  IdentityFile ~/.ssh/id_rsa
  Port 22

Forward local port to remote server port

Forward local's port 8080 to remote server's port 8080

local:8080 -> remote:8080

Host devserver
    User user
    Hostname domain.subdomain.tld
    IdentityFile ~/.ssh/id_rsa
    LocalForward 8080 127.0.0.1:8080

Forward remote server port to local port

Forward remote server's port 8080 to local's port 8080

local:8080 <- remote:8080

Host devserver
    User user
    Hostname domain.subdomain.tld
    IdentityFile ~/.ssh/id_rsa
    RemoteForward 8080 127.0.0.1:8080

SSH via jumphost/bastion/proxy

Host jump-host
    HostName jump1.example.com
    User user
    IdentityFile ~/.ssh/id_rsa

    Host target-server
        HostName target.example.com
        User user
        IdentityFile ~/.ssh/id_rsa
        ProxyJump jump-host

Note: Can nest as many jump hosts as required.

OR, If jump host is shared across many target servers, declare jump host independently, and use it in target server configs:

Host jump-host
    HostName jump1.example.com
    User user
    IdentityFile ~/.ssh/id_rsa

Host target-server
    HostName target.example.com
    User user
    IdentityFile ~/.ssh/id_rsa
    ProxyJump jump-host

Ensuring resillience despite network failures

Tunnels timeout/break all the time. Make sure you use auto-healing tunnels/connections.

Solutions: - Use autossh. This is the simplest solution. - Create a systemd service that takes care of the ssh process, and auto-restarts the process whenever it exits (whenever the tunnel breaks) (example blog post).

Diagnosing connection issues

2023/07/09

ssh -v <host> – issues on your end (client)
ssh -vv – good enough logs of both client and server side
ssh -vvv – detailed logs from both client and server

ssh -vT <hostname>
v: verbose
T: Disable pseudo-terminal allocation

Eg: Debug why git via ssh isn't working:

ssh -vT [email protected]

Quick fixes

2023/07/09

Usual issues:

Your key doesn't have restricted permissions, so openssh refuses to use it.
You specified a non-existent key in the ssh config

Set proper permissions

# permission of the ssh dir itself
chmod 700 ~/.ssh/
# baseline permissions for all files in ssh dir
chmod 600 ~/.ssh/*
# set more open permissions for public keys in the ssh dir
chmod 644 ~/.ssh/*.pub