Common network functions of ssh under deepin

What is SSH?

SSH is the most common remote login service on Linux. It uses asymmetric encryption to establish a secure channel over an insecure network.

How to install?

deepin integrates OpenSSH by default, so no manual installation is needed. For security reasons the ssh service is not enabled by default; run sudo systemctl start ssh to start it.

Note: there is a lot of ssh scanning on the Internet. If your account uses a weak password, turn off ssh password authentication.

Log in

Password login

Use ssh username@hostname to log in to the specified host as the specified user. If the username is the same as the account you are currently using, it can be omitted. For example, ssh localhost logs in to this machine, and ssh deepin@x.x.x.x logs in to the deepin account on host x.x.x.x.

By default, login requires the user's password, and the first time you log in to a host you must confirm its ssh host key fingerprint, which protects against man-in-the-middle attacks. If nothing was changed on the host but its fingerprint changes anyway, ssh prints a warning such as WARNING: POSSIBLE DNS SPOOFING DETECTED! during login; treat this as a possible man-in-the-middle attack. If you have just reinstalled the host's operating system, follow the prompt in the ssh warning and remove the old host fingerprint record with the ssh-keygen -f ... -R command it prints, then log in again.

Public key password-free login

Use ssh-copy-id localhost to configure password-free login automatically; the next time you log in with ssh, no password is needed. If ssh-copy-id returns a No identities found error, generate a key pair first with ssh-keygen (just press Enter at each prompt).

You can also manually copy your public key (the default location is ~/.ssh/id_rsa.pub) to the host's ~/.ssh/authorized_keys file to configure password-free login.

After password-free login is configured, ssh password login can be disabled to prevent password brute-forcing. Use the command echo PasswordAuthentication no | sudo tee -a /etc/ssh/sshd_config to modify the configuration, then run sudo systemctl restart ssh to restart the ssh service so the change takes effect.

Warning: make sure password-free login works before turning off password login, otherwise you may no longer be able to log in to your host.
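As an added example (not code from the original post), the script below does what this section describes with the checks a practitioner wants: it rewrites PasswordAuthentication in place instead of appending it (sshd honours the first active occurrence of a keyword, so a line appended with tee -a is ignored if an earlier PasswordAuthentication yes exists), refuses to proceed unless an authorized_keys file is present, validates the file with sshd -t before restarting, and can set any other sshd_config keyword the same way, such as the GatewayPorts and PermitTunnel options used later on this page. It assumes a Debian-style layout (/etc/ssh/sshd_config, service name ssh) and a config without Match blocks, since a directive placed after a Match block only applies inside that block.

```shell
#!/bin/sh
# Added example, not from the original post. Switches sshd to key-only
# login safely: refuse unless an authorized key exists, change the
# directive in place, validate with `sshd -t`, then restart the service.
# Assumes /etc/ssh/sshd_config, service "ssh" and no Match blocks.

# set_sshd_option FILE KEY VALUE
# sshd honours the FIRST active occurrence of a keyword, so appending
# "PasswordAuthentication no" with tee -a is ignored when an earlier
# "PasswordAuthentication yes" line exists. Rewrite active lines instead,
# and append only when the keyword is absent. Writing back through cat
# keeps the file's owner and mode, unlike redirecting into a fresh file.
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[[:space:]]*$key[[:space:]]" "$file"; then
        tmp=$(mktemp) || return 1
        sed -E "s/^[[:space:]]*$key[[:space:]].*$/$key $value/" "$file" > "$tmp" \
            && cat "$tmp" > "$file"
        rm -f "$tmp"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# effective_sshd_value FILE KEY: the value sshd will apply (first active
# line wins); empty when the key is unset, i.e. the compiled-in default.
effective_sshd_value() {
    grep -E "^[[:space:]]*$2[[:space:]]+" "$1" | head -n 1 | awk '{print $2}'
}

# disable_password_login [CONFIG] [AUTHORIZED_KEYS]
# Run with sudo on the server while a second, already-open session is used
# to confirm that key login works (this section's lock-out warning).
# The authorized_keys path defaults to the invoking user's file.
disable_password_login() {
    cfg=${1:-/etc/ssh/sshd_config}
    keys=${2:-/home/${SUDO_USER:-$USER}/.ssh/authorized_keys}
    if [ ! -s "$keys" ]; then
        echo "$keys is missing or empty; keeping password login" >&2
        return 1
    fi
    set_sshd_option "$cfg" PasswordAuthentication no
    set_sshd_option "$cfg" PubkeyAuthentication yes
    # sshd -t rejects a broken config before the restart can lock you out
    sshd -t -f "$cfg" && systemctl restart ssh
}
```

Save it as a file, source it in a root shell and call disable_password_login, or call set_sshd_option /etc/ssh/sshd_config GatewayPorts yes for the other options on this page.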

Password-free jump login

If you have multiple hosts you may need a jump login: log in to host A first, then log in to host B through host A, because host B may not be directly reachable from your machine.

There are two ways to achieve a jump login: ssh -A and ssh -J. After logging in to host A without a password with ssh -A hostA, you can run ssh hostB on host A and log in to host B without a password as well, because -A forwards your local ssh agent to host A. ssh -J hostA hostB logs in to hostB through hostA in one step; hostA is used only as a TCP jump and your keys stay on the local machine.

## Port forwarding

Local forwarding

ssh can forward remote ports to the local machine; here are some common examples.

Forward local port 80 to local port 8080, which can be used for temporary TCP port mapping:

ssh -L 8080:localhost:80 localhost

Forward port 3306 of hostA to local port 13306, which is usually used to debug against a remote service locally:

ssh -L 127.0.0.1:13306:127.0.0.1:3306 hostA

For security, it is best to prefix the forwarding specification with 127.0.0.1, so that the forwarded port is bound only to the local loopback address and cannot be reached by port scans from the local LAN.

Through hostA, forward port 80 of host 192.192.0.1 to local port 8080, which is usually used to reach gateways, routers, etc. remotely:

ssh -L 127.0.0.1:8080:192.192.0.1:80 hostA

Remote forwarding

ssh can also forward local ports to a remote host. Here are a few common examples.

Forward local port 8000 to local port 8080, which can be used for temporary TCP port mapping:

ssh -R 8080:localhost:8000 localhost

Forward local port 8080 to port 8000 of hostA, usually used to expose a port when the local machine has no public IP:

ssh -R 8000:localhost:8080 hostA

For security, ssh remote forwarding binds to 127.0.0.1 on the remote side by default. If the forwarded port must be reachable from outside hostA, edit the remote host's sshd configuration file and enable the GatewayPorts option.

Forward port 80 of 192.168.0.1 to port 8000 of hostA, usually used to map a port of an intranet machine:

ssh -R 8000:192.168.0.1:80 hostA

Socks5 proxy

ssh can set up a SOCKS proxy locally so that any TCP address can be reached through hostA via the proxy.

Create a SOCKS proxy on local port 7000 with ssh -D 127.0.0.1:7000 hostA; other software can then access the network through the proxy. If other hosts need to use your local SOCKS proxy, bind it to all interfaces instead, for example ssh -D 0.0.0.0:7000 hostA (without a bind address ssh follows the client's GatewayPorts setting and binds to loopback only).
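The binding advice in the local forwarding, remote forwarding and SOCKS sections all comes down to one check: which listening ports are reachable from the LAN rather than bound to loopback. As an added example (not from the original post), this script audits that over the output of ss -Hltn; run it on your own machine for -L and -D forwards, or on hostA for ports opened with -R. The sample ss lines inside it are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original post. Lists listening TCP sockets
# that are reachable from the LAN instead of being bound to loopback, which
# is how a forward started without the 127.0.0.1 prefix (or -D 0.0.0.0:7000)
# shows up. Input is the output of `ss -Hltn` (no header, listening, tcp,
# numeric); the fourth column is "Local Address:Port".

# exposed_listeners: reads ss lines on stdin and prints "ADDR:PORT" for each
# socket whose local address is not 127.0.0.0/8 or ::1. Wildcard binds
# (0.0.0.0, ::, *) are reported as ALL-INTERFACES.
exposed_listeners() {
    awk '{
        addr = $4
        n = split(addr, parts, ":")
        port = parts[n]
        host = substr(addr, 1, length(addr) - length(port) - 1)
        gsub(/[][]/, "", host)            # strip brackets from IPv6 addresses
        if (host ~ /^127\./ || host == "::1") next
        if (host == "*" || host == "0.0.0.0" || host == "::" || host == "")
            host = "ALL-INTERFACES"
        print host ":" port
    }'
}

# Constructed sample in `ss -Hltn` format: two forwards bound correctly to
# loopback, a SOCKS proxy opened with -D 0.0.0.0:7000, CUPS on ::1 and sshd
# on all interfaces.
SAMPLE='LISTEN 0 128 127.0.0.1:13306 0.0.0.0:* users:(("ssh",pid=4242,fd=5))
LISTEN 0 128 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 128 0.0.0.0:7000 0.0.0.0:*
LISTEN 0 128 [::1]:631 [::]:*
LISTEN 0 128 [::]:22 [::]:*'

# audit_sample: runs the audit over the constructed sample; only the SOCKS
# proxy on 7000 and sshd on 22 are reported.
audit_sample() {
    printf '%s\n' "$SAMPLE" | exposed_listeners
}

audit_sample
# On a live system: ss -Hltn | exposed_listeners
```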

## TUN tunnel

Whether port forwarding or a SOCKS5 proxy, ssh only carries TCP. If you need to forward UDP, try ssh's tun tunnel, which forms a virtual network between the hosts.

To use ssh's tun function, edit the remote host's ssh service configuration file and enable the PermitTunnel option.

Although ssh will try to create the tun device automatically, creating it requires root, and logging in as root is generally not recommended, so first create the tun device manually on the local and remote hosts.

Create a tun device on the local host and set its IP address to 192.168.111.2:

sudo ip tuntap add dev tun0 mode tun

sudo ip link set tun0 up

sudo ip address add 192.168.111.2 peer 192.168.111.3 dev tun0

Create a tun device on the remote host and set its IP address to 192.168.111.3:

sudo ip tuntap add dev tun0 mode tun

sudo ip link set tun0 up

sudo ip address add 192.168.111.3 peer 192.168.111.2 dev tun0

After the devices are created, use ssh -w 0:0 hostA to connect the two tun devices through ssh. Locally, the 192.168.111.3 address can be used to send any TCP/UDP traffic to the remote host, and on the remote host the 192.168.111.2 address reaches the local machine; the traffic is no longer limited to a particular port or protocol.

That's all for this sharing; welcome to join us for a chat.

Telegram: t.me/deepin

Discord: discord.gg/xjjkcp6H2P