OpenSSH Concepts: Difference between revisions
Latest revision as of 04:35, 11 May 2023
Internal
sshd
The OpenSSH server.
Tunneling
Local Forwarding
Local forwarding configures ssh tunneling to listen on a local port and forward the data sent into that port to a remote server, on the specified "remote" port.
-L [bind_address:]port:host:hostport
-L [bind_address:]port:remote_socket
-L local_socket:host:hostport
-L local_socket:remote_socket
This works by allocating a socket to listen to either a TCP "port" on the local side, optionally bound to the specified "bind_address", or to a Unix socket. Whenever a connection is made to the local port or socket, the connection is forwarded over the secure channel, and a connection is made to either "host" port "hostport", or the Unix socket "remote_socket", from the remote machine.
Remote Forwarding
Remote forwarding configures ssh tunneling to listen on a port on the remote side of the tunnel and forward requests to a local port.
-R [bind_address:]port:host:hostport
-R [bind_address:]port:local_socket
-R remote_socket:host:hostport
-R remote_socket:local_socket
-R [bind_address:]port
This works by allocating a socket to listen to either a TCP port or to a Unix socket on the remote side. Whenever a connection is made to that port or Unix socket, the connection is forwarded over the secure channel, and a connection is made from the local machine to either an explicit destination specified by "host" port "hostport", or "local_socket", or, if no explicit destination was specified, ssh will act as a SOCKS 4/5 proxy and forward connections to the destinations requested by the remote SOCKS client.
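The four -L forms and five -R forms above share one layout: a listen side (port, bind_address:port, or a Unix socket) followed by a destination (host:hostport, a Unix socket, or nothing for the SOCKS case). The parser below is an added example, not code from OpenSSH or from this page; it turns a forwarding specification into a structured record so that forwardings found in command lines or shell history can be audited, and it flags listeners explicitly bound to all interfaces. It assumes that Unix socket paths contain a "/", which is how it tells them apart from host names (the real ssh parser is more elaborate).

```python
# Added example (not OpenSSH code): parse -L / -R forwarding specs into a
# listen side and a destination side. Assumption: a Unix socket path always
# contains '/', which is how it is told apart from a host name here.
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class Forward:
    mode: str                       # "L" (local) or "R" (remote)
    bind_address: Optional[str]     # None when not given
    listen_port: Optional[int]      # None when listening on a Unix socket
    listen_socket: Optional[str]
    dest_host: Optional[str]
    dest_port: Optional[int]
    dest_socket: Optional[str]
    socks_proxy: bool               # -R with no destination: SOCKS 4/5 proxy

def _tokens(spec: str) -> list:
    # Split on ':' but keep a bracketed IPv6 address such as [::1] whole.
    return [t.strip("[]") for t in re.findall(r"\[[^\]]*\]|[^:]+", spec)]

def parse_forward(mode: str, spec: str) -> Forward:
    if mode not in ("L", "R"):
        raise ValueError("mode must be 'L' or 'R'")
    toks = _tokens(spec)
    bind = port = lsock = None
    if "/" in toks[0]:                            # local_socket:... or remote_socket:...
        lsock, rest = toks[0], toks[1:]
    elif toks[0].isdigit():                       # port:...
        port, rest = int(toks[0]), toks[1:]
    elif len(toks) >= 2 and toks[1].isdigit():    # bind_address:port:...
        bind, port, rest = toks[0], int(toks[1]), toks[2:]
    else:
        raise ValueError(f"cannot parse listen side of {spec!r}")
    host = hport = dsock = None
    socks = False
    if len(rest) == 2 and rest[1].isdigit():      # host:hostport
        host, hport = rest[0], int(rest[1])
    elif len(rest) == 1 and "/" in rest[0]:       # remote_socket / local_socket
        dsock = rest[0]
    elif not rest and mode == "R" and port is not None:
        socks = True                              # -R [bind_address:]port
    else:
        raise ValueError(f"cannot parse destination of {spec!r}")
    return Forward(mode, bind, port, lsock, host, hport, dsock, socks)

def wildcard_bind(fwd: Forward) -> bool:
    # True when the listener is explicitly bound to every interface.
    return fwd.bind_address in ("*", "0.0.0.0", "::")
```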
Tunneling Operations
ssh Agent
ssh-agent is a key manager for SSH. It holds keys and certificates in memory, unencrypted and ready for use by ssh. It runs in the background, separately from ssh. The ssh agent does not write any key material on disk and it does not allow private keys to be exported. The private keys stored in the agent can only be used for signing messages.
Also see ssh Agent Forwarding
Jump Host
An ssh jump host (also known as a jump server) is an intermediary host or an SSH gateway to a remote network, through which an SSH connection can be made to another host that is inaccessible from the host that initiates the SSH connection. This access pattern is widely used with bastion hosts, which in this case also act as jump hosts. A step-by-step guide on how to make a connection through a jump host is described here: