SSH

create SSH key
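# -t rsa pins the key type: newer OpenSSH releases generate Ed25519 keys by
# default, where -b 4096 has no effect and the id_rsa file name would mislead.
# -N '' writes the private key without a passphrase, so anyone who can read
# ~/.ssh/id_rsa can use it; set a passphrase (and load the key into ssh-agent)
# unless the key is meant for unattended automation.
ssh-keygen -q -t rsa -b 4096 -f ~/.ssh/id_rsa -N '' -C "${USER}@$(hostname -f)"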

Copy public key to server (/home/foo/.ssh/authorized_keys)
ssh-copy-id foo@example.com

show log
tail -f /var/log/auth.log
journalctl _COMM=sshd -f

# configuration
~/.ssh/config: user configuration
/etc/ssh/ssh_config: system-wide client configuration
/etc/ssh/sshd_config: system-wide server configuration

http://www.panticz.de/SSH-server-enable-disable-password-authentication
http://www.panticz.de/ssh_pre-shared-key_authentication

# NOTE(review): UserKnownHostsFile=/dev/null plus StrictHostKeyChecking=no turns
# off host key verification for this connection, so an impostor host or a
# machine-in-the-middle on the path goes unnoticed. Reasonable only for
# throwaway hosts (fresh installs, rescue systems) on a trusted network; avoid
# password logins and agent forwarding over such a session.
ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no root@192.168.1.2

~/.ssh/config
Host 192.168.0.*
User foo
IdentityFile ~/.ssh/foo.id_rsa
BatchMode yes
EscapeChar none
Compression yes

# NOTE(review): host key checking is disabled for this host: the server's
# identity is never verified and a changed key goes unnoticed. Prefer pinning
# the key in a real known_hosts file, or "StrictHostKeyChecking accept-new"
# together with a real known_hosts file if trust on first use is acceptable.
Host tunnel.example.com
UserKnownHostsFile /dev/null
StrictHostKeyChecking no

# NOTE(review): the leading "h" looks like a truncated "ssh" and no target host
# is given; confirm the intended command. ssh-rsa means RSA signatures with
# SHA-1, which OpenSSH 8.8 and later no longer offer by default, and MD5 is the
# legacy fingerprint format; keep both limited to old devices that support
# nothing newer.
h -o HostKeyAlgorithms=ssh-rsa -o FingerprintHash=md5

# Install a key on the server while authenticating with a backup identity kept
# in ~/ssh_bkp.
# NOTE(review): -i is given the .pub file here, while the next two commands use
# the private key ~/ssh_bkp/id_rsa. A public key path only works with -i when
# the matching private key is loaded in ssh-agent; confirm which was meant.
scp -i ~/ssh_bkp/id_rsa.pub ~/.ssh/id_rsa.pub root@www.example.com:/tmp/id_rsa.pub
# Appends the backup public key to root's authorized_keys on the server. With
# StrictModes (the sshd default) the file is ignored if it or ~/.ssh is writable
# by other users, so check the permissions when '>>' has just created it.
cat ~/ssh_bkp/id_rsa.pub | ssh -i ~/ssh_bkp/id_rsa root@www.example.com 'cat >> .ssh/authorized_keys'
ssh -i ~/ssh_bkp/id_rsa root@www.example.com
# NOTE(review): not a valid command as written ("cat ssh-keygen --if"); it
# presumably should convert or append /tmp/id_rsa.pub. Verify before use.
cat ssh-keygen --if /tmp/id_rsa.pub >> ~/.ssh/authorized_keys

# port forward
sudo ssh -L 80:192.168.254.44:80 user@www.example.com -p 222 -N -i /home/${USER}/.ssh/id_rsa
ssh -L 127.0.0.2:8080:localhost:80 user@host

# Options
-N do not execute a remote command
-f run in background
-C compression

http://linux.die.net/man/5/ssh_config
# test
Host mysql.tunnel
HostName some-ssh-server.com
User ssh_username
IdentityFile ~/.ssh/config/id_rsa
LocalForward 3307 127.0.0.1:3306

# NOTE(review): this entry disables host key verification for a production
# host: known keys are discarded (/dev/null) and unknown or changed keys are
# accepted, so an impostor host is not detected. Pin the host key in known_hosts
# instead if the server's key is stable.
Host tunnel.production.site.com
User ec2-user
UserKnownHostsFile /dev/null
StrictHostKeyChecking=no

# Shared settings for a group of hosts, with connection multiplexing.
# NOTE(review): arcfour and blowfish-cbc are weak legacy ciphers that current
# OpenSSH releases no longer support, so an up-to-date client rejects this
# Ciphers line; drop it to get the default cipher list. "Protocol" is likewise
# a deprecated option (only protocol 2 remains).
Host X01 X02 ...
User my_username
Compression yes
Ciphers arcfour,blowfish-cbc
Protocol 2
# ControlMaster/ControlPath reuse one authenticated connection per
# user@host:port. Whoever can open the control socket gets sessions on that
# connection without authenticating again, so keep ~/.ssh readable by the owner
# only.
ControlMaster auto
ControlPath ~/.ssh/%r@%h:%p
IdentityFile ~/.ssh/YYY/id_rsa

IdentityFile ~/.ssh/config/id_rsa
LocalForward 3307 127.0.0.1:3306

# SendEnv LANG LC_*
#HostKeyAlgorithms ssh-rsa

# reverse tunnel
# http://www.thegeekstuff.com/2013/11/reverse-ssh-tunnel/
ssh -fN -R 2222:localhost:22 user@www.example.com
# connect back from www.example.com
user@www.example.com:~$ ssh me@localhost -p 2222

# SSH config options
ForwardAgent yes
IdentitiesOnly yes
IdentityFile /home/foo/.ssh/id_rsa

# NOTE(review): "Host *" applies these settings to every destination.
# ForwardAgent yes lets root (or anyone with access to the forwarded agent
# socket) on each server you log in to authenticate as you while the session
# lasts; enable it per host, or use ProxyJump, instead of globally.
# StrictHostKeyChecking no adds new host keys without asking and still connects
# when a known key has changed, which removes the prompt that would expose an
# unexpected server.
Host *
ForwardAgent yes
SendEnv LANG LC_*
StrictHostKeyChecking no

# add default domain
Host *.example.com
HostName %h
USER user

Host *
HostName %h.example.com
USER user
BatchMode yes

# ssh forwarding to sudo
# -E asks sudo to preserve the caller's environment (SSH_AUTH_SOCK included),
# subject to the sudoers policy; -s starts a shell.
sudo -E -s

# Alternative: always keep SSH_AUTH_SOCK across sudo, so commands run through
# sudo can use the keys held by the (forwarded) agent.
# NOTE(review): a syntax error in a file under /etc/sudoers.d can break sudo for
# everyone; check the result with "visudo -cf /etc/sudoers.d/ssh" after writing
# it. sudoers is read on each sudo invocation, so the restart below is probably
# unnecessary. Confirm on the target distribution.
echo "Defaults env_keep+=SSH_AUTH_SOCK" >> /etc/sudoers.d/ssh
service sudo restart

# test if SSH agent is running
env | grep SSH_AGENT_PID

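# start an SSH agent for this shell and load the default keys
# The command substitution is quoted so the agent's output reaches eval
# unchanged; -s forces Bourne-style output regardless of $SHELL.
eval "$(ssh-agent -s)"
# ssh-add without arguments loads the default identity files from ~/.ssh;
# "ssh-add -t <lifetime>" limits how long a key stays loaded in the agent.
ssh-add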

# remote X window with bash login
# -X enables X11 forwarding: programs on the remote host get access to the
# local X display (limited by the X11 SECURITY extension unless -Y is used), so
# use it only with hosts whose administrators you trust.
# -C is ssh's compression flag; the remote command is /bin/bash -l -c "COMMAND".
# ssh joins the remote arguments into one string that the remote shell parses
# again, so a COMMAND containing spaces needs an extra level of quoting.
ssh -X USER@REMOTE_HOST -C /bin/bash -l -c "COMMAND"

# socket forward
ssh -N -D 8080 root@192.168.0.1
chromium-browser --proxy-server="socks5://localhost:8080"

?? --proxy-server="https=proxyip:8443;http=proxyip:8080"

Enable DNS forwarding in Firefox:
network.proxy.socks_remote_dns: true

# port forward
ssh -N -L 8080:192.168.0.12:80 root@192.168.0.1
http://localhost:8080

# ssh forward to mailserver
# cat /etc/hosts
127.0.0.1 imap.example.com
127.0.0.1 smtp.example.com
sudo ssh -L 143:imap.example.com:143 -L 25:smtp.example.com:25 foo@vpn.example.com -i /home/foo/.ssh/id_rsa -N

deny SSH user
# /etc/ssh/sshd_config
DenyUsers foo
Match User test
PasswordAuthentication no

Host *
ServerAliveInterval 30

Removes host keys from ~/.ssh/known_hosts by hostname or IP
ssh-keygen -R www.example.com

Update SSH known hosts
# NOTE(review): ssh-keyscan output is unauthenticated, so appending it directly
# trusts whatever answered on the network at that moment. Compare the
# fingerprints of the scanned keys (ssh-keygen -lf <file>) with ones obtained
# from the servers out of band before adding them to known_hosts.
# -t rsa collects only the RSA host keys of web1..web5.
ssh-keyscan -t rsa web{1..5}.example.com >> ~/.ssh/known_hosts

Forward webserver over SSH
# on client
# NOTE(review): sshd_config belongs to the host that accepts the -R connection
# (www.example.com in the command below); confirm the client/server labels.
# GatewayPorts controls where remote forwards may listen: "clientspecified"
# lets the connecting client choose the bind address, "yes" always binds on all
# interfaces. Run "sshd -t" to validate the file before restarting, so a bad
# line does not take the SSH service down.
#echo "GatewayPorts yes" >> /etc/ssh/sshd_config
echo "GatewayPorts clientspecified" >> /etc/ssh/sshd_config
service ssh restart

# on server
# Publishes 192.168.0.1:80 and :443 as ports 80/443 on www.example.com; the
# root login is used because listening on ports below 1024 needs privileges.
# NOTE(review): StrictHostKeyChecking=no skips verification of www.example.com's
# host key for a connection that logs in as root; pin the host key in
# known_hosts instead.
ssh -o StrictHostKeyChecking=no -N -R 80:192.168.0.1:80 -R 443:192.168.0.1:443 root@www.example.com

Get hostkey
ssh-keyscan SERVER

SendEnv no

Forwarding
DynamicForward 127.0.0.1:1080
RemoteForward 80 127.0.0.1:8000
LocalForward 1521 10.0.0.99:1521
GatewayPorts no

# double forward
# -R publishes forward_from.tld:80 (as reached from the local machine) on port
# 10080 of forward_to.tld; the inner ssh to localhost re-exports it as port 80,
# and -g binds that listener on all interfaces instead of loopback only.
# -A forwards the local agent so the inner ssh can authenticate; host key
# checking is disabled only for that inner localhost hop.
ssh -A -R 10080:forward_from.tld:80 user@forward_to.tld "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -g -N -L 80:localhost:10080 localhost"

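# Forward the DB port through an SSH tunnel and make it publicly accessible.
# -R exposes local port 3306 as port 10080 on db.example.com; the inner ssh
# re-publishes it there as port 3306, and -g binds that listener on all
# interfaces. Everyone who can reach port 3306 on that host then reaches the
# database, so limit the source addresses with a firewall and rely on the
# database's own authentication and TLS.
# -A forwards the local agent to the remote root account for the inner login.
ssh -A -R 10080:localhost:3306 root@db.example.com "ssh -g -N -L 3306:localhost:10080 localhost"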

# copy block device over network with SSH
# Overwrites /dev/sdc on the remote host with the contents of the local
# /dev/sdc. Both ends need raw device access (normally root), and dd asks for no
# confirmation, so check the target device name on the remote side first.
# -C compresses the stream in transit.
dd if=/dev/sdc | ssh -C user@host dd of=/dev/sdc
# Copy a single file through ssh; -e none disables the escape character so the
# session passes the data through unmodified.
cat file | ssh -e none remote-host 'cat > file'

# show SSH status
systemctl status ssh

# SSH VPN
# https://wiki.archlinux.org/index.php/VPN_over_SSH
# -w 0:0 requests tun0 on both ends; the server has to allow this with
# PermitTunnel in sshd_config, and creating tun devices needs root locally
# (hence sudo) and on gw.example.com (hence the root login).
# LocalCommand runs on the local machine once the connection is up and requires
# PermitLocalCommand=yes; the quoted command at the end runs on the gateway.
# NOTE(review): this setup depends on direct root login over SSH on the
# gateway; restrict that account to key authentication
# (PermitRootLogin prohibit-password).
sudo ssh \
-i /home/foo/.ssh/id_rsa \
-o PermitLocalCommand=yes \
-o LocalCommand="sudo ifconfig tun0 192.168.99.2 pointopoint 192.168.99.1 netmask 255.255.255.0; sudo route add -net 192.168.100.0 gw 192.168.99.1 netmask 255.255.255.0" \
-o ServerAliveInterval=60 \
-w 0:0 root@gw.example.com -p 22022 \
'sudo ifconfig tun0 192.168.99.1 pointopoint 192.168.99.2 netmask 255.255.255.0; echo tun0 ready'

# sshfs
sshfs -o ServerAliveInterval=15 root@www.example.com:/var/www/ /mnt

Links
http://pentestmonkey.net/cheat-sheet/ssh-cheat-sheet
http://en.wikibooks.org/wiki/OpenSSH/Cookbook/Proxies_and_Jump_Hosts
http://matt.might.net/articles/ssh-hacks/