SSH

ssh client

Generate new keys with

ssh-keygen -o -a 100 -t ed25519

List current keys and their type

for keyfile in ~/.ssh/id_*; do ssh-keygen -l -f "${keyfile}"; done | uniq

Forward local port 9090 to port 8384 on smex.dk (127.0.0.1 is resolved on the SSH server side, so the service only needs to listen on the server's loopback)

ssh -L local_port:remote_host:remote_port user@ssh_server
ssh -N -L 9090:127.0.0.1:8384 smex.dk

Remove entry from known_hosts

ssh-keygen -R <host/ip>

Regenerate a missing public key from the private key

ssh-keygen -y -f id_file

authorized_keys

binding a specific command and host to a key

no-port-forwarding,no-X11-forwarding,no-pty,restrict,command="/usr/lib/ssh/sftp-server",from="10.0.0.30" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJaX949OfzZmg32hbjFdiZKnQvm3v5zjWzpdh9K+Z4Fi vociferous@skylake

run this command only and exit

command="/bin/echo You invoked: $SSH_ORIGINAL_COMMAND",from="10.0.0.30" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJaX949OfzZmg32hbjFdiZKnQvm3v5zjWzpdh9K+Z4Fi vociferous@skylake
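The echo entry above reveals the exact string a client asks for; the natural next step is a forced command that only executes an allowlist built from those captured strings. This is an added example, not from the page or OpenSSH, and it assumes the hypothetical install path /usr/local/bin/ssh-gate and the two allowed commands shown:

```shell
#!/bin/sh
# ssh-gate: forced-command dispatcher for an authorized_keys entry (added example; the
# path /usr/local/bin/ssh-gate is hypothetical). Install it on the key line, e.g.:
#   restrict,from="10.0.0.30",command="/usr/local/bin/ssh-gate" ssh-ed25519 AAAA... backup@host
# sshd runs this script instead of whatever the client asked for; the client's request
# arrives verbatim in SSH_ORIGINAL_COMMAND (capture it first with the echo trick above).

# Audit trail for rejected requests; silently skipped when logger/syslog is unavailable.
gate_log() {
    command -v logger >/dev/null 2>&1 && logger -t ssh-gate -- "$1"
    return 0
}

# Match the whole request exactly: no prefix matching and no shell evaluation of the
# request, so "date -u; id" or "date -u && id" never reach the "date -u" branch.
# Return codes: 0 = allowed command ran, 1 = not on the allowlist, 2 = no command given.
ssh_gate() {
    req=$1
    case $req in
        "")
            echo "ssh-gate: interactive shell not permitted for this key" >&2
            return 2 ;;
        "date -u")
            date -u ;;
        "rsync --server --sender -logDtpre.iLsfxC . /srv/backup/")
            # The exact server-side rsync string for one read-only pull of /srv/backup;
            # the option letters vary by rsync version, so copy what the echo entry showed.
            rsync --server --sender -logDtpre.iLsfxC . /srv/backup/ ;;
        *)
            gate_log "rejected '$req' from ${SSH_CLIENT%% *}"
            echo "ssh-gate: command not permitted" >&2
            return 1 ;;
    esac
}

# Dispatch only when executed as the installed script; sourcing the file just defines the functions.
if [ "${0##*/}" = "ssh-gate" ]; then
    ssh_gate "${SSH_ORIGINAL_COMMAND-}"
    exit $?
fi
```

Pair it with `restrict` on the key line so a rejected request cannot fall back to port forwarding or a pty.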

Supported escape sequences

(Note that escapes are only recognized immediately after newline.)

 ~.   - terminate connection (and any multiplexed sessions)
 ~B   - send a BREAK to the remote system
 ~C   - open a command line
 ~R   - request rekey
 ~V/v - decrease/increase verbosity (LogLevel)
 ~^Z  - suspend ssh
 ~#   - list forwarded connections
 ~&   - background ssh (when waiting for connections to terminate)
 ~?   - this message
 ~~   - send the escape character by typing it twice

Securing sshd_config

Port 22
AddressFamily inet
#ListenAddress 0.0.0.0
#ListenAddress ::
ChallengeResponseAuthentication no
PasswordAuthentication no
UseDNS no
X11Forwarding no
PrintMotd no
AcceptEnv LANG LC_*
PermitRootLogin without-password

Algorithms currently considered secure (updated 2025-11-05)

KexAlgorithms       sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256
MACs                umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
HostKeyAlgorithms   rsa-sha2-256,rsa-sha2-512

No more password login

PermitEmptyPasswords no
PasswordAuthentication no

Match Example

Match Address 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,127.0.0.1/32
    PermitRootLogin prohibit-password
    PasswordAuthentication yes
    # or other exemptions you want

ssh-agent

## Starting ssh-agent from bashrc ##
    # check if ssh-agent is running, if not start it and save its environment to a file
    # (keys are added further down, once SSH_AUTH_SOCK is set in this shell)
    if ! pgrep -u "$USER" ssh-agent > /dev/null; then
        ssh-agent > ~/.ssh-agent-thing
    fi
    # Check if we have a ssh-agent PID, if not grab it from file
    if [[ -z "$SSH_AGENT_PID" ]]; then
        eval "$(<~/.ssh-agent-thing)" > /dev/null
    fi
    # Check that we have keys in keyring, if not add them with 5 hours expiration
    ssh-add -l &> /dev/null || ssh-add -t 5h

Sources:
 - http://blog.tjll.net/ssh-kung-fu/


Last modified: Wed Nov 12 21:50:24 2025