How to install client-server software

Set up complete remote access to a computer via OpenSSH

At the client computer with OpenSSH.

Generate the access keys via, for example, the following command:

ssh-keygen -t ecdsa -b 521

It produces two files, one with the private key and one with the public key.
You can keep the keys on the client computer in the "~/.ssh/" directory or move them elsewhere.

In the client computer's "~/.ssh/config" file, you can use the following OpenSSH configuration:

Host funny.com
    User warrawan
    IdentityFile ~/path/keys/id_ecdsa
    Port 12391

At the server computer with OpenSSH.

The public key generated as instructed above must be placed under the server's "/etc/ssh/users" directory, with the following ownership and file permissions:
"/etc/ssh/users" owned by root, rwxr-xr-x.
"/etc/ssh/users/username" owned by root, rwxr-xr-x.
"/etc/ssh/users/username/id_ecdsa.pub" owned by the target user "username", rw-r--r--.

Edit "/etc/ssh/sshd_config" to allow only needed users, change the server's port, and make sure to have the following options:

AuthorizedKeysFile /etc/ssh/users/%u/id_ecdsa.pub
AuthenticationMethods publickey
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin prohibit-password
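
A check for the options above, as an added example that is not part of the original page: sshd keeps the first value it reads for each keyword, so the script reports the first global occurrence of every option listed here. The function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the options listed above.
# sshd keeps the FIRST value it reads for a keyword (keywords are
# case-insensitive), so a later "PasswordAuthentication no" does not undo an
# earlier "yes". Simplification: only lines before the first Match block count.

# sshd_first_value FILE KEYWORD: print the first global value of KEYWORD
sshd_first_value() {
    awk -v want="$2" '
        /^[ \t]*#/ || NF == 0 { next }             # comments, blank lines
        tolower($1) == "match" { exit }             # global section ends here
        tolower($1) == tolower(want) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# audit_sshd_config FILE: one line per option; returns 0 only if all match
audit_sshd_config() {
    rc=0
    while read -r key expected; do
        actual=$(sshd_first_value "$1" "$key")
        if [ "$actual" = "$expected" ]; then
            echo "ok   $key $actual"
        else
            echo "FAIL $key: want '$expected', first value '${actual:-<unset>}'"
            rc=1
        fi
    done <<'EOF'
AuthorizedKeysFile /etc/ssh/users/%u/id_ecdsa.pub
AuthenticationMethods publickey
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin prohibit-password
EOF
    return "$rc"
}

# Constructed sample: a stray early "yes" shadows the later hardened line.
demo_config() {
    printf '%s\n' '# constructed sample' 'Port 12391' \
        'passwordauthentication yes' \
        'AuthorizedKeysFile /etc/ssh/users/%u/id_ecdsa.pub' \
        'AuthenticationMethods publickey' 'PubkeyAuthentication yes' \
        'PasswordAuthentication no' 'PermitEmptyPasswords no' \
        'PermitRootLogin prohibit-password'
}
tmp=$(mktemp) && demo_config > "$tmp"
audit_sshd_config "$tmp" || echo "sample rejected: fix the first occurrence"
rm -f "$tmp"
```

To audit a real server, call audit_sshd_config with the path "/etc/ssh/sshd_config" after editing it and before restarting sshd.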

Make the SSH server start on boot, and start it now (for OpenBSD):

rcctl enable sshd
rcctl start sshd

Check that the SSH server is running:

ps -A | grep 'ssh'

Check the listening network ports:

netstat -an | grep LISTEN

Use the following commands if you want to display the SSH server public key fingerprint:

ssh-keygen -l
ssh-keygen -l -E md5

SOCKS proxy server with OpenSSH-based tunneling

In this example, the back-end asks the server "funny.com" (the gateway front-end, with user "warrawan"), whose OpenSSH server listens on TCP port 12391, to start a SOCKS proxy listening on TCP port 12362 and to tunnel its traffic to the back-end.
Network resources available to the back-end will be accessible through the SOCKS proxy to everybody who can connect to "funny.com".

On the back-end, create the service file "/etc/systemd/system/ssh_gateway_init.service" (for GNU/Linux with systemd):

[Unit]
Description=Initiate an OpenSSH connection.
After=network.target

[Service]
ExecStart=/usr/bin/ssh -NT -o ServerAliveInterval=60 -o ExitOnForwardFailure=yes -R 12362 -p 12391 warrawan@funny.com

# Restart every >2 seconds to avoid StartLimitInterval failure
RestartSec=5
Restart=always

[Install]
WantedBy=multi-user.target

Enable and start the service:

systemctl enable ssh_gateway_init.service
systemctl start ssh_gateway_init.service

Set up the OpenSSH server on the front-end computer (described above).
Review the security settings first: the gateway feature makes the forwarded port reachable from other hosts, not only from "funny.com" itself. Enable it in "/etc/ssh/sshd_config":

GatewayPorts yes

Trademark notices

Linux(R) is the registered trademark of Linus Torvalds in the United States and other countries.


Copyright (c) 2022 Leonid Dorogin