===== Setup =====

<code bash>
sudo apt-get install openssh-server openssh-client
</code>

===== Configure =====

==== Configure reverse ssh ====

https://www.howtogeek.com/428413/what-is-reverse-ssh-tunneling-and-how-to-use-it/

Start the tunnel from the machine you want to reach. This opens port 19999 on hosta.vis.ac (bound to its loopback interface) that leads back to port 22 on the machine running the command:

<code bash>
/usr/bin/ssh -R 19999:localhost:22 vissie@hosta.vis.ac
</code>

Connect from hosta.vis.ac through the tunnel:

<code bash>
ssh -p19999 root@localhost
</code>

==== Configure reverse ssh as a service ====

<code bash>
vim /etc/systemd/system/ssh_remote.service
</code>

<code ini>
[Unit]
Description=SSH Tunnel
After=network.target

[Service]
Restart=always
RestartSec=20
User=vissie
ExecStart=/usr/bin/ssh -p1234 -NT -o ServerAliveInterval=60 -R 999:localhost:22 user@remote.com

[Install]
WantedBy=multi-user.target
</code>

The service runs as ''User=vissie'' with no terminal, so that user needs a key without a passphrase and the remote host key must already be in its known_hosts; nothing can answer a prompt. Adding ''-o ExitOnForwardFailure=yes'' makes ssh exit (and systemd restart it) when the remote port is already taken, instead of keeping a session that forwards nothing.

==== Configure SSHD ====

Some good strong options to consider when setting up sshd.

<code bash>
vim /etc/ssh/sshd_config
</code>

<code>
...
Protocol 2
ClientAliveInterval 900
ClientAliveCountMax 3
MaxAuthTries 3
IgnoreRhosts yes
HostbasedAuthentication no
PermitEmptyPasswords no
UsePrivilegeSeparation yes
StrictModes yes
UsePAM yes
AllowUsers user1 user2
PermitRootLogin no
X11Forwarding no
...
</code>

Run ''sshd -t'' after editing: a misspelled keyword stops sshd from starting at all. ''Protocol'' and ''UsePrivilegeSeparation'' are accepted as deprecated no-ops by current OpenSSH (protocol 1 was removed in 7.6 and privilege separation is always on since 7.5).

===== Keys =====

If you get:

<code>
# ssh-copy-id root@192.168.1.11
/usr/bin/ssh-copy-id: ERROR: No identities found
</code>

Solution: you will have to manually define the path of the public key using the ''-i'' switch as shown below:

<code bash>
ssh-copy-id -i .ssh/id_rsa.pub 192.168.1.11
</code>

You can then create an alias to use that key in your bash.bashrc file:

<code bash>
alias name='ssh -i ~/.ssh/some_other.key my.host.com'
</code>

==== Copy keys without ssh-copy-id ====

https://openelec.tv/documentation/configuration/ssh-public-keys

<code bash>
ssh-keygen
scp -P 22 ~/.ssh/id_rsa.pub username@198.168.1.122:~/Downloads/id_rsa_localbox.pub
</code>

On the remote end:

<code bash>
cat ~/Downloads/id_rsa_localbox.pub >> ~/.ssh/authorized_keys
</code>

===== File share with ssh =====

If you are a Gnome user, this is possible in Nautilus as well. Instead of ''fish://username@192.168.1.20'' you have to enter ''ssh://username@192.168.1.20'' in the address bar: the protocol is ssh:// instead of fish://.
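An added example (not from this page) that audits a copy of sshd_config against the hardening list above. It reads the file the way sshd does (first occurrence of a keyword wins, comments skipped, nothing below a Match block counted) and reports values that differ from the list, keywords given twice, and misspelled keywords such as the ''StrcitModes'' planted in the constructed sample, which would stop a real sshd from starting. The ''EXPECTED'' and ''KNOWN'' lists and the sample file are part of the example, not sshd's own data.

```shell
#!/bin/sh
# Added example, not from the page: audit a copy of sshd_config against the
# hardening values listed above, applying sshd's own reading rules (first
# occurrence of a keyword wins, comments ignored, reading stops at Match
# because everything below it is conditional).

# Keyword (lower case) and the value wanted, taken from the list above.
EXPECTED='
permitrootlogin no
permitemptypasswords no
hostbasedauthentication no
ignorerhosts yes
strictmodes yes
usepam yes
x11forwarding no
maxauthtries 3
'
# Keywords sshd accepts (only the ones this audit needs to recognise).
KNOWN='permitrootlogin permitemptypasswords hostbasedauthentication ignorerhosts strictmodes usepam x11forwarding maxauthtries clientaliveinterval clientalivecountmax allowusers protocol useprivilegeseparation port listenaddress passwordauthentication'

# sshd_get FILE KEY: the first effective value of KEY, or nothing if unset.
sshd_get() {
    awk -v key="$2" '/^[ \t]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { sub(/^[ \t]*[^ \t]+[ \t]*/, ""); print; exit }' "$1"
}

# sshd_audit FILE: one finding per line (MISSING, MISMATCH, DUPLICATE, UNKNOWN).
sshd_audit() {
    file=$1
    while read -r key want; do
        [ -n "$key" ] || continue
        have=$(sshd_get "$file" "$key")
        if [ -z "$have" ]; then
            echo "MISSING  $key (compiled-in default applies, want '$want')"
        elif [ "$(echo "$have" | tr 'A-Z' 'a-z')" != "$want" ]; then
            echo "MISMATCH $key is '$have', want '$want'"
        fi
    done <<EOF
$EXPECTED
EOF
    # A keyword given twice: only the first value is used, later ones are silently ignored.
    awk '/^[ \t]*(#|$)/ { next }
         tolower($1) == "match" { exit }
         { k = tolower($1); if (++n[k] == 2) print "DUPLICATE " k " (only the first value is used)" }' "$file"
    # A keyword sshd does not know: sshd -t fails and the daemon will not start.
    awk -v known=" $KNOWN " '/^[ \t]*(#|$)/ { next }
         tolower($1) == "match" { exit }
         index(known, " " tolower($1) " ") == 0 { print "UNKNOWN  " $1 " (sshd -t will reject this)" }' "$file"
}

# Constructed sample, not a real host's file: the list above with two defects
# planted, a misspelled keyword and a conflicting duplicate.
write_sample() {
    cat > "$1" <<'EOF'
# sshd_config (constructed sample)
Protocol 2
ClientAliveInterval 900
ClientAliveCountMax 3
MaxAuthTries 3
IgnoreRhosts yes
HostbasedAuthentication no
PermitEmptyPasswords no
StrcitModes yes
UsePAM yes
AllowUsers user1 user2
PermitRootLogin yes
PermitRootLogin no
X11Forwarding no
EOF
}

case "${1:-}" in
    "")     ;;                                                     # sourced: define functions only
    --demo) f=$(mktemp); write_sample "$f"; sshd_audit "$f"; rm -f "$f" ;;
    *)      sshd_audit "$1" ;;                                     # audit the given file
esac
```

Run it as ''sh audit.sh /etc/ssh/sshd_config'' (or ''--demo'' for the sample). The duplicate check matters because sshd never warns about a second ''PermitRootLogin'' line: the one lower in the file, which is usually the one a person just added, is the one that is ignored.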
Or you could try sshfs: http://fuse.sourceforge.net/sshfs.html

Before attempting to mount a directory, make sure the file permissions on the target directory allow your user correct access. To mount, invoke sshfs with the remote directory and a local mount point:

<code bash>
sshfs USERNAME@HOSTNAME_OR_IP:/REMOTE_PATH LOCAL_MOUNT_POINT SSH_OPTIONS
</code>

For example:

<code bash>
sshfs sessy@mycomputer:/remote/path /local/path -C -p 9876 -o allow_other
</code>

Where ''-p 9876'' is the port number, ''-C'' enables compression and ''-o allow_other'' lets non-root users have read/write access to the mount.

===== Send email on ssh login =====

http://askubuntu.com/questions/179889/how-do-i-set-up-an-email-alert-when-a-ssh-login-is-successful

First you need to be able to send mail from the command line. There are other questions about this. On a mail server it's probably easiest to install mailx (which is probably already installed anyway). See [[Mail]].

Then you need an executable script file login-notify.sh (I put it in /etc/ssh/ for example) with the following content. You can change the variables to change the subject and content of the e-mail notification.

<code bash>
vim /etc/ssh/login-notify.sh
</code>

<code bash>
#!/bin/bash

# Change these two lines:
sender="sender-address@example.com"
recipient="notify-address@example.org"

if [ "$PAM_TYPE" != "close_session" ]; then
    host="`hostname`"
    subject="SSH Login: $PAM_USER from $PAM_RHOST on $host"
    # Message to send, e.g. the current environment variables.
    message="`env`"
    echo "$message" | mailx -a "From: Foo Bar <$sender>" -s "$subject" "$recipient"
fi
</code>

<code bash>
chmod +x login-notify.sh
</code>

Once you have that, you can add the following line to /etc/pam.d/sshd:

<code>
session optional pam_exec.so seteuid /path/to/login-notify.sh
</code>

For testing purposes, the module is included as optional, so that you can still log in if the execution fails. After you have made sure that it works, you can change optional to required. Then login won't be possible unless the execution of your hook script is successful (if that is what you want).

Because pam_exec runs the script from sshd with root privileges, keep it owned by root and not writable by group or others; otherwise anyone who can edit it gets code run as root on every login.
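An added example (not the login-notify.sh from the page) of the same pam_exec hook written so it can be exercised from a shell before it is wired into PAM. pam_exec exports PAM_TYPE, PAM_SERVICE, PAM_USER and PAM_RHOST into the environment of the command it runs; the functions below read only those, act only on ''open_session'' events from sshd, strip anything unexpected from the client address before it reaches a mail subject, and keep a local log line so the record survives a mail outage. NOTIFY_MAIL, NOTIFY_LOG and DRY_RUN are names chosen for this example.

```shell
#!/bin/sh
# Added example, not the page's script: an sshd session hook for pam_exec
# that can be tested without a real login. Only the PAM_* variables that
# pam_exec exports are read. NOTIFY_MAIL, NOTIFY_LOG, DRY_RUN are ours.

NOTIFY_MAIL=${NOTIFY_MAIL:-notify-address@example.org}
NOTIFY_LOG=${NOTIFY_LOG:-/var/log/ssh-login-notify.log}

# safe_rhost: the client address as sshd recorded it, reduced to characters
# an address or hostname may legitimately contain, so a hostile reverse-DNS
# name cannot smuggle control characters into the subject line or the log.
safe_rhost() {
    r=$(printf '%s' "${PAM_RHOST:-}" | tr -cd 'A-Za-z0-9.:_-')
    printf '%s' "${r:-unknown}"
}

# login_record: print one audit line for a successful sshd login; print
# nothing and return 1 for every other PAM event (session close, a login
# through another service such as sudo, or the variables missing entirely).
login_record() {
    [ "${PAM_TYPE:-}" = "open_session" ] || return 1
    [ "${PAM_SERVICE:-}" = "sshd" ]      || return 1
    [ -n "${PAM_USER:-}" ]               || return 1
    printf '%s sshd login user=%s from=%s host=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$PAM_USER" "$(safe_rhost)" "$(uname -n)"
}

# notify: append the record to the log file and mail it. With DRY_RUN=1 the
# mail command is printed instead of run, which is how it is tested below.
# Nothing to report is not an error, so the hook never blocks a login once
# the pam.d line is changed from "optional" to "required".
notify() {
    record=$(login_record) || return 0
    printf '%s\n' "$record" >> "$NOTIFY_LOG"
    subject="SSH Login: $PAM_USER from $(safe_rhost)"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'would run: mailx -s "%s" %s\n' "$subject" "$NOTIFY_MAIL"
    else
        printf '%s\n' "$record" | mailx -s "$subject" "$NOTIFY_MAIL"
    fi
}

# When pam_exec runs this file PAM_TYPE is always set; when the file is
# sourced for testing it is not, and only the functions are defined.
if [ -n "${PAM_TYPE:-}" ]; then
    notify
fi
```

Installed the same way as the page's script (''session optional pam_exec.so seteuid /etc/ssh/login-notify.sh''), and tested beforehand with ''PAM_TYPE=open_session PAM_SERVICE=sshd PAM_USER=alice PAM_RHOST=203.0.113.7 DRY_RUN=1 sh login-notify.sh''.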
===== How To Set Up SSH Keys =====

The first step is to create the key pair on the client machine (there is a good chance that this will just be your computer):

<code bash>
ssh-keygen -t rsa
</code>

On current OpenSSH, ''-t ed25519'' gives a smaller and faster key; if you stay with RSA, use at least ''-b 3072'' (the default since OpenSSH 8.0).

You can copy the public key into the new machine's authorized_keys file with the ssh-copy-id command. Make sure to replace the example username and IP address below.

<code bash>
ssh-copy-id -p22 user@123.45.56.78
</code>

===== Two-factor authentication using Google Authenticator =====

https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-14-04
https://www.digitalocean.com/community/tutorials/how-to-set-up-multi-factor-authentication-for-ssh-on-ubuntu-16-04

<code bash>
sudo apt-get install libpam-google-authenticator
</code>

Next, execute google-authenticator as the user you want to protect with MFA:

<code bash>
google-authenticator
</code>

There are a number of questions to answer, but generally speaking y will be a good choice for all of them. A configuration file is then written to ~/.google_authenticator.

Do this for every user listed in ''AllowUsers'' before restarting sshd: once the module is ''required'', a user without that file cannot log in at all (the module's ''nullok'' argument relaxes this, at the cost of letting unenrolled users skip the second factor).

Next, root needs to enable Google Authenticator in PAM.
The module has to be added to the auth list in /etc/pam.d/sshd; the exact steps differ per distribution.

==== Debian ====

Next up, open your SSH configuration file /etc/ssh/sshd_config:

<code bash>
vim /etc/ssh/sshd_config
</code>

Change

<code>
ChallengeResponseAuthentication no
</code>

to

<code>
ChallengeResponseAuthentication yes
</code>

and add

<code>
AuthenticationMethods publickey,keyboard-interactive
</code>

And in /etc/pam.d/sshd remove the standard authentication by commenting out the include:

<code bash>
vim /etc/pam.d/sshd
</code>

<code>
#@include common-auth
</code>

and add google-authenticator:

<code>
auth required pam_google_authenticator.so
</code>

and restart sshd:

<code bash>
/etc/init.d/ssh restart
</code>

==== Arch Linux ====

<code bash>
yay -S libpam-google-authenticator
google-authenticator
vim /etc/pam.d/sshd
</code>

<code>
#%PAM-1.0
#auth      required  pam_securetty.so     #disable remote root
auth       include   system-remote-login
account    include   system-remote-login
password   include   system-remote-login
session    include   system-remote-login
auth       required  pam_google_authenticator.so
</code>

Next up, open your SSH configuration file /etc/ssh/sshd_config:

<code bash>
vim /etc/ssh/sshd_config
</code>

Change

<code>
ChallengeResponseAuthentication no
</code>

to

<code>
ChallengeResponseAuthentication yes
</code>

And in /etc/pam.d/sshd add the following:

<code bash>
vim /etc/pam.d/sshd
</code>

<code>
auth required pam_unix.so
auth required pam_google_authenticator.so
auth required pam_env.so
</code>

and restart sshd:

<code bash>
sudo systemctl restart sshd
</code>

Happy days...
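An added example (not from this page or the Google Authenticator project) that checks copies of sshd_config and /etc/pam.d/sshd for the wiring the Debian and Arch steps above describe, so a mistake is found before sshd is restarted and a root session lost. The point it enforces is the one that is easy to miss: unless ''AuthenticationMethods'' lists ''keyboard-interactive'' after ''publickey'', a valid key completes the login on its own and the PAM auth stack, OTP included, is never asked. ''mfa_check'', ''cfg_value'' and the sample files are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the page: verify sshd_config and pam.d/sshd are
# wired for "key plus OTP". Works on file copies; nothing is changed.

# cfg_value FILE KEY: first effective value of an sshd_config keyword, lower-cased
# (sshd uses the first occurrence; comments are skipped; reading stops at Match).
cfg_value() {
    awk -v key="$2" '/^[ \t]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { sub(/^[ \t]*[^ \t]+[ \t]*/, ""); print tolower($0); exit }' "$1"
}

# pam_active_lines FILE: the pam.d lines that are neither comments nor blank.
pam_active_lines() { awk '/^[ \t]*(#|$)/ { next } { print }' "$1"; }

# mfa_check SSHD_CONFIG PAM_SSHD: prints FAIL/NOTE lines, returns the number of FAILs.
mfa_check() {
    cfg=$1 pam=$2 fails=0
    # KbdInteractiveAuthentication is the current keyword (OpenSSH 8.7+);
    # ChallengeResponseAuthentication is the older name the page uses.
    kbd=$(cfg_value "$cfg" kbdinteractiveauthentication)
    [ -n "$kbd" ] || kbd=$(cfg_value "$cfg" challengeresponseauthentication)
    if [ "$kbd" != yes ]; then
        echo "FAIL ChallengeResponseAuthentication is not yes: the OTP prompt is never shown"
        fails=$((fails + 1))
    fi
    if [ "$(cfg_value "$cfg" usepam)" != yes ]; then
        echo "FAIL UsePAM is not yes: the PAM auth stack is not consulted at all"
        fails=$((fails + 1))
    fi
    case "$(cfg_value "$cfg" authenticationmethods)" in
        *publickey,keyboard-interactive*) ;;
        *) echo "FAIL AuthenticationMethods lacks publickey,keyboard-interactive: a key alone still logs in"
           fails=$((fails + 1)) ;;
    esac
    lines=$(pam_active_lines "$pam")
    ga=$(printf '%s\n' "$lines" | grep 'pam_google_authenticator\.so' | head -n 1)
    if [ -z "$ga" ]; then
        echo "FAIL pam_google_authenticator.so is not in $pam"
        fails=$((fails + 1))
    else
        set -- $ga               # $1=type $2=control $3=module, rest = arguments
        case "$2" in
            required|requisite) ;;
            *) echo "FAIL control for pam_google_authenticator.so is '$2', want required (optional ignores a wrong code)"
               fails=$((fails + 1)) ;;
        esac
        case "$ga" in
            *nullok*) echo "NOTE nullok set: users who have not enrolled skip the OTP" ;;
            *)        echo "NOTE nullok not set: users without ~/.google_authenticator cannot log in" ;;
        esac
    fi
    case "$lines" in
        *"@include common-auth"*) echo "NOTE common-auth still included: the password is asked as well as the OTP" ;;
    esac
    return "$fails"
}

# Constructed samples: one pair wired as the Debian section says, one with the
# mistakes seen most often (prompt left off, no AuthenticationMethods, module
# marked optional while common-auth is still active).
write_samples() {
    dir=$1
    printf 'UsePAM yes\nChallengeResponseAuthentication yes\nAuthenticationMethods publickey,keyboard-interactive\n' > "$dir/good.sshd_config"
    printf '#@include common-auth\nauth required pam_google_authenticator.so\n@include common-account\n' > "$dir/good.pam"
    printf 'UsePAM yes\nChallengeResponseAuthentication no\n' > "$dir/bad.sshd_config"
    printf '@include common-auth\nauth optional pam_google_authenticator.so\n' > "$dir/bad.pam"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d); write_samples "$d"
    echo "== good =="; mfa_check "$d/good.sshd_config" "$d/good.pam" || true
    echo "== bad ==";  mfa_check "$d/bad.sshd_config"  "$d/bad.pam"  || true
    rm -rf "$d"
fi
```

To check a live host, source the file and run ''mfa_check /etc/ssh/sshd_config /etc/pam.d/sshd''; a non-zero return is the number of blocking problems.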
==== CentOS ====

https://www.vultr.com/docs/how-to-setup-two-factor-authentication-for-ssh-on-centos-6-using-google-authenticator

<code bash>
sudo yum install pam pam-devel google-authenticator
</code>

---- to continue one day -----

<code bash>
google-authenticator
vim /etc/pam.d/sshd
</code>

<code>
#auth required pam_securetty.so #disable remote root
auth required pam_unix.so
auth required pam_google_authenticator.so
auth required pam_env.so
</code>

Next up, open your SSH configuration file /etc/ssh/sshd_config:

<code bash>
vim /etc/ssh/sshd_config
</code>

Change

<code>
ChallengeResponseAuthentication no
</code>

to

<code>
ChallengeResponseAuthentication yes
</code>

And in /etc/pam.d/sshd add the following:

<code bash>
vim /etc/pam.d/sshd
</code>

<code>
auth required pam_unix.so
auth required pam_google_authenticator.so
auth required pam_env.so
</code>

and restart sshd:

<code bash>
sudo systemctl restart sshd
</code>

Happy days...

==== ProxyJump ====

The ProxyJump option, or the -J flag, was introduced in ssh version 7.3. To use it, specify the bastion host to connect through after the -J flag, plus the remote host:

<code bash>
ssh -J <bastion-host> <remote-host>
</code>

You can also set specific usernames and ports if they differ between the hosts:

<code bash>
ssh -J <bastion-user>@<bastion-host>:<bastion-port> -p <remote-port> <remote-user>@<remote-host>
</code>

The ssh man (or manual) page (man ssh) notes that multiple, comma-separated hostnames can be specified to jump through a series of hosts:

<code bash>
ssh -J <host1>,<host2> <remote-host>
</code>

==== Hard-coding proxy hosts in config ====

The -J flag provides flexibility for easily specifying proxy and remote hosts as needed, but if a specific bastion host is regularly used to connect to a specific remote host, the ProxyJump configuration can be set in ~/.ssh/config to automatically make the connection to the bastion en route to the remote host:

<code>
### The Bastion Host
Host bastion-host-nickname
    HostName bastion-hostname

### The Remote Host
Host remote-host-nickname
    HostName remote-hostname
    ProxyJump bastion-host-nickname
</code>

Using the example configuration above, the connection is made like so:

<code bash>
ssh remote-host-nickname
</code>

===== Reverse proxy =====

<code bash>
ssh -R 5901:localhost:5901 -p 1234 remote.server.com
</code>

I like to think of it this way:

<code bash>
ssh -R 7000:localhost:5901 -p 1234 remote.server.com
</code>

Port 7000 is created on the remote server (whose sshd listens on 1234) and leads back to port 5901 on localhost.

<code bash>
vim ./port_forward.sh
</code>

<code bash>
#!/bin/bash

## for kvm setups
#ssh -p1234 myserver.ip.add -L 5901:127.0.0.1:5901

# For my IP cameras https://127.0.0.1:5001/
#ssh -L 5001:192.168.1.22:443 sshservername

# For my IP cameras http://127.0.0.1:5000/
ssh -L 5000:192.168.1.23:80 sshservername

# For zmninja
#ssh -L 5000:192.168.1.2:1234 sshservername

# My Router
#ssh -L 5000:192.168.1.1:80 sshservername
</code>
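An added example (not the page's port_forward.sh) that builds the ssh -L arguments for a set of forwards from a small table, with the checks a forward-only session should have: every forward is bound to the loopback address unless ALLOW_WIDE_BIND=1 is set, so a camera or router reached through the tunnel is not also exposed to everyone on the laptop's network; ports must be valid; and a local port may be used only once (the script above reuses 5000 for several targets, which works only while the others stay commented out). The table format, ''build_forwards'' and ''ALLOW_WIDE_BIND'' are inventions of this example; ''-N'' and ''ExitOnForwardFailure'' are real ssh options.

```shell
#!/bin/sh
# Added example, not the page's script: assemble ssh -L forwards from a table,
# refusing wide bind addresses, bad ports and clashing local ports.

# is_port N: true for 1..65535.
is_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# fwd_spec BIND LPORT HOST TPORT: prints "-L BIND:LPORT:HOST:TPORT" or fails.
fwd_spec() {
    bind=$1 lport=$2 host=$3 tport=$4
    if ! is_port "$lport" || ! is_port "$tport"; then
        echo "bad port in $lport -> $host:$tport" >&2; return 1
    fi
    case "$bind" in
        127.0.0.1|localhost|::1) ;;   # only the local machine can reach the forward
        *) if [ "${ALLOW_WIDE_BIND:-0}" != 1 ]; then
               echo "refusing to bind $bind:$lport on the network (set ALLOW_WIDE_BIND=1 to allow)" >&2
               return 1
           fi ;;
    esac
    printf '%s %s:%s:%s:%s' -L "$bind" "$lport" "$host" "$tport"
}

# build_forwards SSH_HOST < table: lines of "bind lport host tport" (# comments
# allowed). Prints the full ssh command: -N because no shell is wanted, and
# ExitOnForwardFailure=yes so a port already in use ends the session instead
# of leaving a silent connection with no forward behind it.
build_forwards() {
    args="" seen=" "
    while read -r bind lport host tport; do
        case "$bind" in ''|\#*) continue ;; esac
        case "$seen" in *" $lport "*) echo "local port $lport used twice" >&2; return 1 ;; esac
        seen="$seen$lport "
        spec=$(fwd_spec "$bind" "$lport" "$host" "$tport") || return 1
        args="$args $spec"
    done
    printf 'ssh -N -o ExitOnForwardFailure=yes%s %s\n' "$args" "$1"
}

# Constructed table: the page's two camera forwards, each on its own local port.
FORWARDS='
# bind       lport  target-host    tport
127.0.0.1    5000   192.168.1.23   80
127.0.0.1    5001   192.168.1.22   443
'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$FORWARDS" | build_forwards sshservername
fi
```

Run with ''--demo'' to print the command, or pipe your own table into ''build_forwards'' and eval the result. The bind check is the part worth keeping even if the rest is dropped: ''-L 0.0.0.0:5000:...'' (or ''-g'') turns the laptop into an open relay to whatever sits behind the tunnel.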