Shell Tools

OpenSSL

This library comes pre-installed with BSD and Linux variants. The use case here is to create client keys so as to avoid password authentication.

ssh-keygen -t ed25519
create an Ed25519 key pair, stored in your $HOME/.ssh directory
ssh-keygen -t ecdsa
create an elliptic curve DSA (ECDSA) signing key pair, stored in your $HOME/.ssh directory
ssh-copy-id user@hostname
copy the created public key into the authorized_keys file on the remote server. From now on you can use public-key authentication instead of password authentication
pkg install fusefs-sshfs
on FreeBSD
apt-get install sshfs
on Linux variants
vi /etc/fstab
sshfs#user@hostname:/path/to/share /path/to/mountpoint fuse noauto,rw,uid=username,gid=groupname,user,reconnect,IdentityFile=/path/to/home/.ssh/id_ecdsa 0 0
mount /path/to/mountpoint
the above command can be executed as a user. No need for root access

socat

A multi-purpose relay with several use cases:

  • Your personal computer is behind firewall rules at your workplace (or elsewhere) that prevent you from using ssh to log onto it; you can hide the ssh traffic as https traffic
  • You manage virtual machines and need to access the unix socket where the virtual machine monitor (e.g. the qemu monitor) accepts connections
pkg install socat
installs socat on FreeBSD
openssl req -x509 -newkey rsa:2048 -keyout client.key -out client.crt -days 300 -nodes
create a self-signed certificate and key for the client
mv client.* $HOME/.ssh/
place the client certificate and key in your home .ssh directory
openssl req -x509 -newkey rsa:2048 -keyout tunnel.key -out tunnel.crt -days 300 -nodes
create a self-signed certificate and key for the server tunnel
avoid fancy parameters at both the server end (where socat runs) and the client end (the laptop from which you connect to your home PC running socat); unusual TLS parameters make it more likely that the firewall filters your traffic, hence the RSA choice
mv tunnel.* /root/
move the tunnel certificate and key to root's home directory
/path/to/socat -L /run/Socat_21022_22 OPENSSL-LISTEN:21022,fork,reuseaddr,certificate=/root/tunnel.crt,key=/root/tunnel.key,verify=0 tcp:127.0.0.1:22 &
by running the above command at boot (e.g. from /etc/rc.local) you can hide your ssh connections inside https. The tunnel listens on incoming port 21022 and redirects it to local port 22. Since this is only for hiding traffic, no certificates are verified (verify=0): the TLS layer then authenticates neither end, so the only authentication left is the SSH host key and your SSH key
vi $HOME/.ssh/config
tell ssh to wrap your traffic into https connection by setting
Host vicktricks.net
	ProxyCommand /usr/bin/socat STDIO OPENSSL-CONNECT:%h:21022,verify=0,cert=/path/to/home/.ssh/client.crt,key=/path/to/home/.ssh/client.key
router
with the above setup, make sure the router at home that connects you to the wider internet forwards port 21022 to the IP address of the computer on which socat runs with tunnel.crt/tunnel.key
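As an added example (not part of these notes), the following self-test reproduces the socat tunnel above on the loopback interface but replaces verify=0 with the hardened form: each end pins the other's self-signed certificate with cafile=..., so a client without client.key and a server without tunnel.key both fail the TLS handshake. It assumes openssl and socat (1.7.3 or later, for openssl-commonname) are on PATH; the port is derived from the shell PID rather than using the real 21022, and EXEC:cat stands in for the local sshd.

```shell
# Added example, not the original page's commands. Mirrors the server
# (OPENSSL-LISTEN) and client (OPENSSL-CONNECT) commands from the notes but
# with mutual certificate pinning instead of verify=0 on both sides.
# Returns 0 on success, 1 on failure, 2 if openssl or socat is missing (skipped).
tunnel_selftest() {
    command -v socat >/dev/null 2>&1 || return 2
    command -v openssl >/dev/null 2>&1 || return 2
    dir=$(mktemp -d) || return 1
    port=$((20000 + $$ % 10000))   # constructed port, avoids clashing with a real 21022
    # Two self-signed pairs, playing the role of tunnel.* (server) and client.* (client).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=tunnel \
        -keyout "$dir/tunnel.key" -out "$dir/tunnel.crt" >/dev/null 2>&1 || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=client \
        -keyout "$dir/client.key" -out "$dir/client.crt" >/dev/null 2>&1 || return 1
    # Hardened server side: verify=1 with cafile=client.crt admits only holders of
    # client.key. EXEC:cat echoes input back and stands in for tcp:127.0.0.1:22.
    socat OPENSSL-LISTEN:"$port",fork,reuseaddr,cert="$dir/tunnel.crt",key="$dir/tunnel.key",cafile="$dir/client.crt",verify=1 \
        EXEC:cat 2>/dev/null &
    srv=$!
    sleep 1
    # Hardened client side (what the ProxyCommand should use): present the client
    # certificate, pin the server certificate and require its CN to be "tunnel".
    got=$(printf 'hello\n' | socat -T3 - OPENSSL:127.0.0.1:"$port",cert="$dir/client.crt",key="$dir/client.key",cafile="$dir/tunnel.crt",verify=1,openssl-commonname=tunnel 2>/dev/null)
    # A client that lacks the pinned client certificate must be refused at the handshake.
    bad=$(printf 'hello\n' | socat -T3 - OPENSSL:127.0.0.1:"$port",cafile="$dir/tunnel.crt",verify=1,openssl-commonname=tunnel 2>/dev/null)
    kill "$srv" 2>/dev/null; wait "$srv" 2>/dev/null
    rm -rf "$dir"
    [ "$got" = "hello" ] && [ -z "$bad" ]
}
```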