ssh-keygen
linux:
ssh-copy-id -i ~/.ssh/mykey user@host -p 22
windows:
type $env:USERPROFILE\.ssh\id_rsa.pub | ssh {IP-ADDRESS-OR-FQDN} -p 22 "cat >> .ssh/authorized_keys"
Test connections
ssh -i ~/.ssh/mykey user@host -p 22
Host [Any Host name that will be used to connect]
User [username]
HostName [IP or domain]
Host linux_bastion
User [username]
HostName [IP or domain]
Port 2222
IdentityFile [RSA Private key]
Host internalsystem
User [username]
HostName [IP or domain]
ProxyJump linux_bastion
IdentityFile [RSA Private key]
LocalForward 3306 localhost:8090
# others
Host internalsystem
User [username]
HostName [IP or domain]
ProxyJump linux_bastion
IdentityFile [RSA Private key]
StrictHostKeyChecking
AddKeysToAgent ['yes', (default) 'no', 'ask', 'confirm']
UserKnownHostsFile /dev/null
Host some_bastion
Port 222
User user
DynamicForward 1337
Yes, you have to specify a destination IP and port when using local forwarding. From man ssh:
-L [bind_address:]port:host:hostport
Specifies that the given port on the local (client) host is to be
forwarded to the given host and port on the remote side.
Clearly, only the bind address is optional.
No, you can't specify a destination host or port when using dynamic forwarding. In dynamic forwarding, SSH acts as a SOCKS proxy. Again from the manpage (emphasis mine):
-D [bind_address:]port
Specifies a local “dynamic” application-level port forwarding.
This works by allocating a socket to listen to port on the local
side, optionally bound to the specified bind_address. Whenever a
connection is made to this port, the connection is forwarded over
the secure channel, and the application protocol is then used to
determine where to connect to from the remote machine. Currently
the SOCKS4 and SOCKS5 protocols are supported, and ssh will act
as a SOCKS server.
With -L, SSH makes no attempt to understand the traffic. It just sends everything it receives on the local port to the target port - you determine the target port at the time the connection is made. With -D, SSH acts as a proxy server, and therefore can handle connections from multiple ports (for example, a browser configured to use it as a SOCKS proxy can then access HTTP, HTTPS, FTP, etc. over the same connection). And like with other proxy servers, it will use the traffic to determine the destination.