# LPI Essentials Notices
* [Managing Users and Groups](#8)
* [Managing File Ownership and Permissions](#9)
* [Archiving Files](#10)
* [Managing Linux Processes and Log Files](#11)
* [Connecting Linux to a Network](#13)
## 8 Managing Users and Groups
* How Linux User Accounts Work
- Authentication - proving who you are to the system (username and password)
- PAM
- root also has a home directory, but it is /root rather than under /home
- finger - show info about the user
```
finger someone
Directory: /home/someone Shell: /bin/bash
On since Wed Jun 28 05:08 (EDT) on pts/0 from gateway
1 minute 24 seconds idle
No mail.
No Plan.
```
- id - show UID, GID, groups
```
id someone
uid=1000(someone) gid=1000(somegrp1) groups=1000(somegrp1),10(somegrp2),54321(somegrp3)
```
* Where Linux User Accounts Are Stored
- local /etc/passwd
- LDAP
- NIS
- Windows domain
- Local files:
```
/etc/passwd - user info
/etc/shadow - user passwords
/etc/group - group info
```
- /etc/passwd
```
normal user
someone:x:1000:1000:somone fullname:/home/someone:/bin/bash
user_name:legacy_password_only_x:UID:GID:full_name:home_dir:shell
system user UID (from 0, to 999)
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
```
- /etc/shadow
```
someone:$6$m:17301:0:99999:7:::
username:encrypted_password:last_changed(days since 1970-01-01):min_days(0):max_days(99999):warn_days(7):inactive_days(grace period after expiry before the account is disabled):expire_date(empty = account never expires):reserved
```
- pwck - checks the validity and consistency of /etc/passwd and /etc/shadow
- pwconv - creates the missing /etc/shadow entries for accounts that exist only in /etc/passwd
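To show what checking the two files above looks like in practice, here is an added audit script (not part of the original notes, and not the pwck utility itself). It runs the checks a defender performs on /etc/passwd and /etc/shadow over constructed sample lines embedded in the script; the user names, UIDs and hash strings are invented, and the function names are mine.

```bash
#!/bin/bash
# Added example, not from the original notes: a small audit of /etc/passwd
# and /etc/shadow style data. The samples below are constructed; the "$6$..."
# strings are placeholders, not real password hashes.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
someone:x:1000:1000:Someone Fullname:/home/someone:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
orphan:x:1001:1001:no shadow entry:/home/orphan:/bin/bash
backdoor:x:0:0:second uid 0:/tmp:/bin/bash'

SAMPLE_SHADOW='root:$6$PLACEHOLDERHASH:17301:0:99999:7:::
someone:$6$PLACEHOLDERHASH:17301:0:99999:7:::
sshd:!!:17301::::::
backdoor::17301:0:99999:7:::'

# Field 3 of passwd is the UID. Every UID 0 account is root-equivalent,
# so anything besides "root" here needs an explanation.
uid0_accounts() {
    printf '%s\n' "$SAMPLE_PASSWD" | awk -F: '$3 == 0 { print $1 }'
}

# Field 2 of shadow is the hash. An empty field means login with no password.
empty_password_accounts() {
    printf '%s\n' "$SAMPLE_SHADOW" | awk -F: '$2 == "" { print $1 }'
}

# Accounts that can really log in: not locked ("!" or "*" in the hash field)
# and given a real login shell rather than nologin/false.
interactive_accounts() {
    printf '%s\n' "$SAMPLE_SHADOW" | awk -F: '$2 !~ /^[!*]/ { print $1 }' |
    while read -r name; do
        shell=$(printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v n="$name" '$1 == n { print $7 }')
        case "$shell" in
            */nologin|*/false) ;;
            *) printf '%s\n' "$name" ;;
        esac
    done
}

# The consistency check pwck performs: names present in one file but not the other.
unpaired_accounts() {
    {
        printf '%s\n' "$SAMPLE_PASSWD" | cut -d: -f1 | sed 's/^/p /'
        printf '%s\n' "$SAMPLE_SHADOW" | cut -d: -f1 | sed 's/^/s /'
    } | awk '{ seen[$2] = seen[$2] $1 }
             END { for (n in seen) if (seen[n] != "ps" && seen[n] != "sp") print n }' | sort
}

printf 'UID 0 accounts:        %s\n' "$(uid0_accounts | tr '\n' ' ')"
printf 'Empty password field:  %s\n' "$(empty_password_accounts | tr '\n' ' ')"
printf 'Can log in:            %s\n' "$(interactive_accounts | tr '\n' ' ')"
printf 'Missing counterpart:   %s\n' "$(unpaired_accounts | tr '\n' ' ')"
```

To run the same checks on a real system, replace the two sample variables with the output of `cat /etc/passwd` and `cat /etc/shadow` (the latter is readable only by root).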
* Creating and Managing User Accounts from the Command Line
- useradd:
```
1, defaults for new accounts are read from /etc/default/useradd
# useradd defaults file
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes
2, login defaults are read from /etc/login.defs, which
controls password expiration, UID/GID ranges, home directory creation etc.
3, /etc/skel - skeleton files that are copied into the new user's home directory
useradd someone
```
- passwd
```
1, to report account status
passwd -S someone
someone LK 2017-06-27 0 99999 7 -1 (Password locked.)
2, to set password for user
passwd someone
New password:
Retype new password:
3, to report account status after password was set
passwd -S someone
someone PS 2017-06-27 0 99999 7 -1 (Password set, SHA512 crypt.)
```
- usermod:
```
usermod options username
e.g
usermod -c "Someone Fullname" someone
someone:x:54323:54330:Someone Fullname:/home/someone:/bin/bash
```
- userdel:
```
1, delete the user account but keep the user's home directory
userdel someone
2, delete the account together with the user's home directory
userdel -r someone
```
* Managing Linux Group Accounts
- /etc/group
- groupadd
```
groupadd -g 8001 mygroup
grep -i --color mygroup /etc/group
```
- groupmod
- groupdel
* Using su
- su
```
su [options] [username]   (no username = root)
-      load the target user's environment (login shell)
-c     switch to the user and run a single command
-m     switch user but preserve the current environment variables
```
* Using sudo
- /etc/sudoers
- visudo
```
e.g
User_Alias POWRUSR = someone1,someone2
Cmnd_Alias KILLPROCS = kill, killall
Host_Alias MYHOST = myhost1
User_Alias Host_Alias = (user) Cmnd_Alias
POWRUSR MYHOST = (root) KILLPROCS
```
* Using Log Files to view authentication attempts
- /var/log/wtmp - binary, successful logins; view it with the last command
- /var/log/faillog - binary, failed authentication attempts; view it with the faillog command
```
faillog -u user_name
```
- who - shows who is logged in
- w - shows who is logged in and what they are doing right now
## 9 Managing File Ownership and Permissions
* Permissions:

Permission | File | Directory | Value
-----------|------|-----------|------
Read (r) | Open, view | List directory contents | 4
Write (w) | Open, view, modify, save | Add or delete content in the directory | 2
Execute (x) | Run the executable file | Enter the directory | 1
- Permissions are not additive (only one class applies: owner, otherwise group, otherwise others)
```
-r---w---x 1 user1 group1 43 28. Jun 06:49 runme.sh
What is true:
user1 - can only read the file, not write to it;
if permissions were additive, user1 would also get the
group's write and the others' execute permission
group1 - can only write to the file, e.g. user2 as a member of group1
can 'echo "Changed" > runme.sh' but cannot read it
others - can execute, but without read permission the interpreter
cannot read the script, so it does not actually run
```
> Links:
- [file-permission-execute-only](https://unix.stackexchange.com/questions/16623/file-permission-execute-only)
- To be able to change into a directory, the execute (x) permission must be set on every directory in the path
```
as user1
--x--x--x dir1
--x--x--x dir2
--x--x--x dir3
cd /dir1/dir2/dir3 - works
if one directory in the path lacks x, nothing below it can be entered:
as user1
--x--x--x dir1
-----x--x dir2   (owner user1 has no x on dir2)
cd /dir1/dir2/dir3 - permission denied, dir3 cannot be reached
```
- Three equivalent chmod invocations to obtain:
```
-rwxrw-r-- 1 user1 group1 41 Jun 28 07:02 runme.sh
```
- chmod -v u=rwx,g=rw,o=r runme.sh
- chmod -v u+rwx,g+rw,o+r runme.sh (adds bits only, so the result is exactly 764 only if no other bits were set before)
- chmod -v 764 runme.sh
* Working with Default Permissions
- Linux creates files/directories with these default permissions:
- files 666 rw-rw-rw-
- directories 777 rwxrwxrwx
- umask
- default is 022
- a numeric permission value whose bits are removed from the default
```
defaults applied by linux:
with umask 000:
touch myfile.txt
rw-rw-rw- myfile.txt
with umask 022:
default: rw-rw-rw- myfile.txt
umask:   ----w--w-   (removed)
finally: rw-r--r-- myfile.txt
```
- change umask
```
umask 026 - g-w, o-rw
```
- umask for directories
```
umask 027 - g-w, o-rwx
mkdir mydir1
default: rwxrwxrwx mydir1
umask 027 : rwxr-x--- mydir1
```
- 'umask xxx' on the command line is not persistent
- to make it permanent, add it to /etc/profile (or the user's shell startup file) or set UMASK in /etc/login.defs
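As an added worked example (not in the original notes), the functions below convert between the symbolic and octal forms used in the permission table and chmod commands above, and apply a umask the way the kernel does: the resulting mode is the default mode with the umask bits cleared. It is pure shell arithmetic, creates no files, and the function names are my own.

```bash
#!/bin/bash
# Added example, not from the original notes: permission arithmetic in plain shell.

# rwxrw-r-- -> 764: each triad is r=4, w=2, x=1 added together.
symbolic_to_octal() {
    local sym=$1 result="" i triad value
    for i in 1 4 7; do
        triad=$(printf '%s' "$sym" | cut -c "$i-$((i + 2))")
        value=0
        case $triad in r??) value=$((value + 4));; esac
        case $triad in ?w?) value=$((value + 2));; esac
        case $triad in ??x) value=$((value + 1));; esac
        result="$result$value"
    done
    printf '%s\n' "$result"
}

# 764 -> rwxrw-r--: test the 4, 2 and 1 bit of every octal digit.
octal_to_symbolic() {
    local oct out="" d
    oct=$(printf '%s' "$1" | tail -c 3)          # ignore a leading special-bits digit
    for d in $(printf '%s' "$oct" | sed 's/./& /g'); do
        [ $((d & 4)) -ne 0 ] && out="${out}r" || out="${out}-"
        [ $((d & 2)) -ne 0 ] && out="${out}w" || out="${out}-"
        [ $((d & 1)) -ne 0 ] && out="${out}x" || out="${out}-"
    done
    printf '%s\n' "$out"
}

# default_mode AND NOT umask, both given in octal (666 022 -> 644, 777 027 -> 750).
apply_umask() {
    printf '%03o\n' $(( 0$1 & ~0$2 ))
}

# What touch and mkdir produce under a given umask, in the form ls shows.
new_file_mode() { octal_to_symbolic "$(apply_umask 666 "$1")"; }
new_dir_mode()  { octal_to_symbolic "$(apply_umask 777 "$1")"; }

printf 'rwxrw-r-- is %s\n' "$(symbolic_to_octal rwxrw-r--)"
printf '764 is %s\n' "$(octal_to_symbolic 764)"
printf 'umask 022: file %s, dir %s\n' "$(new_file_mode 022)" "$(new_dir_mode 022)"
printf 'umask 027: file %s, dir %s\n' "$(new_file_mode 027)" "$(new_dir_mode 027)"
```

Compare `new_dir_mode 027` with the `mkdir mydir1` result in the notes: both give rwxr-x---, because 027 clears the group's w bit and all of the others' bits.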
* Working with Special Permissions
- SUID (4): only honoured on binary executables (the kernel ignores it on shell scripts);
the process runs with the file owner's effective UID instead of the caller's
```
chmod -v u+s dir1
(rwsrwxr-x)
```
- SGID (2): on executables it is likewise only honoured for binaries (not shell scripts)
- file:
the process runs with the file's group as its effective group
- directory:
files created inside inherit the directory's group instead of the creator's primary group
```
chmod -v g+s dir1
(rwxrwsr-x)
```
- Sticky bit (1):
- directory (only):
when set, a file inside the directory can be deleted or renamed only by the file's owner
(or the directory owner, or root), even though other users have write permission on the directory (e.g. /tmp)
```
chmod -v o+t dir1
(rwxrwsr-t)
```
> Links:
- [Setuid](https://en.wikipedia.org/wiki/Setuid)
- [Sticky bit](http://www.thegeekstuff.com/2013/02/sticky-bit/?utm_source=feedburner)
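A defender's view of the three special bits above, added here as an example that is not from the original notes: the script builds a throw-away tree in a temporary directory, sets SUID, SGID and the sticky bit with their octal forms, and then finds them with `find -perm`, the same search used to inventory setuid binaries on a real system. Every path and helper name is constructed for the demo.

```bash
#!/bin/bash
# Added example, not from the original notes: set and then locate the special
# permission bits. Everything lives in a temporary directory created here.

make_demo_tree() {
    local demo
    demo=$(mktemp -d)
    printf '#!/bin/sh\necho hi\n' > "$demo/setuid_prog"
    printf '#!/bin/sh\necho hi\n' > "$demo/plain_prog"
    mkdir "$demo/shared_dir" "$demo/drop_dir"
    chmod 4755 "$demo/setuid_prog"   # rwsr-xr-x : SUID (4)
    chmod 0755 "$demo/plain_prog"    # rwxr-xr-x : no special bit
    chmod 2775 "$demo/shared_dir"    # rwxrwsr-x : SGID (2) on a directory
    chmod 1777 "$demo/drop_dir"      # rwxrwxrwt : sticky (1), like /tmp
    printf '%s\n' "$demo"
}

# -perm -4000 matches when at least the SUID bit is set, whatever the rest is.
# On a real system the equivalent inventory is:
#   find / -xdev -type f -perm -4000 2>/dev/null
list_suid()   { find "$1" -type f -perm -4000 -exec basename {} \; | sort; }
list_sgid()   { find "$1" -perm -2000 -exec basename {} \; | sort; }
list_sticky() { find "$1" -type d -perm -1000 -exec basename {} \; | sort; }

DEMO_DIR=$(make_demo_tree)
printf 'SUID:   %s\n' "$(list_suid "$DEMO_DIR" | tr '\n' ' ')"
printf 'SGID:   %s\n' "$(list_sgid "$DEMO_DIR" | tr '\n' ' ')"
printf 'Sticky: %s\n' "$(list_sticky "$DEMO_DIR" | tr '\n' ' ')"
ls -ld "$DEMO_DIR"/*          # the s and t letters appear in the mode column
rm -rf "$DEMO_DIR"
```

Compare the output of a periodic `find / -xdev -type f -perm -4000` run against a known baseline; a new setuid file is worth a look regardless of who created it.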
## 10 Archiving Files
- Backup types:
- Full - all files are backed up (slow)
- Incremental - only files changed since the last backup, incremental or full (restore in order: the full backup, then every incremental)
- Differential - only files changed since the last full backup (grows in size, but restore is fast: the full backup plus the last differential)
- Selecting a Backup Schedule:
- pick one day a week for a full backup, the other week days for incremental or differential backups
- Determining What to Back Up:
- /etc
- /home
- /opt
- /var
- /root
- /srv
- Using Linux Backup Utilities
- tar,cpio,dd
- Using tar
- gzip uses Lempel-Ziv (LZ77/DEFLATE)
- bzip2 uses Burrows-Wheeler
```
e.g. tar backup to a SCSI tape device (/dev/st0) instead of a file
tar -cvf /dev/st0 /home
e.g. excludes (suppose myfile.txt and mytxt.txt exist in the current dir)
vi excl
myfile.txt
mytxt.txt
:wq
tar -cvf my.tar -X excl ./*
creates the archive without myfile.txt and mytxt.txt
```
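The three backup types and the tar usage above, as an added worked example that is not part of the original notes: GNU tar's `--listed-incremental` snapshot file yields full, incremental and differential backups of a constructed sample directory inside a temporary directory. It assumes GNU tar (`--listed-incremental` is a GNU extension); the file and archive names are invented for the demo.

```bash
#!/bin/bash
# Added example, not from the original notes: full / incremental / differential
# backups with GNU tar's snapshot file. Sample data is constructed in a temp dir.

WORK=$(mktemp -d)
DATA=$WORK/data
mkdir -p "$DATA"
echo one > "$DATA/a.txt"
echo two > "$DATA/b.txt"
trap 'rm -rf "$WORK"' EXIT

# Full backup: archives everything and records the state in full.snar.
# base.snar keeps an untouched copy of that state for differential runs.
full_backup() {
    tar --listed-incremental="$WORK/full.snar" -cf "$WORK/full.tar" -C "$DATA" .
    cp "$WORK/full.snar" "$WORK/base.snar"
}

# Incremental: only what changed since the previous backup of any kind.
# tar updates full.snar in place, so every run moves the reference point.
incremental_backup() {
    tar --listed-incremental="$WORK/full.snar" -cf "$WORK/$1" -C "$DATA" .
}

# Differential: only what changed since the last FULL backup. Working on a
# fresh copy of base.snar keeps the reference point fixed.
differential_backup() {
    cp "$WORK/base.snar" "$WORK/diff.snar"
    tar --listed-incremental="$WORK/diff.snar" -cf "$WORK/$1" -C "$DATA" .
}

# Regular files stored in an archive, one per line (directory entries dropped).
archived_files() {
    tar -tf "$WORK/$1" | grep -v '/$' | sed 's|^\./||' | sort
}

sleep 1                                  # keep file and snapshot timestamps apart
full_backup                              # a.txt b.txt
echo three > "$DATA/c.txt"               # first change after the full backup
sleep 1
incremental_backup inc1.tar              # c.txt: since the full backup
differential_backup diff1.tar            # c.txt: since the full backup
echo four > "$DATA/d.txt"                # second change
sleep 1
incremental_backup inc2.tar              # d.txt only: since inc1
differential_backup diff2.tar            # c.txt and d.txt: since the full backup

for a in full.tar inc1.tar diff1.tar inc2.tar diff2.tar; do
    printf '%-10s %s\n' "$a" "$(archived_files "$a" | tr '\n' ' ')"
done
# Restore order: full.tar, then inc1.tar, then inc2.tar (incremental chain),
# or just full.tar followed by diff2.tar (differential).
```

The one-second pauses only make the demo robust on filesystems with coarse timestamps; in a real schedule the backups are hours apart and the snapshot file is kept next to the archives.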
- gzip
```
e.g compress
gzip myfile.txt
ls myfile.txt.*
myfile.txt.gz
e.g decompress
gunzip myfile.txt.gz
gzip -d myfile.txt.gz
```
- bzip2
```
e.g compress
bzip2 myfile.txt
ls myfile.txt.*
myfile.txt.bz2
e.g decompress
bunzip2 myfile.txt.bz2
bzip2 -d myfile.txt.bz2
```
- Using cpio
```
e.g. back up only the files in the current directory (no subdirectories)
create:
ls | cpio -ov > ./backup.cpio
extract:
cpio -iv < ./backup.cpio
e.g. back up files together with directories
create:
find . -depth -print | cpio -ov > /home/someone/backup2.cpio
extract:
cpio -iv < /home/someone/backup2.cpio
e.g. with gzip
create:
ls | cpio -ov | gzip > /home/someone/backup.cpio.gz
extract:
gunzip -c backup.cpio.gz | cpio -iv
```
- Creating an Archive with dd
- backup entire partitions
```
dd if=input_file of=output_file
e.g entire disk
dd if=/dev/sda of=/home/mybigbackup
e.g partition
dd if=/dev/sda1 of=/home/mybigbackup
e.g MBR record backup
dd if=/dev/sda of=/home/mbr.copy bs=512 count=1
bs - block size
count - how many
```
## 11 Managing Linux Processes and Log Files
* Understanding Linux Processes
- Binary executables
- Internal shell commands
- Shell scripts
* How Linux Processes Are Loaded
- Parent/Child process
- PID - Process ID Number
- PPID - Parent Process ID Number
- init process has PID 1 and PPID 0; PID 0 is the kernel's own (scheduler) process
- forking, e.g. executing $ vi
```
bash (PPID=111, PID=211) --> start --> subshell (PPID=211, PID=311) --> vi (PPID=311, PID=411)
so:
a, vi (PPID=311, PID=411) runs within the subshell (PPID=211, PID=311)
b, when vi ends, the subshell (PPID=211, PID=311) ends as well
c, control returns to the bash (PPID=111, PID=211) process
TODO not sure if this is still true
```
* Viewing Running Processes
- top - press h inside top for help on changing its output format
```
Run top for user foo and with unwrapping command column
top -u foo -c
```
> Links:
- [linux.die.net - top](https://linux.die.net/man/1/top)
```
Run top with threads displayed within the process of PID and with unwrapping command column
top -H -p PID -c
```
> Links:
- [view-threads-process-linux](http://ask.xmodulo.com/view-threads-process-linux.html)
```
Display memory in different units (KiB/MiB/GiB/TiB etc.) in the summary area: press E inside top
Here it is in MiB:
MiB Mem : 31794.33+total, 20088.98+free, 6975.496 used, 4729.855 buff/cache
MiB Swap: 31803.99+total, 31803.99+free, 0.000 used. 23910.77+avail Mem
Display memory in different units in the process list: press e inside top; here in MiB:
804 someone+ 20 0 1147.5m 166.8m 45.3m S 9.0 0.5 0:13.78 chrome
4546 someone+ 20 0 1259.1m 280.6m 55.8m S 5.6 0.9 23:02.07 chrome
```
- ps
```
ps - display only the processes belonging to the current shell
ps -e (-A) - display all processes: PID, TTY, TIME, CMD
ps -ef - like the previous plus UID, PPID, C, STIME
ps -efl - like the previous plus F, S, PRI, ADDR, NI, SZ, WCHAN (shown as - when the process is running)
```
> Links:
- [inspect-manage-processes-ps](https://fedoramagazine.org/inspect-manage-processes-ps/)
- free
```
free -mt
-m megabytes
-t total
```
```
Update 'free' periodically in seconds
free -mt -s 10
-m megabytes
-t total
-s update every [s]
```
* Prioritizing Processes
- priority (PR in top, PRI in ps) - higher number -> lower process priority; ps -l shows 80 for the default
- nice (-20 to +19) - lower number -> higher process priority; default is 0
- only root may give a process a negative nice value; a normal user cannot set a nice value lower than 0
```
as root
nice -n -15 vi
PRI will be 65
NI will be -15
```
```
as normal user
nice -n +5 vi
PRI will be 85
NI will be 5
nice -n -5 vi
fails with "Permission denied" (only root may lower the nice value)
```
* Setting Priorities of Running Processes with renice
- renice
```
vi process runs under normal user
as root user
current process
0 S 54321 3809 3790 0 91 11 - 31561 poll_s pts/0 00:00:00 vi
PID is 3809
PRI is 91
NI is 11
renice 5 3809
PRI will be 85
NI will be 5
0 S 54321 3809 3790 0 85 5 - 31561 poll_s pts/0 00:00:00 vi
as the normal user, only a higher (worse) nice value is allowed:
renice 6 3809 - works
0 S 54321 3809 3790 0 86 6 - 31561 poll_s pts/0 00:00:00 vi
going back down
renice 5 3809 - is not allowed for a normal user
```
* Managing Foreground and Background Processes
- Running Processes in the Background (& | Ctrl + z):
```
e.g
touch myscript.sh && chmod -v 0775 myscript.sh
vi myscript.sh
myscript.sh:
#!/bin/bash
sleep 1000
exit 0
:wq
```
```
$ ./myscript.sh
...
press Ctrl + Z
[1]+ 3908 Stopped ./myscript.sh
jobs -l
[1]+ 3908 ./myscript.sh
then
fg 1
$ ./myscript.sh
put to background again
Ctrl + Z
$jobs -l
[1]+ 3908 Stopped ./myscript.sh
job is stopped right now, to put into running state again
$bg 1
[1]+ 3908 Running ./myscript.sh
```
* Ending a Running Process
- kill (64 signals, see kill -l)
```
Syntax: kill -signal PID
signal:
SIGHUP (1) - by convention daemons re-read their configuration (restart) on it, keeping the same PID
SIGINT (2) - the same signal Ctrl + c sends from the terminal
SIGKILL (9) - brute force; the process cannot catch it and does not clean up allocated resources
SIGTERM (15) - (default for kill when no signal is given) asks the process to terminate,
allowing it to clean up first
e.g. let 8662 be the PID of a vi process
kill -15 8662
or
kill -SIGTERM 8662
```
- killall - same as kill instead of PID use process name e.g
```
killall -15 vi
```
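The difference between SIGTERM and SIGKILL described above, as an added example that is not from the original notes: a background worker traps SIGTERM and removes the temporary file it created, while SIGKILL never reaches the handler, so the file is left behind. The marker file names and helper names are constructed for the demo.

```bash
#!/bin/bash
# Added example, not from the original notes: SIGTERM can be caught and lets a
# process clean up; SIGKILL cannot. Marker files stand in for "allocated resources".

SCRATCH=$(mktemp -d)
trap 'rm -rf "$SCRATCH"' EXIT

# Start a worker that owns the file $1 and removes it when it receives TERM.
# Sets WORKER_PID; waits until the file exists so the caller can signal safely.
start_worker() {
    local marker=$1 i=0
    (
        trap 'rm -f "$marker"; exit 0' TERM   # handler for signal 15
        : > "$marker"                          # "allocate" the resource
        while :; do sleep 1; done              # pretend to work
    ) &
    WORKER_PID=$!
    while [ ! -e "$marker" ] && [ "$i" -lt 50 ]; do sleep 0.1; i=$((i + 1)); done
}

# Send signal $2 to PID $1 and wait for the process to go away.
signal_and_wait() {
    kill -"$2" "$1"
    wait "$1" 2>/dev/null || true             # exit status reflects the signal
}

# "cleaned up" if the marker is gone, "left behind" if the worker never ran its handler.
resource_state() {
    if [ -e "$1" ]; then echo "left behind"; else echo "cleaned up"; fi
}

start_worker "$SCRATCH/term.lock"
signal_and_wait "$WORKER_PID" TERM
printf 'after SIGTERM: %s\n' "$(resource_state "$SCRATCH/term.lock")"

start_worker "$SCRATCH/kill.lock"
signal_and_wait "$WORKER_PID" KILL
printf 'after SIGKILL: %s\n' "$(resource_state "$SCRATCH/kill.lock")"
```

The shell runs the TERM handler only after the current `sleep 1` returns, so the cleanup can lag by up to a second; that delay is why `signal_and_wait` waits for the worker instead of checking the marker immediately.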
* Managing Linux Log Files
- most linux services are configured to write to the /dev/log socket
- what the services write there is captured by syslog
- where each message is stored is configured in /etc/syslog.conf (/etc/rsyslog.conf on rsyslog systems)
- pattern is:
```
facility.priority file
facility e.g cron
priority e.g info
so
cron.info /var/log/cron
```
- logrotate - runs daily as a cron job; main configuration in /etc/logrotate.conf,
per-service settings in /etc/logrotate.d/
> Links:
- [howto-linux-unix-write-to-syslog](https://www.cyberciti.biz/tips/howto-linux-unix-write-to-syslog.html)
## 13 Connecting Linux to a Network
* What is protocol
* OSI Model
- Physical
- Datalink - Datagrams
- Network - IP (Internet Protocol), ICMP (Internet Control Message Protocol)
- Transport - Packets, TCP (Transmission Control Protocol), UDP (User Datagram Protocol)
- Session
- Presentation
- Application
* Ports
ICANN (Internet Corporation for Assigned Names and Numbers)
Port range: 0 - 65535
- Well-known ports (0 - 1023):
```
Ports 20 and 21: FTP
Port 23: Telnet
Port 25: SMTP
Port 80: HTTP
Port 110: POP3
Port 119: NNTP (news)
Ports 137, 138, 139: NetBIOS
Port 443: HTTPS
```
- Registered ports (1024 - 49151)
- Dynamic ports/Private ports (49152 - 65535)
* IP Addresses (Network layer) - logically assigned to a network host
- MAC address (Datalink layer) - permanent hardware address
- the ARP protocol maps logical IP addresses to hard-coded MAC addresses
- An IPv4 address consists of four octets, each an 8-bit binary number.
Example:
192.168.1.1 - 11000000.10101000.00000001.00000001
- Conversion:
```
Bit 1 = 128
Bit 2 = 64
Bit 3 = 32
Bit 4 = 16
Bit 5 = 8
Bit 6 = 4
Bit 7 = 2
Bit 8 = 1
11000000 = 128 + 64 = 192
```
- an IP address must be unique on its network
- a public network address must be globally unique (assigned by IANA - Internet Assigned Numbers Authority)
- IPv4 - 32-bit addressing scheme
- IPv6 - 128-bit addressing scheme, written as eight groups of four hexadecimal digits, e.g.:
```
35BC:FA77:4898:DAFC:200C:FBBC:A007:8973
```
- NAT (Network Address Translation) - connects private subnets to the Internet through a single public IP
- The Private IP address range (https://en.wikipedia.org/wiki/Private_network):
```
10.0.0.0–10.255.255.255 (Class A)
172.16.0.0–172.31.255.255 (Class B)
192.168.0.0–192.168.255.255 (Class C)
```
* Subnet Mask
- Network address
- Node address
```
192.168.1.1
Network | Node
```
- To identify network the host resides on.
```
Network - same numbers 192.168.1
Node - 0 - 255
```
- Default subnet masks:
```
255.0.0.0
255.255.0.0
255.255.255.0
```
- Calculating subnet
> Links:
- [how-do-you-calculate-the-prefix-network-subnet-and-host-numbers](https://networkengineering.stackexchange.com/questions/7106/how-do-you-calculate-the-prefix-network-subnet-and-host-numbers)
- Address Classes (5, but the important ones are these 3):
```
Class A - first octet 1 - 126, subnet mask 255.0.0.0, 126 networks, 16.7 million nodes each
Class B - first octet 128 - 191, subnet mask 255.255.0.0, 16,384 networks, 65,534 nodes each
Class C - first octet 192 - 223, subnet mask 255.255.255.0, 2,097,152 networks, 254 nodes each
```
- Shorthand subnet masks:
```
192.168.1.1/24 24bits longhand 255.255.255.0
```
- Partial subnetting e.g 255.255.252.0
- The condition for two nodes to communicate with each other:
> Two nodes must have the same network address, which means they must also have the same subnet mask
e.g. wrong host configuration
```
Host 1, 192.168.1.1, 255.255.255.0
Host 2, 192.168.1.2, 255.255.255.0
Host 3, 192.168.1.3, 255.255.252.0 - wrong, won't be able to communicate with Host1, Host2
without the use of a network router
```
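The octet-to-binary conversion, the subnet-mask arithmetic and the "same network" condition above, carried out in shell arithmetic as an added example that is not part of the original notes. It goes a little beyond the text by also converting between /24-style prefixes and dotted masks; all addresses are the constructed ones from the notes and the function names are mine.

```bash
#!/bin/bash
# Added example, not from the original notes: IPv4 address arithmetic in the
# shell. Addresses and masks below are constructed for the demo.

# 192.168.1.1 -> 3232235777 (the four octets packed into one 32-bit number)
ip_to_int() {
    local IFS=.
    set -- $1
    printf '%s\n' $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 3232235777 -> 192.168.1.1
int_to_ip() {
    printf '%d.%d.%d.%d\n' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
                           $(( ($1 >> 8) & 255 ))  $(( $1 & 255 ))
}

# 192.168.1.1 -> 11000000.10101000.00000001.00000001 (bit weights 128 ... 1)
ip_to_binary() {
    local IFS=. out="" o bits b
    set -- $1
    for o; do
        bits=""
        for b in 128 64 32 16 8 4 2 1; do
            bits="$bits$(( (o & b) != 0 ))"
        done
        out="${out:+$out.}$bits"
    done
    printf '%s\n' "$out"
}

# /24 -> 255.255.255.0
cidr_to_mask() {
    int_to_ip $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# 255.255.252.0 -> 22 (count the leading one bits)
mask_to_cidr() {
    local n c=0
    n=$(ip_to_int "$1")
    while [ $(( n & 0x80000000 )) -ne 0 ]; do
        c=$((c + 1))
        n=$(( (n << 1) & 0xFFFFFFFF ))
    done
    printf '%s\n' "$c"
}

# Network address = address AND mask (192.168.1.3 with 255.255.252.0 -> 192.168.0.0)
network_of() {
    int_to_ip $(( $(ip_to_int "$1") & $(ip_to_int "$2") ))
}

# The condition from the notes: two hosts are on the same network only when
# each computes the same network address from its own address and mask.
same_network() {
    [ "$(network_of "$1" "$2")" = "$(network_of "$3" "$4")" ]
}

printf '%s = %s\n' 192.168.1.1 "$(ip_to_binary 192.168.1.1)"
printf '/24 = %s, 255.255.252.0 = /%s\n' "$(cidr_to_mask 24)" "$(mask_to_cidr 255.255.252.0)"
for host in "192.168.1.2 255.255.255.0" "192.168.1.3 255.255.252.0"; do
    set -- $host
    if same_network 192.168.1.1 255.255.255.0 "$1" "$2"; then
        printf 'Host 1 and %s/%s: same network %s\n' "$1" "$2" "$(network_of "$1" "$2")"
    else
        printf 'Host 1 and %s/%s: different networks (%s vs %s)\n' "$1" "$2" \
            "$(network_of 192.168.1.1 255.255.255.0)" "$(network_of "$1" "$2")"
    fi
done
```

Host 3 from the table lands on 192.168.0.0 while Host 1 and Host 2 land on 192.168.1.0, which is the mismatch the notes flag as a wrong configuration.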
* DNS Server and Default Gateway Router Address
```
dig www.google.com
```
* Configuring IP Parameters
- ifconfig (not permanent config):
```
ifconfig eth0 192.168.1.1 netmask 255.255.255.0 broadcast 192.168.1.255
```
- ip (not permanent config):
```
ip a add 192.168.1.1/255.255.255.0 dev eth0
or
ip a add 192.168.1.1/24 dev eth0
with a broadcast address (given together with the address, not on its own)
ip addr add 192.168.1.1/24 broadcast 192.168.1.255 dev eth0
```
> Links:
- [ifconfig vs ip: What’s Difference and Comparing Network Configuration](https://www.tecmint.com/ifconfig-vs-ip-command-comparing-network-configuration/)
- [Linux ip Command Examples](https://www.cyberciti.biz/faq/linux-ip-command-examples-usage-syntax/)
- permanent (RHEL) through /etc/sysconfig/network-scripts/ifcfg-eth0
> Changes take effect after:
```
ifdown interface
e.g. ifdown eth0
ifup interface
e.g. ifup eth0
```
- dhclient
```
dhclient -v eth0
```
> Links:
- [howto-linux-renew-dhcp-client-ip-address](https://www.cyberciti.biz/faq/howto-linux-renew-dhcp-client-ip-address/)
* Configuring Routing Parameters (Network layer)
- routing table config (SUSE)
```
cat /etc/sysconfig/network/routes
default 192.168.1.1 - -
which is
DESTINATION GATEWAY NETMASK INTERFACE [TYPE]
TYPE:
- unicast
- local
- broadcast
- multicast
- unreachable
```
- static routing table config (RHEL), if exists /etc/sysconfig/network-scripts/route-interface
```
e.g
cat /etc/sysconfig/network-scripts/route-eth0
```
> Links:
- [RHEL 7 - Static-Routes_and_the_Default_Gateway](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Networking_Guide/index.html#sec-Static-Routes_and_the_Default_Gateway)
- route command (obsolete, use *ip route* instead):
```
add:
route add -net network_address netmask netmask gw router_address
e.g. route add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.1.254
del:
route del -net network_address netmask netmask gw router_address
e.g. route del -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.1.254
default route:
route add default gw router_address
e.g. route add default gw 192.168.1.254
```
> Links:
- [howto-linux-configuring-default-route-with-ipcommand](https://www.cyberciti.biz/faq/howto-linux-configuring-default-route-with-ipcommand/)
* Configuring Name Resolver Settings
- /etc/hosts is consulted first
- if no record exists there, the operating system tries to resolve the hostname using DNS
- How it works, e.g. for google.com:
1. Request to the DNS server on port 53; if the server is authoritative for the zone, it responds with the IP address.
If not, then
2. The DNS server sends a request to a root-level DNS server (the "." zone).
There are 13 root-level DNS servers on the Internet.
The root-level DNS servers hold records for the authoritative DNS servers of each TLD (.com, .gov, .de etc.)
3. The root-level DNS server responds to your DNS server with the address of the DNS server authoritative for the TLD (top level domain)
4. Your DNS server sends the request to the DNS server that is authoritative for the TLD (in this case .com)
5. The TLD DNS server responds to your server with the IP address of the DNS server authoritative for the zone (in this case google.com)
6. Your DNS server sends a name resolution request to the DNS server that is authoritative for the zone
7. The authoritative DNS server responds to your DNS server with the IP address.
8. Your DNS server responds to your system with the IP address mapped to the hostname
```
(not cached)
DNS Request -> Your DNS Server -> Root DNS sends TLD IP Address -> Your DNS Server ->
TLD DNS Server sends IP address of DNS server authoritative to zone -> Your DNS Server ->
DNS server authoritative to zone send IP address -> Your DNS Server
-> Finally IP address for hostname
```
- configuration file in /etc/resolv.conf
```
search somedome.com
nameserver 192.168.1.1
nameserver 192.168.1.2
```
> search: domain appended to incomplete hostnames (hostname some1 becomes some1.somedome.com)
- /etc/nsswitch.conf defines the order of the services used to resolve a name
```
hosts: files dns
networks: files dns
```
> Links:
- [Name_Service_Switch](https://en.wikipedia.org/wiki/Name_Service_Switch)
* Using ping
- ICMP protocol
- If the ICMP echo reply is received by the sending system, the following holds:
> 1. your network interface works correctly
> 2. the destination system is up and works correctly
> 3. the network hardware between the requesting system and the destination system works correctly
* Using netstat
- TODO
* Using traceroute
- TODO
* Using dig, host
- TODO
* Encrypting Remote Access with OpenSSH
- How Encryption Works:
- Symmetric encryption:
- the sender and the receiver must have exactly the same key, used both to encrypt and to decrypt messages
- 3DES - 112-bit or 168-bit key
- AES - 128-, 192- or 256-bit key
- Blowfish - up to 448-bit key
> Links:
- [Symmetric-key_algorithm](https://en.wikipedia.org/wiki/Symmetric-key_algorithm)
- Asymmetric encryption:
- uses two keys, a private key and a public key
- data encrypted with the public key can be decrypted only with the private key, and vice versa
- DSA (Digital Signature Algorithm)
- RSA (Rivest Shamir Adleman)
- public/private keys are much longer, 1024 bits and up
- main disadvantage: much slower than symmetric encryption
- to verify that a public key is legitimate we use a CA (Certificate Authority)
- the private key is held only by the requesting entity (the one who requests the certificate from the CA)
- a public-key certificate is a digital message containing the public key, signed with the CA's private key
- A certificate contains:
- The name of the organization
- The public key of the organization
- The expiration date of the certificate
- The certificate’s serial number
- The name of the CA that signed the certificate
- A digital signature from the CA
- 2 types of CA:
- internal CA (self-signed, only for internal purposes)
- external CA
- browsers come with many preinstalled certificates from external CAs,
see Firefox - Edit - Preferences - Advanced - Certificates
> Links:
- [Public-key_cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography)
- [RSA_(cryptosystem)](https://en.wikipedia.org/wiki/RSA_\(cryptosystem\))
- [Public_key_infrastructure](https://en.wikipedia.org/wiki/Public_key_infrastructure)
- [how-to-get-public-key-of-a-secure-webpage](https://security.stackexchange.com/questions/16085/how-to-get-public-key-of-a-secure-webpage)
- [how-should-i-distribute-my-public-key](https://security.stackexchange.com/questions/406/how-should-i-distribute-my-public-key)
* How OpenSSH Works
- OpenSSH provides:
- sshd
- ssh
- scp
- sftp
- slogin
- Server host keys (SSH version 1) are stored in:
- Private key: /etc/ssh/ssh_host_key
- Public key: /etc/ssh/ssh_host_key.pub
- SSH client stores the host keys it has seen in:
- /etc/ssh/ssh_known_hosts
- ~/.ssh/known_hosts
- It works like this (SSH version 1):
- server sends its public host key to the client -> client accepts it, generates a new session key and encrypts it with the server's public key
-> sends it to the sshd server -> server decrypts it with its private key (asymmetric)
-> now both have the same session key and switch to symmetric encryption
- SSH version 2 differences:
- host key files in:
- /etc/ssh/ssh_host_dsa_key
- /etc/ssh/ssh_host_rsa_key
- the session key is never transmitted from client to server
- both sides derive it with Diffie-Hellman key agreement
> Links:
- [Diffie-Hellman_key_exchange](https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange)
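To make the last two points concrete, here is a toy Diffie-Hellman exchange in shell arithmetic, added as an example that is not part of the original notes. The prime, generator and private values are tiny constructed numbers so the arithmetic fits in shell integers; real SSH uses 2048-bit or larger groups (or elliptic curves). It shows that only the public values cross the wire, that both sides still arrive at the same secret, and why the group size is what keeps an eavesdropper from recovering it. The function names are mine.

```bash
#!/bin/bash
# Added example, not from the original notes: a toy Diffie-Hellman exchange.
# The numbers are tiny and constructed; real SSH groups are 2048 bits or more.

# base^exp mod m by square-and-multiply, staying within shell integer range.
modpow() {
    local b=$(( $1 % $3 )) e=$2 m=$3 r=1
    while [ "$e" -gt 0 ]; do
        [ $((e & 1)) -eq 1 ] && r=$(( (r * b) % m ))
        e=$((e >> 1))
        b=$(( (b * b) % m ))
    done
    printf '%s\n' "$r"
}

# Public parameters, exchanged in the clear (constructed, far too small for real use).
P=23   # prime modulus
G=5    # generator

# What each side puts on the wire: g^private mod p. The private value never leaves the host.
public_value()  { modpow "$G" "$1" "$P"; }
# What each side computes locally: peer_public^own_private mod p.
shared_secret() { modpow "$1" "$2" "$P"; }

# What an eavesdropper who saw P, G and a public value would have to do:
# solve the discrete logarithm by trial. Trivial for p=23, infeasible for 2048-bit p.
discrete_log() {
    local x=1
    while [ "$x" -lt "$P" ] && [ "$(modpow "$G" "$x" "$P")" -ne "$1" ]; do
        x=$((x + 1))
    done
    printf '%s\n' "$x"
}

client_private=6
server_private=15
client_public=$(public_value "$client_private")
server_public=$(public_value "$server_private")
printf 'client -> server: %s\n' "$client_public"
printf 'server -> client: %s\n' "$server_public"
printf 'client computes:  %s\n' "$(shared_secret "$server_public" "$client_private")"
printf 'server computes:  %s\n' "$(shared_secret "$client_public" "$server_private")"
printf 'eavesdropper recovers client private value by trial: %s\n' "$(discrete_log "$client_public")"
```

The two "computes" lines agree, which is the shared session key the SSH-2 text refers to; the final line is the work an eavesdropper has to do, and it grows exponentially with the bit length of P.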
* Configuring OpenSSH
- sshd daemon: /etc/ssh/sshd_config
- ssh client: /etc/ssh/ssh_config (system-wide) or the ~/.ssh/config file (per user).
* TODO ssh tunneling
- [ssh-tunnel-local-and-remote-port-forwarding-explained-with-examples](https://blog.trackets.com/2014/05/17/ssh-tunnel-local-and-remote-port-forwarding-explained-with-examples.html)
- [whats-ssh-port-forwarding-and-whats-the-difference-between-ssh-local-and-remote](https://unix.stackexchange.com/questions/115897/whats-ssh-port-forwarding-and-whats-the-difference-between-ssh-local-and-remot)