SSH

Generate keys

Keys should be generated on your secure machine and not on the machine you intend to install the public key on.

$ mkdir ~/.ssh
$ chmod 700 ~/.ssh
$ ssh-keygen -t rsa

The private key should remain safe and secure on your client host. The public key should be moved to the .ssh directory of the remote host account you want to log in to using key authentication.

Register key to remote host
$ cat id_rsa.pub >> authorized_keys

Executing a command on the remote system

$ ssh host "command"

Using advanced configuration

In order to invoke ssh with any of its advanced configuration options (these are typically set in /etc/ssh/ssh_config or in user configuration per host in ~/.ssh/config) you can use the -o command syntax.

Example

When there are any keys in your .ssh directory, ssh will try those keys against the server you are connecting to. If there are many keys and none is appropriate, you might get a Too many authentication failures error. Use the following command to only use password authentication:

$ ssh -o PreferredAuthentications=password user@host

Local port forwarding

$ ssh -L 8000:localhost:80 host (1)
$ ssh -L 8000:otherhost:80 host (2)
  1. When connecting to localhost:8000 you will get host:80 as if connecting from host

  2. When connecting to localhost:8000 you will get otherhost:80 as if connecting from host

Tip
It is worth noting that local port forwarding always opens a port on localhost, and that you need ssh access to the host in order for the tunnel to be established.

Remote port forwarding

$ ssh -R 8000:localhost:80 host (1)
$ ssh -R 8000:otherhost:80 host (2)
  1. When connecting to host:8000 you will get localhost:80

  2. When connecting to host:8000 you will get otherhost:80 as if connecting from localhost

Note
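The host you are connecting to (host) will need to have GatewayPorts yes in its /etc/ssh/sshd_config for the forwarded port to be reachable from other machines; without it, sshd binds the forwarded port to the loopback address of host only.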

Dynamic forwarding

$ ssh -D 1080 host (1)
  1. Establishes a secure connection with host. In your proxy settings, define localhost:1080 as a SOCKS proxy. Any network requests will be served through this proxy.

Tip
All port forwarding modes open a terminal on the target server. To avoid this, add the -Nf switches. To tear down the tunnel the specific ssh process must be found and killed.

ssh-agent

Its role is twofold. First, it caches your keys, enabling you to provide the passphrase just once. Second, it allows you to use your keys from a second server through agent forwarding, without copying the private key there (more on this later). If ssh-agent is not already running, there are two options to start it:

Launching a new shell from within ssh-agent
$ ssh-agent bash

This will launch a new shell with the agent environment set.

Merging the appropriate environment variables to the current shell
$ eval `ssh-agent -s`

After that, keys should be added to the agent like so:

$ ssh-add ~/.ssh/id_rsa
Tip
~/.ssh/id_rsa is one of the default keys that ssh-add will look for, so it is not necessary to provide this information.

ForwardAgent

Let's assume that you want to log in to host c from host a. To log in to host c you have to use host b as a jump host. On host a, private and public keys exist, and hosts b and c are configured to accept your keys. This will require you to first log in to host b and then to host c, which requires having your private key not just on host a, but on host b as well.

Using forwarding, this can be avoided. Just log in to host c like so:

$ ssh -A hostB
$ ssh hostC
Note
ssh-agent must be running in host a for forwarding to work, and daemons must be configured appropriately.
Tip
The -A parameter can be skipped if .ssh/config is configured like so:
Host hostB
  ForwardAgent yes
Warning
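Using ForwardAgent possibly opens a back door in the host you are logging in to and should be avoided if possible: while the connection is open, anyone on that host who can access your forwarded agent socket can use your keys to authenticate as you. The ProxyCommand presented in a following section is considered a safer option.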
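
To find where agent forwarding is enabled before replacing it with ProxyCommand, the following lists the Host blocks of a client configuration that turn it on. This is an added example, not part of the original page; the function names and the `legacy` host in the constructed sample are assumptions.

```shell
#!/bin/sh
# forwardagent_hosts CONFIG_FILE   (hypothetical helper)
# Lists the Host/Match blocks of an OpenSSH client config that enable agent
# forwarding. Textual check only: Include files are not followed.
forwardagent_hosts() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (!match(line, /^[A-Za-z]+/)) next
            key = tolower(substr(line, 1, RLENGTH))   # keywords ignore case
            val = substr(line, RLENGTH + 1)
            sub(/^[ \t]*=?[ \t]*/, "", val)      # "Key value" or "Key=value"
            sub(/[ \t]+$/, "", val)
            gsub(/"/, "", val)
        }
        key == "host" || key == "match" { block = val; next }
        # Any value other than "no" (yes, a socket path, $VAR) forwards.
        key == "forwardagent" && tolower(val) != "no" {
            print (block == "" ? "(global)" : block)
        }
    ' "$1"
}

# Constructed sample config, reusing the host names from this page.
sample_config() {
    cat <<'EOF'
Host hostB
  ForwardAgent yes

Host c_via_b
  HostName hostC
  ProxyCommand ssh hostB -W %h:%p

Host legacy
  forwardagent=yes
EOF
}
```

Run it as `forwardagent_hosts ~/.ssh/config`; on the sample it reports hostB and legacy, while c_via_b, which reaches hostC through ProxyCommand, is not listed.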

ProxyCommand

Let's assume that you want to establish a connection from host a to host c via host b. This functionality is better realized through configuration. It assumes that the user key that has been installed in host a is accepted in host b and host c.

~/.ssh/config
Host c_via_b (1)
  HostName hostC (2)
  ProxyCommand ssh hostB -W %h:%p (3)
  1. Configures c_via_b

  2. Defines the target host

  3. Uses ProxyCommand to reach hostC through hostB

Log in host C via host B

$ ssh c_via_b
Tip
Intermediate hosts can be added at will!

ServerAliveInterval

When a connection is left idle, it is eligible for closure. This option sets the interval, in seconds, at which a message is sent to the server to keep the connection alive.

sshfs

It is quite simple to mount a filesystem where you have ssh access.

Install sshfs
$ sudo apt-get install sshfs
Add user to fuse group
$ sudo gpasswd -a $USER fuse
Tip
For the new groups to take effect, the user has to log in again.
Mount the remote filesystem
$ mkdir -p ~/mount_point (1)
$ sshfs server:/remote_directory ~/mount_point (2)
Unmount
$ fusermount -u ~/mount_point