Ssh

From ConShell


ssh, or more specifically OpenSSH, is a secure replacement for telnet, rsh, rexec, rcp and more. It even does tunneling (also called port forwarding)!

Keypair generation

Besides regular password authentication, SSH can use public/private keypairs for authentication. To generate a DSA keypair run this command:

 ssh-keygen -t dsa

Note that OpenSSH has disabled DSA (ssh-dss) keys by default since release 7.0, so on a current system use ssh-keygen -t ed25519 (or -t rsa) instead; the agent, keychain and fingerprint commands below work the same way for any key type.

Keychain & Pageant

A great way to leverage keypair functionality is to combine it with keychain or pageant (for PuTTY users). These two applications let you load your private key into memory (after providing the passphrase) and thereafter they handle the authentication, so you won't be prompted for your passphrase over and over when logging into different hosts. It's not ultra-secure, but what kind of convenience is? Note that these two utilities are very similar to what is provided by the ssh-add and ssh-agent commands.

SSH Tunnels - Local and Remote

One of my favorite uses of SSH is port forwarding (or tunneling). This feature makes local TCP ports available remotely, and remote TCP ports available locally. For instance, this is a command I use often to make my CVS repository on host franco available at port 12345 on dango:

 ssh -R 12345:franco:22 dango

The same setup can be configured in .ssh/config or the system-wide /etc/ssh/ssh_config like so.

Host dango
 RemoteForward 12345 franco:22

Once the connection has been established to dango, I can use this configuration to enable access to cvs...

Host cvs
 Hostname localhost
 Port 12345
 HostKeyAlias cvs

The example above is remote port forwarding. It is also possible to do local port forwarding, for example to enable "direct" access to an otherwise locally-inaccessible host called remotehost1:

Host gatewayhost
 LocalForward 12345 remotehost1:22
 HostKeyAlias gatewayhost
Host remotehost1
 Port 12345
 Hostname localhost
 HostKeyAlias remotehost1

Thereafter, ssh remotehost1 should just work anytime the connection to gatewayhost is open.

Note 1: you might have to make sure AllowTcpForwarding is not disallowed (i.e. not set to no) in /etc/ssh/ssh_config. The default is yes.

Note 2: don't expect this to work if remotehost1 does not resolve from the local system. Use IP addresses if necessary.

SSH Proxy

Even cooler than the tunneling described above is a proxy setup. This allows you to ssh directly to hosts that are behind another.

Host *.example.com
  ProxyCommand ssh examplegw exec 'nc %h %p' 2>/dev/null
Host examplegw
  Hostname proxyhost.example.com
  HostKeyAlias examplegw
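The tunnel and proxy blocks above rely on three ssh_config behaviours that are easy to get wrong: every matching Host block contributes, the first value seen for a keyword wins, and HostKeyAlias decides which known_hosts entry a connection is checked against. The small resolver below is an added example, not part of this ConShell page or of OpenSSH itself; it models those rules in Python over a constructed config made from the blocks above, shows what %h and %p expand to in the ProxyCommand, and makes visible why every tunnelled host gets its own HostKeyAlias (without one, remotehost1 and cvs would both be keyed as [localhost]:12345 in known_hosts and the second one would fail host-key verification). Comment handling is simplified to stripping from the first "#".

```python
"""Resolver for the ssh_config Host blocks discussed on this page (added example)."""
import fnmatch

# Constructed sample: the Host blocks from the tunnel and proxy sections above,
# concatenated into one client config.
SAMPLE_CONFIG = """\
Host *.example.com
  ProxyCommand ssh examplegw exec 'nc %h %p' 2>/dev/null
Host examplegw
  Hostname proxyhost.example.com
  HostKeyAlias examplegw
Host gatewayhost
  LocalForward 12345 remotehost1:22
  HostKeyAlias gatewayhost
Host remotehost1
  Port 12345
  Hostname localhost
  HostKeyAlias remotehost1
Host dango
  RemoteForward 12345 franco:22
Host cvs
  Hostname localhost
  Port 12345
  HostKeyAlias cvs
"""


def host_matches(target, patterns):
    """ssh_config Host matching: some positive glob must match and no
    negated (!pattern) glob may match."""
    positive = [p for p in patterns if not p.startswith("!")]
    negated = [p[1:] for p in patterns if p.startswith("!")]
    if any(fnmatch.fnmatchcase(target, p) for p in negated):
        return False
    return any(fnmatch.fnmatchcase(target, p) for p in positive)


def resolve(config_text, target):
    """Return the effective options for `target`.

    Blocks are read top to bottom, every matching Host block contributes,
    and for each keyword the first value obtained wins, so a later block
    cannot override an earlier one. Keywords are lower-cased, values kept
    as strings; comments are stripped from the first '#' (simplified).
    """
    opts = {}
    active = True  # lines before the first Host block apply to every host
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            active = host_matches(target, value.split())
        elif active and key not in opts:
            opts[key] = value
    opts.setdefault("hostname", target)
    opts.setdefault("port", "22")
    return opts


def known_hosts_name(opts):
    """Name under which ssh looks the server's key up in known_hosts.

    HostKeyAlias replaces the hostname outright; without an alias, a
    non-default port is recorded as [hostname]:port.
    """
    if "hostkeyalias" in opts:
        return opts["hostkeyalias"]
    if opts["port"] != "22":
        return "[%s]:%s" % (opts["hostname"], opts["port"])
    return opts["hostname"]


def expand_proxy_command(opts):
    """Expand the %h (remote host) and %p (port) tokens of ProxyCommand into
    the command ssh would run; None when no proxy applies."""
    cmd = opts.get("proxycommand")
    if cmd is None:
        return None
    return cmd.replace("%h", opts["hostname"]).replace("%p", opts["port"])


if __name__ == "__main__":
    for host in ("remotehost1", "cvs", "web1.example.com", "examplegw"):
        o = resolve(SAMPLE_CONFIG, host)
        print("%-18s -> %s:%s  known_hosts key: %-12s proxy: %s"
              % (host, o["hostname"], o["port"], known_hosts_name(o),
                 expand_proxy_command(o)))
```

Running it prints one line per host; the interesting comparison is remotehost1 against cvs, which resolve to the same localhost:12345 endpoint but to different known_hosts keys only because of their HostKeyAlias lines. The real client's `ssh -G hostname` prints the same effective options if you want to cross-check a live config.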
Other useful commands

List SSH keys in memory

This shows the size and fingerprint of any keys loaded into memory.

ssh-add -l
2048 91:4f:37:d0:f2:43:ba:68:70:57:b2:46:3f:23:ee:8a  (RSA)

List SSH key fingerprint

This is useful for corroborating the fingerprint shown by the command above.

ssh-keygen -l -f .ssh/id_rsa
2048 91:4f:37:d0:f2:43:ba:68:70:57:b2:46:3f:23:ee:8a .ssh/id_rsa.pub

.bashrc snippet for ssh-agent

This is the snippet I use in .bashrc so that I get my ssh key loaded and remembered for future bash sessions/shells.

# File where the agent's socket path and PID are saved between shells
# (the original snippet never sets SSH_ENV; this path is assumed).
SSH_ENV="$HOME/.ssh/environment"

function start_agent {
    echo "Initialising new SSH agent..."
    /usr/bin/ssh-agent > "${SSH_ENV}"
    echo succeeded
    # The file names the agent socket; keep it readable only by this user.
    chmod 600 "${SSH_ENV}"
    . "${SSH_ENV}" > /dev/null
    /usr/bin/ssh-add
}

# Source SSH settings, if applicable

if [ -f "${SSH_ENV}" ]; then
    . "${SSH_ENV}" > /dev/null
    # Reuse the saved agent only if that exact PID is still an ssh-agent
    # process (a plain grep on the PID also matches longer PIDs and
    # unrelated commands); otherwise start a fresh one.
    ps -p "${SSH_AGENT_PID:-0}" -o comm= 2>/dev/null | grep -q '^ssh-agent$' || {
        start_agent
    }
else
    start_agent
fi

See Also