Ssh: Difference between revisions
No edit summary |
No edit summary |
||
| Line 2: | Line 2: | ||
__NOTOC__ | __NOTOC__ | ||
ssh, or more specifically [http://www.openssh.org/ OpenSSH] is a secure replacement for telnet, rsh, rexec, rcp and more. It even does tunneling (also called port forwarding)!. | ssh, or more specifically [http://www.openssh.org/ OpenSSH] is a secure replacement for telnet, rsh, rexec, rcp and more. It even does tunneling (also called port forwarding)!. | ||
== Keypair generation == | == Keypair generation == | ||
Besides regular password authentication, SSH can use public/private keypairs for authentication. To generate a DSA keypair run this command: | Besides regular password authentication, SSH can use public/private keypairs for authentication. To generate a DSA keypair run this command: | ||
ssh-keygen | ssh-keygen | ||
== Keychain & Pageant == | == Keychain & Pageant == | ||
| Line 60: | Line 61: | ||
2048 91:4f:37:d0:f2:43:ba:68:70:57:b2:46:3f:23:ee:8a .ssh/id_rsa.pub | 2048 91:4f:37:d0:f2:43:ba:68:70:57:b2:46:3f:23:ee:8a .ssh/id_rsa.pub | ||
=== | === ssh-agent === | ||
This is the snippet I use in .bashrc so that I get my ssh key loaded and remembered for future bash sessions/shells. | This is the snippet I use in .bashrc so that I get my ssh key loaded once and remembered for future bash sessions/shells. From http://mah.everybody.org/docs/ssh | ||
function start_agent { | function start_agent { | ||
| Line 73: | Line 74: | ||
# Source SSH settings, if applicable | # Source SSH settings, if applicable | ||
if [ -f "${SSH_ENV}" ]; then | if [ -f "${SSH_ENV}" ]; then | ||
. "${SSH_ENV}" > /dev/null | . "${SSH_ENV}" > /dev/null | ||
Revision as of 15:50, 1 April 2020
ssh, or more specifically OpenSSH is a secure replacement for telnet, rsh, rexec, rcp and more. It even does tunneling (also called port forwarding)!.
Keypair generation
Besides regular password authentication, SSH can use public/private keypairs for authentication. To generate a DSA keypair run this command:
ssh-keygen
Keychain & Pageant
A great way to leverage keypair functionality is to combine it with keychain or pageant (for putty users). These two applications let you load your private key into memory (after providing the passphrase) and thereafter, they handle the authentication so you won't be prompted for your passphrase over and over when logging into different hosts. It's not ultra-secure, but what kind of convenience is? Note that these two utilities are very similar to what is provided by the ssh-add and ssh-agent commands.
SSH Tunnels - Local and Remote
One of my favorite uses of SSH is port forwarding (or tunneling). This features makes local TCP ports available remotely, and remote TCP ports available locally. For instance, this is a command I use often to make my CVS repository on host franco available at port 12345 on dango.
ssh -R 12345:franco:22 dango
The same setup can be configured in .ssh/config or the system-wide /etc/ssh/ssh_config like so.
Host dango RemoteForward 12345 franco:22
Once the connection has been established to dango, I can use this configuration to enable access to cvs...
Host cvs Hostname localhost Port 12345 HostKeyAlias cvs
The example above is remote port forwarding. It is possible to do a local port forwarding. For example, to enable "direct" access to an otherwise locally-inaccessible host called remotehost1.
Host gatewayhost LocalForward 12345 remotehost1:22 HostKeyAlias gatewayhost Host remotehost1 Port 12345 Hostname localhost HostKeyAlias remotehost1
Thereafter, ssh remotehost1 should just work anytime the connection to gatewayhost is open.
Note1: might have to make sure AllowTcpForwarding is not disallowed (i.e. not No) in /etc/ssh/ssh_config. The default is yes.
Note2: Don't expect this to work if remotehost1 does not resolve from the local system. Use IP addresses if necessary.
SSH Proxy
Even cooler than the tunneling described above is a proxy setup. This allows you to ssh directly to hosts that are behind another.
Host *.example.com ProxyCommand ssh examplegw exec 'nc %h %p' 2>/dev/null
Host examplegw Hostname proxyhost.example.com HostKeyAlias examplegw
Others useful commands
List SSH keys in memory
This shows the size and fingerprint of any keys loaded into memory.
ssh-add -l 2048 91:4f:37:d0:f2:43:ba:68:70:57:b2:46:3f:23:ee:8a (RSA)
List SSH key fingerprint
This is useful to corroborate against the command above.
ssh-keygen -l -f .ssh/id_rsa 2048 91:4f:37:d0:f2:43:ba:68:70:57:b2:46:3f:23:ee:8a .ssh/id_rsa.pub
ssh-agent
This is the snippet I use in .bashrc so that I get my ssh key loaded once and remembered for future bash sessions/shells. From http://mah.everybody.org/docs/ssh
function start_agent {
echo "Initialising new SSH agent..."
/usr/bin/ssh-agent > "${SSH_ENV}"
echo succeeded
chmod 600 "${SSH_ENV}"
. "${SSH_ENV}" > /dev/null
/usr/bin/ssh-add;
}
# Source SSH settings, if applicable
if [ -f "${SSH_ENV}" ]; then
. "${SSH_ENV}" > /dev/null
ps -ef | grep ${SSH_AGENT_PID} | grep ssh-agent$ > /dev/null || {
start_agent;
}
else
start_agent;
fi