SSH Kung Fu

OpenSSH is an incredible tool. Though primarily relied upon as a secure alternative to plaintext remote tools like telnet or rsh, OpenSSH (hereafter referred to as plain old ssh) has become a swiss army knife of functionality for far more than just remote logins.


This is a companion discussion topic for the original entry at http://blog.tjll.net/ssh-kung-fu/

Very nicely done. The remote file editing feature is new to me - very cool.
It’s worth noting that the Tab Completion feature is the product of some sort of unrelated shell level completion and may require additional packages to be installed (such as bash-completion on Debian). Tab completion does not work for ssh by default on Macs.

A couple of other tricks I find useful:
a. The ForwardAgent config option: From the man page “Specifies whether the connection to the authentication agent (if any) will be forwarded to the remote machine.” …basically if you are on hostA and log into hostB using ssh and now want to access hostC (where your pub key from hostA is already set up in authorized hosts (eg: a remote git server)), you needn’t create another set of keys for hostB and then add them to hostC. Simply add “ForwardAgent yes” and your credentials ‘travel’ with you.

b. ssh escapes: From within an ssh session try : ~+h …the most useful escape sequences for me are ~+^Z (suspend ssh) and ~+. (terminate connection – especially if the remote ssh host dies unexpectedly)

No need to use the nice ‘nc’ trick anymore. In recent versions of OpenSSH, you have the -W option that does the same.
So for example, you’d use:

Host finaldest
   Hostname 1.2.3.4
   User root
   ProxyCommand ssh -e none -W %h:119 intermediate

bash-completion can be installed on OS X to get completion of ssh hosts. To get it:

brew install bash-completion

Please stop telling people to use netcat to proxy ssh connections. Use ssh -W instead

All modern SSH clients support this flag and it works infinitely better than netcat.

@vook Thanks! Apparently remote editing works with Emacs as well, I’ll be amending my post to include that trick.

@vook @ford As far as tab-completion goes, I’ve been running under oh-my-zsh so long it’s become hard to tell what requires special configurations, so thank you for the clarification regarding needed packages.

@lonetwin I use agent forwarding heavily and love it. Note that the key also has to be cached client-side with ssh-agent and the ssh daemon must have “AllowAgentForwarding yes”
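Added example (not from the thread or the blog post): a small audit of the ForwardAgent setting in a client ssh_config that flags the option when it applies to every host rather than to one named jump box. It assumes the “Keyword value” layout used in the snippets in this thread; the sample config at the bottom is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit an ssh_config for ForwardAgent.
# While a forwarded agent is connected, root (or anyone with your uid) on the
# remote host can use every key held by your agent, so the option should be
# scoped to the Host stanza that needs it, never to "Host *" or the global
# section. Returns 1 if a wildcard or global stanza forwards the agent.
# Only the "Keyword value" form used in the posts above is recognised.

audit_forward_agent() {
    awk '
        BEGIN { host = "(global)"; wild = 1; bad = 0 }   # global section applies everywhere
        /^[ \t]*(#|$)/ { next }                          # skip comments and blank lines
        tolower($1) == "host" {
            host = ""; wild = 0
            for (i = 2; i <= NF; i++) {
                host = host (i > 2 ? " " : "") $i
                if ($i == "*") wild = 1                  # a "*" pattern matches all hosts
            }
            next
        }
        tolower($1) == "forwardagent" && tolower($2) == "yes" {
            printf "ForwardAgent yes under Host %s%s\n", host, (wild ? "  <-- applies everywhere" : "")
            if (wild) bad = 1
        }
        END { exit bad }
    ' "$1"
}

# Constructed sample config showing both a scoped and a wildcard stanza.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Host gitbox
    ForwardAgent yes
Host *
    ControlMaster auto
    ForwardAgent yes
EOF
audit_forward_agent "$sample" || echo "unsafe: a wildcard stanza forwards the agent"
rm -f "$sample"
```

Run audit_forward_agent ~/.ssh/config against your own file; only the gitbox-style line should remain.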

@lior @speeddymon The -W flag is new to me and makes much more sense than calling an entirely new executable to enable forwarding. I’ll be updating the post to reflect this much better practice.

If you think that ECDSA keys are small wait until you see an ED25519 key. They will probably completely replace ECDSA after they have been around for a few versions.

http://unixwiz.net/techtips/ssh-agent-forwarding.html gives some nice and detailed background explanation of how SSH Agents work.

So I’m not a cryptographer, but I’m pretty sure ec was the random number generator that has holes in it. Not a very good idea to use ECDSA keys then I should think?

Regarding the ~C and ~. combinations you can enter within an open SSH connection:
If you enter ~? you will get a small list of all the different combinations there is, such as:

Supported escape sequences:
 ~.   - terminate connection (and any multiplexed sessions)
 ~B   - send a BREAK to the remote system
 ~C   - open a command line
 ~R   - request rekey
 ~V/v - decrease/increase verbosity (LogLevel)
 ~^Z  - suspend ssh
 ~#   - list forwarded connections
 ~&   - background ssh (when waiting for connections to terminate)
 ~?   - this message
 ~~   - send the escape character by typing it twice
(Note that escapes are only recognized immediately after newline.)

You are thinking of Dual_EC_DRBG which has never had anything to do with ECDSA.

If you use SSH and vim, you might be interested in bcvi which allows you to just type ‘vi filename’ in your ssh session on the remote host and have the file open in an editor on your workstation.

Thank you for this great list.

You can extend the Sharing Connection trick to all your hosts by adding this at the beginning of your config file

Host *
   ControlMaster auto
   ControlPath ~/.ssh/master-%r@%h:%p

Once you get used to that you can’t go back!
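Added example, not from the thread: a check that the directory holding the ControlMaster sockets (~/.ssh for the ControlPath above) is owned by you and closed to group and other, since anyone who can open that socket rides on your already-authenticated connection. The temporary directory it demonstrates on is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): check the directory that holds your
# ControlMaster sockets. Anyone who can open the socket named by ControlPath
# gets a session on your already-authenticated connection, so the directory
# must be yours and closed to group/other (mode 700). Returns 0 if it is.

check_controlpath_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "NO: $dir is not a directory"
        return 1
    fi
    # Parse owner and mode portably from ls -ld, e.g. "drwx------ 2 alice staff ...":
    line=$(ls -ld "$dir")
    perms=$(printf '%s\n' "$line" | cut -c5-10)      # group and other permission bits
    owner=$(printf '%s\n' "$line" | awk '{print $3}')
    me=$(id -un)
    if [ "$owner" != "$me" ]; then
        echo "NO: $dir is owned by $owner, not $me"
        return 1
    fi
    if [ "$perms" != "------" ]; then
        echo "NO: $dir is open to group/other ($perms); fix with: chmod 700 $dir"
        return 1
    fi
    echo "OK: $dir is private to $me"
    return 0
}

# Demonstration on a constructed temporary directory: first too open, then fixed.
tmp=$(mktemp -d)
chmod 755 "$tmp"
check_controlpath_dir "$tmp" || echo "(expected: rejected while mode 755)"
chmod 700 "$tmp"
check_controlpath_dir "$tmp"
rmdir "$tmp"
```

For the config above, run check_controlpath_dir ~/.ssh.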

Indeed a great list. I never knew so many things about SSH, though I have been using it for a long time. This is what I call fundamental building, a must-read tutorial for everyone, bookmarked in my list of favorite blogs.

Great compilation of useful tips, thanks. I am using most of these options (and replaced my nc usage with the -W option). I suggest another one, in relation to the socks proxying, which is great but only works with SOCKS-enabled apps. The great sshuttle application is a transparent proxy-based VPN using ssh: relying on dynamic iptables trickery, it creates a VPN through an ssh connection. You launch the application as root on the client side, it transfers some Python code to the server side (where you do not have to have any specific admin rights) and you get a VPN. It saves my life on a daily basis.