Getting the Most Out of SSH
jfruh writes "If you have to administer a *nix computer remotely, you hopefully ditched Telnet for SSH years ago. But you might not know that this tool does a lot more than offer you a secured command line. Here are some tips and tricks that'll help you do everything from detect man-in-the-middle attacks (how are you supposed to know if you should accept a new host's public key, anyway?) to evading restrictions on Web surfing."
What are your own favorite tricks for using SSH?
If you're still using telnet to administer anything that offers SSH, you should probably choose another field to work in.
Well to be fair not everyone had SSH when they were 16 years old...
I was 16 once, and I would try to figure out how to do all the cool new tricks that my new system has... As we get older we get in a groove (mostly due to the fact that we are paid to do a particular job, and if we spend too much time finding something new and cool, it would prevent us from getting things done by our estimated time).
And after 8+ hours of work when we get home the last thing we want to do is more work.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
Traffic pattern matching over SSL. A web session over an SSL connection looks very different than an ssh tunnel session over SSL, not to mention the length of life of the socket. It's trivial to have the firewall identify the ssh connection over port 443 and disconnect it in the first few seconds of the session based purely on the pattern of the traffic regardless of content.
The Master (Angelo Rossitto) in Mad Max Beyond Thunderdome, "Not shit, energy!"
To be fair, I'm sure there are sixteen year olds reading /.
I don't expect every article to be useful to me. Not sure why you would expect that.
I haven't read the article - I think I'm familiar enough myself with ssh - but as long as the info is accurate, I'd imagine it's a useful tutorial for folk getting into Linux.
Get real SSH tips from people complaining (rightly or not) that it doesn't contain any actual advice.
I'd love to see stuff like that as well as:
OpenSSH signed certificates (Not X.509) and TrustedUserCAKeys options and their usage. This way, I can hand a new cow-orker signed ssh host keys and assuming he or she knows enough not to just blindly replace a key if it isn't right, will minimize the chance of a MITM attack.
Revoking SSH keys.
Using SSHGuard to lock out brute force attempts.
Proper configuration of the sshd_config file. Stuff like only allowing root in via RSA keys (or blocking root access entirely.)
Auditing logs to know that key "A" ssh-ing to root is from user Alice, and key "B" is from Bob, so that one can tell who just wiped out the wrong filesystem come an inquiry.
Running sshd as a user, not as root.
Getting a backup program like NetBackup to form an ssh tunnel, do the backup, then close down the connection cleanly.
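For the log-auditing item in the list above (key "A" is Alice, key "B" is Bob), here is an added example that is not part of the original thread. It assumes OpenSSH's `Accepted publickey ... SHA256:` log lines and that each `authorized_keys` entry carries its owner in the comment field; the key blobs, hostnames and addresses are constructed placeholders.

```python
import base64
import hashlib
import re

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}
ACCEPTED = re.compile(
    r"Accepted publickey for (\S+) from (\S+) port \d+ ssh2: \S+ (SHA256:\S+)")

def fingerprint(blob_b64):
    """Fingerprint as sshd logs it: unpadded base64 of SHA-256 over the key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def load_owners(authorized_keys_text):
    """Map fingerprint -> comment field, skipping any leading options field."""
    owners = {}
    for line in authorized_keys_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        for i, tok in enumerate(fields[:-1]):
            if tok in KEY_TYPES:
                owners[fingerprint(fields[i + 1])] = " ".join(fields[i + 2:]) or "(no comment)"
                break
    return owners

def attribute_logins(log_text, owners):
    """Return (account, source, key owner) for every accepted public-key login."""
    hits = []
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if m:
            account, source, fp = m.groups()
            hits.append((account, source, owners.get(fp, "UNKNOWN KEY")))
    return hits

# Constructed sample data: the blobs are placeholder bytes, not real keys.
KEY_A, KEY_B, KEY_X = (base64.b64encode(s).decode() for s in
                       (b"constructed-key-A", b"constructed-key-B", b"constructed-key-X"))
SAMPLE_KEYS = (f"ssh-ed25519 {KEY_A} alice@laptop\n"
               f'from="192.0.2.0/24" ssh-ed25519 {KEY_B} bob@desk\n')
SAMPLE_LOG = "\n".join([
    f"Jan 10 09:14:02 db1 sshd[1201]: Accepted publickey for root from 192.0.2.10 port 51234 ssh2: ED25519 {fingerprint(KEY_A)}",
    "Jan 10 09:20:41 db1 sshd[1219]: Failed password for root from 203.0.113.5 port 40022 ssh2",
    f"Jan 10 09:31:17 db1 sshd[1240]: Accepted publickey for root from 192.0.2.11 port 51302 ssh2: ED25519 {fingerprint(KEY_B)}",
    f"Jan 10 10:02:55 db1 sshd[1302]: Accepted publickey for root from 198.51.100.7 port 44810 ssh2: ED25519 {fingerprint(KEY_X)}",
])

if __name__ == "__main__":
    for hit in attribute_logins(SAMPLE_LOG, load_owners(SAMPLE_KEYS)):
        print(*hit)
```

A login whose fingerprint is not in the map comes back as `UNKNOWN KEY`, which is the line worth investigating first.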
I'd never used tmux. I've officially learned more from /. comments than the actual articles. Thanks!
Supplies!
OP should be -1 overrated. You jerks who keep saying things like "everyone is doing X because I am" or "this isn't new" or "this isn't important" really need to STFU. There are people coming into the world all the time who haven't learned what you learned or had the same experiences that you do. Much of what you learned from is buried now under mountains of information and it's very often not clear where people should start from. So sit down, shut up and let others learn, otherwise all you will do is scare them away so that they never will. Not everything is some conspiracy to generate ad revenue.