Getting the Most Out of SSH

jfruh writes "If you have to administer a *nix computer remotely, you hopefully ditched Telnet for SSH years ago. But you might not know that this tool does a lot more than offer you a secured command line. Here are some tips and tricks that'll help you do everything from detect man-in-the-middle attacks (how are you supposed to know if you should accept a new hosts public key, anyway?) to evading restrictions on Web surfing." What are your own favorite tricks for using SSH?

InfoWorld at it again

[MasterMan]

Seriously, anyone who uses SSH knows about things like proxying your connection via the connection and X11 forwarding. This is nothing new. This is just InfoWorld getting backlinks and traffic from Slashdot once again. Hell, I knew about these things when I was 16 and so did every other guy I knew who ever had used SSH.

Re:InfoWorld at it again

[MasterMan]

The best thing is that there isn't really even "16 tricks". Most of them are about the same things, like the first randomart images. And then, we are taught how to use screen, like it somehow matters that it is over remote connection!

Re:InfoWorld at it again

[buchner.johannes]

My favorite trick is
1) have a server on the internet, let someone ssh -R their port 22 there
2) connect to that server too with ssh -L putting their port 22 on the local port 8022
3) Now you have a peer-to-peer ssh (with -Y), and you can run graphical applications remotely.

Re:InfoWorld at it again

[Anrego]

Indeed. And that was the closest thing to an "ultimate hack". Everything else was basic intro to Linux type stuff.

That and the randomart stuff was very poorly explained. Personally I think that feature is pointless anyway. If you are in a position where you feel you might actually get a MiM attack.. copy the key onto a USB stick.

Re:InfoWorld at it again

[Dwedit]

It does matter though. Didn't use screen? Lost a connection? Your processes are terminated. Linux sucks in that regard, you need to know about the hangup "feature" that immediately kills your processes when the terminal dies.

Re:InfoWorld at it again

[hcs_$reboot]

The 16 tricks are pretty high level, while some people still don't know that 'PermitRootLogin' in sshd_config is set to 'yes' by default...

Re:InfoWorld at it again

[tangent3]

That's what nohup is for

Re:InfoWorld at it again

[jellomizer]

Well to be fair not everyone had SSH when they were 16 years old...

I was 16 once, and I would try to figure out how to do all the cool new trick that my new systems has... As we get older we get in a groove (mostly due to the fact that we are paid to do a particular job, and if we spend too much time finding something new and cool would prevent us from getting things done by are estimated time)

And after 8+ hour of work when we get home the last thing we want to do is more work.

Re:InfoWorld at it again

[GameboyRMH]

Yep I shoulda looked before I clicked...nothing non-obvious here folks, move along.

Here's an actual handy tip: You can make your RSA keyfiles also act as shellscripts for the connection, so you only need to carry 1 file to open the connection from any *nix machine.

To do it, just prefix your keyfile (say it's called ssh_my_server) like this:

#! /bin/sh
ssh user@hostname -i ssh_my_server
exit

----------BEGIN RSA PRIVATE KEY--------
(key goes here, use 4096-bit key for extra l33tness)

Make the file executable and now you can open the connection just by cd'ing to it and running it.

Re:InfoWorld at it again

[syzler]

I generally prefer the apps on my desktop rather than the remote apps. "ssh -D 8080 " will start a SOCKS4/SOCKS5 server running on your local port 8080 and proxy the connections out the remote side. This allows all of your SOCKS enabled applications on your local workstation to make use of the tunnel without having to setup a one to one port mapping.

Re:InfoWorld at it again

[MasterMan]

It does matter though. Didn't use screen? Lost a connection? Your processes are terminated. Linux sucks in that regard, you need to know about the hangup "feature" that immediately kills your processes when the terminal dies.

Yes, but this isn't even explained in the article!

Re:InfoWorld at it again

[Albanach]

Hell, I knew about these things when I was 16 and so did every other guy I knew who ever had used SSH.

To be fair, I'm sure there are sixteen year olds reading /.

I don't expect every article to be useful to me. Not sure why you would expect that.

I haven't read the article - I think I'm familar enough myself with ssh - but as long as the info is accurate, I'd image it's a useful tutorial for folk getting into Linux.

Re:InfoWorld at it again

[icebraining]

Using sshuttle, the applications don't even need to support SOCKS; it proxies all traffic over SSH.

Re:InfoWorld at it again

[nschubach]

In my opinion, I think it might be a better idea to kill the errant job if the controller/user gets disconnected than to continue with a job that may need a followup command that may never come, possibly leaving the server in an unusable state. So you have a choice of trusting the user or having the user say explicitly, "trust me, this is what I want to happen (screen/nohup)... even if I get disconnected."

Re:InfoWorld at it again

[dingen]

Which distro comes with an enabled root user these days?

Re:InfoWorld at it again

[marcosdumay]

The GP is certainly asking for a default screen session evey time he does SSH, emulating what he gets on Windows.

Oh, well, most people prefer the option of choosing what session to use when they connect, thus things don't get linked the way he wants, but it is easy enough to set ssh to execute "screen -r" when one connects... The GP needs only to RTFM (the first line of it).

Re:InfoWorld at it again

[marcosdumay]

Not on Debian.

Re:InfoWorld at it again

[Skuld-Chan]

I know about a lot of stuff like this too, but when I was 16 the internet didn't really exist the way it is today. I remember using telnet and rsh for everything for example.

Re:InfoWorld at it again

[allo]

[exec] screen -r on the remote shell or ssh screen -r ... mostly the same stuff, and already covered later by "directly running commands via ssh".

And to easily edit known_hosts there is an easy vim trick: vim .ssh/known_hosts +line_no (opens vim, jumps to line #line_no)

Re:InfoWorld at it again

[hcs_$reboot]

To be honest I don't know, but these man pages show
PermitRootLogin
Specifies whether root can log in using ssh(1). The argument must be "yes", "without-password", "forced-commands-only" or "no". The default is "yes".

Re:InfoWorld at it again

[Anrego]

Wow. Thanks!

And yeah.. that was more useful and more worthy of being called an "ultimate hack" then everything in this lame article combined.

Re:InfoWorld at it again

[Anrego]

Problem is the article is all over the place. It lists basic "intro to linux 101" stuff right next to "security paranoid enterprise server admin" stuff (which is does a very bad job of explaining anyway).

There are plenty of good "intro to SSH" articles and plenty of good "advanced SSH tricks" articles out there. This is just trash.

Re:InfoWorld at it again

[nine-times]

Well good for you. You're a 1337 h4x0rz, I guess. There are still some people in the world who are just getting their feet wet.

Re:InfoWorld at it again

[Sancho]

On the sshd_config which ships with FreeBSD has this disabled.

Re:InfoWorld at it again

If you don't spend time learning cool, new things (IOW other stuff, not always cool or even new), you may one day find yourself without 8+ hours of work. Never, ever feel secure in your job. Eventually there'll be layoffs, or a purchase, or a merger, and even if you're the best engineer there, you may still get sacked. And when you do, you'l realize that the world passed you by. And in the tech universe, that can happen in a matter of months, not years or decades.

Re:InfoWorld at it again

[miknix]

What about unlimited encrypted storage?

you need TCP forwarding enabled in your sshd_config, then

ssh -L localhost:2222:localhost:2222 localhost
$ echo "data you wanna save" | nc localhost 2222

# or if you want to backup your hdd, try:
$ cat /dev/sda1 | nc localhost 2222

# the data will be forwarded forever in the loopback link at no cost until you read it back:
$ nc localhost 2222 > hdd-backup.bin

# profit!

Re:InfoWorld at it again

[dc29A]

Ubuntu has a root user.

Re:InfoWorld at it again

[hawkinspeter]

However, it doesn't have a valid password for root, so you won't be able to login remotely as root unless you've set up key authentication.

Re:InfoWorld at it again

[buglista]

That's dated September 1999. Anything current and sane has root login turned off by default.

Re:InfoWorld at it again

[CBravo]

and you can, for the sake of being able to rename your keyfile, replace the word ssh_my_server with ${0}. .

Re:InfoWorld at it again

[dylan_-]

My mistake, then. I'd heard they'd gone the same route as OS X (incorrectly, it appears). Apologies to all.

Nope, you heard correctly. The bit you're mistaken about is that OS X also has a root user. In both cases, the account is "locked" (no matchable password is set). Set a password for the root user and it works as normal.

Re:InfoWorld at it again

[strikethree]

Or... the computer could keep the jobs going and allow you to reconnect to them when you are finally able to reconnect to the computer... I am unsure why that is not a part of job control already. Unix sure can be weird sometimes.

Re:InfoWorld at it again

[GameboyRMH]

I was just wondering if there was a way to self-reference the filename, thanks.

Re:InfoWorld at it again

[tqk]

Just curious; I haven't tried it. Does it then ask you for your passphrase?

So, if I wander past your workstation and see an unsecured shell prompt, can I just do:

find $HOME -type f -exec grep ssh {} \;

then run that script, and I'm in?

Re:InfoWorld at it again

[GameboyRMH]

It will ask for your passphrase if the keyfile is passphrased. If it's not, then it won't, and indeed it would be more dangerous if lost or stolen than a keyfile alone.

Re:InfoWorld at it again

[Zeromous]

Having seen Primer, this backup technique is more than a little disconcerting.

Re:InfoWorld at it again

[kangsterizer]

and thats why /. readers arestill better than the likes of HN (which has TFA once a week as top story)

heck some even just read man and that's that (holy cow all the secrets are clearly explained when you RTFM!)

Re:InfoWorld at it again

[roman_mir]

Well, with iptables for example you can do

iptables -I INPUT -p tcp -m tcp -s xxx.xxx.xxx.xxx --dport 8022 -j ACCEPT
iptables -I INPUT -p tcp -m tcp -s 0.0.0.0/0 --dport 8022 -j DROP

with pf:

block in all
block out all ...
pass in log inet proto tcp from xxx.xxx.xxx.xxx to $ext_if port ssh
pass out log inet proto tcp from any to $ext_if port ssh

or something similar depending on the versions of the tools.

Re:InfoWorld at it again

[Wolfrider]

--Actually, if you forget nohup, you can still use " disown "... FYI ;-)

Re:InfoWorld at it again

[doom]

Hell, I knew about these things when I was 16 and so did every other guy I knew who ever had used SSH.

Your circle of acquaintances is not wide. When I was 16 ssh didn't exist yet.

Don't object to stating the obvious if it's correct and useful.

Re:InfoWorld at it again

[mattventura]

If you only need to do something basic like delete a specific line number, then there's an even easier way: just use sed. If you know you want to delete line 10, then just do "sed -i 10d .ssh/known_hosts"

Re:InfoWorld at it again

[kiore]

SSH didn't even exist when I was 16 (nor 32, for that matter) but I have used it most days since the late 1990s.

Keep your mind open and new tricks and tools will find their way in then use the maturity gained by experience to filter out the dross and keep the ones that are useful to you.

Re:InfoWorld at it again

[deek]

You are correct. Try using the following instead:

iptables -I OUTPUT -p tcp -d localhost --dport 8022 -m owner ! --uuid-owner me -j REJECT

Obviously change the owner name to whatever login name you use.

Re:InfoWorld at it again

[DarwinSurvivor]

tsocks can be used to add SOCKS support to anything.

Re:InfoWorld at it again

[DarwinSurvivor]

Set up ssh keys (takes 10 seconds) and never worry about such things again.

Re:InfoWorld at it again

[enoz]

The full horror of the GP's post was only revealed to me after you mentioned Primer.

Re:InfoWorld at it again

[Zeromous]

I personally thought it would be worth more Karma.

Re:InfoWorld at it again

[Electricity+Likes+Me]

Yeah but in that case you can't actually get back to the console session, which is principally what screen is good for.

Re:InfoWorld at it again

[terbeaux]

Maybe you and the author of screen have something in common. "Toss this in your ~/.bash_profile so that you never have that "oh crap" moment where you wanted to run something in screen and didn't." http://www.commandlinefu.com/commands/view/2035/set-your-profile-so-that-you-resume-or-start-a-screen-session-on-login

Re:InfoWorld at it again

[geminidomino]

Never seen Primer, but my mind went right to the ST:TNG episode "Relics"...

Re:InfoWorld at it again

[Elrond,+Duke+of+URL]

Even better is the screen/tmux wrapper called byobu (https://launchpad.net/byobu). It puts a nice face on screen (and now also tmux) and greatly simplifies basic usage. It also has a large selection of status notifications that can be displayed on the bottom one or two lines of your terminal which show things like the current screens, load, time, etc.

The default key mapping uses the function keys for the most common commands. For example, F2 for a new window, F3/F4 for previous/next window, and so on. It provides a wrapper around the session handling as well, so that, in general, you can almost always just run "byobu" and get your session back or start a new one if there is none existing. And if it finds that you have more than one session running, it will ask you which one to connect to.

In the configuration menu (F9), the last item allows you to toggle auto-launching at login. Select it and it will add a line to the end of your shell's profile file to start byobu when you login.

Development has been proceeding at a very rapid pace over the past year and the feature set it quite nice. Recently, the default backend was switched from screen to tmux, but because byobu is a wrapper on top of those programs, I didn't need to learn a new set of keys... though it did help to read up on tmux to see what it could/couldn't do as compared to screen. For the most part, the change was transparent, though tmux only does one status line at the bottom of the terminal versus the two that you had with screen. One of the nicest changes is that tmux can determine what command you are executing in a window and it shows this in place of a window's generic title in the status line. Screen could do this too, but you had to jump though some hoops, change your shell prompt, and it didn't always work.

Anyway, with the additions byobu brings to screen/tmux, I always have it running which has the added benefit that in the (these days, not very likely) event of SSH dropping my connection, nothing is lost. I usually use it in local terminals too, so if X or my terminal ever crashes for some odd reason, I'm saved there, too.

Re:InfoWorld at it again

[semi-extrinsic]

Personal favourite: If you have machines on a LAN that are only exposed to that LAN, but there is one "gateway" machine that you can ssh to from the internet: use ProxyCommand, and you can ssh "directly" to the machines on the LAN even from the internet! Put the following in your .ssh/config:

Host gate1
Hostname 128.141.81.163
User joe

Host local12
Hostname 192.168.1.12
User joe
ProxyCommand ssh -e none gate1 exec netcat -w 5 %h %p

You can now ssh to "local12" just by typing "ssh local12", whether you are on the LAN or not.

Re:InfoWorld at it again

[cr_nucleus]

Word of advice for would be users of this technique, please generate a specific private key to carry around.
It will be less problematic the day you lose your thumb drive.

Re:InfoWorld at it again

[Arrepiadd]

Maybe a bit late, but OpenSUSE as of 11.4 still had "PermitRootLogin yes" by default. Haven't checked for later versions...

Re:InfoWorld at it again

[Miqlo]

Haven't commented here for a long time, but to this I must reply to point out something that is not immediately obvious; with SSH X11 forwarding you had better be sure that you trust whoever has root access in the other end because they can quite easily fully hijack your X-session and gain potentially unlimited access to your system.

Miq

Re:InfoWorld at it again

[Lord+Apathy]

--Actually, if you forget nohup, you can still use " disown "... FYI ;-)

Hello new command. Thank you for showing me this one. Don't just love those moments when you learn something new like this and just say "sweet?" This is one of those moments.

Re:InfoWorld at it again

[Lord+Apathy]

Maybe a bit late, but OpenSUSE as of 11.4 still had "PermitRootLogin yes" by default. Haven't checked for later versions...

I just checked with OpenSuse 12.1. It has "PermitRootLogin yes" but its commented out. I'm assuming that is the same as "PermitRootLogin no" but not going to take any chances. I uncommented it and changed the yes to no anyway.

Re:InfoWorld at it again

[stridebird]

Quite right. I was certainly over 16 when I first used SSH. In fact, I thought I was late to the party, but I have just read the wikipedia page on SSH and there it is: first released in 1995. So basically, it's only 17 year olds that can say this. Like the GP.

Re:InfoWorld at it again

[jellomizer]

OK, the official title for this phenomena is "Opportunity Costs".

When you are 16 there are less risks in life so your "Opportunity Costs" are more level. You choose to learn SSH vs. Hanging out with your friends when you are 16 doesn't have much weight, as you can do both, or the risk of not doing one for the other doesn't cause a major (short term) problem.

When you are 35, learning SSH vs. Getting your work load done. Does give you a different weights for your Opportunity, SSH you may be able to Google later if you need to master it, but you need to get your work done now or you will not get paid. There are weights and more severe consequences for choosing one option or the other.

If you have to buy your own food, shelter and a family that needs food and shelter too. You need to balance your time on knowing what you should learn and what you need to do.

Re:InfoWorld at it again

[Arrepiadd]

It's the same as in 11.4.
Whatever is commented out keeps the default behavior. As already mentioned in this thread, the default is allowing root logins. Your change to "No" prevents root access (provided you restarted the SSH daemon). Of course you can use "without-password" to allow ssh-key based access to root, if you still have a need for it.

Re:InfoWorld at it again

[allo]

yeah, but then i can copy&paste the suggested ssh-keygen commandline as well. often i want to see the actual line and maybe the next (which is often the same hostkey but this time for the ip and not for the hostname).

Re:InfoWorld at it again

[thereitis]

Nice tip. You can improve on it like this:

#! /bin/sh
ssh user@hostname -i $0
exit

The $0 (dollar-zero) expands to the name of your script (including path) so you don't need to be in the same directory. Now add $HOME/.ssh to your PATH and you can run it from anywhere.

Hopefully?

[Enry]

If you're still using telnet to administer anything that offers SSH, you should probably choose another field to work in.

Re:Hopefully?

[hcs_$reboot]

well I occasionally use 'telnet host 25' to test the smtp port

Re:Hopefully?

[buchner.johannes]

Telnet has a protocol. Look at socat and netcat. Socat supports ssl, you can check your smtps server port.

Re:Hopefully?

[vlm]

Port 110 is trivially tested by hand... port 80 also.

Re:Hopefully?

[CubicleZombie]

I've worked in organizations where, because you can tunnel over SSH, it was banned and blocked over the network. Everything had to be done with Telnet instead. I'm not joking. That is probably what started my loathing of net admins.

Re:Hopefully?

[hcs_$reboot]

So, when I want to check if the port 25 is not blocked (firewall at ISP...) and is opened, instead of a simple 'telnet host 25' followed by ^D or ^C, I should write a C++ (may I use C for that, please?) program that does the same thing? You do know that some people already wrote some commands for that, right?

Re:Hopefully?

[Junta]

When I see someone testing port 25 or 80, it's usually nothing more than a liveness test. Not worth the overhead of writing a program to open a socket and read and write data. perl/python is a tad more accessible, but still for a once in a blue moon use is generally more trouble than it's worth.

Re:Hopefully?

[lcam]

There may be reasons to use telnet over SSH. Challenge the assumption that it's always better to encrypt communications rather then let someone listen in.

That being said, your presumption is normally right; ISP administrators who block SSH and only allow file transfer by FTP fall into the same category. They should be fired.

Re:Hopefully?

MasterMan (2603851) - You do know that you can use real programming language like C++ for that, right?

C++ programmers are truly masters of the universe. I salute you sir for taking hours and object oriented wizardry to do what most programmers would do in 5 mins with a short script.

Re:Hopefully?

[Darinbob]

Ha, I'm still using rlogin!

Re:Hopefully?

[unixisc]

In college, I used to use that - rsh or rlogin. That was for accessing other hosts on campus, though.

Re:Hopefully?

[Galactic+Dominator]

Telnet isn't, it only works "by accident" because the protocol is similar enough to plain text to work sometimes.

Bullshit. It was designed that way. And I can prove it, unlike your assertion.

http://tools.ietf.org/html/rfc15

Re:Hopefully?

[kwark]

smtps was deprecated years ago (not that I agree). You should use:
openssl s_client -starttls smtp -connect host:(25|587)
Something socat doesn't appear to support (that's a first).

Re:Hopefully?

[bzipitidoo]

And in 2002, when I was contracting for the government, I needed some data that was stored on a government server. They set up a user account for me and rather than email the password to me, called to tell it to me over the phone, because they felt that was more secure than email.

The joke was that I was to connect via telnet. They didn't have ssh on that server. They didn't even have some kind of secure telnet that would at least try to encrypt the password. Just plain old telnet, with the password transmitted in the clear.

Re:Hopefully?

[steveb3210]

Telnet is wide open to a MITM attack - besides just sniffing the password, suppose you have a shell open - then a MITM hijacking your TCP session could write an arbitrary rlogin file.

My professor for the computer security class at my college demoed this exact scenario - its not a safe protocol.

Re:Hopefully?

[DrgnDancer]

Wait wha? I mean, I can see blocking it on outgoing ports in the firewall so that you can't tunnel to the outside world, but blocking it internally? Besides, it's trivial to set SSH to listen on port 23 and viola. New tunneling setup.

Re:Hopefully?

[jd]

Hardware encryption is still not widely available and Linux support for it where it does exist isn't great (drivers belong in the kernel, especially drivers you need a high level of security for, but there's so much antipathy towards encryption in the kernel that hardware drivers that merely happen to involve encryption have a very hard time of it).

As such, SSH is more CPU-intensive (unnecessarily, since a chip could offload the CPU-intensive part of the workload), which means there will be times when SSH is exactly the wrong thing to use. If you're running a Linux box in as close to hard realtime mode as possible, your admin activities must have as light a fingerprint as possible. Yes, ideally hardware encryption would be widely available and widely used, then SSH would be viable in those situations as it would be no more disruptive than any other protocol but provide the security other protocols do not.

The other case to consider is end-to-end IPSec. What is the point in encrypting traffic twice? The obvious advantage of IPSec is that everything is encrypted, from start to finish, including protocols that don't have any support for encryption. Everything is protected. Ok, not many people run all LAN and extranet connections over p2p IPSec, but they could. What does SSH buy you in those cases? If anything, there's a lot of skepticism in the crypto community towards stacking encryption because that's a much-less scrutinized case and therefore potentially less secure.

Re:Hopefully?

[Enry]

CPU-based encryption is hard, but there's ports like HPN-SSH that works to keep the connection fast while making sure the authentication still happens in a secure manner.

My team maintains a system that has a few hundred people logged in at any time, both for interactive connections to our HPC cluster, but also to send data in and out. All of it goes over SSH and the CPUs are rarely breaking a sweat to keep up - it's usually the storage that is lagging.

Re:Hopefully?

[sydneyfong]

Emails are cached in a lot of intermediate servers and stuff. The logs are routinely backed up. Undelivered emails get forwarded to all sorts of addresses and admins. Even if nobody was maliciously scooping on you, the passwords could land on some random person's hands.

It *is* more secure over the phone in that sense.

And it's not a common practice to log down telnet traffic. Anyone who gets your telnet password is probably sniffing maliciously.

Not to say it's a sane policy to use telnet, but there are these differences in "levels" of safety (both levels are of course very very low). To a security conscious person it may be equivalent, but practically you have less chance a random John Doe will get your password this way. Maybe it matters, don't ask me....

Re:Hopefully?

[jd]

Agreed. Those tend to be thinner on the ground, though, which is incredibly annoying. There's also a lot less awareness of acceleration patches and ports, which I suspect has led to a lower adoption level than would have otherwise been the case. I can't remember the last person I talked to who was aware that such software even existed.

Re:Hopefully?

[hawkinspeter]

More like 5 seconds from the terminal.

Re:Hopefully?

[hawkinspeter]

I've never seen a problem with modern CPUs and using SSH (even including transferring files over SSHFS).

I'd still use SSH over an IPSEC VPN as it provides authentication and prevents a MITM attack. SSH also has the advantage of being ubiquitous - one tool you can use for configuring servers and network equipment in a safe fashion. Now if only Windows supported SSH natively.

Re:Hopefully?

[cayenne8]

I can see blocking it on outgoing ports in the firewall so that you can't tunnel to the outside world

Yeah, but usually hard for companies to block ALL ports, particularly ones that are popular like, say port 80 or 443...

It is simple to ssh tunnel through those to try to look like legitimate traffic...just port forward through those...to a home server running squid looking for traffic on those ports...and voila...you're bypassing proxies and firewall rules...

Re:Hopefully?

[daid303]

Every day.

Our embedded systems offer SSH. But on a local trusted network telnet is a lot quicker. 50Mhz systems are not that fast with SSL sockets.

Re:Hopefully?

[slimjim8094]

Not bullshit. A telnet client works best with a telnet server; while you can use it against other servers, it is not ideal. The client interprets certain byte sequences as commands.

Furthermore, I quote the wiki:

a Telnet client application may also be used to establish an interactive raw TCP session, and it is commonly believed that such session which does not use the IAC (\377 character, or 255 in decimal) is functionally identical. This is not the case, however, because there are other network virtual terminal (NVT) rules, such as the requirement for a bare carriage return character (CR, ASCII 13) to be followed by a NULL (ASCII 0) character, that distinguish the telnet protocol from raw TCP sessions.

The wiki lacks citations; I point you to RFC 854 (bottom of page 11).

Thus, the protocol is not plain text. It is very close, close enough that most things should work fine, but if you actually desire the ability to deal with raw TCP streams, you'd be much better off using a tool designed for it. Such as socat or netcat.

The protocol was designed to provide remote access similar to a terminal. As such, it includes escape characters and other terminal-control mechanisms. It was not designed to pass text exactly as entered, or display it exactly as sent. Given the common existence of tools that are, it seems like a poor choice to use the inferior one.

Re:Hopefully?

[LordLimecat]

DD-WRT router. Sometimes the webGUI breaks, and SSH may not be available due to problem, but telnet will let you in as an easy password recovery option. You know the username (ALWAYS root when telnetting to DD-WRT), which can make guessing the password easier. Additionally, its gonna be pretty hard to MITM a direct connection from your workstation to the router, and I dont think youd have much luck trying to trick the router into flooding the frame to all ports (is it possible to get the router to drop its own MAC from its ARP table?).

Of course I would only ever enable it on the LAN.

There may be other situations, like wanting access between routers on a network that is ACL'd-- I could probably come up with a plausible scenario where not all of the routers are capable of initiating SSH, and security controls do not allow direct connections to all devices. A secure alternative might be having ACLs that only allow SSH tunnels into one of the devices, and from there telnetting to whichever router you want. Only security risk would be if someone had physical access to the links between the routers, and as we all remember physical access is 8/10ths of security.

Re:Hopefully?

[Tassach]

Sounds like a case of throwing out the baby with the bathwater, but in a really secure environment, SSH *is* a huge can of worms, especially when combined with Corkscrew.

I once worked for a large company with a draconian firewall policy and no remote access solution. SSH connections were forbidden in both directions. So, I came up with a ssh reverse tunnel solution.

On a box inside the firewall, run this script as a daemon:

#!/bin/bash
while true
do
        nohup ssh -O ProxyCommand=/usr/local/bin/corkscrew \
                  -O TCPKeepAlive=1 \
                -R 2222:localhost:22 homeuser@homebox
done

This creates a persistent, automatically-restarting outbound ssh tunnel, inside a HTTP tunnel. For added obfuscation, I could run sshd on port 443 on homebox.

Now, (assuming proper corkscrew config), when I'm on homebox I can run:

ssh -p 2222 workuser@localhost

By running squid on homebox:3128 and modifying the corkscrewed connection with -L 3128:homebox:3128, When I'm at work I can set my browser's proxy settings to localhost:3218 and browse anonymously, incidentally bypassing their content filter.

Re:Hopefully?

[Tassach]

SSH is more CPU-intensive(unnecessarily, since a chip could offload the CPU-intensive part of the workload), which means there will be times when SSH is exactly the wrong thing to use.

That may have been valid a decade ago, but unless you're dealing with something that's ridiculously underpowered (like *maybe* a controller on a minimalist embedded system), I can't see SSH adding appreciable overhead. In my experience, even a 200MHz ARM processor, which is found in LOTS of embedded systems, doesn't bog down running SSH.

If you're running a Linux box in as close to hard realtime mode as possible, your admin activities must have as light a fingerprint as possible.

In that scenario for remote admin you should ssh to a jumphost that's located close to the RTS, and use some internal firewalling to ensure that ONLY the jumphost has permission to connect to the realtime box. (Which isn't a bad idea anyway even if you're running ssh)

Re:Hopefully?

[kasperd]

You should use netcat or socat, since those are designed to allow you to fire text at a remote port and display the result. Telnet isn't, it only works "by accident" because the protocol is similar enough to plain text to work sometimes.

That is not exactly correct. If you use netcat newlines are not send in the correct way. The nc command will receive character number 10 from the terminal and write character number 10 on the socket. However text based protocols don't use character number 10 for newlines, they use character number 13 followed by character number 10.

That means if you use the nc command to connect to a server with just about any text based protocol, you will be sending malformed commands. However many servers will accept what you send anyway and simply do the exact same thing when they see a character number 10 as they would have done if they had seen character number 13 followed by character number 10.

OTOH using the telnet command to connect to a server with a text based protocol will do the right thing. The telnet command will send the proper 13 followed by 10 sequence when you press enter.

It is true that what telnet does in this case is nothing like the telnet protocol. As a matter of fact, the telnet protocol is not a text based protocol. The telnet client will recognize the difference because a real telnet server will send some binary data immediately when a connections is established.

So to talk a text based protocol using the telnet client is a better choice. If you are going to be using a binary protocol, nc is more suitable (but of course then stdin and stdout should of course not be a terminal). One problem that nc still has is that it doesn't properly handle half open connections correctly, not that I think telnet is any better, it is just that when pushing raw data over a TCP socket, nc is my usual choice, and in those cases half open connections matter.

Speaking of ssh tricks, I wrote this tool a few years back to allow the ssh client to choose from multiple alternative ways to connect to an ssh server.

Re:Hopefully?

[karnal]

Here is a clue though. Any firewall worth it's salt will do protocol inspection and not just blindly let you use a port.

Now the question is whether the admins set it up that way.

Re:Hopefully?

[slimjim8094]

Works for me, as they say. But check out this to send a literal CRLF (CTRL+V enter enter)

Re:Hopefully?

[kasperd]

Some servers don't care, and you can get away with just using nc. And as you point out, a few extra keypresses can get nc to send the newline as required by the protocol. But I don't see why that is in any way better than using the telnet command, which will do the right thing by default.

Re:Hopefully?

[rubycodez]

your netcat pumping of an smtp server won't be able to react to varying possible replies as the human brain, it is inferior to telnet for the job. the escape and terminal control characters are of no import since they won't occur.

Re:Hopefully?

[Electricity+Likes+Me]

It's almost criminal the HPN-SSH patches haven't been rolled into mainline SSH yet. On modern LAN's, SSH is incredibly slow at data transfer yet tons of guides out there on the internet (and systems) propose using it for things like disc imaging and the like - where it's completely unsuited.

The average user ends up with either a disappointing experience, or just turns off encryption / uses no authentication whatsoever.

The HPN-SSH patches more or less fix all these problems: SSH gets faster, they've added a multi-threaded AES cipher, and the "none" cipher let's you retain secure authentication and HMAC digests without the transfer overhead of encryption (which is incredibly useful when you want to move basically unsecure items like log files, media etc.) but retaining secure log in and authentication.

Re:Hopefully?

[Skapare]

I just use SSH to make my VPN. See the -w option.

Re:Hopefully?

[trastomatic]

Telnet inside SSH still makes sense. Ie: hosting company, both end customers and hosting company have root access. Customers can do their daily work, but hosting company is responsible for server health. How can one be sure that the server didn't became unresponsive due to some commands issued by the customer? AFAIK, SSH is not replayable, whilst telnet is. So, just tunnel a telnet to localhost inside an SSH session, and log the telnet session in a (safe,encrypted) remote box.

Re:Hopefully?

[anarcat]

i have stopped using telnet when i discovered swaks. It just rocks.

Re:Hopefully?

[goeldi]

Oh I'm sure you already use ftp, don't you? So where's the difference? telnet -> ssh, ftp -> sftp. get it?

Re:Hopefully?

[Enry]

Anonymous FTP, yes. Authenticated unencrypted FTP I haven't used in well over 10 years.

SSH Tunnel

[slashgrim]

SSH Tunneling by far: http://www.debian-administration.org/article/38/Tunneling_connections_securely_with_SSH

Re:SSH Tunnel

[lcam]

The holy grail of SSH, IMO, is tunneling. No firewall can stop you! (Well they can but they have to move to something more sophisticated then packet inspection and port blocking.)

Re:SSH Tunnel

[Ruzty]

Traffic pattern matching over SSL. A web session over an SSL connection looks very different than an ssh tunnel session over SSL, not to mention the length of life of the socket. It's trivial to have the firewall identify the ssh connection over port 443 and disconnect it in the first few seconds of the session based purely on the pattern of the traffic regardless of content.

Re:SSh tunnel

[manoweb]

But a PPP over SSH gives you a complete VPN, not only a bunch or redirected ports.

Re:SSH Tunnel

[lcam]

Neat. Thanks for your input.

Re:SSh tunnel

Oh baby, I want your packet in my tunnel so bad ...

Re:SSH Tunnel

[allo]

no, it could be a http keep alive connection inside the ssl-tunnel. and you do not know the traffic patterns of certain web-apps.
On the other hand with ssh and screen you can reconnect fast and without noticing, if you need to.

But you should propably not risk a fight with the admins. either accept or discuss the rule.

Re:SSh tunnel

[impaledsunset]

OpenVPN beats both solutions.

Re:SSh tunnel

[wertarbyte]

plus the problems of layering multiple TCP layers above each other. Also, PPP is not needed anymore: ssh can establish VPN connections using tun devices quite fine ("-w")

Re:SSh tunnel

[Krneki]

Yes, but can also be blocked/detected easier then SSH.

Re:SSh tunnel

[manoweb]

That problem is more theoretical than practical. Back in the day I was doing videoconferencing H.263/SIP and all that stuff with PPP over SSH and I had no problem at all. And it works when there is a very strict (and stupid) firewall setting that does not allow but port 80 TCP destinations like at my University in the late 90's. Just one open TCP port and you have a full VPN that works well; other VPN systems were not quite as easy to put together.

Re:SSH Tunnel

[hawkinspeter]

I didn't know this was feasible. How would I do that in a Cisco ASA firewall?

Re:SSh tunnel

[LordLimecat]

Other than the fact that OpenVPN is SSL, sure.

Re:SSh tunnel

[kasperd]

True, but on systems where pppd is unavailable (permissions or just not there!) then SSH tools are most useful!

I have on some occasions used PPP over SSH without having pppd available on the server. I used pppd on the client and slirp on the server. The result was usable, though performance of anything trying to layer IP on top of TCP is not going to be great. At some point I switched to running PPP over UDP packets and just used an SSH connection to start the software in each end. I used scp to transfer a key for encrypting the traffic.

Re:SSH Tunnel

[hawkinspeter]

Can one of those tell the difference between SSH and HTTPS without decrypting if they're using the same ports?

Re:SSH Tunnel

[OdinOdin_]

Not in age of Websockets RFC6455 ]:->

How's that again?

[93+Escort+Wagon]

(how are you supposed to know if you should accept a new hosts public key, anyway?)

Seriously? If you don't know enough about what's going on with the machine at the other end to make that decision... that's the whole bloody point of the warning!

Re:How's that again?

[Speare]

(how are you supposed to know if you should accept a new hosts public key, anyway?)

Seriously? If you don't know enough about what's going on with the machine at the other end to make that decision... that's the whole bloody point of the warning!

Just because you use SSH doesn't mean you administer the machine.

I get a cheap ISP, it offers shell access to help me set up my scripts or website. I usually access it through the hostname I've attached with my DNS record: ssh shell.mydomain.com One day, they do some load balancing or something, and they shift my account to a different box. To me, it doesn't matter if they do that, but they don't exactly send out emails on each occasion. It has happened roughly three times a year for me. Every time I get the fingerprint-changed warning, it would be nice to have some confidence in it without resorting to the telephone. I can check whether the traceroute still goes to my ISP. I don't enter my password, I have already set up the account to trust my desktop's public key. Does the fact that they have my old SSH authorized_key file really mean there's no man-in-the-middle? (No.) At what point do I shrug and trust the new machine, vs calling up the ISP to get some info on the latest fingerprint change?

Re:How's that again?

[Meeuw]

I once enabled strict hostkey checking and created a global known hosts file, because all users had a (different, out dated) ~/.ssh/known_hosts. We had about 500 different SSH servers. I tried to explain why it is important not to send your credentials without checking the hostkey but no one understood it. Some (managers) even requested me to disable the host key checking altogether or let anyone update the known hosts automatically.

Re:How's that again?

[marcosdumay]

At what point do I shrug and trust the new machine, vs calling up the ISP to get some info on the latest fingerprint change?

At no point. That is because there is no way for them to tell you the new key (or even that the key changed) whitout the possiblity it was forged. You shouldn't trust an email either.

The wrong thing here is that they are changing the keys. They shouldn't. If they have several servers pretending to be one, they should configure them to share the key and IP address.

Re:How's that again?

[nine-times]

Yes, that is the point of the warning, but now that I've been warned, what's the proper next step?

"OK, so I'm connecting to a server that I don't admin using SSH, and I don't already have the public key stored. So how do I know there's not a MITM attack going on?"

Re:How's that again?

[kasperd]

One day, they do some load balancing or something, and they shift my account to a different box. To me, it doesn't matter if they do that, but they don't exactly send out emails on each occasion. It has happened roughly three times a year for me. Every time I get the fingerprint-changed warning, it would be nice to have some confidence in it without resorting to the telephone.

I experienced something similar from a company that shall not be named here. I was responsible for a system that would ssh to their ssh server. But it turns out that the IP they had their hostname resolves to was actually some sort of loadbalancer, that would communicate with 3 or 4 actual ssh servers.

On a couple of occasions they would put an incorrect key on one of those ssh servers. That meant successive TCP connections to port 22 would end up on different servers with different hostkeys.

Naturally when I contacted them, I didn't ask them if their hostkeys had changed. Rather I insisted on them fixing their servers, such that we would consistently get the same hostkey when connecting to port 22 on that IP. That's not to say they can never change the hostkey, but if they do feel a need to change it, it is also their responsibility to ensure that it gets updated simultaneously on all the hosts, and to communicate the new public key in a secure way to their customers.

Them being incompetent in managing ssh servers might have been more tolerable if they had been very competent in their primary field of business. Sadly, they demonstrated even more incompetence in their primary field of business.

Re:How's that again?

[bill_mcgonigle]

"OK, so I'm connecting to a server that I don't admin using SSH, and I don't already have the public key stored. So how do I know there's not a MITM attack going on?"

Pick up the phone and talk to the admin.

Re:How's that again?

[nine-times]

And if that's not an option?

Re:How's that again?

[halltk1983]

Find a service that allows you to talk to the admin after periods of maintenance.

Re:How's that again?

[nine-times]

What if this isn't after a period of maintenance? What if you don't control where the service is hosted?

This isn't really a solved problem, so I can't blame you for not having a better answer.

Re:How's that again?

[halltk1983]

Whether the period was scheduled maintenance, or emergency maintenance due to failure, a failure should always result in the maintaining of the system, thus I call them all a "maintenance". What service do you or your company pay for that you or your company do not provide? If you or your company don't pay for it, then there are no guarantees. The hosting company I work for is available 24/7/365 or 24/7/366 on leap years. If you call Christmas afternoon, you will get someone working in our office here in the US. We may cos a bit more than some other carriers, but being able to talk to someone has always been worth it to me.

Most wanted feature which SSH lacks?

[garo5]

I'd always have liked that I could transfer a file or an stdout/stdin stream directly in the middle of an open ssh session. Also the file transfer / stream should be carried over nested ssh connections.
Imagine that you could just pipe the output from a command into some magical ssh command in a remote machine and your ssh client would ask where you would like to pipe the stream in your local machine.

Re:Most wanted feature which SSH lacks?

[allo]

this is possible.

first thing to look into:
[enter]~?
the ssh escape-key is ~, but only after a newline. and look out for deadkeys. ~? is a short help on this. There you can manage sub-connections and other stuff.
~. is very useful for terminating a ssh-process, which is still waiting for a network timeout.

And multiplexing a single ssh-connection: read the manpage of ssh for "ControlMaster". then a unix-socket which contains username and hostname in the filename is used to use a single ssh-connection for multiple streams (shells, transfers, etc.)

Re:Most wanted feature which SSH lacks?

[kasperd]

Imagine that you could just pipe the output from a command into some magical ssh command in a remote machine and your ssh client would ask where you would like to pipe the stream in your local machine.

Sort of how zmodem would do over a serial line. If you have a typical terminal emulator and hook it up to a serial login on a Linux machine, you can type the command "sz <filename>", and once the sz command executes on the server it will send a message that the terminal emulator will understand an ask you where to store the file.

I don't see any reason why the ssh client couldn't implement zmodem as well such that you could type the same sort of command in an ssh session and have the file stored on the client. However one might argue that such a feature doesn't belong in the ssh client, but rather in the terminal. You shouldn't expect such advanced features to show up in xterm any time soon, but why don't gnome-terminal or something similar support receiving files using zmodem? If the terminal supported it, then it should just work with ssh, rsh, telnet, rlogin, or even just su.

Wow

[frodo+from+middle+ea]

Wow, ssh tunneling, and a few command line options , and screen, that's your ultimate SSH guide ?
I am impressed, not!

How about
- ssh master connection, for svn+ssh ?
- ssh agent forwarding
- opening ssh ports using knocking
- auto blacklisting with something like sshblack

I think the above are more advanced options than the ones mentioned in the article, no ?

Re:Wow

[mlts]

I'd love to see stuff like that as well as:

OpenSSH signed certificates (Not X.509) and TrustedUserCAKeys options and their usage. This way, I can hand a new cow-orker signed ssh host keys and assuming he or she knows enough not to just blindly replace a key if it isn't right, will minimize the chance of a MITM attack.

Revoking SSH keys.

Using SSHGuard to lock out brute force attempts.

Proper configuration of the sshd_config file. Stuff like only allowing root in via RSA keys (or blocking root access entirely.)

Auditing logs to know that key "A" ssh-ing to root is from user Alice, and key "B" is from Bob, so that one can tell who just wiped out the wrong filesystem come an inquiry.

Running sshd as a user, not as root.

Getting a backup program like NetBackup to form a ssh tunnel, do the backup, then close down the connection cleanly.

Re:Wow

[Qzukk]

Or the key agent, or ~, or...

Re:Wow

[ModernGeek]

This is intermediate at best. I need to spend more time on IRC if I can expect to stay in the game.

Re:Wow

[jon3k]

holy shit how have I never heard of this? and why don't I have mod points today! damn you slashdot commenting system!

Re:Wow

[mlts]

The certs in the latest version of OpenSSH are as lightweight as one can get... it is better than nothing though.

2600 article

[buanzo]

there's a 2600 article on how to use ssh to run commands in a very INTERESTING way.... check out the past 6 issues, cant remember which one.

Re:2600 article

[CubicleZombie]

If you get an "Informative" mod for that, I'm giving up on Slashdot.

Re:2600 article

[nschubach]

No, not Informative... even the GP said Interesting. ;)

Re:2600 article

[CubicleZombie]

Okay.

There might be a story about how to do something INSIGHTFUL in a magazine I borrowed from someone a few months back in some place somewhere.

Karma bonus, here I come...

Re:2600 article

[mattack2]

Buh-bye.

(No, I wasn't one who modded it, especially after posting this.)

Re:2600 article

[tqk]

If you get an "Informative" mod for that, I'm giving up on Slashdot.

Er, bye? It's at +3 Informative as I look at it. BTW, don't discount his reading 2600. I used to too. Know thy enemy, and all that.

Really lame

[Anrego]

Tip 16 and friends (the keyart stuff) is very poorly explained. You don’t know that the key is secure, but you magically know that the randomart is? That’s the bit they forgot to mention. It’s a visual representation of the key that _you have to have seen before to be able to verify_. Personally if you are going to go to the trouble.. I say throw the key on a USB stick and be done with it.

The screen stuff maybe worth mentioning the more modern alternative tmux.

SSHFS is better than NFS

For quick one-off stuff .. maybe. Cryptographic overhead is still startlingly effective at slowing things down, even on fast hardware (random: can anyone explain why.. you’d think it shouldn’t make any difference at this point.. I’m guessing it has something to do with network framing?).

Tip 4 (logging in with server-specific keys ) seems like the kind of thing that very few people will ever need to do.. and if they do.. they’ll google it. Kinda silly putting it in an article like this.

Tip 2 (ssh tunnel) is probably the only thing in here that _might_ be considered an “ultimate” hack (everything else is pretty much Linux 101).

Tip 1 (Evading silly web restrictions) is great. Alternate title: “my job is important, but damnit I need my facebook/twitter fix”.

Re:Really lame

Any clued network admin will eventually get wind of a ssh connection going to the same box from someone's workstation, especially if there is a lot of traffic going to and from it. Then, depending on how much they like/dislike the person with the tunnel, they will either ignore it, mention to be careful about PPP over SSH in passing, randomly kill the connection, block the destination IP at the router, block ssh from going outside from that workstation, or just sit there, watch statistics, then present HR with a case that a user is doing something they shouldn't by constantly sending encrypted traffic to a box that isn't owned by the company or anyone relevant. That right there is good enough to get someone sacked in most companies, especially ones with more paranoid and clueless PHBs.

Of course, one can ssh to a different port, but most IDS/IPS systems can detect a bunch of encrypted traffic over a TCP port and send a note to the admins, or just automatically lock the workstation out from the rest of the network.

So, the guide of using ssh as a tunnel is just plain stupid, and a good way to get fired for gross misconduct (which means no unemployment).

Re:Really lame

I am the developper of libssh (www.libssh.org).
SSHFS is slow because it's a packet based TCP-encapsulated file transfer protocol. All requests are initiated by the client and somewhat replied to by the server in an asynchronous design, but in practice no sftp server really has an asynchronous implementation. Opening a file, querying its length and downloading 8KiB require at least 3 or 4 RTT.
Compare with NFS, UDP based and mostly kernel-land and fully asynchronous.
Crypto is the main overhead in libssh and I suspect in openssh too, mainly because the crypto libs used do not probe for AES extensions or accelerators by default. And last but not least, OpenSSH's Channel window handling (similar to TCP windows) is not optimal for bulk transfers at high speed.
There are also some remote filesystem features missing in SFTP, like server-send feedback, locks and friends.

Re:Really lame

I use server specific keys daily. Any competent sysadmin really should. And I'm just...well.. probably really 'devops'

Here's the blunt:
      There's a firewall. It's controlled by people above us. We have permission to install and configure a VPN, but not to edit the firewall rules. People are encouraged to use gotomypc ... etc.

My desktop runs autossh with a ssh-agent and password protected key. SSH reverse tunnels out to a tiny server I have running at home, using a server specific fixed key to a local user account on a passwordless shell. The user account is firewalled to do *NOTHING* but the reverse forward.

From home, I login to that box as another user, grab the port forward--and am now ssh tunneled into the office.

I have full X11 forwarding, RDP, VNC, and am past the firewall and NAT layer.

Without permission to VPN, this might be a big "no-no"...but this is frankly better than any client VPN out there. With standard linux tools, I can pull my desktop to anywhere I am. If the double networking is any sort of issue--I simply need to ssh in and start another autossh job to the public IP of my laptop (if it exists).

I've got password authentication, key and SSHD authentication. And even if somebody compromises my remote server entirely --the most they can do is gain access to my work desktop's SSHD port. Which is going to require a good key to do anything.

Beyond that, it's a *great* temporary hack when you have slow developers. Sure, it's no real substitute for RPC -- but have a command on the system you want to expose to "bob", but don't trust him with a shell? Give him a copy of putty, a key you generated, and a fixed command on the server that *only* runs that. You can also change his shell if you're really paranoid.

Need a makeshift RPC service because you've got machines separated across the LAN, no permission to bridge a VPN? Or punch the port through the firewall? Oh... IT has ssh installed and they already use it. There you go -- blast through procedure and process to install a non-user account, provide a script that runs the single needed command, and associate it to a key. You now have a secure, authenticated remote service that lasts as long as it needs on a terminal.

Just don't do something idiotic like attach it to a psql shell or the less command.

I mean, I'll admit -- in an enterprise, all of these SHOULD be better developed. But when you need something solved in twenty minutes -- SSH to the damned rescue. It's secure, uses any type of authentication you might require, is usually already permitted, and can be locked down to any purpose you can imagine trivially.

Re:Really lame

[Qzukk]

(random: can anyone explain why.. you’d think it shouldn’t make any difference at this point.. I’m guessing it has something to do with network framing?)

What happened is that advances in communication at the kernel has made everything else MUCH faster. System calls like sendfile() basically tell the kernel to dump everything in the file to that port and don't bother me until you're done, which eliminates all of the syscall context switching overhead for read()ing data from the file to a buffer then write()ing the buffer to the socket and maybe a select() or epoll() thrown in there, etc.

The only way to get this benefit with openssl is if you had the file pre-encrypted on the drive somewhere, somehow (each session is a new key, so not likely to happen). You could write the file on the fly, but then you might as well just write to the network instead of writing to a file and telling the kernel to send it later.

Re:Really lame

[hawkinspeter]

As much as I like SSH (it's probably my most used tool), an IPSEC based VPN should give better performance. Have a look at http://sites.inka.de/bigred/devel/tcp-tcp.html/ for a brief explanation of the problems with tunnelling TCP over TCP.

My favourite SSH trick is using SSHFS along with AUTOFS to automagically connect to other servers' filesystems. Again, not the best performance, but as long as the server is running an SSH daemon, you're good to go.

Re:Really lame

[Tanktalus]

sshfs is better than NFS. For

• switching between many different servers quickly, easily, and without jumping to root each time.
• penetrating firewalls (ssh port may be allowed, but nfs port usually isn't)

I'm sure there are other uses, too, where NFS might perform better but sshfs provides a level of convenience as a fully user-mode filesystem that outweighs it.

I have a unit test wrapper that takes the name of a machine to test against, automatically penetrates firewalls (using https and DBus + KWallet for passwords) when the machine is behind a firewall, mounts the remote filesystem via sshfs, copies tests to run, runs them via ssh, and reports everything back on my desktop. And I can switch from machine to machine trivially. Without aggravating IT. They've already approved my access to the machine (user account, firewall access), and approved ssh access. They don't like NFS, especially for VPN-based clients (roving IP address). I'm happy, they're happy, I get my job done.

I only wish I had found sshfs years ago. This would have made earlier jobs so much easier.

SSh tunnel

[Krneki]

SSh tunneling is teh sex.

Beyond the shell

[pak9rabid]

Anybody that knows what they're doing already knows this, but since /. is quickly becoming a refuge for retards, other uses for SSH also include:

1.) File transfers between 2 hosts (via scp or sftp)
2.) Tunnelling (aka the "poor man's VPN"...great for accessing hosts behind a Unix-based firewall securely without having to setup additional DNAT rules)

Remote TCP port forwarding

[aglider]

My favorite is to use SSH remote port forwarding (-R) to allow my machines to connect back home from an unknown (and possibly changing) IP and then allow me to ssh back to them. And key authentication all the way along!
And, by the way, SSH tunneling is not TCP port forwarding!

Re:Remote TCP port forwarding

[tramp]

Indeed SSH tunneling is not TCP port forwarding and if you want something like that, you should use shuttle (https://github.com/apenwarr/sshuttle).

Re:Remote TCP port forwarding

[jon3k]

I've always referred to this as a "reverse tunnel". It's awesome if you have a shell somewhere and you want to be able to get back into a machine at your house that's behind a firewall.

Should have been titled "ssh basics".

Also... screen? When there's tmux???

Re:Should have been titled "ssh basics".

[tscheez]

I'd never used tmux. i've officially learned more from /. comments than the actual articles. Thanks!

Connection Multiplexing

[igglepiggle]

Having multiple sessions over the same connection speeds up repeat connections: http://blogs.perl.org/users/smylers/2011/08/ssh-productivity-tips.html It's well worth setting up.

Re:Connection Multiplexing

[Elrond,+Duke+of+URL]

Connection multiplexing is great. I use it all the time when I connect to my machine at work from home since I'm very likely to scp files to/from that machine at the same time. The page you linked to gives simple and good instructions at the beginning on how to configure it.

I created a simple shell script to help automate the process. The advantage of the script is that it will take care of checking to see if the shared connection is already open, create a new connection if one does not exist, and then connect to the remote host.

ssh-shared.sh

The script includes a large comment block at the beginning which includes detailed instructions on how to configure SSH and how to use the script. After you have configured your ~/.ssh/config file for the server(s) in question and to create the multiplexing socket, you can use this script to connect to the machine. Put it in your user bin directory (~/bin) and then create a symlink to the script with the same name as the host alias you put in ~/.ssh/config. For example, if you have a "Host foo" line in your SSH config, name the symlink "foo". This way the script will automatically use the correct options from the config file.

I also have an alias to close the connection (for Bash):

alias ssh-exit='ssh -O exit'

Now, a session will look like this:

$ foo
--SSH session starts/ends--
$ ssh-exit foo

The MITM 'help' is worthless.

[Junta]

Basically they go into some detail about the ascii art representation, and at the end acknowledge that you need to securely get the keys to know what to expect. If you have a secure means of getting the ascii art, you have a secure means of getting the key. The only exception I can think of is if you have someone cell-phone picturing the local console, which could be helpful.

The real useful thing would be for people to do DNSSEC and SSHFP records.

My fav

Rather than more complaining, I thought I'd say my favorite option. I like using the ~/.ssh/config file and the use of a master connection. In mine, I have:

host *
  controlmaster auth
  controlpath ~/.ssh/ssh-%r@%h:%p
  controlpersist yes

This creates a master socket on my client. When I first connect, I need to use my passphrase. But when I exit, the SSH tunnel stays up. Futher connections via SSH and sftp and scp use this connection, multiplexed. So no more asking from my passphrase. When I'm finished for the day, I close down the connection with

ssh -O exit host

replacing "host"

Re:My fav

[Barnoid]

one of my favorites, too. small correction for those who actually try it out: it should be controlmaster auto, not auth.

~/.ssh/config

host *
  controlmaster auto
  controlpath ~/.ssh/ssh-%r@%h:%p
  controlpersist yes

This creates a master socket on my client. When I first connect, I need to use my passphrase. But when I exit, the SSH tunnel stays up. Futher connections via SSH and sftp and scp use this connection, multiplexed. So no more asking from my passphrase. When I'm finished for the day, I close down the connection with

ssh -O exit host

replacing "host"

Comment removed

[account_deleted]

Comment removed based on user account deletion

Comment removed

[account_deleted]

Comment removed based on user account deletion

HTTP Proxy

[bambewn]

I had forgot about this for a while due to VPN shenanigans, but tunneling your web traffic through an SSH is a great way to secure your web sessions if you don't have a VPN setup. I have also found that using Cygwin/SSH to secure your RDP can also be pretty boss if you have to work on M$ machines from remote very often.

SSH Feature Wish: Server policy on SSH keys

[linuxtelephony]

I wish it was possible to require SSH keys for some (or even all) users to have a passphrase, and enforce this requirement on the server.

As it stands right now, even if you generate a key for someone with a pass phrase, they can remove it easily on the client side and the server has no way of knowing. This means you could have passwordless logins to remote systems. Not good.

At least with modern systems and key agents you can get passwordless ease of use once you log into your local account, and if someone happens to get your private key they don't immediately have instant access to the machines you can log into. You should have a little time to secure the machines. [Think lost/stolen laptop or backup drive.]

Re:SSH Feature Wish: Server policy on SSH keys

[Erpo]

I wish it was possible to require SSH keys for some (or even all) users to have a passphrase, and enforce this requirement on the server.

As it stands right now, even if you generate a key for someone with a pass phrase, they can remove it easily on the client side and the server has no way of knowing. This means you could have passwordless logins to remote systems. Not good.

Such a policy would require the server to take the client's word for it that the private key was encrypted with a passphrase.

At least with modern systems and key agents you can get passwordless ease of use once you log into your local account, and if someone happens to get your private key they don't immediately have instant access to the machines you can log into. You should have a little time to secure the machines. [Think lost/stolen laptop or backup drive.]

Agreed. If someone is removing the passphrase from their private key, there is some other problem that needs to be solved. Personally, I like ecryptfs for my home directory and LUKS for my backup drive with the LUKS passphrase inside my login keyring.

Re:SSH Feature Wish: Server policy on SSH keys

[allo]

how is the server supposed to check, if the key is really using a password?

Re:SSH Feature Wish: Server policy on SSH keys

[lindi]

Passphrases on SSH keys help if somebody steals your backups but for almost anything else they are not very useful. If you somehow get access to the encrypted key of some user you very often also have access to their ~/.bashrc. Then you can easily trojan PATH that so that their passphrase is emailed to you next time they type it.

Re:I hope the list of tricks

[Wee]

Thank heavens for Ghostery.

You misspelled "NoScript".

This Article's True Purpose

[preaction]

Get real SSH tips from people complaining (rightly or not) that it doesn't contain any actual advice.

Re:_slashdot_ at it again

there, fixed that for ya.

i want the old slashdot back. i could put up with the general
technical ability around here dropping, but when slashdot assumes
we're all managers, that pisses me off.

here's who infoworld is aimed at
http://search.dilbert.com/search?w=trade+magazine&view=list&filter=type%3Acomic

I live in the post-SSH world

[DrSkwid]

the 1970s was cool and all

Speedwise

[marcovje]

Speedwise, ssh -2 still holds up my Mac 840AV up for several minutes to login :-)

Wikibook on OpenSSH

[SgtChaireBourne]

The has also been a WIkibook on OpenSSH out for a year or so. The prose may not be the best but the tips are there.

My SSH Utility

[merc]

Feel free to check out a little perl utility I wrote for creating aliases or shortcuts for remote ssh logins. If you have a lot of hosts to manage it can make your life easier:

http://www.cpan.org/authors/id/L/LD/LDAVIS/remote-ssh-access-1.7

Download the file, name it "remote-ssh-access". To read the perl documentation just use "perldoc remote-ssh-access"

"root login over SSH is considered [...] unsafe"

> The example assumes you have a sudo user set up with appropriate restrictions,
> because allowing a root login over SSH is considered an unsafe practice.

Yeah, because an attacker that has succesfully cracked your sudo account will NEVER come up with the idea to alias your su/sudo command so that it mails him the password.

Re:I hope the list of tricks

[jojoba_oil]

I stopped taking NoScript seriously when they thought it was a good idea to deliberately disable AdBlock and obfuscate the code that did so.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Please sit down and shut up.

[suso]

OP should be -1 overrated. You jerks who keep saying things like "everyone is doing X because I am" or "this isn't knew" or "this isn't important" really need to STFU. There are people coming into the world all the time who haven't learned what you learned or had the same experiences that you do. Much of what you learned from is burried now under mountains of information and its very often not clear where people should start from. So sit down, shut up and let others learn, otherwise all you will do is scare them away so that they never will. Not everything is some conspiracy to generate ad revenue.

Re:Please sit down and shut up.

[kangsterizer]

man ssh
now that wasnt so hard, was it?

not buried. not long to read. precise, complete, concise and standard. you "really need to RTFM"

Re:Please sit down and shut up.

[Ash-Fox]

man ssh
now that wasnt so hard, was it?

I don't have a problem using SSH, however, your advice may not actually work for some machines, like mine.

$ man ssh
No manual entry for ssh

However, I assure you, SSH installed on my system:

$ ssh -V
OpenSSH_5.8p1, OpenSSL 0.9.8r 8 Feb 2011

Re:Please sit down and shut up.

[suso]

InfoWorld has a long history of doing this. It is not some huge conspiracy, it's simple. I actually feel bad for bashing the article because the author does know her stuff. But Slashdot is not place for it. However, I am quite certain that InfoWorld has an internal policy of submitting all their articles to Slashdot by their authors or relevant persons because it's such a constant pattern, with link dropping for very specific and good keywords. This means they first get traffic from Slashdot, but also increase the article in Google and other search engines, dropping off more useful tutorials. And isn't pretty much anyone on Slashdot tired of the shitty SEO spam techniques that pollute search results?

Yeah. They are a business. Try running one sometime and you'll understand why they do what they do.

Re:Please sit down and shut up.

[stridebird]

So no man for you then. However, I don't think this problem is insurmountable.
1) The man pages may well be on your machine but not in the configured man path
2) google.com?q=man+ssh

Personally I like

[Rich]

tar cf - somedir | ssh remote@remotehost 'tar xf -'

A nice way to get things moved around. a similar trick is:

tar cf - somedir | (cd /a/local/path; tar xf - )

Which lets you copy things around a local file system.

Re:Personally I like

[rdebath]

I used to use this, but I tend to use rsync nowadays; it automatically does something very similar (only better in that the physical copy only copies new data) in a fraction of the command size. And it has it's -P argument.

rsync -PAX -Hax somedir remote@remotehost:/a/remote/path

Re:Personally I like

[zumajim]

And since this post was originally about SSH, why not add '-e ssh' to tunnel rsync over a secure connection?

Re:Personally I like

[jon3k]

very cool! never thought about piping output to ssh before. another wonderful trick that i'll forget 5 minutes from now.

Re:Personally I like

[rdebath]

Because that's the default if you have a single colon like in my example.

rsync -PAX -Hax somedir remote@remotehost::module/remote/path
This is for a bare rsync server, (or use rsync:// )

arcfour is fast

[Enolas]

Real trick here, if you're using ssh -L often use: -c arcfour, that cipher is very fast.

Comment removed

[account_deleted]

Comment removed based on user account deletion

MONKEY in the middle?

[Galestar]

Good old Infoworld, doesn't know the difference between Monkey-in-the-Middle and Man-in-the-Middle

SSHFP records in your DNS zone

[stderr_dk]

ssh-keygen -r example.com.

Add the output to your DNS and set VerifyHostKeyDNS to "yes" or "ask" in your ssh_config.

Remember to update your DNS if/when your machine gets a new SSH hostkey.

Re:SSHFP records in your DNS zone

[FoolishOwl]

Why is this useful?

Re:SSHFP records in your DNS zone

[stderr_dk]

Let me demonstrate the difference with some examples.

First a normal ssh connection to a new host. Without VerifyHostKeyDNS it doesn't matter if your SSHFP records are up-to-date, since they won't be checked.

$ ssh login@example.com
The authenticity of host 'example.com (127.0.0.1)' can't be established.
RSA key fingerprint is 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef.
Are you sure you want to continue connecting (yes/no)?

With "VerifyHostKeyDNS yes" and up-to-date SSHFP records, it looks like this instead. Note the extra line of output.

$ ssh -o "VerifyHostKeyDNS yes" login@example.com
The authenticity of host 'example.com (127.0.0.1)' can't be established.
RSA key fingerprint is 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef.
Matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no)?

And this is what you get, if the SSHFP record ain't up-to-date:

$ ssh -o "VerifyHostKeyDNS yes" login@example.com
[Cut long line of @'s. Too many 'junk' characters for /.]
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
[Cut long line of @'s]
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef.
Please contact your system administrator.
Update the SSHFP RR in DNS with the new host key to get rid of this message.
The authenticity of host 'example.com (127.0.0.1)' can't be established.
RSA key fingerprint is 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef.
No matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no)?

Compare that with the first case where you had absolutely no idea if the fingerprint was correct or not.

I'm not saying, you should just trust all SSHFP records, if you're paranoid. But even if you ain't paranoid, the warning about the mismatching SSHFP record should be enough to make you stop and think instead of just saying yes.

Re:SSHFP records in your DNS zone

[FoolishOwl]

Thank you. That was well-written and clear.

Not necessarily malicious

[Weaselmancer]

And it's not a common practice to log down telnet traffic. Anyone who gets your telnet password is probably sniffing maliciously.

Yeah, that is the most likely scenario. But I work in embedded design. And even though we've screamed to have two networks in the office it hasn't happened. So that means DUT and the office computers are on the same net. I've had to work on ethernet drivers that were malfunctioning. So I downloaded Ethereal (now Wireshark) to debug.

And was immediately and completely horrified at what I saw.

The very next thing I did was to set up a proxy server at home and get zebedee working (windows environment - ssh would have been difficult) and proxy everything I do.

SSH Mastery, new book by Lucas

[austinhook]

While on the topic, note the new book by Michael Lucas:
http://www.michaelwlucas.com/nonfiction/ssh-mastery

Re:On the other hand, you could buy the book

[tqk]

...well-regarded in the OpenBSD community.

That is to say, both of them agree.

Ever seen an OpenBSD hackathon? I have. I'd guess 75 people were there, and that's just the devs who could make it.

A$$hole.

InfoWorld Advertising

[jon3k]

If you seriously haven't figured it out yet, InfoWorld is obviously paying slashdot editors to post articles. I don't know how it could possibly be any more obvious.

Remote sound with video on a low-end box

[Demonoid-Penguin]

Host medium to high powered and have pulseaudio installed using a decent distro like Debian (Ewebuntu is broken). Enable network sound.
Client old laptop with minimal install that includes pulseaudio. For Debian you need to enable ForwardX11Trusted. Login to the Host box using "ssh -XC vlc". Now enjoy movies without stuttering sound or dropped frames on a box that would struggle to run W95. 32MB of RAM will work fine.

Re:Author forgot to tunnel DNS

[kasperd]

Author forgot to set Firefox to tunnel DNS requests, alot of danger is still exposed via DNS.

Why is it that Firefox sets network.proxy.socks_remote_dns to false by default? I know of several scenarios where setting it to true works better than setting it to false. I don't know of any situation where the default value is actually better.

ProxyCommand is teh awesome

[Just+Some+Guy]

My personal favorite "trick":

.Host *.example.com
.....ProxyCommand ssh -W %h:%p bastionhost.example.com

Add the above to ~/.ssh/config, and from then on I can SSH to machines inside my company's firewall by first connecting to a secured bastion host, just by running ssh internalmachine.example.com. If you do a lot of work from home, or have specially secured machines at the office that require intermediate connections, you can set up proxying and make it automatic and easy to connect to them.

Re:ProxyCommand is teh awesome

[jampola]

This is a good one. I've really got to start playing with the config file in ~/.ssh/ more often. What a thrilling life I lead!

Re:ProxyCommand is teh awesome

[gatkinso]

Much nicer than a reverse ssh tunnel!

commandlinefu

[jampola]

www.commandlinefu.com - Some more shameless advertising for a site I have nothing to do with apart from frequenting quite often!

Probably one of the cooler tricks I saw the other day was being able to ssh into a remote box and push the signal from your pc mic onto the remote machines speakers and vice versa!

Lot's of fun was had in our office that day!

my #1 hack

[no-karma-no-worries]

man ssh

Further exploration

[swehack]

Here are some interesting projects you can progress with after reading this article.

1. ansible - python, paramiko and jinja based puppet replacement using ssh instead of re-invented wheel
2. mussh - multi ssh sessions using native openssh facilities such as .ssh/config
3. clusterssh - pretty much same as above, stands out from ansible for using openssh facilities

Re:I hope the list of tricks

[GameboyRMH]

No seriously though, NoScript doesn't prevent plain-HTTP tracking, which is gaining more and more popularity again these days and is used by Facebook.

tip #3 was news for me, thanks!

[anarcat]

I was also a bit surprised to see basic stuff and some repetition in the article there, but trick #3 was really nice for me:

ssh-keygen -R remote-hostname

This will remove the entry for remote-hostname in the known_hosts file, for example if you know the key changed or (don't do that) if you think you're in a MITM attack and don't care.

now that will fix many countless fiddling around the known_hosts file...

Also, remember MW Lucas' new ssh book

[badger.foo]

I think it's worth mentioning to anybody who enjoyed this article that Michael W. Lucas has a fresh SSH book out called 'SSH Mastery'. Initially an ebook, but becoming available right about now in a paper version too.

Amazon will have it, or if you're shopping for OpenBSD stuff anyway (as you should, OpenSSH which is almost certainly the ssh and sshd on your system, is essentially an in-tree development at OpenBSD), www.openbsd.org/books.html and tentacles of the ordering system will show you where to get it.

Re:I hope the list of tricks

[airdweller]

Can you elaborate?

Re:_slashdot_ at it again

[thereitis]

What's to stop anyone from creating their own site? Slashcode is free. Meld that with something like digg (except with clueful readers) and the users can control the submissions (since your gripe seems to be with the editors of this site). Sounds easy, but I'll bet it isn't.

My guess is the editors have so many stories to choose from, they've got some keyword filters set up and pick out of that lot. That would explain why there are so many stories along the same lines, which gets kind of repetitive.

remote sniffing!

[Washuu2]

ssh root@10.0.0.245 "tcpdump -l -n -s 0 -w -not port 22" wireshark-i -

Re:I hope the list of tricks

[jojoba_oil]

A good review of the issue was documented on the website of yet a different extension: DownThemAll! - Can I trust NoScript any longer?

Basically, NoScript got upset that AdBlock made it possible to block ads on their site. (Note: by default, the NoScript site gets opened on every update.) So NoScript issued an update that crippled AdBlock's ability to block anything. This was discovered and NoScript, under pressure, changed to automatically add a forced white-list for their own site. Eventually, that was changed to allow opt-out, and then removed entirely. But the trust is still damaged; I haven't used NoScript since then.

Bittorrent, anyone?

[thoughtlover]

Yes, it can be done. I read about it back in 2007. "Tunneling BitTorrent over SSH"

SSL SSH

[nullspoon]

I had a friend suggest to me something a ways back that I thought was pretty clever.

If you're ssh'ing to your box for a proxy from say, work, you might not be able to get out since outbound connections might be disallowed by your company's firewall (or what have you). Even if outbound connections on 22 (or whatever oddball port you're running your ssh server on) are allowed, weird traffic like that might raise some eyebrows and get you in trouble.

My friend's idea was to have ssh running on port 443 on your proxy box provided you don't have a web server using ssl running. Pretty much any firewall that has a website behind it has 80 and 443 open. In addition, 443 is ssl encrypted so when your encrypted ssh traffic goes through it, it hopefully won't raise much suspicion.

Re:On the other hand, you could buy the book

[abirdman]

It's an excellent book-- short, concise, clear and nicely explained. Delivered by Amazon today. Thanks for the information.