SSH is probably the most used command on my machine. If you use linux or OSX, ssh is most likely preinstalled for you. Even if you use windows, most likely you have Putty installed to securely connect to other machines. Today, I am going to show few things about the way I use SSH and may help you using it efficiently as well.
Keys Keys Keys…
The heart and power of ssh comes with its Public Key cryptography, using keys effectively you can eliminate the use of username and passwords completely. If not used correctly, it could be dangerous thing.
Setting up a key pair will let us connect to a server w/o having to key in a username and passwords. (I will discuss further below:)
Creating a key pair
You can use “ssh-keygen” to generate a key-pair on your local machine.
You may want to skip the “passphrase”, having it adds an extra layer of security but if you want to seamlessly be able to connect to servers or connect via scripts, having a passphrase will not help.
Here is how you can create a ssh key (rsa):
$ ssh-keygen -t rsa
You will output like below: Note here you can simply hit enter to continue or specify location of a file and passphrase
Generating public/private rsa key pair. Enter file in which to save the key (/home/username/.ssh/id_rsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/username/.ssh/id_rsa. Your public key has been saved in /home/username/.ssh/id_rsa.pub. The key fingerprint is: 31:XX:ee:XX:aa:bb:XX:XX username@linux The key's randomart image is: +--[ RSA 2048]----+ | | | | | . | | . + o + | | o S | |.o . o | |...+.... | |..===... | |........ | +-----------------+
At this point you should have 2 files in your “.ssh” folder
$ cd ~/.ssh $ ls -l -rw------- 1 username admin 1557 May 22 21:23 id_rsa -rw-r--r-- 1 username admin 410 May 22 21:23 id_rsa.pub
In most cases you dont have to touch either of them except that you should know its existence. If you use cygwin or someone else modified/copied the file changing its permission, you will have problem. Pay close attention to the file permission. The “id_rsa”, ie. the private key must have RW to owner only. If the permission is not set correctly, SSH will not use your keys.
Now you have a key pair you can use. Lets go ahead and use it.
Normally you may already know that you would connect to remote server by running a command like below:
$ ssh remoteuser@remoteserver ... Enter password...
Since we create a key lets setup it up.
You can copy your public key over to remote host using the ssh-copy-id command:
$ ssh-copy-id -i ~/.ssh/id_rsa remoteuser@remoteserver remoteuser@remoteserver's password: [ENTER PASSWORD] Now try logging into the machine, with "ssh 'remoteuser@remoteserver'", and check in: ~/.ssh/authorized_keys to make sure we haven't added extra keys that you weren't expecting.
Lets login to the remote server. We can simply run the ssh command along with the identity file.
$ ssh -i ~/.ssh/id_rsa remoteuser@remoteserver
You should notice that we just logged into the remote server w/o entering a password.
In the ssh command we passed “-i” flag along with the location to our private key. This means, we passed our identity file as our id_rsa private key telling ssh to use it to connect to the remote server.
If you have multiple key pairs and long list of servers to go along with it, it might be hard to keep track and hard to manage. If you use Amazon EC2, or other private/public cloud, you know will have to keep track of them specially with hard server names and multiple keys.
But, there is a solution for that. And it is “config” file.
The ssh “config” file
“config” file in your “.ssh” folder does a lot of magic. I will show you some tricks.
If the file doesn’t already exist, you can just create one. If the file exist, you can keep adding entries at the end of the file.
I will explain an entry here:
So to go along with our example. We can now setup a config to our remote server.
Let’s add following entry in our config file.
$ vi ~/.ssh/config ... ... ... Host rs HostName remoteserver User username IdentityFile ~/.ssh/id_rsa
Here we added all the information we need to connect to our remoteserver. We entered “User” that we will login as. Pointed to your private key. At the very first we added a word “rs” after Host, ie. we are giving an alias to my “remotesever”. So we can now do “ssh rs”.
Try it for yourself.
$ ssh rs
Walla you just logged in to your remote server w/o a password yet with one single word.
Port Forwarding is an advanced feature of ssh. It is very useful in many cases.
Using port forwarding, your communication over the port is encrypted over ssh. This creates a p2p “tunnel” between the server and you.
This is often referred as poor man’s vpn.
Local port forwarding will let us forward any communication that happens in our “local” box on that port to be forwarded on to the remote server.
Let’s say that we have mysql installed in our remote server. We want to connect to that database from our local server as if it is installed locally, we can configure it as follows:
$ ssh rs -L 3306:localhost:3306
Above we configured a local port forwarding (“-L”), we binded our local port “3306”, to remote port “3306” on the localhost i.e. the remote host.
this means if you configure your application to connect to “localhost:3306″, it is actually connecting to the port 3306 on the remote server.
You can have more than one port forwarding. If you want more, simply add more ” -L localport:host:remoteport”
Another example to clarify this more:
Lets say you want to bind port 8181 on your local box to point to http://www.cnn.com through the ssh connection. (Basically the traffic to cnn.com will be routed from the remote box)
$ ssh -L 8181:www.cnn.com:80 rs
Now, open a browser and navigate to “localhost:8181”. You will see that cnn.com page comes up :).
Similar to local forwarding, we can bind a port on the remote box back to our local machine. This is done via “-R” flag.
$ ssh -R 8282:localhost:8585
After ssh connection is established, on the remote box’s port 8282 is bound back to box initiating the connection to port 8585.
Using port forwarding, remote and local, you can create these tunnels between servers.
SSH could be used as socks proxy. To explain this lets say the machine you are using locally does not have access to the internet. Or your access to facebook or youtube is blocked. But say a “remote” server has unrestricted access to the internet and is able to surf facebook or youtube.
You can setup a ssh dynamic port binding and use it as socks proxy. This means, your local machine can access those site through the “remote” server bypassing the firewall. Your connection to facebook / youtube is happening through the secure “tunnel”.
Let’s set one up.
$ ssh -C -D 1080 remoteserver
You can go to any site on that browser and all the web traffic will be routed over through remoteserver.
Hope this helps you use ssh like a pro 🙂