SSH: Difference between revisions
(reformated, hidden stuff) |
(Reformated - keep only ssh command related information - move ssh tools to dedicated page) |
||
Line 1: | Line 1: | ||
== |
== Reference == |
||
On this Wiki: |
|||
After installing ssh (client & server), you have to create an ssh-key: |
|||
* [[SSH Tools]] |
|||
<source lang="bash"> |
|||
ssh-keygen |
|||
</source> |
|||
== Tips == |
== Tips == |
||
Line 11: | Line 9: | ||
</source> |
</source> |
||
== |
== Install == |
||
After installing ssh (client & server), you have to create an ssh-key: |
|||
<source lang="bash"> |
|||
ssh-keygen |
|||
</source> |
|||
== Configuration == |
|||
* Under GNOME, one can uses menu ''Places'' → ''Connect to Server...'' to connect to a remote server in ''Nautilus''. The connection can be bookmarked for future use. |
|||
* The syntax for address bar in ''Nautilus'' is '''<tt>sftp://''username''@''server''/''folder''</tt>'''. |
|||
=== KDE/Konqueror === |
|||
* Use [[KDE#KIO|KIO]] '''fish''' or '''sftp''' to establish a SSH or SFTP connection in ''Konqueror''. |
|||
=== gftp === |
|||
* [http://gftp.seul.org/ gftp] is a free multithreaded file transfer client for *NIX based machines. It supports the FTP, FTPS (control connection only), HTTP, HTTPS, SSH and FSP protocols. |
|||
== SSH Console == |
|||
=== SSH-Tunnel === |
|||
* See official page on [http://wiki.yobi.be/wiki/Bypass_Proxy Yobi]. |
|||
* To install |
|||
{{pl2|<source lang="bash"> |
|||
# Install ssh-tunnel |
|||
tar -xvzf ssh-tunnel-x.yy.tgz |
|||
make install |
|||
# Create empty ssh banner (will be updated at the first connection) |
|||
touch ~/.ssh/clbanner.txt |
|||
# Create ssh symlink ( need to have ~/bin in path !) |
|||
mkdir ~/bin |
|||
ln -s /usr/local/bin/ssh.pl ~/bin/ssh |
|||
# Edit ~/.ssh/config and ~/.ssh/proxy.conf |
|||
vi ~/.ssh/config |
|||
vi ~/.ssh/proxy.conf |
|||
</source>}} |
|||
* Install required packages (openssl and dev libraries) and required PERL packages (see [[Perl]]: |
|||
{{pl2|<source lang="bash"> |
|||
$ sudo apt-get install openssl libssl-dev |
|||
$ sudo cpan |
|||
# 2 following lines only needed if first time cpan is run |
|||
cpan> o conf init urllist |
|||
cpan> o conf commit |
|||
cpan> install Getopt::Long MIME::Base64 Net::SSLeay IO::Socket::SSL Authen::NTLM |
|||
</source>}} |
|||
* Here a [{{#filelink: ssh-tunnel-v2.26.patch}} patch] on ssh-tunnel-v2.26 to prevent double expansion in command arguments: {{Hide|{{#fileanchor: ssh-tunnel-v2.26.patch}}<source lang="diff"> |
|||
--- ssh-tunnel-2.26/ssh.pl 2007-04-15 20:15:36.000000000 +0200 |
|||
+++ ssh-tunnel-2.26-patched/ssh.pl 2008-09-09 15:54:59.125000000 +0200 |
|||
@@ -15,5 +15,5 @@ |
|||
# Parse ssh-options |
|||
while ($#ARGV>=0 && $ARGV[0] ne '--') { |
|||
- push @SSHARGV, shift @ARGV; |
|||
+ push @SSHARGV, "\'" . shift(@ARGV) . "\'"; |
|||
} |
|||
shift @ARGV if $ARGV[0] eq '--'; |
|||
</source>}} |
|||
=== Remote Command Execution === |
|||
* SSH allows to execute any command on remote SSH host. The syntax is |
|||
{{pl2|<source lang="bash">ssh -t SSH_HOST COMMAND</source>}} |
|||
* To execute a remote command on remote host and stay connected afterwards, use <tt>ssh -t</tt>, along with bash ''rcfile'', like: |
|||
{{pl2|<source lang="bash">ssh -t SSH_HOST "bash --rcfile PATH_TO_RC_FILE"</source>}} |
|||
Don't miss the quotes around the command. Bash will execute the commands in the rc file, and will open a session. Connection remains open because stdin/stdout is not closed. Option -t allows for connecting with current terminal. Without this option, there will be no terminal connection, so bash would run in batch mode (no prompt), and terminal features like tab completion or color would be missing. |
|||
* Another solution is to force bash ''interactive'' mode: |
|||
{{pl2|<source lang="bash">ssh SSH_HOST "bash --rcfile PATH_TO_RC_FILE -i"</source>}} |
|||
Since there is no terminal, bash goes by default in non-interactive mode. Interactive mode is forced with option <tt>-i</tt>, and so prompt will be printed, etc. But this is only a partial solution because there is still no terminal, ie. no color, no TAB auto-completion. |
|||
==== Troubleshooting ==== |
|||
* <tt>~/bin/ssh.pl</tt> from <font color="red">''ssh-tunnel''</font> package currently interferes with the command. This is due to double argument processing and expansion. See patch above on v2.26. |
|||
== SSH Config == |
|||
SSH can be configured through file <tt>~/.ssh/config</tt>. See <tt>[http://linux.die.net/man/5/ssh_config man ssh_config]</tt> for more information. The format is as follows: |
SSH can be configured through file <tt>~/.ssh/config</tt>. See <tt>[http://linux.die.net/man/5/ssh_config man ssh_config]</tt> for more information. The format is as follows: |
||
Line 104: | Line 38: | ||
<source lang=bash> |
<source lang=bash> |
||
Host myhost |
Host myhost |
||
ProxyCommand none |
ProxyCommand none # Otherwise setting in Host * would be taken |
||
Host * |
Host * |
||
ProxyCommand /usr/local/bin/ssh-tunnel.pl -f - - %h %p |
ProxyCommand /usr/local/bin/ssh-tunnel.pl -f - - %h %p |
||
</source> |
</source> |
||
== |
== Command-Line == |
||
'''<tt>ssh-agent</tt>''' is a program that holds private keys used for public key authentication (RSA, DSA). Using this program, users only have to enter once the passphrase of their ssh key, and not at each <tt>ssh</tt> invokation. |
|||
=== Remote Command Execution === |
|||
<source lang="bash"> |
|||
* SSH allows to execute any command on remote SSH host. The syntax is |
|||
% eval `ssh-agent -s` |
|||
{{pl2|<source lang="bash">ssh -t SSH_HOST COMMAND</source>}} |
|||
% ssh-add # Here ssh-add asks for user's passphrase |
|||
* To execute a remote command on remote host and stay connected afterwards, use <tt>ssh -t</tt>, along with bash ''rcfile'', like: |
|||
% ssh # Here no passphrase requested |
|||
{{pl2|<source lang="bash">ssh -t SSH_HOST "bash --rcfile PATH_TO_RC_FILE"</source>}} |
|||
</source> |
|||
Don't miss the quotes around the command. Bash will execute the commands in the rc file, and will open a session. Connection remains open because stdin/stdout is not closed. Option -t allows for connecting with current terminal. Without this option, there will be no terminal connection, so bash would run in batch mode (no prompt), and terminal features like tab completion or color would be missing. |
|||
* Another solution is to force bash ''interactive'' mode: |
|||
<tt>ssh-agent</tt> defines the environment variable <tt>SSH_AUTH_SOCK</tt>, which points to a unix socket that is used by '''ssh'' to communicate with the agent. |
|||
{{pl2|<source lang="bash">ssh SSH_HOST "bash --rcfile PATH_TO_RC_FILE -i"</source>}} |
|||
Since there is no terminal, bash goes by default in non-interactive mode. Interactive mode is forced with option <tt>-i</tt>, and so prompt will be printed, etc. But this is only a partial solution because there is still no terminal, ie. no color, no TAB auto-completion. |
|||
=== Linux === |
|||
On Linux, '''ssh-agent''' should be launched before starting the X session, so that all child processes have this variable defined. Also, be sure to kill all instances of '''ssh-agent''' when the session ends. |
|||
=== Cygwin === |
|||
The situation is trickier on Cygwin / Windows because it is not possible to launch the '''ssh-agent''' before the Windows GUI. |
|||
I use [{{#filelink: ssh-agent-refresh.sh}} this script] to overcome this situation (to install in <tt>/usr/local/bin/</tt>). The script also works in multi-user environment, but only accept one ssh-agent instance per user. |
|||
{{hidden|/usr/local/bin/ssh-agent-refresh.sh|{{#fileanchor: ssh-agent-refresh.sh}} |
|||
<source lang="bash"> |
|||
#!/bin/bash |
|||
# |
|||
# This script will detect any running ssh-agent and restore the environment |
|||
# variable that would normally be created with the command |
|||
# |
|||
# % ssh-agent -s |
|||
# |
|||
# By default, this script looks for an existing ssh-agent process already running with |
|||
# same UID as the current shell. If none is found, a new ssh-agent process is launched. |
|||
# If the SSH_AUTH_SOCK is not specified, the script will try to find back the correct |
|||
# socket name. For this it looks for a socket named /tmp/ssh-*/agent.*, with same UID |
|||
# as current script. |
|||
# |
|||
# If the environment variable SSH_AUTH_SOCK is set, ssh-agent will use that socket name |
|||
# instead of generating a new one (on first invocation). |
|||
# |
|||
# Example of use: |
|||
# ssh-agent-refresh.sh |
|||
# if ( ssh-add -L | grep -q $USER ); then ssh-add -t 3600; fi |
|||
# |
|||
# Example with predefined SSH_AUTH_SOCK |
|||
# export SSH_AUTH_SOCK=/tmp/.ssh-agent-$USER |
|||
# ssh-agent-refresh.sh |
|||
# if ( ssh-add -L | grep -q $USER ); then ssh-add -t 3600; fi |
|||
# |
|||
# Example of output of ssh-agent -s: |
|||
# |
|||
# SSH_AUTH_SOCK=/tmp/ssh-VAjpOtefMI/agent.2112; export SSH_AUTH_SOCK; |
|||
# SSH_AGENT_PID=2568; export SSH_AGENT_PID; |
|||
# echo Agent pid 2568; |
|||
SSH_AGENT_PROCESS_NAME=ssh-agent |
|||
# Shell must be a login shell - for USER variable |
|||
if [ -z "$USER" ]; then |
|||
echo "ERROR! Environment variable USER not defined - you probably don't run a login shell" |
|||
exit 4 |
|||
fi |
|||
# First see check that at most one instance of ssh-agent is running. |
|||
SSH_AGENT_COUNT=`ps -su $USER | grep -c "$SSH_AGENT_PROCESS_NAME"` |
|||
if [ $SSH_AGENT_COUNT -gt 1 ]; then |
|||
echo "ERROR! Several ssh-agent processes are running">/dev/stderr |
|||
exit 3 |
|||
fi |
|||
# Second launch a new ssh-agent if none is running. We use variable SSH_AUTH_SOCK if defined |
|||
if [ $SSH_AGENT_COUNT -eq 0 ]; then |
|||
if [ $SSH_AUTH_SOCK ]; then |
|||
ssh-agent -a "$SSH_AUTH_SOCK" -s |
|||
else |
|||
ssh-agent -s |
|||
fi |
|||
exit 1 |
|||
fi |
|||
# Third, find back ssh-agent-pid We use the blob below because pidof doesn't filter based on process UID |
|||
SSH_AGENT_PID=`ps -su $USER | grep "$SSH_AGENT_PROCESS_NAME" | sed -r 's/^ *([0-9]*) .*$/\1/'` |
|||
# Next find the socket that the running ssh-agent is attached to. We reuse variable SSH_AUTH_SOCK if it is defined. |
|||
if [ ! $SSH_AUTH_SOCK ]; then |
|||
SSH_AUTH_SOCK=`find /tmp -type s -user $USER -path "/tmp/ssh-*/agent.*"` |
|||
else |
|||
if [ -x "$SSH_AUTH_SOCK" ]; then |
|||
echo "ssh-agent process found (pid $SSH_AGENT_PID), but given socket does not exist ($SSH_AUTH_SOCK)!">/dev/stderr |
|||
exit 2 |
|||
fi |
|||
fi |
|||
echo "SSH_AUTH_SOCK=$SSH_AUTH_SOCK; export SSH_AUTH_SOCK;" |
|||
echo "SSH_AGENT_PID=$SSH_AGENT_PID; export SSH_AGENT_PID;" |
|||
echo "echo Agent pid $SSH_AGENT_PID;" |
|||
exit 0 |
|||
</source>}} |
|||
Then add the following lines in your file <tt>~/.bash_profile</tt> (not in the <tt>~/.bashrc</tt> because we use variable <tt>USER</tt> which is only defined in a login shell): |
|||
<source lang="bash"> |
|||
eval `ssh-agent-refresh.sh` >/dev/null |
|||
if ( ! ( ssh-add -L | grep -q $USER ) ); then ssh-add -t 3600; fi |
|||
</source> |
|||
Some security tip: |
|||
* Define a maximum life time using option '''-t time'''. |
|||
* Lock the agent with a password using option '''ssh-add -x'''. |
|||
Note that to overcome the one instance per user limitation, one would need to save the environment generated by <tt>ssh-agent</tt> in some file in home directory, and then source the proper file at next invocation. |
|||
Other ideas found on internet: |
|||
* [http://www.ganaware.jp/archives/2006/04/winsshaskpass_1.html win-ssh-askpass] A GUI tool to do exactly the same as in Linux. Also provides <tt>win-ssh-askpass.exe</tt> that can be defined as executable for <tt>SSH_ASKPASS</tt> (see '''ssh-add''' man pages). |
|||
* [http://www.webweavertech.com/ovidiu/weblog/archives/000326.html] Proposes to use a predefined <tt>SSH_AUTH_SOCK</tt> (defined in Windows environment), and saves the ssh-agent environment into a file, which can be sourced later on. |
|||
* Some more ideas [http://mah.everybody.org/docs/ssh here] |
Revision as of 16:15, 27 October 2009
Reference
On this Wiki:
Tips
ssh -F hostname # Find hostname in ~/.ssh/known_hosts (useful if HashKnowHosts enabled)
ssh -l -f ~/.ssh/known_hosts # Print fingerprint of known host keys
Install
After installing ssh (client & server), you have to create an ssh-key:
ssh-keygen
Configuration
SSH can be configured through file ~/.ssh/config. See man ssh_config for more information. The format is as follows:
# Specific configuration options for host host1
Host host1
Option1 parameter
Option2 parameter
# General configuration options for all hosts.
# Options in this section applies if same option was *not already specified* in a relevant host section above.
Host *
Option1 parameter
Option2 parameter
The value to use for each option is given by the first section that matches the host specification and that provides a value for that option. So section Host * should always be at the end of the file, since any subsequent section will be ignored.
ProxyCommand
Specify the proxy command used by ssh to deal with proxies. If a default command is specified in host *, it can be overridden in a specific host section (use ProxyCommand none to tell ssh that there is no proxies).
Host myhost
ProxyCommand none # Otherwise setting in Host * would be taken
Host *
ProxyCommand /usr/local/bin/ssh-tunnel.pl -f - - %h %p
Command-Line
Remote Command Execution
- SSH allows to execute any command on remote SSH host. The syntax is
ssh -t SSH_HOST COMMAND
- To execute a remote command on remote host and stay connected afterwards, use ssh -t, along with bash rcfile, like:
ssh -t SSH_HOST "bash --rcfile PATH_TO_RC_FILE"
Don't miss the quotes around the command. Bash will execute the commands in the rc file, and will open a session. Connection remains open because stdin/stdout is not closed. Option -t allows for connecting with current terminal. Without this option, there will be no terminal connection, so bash would run in batch mode (no prompt), and terminal features like tab completion or color would be missing.
- Another solution is to force bash interactive mode:
ssh SSH_HOST "bash --rcfile PATH_TO_RC_FILE -i"
Since there is no terminal, bash goes by default in non-interactive mode. Interactive mode is forced with option -i, and so prompt will be printed, etc. But this is only a partial solution because there is still no terminal, ie. no color, no TAB auto-completion.