SSH
Install
After installing ssh (client & server), you have to create an ssh-key:
ssh-keygen
Tips
ssh -F hostname # Find hostname in ~/.ssh/known_hosts (useful if HashKnowHosts enabled)
ssh -l -f ~/.ssh/known_hosts # Print fingerprint of known host keys
SSH GUI
Gnome/Nautilus
- Under Gnome, one can uses menu Places → Connect to Server... to connect to a remote server in Nautilus. The connection can be bookmarked for future use.
- The syntax for address bar in Nautilus is sftp://username@server/folder.
KDE/Konqueror
- Use KIO fish or sftp to establish a SSH or SFTP connection in Konqueror.
gftp
- gftp is a free multithreaded file transfer client for *NIX based machines. It supports the FTP, FTPS (control connection only), HTTP, HTTPS, SSH and FSP protocols.
SSH Console
SSH-Tunnel
- See official page on Yobi.
- To install
# Install ssh-tunnel
tar -xvzf ssh-tunnel-x.yy.tgz
make install
# Create empty ssh banner (will be updated at the first connection)
touch ~/.ssh/clbanner.txt
# Create ssh symlink ( need to have ~/bin in path !)
mkdir ~/bin
ln -s /usr/local/bin/ssh.pl ~/bin/ssh
# Edit ~/.ssh/config and ~/.ssh/proxy.conf
vi ~/.ssh/config
vi ~/.ssh/proxy.conf
- Install required packages (openssl and dev libraries) and required PERL packages (see Perl:
$ sudo apt-get install openssl libssl-dev
$ sudo cpan
# 2 following lines only needed if first time cpan is run
cpan> o conf init urllist
cpan> o conf commit
cpan> install Getopt::Long MIME::Base64 Net::SSLeay IO::Socket::SSL Authen::NTLM
- Here a patch on ssh-tunnel-v2.26 to prevent double expansion in command arguments.
--- ssh-tunnel-2.26/ssh.pl 2007-04-15 20:15:36.000000000 +0200
+++ ssh-tunnel-2.26-patched/ssh.pl 2008-09-09 15:54:59.125000000 +0200
@@ -15,5 +15,5 @@
# Parse ssh-options
while ($#ARGV>=0 && $ARGV[0] ne '--') {
- push @SSHARGV, shift @ARGV;
+ push @SSHARGV, "\'" . shift(@ARGV) . "\'";
}
shift @ARGV if $ARGV[0] eq '--';
Remote Command Execution
- SSH allows to execute any command on remote SSH host. The syntax is
% ssh -t SSH_HOST COMMAND
- To execute a remote command on remote host and stay connected afterwards, use ssh -t, along with bash rcfile, like:
% ssh -t SSH_HOST "bash --rcfile PATH_TO_RC_FILE"
Don't miss the quotes around the command. Bash will execute the commands in the rc file, and will open a session. Connection remains open because stdin/stdout is not closed. Option -t allows for connecting with current terminal. Without this option, there will be no terminal connection, so bash would run in batch mode (no prompt), and terminal features like tab completion or color would be missing.
- Another solution is to force bash interactive mode:
% ssh SSH_HOST "bash --rcfile PATH_TO_RC_FILE -i"
Since there is no terminal, bash goes by default in non-interactive mode. Interactive mode is forced with option -i, and so prompt will be printed, etc. But this is only a partial solution because there is still no terminal, ie. no color, no TAB auto-completion.
Troubleshooting
- ~/bin/ssh.pl from ssh-tunnel package currently interferes with the command. This is due to double argument processing and expansion. See patch above on v2.26.
SSH Config
SSH can be configured through file ~/.ssh/config. See man ssh_config for more information. The format is as follows:
# Specific configuration options for host host1
Host host1
Option1 parameter
Option2 parameter
# General configuration options for all hosts.
# Options in this section applies if same option was *not already specified* in a relevant host section above.
Host *
Option1 parameter
Option2 parameter
The value to use for each option is given by the first section that matches the host specification and that provides a value for that option. So section Host * should always be at the end of the file, since any subsequent section will be ignored.
ProxyCommand
Specify the proxy command used by ssh to deal with proxies. If a default command is specified in host *, it can be overridden in a specific host section (use ProxyCommand none to tell ssh that there is no proxies).
Host myhost
ProxyCommand none
Host *
ProxyCommand /usr/local/bin/ssh-tunnel.pl -f - - %h %p
SSH-Agent
ssh-agent is a program that holds private keys used for public key authentication (RSA, DSA). Using this program, users only have to enter once the passphrase of their ssh key, and not at each ssh invokation.
% eval `ssh-agent -s`
% ssh-add # Here ssh-add asks for user's passphrase
% ssh # Here no passphrase requested
ssh-agent defines the environment variable SSH_AUTH_SOCK, which points to a unix socket that is used by 'ssh to communicate with the agent.
Linux
On Linux, ssh-agent should be launched before starting the X session, so that all child processes have this variable defined. Also, be sure to kill all instances of ssh-agent when the session ends.
Cygwin
The situation is trickier on Cygwin / Windows because it is not possible to launch the ssh-agent before the Windows GUI.
I use the script below to overcome this situation (to install in /usr/local/bin/ssh-agent-refresh.sh). The script also works in multi-user environment, but only accept one ssh-agent instance per user.
#!/bin/bash
#
# This script will detect any running ssh-agent and restore the environment
# variable that would normally be created with the command
#
# % ssh-agent -s
#
# By default, this script looks for an existing ssh-agent process already running with
# same UID as the current shell. If none is found, a new ssh-agent process is launched.
# If the SSH_AUTH_SOCK is not specified, the script will try to find back the correct
# socket name. For this it looks for a socket named /tmp/ssh-*/agent.*, with same UID
# as current script.
#
# If the environment variable SSH_AUTH_SOCK is set, ssh-agent will use that socket name
# instead of generating a new one (on first invocation).
#
# Example of use:
# ssh-agent-refresh.sh
# if ( ssh-add -L | grep -q $USER ); then ssh-add -t 3600; fi
#
# Example with predefined SSH_AUTH_SOCK
# export SSH_AUTH_SOCK=/tmp/.ssh-agent-$USER
# ssh-agent-refresh.sh
# if ( ssh-add -L | grep -q $USER ); then ssh-add -t 3600; fi
#
# Example of output of ssh-agent -s:
#
# SSH_AUTH_SOCK=/tmp/ssh-VAjpOtefMI/agent.2112; export SSH_AUTH_SOCK;
# SSH_AGENT_PID=2568; export SSH_AGENT_PID;
# echo Agent pid 2568;
SSH_AGENT_PROCESS_NAME=ssh-agent
# Shell must be a login shell - for USER variable
if [ -z "$USER" ]; then
echo "ERROR! Environment variable USER not defined - you probably don't run a login shell"
exit 4
fi
# First see check that at most one instance of ssh-agent is running.
SSH_AGENT_COUNT=`ps -su $USER | grep -c "$SSH_AGENT_PROCESS_NAME"`
if [ $SSH_AGENT_COUNT -gt 1 ]; then
echo "ERROR! Several ssh-agent processes are running">/dev/stderr
exit 3
fi
# Second launch a new ssh-agent if none is running. We use variable SSH_AUTH_SOCK if defined
if [ $SSH_AGENT_COUNT -eq 0 ]; then
if [ $SSH_AUTH_SOCK ]; then
ssh-agent -a "$SSH_AUTH_SOCK" -s
else
ssh-agent -s
fi
exit 1
fi
# Third, find back ssh-agent-pid We use the blob below because pidof doesn't filter based on process UID
SSH_AGENT_PID=`ps -su $USER | grep "$SSH_AGENT_PROCESS_NAME" | sed -r 's/^ *([0-9]*) .*$/\1/'`
# Next find the socket that the running ssh-agent is attached to. We reuse variable SSH_AUTH_SOCK if it is defined.
if [ ! $SSH_AUTH_SOCK ]; then
SSH_AUTH_SOCK=`find /tmp -type s -user $USER -path "/tmp/ssh-*/agent.*"`
else
if [ -x "$SSH_AUTH_SOCK" ]; then
echo "ssh-agent process found (pid $SSH_AGENT_PID), but given socket does not exist ($SSH_AUTH_SOCK)!">/dev/stderr
exit 2
fi
fi
echo "SSH_AUTH_SOCK=$SSH_AUTH_SOCK; export SSH_AUTH_SOCK;"
echo "SSH_AGENT_PID=$SSH_AGENT_PID; export SSH_AGENT_PID;"
echo "echo Agent pid $SSH_AGENT_PID;"
exit 0
Then add the following lines in your file ~/.bash_profile (not in the ~/.bashrc because we use variable USER which is only defined in a login shell):
eval `ssh-agent-refresh.sh` >/dev/null
if ( ! ( ssh-add -L | grep -q $USER ) ); then ssh-add -t 3600; fi
Some security tip:
- Define a maximum life time using option -t time.
- Lock the agent with a password using option ssh-add -x.
Note that to overcome the one instance per user limitation, one would need to save the environment generated by ssh-agent in some file in home directory, and then source the proper file at next invocation.
Other ideas found on internet:
- win-ssh-askpass A GUI tool to do exactly the same as in Linux. Also provides win-ssh-askpass.exe that can be defined as executable for SSH_ASKPASS (see ssh-add man pages).
- [1] Proposes to use a predefined SSH_AUTH_SOCK (defined in Windows environment), and saves the ssh-agent environment into a file, which can be sourced later on.
- Some more ideas here