SSH

From miki
Revision as of 15:49, 27 October 2009 by Mikiadmin (talk | contribs) (reformated, hidden stuff)
Jump to navigation Jump to search

Install

After installing ssh (client & server), you have to create an ssh-key:

ssh-keygen

Tips

ssh -F hostname                  # Find hostname in ~/.ssh/known_hosts (useful if HashKnowHosts enabled)
ssh -l -f ~/.ssh/known_hosts     # Print fingerprint of known host keys

SSH GUI

Gnome/Nautilus

  • Under GNOME, one can uses menu PlacesConnect to Server... to connect to a remote server in Nautilus. The connection can be bookmarked for future use.
  • The syntax for address bar in Nautilus is sftp://username@server/folder.

KDE/Konqueror

  • Use KIO fish or sftp to establish a SSH or SFTP connection in Konqueror.

gftp

  • gftp is a free multithreaded file transfer client for *NIX based machines. It supports the FTP, FTPS (control connection only), HTTP, HTTPS, SSH and FSP protocols.

SSH Console

SSH-Tunnel

  • See official page on Yobi.
  • To install
# Install ssh-tunnel
tar -xvzf ssh-tunnel-x.yy.tgz
make install

# Create empty ssh banner (will be updated at the first connection)
touch ~/.ssh/clbanner.txt

# Create ssh symlink ( need to have ~/bin in path !)
mkdir ~/bin
ln -s /usr/local/bin/ssh.pl ~/bin/ssh

# Edit ~/.ssh/config and ~/.ssh/proxy.conf
vi ~/.ssh/config
vi ~/.ssh/proxy.conf
  • Install required packages (openssl and dev libraries) and required PERL packages (see Perl:
$ sudo apt-get install openssl libssl-dev
$ sudo cpan
# 2 following lines only needed if first time cpan is run
cpan> o conf init urllist
cpan> o conf commit
cpan> install Getopt::Long MIME::Base64 Net::SSLeay IO::Socket::SSL Authen::NTLM
  • Here a [{{#filelink: ssh-tunnel-v2.26.patch}} patch] on ssh-tunnel-v2.26 to prevent double expansion in command arguments:
{{#fileanchor: ssh-tunnel-v2.26.patch}}
--- ssh-tunnel-2.26/ssh.pl      2007-04-15 20:15:36.000000000 +0200
+++ ssh-tunnel-2.26-patched/ssh.pl      2008-09-09 15:54:59.125000000 +0200
@@ -15,5 +15,5 @@
 # Parse ssh-options
 while ($#ARGV>=0 && $ARGV[0] ne '--') {
-       push @SSHARGV, shift @ARGV;
+       push @SSHARGV, "\'" . shift(@ARGV) . "\'";
 }
 shift @ARGV if $ARGV[0] eq '--';

Remote Command Execution

  • SSH allows to execute any command on remote SSH host. The syntax is
ssh -t SSH_HOST COMMAND
  • To execute a remote command on remote host and stay connected afterwards, use ssh -t, along with bash rcfile, like:
ssh -t SSH_HOST "bash --rcfile PATH_TO_RC_FILE"

Don't miss the quotes around the command. Bash will execute the commands in the rc file, and will open a session. Connection remains open because stdin/stdout is not closed. Option -t allows for connecting with current terminal. Without this option, there will be no terminal connection, so bash would run in batch mode (no prompt), and terminal features like tab completion or color would be missing.

  • Another solution is to force bash interactive mode:
ssh SSH_HOST "bash --rcfile PATH_TO_RC_FILE -i"

Since there is no terminal, bash goes by default in non-interactive mode. Interactive mode is forced with option -i, and so prompt will be printed, etc. But this is only a partial solution because there is still no terminal, ie. no color, no TAB auto-completion.

Troubleshooting

  • ~/bin/ssh.pl from ssh-tunnel package currently interferes with the command. This is due to double argument processing and expansion. See patch above on v2.26.

SSH Config

SSH can be configured through file ~/.ssh/config. See man ssh_config for more information. The format is as follows:

# Specific configuration options for host host1
Host host1
  Option1     parameter
  Option2     parameter

# General configuration options for all hosts. 
# Options in this section applies if same option was *not already specified* in a relevant host section above.
Host *
  Option1     parameter
  Option2     parameter

The value to use for each option is given by the first section that matches the host specification and that provides a value for that option. So section Host * should always be at the end of the file, since any subsequent section will be ignored.

ProxyCommand

Specify the proxy command used by ssh to deal with proxies. If a default command is specified in host *, it can be overridden in a specific host section (use ProxyCommand none to tell ssh that there is no proxies).

Host myhost
  ProxyCommand    none
Host *
  ProxyCommand    /usr/local/bin/ssh-tunnel.pl -f - - %h %p

SSH-Agent

ssh-agent is a program that holds private keys used for public key authentication (RSA, DSA). Using this program, users only have to enter once the passphrase of their ssh key, and not at each ssh invokation.

% eval `ssh-agent -s`
% ssh-add                      # Here ssh-add asks for user's passphrase
% ssh                          # Here no passphrase requested

ssh-agent defines the environment variable SSH_AUTH_SOCK, which points to a unix socket that is used by 'ssh to communicate with the agent.

Linux

On Linux, ssh-agent should be launched before starting the X session, so that all child processes have this variable defined. Also, be sure to kill all instances of ssh-agent when the session ends.

Cygwin

The situation is trickier on Cygwin / Windows because it is not possible to launch the ssh-agent before the Windows GUI.

I use [{{#filelink: ssh-agent-refresh.sh}} this script] to overcome this situation (to install in /usr/local/bin/). The script also works in multi-user environment, but only accept one ssh-agent instance per user.

Then add the following lines in your file ~/.bash_profile (not in the ~/.bashrc because we use variable USER which is only defined in a login shell):

eval `ssh-agent-refresh.sh` >/dev/null
if ( ! ( ssh-add -L | grep -q $USER ) ); then ssh-add -t 3600; fi

Some security tip:

  • Define a maximum life time using option -t time.
  • Lock the agent with a password using option ssh-add -x.

Note that to overcome the one instance per user limitation, one would need to save the environment generated by ssh-agent in some file in home directory, and then source the proper file at next invocation.

Other ideas found on internet:

  • win-ssh-askpass A GUI tool to do exactly the same as in Linux. Also provides win-ssh-askpass.exe that can be defined as executable for SSH_ASKPASS (see ssh-add man pages).
  • [1] Proposes to use a predefined SSH_AUTH_SOCK (defined in Windows environment), and saves the ssh-agent environment into a file, which can be sourced later on.
  • Some more ideas here