SSH

Article by on August 26, 2013, last modified on April 11, 2014

Secure Shell (SSH) is the magic portal to computers everywhere. It allows you to run commands on computers other than your own, tunnel through other computers, and, with X11 forwarding, even use GUIs on other computers. In my opinion, it is one of the marvels of the computing ecosystem that exists today.

Getting Started

There is so much to talk about. For the time being, I will give a few tips and tricks and list topics I hope to cover in the future.

Installation

On Debian systems:

$ sudo apt-get install openssh-server

On Mac:

$ sudo port install openssh

And, to install sshfs on Debian systems:

$ sudo apt-get install sshfs

And, to install sshfs on Mac:

$ sudo port install sshfs

If you don't have ssh-copy-id, check out this StackOverflow answer.

Tips and Tricks

  • Run ssh -CND 1080 user@yourdomain.com to open a SOCKS proxy on your local port 1080 that tunnels through a remote server (-C compresses the traffic, -N runs no remote command, -D 1080 sets up the dynamic port forward). In Firefox, for example, you can then set your SOCKS proxy to 127.0.0.1 and 1080, go to www.whatsmyip.org and you'll see you have the public IP of that server. (If you are in the same house as that server, it will be the same, probably.) This is a great technique for testing and fun tricks such as being able to view Apache vhosts that are only accessible "locally" (i.e. only if you are seen as 127.0.0.1, which is what tunneling does from the perspective of the machine you are tunneling into).
  • Use ssh-copy-id to copy your SSH public key to remote servers. This saves you from having to type in your password every time. Your public key is by default in ~/.ssh/id_rsa.pub. If you don't have a key, run ssh-keygen and just keep hitting enter (unless you want to do fancy stuff, such as setting a passphrase; accepting the defaults leaves the private key unencrypted on disk).
  • If you get a "remote host identification has changed" warning that makes it sound like you are an evil villain hacking into the computer, and you know why the server's key changed (a reinstall, for example), find the entry in your ~/.ssh/known_hosts and remove it; ssh-keygen -R hostname does this for you.
  • You can mount remote drives via: $ sshfs user@yourdomain.com:/ ~/server, where ~/server is an empty folder that will become the location for the mounted drive.
  • The lowest hanging fruit in adding some security to your SSH setup is to edit your /etc/ssh/sshd_config to have:
    • Port 222 (or some other port)
    • PermitRootLogin no
    • PubkeyAuthentication yes
    • RSAAuthentication yes (applies to SSH protocol 1 only; OpenSSH 7.4 and later report it as a deprecated option)
    • PermitEmptyPasswords no
    • ChallengeResponseAuthentication no
    • PasswordAuthentication no
    • AllowUsers user1 user2

    where "user1" and "user2" are the two users on the system you want to have access. I'm not an expert, but from what I've read that is a good start to security.

    Warning!

    You can very easily lock yourself out of your system when you change the sshd_config. Ensure that you have successfully logged in using your public key before locking the system down to allow only public key authentication. And yes, I know from experience.
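
The settings and the lock-out warning above can be checked before sshd is restarted. The following script is an added example, not part of the original article: it reads a config the way sshd does for these options (keywords case-insensitive, first value wins, stop at Match) and flags any AllowUsers account that has no authorized_keys file. The function names, the HOME_ROOT parameter and the sample config are constructed for illustration; Port and RSAAuthentication are not checked.

```shell
#!/bin/sh
# Added example (not from the original article): audit an sshd_config against
# the settings listed above and flag the lock-out case from the warning.

# Print the global value of keyword $2 in file $1. Keywords are
# case-insensitive, sshd keeps the first value it reads for these options,
# and lines after a "Match" line are conditional, so parsing stops there.
# Simplification: Include files are not followed.
sshd_value() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        /^#/ || /^$/ { next }
        {
            key = $0; sub(/[ \t=].*$/, "", key); key = tolower(key)
            val = $0; sub(/^[^ \t=]+[ \t]*=?[ \t]*/, "", val)
            if (key == "match") exit
            if (key == want) { print val; exit }
        }' "$1"
}

# audit_sshd_config FILE [HOME_ROOT]; HOME_ROOT (default /home) is an
# assumption about where home directories live. Returns 1 on any finding.
audit_sshd_config() {
    cfg=$1 home_root=${2:-/home} rc=0
    for pair in PermitRootLogin=no PubkeyAuthentication=yes \
        PermitEmptyPasswords=no ChallengeResponseAuthentication=no \
        PasswordAuthentication=no; do
        key=${pair%%=*} want=${pair#*=}
        got=$(sshd_value "$cfg" "$key")
        [ "$got" = "$want" ] ||
            { echo "FAIL $key: want $want, got ${got:-<unset>}"; rc=1; }
    done
    # Assumes AllowUsers holds literal user names on one line, as in the
    # article, and keys in the default ~/.ssh/authorized_keys location.
    users=$(sshd_value "$cfg" AllowUsers)
    [ -n "$users" ] || { echo "FAIL AllowUsers: not set"; rc=1; }
    for u in $users; do
        [ -s "$home_root/$u/.ssh/authorized_keys" ] ||
            { echo "LOCKOUT $u: no authorized_keys under $home_root"; rc=1; }
    done
    return $rc
}

# Constructed sample: PasswordAuthentication appears twice, the first wins.
demo=$(mktemp -d)
printf '%s\n' 'PermitRootLogin no' 'passwordauthentication yes' \
    'PasswordAuthentication no' 'AllowUsers user1' > "$demo/sshd_config"
audit_sshd_config "$demo/sshd_config" "$demo/home" || true
rm -rf "$demo"
```

On the server itself, sshd -t -f /etc/ssh/sshd_config checks the file for syntax errors before you restart the daemon.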

Topics to Cover

In the meantime, typing these phrases into a search engine should be a good place to start learning more:

  • server config
  • client config
  • sshfs
  • tunneling
  • x11 forwarding
  • security and decrypting SSH

Fingerprint

How to get the fingerprint of an SSH key:

$ ssh-keygen -lf ~/.ssh/id_rsa.pub

Copying Keys

Use ssh-copy-id or, on a machine that doesn't have it, see:

http://www.commandlinefu.com/commands/view/188/copy-your-ssh-public-key-to-a-server-from-a-machine-that-doesnt-have-ssh-copy-id
