When you want to maintain a Linux / Unix server remotely, SSH gives you all the options you need. A simple "ssh servername" lets you connect to the command line and work the same way as locally. But when you work with SSH every day, there are some things that make the daily business easier. In this blog post I want to collect some experiences that make working with ssh easier.
When you need to log in or copy files with SSH frequently, typing passwords can be quite time consuming and annoying. For this reason, SSH provides the feature to generate key files for login, instead of passwords.
An SSH key consists of two parts. The first part is the "private key". This private key is used to "unlock" a session and should never be given to anybody else; it is comparable to a real key. The public key is comparable to the lock: you can copy it, and it is placed on the target server to allow the login for the owner of the corresponding private key.
The first step to log in with an SSH key is to generate the key files:
During the generation process you will be asked in which file the key will be generated. The default value is "~/.ssh/id_rsa".
Important: id_rsa is the private key, do not share this file! id_rsa.pub is the public key. This file can be shared. If you want to allow the login for the owner of the private key, you can add the public key to ~/.ssh/authorized_keys on the target system.
In the end you can check if the public key was added to "~/.ssh/authorized_keys":
After this you can log out and check if you can log in without a password:
When you log in with ssh, you can use the option -i to pass an ssh key as identity file. By default id_rsa will be used.
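The whole key-based login setup above (generate the pair, install the public key once in authorized_keys with the permissions sshd expects, verify that the key alone is accepted), as an added shell example that is not part of the original post. The function names generate_key, install_pubkey, count_pubkey, mode_of and check_login are my own, and the public key line in the usage section is a constructed placeholder, not a real key. generate_key and check_login need ssh-keygen and ssh on the path; install_pubkey runs on any POSIX shell.

```shell
#!/bin/sh
# Added example, not the post's own commands. Helper names and the sample key
# in the usage section are assumptions/constructed values.
set -eu

# Generate a key pair; $1 is the private key path, the public key is "$1.pub".
# ssh-keygen asks for a passphrase interactively; the passphrase protects the
# private key file if it is ever copied off the machine.
generate_key() {
    ssh-keygen -t ed25519 -f "$1" -C "$(whoami)@$(hostname)"
}

# Append one public key line to <dir>/authorized_keys exactly once and set the
# permissions sshd's StrictModes requires (directory 700, file 600); with looser
# permissions sshd ignores the file and you silently fall back to passwords.
# $1 = public key line, $2 = the target account's .ssh directory.
install_pubkey() {
    pubkey=$1
    sshdir=$2
    authkeys="$sshdir/authorized_keys"
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$authkeys"
    chmod 600 "$authkeys"
    # -F literal, -x whole line, -q quiet: skip if this exact key is present.
    if ! grep -Fxq -- "$pubkey" "$authkeys"; then
        printf '%s\n' "$pubkey" >> "$authkeys"
    fi
}

# Print how many lines of <dir>/authorized_keys equal the given key line
# (grep -c prints 0 and exits 1 when nothing matches, hence the || true).
count_pubkey() {
    grep -Fxc -- "$1" "$2/authorized_keys" || true
}

# Print the permission string (e.g. drwx------) of a path, portably.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Try a key-only login. BatchMode=yes makes ssh fail instead of prompting for a
# password, so exit status 0 proves the key itself was accepted.
# $1 = private key file, $2 = user@host.
check_login() {
    ssh -i "$1" -o BatchMode=yes -o PasswordAuthentication=no "$2" true
}

# Usage (commented out so the script also runs on a machine without sshd):
#   generate_key "$HOME/.ssh/id_ed25519"
#   install_pubkey "$(cat "$HOME/.ssh/id_ed25519.pub")" /path/on/server/.ssh
#   check_login "$HOME/.ssh/id_ed25519" user@servername
```

install_pubkey is what ssh-copy-id does for you behind the scenes; doing it by hand is useful when the target account has no password login at all and you install the key through some other channel. The ed25519 key type is chosen because it is the type ssh-keygen has generated by default since OpenSSH 9.5; the id_rsa name in the post comes from older releases, and the -i option applies to either.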
There are situations where you want to reach a port on a remote system that is not available from outside, because it is blocked by the firewall.
In this case you can create an SSH tunnel. The SSH tunnel forwards the port from the remote machine to a port on the local machine.
This command creates an SSH tunnel to the server "mytomcat". Port 8080, which is listening on the loopback interface (127.0.0.1) of that server, will be tunneled to the local port 8080.
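The local port forward described above, as an added shell example that is not part of the post. The function names, the explicit 127.0.0.1 bind address and the control socket naming are my choices; the ssh options used (-L, -N, -f, ExitOnForwardFailure, ControlMaster/ControlPath, -O exit) are standard OpenSSH client options.

```shell
#!/bin/sh
# Added example, not the post's own command. Function names are assumptions.
set -eu

# Accept only a valid TCP port number (1-65535).
valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Build the -L argument. The local end is bound to 127.0.0.1 explicitly so only
# this machine can use the tunnel; a bare "8080:..." also binds to loopback
# unless GatewayPorts is set, but being explicit survives config changes.
# $1 = local port, $2 = port as seen from the server (on its loopback).
forward_spec() {
    valid_port "$1" && valid_port "$2" || return 1
    printf '127.0.0.1:%s:127.0.0.1:%s\n' "$1" "$2"
}

# Control socket path, so the tunnel can be closed later without hunting PIDs.
# $1 = server, $2 = local port.
control_path() {
    printf '%s/.ssh/tunnel-%s-%s.sock\n' "$HOME" "$1" "$2"
}

# Open the tunnel in the background (-f) without a remote command (-N).
# ExitOnForwardFailure=yes makes ssh exit non-zero if the local port is already
# taken, instead of leaving you with a session and no tunnel.
# $1 = server (e.g. mytomcat), $2 = local port, $3 = remote loopback port.
open_tunnel() {
    spec=$(forward_spec "$2" "$3") || { echo "bad port" >&2; return 1; }
    ssh -f -N \
        -o ExitOnForwardFailure=yes \
        -o ControlMaster=yes -o ControlPath="$(control_path "$1" "$2")" \
        -L "$spec" "$1"
}

# Close a tunnel opened with open_tunnel.
close_tunnel() {
    ssh -O exit -o ControlPath="$(control_path "$1" "$2")" "$1"
}

# Usage (commented out; needs a reachable server):
#   open_tunnel mytomcat 8080 8080   # then browse http://127.0.0.1:8080/
#   close_tunnel mytomcat 8080
```

The port on the server side is whatever the service binds to on the server's loopback; the local port can differ (for example 9443 locally for 443 on the server) when 8080 is already in use on the client, which is exactly the case ExitOnForwardFailure reports instead of hiding.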
In some networks you need to log in to a gateway and can then connect to another host in the network.
Client --> Gateway --> Web1
With this setup it is enough to block the access to "Gateway" to block the access to any host behind the gateway. This can be a security advantage.
But there is also a drawback. You cannot connect directly from "Client" to "Web1". Copying files is also a hard task because you need to copy from host to host.
To combine the advantages of both, you can configure a ProxyCommand that will use netcat and automatically use the gateway host in between.
To do this, you need to adapt your ssh config (<home>/.ssh/config):
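A client config for the Client --> Gateway --> Web1 setup above, as an added example that is not taken from the post. The host names gateway.example.com, web1/web2/web3, the user name admin and the functions write_jump_config and proxy_line_for are my assumptions. The first Host block uses the netcat ProxyCommand the post describes; the two following blocks show the equivalent newer forms (ssh -W, available since OpenSSH 5.4, and ProxyJump, since 7.3) that need no netcat binary on the gateway.

```shell
#!/bin/sh
# Added example, not the post's own config. Host names, user and function
# names are assumptions; adjust them to your network.
set -eu

# Write a client config to $1 that routes the web hosts through the gateway.
# Existing content is overwritten on purpose so the function is repeatable.
write_jump_config() {
    cat > "$1" <<'EOF'
# Added example config (constructed host names)
Host gateway
    HostName gateway.example.com
    User admin
    IdentityFile ~/.ssh/id_ed25519

# Classic form from the post: run netcat on the gateway and let the client's
# ssh talk to Web1 through that pipe. %h and %p expand to the target host/port.
Host web1
    HostName web1
    User admin
    ProxyCommand ssh gateway nc %h %p

# Same effect without netcat: -W asks the gateway's sshd to forward the
# connection itself (OpenSSH >= 5.4).
Host web2
    User admin
    ProxyCommand ssh -W %h:%p gateway

# Shortest form (OpenSSH >= 7.3): ProxyJump, the config equivalent of
# "ssh -J gateway web3". Several hops are comma-separated.
Host web3
    User admin
    ProxyJump gateway
EOF
    # ssh rejects a config that is writable by group or others
    # ("Bad owner or permissions"), so fix the mode right away.
    chmod 600 "$1"
}

# Print the ProxyCommand/ProxyJump line of the Host block for $2 in config $1,
# with leading whitespace stripped; prints nothing if the block has none.
proxy_line_for() {
    awk -v host="$2" '
        /^Host / { cur = $2 }
        cur == host && ($1 == "ProxyCommand" || $1 == "ProxyJump") {
            sub(/^[ \t]+/, ""); print; exit
        }' "$1"
}

# Usage:
#   write_jump_config "$HOME/.ssh/config"
#   ssh web1                    # lands on Web1, hopping over the gateway
#   scp report.txt web1:        # file copy also goes straight to Web1
#   proxy_line_for "$HOME/.ssh/config" web1
```

With either form, the second ssh session is end-to-end encrypted from Client to Web1; the gateway only relays bytes and never sees the inner session in clear, which is the point of using a ProxyCommand rather than logging in on the gateway and running ssh from there. The key-based login from the first section applies to both hops, so putting the client's public key on the gateway and on Web1 gives a password-free "ssh web1".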