When you want to maintain a Linux / Unix server from remote, SSH gives you all options you need. A sime "ssh servername" allows you to conntect to the command line and work the same way as locally. But when you work with SSH every day, there are some things that make the daily business easier. In this blog post i want to collect some experiences that make the work with ssh easier.
When you need to login or copy files with SSH frequently typing passwords can be quite time consuming and annoying. For this reason, SSH provides the feature to generate key files to login, instead of passwords.
An SSH Key consists of two parts. The first part is the "private key". This private key is used to "unlock" a session and should never be given to anybody else it is compareable with a real key. The public key is comparable withe lock, you can copy it and it is used on the target server to allow the login for the owner of the corresponding private key.
The first step to Login with an SSH Key is, to generate the key files:
ssh-keygen -b 4096
During the generation process you will be asked in which file the key will be generated. The default value is "~/.ssh/id_rsa".
Important: id_rsa is the private key, do not share this file! id_rsa.pub is the public file. This file can be shared. If you want to allow the login for the owner of the private key, you can add the public key to ~/.ssh/authorized_keys on the target system.
scp ~/.ssh/id_rsa.pub email@example.com ssh firstname.lastname@example.org mkdir ~/.ssh cat ~/id_rsa.pub >> ~/.ssh/authorized_keys chmod 600 ~/.ssh/authorized_keys rm ~/id_rsa.pub
In the end you can check if the public key was added to " ~/.ssh/authorized_keys":
After this you can logout and check if you can login without a password:
When you login with ssh, you can use the option -i to pass an ssh key as identity file. By default id_rsa will be used.
Theire are situations where you want to reach a port on a remote system, that is not available from outside, because it is blocked by the firewall.
In this case you can create an SSH-Tunnel. The SSH Tunnel forwards the port from the remote machine to a port on the local machine.
ssh -NL <local_ip>:<local_port>:<remote_ip>:<remote_port> user@remote_ipLokaler SSH Tunnel
ssh -NL 127.0.0.1:8080:127.0.0.1:8080 user@mytomcat
This command creates an SSH Tunnel to the server "mytomcat". The port 8080, that is listening to the loopback interface (127.0.0.1) will be tunneld to the local port 8080.
In some networks you need to login to a gateway and can then connect to another host in the network.
Client ——> Gateway —— > Web1
With this setup it is enough to block the access to "Gateway" to block the access on any host behinde the gateway. This can be an securtiy advantage.
But there is also a drawback. You can not connect from "Client" to "Web1". Copying files is also a hard task because you need to copy from host to host.
To combine the advantages of both, you can can configure a ProxyCommand that will use netcat and automatically use the gateway host in between.
To do this, you need to adopt your ssh config (<home>/.ssh/config):
ForwardX11 yes ForwardX11trusted yes ForwardAgent yes Compression yes EscapeChar none StrictHostKeyChecking no User <myusername> Host gateway_de HostName gateway.mycompany.de Host !gateway_de *.mycompany.de ProxyCommand ssh gateway_de -A netcat -w 120 %h %p