Working efficiently with SSH

Using SSH efficiently

When you want to maintain a Linux / Unix server remotely, SSH gives you all the options you need. A simple "ssh servername" allows you to connect to the command line and work the same way as locally. But when you work with SSH every day, there are some things that make the daily business easier. In this blog post I want to collect some experiences that make working with SSH easier.

SSH Login without Password - Authentication with SSH Keys

When you need to log in or copy files with SSH frequently, typing passwords can be quite time consuming and annoying. For this reason, SSH provides the option to generate key files and log in with them instead of passwords.

An SSH key consists of two parts. The first part is the "private key". This private key is used to "unlock" a session and should never be given to anybody else; it is comparable to a real key. The public key is comparable to the lock: you can copy it, and it is placed on the target server to allow the login for the owner of the corresponding private key.

The first step to log in with an SSH key is to generate the key files:

ssh-keygen -b 4096

During the generation process you will be asked in which file the key will be generated. The default value is "~/.ssh/id_rsa".

Important: id_rsa is the private key, do not share this file! id_rsa.pub is the public key. This file can be shared. If you want to allow the login for the owner of the private key, add the public key to ~/.ssh/authorized_keys on the target system.

# the trailing colon copies the file into the home directory on the server
scp ~/.ssh/id_rsa.pub username@myserver.de:
ssh username@myserver.de
# ~/.ssh may not exist yet; sshd expects it to be readable by the owner only
mkdir -p ~/.ssh
chmod 700 ~/.ssh
cat ~/id_rsa.pub >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
rm ~/id_rsa.pub

Finally, you can check whether the public key was added to "~/.ssh/authorized_keys":

cat  ~/.ssh/authorized_keys

After this you can log out and check whether you can log in without a password:

ssh username@myserver.de
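As an added example that is not part of the original post: the server-side steps above (create ~/.ssh, append the key, fix the permissions) wrapped in a shell function that can be re-run safely. It takes the public key as one line, refuses anything that is not a public key line, and does not add a key that is already present. The function and variable names are my own.

```shell
#!/bin/sh
# Added example: idempotent installation of one public key into authorized_keys.
#   install_pubkey "<one public key line>" [ssh_dir]    (ssh_dir defaults to ~/.ssh)

# A public key line looks like "keytype base64 [comment]".
KEY_LINE_RE='^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( |$)'

install_pubkey() {
    key_line=$1
    ssh_dir=${2:-"$HOME/.ssh"}
    auth_file="$ssh_dir/authorized_keys"

    # Accept only a single public key line, so a private key or a whole file of
    # unrelated text cannot end up in authorized_keys by accident.
    if ! printf '%s\n' "$key_line" | grep -Eq "$KEY_LINE_RE"; then
        echo "install_pubkey: not a public key line: $key_line" >&2
        return 1
    fi

    # With the default StrictModes, sshd ignores authorized_keys when the file
    # or ~/.ssh is writable by anyone but the owner, so (re)apply the modes.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    touch "$auth_file" && chmod 600 "$auth_file"

    if [ "$(count_key "$key_line" "$auth_file")" -gt 0 ]; then
        echo "install_pubkey: key already present in $auth_file"
        return 0
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
    echo "install_pubkey: key added to $auth_file"
}

# Number of entries in <auth_file> with the same key type and key material as
# <key_line>. The trailing comment is ignored on purpose: the same key is often
# copied around with different comments.
count_key() {
    wanted=$(printf '%s\n' "$1" | awk '{print $1 " " $2}')
    awk '{print $1 " " $2}' "$2" | grep -cxF "$wanted" || true
}

# On the server, after "scp ~/.ssh/id_rsa.pub username@myserver.de:":
#   install_pubkey "$(cat ~/id_rsa.pub)" && rm ~/id_rsa.pub
# Or in one round trip with bash on both ends, without the scp step:
#   ssh username@myserver.de "$(declare -f install_pubkey count_key); \
#       install_pubkey '$(cat ~/.ssh/id_rsa.pub)'"
```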

When you log in with ssh, you can use the option -i to pass an SSH key as identity file. By default id_rsa is used.

Using SSH Tunnels to reach blocked ports - Using local SSH tunnels

There are situations where you want to reach a port on a remote system that is not reachable from outside because it is blocked by the firewall.

In this case you can create an SSH-Tunnel. The SSH Tunnel forwards the port from the remote machine to a port on the local machine.

ssh -NL <local_ip>:<local_port>:<remote_ip>:<remote_port> user@remote_ip
Local SSH tunnel

Example:


ssh -NL 127.0.0.1:8080:127.0.0.1:8080 user@mytomcat

This command creates an SSH tunnel to the server "mytomcat". Port 8080, which listens only on the loopback interface (127.0.0.1) of that server, is tunnelled to the local port 8080.

Using Nodes as SSH Gateway - SSH Jump hosts

In some networks you need to login to a gateway and can then connect to another host in the network.

Client --> Gateway --> Web1

With this setup it is enough to block access to "Gateway" in order to block access to every host behind the gateway. This can be a security advantage.

But there is also a drawback. You cannot connect directly from "Client" to "Web1". Copying files is also tedious because you need to copy from host to host.

To combine the advantages of both, you can configure a ProxyCommand that uses netcat and automatically routes the connection through the gateway host.

To do this, you need to adapt your SSH client config (<home>/.ssh/config):

# Options before the first "Host" block apply to every connection.
ForwardX11 yes
ForwardX11Trusted yes
ForwardAgent yes
Compression yes
EscapeChar none
# Unknown host keys are added automatically and changed host keys do not abort the connection.
StrictHostKeyChecking no
User <myusername>

Host gateway_de
    HostName gateway.mycompany.de

# Every *.mycompany.de host except the gateway itself is reached through the gateway.
Host !gateway_de *.mycompany.de
    # -A forwards the agent to the gateway for this hop; netcat must be installed on the gateway.
    # "ssh -W %h:%p gateway_de" is the built-in equivalent that needs no netcat.
    ProxyCommand ssh gateway_de -A netcat -w 120 %h %p