SSH
From Taclug
See the SSHErrors page for resolving SSH related errors, and SSHKeys for information about setting up SSH key logins.
| Table of contents |
Config file aliases
To ease your life, you can put all settings for a particular host in your .ssh/config. Say you would normally use the CommandLine
ssh me@some.long.winded.fqdn.name.here.com
to connect to somewhere. That's a lot to type. If you spell this out in configuration directives (see ssh_config(5)) it looks like this:
Host foo Protocol 2 User me HostName some.long.winded.fqdn.name.here.com
From then on it's enough to simply say
ssh foo
Much better! You can also use wildcards for the hostname. A Host * section defines directives that should be in effect for all SSH connections.
NOTE: If the server does not have DNS pointing at it, you can replace the some.long.winded.fqdn.name.here.com with the IP address of the server. This is especially handy when you have a server or workstation that you are trying to keep a low profile on.
Port Forwarding
SSH can forward ports across its encrypted tunnel. Using the following command,
ssh -L 5000:very.remote:80 user@host.remote
will have SSH listening on port 5000 on localhost. By connecting to this port you get a connection tunneled to host.remote, which will then establish a connection to port 80 on very.remote. This is very helpful if very.remote lives behind a FireWall that blocks direct traffic, but will let you SSH to host.remote. By the same token, doing
ssh -L 5000:localhost:80 user@host.remote
you can tunnel a connection from port 5000 on your own host to port 80 on host.remote, which for the purposes of the webserver on the other end will appear to come from that localhost.
If you don't need the shell, and just want the tunnel, you can add options -f (go to background before command execution) and -N (don't execute remote command).
ssh -f -N -L 5000:localhost:80 user@host.remote
SSH will then effectively run as a daemon.
If you add -g, your local end of the SSH tunnel will accept connections from anyone, not just localhost. Say there are two machines called host1.lan and host2.lan on a LAN. By doing
host1$ ssh -f -g -N -L 5000:localhost:80 user@host.remote host2$ lynx host1:5000
you have opened a connection from host2.lan to the webserver on host.remote without, in fact, connecting from host2.lan to host.remote.
Imagine the fun you can have with multiple SSH forwards!
If you've set up your .ssh/config as in the tip above, you can spare yourself typing the same parameters to set up tunnels in the same manner. -L 5000:localhost:110 translates to LocalForward 5000 localhost:110. If you'd like to have -g taken care of as well, add GatewayPorts. -f and -N don't have corresponding options, but those wouldn't be very useful anyway.
X Connection Forwarding
If you use the -X option to ssh, you will enable X-connection forwarding. This is essentially a reverse port forward with a few added effects: for instance it will set your DISPLAY variable on the remote end to something like localhost:15. Most of the time you won't need to mess with xhost(1) or xauth(1) either.
Be aware that you will need the X libraries and utilites even if you're forwarding clients from a headless server. To fix yourself up on Debian machines, just
apt-get install xbase-clients
For those of us not running debian, you need to install whatever packages you have that give you the xhost binary. In FreeBSD, it is named xorg-clients.
If you've set up your .ssh/config as discussed above, you can spare yourself typing -X every time using the directive ForwardX11.
The SSH daemon on the remote machine must be configured to allow X11 forwarding -- the Debian Woody default configuration for example disables it. If it is disabled, you have to edit /etc/ssh/sshd_config and then restart sshd.
If you are running OpenSSH 3.8 or newer, some X applications may give you one of these errors:
* BadWindow (invalid Window parameter) * BadAccess (attempt to access private resource denied) * X Error of failed request: BadAtom (invalid Atom parameter) * Major opcode of failed request: 20 (X_GetProperty)
You will also find by invoking xdpyinfo from the remote machine that they can only use a fraction of the extensions your X server offers. This is because the new default is to use untrusted X11 cookies for forwarding connections. You need to invoke ssh(1) with the -Y option for X11 forwarding, or add ForwardX11Trusted yes to your configuration. Since one of the affected extensions is XRENDER, which greatly reduces the bandwidth required to draw AntiAliasedFonts and accelerates their rendering, it is unclear why anyone would ever use untrusted cookies.
STDIN Forwarding
SSH forwards its standard input to be the standard input of a command executed on the remote machine. You can use this to do some pretty cool things like stream tar archives across a network to eliminate any overhead with copying many small files:
tar c sourcedir | ssh user@host tar xf -
There are many other neat tricks that can be perfomed using this technique as well. The feature was inherited from rsh. If you are having problems with corruption when piping data via SSH, you may find a solution on the SSHErrors page.
In a rudimentary test involving about 200MB of variously sized files, the tar stream finished in about 4:00 minutes, where scp -R took about 5:40 minutes. (That is even though it doesn't seem to establish a new connection for each file as ftp does, nor have much overhead at all. So tar could just be better at doing this than scp.)
Executing the same command on multiple machines
Check out the distributed shell dsh. It lets you SSH to all your drones and execute the same series of commands, watching the output as you go.
SSHing to not directly reachable hosts
Suppose you have a shell account on safe, a machine on a NATted LAN without a public IP address assigned to it. Let's also suppose you can SSH to the publicly visible gateway router of that LAN, door, and that on this machine a copy of nc (aka netcat) is installed. With the aid of a config file alias for the NATted host and a config directive called ProxyCommand, you can easily set yourself up such that SSHing to safe is no different from SSHing to any publicly visible box:
# this section isn't necessary of course Host door Protocol 2 User me HostName homelan.at.dsl.my.isp.com # but this one is Host safe Protocol 2 User me HostName 192.168.0.42 ProxyCommand ssh door nc -q 0 safe 22
If you have the sshd running on a different port than 22 (the standard SSH port) on safe, you need to change the argument to nc accordingly, of course. Note the "-q 0" argument to netcat - without this, you will likely end up with stale netcat processes on the intermediary machine. Now, you can just
$ ssh safe
and SSH will transparently invoke another copy of itself that connects to door and uses the netcat installed there to establish a connection from door to safe. netcat's STDIN/STDOUT is tunnelled back to your via your slave SSH connection to door, across which the primary SSH process can then communicate with the sshd(8) on safe.
Note that since the master SSH process is only communicating with the proxy process, it has no way of knowing the IP address of the remote host it is talking to. Since its address is needed to verify its host key's authenticity, it is advisable to use a HostName directive for the proxied host to specify its address. Since the address is not otherwise used, you can leave it out or even enter something fake - you'll just get a complaint from SSH.
Finally, remember that ssh foo nc bar 1234 is just one example of what the proxy command could be. The only requirement is that it forward the traffic, whether that be a TCP connection or even anything else, to and from SSH over STDIN/STDOUT. You might even use something like
ProxyCommand pppd nodetach call foo
and have the remote getty launch sshd -i on the incoming line, thus logging into a machine that's not even connected to the InterNet.
The possibilities are endless. In the standard case of using a slave SSH connection to some gateway, nothing stops you from using a ProxyCommand in the alias configured for the gateway - so you can build an entire cascade of SSH tunneled connection from one gateway to the next. Of course eventually the onion of tunnels wrapped around the connection will push the latency up and the throughput down to unworkable levels.
