ssh

SSH

Friday, September 2, 11

An Overview


SSH was created in 1995 by Finland University Researcher

Was initially open source, went closed source in 1999

OpenSSH was created in 1999 as a fork of the last open source SSH code


SSH handles the set up and generation of an encrypted TCP connection

What SSH Does


SSH can handle secure remote logins (ssh)

SSH can handle secure file copy (scp)

SSH can even drive secure FTP (sftp)

...which means....


ssh is the client

sshd is the server

if sshd is not running you will not be able to connect to it with ssh

Core SSH programs


Password

Public/private keypair

Host-based authentication

SSH Authentication Methods


Password Authentication


Example Without SSH Keys

your-box box-1

ssh sshd


Prompts for Password

your-box box-1

ssh sshd

your-box> ssh box-1password:

box-1>


Keypair Authentication


Example With SSH Keys

your-box box-1

ssh sshd


Step 1: Generate Keys

your-box> ssh-keygen


Public / Private Keypair

your-box

~/.ssh/id_rsa~/.ssh/id_rsa.pub


Private Key: id_rsa

your-box


Private keys should be kept secret,do not share them with anyone


Public Key: id_rsa.pub

your-box


Public keys are meant to be shared.


Copy Public Key to box-1

your-box box-1

~/.ssh/id_rsa~/.ssh/id_rsa.pub ~/.ssh/authorized_keys


~/.ssh/authorized_keys

houses all public keys for people who can authenticate as a user on a machine

when copying public keys, append to the file, do not overwrite the file


No password required!

your-box box-1

ssh sshd

your-box> ssh box-1

box-1>


Host-based Authentication


Host-based Authentication

Doesn’t require user credentials (password or key)

Provides trust based on hostname and userid

Userid on both system has to be the same

Disabled by default -- not that useful


SSH Basics


Configuration Files


sshd config: /etc/sshd_config

Server Configuration Files

Based on installation method system config locations may vary. ie: macports installs in /opt/local/etc/ssh/

This is automatically by sshd when started.


system-side ssh config: /etc/ssh_config

user-specific ssh config: ~/.ssh/config

Client Configuration Files

Based on installation method system config locations may vary. ie: macports installs in /opt/local/etc/ssh/

These are automatically by ssh when executed.


You can put custom config files anywhere you want.

ssh -F /foo/bar/custom_ssh.cfg

Custom Client Configuration Filesssh will not read these on its own, use -F option


Secure Logins


ssh [email protected]

Login Example #1


ssh example.com

Login Example #2

What’s the difference between example #1 ?


ssh -p 45000 example.com

Login Example #3

What’s the default SSH port anyway?

Logging in on a non-default port.


ssh example.com <command here>

ssh example.com ls -l

ssh example.com hostname

Login Example #4

Anything with special characters such as quotes, backticks, etc. need to be escaped.

Log in, run a command, and exit.


Agent / Key Forwarding

Without them, With Them


Example Without SSH Keys

your-box

box-1

box-2


your-box> ssh box-1

your-box

box-1

box-2


Password required


your-box> ssh box-2

your-box

box-1

box-2


Password required


your-box to box-1 to box-2

your-box

box-1

box-2


box-1> ssh box-2password:

Passwords required each step of the way!


Updated Example with SSH Keys

your-box

box-1

box-2id_rsa.pubid_rsa

authorized_keys

authorized_keys

your-box> ssh-keygen

copy public key to ~/.ssh/authorized_keys on each remote host


your-box> ssh box-1

your-box

box-1

box-2

your-box> ssh box-1box-1> success


your-box> ssh box-2

your-box

box-1

box-2

your-box> ssh box-2box-2> success


your-box

box-1


authorized_keys

authorized_keys

your-box> ssh box-1box-1>success

box-1> ssh box-2password:

Password required at the second step!



Enter Agent/Key Forwarding


your-box

box-1


authorized_keys

authorized_keys

your-box> ssh -A box-1box-1>success

box-1> ssh -A box-2box-2>success



your-box

box-1

box-2

Your SSH Key Gets Forwarded

id_rsa.pubid_rsa


Command Line Agent Forwarding

ssh -A example.com

Use -a to explicitly turn off forwarding for a ssh session.


Host Configured

Host inspire.stagingForwardAgent yes

Per-User ~/.ssh/config System-wide /etc/ssh_config


Capistrano Configured (Ruby)

ssh_options[:forward_agent] = true

Capistrano’s deploy.rbProvided by net/ssh library.


SSH Server has final say!

AllowAgentForwarding no

System-wide /etc/sshd_configDefaults to “yes” -- so pretty much ignore.


When/Why #1 - Everyday Usage

When SSH’ing from box to box to box. (ie: multiple servers)

Greatly reduces the need to copy over public/private key files

It (usually) just works!


When/Why #2 - Deploys

No need to manage additional SSH key pairs for machines that you want to deploy to

If you have access to it and you do the deploying, the remote machine will just SSH in as you!

It (usually) just works!


...remember...

You still need to copy public key file contents to ~/.ssh/authorized_keys

Agent forwarding doesn’t work for automated workflows where a user is taken out of the equation, ie: our automated deploy from TeamCity for Inspire


Port Forwarding

Local, Remote, Magic


Local Port Forwarding


your-box box-1 box-2

Local Port Forwarding Example

Private Network

wwwsshd



your-box to www on box-2

Private Network

public IPlocal IP

local IP

wwwsshd



Can’t access box-2 directly

Private Network

public IPlocal IP

local IPX wwwsshd



With Local Port Forwarding

public IPlocal IP

local IP

your-box> ssh -L 8000:box-2:80 box-1box-1>success

wwwsshd



A Tunnel is Made!

public IPlocal IP

local IP

wwwsshd

your-box> ssh -L 8000:box-2:80 box-1box-1>success



box-2 doesn’t have to run sshd

public IPlocal IP

local IP

wwwsshd


Command Line Local Port Forwarding

ssh -L localport:host:hostport example.com

localport is the port on your machine,host is the remote box to tunnel to,

hostport is the port on the remote box to tunnel to



Sharing Your Tunnel

public IPlocal IP

local IP

wwwsshd

your-box> ssh -L 8000:box-2:80 -g box-1box-1>success

bobs-box


Command Line Local Port Forwarding

ssh -L localport:host:hostport -g example.com

-g allows others to connect to your forwarded port


Host Configured

Host inspire.stagingLocalForward 8000:box-2:80




AllowTcpForwarding no



When/Why

Access normally unreachable resources on an internal network from anywhere on the internet


Remote Port Forwarding



Remote Port Forwarding Example

Private Network

sshd



box-2 to your-box

Private Network

sshd

public IPlocal IP

local IP



box-2 can’t talk to your-box

Private Network

sshd

public IPlocal IP

local IP

X


With Remote Port Forwarding

your-box box-1 box-2sshd

public IPlocal IP

local IP

your-box> ssh -R 8000:localhost:80 box-1box-1>

success


A Reverse Tunnel Is Made!

your-box box-1 box-2sshd

public IPlocal IP

local IP

800080http://box-1:8000

your-box> ssh -R 8000:localhost:80 box-1box-1>

success


Command Line Remote Port Forwarding

ssh -R remoteport:host:hostport example.com

remoteport is the port on the machine you ssh into,host is the local box to tunnel to,

hostport is the port on the local box to tunnel to


-g is not supported for remote forwarding


Host Configured

Host inspire.stagingRemoteForward 8000:localhost:80




AllowTcpForwarding no



When/Why

Allow outside resources to connect to your box, or another machine on a private network

Example: testing web callbacks


~/.ssh/config

User-specified SSH configuration


Host Configuration

your-box> ssh example.com

Host inspireHostName staging.inspirehq.comUser inspire

Host inspire.productionHostName inspirehq.comUser inspire

Host is the section identifier

Any time Host shows up a new section is started

Host is whatever you want to refer to the connection as

~/.ssh/config


HostName Configuration


HostName is the real host name to log into

Can be IP address or domain name


Host inspire.productionHostName inspirehq.comUser inspire ~/.ssh/config


User Configuration


User is the user to log in as

Can be overridden on the command line


Host inspire.productionHostName inspirehq.comUser foobar ~/.ssh/config


Port Configuration


Port defines what port for SSH connect on

Can be overridden on the command line

Host inspireHostName staging.inspirehq.comUser inspirePort 45000

~/.ssh/config


Local/Remote Port Forwarding


LocalForward

RemoteForward

Host inspireHostName staging.inspirehq.comUser inspireLocalForward 8080:example.com:80RemoteForward 8080:example.com:80

~/.ssh/config


GatewayPorts


GatewayPorts specifies whether or not remote hosts can connect to local forwarded ports

Works in conjunction with LocalPortForward

Defaults to no

Host inspireHostName staging.inspirehq.comUser inspireLocalForward 8080:example.com:80GatewayPorts yes

~/.ssh/config


ServerAliveInterval


ServerAliveInterval sets a time interval in seconds after which if no data has been received from the server ssh will send a message to the server

Defaults to 0, meaning this will never be sent

This can be used to keep SSH connections alive

Host inspireHostName staging.inspirehq.comUser inspireLocalForward 8080:example.com:80GatewayPorts yesServerAliveInterval 5

~/.ssh/config


> ssh inspire


man ssh_config


Overuse ~/.ssh/config

SSHing into an IP more than once?

SSHing into crazy domains? (ie: Amazon)

Looking up IP or hostname routinely?

save it in ~/.ssh/config


...skipping server configuration...


SSH and Other apps


scp: secure file copy


copy single file

scp file1 example.com:


copy multiple files

scp file1 file2 example.com:


copy to other locations

scp file1example.com:foo/bar

scp file1example.com:/foo/bar


scp doesn’t copy directories

scp dir/ example.com:foo/bar

dir/: not a regular file


rsync: remote file copying


copy single file

rsync -avz file1 example.com:


copy directory

rsync -avz dir/ example.com:


incremental file transfers (only transfers what’s different)

include/exclude files and directories

include/exclude file name patterns

can copy files from a remote box to a local box

can copy files from a local box to a remote box

rsync does so much more


git


Can run over SSH

Supports SSH client configuration files

Can set to specific SSH binary using GIT_SSH environment variable

git/ssh info


The End


ssh

Technology

box ssh box

passwordyourbox box

box id

success box

forwarded box

keysyourbox sshkeygenfriday

ssh example

box sshkeygencopy public