ssh
DESCRIPTION
Slides from a presentation I gave on SSH. Covers basics of ssh, password|keys|host-based authentication, agent/key forwarding, configuration files (global and user-specific), local/remote port forwarding, scp, rsync, and briefly mentions git's support.
TRANSCRIPT
SSH
Friday, September 2, 11
An Overview
SSH was created in 1995 by a researcher at a Finnish university
Was initially open source, went closed source in 1999
OpenSSH was created in 1999 as a fork of the last open-source SSH code
SSH sets up an encrypted channel over a TCP connection and handles the key exchange needed to do so
What SSH Does
SSH can handle secure remote logins (ssh)
SSH can handle secure file copy (scp)
SSH can even drive secure FTP (sftp)
...which means....
ssh is the client
sshd is the server
if sshd is not running you will not be able to connect to it with ssh
Core SSH programs
Password
Public/private keypair
Host-based authentication
SSH Authentication Methods
Password Authentication
Example Without SSH Keys
your-box (ssh)  ->  box-1 (sshd)
Prompts for Password
your-box (ssh)  ->  box-1 (sshd)
your-box> ssh box-1
password:
box-1>
Keypair Authentication
Example With SSH Keys
your-box (ssh)  ->  box-1 (sshd)
Step 1: Generate Keys
your-box> ssh-keygen
Public / Private Keypair
your-box: ~/.ssh/id_rsa  ~/.ssh/id_rsa.pub
Private Key: id_rsa
your-box: ~/.ssh/id_rsa  ~/.ssh/id_rsa.pub
Private keys should be kept secret; do not share them with anyone
Public Key: id_rsa.pub
your-box: ~/.ssh/id_rsa  ~/.ssh/id_rsa.pub
Public keys are meant to be shared.
Copy Public Key to box-1
your-box: ~/.ssh/id_rsa  ~/.ssh/id_rsa.pub  ->  box-1: ~/.ssh/authorized_keys
~/.ssh/authorized_keys
houses all public keys for people who can authenticate as a user on a machine
when copying public keys, append to the file, do not overwrite the file
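The "append, do not overwrite" rule from the slide above, as an added shell example (not code from the presentation). It appends a public key to an authorized_keys file only if that key is not already there, and sets the permissions sshd's StrictModes (on by default) insists on: ~/.ssh must be 700 and authorized_keys 600, or sshd silently ignores the file. The paths and the key material in the usage are constructed placeholders; on systems that ship it, ssh-copy-id does the same job over the network.

```shell
# Added example: append a public key to authorized_keys without clobbering
# the keys already there, skipping duplicates and fixing permissions.
# Usage: add_authorized_key <path-to-id_rsa.pub> <path-to-authorized_keys>
add_authorized_key() {
    pubkey_file=$1
    auth_file=$2
    auth_dir=$(dirname "$auth_file")

    # A key line is "<type> <base64> [comment]". Compare on the first two
    # fields so the same key with a different comment still counts as a
    # duplicate.
    key_id=$(awk '{print $1, $2}' "$pubkey_file")
    if [ -z "$key_id" ]; then
        echo "error: $pubkey_file does not contain a public key" >&2
        return 1
    fi

    # sshd (StrictModes yes, the default) refuses keys from a directory or
    # file that other users can write to.
    mkdir -p "$auth_dir"
    chmod 700 "$auth_dir"
    touch "$auth_file"
    chmod 600 "$auth_file"

    if awk -v want="$key_id" '{ if (($1 " " $2) == want) found = 1 } END { exit !found }' "$auth_file"; then
        echo "already present: $key_id" >&2
        return 0
    fi

    # >> appends. A single > here would wipe every other user's key, which
    # is exactly the mistake the slide warns about.
    cat "$pubkey_file" >> "$auth_file"
    echo "added: $key_id" >&2
}

# count_keys <authorized_keys>: number of key lines (blank and # lines ignored)
count_keys() {
    grep -c -v -e '^#' -e '^$' "$1"
}

# Constructed demo (fake key strings, not real key material):
#   add_authorized_key alice.pub "$HOME/.ssh/authorized_keys"
#   add_authorized_key bob.pub   "$HOME/.ssh/authorized_keys"
#   count_keys "$HOME/.ssh/authorized_keys"
```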
No password required!
your-box (ssh)  ->  box-1 (sshd)
your-box> ssh box-1
box-1>
Host-based Authentication
Host-based Authentication
Doesn’t require user credentials (password or key)
Provides trust based on hostname and userid
Userid on both systems has to be the same
Disabled by default -- not that useful
SSH Basics
Configuration Files
sshd config: /etc/sshd_config
Server Configuration Files
Depending on the installation method, system config locations may vary, e.g. MacPorts installs in /opt/local/etc/ssh/
This file is read automatically by sshd when it starts.
system-side ssh config: /etc/ssh_config
user-specific ssh config: ~/.ssh/config
Client Configuration Files
Depending on the installation method, system config locations may vary, e.g. MacPorts installs in /opt/local/etc/ssh/
These files are read automatically by ssh when it runs.
You can put custom config files anywhere you want.
ssh -F /foo/bar/custom_ssh.cfg
Custom Client Configuration Files
ssh will not read these on its own; use the -F option
Secure Logins
ssh example.com
Login Example #2
What’s the difference from example #1?
ssh -p 45000 example.com
Login Example #3
What’s the default SSH port anyway?
Logging in on a non-default port.
ssh example.com <command here>
ssh example.com ls -l
ssh example.com hostname
Login Example #4
Anything with special characters such as quotes, backticks, etc. needs to be escaped.
Log in, run a command, and exit.
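Why the escaping rule on the slide above matters, as an added example (not from the presentation): ssh joins everything after the host name with spaces into one string and hands it to the remote user's login shell, which parses it a second time. So a file name containing a space, a semicolon or a backtick is not an argument to the remote command but part of a remote shell script. The `run_as_remote` helper below stands in for the remote login shell with `sh -c` so the behaviour can be seen without a server; `shell_quote` is the fix, wrapping each argument in single quotes so the remote shell sees exactly what you passed. The file name is constructed.

```shell
# Added example: quoting arguments for "ssh host command".
# shell_quote <arg>: wrap one argument in single quotes, turning every
# embedded ' into '\'' so the remote shell takes the argument literally.
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# quote_command <cmd> [args...]: quote every word and join with spaces.
# The result is what you pass to ssh:  ssh example.com "$(quote_command ls -l "$f")"
quote_command() {
    out=""
    for arg in "$@"; do
        out="$out${out:+ }$(shell_quote "$arg")"
    done
    printf '%s\n' "$out"
}

# run_as_remote: mimics the remote side. ssh sends the words joined by
# spaces and the remote login shell re-parses that string, which is what
# "sh -c" does here. Used in place of a real ssh session.
run_as_remote() {
    sh -c "$*"
}

# Constructed file name: unquoted it becomes two remote commands.
# run_as_remote echo "my file; echo injected"                   -> two lines
# run_as_remote "$(quote_command echo "my file; echo injected")" -> one line
```

The same rule applies to `$HOME`, backticks and `$(...)`: unquoted, they expand on the remote box; inside `shell_quote`'s single quotes they are passed through untouched.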
Agent / Key Forwarding
Without them, With Them
Example Without SSH Keys
your-box  box-1  box-2
your-box> ssh box-1
your-box  box-1  box-2
your-box> ssh box-1
password:
Password required
your-box> ssh box-2
your-box  box-1  box-2
your-box> ssh box-2
password:
Password required
your-box to box-1 to box-2
your-box  box-1  box-2
your-box> ssh box-1
password:
box-1> ssh box-2
password:
Passwords required each step of the way!
Updated Example with SSH Keys
your-box (id_rsa, id_rsa.pub)  box-1 (authorized_keys)  box-2 (authorized_keys)
your-box> ssh-keygen
copy public key to ~/.ssh/authorized_keys on each remote host
your-box> ssh box-1
your-box  box-1  box-2
your-box> ssh box-1
box-1> success
your-box> ssh box-2
your-box  box-1  box-2
your-box> ssh box-2
box-2> success
your-box to box-1 to box-2
your-box (id_rsa, id_rsa.pub)  box-1 (authorized_keys)  box-2 (authorized_keys)
your-box> ssh box-1
box-1> success
box-1> ssh box-2
password:
Password required at the second step!
Enter Agent/Key Forwarding
your-box to box-1 to box-2
your-box (id_rsa, id_rsa.pub)  box-1 (authorized_keys)  box-2 (authorized_keys)
your-box> ssh -A box-1
box-1> success
box-1> ssh -A box-2
box-2> success
Your SSH Key Gets Forwarded
your-box (id_rsa, id_rsa.pub)  ->  box-1  ->  box-2
Command Line Agent Forwarding
ssh -A example.com
Use -a to explicitly turn off forwarding for an ssh session.
Host Configured
Host inspire.staging
    ForwardAgent yes
Per-User ~/.ssh/config   System-wide /etc/ssh_config
Capistrano Configured (Ruby)
ssh_options[:forward_agent] = true
Capistrano’s deploy.rb
Provided by the net/ssh library.
SSH Server has final say!
AllowAgentForwarding no
System-wide /etc/sshd_config
Defaults to “yes” -- so pretty much ignore.
When/Why #1 - Everyday Usage
When SSH’ing from box to box to box (i.e. across multiple servers)
Greatly reduces the need to copy over public/private key files
It (usually) just works!
When/Why #2 - Deploys
No need to manage additional SSH key pairs for machines that you want to deploy to
If you have access to it and you do the deploying, the remote machine will just SSH in as you!
It (usually) just works!
...remember...
You still need to copy public key file contents to ~/.ssh/authorized_keys
Agent forwarding doesn’t work for automated workflows where a user is taken out of the equation, e.g. our automated deploy from TeamCity for Inspire
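One caveat to the box-to-box-to-box usage above, with an added configuration example that is not from the presentation. Agent forwarding does not move your private key to box-1 (it stays on your-box); what box-1 gets is a socket through which it can ask your agent to sign. That is enough for anyone with root on box-1 to authenticate as you for as long as your session is open, so forward the agent only to hosts whose administrators you trust, and never under a catch-all `Host *`. For the pure hop-through case (your-box to box-1 to box-2), OpenSSH 7.3 and newer offer ProxyJump, which tunnels the second connection through box-1 so box-2 authenticates directly against your local agent and box-1 never sees the agent socket. The host names below are the slides' own; the file is an assumed ~/.ssh/config.

```sshconfig
# Assumed ~/.ssh/config (added example, not from the slides).

# Reach box-2 through box-1 without exposing the agent to box-1.
# Needs OpenSSH 7.3+ on your-box; equivalent one-liner: ssh -J box-1 box-2
Host box-2
    HostName box-2
    ProxyJump box-1

# Forward the agent only where a process on the far side really has to
# authenticate as you (deploys that pull from git over SSH, for example),
# and only for that host.
Host inspire.staging
    ForwardAgent yes

# Everything else: no agent socket on the remote side.
Host *
    ForwardAgent no
```

On the box you are connected to, `ls -l "$SSH_AUTH_SOCK"` shows whether a forwarded agent socket exists; its absence after a ProxyJump login is the expected result.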
Port Forwarding
Local, Remote, Magic
Local Port Forwarding
Local Port Forwarding Example
your-box  ->  box-1 (sshd)  ->  box-2 (www); box-1 and box-2 are on the private network
your-box to www on box-2
your-box  ->  box-1 (public IP + local IP, sshd)  ->  box-2 (local IP, www) on the private network
Can’t access box-2 directly
your-box  -X->  box-2 (local IP, www): no route from outside the private network; only box-1 (public IP + local IP, sshd) is reachable
With Local Port Forwarding
your-box  ->  box-1 (public IP + local IP, sshd)  ->  box-2 (local IP, www)
your-box> ssh -L 8000:box-2:80 box-1
box-1> success
A Tunnel is Made!
your-box:8000  ->  box-1 (public IP + local IP, sshd)  ->  box-2:80 (local IP, www)
your-box> ssh -L 8000:box-2:80 box-1
box-1> success
box-2 doesn’t have to run sshd
your-box  ->  box-1 (public IP + local IP, sshd)  ->  box-2 (local IP, www only)
Command Line Local Port Forwarding
ssh -L localport:host:hostport example.com
localport is the port on your machine, host is the remote box to tunnel to,
hostport is the port on the remote box to tunnel to
Sharing Your Tunnel
your-box  ->  box-1 (public IP + local IP, sshd)  ->  box-2 (local IP, www)
bobs-box  ->  your-box:8000
your-box> ssh -L 8000:box-2:80 -g box-1
box-1> success
Command Line Local Port Forwarding
ssh -L localport:host:hostport -g example.com
-g allows others to connect to your forwarded port
Host Configured
Host inspire.staging
    LocalForward 8000:box-2:80
Per-User ~/.ssh/config   System-wide /etc/ssh_config
SSH Server has final say!
AllowTcpForwarding no
System-wide /etc/sshd_config
Defaults to “yes” -- so pretty much ignore.
When/Why
Access normally unreachable resources on an internal network from anywhere on the internet
Remote Port Forwarding
Remote Port Forwarding Example
your-box  box-1 (sshd)  box-2; box-1 and box-2 are on the private network
box-2 to your-box
your-box  <-  box-1 (public IP + local IP, sshd)  <-  box-2 (local IP) on the private network
box-2 can’t talk to your-box
box-2 (local IP)  -X->  your-box: no route out of the private network to your-box
With Remote Port Forwarding
your-box  ->  box-1 (public IP + local IP, sshd)   box-2 (local IP)
your-box> ssh -R 8000:localhost:80 box-1
box-1> success
A Reverse Tunnel Is Made!
box-2  ->  http://box-1:8000  ->  box-1 (public IP + local IP, sshd)  ->  your-box:80   (8000 -> 80)
your-box> ssh -R 8000:localhost:80 box-1
box-1> success
Command Line Remote Port Forwarding
ssh -R remoteport:host:hostport example.com
remoteport is the port on the machine you ssh into, host is the local box to tunnel to,
hostport is the port on the local box to tunnel to
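The two command-line forms above (`-L localport:host:hostport` and `-R remoteport:host:hostport`) differ only in which end gets the listening socket, and that is the part people get wrong. The added shell example below (not from the presentation) parses a forwarding spec and says where the listener is and where connections end up. It also handles the optional leading bind address that OpenSSH accepts (`[bind_address:]port:host:hostport`), which is the general form of what `-g` does: without it a local forward listens on 127.0.0.1 only, with `-g` on all interfaces. Host names are the slides' own; the function and its wording are assumptions of this example.

```shell
# Added example: explain an ssh -L / -R forwarding spec.
# is_port <n>: true for 1..65535
is_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# describe_forward -L|-R <spec> <ssh-host> [-g]
# spec is [bind_address:]port:host:hostport (IPv6 literals not handled).
describe_forward() {
    mode=$1; spec=$2; via=$3
    gateway=0
    if [ "${4:-}" = "-g" ]; then gateway=1; fi

    case $spec in
        *:*:*:*:*) echo "too many fields in spec: $spec" >&2; return 1 ;;
        *:*:*) ;;
        *) echo "spec must be [bind:]port:host:hostport, got: $spec" >&2; return 1 ;;
    esac

    # Peel fields off from the right so the optional bind address on the
    # left never shifts the others.
    hostport=${spec##*:}
    rest=${spec%:*}
    host=${rest##*:}
    rest=${rest%:*}
    port=${rest##*:}
    case $rest in
        *:*) bind=${rest%:*} ;;
        *)   bind="" ;;
    esac

    if ! is_port "$port" || ! is_port "$hostport" || [ -z "$host" ]; then
        echo "invalid port or host in spec: $spec" >&2
        return 1
    fi

    case $mode in
        -L)
            # Listener is on the machine running ssh. host:hostport is
            # resolved and connected to by the ssh server (via), so
            # "localhost" here means via itself.
            if [ $gateway -eq 1 ]; then bind=${bind:-0.0.0.0}; else bind=${bind:-127.0.0.1}; fi
            printf 'this machine listens on %s:%s; %s relays each connection to %s:%s\n' \
                "$bind" "$port" "$via" "$host" "$hostport"
            ;;
        -R)
            # Listener is on the ssh server. host:hostport is resolved and
            # connected to by this machine, so "localhost" means this box.
            # Whether others may reach the remote listener is the server's
            # decision (sshd_config GatewayPorts), not a client flag.
            if [ $gateway -eq 1 ]; then
                echo "-g is not supported for remote forwarding" >&2
                return 1
            fi
            bind=${bind:-127.0.0.1}
            printf '%s listens on %s:%s; this machine relays each connection to %s:%s\n' \
                "$via" "$bind" "$port" "$host" "$hostport"
            ;;
        *)
            echo "mode must be -L or -R" >&2
            return 1
            ;;
    esac
}

# describe_forward -L 8000:box-2:80 box-1
# describe_forward -R 8000:localhost:80 box-1
```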
-g is not supported for remote forwarding
Host Configured
Host inspire.staging
    RemoteForward 8000:localhost:80
Per-User ~/.ssh/config   System-wide /etc/ssh_config
SSH Server has final say!
AllowTcpForwarding no
System-wide /etc/sshd_config
Defaults to “yes” -- so pretty much ignore.
When/Why
Allow outside resources to connect to your box, or another machine on a private network
Example: testing web callbacks
~/.ssh/config
User-specified SSH configuration
Host Configuration
your-box> ssh example.com
Host inspire
    HostName staging.inspirehq.com
    User inspire

Host inspire.production
    HostName inspirehq.com
    User inspire
Host is the section identifier
Any time Host shows up a new section is started
Host is whatever you want to refer to the connection as
~/.ssh/config
HostName Configuration
your-box> ssh example.com
HostName is the real host name to log into
Can be IP address or domain name
Host inspire
    HostName staging.inspirehq.com
    User inspire

Host inspire.production
    HostName inspirehq.com
    User inspire
~/.ssh/config
User Configuration
your-box> ssh example.com
User is the user to log in as
Can be overridden on the command line
Host inspire
    HostName staging.inspirehq.com
    User inspire

Host inspire.production
    HostName inspirehq.com
    User foobar
~/.ssh/config
Port Configuration
your-box> ssh example.com
Port defines which port SSH connects on
Can be overridden on the command line
Host inspire
    HostName staging.inspirehq.com
    User inspire
    Port 45000
~/.ssh/config
Local/Remote Port Forwarding
your-box> ssh example.com
LocalForward
RemoteForward
Host inspire
    HostName staging.inspirehq.com
    User inspire
    LocalForward 8080:example.com:80
    RemoteForward 8080:example.com:80
~/.ssh/config
GatewayPorts
your-box> ssh example.com
GatewayPorts specifies whether or not remote hosts can connect to local forwarded ports
Works in conjunction with LocalForward
Defaults to no
Host inspire
    HostName staging.inspirehq.com
    User inspire
    LocalForward 8080:example.com:80
    GatewayPorts yes
~/.ssh/config
ServerAliveInterval
your-box> ssh example.com
ServerAliveInterval sets a time interval in seconds; if no data has been received from the server within that interval, ssh sends a message to the server
Defaults to 0, meaning the message is never sent
This can be used to keep SSH connections alive
Host inspire
    HostName staging.inspirehq.com
    User inspire
    LocalForward 8080:example.com:80
    GatewayPorts yes
    ServerAliveInterval 5
~/.ssh/config
> ssh inspire
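The ~/.ssh/config slides above show the options one at a time; the two rules that trip people up are how `Host` patterns are matched and the fact that for each option the first value obtained wins, so a specific `Host inspire` section must come before a catch-all `Host *`. The added shell example below (not from the presentation) resolves an alias against a config file the way ssh does for those two rules: shell-style `*`/`?` patterns, first match wins per option, and the defaults the slides rely on (HostName falls back to the alias, Port to 22). The function names are this example's own; `Key=value` syntax, `!` negated patterns and `Match` blocks are not handled. The config in the usage is constructed from the slides' host names.

```shell
# Added example: resolve what ssh would use for an alias from a config file.
# ssh_config_get <config-file> <alias> <option>
# Prints the first value any matching section sets; returns 1 if none does.
ssh_config_get() (
    # Subshell so "set -f" is local: it stops "Host *" being expanded
    # against the files in the current directory.
    set -f
    cfg=$1; alias=$2
    want=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    active=0
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line                      # word-split: keyword, arguments
        [ $# -eq 0 ] && continue
        key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # keywords are case-insensitive
        case $key in \#*) continue ;; esac
        shift
        if [ "$key" = host ]; then
            # A Host line starts a new section; it applies if any of its
            # patterns matches the alias typed on the command line.
            active=0
            for pat in "$@"; do
                case $alias in $pat) active=1 ;; esac
            done
            continue
        fi
        if [ "$active" -eq 1 ] && [ "$key" = "$want" ]; then
            printf '%s\n' "$*"            # first value obtained wins
            return 0
        fi
    done < "$cfg"
    return 1
)

# ssh_target <config-file> <alias>: user@hostname:port after defaults
ssh_target() {
    cfg=$1; alias=$2
    host=$(ssh_config_get "$cfg" "$alias" HostName) || host=$alias
    user=$(ssh_config_get "$cfg" "$alias" User) || user=${USER:-$(id -un)}
    port=$(ssh_config_get "$cfg" "$alias" Port) || port=22
    printf '%s@%s:%s\n' "$user" "$host" "$port"
}

# Constructed config from the slides' host names:
#   Host inspire              -> HostName staging.inspirehq.com, User inspire, Port 45000
#   Host inspire.production   -> HostName inspirehq.com, User inspire
#   Host *                    -> ServerAliveInterval 5, User fallback
# ssh_target ~/.ssh/config inspire   prints inspire@staging.inspirehq.com:45000
```

On OpenSSH 6.8 and newer (later than these slides), `ssh -G inspire` prints the fully resolved configuration, which is the authoritative check when a section does not seem to apply.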
man ssh_config
Overuse ~/.ssh/config
SSHing into an IP more than once?
SSHing into crazy domains? (e.g. Amazon)
Looking up IP or hostname routinely?
save it in ~/.ssh/config
...skipping server configuration...
SSH and Other apps
scp: secure file copy
copy single file
scp file1 example.com:
copy multiple files
scp file1 file2 example.com:
copy to other locations
scp file1 example.com:foo/bar
scp file1 example.com:/foo/bar
scp doesn’t copy directories
scp dir/ example.com:foo/bar
dir/: not a regular file
rsync: remote file copying
copy single file
rsync -avz file1 example.com:
copy directory
rsync -avz dir/ example.com:
incremental file transfers (only transfers what’s different)
include/exclude files and directories
include/exclude file name patterns
can copy files from a remote box to a local box
can copy files from a local box to a remote box
rsync does so much more
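The `rsync -avz dir/ example.com:` slide above relies on rsync's trailing-slash rule, which is worth seeing once: `dir/` copies the contents of dir into the destination, `dir` copies dir itself so the files land under destination/dir. The added example below (not from the presentation) shows both forms plus an `--exclude` pattern, using two local directories, since rsync treats a local destination exactly like a remote one. The function names and the excluded `*.log` pattern are this example's choices; `-z` is left out because compression only helps across a network link.

```shell
# Added example: rsync's trailing slash and exclude patterns.
# sync_contents <src-dir> <dest-dir>: files inside src land directly in dest
sync_contents() {
    rsync -a --exclude '*.log' "${1%/}/" "$2"
}

# sync_dir <src-dir> <dest-dir>: src itself lands in dest (dest/src/...)
sync_dir() {
    rsync -a --exclude '*.log' "${1%/}" "$2"
}

# list_tree <dir>: regular files below dir, relative, sorted, space-separated
list_tree() {
    ( cd "$1" && find . -type f | sort | paste -sd ' ' - )
}

# Constructed layout:   dir/a.txt  dir/sub/b.txt  dir/debug.log
#   sync_contents dir out1; list_tree out1   -> ./a.txt ./sub/b.txt
#   sync_dir      dir out2; list_tree out2   -> ./dir/a.txt ./dir/sub/b.txt
# debug.log is skipped by --exclude in both cases. Before a real run,
# add --dry-run -i to see what would be transferred without copying anything.
```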
git
Can run over SSH
Supports SSH client configuration files
Can be pointed at a specific SSH binary using the GIT_SSH environment variable
git/ssh info
The End