http://www.osnews.com/story/15095/Guide_SSH_Tricks Exploring the Future of Computing en-us Copyright 2001-2009, David Adams adam+nospam@osnews.com Thu, 09 Jul 2009 20:05:08 GMT http://www.osnews.com/images/osnews.gif http://www.osnews.com http://osnews.com/thread?140473 http://osnews.com/thread?140473 Really like RSA-key (aka password-less) login. Makes it much easier to implement automated stuff involving more than one machine. Wed, 05 Jul 2006 17:52:00 GMT donotreply@osnews.com (tomcat) Comments http://osnews.com/thread?140497 http://osnews.com/thread?140497 The author has a nice list of tricks, I even learned a thing or two, like how mc (midnight commander handles fish and ssh protocols). My favorite ftp client lftp handles ftp, fish(sftp), and http protols and makes it easy to get and upload files to remote box.

You can find my list of favorite ssh tips at
uadmin.blogspot.com/2006/02/ssh-tips.html it includes how to access boxes behind a firewall, like they are on your own system. I even includes a script that automates logging into a box behind a firewall, using lftp, another trick it has, is if you need shell access, just shell out with "!", and type ssh 2200, and it will give you a full shell to the remote box, that is behind the firewall, not two steps like it would usually take to get to the box.

Gotta love the power of ssh. Wed, 05 Jul 2006 18:30:00 GMT donotreply@osnews.com (jamesd) Comments http://osnews.com/thread?140522 http://osnews.com/thread?140522 SSH is powerful, useful, and I couldn't live without it. I am constantly moving files between my machines over SSH, I do all the installing and administration usually over SSH, and I have already setup some automatic scripts on both machines to run over SSH when certain conditions are met. More specifically, NFS is faster than SSH, so I like to make the stuff available on PC1 available on PC2 over NFS, so PC2 checks on boot if PC1 is on, and mounts the NFS share. If PC1 is off, it will check on boot if PC2 is on, and mount the NFS share, using SSH and automatic login. Also, when PC1 is going down/rebooted, it checks again if PC2 is on, and unmounts the NFS share on it. This is just *so* useful.

Nautilus rocks when I gotta use SSH to manage files.. Wed, 05 Jul 2006 19:35:00 GMT donotreply@osnews.com (WereCatf) Comments http://osnews.com/thread?140528 http://osnews.com/thread?140528 Which tricks ?
He is just using ssh just as every sysadmin every day.
All is described in the man page. Why reinvent the wheel ? Wed, 05 Jul 2006 20:06:00 GMT donotreply@osnews.com (Duffman) Comments http://osnews.com/thread?140533 http://osnews.com/thread?140533 Not everybody is a sysadmin. Not everybody wants to learn from a man page. Nothing reinvented here. Wed, 05 Jul 2006 20:35:00 GMT donotreply@osnews.com (Ford Prefect) Comments http://osnews.com/thread?140538 http://osnews.com/thread?140538 If you set up passwordless logins, anyone who gets ahold of your key can login to anywhere you've put as an authorized key -- this is a horrible security hole and should be highly discouraged.

What is FAR better is to use ssh-agent (or the windows equivilant peagant) to keep your passcode so you only have to input once -- this means you functionally have passwordless logins for your session after to type it in once, but you are still not hosed if someone steals your key.

This should be SSH 101, not some "tip" to undermine the security of the system you log into. Wed, 05 Jul 2006 20:57:00 GMT donotreply@osnews.com (ryan) Comments http://osnews.com/thread?140547 http://osnews.com/thread?140547 Wow mounting a remote folder! Good Golly! Wed, 05 Jul 2006 21:33:00 GMT donotreply@osnews.com (cozby) Comments http://osnews.com/thread?140548 http://osnews.com/thread?140548 Are you for real? Wed, 05 Jul 2006 21:35:00 GMT donotreply@osnews.com (cozby) Comments http://osnews.com/thread?140561 http://osnews.com/thread?140561 There's a new SSH standard for using Kerberos for host and user authentication. It's called gssapi-keyexchange. With it, you don't need to manage ssh-specific host kets and known_hosts files, which can be a real win for very large sites. It's a shame the author didn't mention it. Wed, 05 Jul 2006 22:47:00 GMT donotreply@osnews.com (derekmorr) Comments http://osnews.com/thread?140562 http://osnews.com/thread?140562 interesting article...
nothing amazingly new but certainly something that not everyone is familar with... Wed, 05 Jul 2006 22:48:00 GMT donotreply@osnews.com (deanlinkous) Comments http://osnews.com/thread?140577 http://osnews.com/thread?140577 An oldy that I use alot is the tar pipe over ssh. Eg. :

$ tar cf - /home/myuser | compress -c | ssh user@host " ( uncompress -c | tar xvf - ) "

Surprised not to see it mentioned. Thu, 06 Jul 2006 00:13:00 GMT donotreply@osnews.com (Tyr.) Comments http://osnews.com/thread?140584 http://osnews.com/thread?140584 Numerous other apps can use SSH. I use svn for version control over ssh with password-less auth. Rsync is another big one -- excellent for transfering a whole website to the host securely. And, rsync only transfers modified files, which makes the whole process of updating a huge site secure and painless.

svn co svn+ssh://repo/module
svn commit # and svn commits over ssh tunnel

rsync -e ssh src [user@host:]dest Thu, 06 Jul 2006 01:19:00 GMT donotreply@osnews.com (tbostick78) Comments http://osnews.com/thread?140587 http://osnews.com/thread?140587 Why the extra pipes with compress? Just add -j (BZip2) or -z (GZip) to the tar command to do the compression/uncompression automatically in one go. Thu, 06 Jul 2006 01:43:00 GMT donotreply@osnews.com (phoenix) Comments http://osnews.com/thread?140594 http://osnews.com/thread?140594 Not every *nix' tar command supports -j or -z for compression. Thu, 06 Jul 2006 02:27:00 GMT donotreply@osnews.com (taos) Comments http://osnews.com/thread?140597 http://osnews.com/thread?140597 "It's a shame the author didn't mention it."

Maybe he didn't want to write a 5000 word essay on how to configure kerberos. Thu, 06 Jul 2006 03:12:00 GMT donotreply@osnews.com (Soulbender) Comments http://osnews.com/thread?140598 http://osnews.com/thread?140598 "When the program asks for the key password, we should just press ENTER - this way, a passwordless key will be created."

This is such bad advice it hurts my brain. Hasn't this guy heard of ssh-agent? Thu, 06 Jul 2006 03:13:00 GMT donotreply@osnews.com (Soulbender) Comments http://osnews.com/thread?140602 http://osnews.com/thread?140602 maybe he is using ssh only on his local network where a password isnt needed? maybe??? Thu, 06 Jul 2006 03:28:00 GMT donotreply@osnews.com (deanlinkous) Comments http://osnews.com/thread?140608 http://osnews.com/thread?140608 agree, disabling passwords guts the security you are trying to create by using this tool in the first place. of course when this was mentioned on digg i was told i simply "had no clue". Thu, 06 Jul 2006 05:51:00 GMT donotreply@osnews.com (theGrump) Comments http://osnews.com/thread?140609 http://osnews.com/thread?140609 ... I assume it is faster then normal every day "scp -C", right?

BTW, why not use gzip and/or bzip2 for compression? Thu, 06 Jul 2006 05:59:00 GMT donotreply@osnews.com (gilboa) Comments http://osnews.com/thread?140611 http://osnews.com/thread?140611 Using SSHFS in a wireless local network is a lot more secure than NFS or Samba shares. Couple it with ssh-agent and you get hassle-free and very secure file sharing between your computers in the network.

Except for one minor issue I've had: For some reason, SSHFS crashes and sometimes even makes the whole system crash. At least if you're running Ubuntu (tested in Hoary, Breezy and Dapper). I've tried it with several machines and it's always the same thing. When you unmount shares, it says "Segmentation fault" and sometimes the graphics in your X session gets garbled and the whole system crashes. If anyone knows what's wrong, any advice would be much appreciated. Thu, 06 Jul 2006 06:38:00 GMT donotreply@osnews.com (djst) Comments http://osnews.com/thread?140612 http://osnews.com/thread?140612 I must share a tip I'm using daily. Commuting to work, I sometimes need to spend half an hour waiting for a train on a public train station. They have a wireless Internet connection you may use if you pay for it. However, by changing the SSH port on my server to e.g. 7722, I can now connect to it using 'ssh -p 7722 my.server.com' and use the Internet connection for free! I know, it may not be perfectly legal, but in my opinion they should blame themselves for not disabling the traffic on the port.

Anyway, if you often spent time on public paid-for wireless spots, go ahead and try it out! Thu, 06 Jul 2006 06:42:00 GMT donotreply@osnews.com (djst) Comments http://osnews.com/thread?140613 http://osnews.com/thread?140613 "maybe he is using ssh only on his local network where a password isnt needed? maybe???"

That's no excuse for teaching bad and insecure habits. Thu, 06 Jul 2006 06:47:00 GMT donotreply@osnews.com (Soulbender) Comments http://osnews.com/thread?140754 http://osnews.com/thread?140754 picking your nose is a bad habit....nothing wrong with doing it at home though!

no password SSH is a bad habit...nothing wrong with doing it at home though!

a little bit of warning in the article would of been good - sort of like your mother telling you to not pick your nose in public maybe! Thu, 06 Jul 2006 15:05:00 GMT donotreply@osnews.com (deanlinkous) Comments http://osnews.com/thread?140788 http://osnews.com/thread?140788 ... I assume it is faster then normal every day "scp -C", right?

BTW, why not use gzip and/or bzip2 for compression?

It's faster and you can throw sudo's in there to copy files you don't own if needed. Gzip isn't installed on every unix, it certainly isn't on our reduced DMZ builds. It's also more flexible : you can only copy a predefined list of files, or use find to pipe a list of files into the tar. It also has the added bonus of confusing those new to unix ;-) Thu, 06 Jul 2006 16:44:00 GMT donotreply@osnews.com (Tyr.) Comments http://osnews.com/thread?140975 http://osnews.com/thread?140975 "picking your nose is a bad habit....nothing wrong with doing it at home though!"

Noone's actively trying to teach you to pick your nose though. Fri, 07 Jul 2006 02:54:00 GMT donotreply@osnews.com (Soulbender) Comments http://osnews.com/thread?141025 http://osnews.com/thread?141025 Except you don't really disable any passwords. You just store a login key on your main computer for the other computer you want to remotely login to. As long as you have a good password for your main computer and store the key at a location that is only accessible by yourself (e.g. in your chmod'ed 700 home dir), the key is not at higher risk of being compromised than anything else in your home dir.Edited 2006-07-07 09:18 Fri, 07 Jul 2006 09:17:00 GMT donotreply@osnews.com (Endica) Comments http://osnews.com/thread?141181 http://osnews.com/thread?141181 Unless the file system is encrypted, chmod 700 isn't going to help once the wrong person gets physical access to your machine. For instance, if your laptop got stolen and had keys on it for imporant servers at work, the doors would be wide open.

The beauty of key pairs in such situation is of course that you can disable the key by simply removing it from authorized_keys (which is a good reason to not reuse keys for different machines), but do you really trust that you will not forget one of the hosts that accept this key, and are you sure you'll be able to clean up before anybody makes use of the key?

It's really not advisable to use plain text keys. You should always protect your private key with a passphrase. SSH-agent makes it almost as convenient as the non-encrypted option, although it clearly is more work to set up than just using normal password login. It's also more secure, though. Fri, 07 Jul 2006 21:37:00 GMT donotreply@osnews.com (bogomipz) Comments