# ssh

ssh is the secure shell, an encrypted replacement for telnet and a whole lot more.

## ssh

The secure shell itself, very useful for administering remote systems, tunneling arbitrary ports, tunneling X sessions, and a whole lot more.

## scp

scp is like cp, but it happens securely and allows host-to-host transfers over ssh. Very handy when used with ssh_config and key-based authentication.

## sftp

A secure FTP client built into ssh. The native client sucks, try lftp or rsync if it's available.
## sshd

### Output effective server configuration variables

This is useful for troubleshooting sshd_config Match blocks.

```sh
sshd -T # requires root
```

## ssh

### Output effective client configuration variables

```sh
ssh -G user@host
```
### Tunnel a local port to the destination through the SSH connection

This allows you to hit remote services as if they were running on your own machine on the given port. The forwarded port will only listen on localhost, not on ethernet interfaces. Use -g to listen on all interfaces.

```sh
local_port=9980                           # port that opens on your own machine
remote_port=80                            # port of the service, as seen from the ssh server
destination_host=some_other_remote_server # host the ssh server can reach (use localhost for the server itself)
# -L syntax is local_port:destination_host:remote_port
ssh -L "${local_port}:${destination_host}:${remote_port}" user@host
```
### Tunnel a remote port through the ssh connection to the local machine

This allows remote hosts to connect to a server running on your local network.

```sh
local_port=80                            # port of the service on your local network
remote_port=9980                         # port that opens on the remote ssh server
destination_host=some_other_local_server # host reachable from your machine
# -R syntax is remote_port:destination_host:local_port
ssh -R "${remote_port}:${destination_host}:${local_port}" user@host
```
### Create a SOCKS 5 proxy on a local port

```sh
local_port=5555
ssh -D "$local_port" user@host
```
### Loop through some ssh hosts and execute a command

-n is required in order to proceed past the first host: without it, ssh reads the remaining hostnames from stdin as its own input.

```sh
while read -r host ; do
  ssh -o ConnectTimeout=10 -o PasswordAuthentication=no -n "$host" 'some_command ; another_command ;'
done < hostnames.txt
```
### Be really verbose about not wanting to use an interactive login

Some ssh servers (e.g. macOS 11) need even more options to not ask for a password:

```sh
ssh \
  -o PasswordAuthentication=no \
  -o KbdInteractiveAuthentication=no \
  -o KbdInteractiveDevices=no \
  user@host
```

This is also really handy for putting into GIT_SSH_COMMAND to avoid password prompts in scripts.
### Prefer password auth

Sometimes you need to prefer password auth over key based auth. For example, if you have lots of keys and you are trying to connect to a host that only allows one failure, you will expire your failures before you ever reach a password dialogue.

```sh
ssh -o PreferredAuthentications=password root@libreelec.local
```
## ssh_config

The user ssh config file, ~/.ssh/config, lets you override default options. This makes it handy for command line stuff where the syntax is funky, such as using non-standard ports.

Notably, ssh uses the first value it finds for each option, so host-specific Host blocks must come before the catch-all Host * block: global defaults need to come at the end of the file, not the beginning!
### Simple host aliasing

The following example will let you simply `ssh sugarbeast` to log in on the non-standard port on the proper IP address with the specified user.

```
Host sugarbeast
  HostName 66.134.66.42
  User daniel
  Port 888
```
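The following is an added example, not part of the original notes: a small POSIX sh resolver that mimics ssh's first-match rule for one keyword and runs it against two constructed configs (the sugarbeast alias above with a `Host *` block placed first versus last), so you can see why the catch-all block has to come at the end. It assumes canonical keyword casing and does not handle negated patterns or Match blocks.

```sh
#!/bin/sh
# Added example, not from the original notes: a minimal resolver that applies
# ssh_config's first-match rule, to show why the catch-all "Host *" block must
# come last. Assumed simplifications: keywords are matched case-sensitively;
# negated patterns ("!host") and Match blocks are not handled.
#
# Usage: ssh_cfg_lookup CONFIG_FILE HOSTNAME KEYWORD
# Prints the value ssh would use; returns 1 if the keyword is never set.
ssh_cfg_lookup() (
  set -f                      # body runs in a subshell, so this stays local;
                              # no globbing keeps "Host *" a literal pattern
  file=$1 host=$2 key=$3
  active=1                    # options before the first Host block apply everywhere
  while read -r k v; do
    case "$k" in
      '' | '#'*) continue ;;  # blank line or comment
      Host)
        active=0
        for pat in $v; do     # a Host line may carry several patterns
          case "$host" in $pat) active=1 ;; esac
        done ;;
      *)
        # ssh keeps the FIRST value it sees for each keyword: once an active
        # block has set it, nothing later in the file can override it.
        if [ "$active" = 1 ] && [ "$k" = "$key" ]; then
          printf '%s\n' "$v"
          exit 0              # exits only the subshell body
        fi ;;
    esac
  done < "$file"
  exit 1
)

# Demo on constructed configs: the sugarbeast alias from the notes plus a
# "Host *" default, in both orders.
demo_ordering() {
  tmp=$(mktemp -d)
  printf 'Host *\n  Port 22\n\nHost sugarbeast\n  HostName 66.134.66.42\n  Port 888\n' > "$tmp/wrong"
  printf 'Host sugarbeast\n  HostName 66.134.66.42\n  Port 888\n\nHost *\n  Port 22\n' > "$tmp/right"
  echo "Host * first: ssh sugarbeast would use port $(ssh_cfg_lookup "$tmp/wrong" sugarbeast Port)"  # 22
  echo "Host * last:  ssh sugarbeast would use port $(ssh_cfg_lookup "$tmp/right" sugarbeast Port)"  # 888
  rm -rf "$tmp"
}

demo_ordering
```

On a real system, `ssh -G sugarbeast | grep -i '^port'` shows the value the actual client resolved, which is the authoritative check.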
### Multiplexed connections

After running `mkdir -p -m 700 ~/.ssh/sockets`, add this to your ~/.ssh/config:

```
Host *
  ControlPersist yes
  ControlMaster auto
  ControlPath ~/.ssh/sockets/%r@%h:%p
```

To kill a multiplexed connection, run `ssh -O exit user@host`.
### ProxyCommand

This config option lets you specify an arbitrary command that ssh runs to reach the server, for example another ssh session or a netcat through a proxy.

SSH proxy through an ssh host for OpenSSH v4 and earlier (Ubuntu 8):

```
ProxyCommand ssh -q bastion nc -q 0 %h %p
```

SSH proxy through an ssh host for OpenSSH v5 and later:

```
ProxyCommand ssh -W %h:%p bastion
```

HTTP proxy (from `man ssh_config`):

```
ProxyCommand nc -X connect -x 192.0.2.0:8080 %h %p
```
## key-based authentication

Key-based authentication lets you log in without specifying a password. This is useful for rsync, scp and just plain old ssh shells. Adding comments to the public keys makes it easy to sort through the keys in the authorized_keys file. The $HOME/.ssh/authorized_keys file is the default list of public keys which are allowed password-less login. See also `man authorized_keys` for more info.
### Key-based auth Permissions

Permissions on this file need to be set like this:

```sh
#!/bin/sh
# This will repair permissions for the current user's ssh key-pair authentication.
mkdir -p ~/.ssh/ && \
touch ~/.ssh/authorized_keys && \
chmod go-w ~ && \
chmod 700 ~/.ssh && \
chmod 600 ~/.ssh/* && \
echo "Successfully fixed ssh authentication files permissions."
```
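As an added example (not from the original notes), here is an audit counterpart to the repair script above: a POSIX sh function that checks the permissions OpenSSH actually enforces (sshd's StrictModes rules for the home directory, ~/.ssh and authorized_keys, and ssh's own refusal of private keys readable by others) and reports each problem instead of silently fixing it. The function names and the optional home-directory argument are my own.

```sh
#!/bin/sh
# Added example, not from the original notes: audit the permissions OpenSSH
# checks (sshd under StrictModes for ~, ~/.ssh and authorized_keys; ssh itself
# for private keys) and report what is wrong. Uses only POSIX find:
# "-perm MODE" is an exact match, "-perm -MODE" means "all of these bits set".
#
# Usage: ssh_perm_audit [HOME_DIR]   (defaults to $HOME)
# Prints one line per problem; returns 0 when everything is as OpenSSH expects.

# True if PATH is group- or world-writable.
writable_by_others() {
  [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]
}

# True if PATH has exactly the octal permission bits MODE.
has_mode() {
  [ -n "$(find "$1" -prune -perm "$2" 2>/dev/null)" ]
}

ssh_perm_audit() {
  home=${1:-$HOME}
  sshdir=$home/.ssh
  problems=0
  if writable_by_others "$home"; then
    echo "FAIL: $home is group/world writable; sshd will ignore authorized_keys"; problems=1
  fi
  if [ ! -d "$sshdir" ]; then
    echo "FAIL: $sshdir does not exist"; return 1
  fi
  if ! has_mode "$sshdir" 700; then
    echo "FAIL: $sshdir should be mode 700"; problems=1
  fi
  if [ -e "$sshdir/authorized_keys" ] && writable_by_others "$sshdir/authorized_keys"; then
    echo "FAIL: $sshdir/authorized_keys is group/world writable"; problems=1
  fi
  # Private keys must be unreadable by others or ssh refuses to load them
  # ("UNPROTECTED PRIVATE KEY FILE"); public keys (*.pub) may stay readable.
  for f in "$sshdir"/id_*; do
    [ -e "$f" ] || continue
    case $f in *.pub) continue ;; esac
    if ! has_mode "$f" 600 && ! has_mode "$f" 400; then
      echo "FAIL: $f should be mode 600 (or 400)"; problems=1
    fi
  done
  if [ "$problems" = 0 ]; then
    echo "OK: ssh file permissions under $home look correct"
  fi
  return "$problems"
}
```

Source the file and run `ssh_perm_audit`, or append `ssh_perm_audit "$@"` to use it as a script whose exit status reflects the result.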
## ssh-keygen

### Validate each entry of authorized_keys

```sh
ssh-keygen -lvf ~/.ssh/authorized_keys
```

### Generate Keys

Not all systems support ed25519, but as of 2016 it is the most secure key type.

```sh
ssh-keygen -t ed25519 -C "Daniel Hoherd: ${USER}@${HOSTNAME} -- $(date +%F)"
```

If you require backwards compatibility, use 4096 bit RSA keys.

```sh
ssh-keygen -b 4096 -t rsa -C "Daniel Hoherd: ${USER}@${HOSTNAME} -- $(date +%F)"
```

### Create or change a password for an ssh identity

This will update the password used to unlock an ssh identity.

```sh
ssh-keygen -p -f ~/.ssh/id_ed25519
```

### Generate a public key from a given private key

This outputs the pub key, including the comment that is stored in the private key.

```sh
ssh-keygen -y -f id_rsa_bar
```

### Change the comment in an ssh key pair

The old comment will be printed when changing the comment:

```sh
ssh-keygen -c -f ~/.ssh/id_ed25519 -C 'this is the new comment'
```

### Show the fingerprints for the given key file

This works with both private and public keys.

```sh
ssh-keygen -E MD5 -l -f id_rsa_baz
```
## ssh-add

### Show fingerprints for all keys that are loaded into ssh-agent

```
# ssh-add -l
2048 SHA256:aFAG8RjEr+mvqNyFR10kwCF9LP5ttJR3vI85qPDHDbo (RSA)
4096 SHA256:8K5XkmSFyAUgA6DLhQTbmTDnkh1kPc7GTdg5EYP7C8s (RSA)
4096 SHA256:7Bmhh1TGQkY7RfT9gmShNb1Eaq7erRkDphcOsQH0jaE (RSA)
```

Or if you need to show the hash as the older MD5 hash, e.g. to use with CircleCI:

```
# ssh-add -l -E md5
2048 MD5:65:fd:c2:05:1e:b2:a6:32:15:37:3d:e6:98:81:a9:ab (RSA)
4096 MD5:db:af:71:c0:44:06:33:5f:63:b0:cb:8f:8a:59:0b:46 (RSA)
4096 MD5:8e:f3:02:1c:bb:39:8e:b2:5e:27:5a:48:c4:d1:0c:4b (RSA)
```

### Delete keys from the agent

Delete all keys with:

```sh
ssh-add -D
```

Delete the key for the given filename from ssh-agent:

```sh
ssh-add -d ~/.ssh/id_rsa
```

### Fetch pub keys from ssh-agent

These keys will show the comment contained within the key.

```sh
ssh-add -L
```
## Limit root login to key based auth

In /etc/ssh/sshd_config:

```
PermitRootLogin without-password
```

On OpenSSH 7.0 and later the same setting is spelled `prohibit-password`; `without-password` is still accepted as a deprecated alias.
## See Also

- sshuttle - IP network router over ssh
- sslh - lets one accept both HTTPS and SSH connections on the same port. It makes it possible to connect to an SSH server on port 443 (e.g. from inside a corporate firewall)
- Corkscrew - a tool for tunneling SSH through HTTP proxies
- PuTTY - An SSH (and telnet) client for Windows.
- Passwordless SSH logins
- SSH server for Windows
- SSH jump hosts
- The Secure Shell (SSH) Connection Protocol - https://www.ietf.org/rfc/rfc4254.txt
- The Secure Shell (SSH) Authentication Protocol - https://www.ietf.org/rfc/rfc4252.txt
- The Secure Shell (SSH) Transport Layer Protocol - https://www.ietf.org/rfc/rfc4253.txt
- https://www.agwa.name/blog/post/ssh_signatures
- lwn.net: Restricting SSH agent keys