ssh is the secure shell, an encrypted version of telnet and a whole lot more

ssh

The secure shell itself, very useful for administering remote systems, tunneling arbitrary ports, tunneling X sessions, and a whole lot more.

scp

scp is like cp, but it happens securely and allows host-to-host transfers over ssh. Very handy when used with ssh_config and key-based authentication.

sftp

A secure FTP client built into ssh. The native client sucks, try lftp or rsync if it's available.

sshd

Output effective server configuration variables

This is useful for troubleshooting ssh_config matching.

sshd -T # requires root

ssh

Output effective client configuration variables

ssh -G user@host

tunnel local port to the destination through the SSH connection

This allows you to hit remote services as if they were running on your own machine on the given port.

This will only listen on localhost, not ethernet interfaces. Use -g to listen on all interfaces.

local_port=9980
remote_port=80
destination_host=some_other_remote_server
ssh -L "${remote_port}:${destination_host}:${local_port}"

Tunnel remote port through the ssh connection to the local machine

This allows remote hosts to connect to a server running on your local network.

local_port=80
remote_port=9980
destination_host=some_other_local_server
ssh -R "${remote_port}:${destination_host}:${local_port}"

Create a socks 5 proxy on a local port

local_port=5555
ssh -D "$local_port" user@host

Loop through some ssh hosts and execute a command

-n is required in order to proceed past the first host.

cat hostnames.txt | while read -r host ; do
  ssh -o ConnectTimeout=10 -o PasswordAuthentication=no -n "$host" 'some_command ; another_command'
done

Prefer password auth

Sometimes you need to prefer password auth over key based auth. For example, if you have lots of keys and you are trying to connect to a host that only allows one failure, you will expire your failures before you ever reach a password dialogue.

ssh -o PreferredAuthentications=password root@libreelec.local

ssh_config

The user ssh config file, ~/.ssh/config, lets you override default options. This makes it handy for command line stuff where the syntax is funky such as using non-standard ports.

Notably, global vriables need to come at the end of the file, not the beginning!

Simple host aliasing

The following example will let you simply ssh sugarbeast to log in on the non-standard port on the proper IP# with the specified user.

Host sugarbeast
  HostName 66.134.66.42
  User daniel
  Port 888

Multiplexed connections

After running mkdir -p -m 700 ~/.ssh/sockets add this to your ~/.ssh/config

Host *
  ControlPersist yes
  ControlMaster auto
  ControlPath ~/.ssh/sockets/%r@%h:%p

To kill a multiplexed connection, run ssh -O exit user@host

ProxyCommand

This config option lets you execute an arbitrary series of commands to connect with.

SSH proxy through ssh host for openSSH v4 and earlier (Ubuntu 8):

ProxyCommand ssh -q bastion nc -q 0 %h %p

SSH proxy through ssh host for openSSH v5 and later:

ProxyCommand ssh -W %h:%p bastion

HTTP proxy (from man ssh_config):

ProxyCommand nc -X connect -x 192.0.2.0:8080 %h %p

key-based authentication

Key-based authentication lets you log in without specifying a password. This is useful for rsync, scp and just plain old ssh shell. Adding comments to the public key makes it easy to sort through the keys that authorized_keys file. The $HOME/.ssh/authorized_keys file is the default list of public keys which are allowed password-less login. See also man authorized_keys for more info.

Key-based auth Permissions

Permissions on this file need to be set like this:

#!/bin/sh
# This will repair permissions for the current user's ssh key-pair authentication.
mkdir ~/.ssh/
touch ~/.ssh/authorized_keys
chmod go-w ~          && \
chmod 700 ~/.ssh      && \
chmod 600 ~/.ssh/*    && \
echo "Successfully fixed ssh authentication files permissions."

ssh-keygen

Validate each entry of authorized_keys

ssh-keygen -lvf ~/.ssh/authorized_keys

Generate Keys

Not all systems support ed25519, but it is currently the most secure key type.

ssh-keygen -t ssh-ed25519 -c "Daniel Hoherd <danielhoherd@xyzhost>"

If you require backwards compatibility, use 4096 bit RSA keys.

ssh-keygen -b 4096 -t rsa -c "Daniel Hoherd <danielhoherd@xyzhost>"

Create or change a password for an ssh identity

This will update the password used to unlock an ssh identity.

ssh-keygen -p -f ~/.ssh/id_ed25519

Limit root login to key based auth

In /etc/ssh/sshd_config

PermitRootLogin without-password

See Also