
SSH Tricks - ahalan
http://tychoish.com/rhizome/9-awesome-ssh-tricks/
======
beagle3
The most magical command he didn't mention is 'ssh-copy-id'. If you can log in
to a host with a password, you just 'ssh-copy-id myuser@thishost', supply the
password once, and from that moment you can ssh with public key
authentication. Extreme magic.

Also, sshfs works great, but has some issues with memory mapped files that
silently lose writes. Luckily (?) most programs don't use mmap to write files,
so it's not very noticeable.

All in all, ssh is one of the greatest tools.

~~~
dotBen
I'm always sad that OS X doesn't support ssh-copy-id natively.

~~~
pilif
Apparently it's in Homebrew (see the other comment), but for half an eternity
I've been using this:

    ssh user@host "mkdir .ssh && cat >> .ssh/authorized_keys" < ~/.ssh/id_rsa.pub

(remove the mkdir if .ssh already exists)

This works as well and uses nothing but the power of the Unix shell and
the concept of pipes.

~~~
cjp
Use mkdir -p to avoid failing if .ssh already exists.

    ssh user@host "mkdir -p .ssh && cat >> .ssh/authorized_keys" < ~/.ssh/id_rsa.pub
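
The one-liners above do the job, but two things bite in practice: sshd's StrictModes (on by default) ignores authorized_keys when ~/.ssh or the file is group- or world-writable, and running the command twice appends the same key twice. The script below is an added example (mine, not the commenters' and not ssh-copy-id's own code) that does the same push with the permissions set and the append made idempotent; the default key path ~/.ssh/id_ed25519.pub and a POSIX sh on the remote side are my assumptions, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the thread, not ssh-copy-id's code): push a public key
# to a remote account with the permissions sshd's StrictModes expects
# (~/.ssh 0700, authorized_keys 0600) and without adding a key twice.
# Assumptions: default key is ~/.ssh/id_ed25519.pub; the remote has a POSIX sh.

# The function is kept as text so one definition can be eval'd locally and also
# shipped verbatim to the remote host over the ssh session's stdin.
AUTHKEYS_ADD='
# authorized_keys_add FILE: read one public key line from stdin and add it to FILE.
# Runs in a subshell so the umask change does not leak into the caller.
authorized_keys_add() (
    umask 077
    IFS= read -r key || [ -n "$key" ] || return 1
    blob=$(printf "%s\n" "$key" | cut -d " " -f1,2)   # "type base64"; comment dropped
    case "$blob" in
        ssh-*" "*|ecdsa-*" "*|sk-*" "*) ;;
        *) echo "not a public key line: $key" >&2; return 1 ;;
    esac
    dir=$(dirname "$1")
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    [ -e "$1" ] || : > "$1"
    chmod 600 "$1" || return 1
    if grep -qF -- "$blob" "$1"; then      # same type+blob already listed (comment may differ)
        echo "already present: ${blob%% *} key" >&2
        return 0
    fi
    printf "%s\n" "$key" >> "$1"
)
'
eval "$AUTHKEYS_ADD"

# push_pubkey user@host [pubkey]: the remote sh reads the function definition,
# then a call whose stdin is the key as a here-document, all from one ssh session.
push_pubkey() {
    pub="${2:-$HOME/.ssh/id_ed25519.pub}"
    [ -r "$pub" ] || { echo "no key file: $pub" >&2; return 1; }
    {
        printf '%s\n' "$AUTHKEYS_ADD"
        printf '%s\n' "authorized_keys_add \"\$HOME/.ssh/authorized_keys\" <<'KEY'"
        cat "$pub"
        printf 'KEY\n'
    } | ssh "$1" sh
}
```

Usage is `push_pubkey user@host`, answering the password prompt once, exactly like ssh-copy-id; the dedup compares only the key type and base64 blob, so re-pushing the same key with a different comment is a no-op rather than a second line.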

------
ary
> /dev/null .known_hosts

This is _not_ a good idea (and far from "awesome"). I get why he's doing it,
but suggesting that people weaken the security of a tool that is meant to
_enhance_ it is bad advice.

~~~
peterwwillis
Eh... bad advice in general, but awesome advice for the case he's using it in.
Like he says in the post: _Don't set these values for hosts that you actually
care about._

~~~
JoachimSchipper
Or hosts that you use passwords on that you actually care about. Or hosts that
have access to a network you care about. Or...

There's just too much that can go wrong.

~~~
atakan_gurkan
I think "hosts that you care about" captures them all. Yes, there is too much
that can go wrong, but for this tiny case the advice is useful. Let me quote
GJ Sussman: "It is OK if it is not user-friendly, I am not a user".

------
JoshTriplett
Another handy trick: put this script on your path somewhere, and name it
"ssh-argv0":

    #!/bin/sh
    exec ssh "${0##*/}" "$@"

Then create symlinks to ssh-argv0 for common hostnames you ssh to, shortened
using host aliases as suggested in the article. You now have a command for
each host, which you can use as a prefix like sudo to run a single command on
that host. For instance, "myth sudo reboot".

If you're used to using "ssh user@box foo", and not always for the same user
(in which case you could use "User" in .ssh/config), you can do the same thing
via "box -l user foo"

~~~
davvid
${0##*/} ... are you looking for the basename(1) command? POSIX requires
support for this usage, but it does not work with many traditional shells,
e.g., Solaris 10 /bin/sh.

Here's how to work around it:

    #!/bin/sh
    exec ssh "$(basename "$0")" "$@"

FWIW it's a little easier to read, too.

~~~
apaprocki
Sun was so into keeping backward compatibility intact that they would not update
the default /bin/sh because of some compatibility issues that could affect
customers. So they included the newer XPG4 sh in a different location (it is a
POSIX-compliant ksh88): /usr/xpg4/bin/sh. So you can write:

    #!/usr/bin/env sh

so that users who have set up PATH=/usr/xpg4/bin:$PATH get the correct shell
and everything works fine.

------
xtacy
The ssh escape sequence "~" (without quotes) comes in handy at times.

    "~C"  Gives you an ssh command prompt.
          Press ? for help.

    "~."  Closes the ssh connection; useful for
          unresponsive ssh connections!

~~~
LiveTheDream
Worth noting that you need a newline before the ~ for it to work.

Another useful tip to know is how to set your own escape key.

    ssh -e ^ example.com

This will set the escape key to ^ instead of ~.

I had to use this recently to terminate an ssh connection that was initiated
inside of a screen session on a machine I was sshed into from my laptop.
Obviously, the generic ~. killed the first ssh session (on my machine), not
the one in the screen. Connecting to the middle machine with ssh -e^ let me
send ~. to the proper ssh session.

~~~
fugue88
Instead of changing the escape, you can tap it one more time. So, to drop your
2nd (nested) connection: ~ ~ .

------
dotBen
Ok, not technically part of SSH itself, but I think sshuttle[1] is one of the
most awesome SSH tricks around.

[1] <https://github.com/apenwarr/sshuttle>

~~~
sunyc
Too hard; you should just use -D and tsocks.

~~~
nieve
I'm surprised that you'd say that if you actually understand what sshuttle
does and you've read the tsocks(8) manpage. The ssh -D/tsocks combination is
significantly more fragile due to how SOCKS proxying works and potential
LD_PRELOAD problems: it doesn't work at all with static binaries, works only for
programs started with the preload (sshuttle is system-wide), doesn't handle
async sockets, has issues with DNS, and fails with programs that do syscall()
directly. The tsocks solution also fails miserably for anything but the use
case of "have this program act (mostly, sorta) like it's running on this other
machine's network" and can only do all or nothing for a program, no
discrimination based on routes or IP. If it's too hard to alias "./sshuttle -r
user@ssh 0/0 -vv", I'm not sure you should be playing with sharp objects like
LD_PRELOAD...

~~~
sunyc
What I mean by "too hard" is that this is way too much trouble for a problem that
should be solved from another perspective; that is, fix the network or
authorization problem.

------
jerrya
I hadn't known about sshfs - that sounds great and I'll have to look it up.

One of my favorite features is ssh forced commands,
<http://oreilly.com/catalog/sshtdg/chapter/ch08.html#22858> which I use on
infrequently used remote servers to present menus of pre-defined commands to
me or to others. And at other times, I can use it to kick off a daemon on a
remote server just by ssh'ing to that remote server with the proper key.

It's a simple way to create a "compile server" and then use one command line
from my preferred machine to tell the compile server to check a certain
directory and compile everything within it.

Yeah, ssh is nice.

------
darrikmazey
Another trick I especially like is to use the command="" syntax inside of an
authorized_keys file to allow a user to execute certain commands via ssh,
especially handy for git-shell.
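
Both comments above rely on the same mechanism: a command="..." option in authorized_keys makes sshd run that program no matter what the client asked for, and hands the client's request over only as the SSH_ORIGINAL_COMMAND environment variable. The dispatcher below is an added example (mine, not either commenter's setup) of jerrya's "compile server" idea done that way: a fixed allowlist of actions, argument validation before anything touches the filesystem, and no path by which the client's string reaches a shell. The authorized_keys line, the install path /usr/local/bin/build-dispatch and the /srv/build layout are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): forced-command dispatcher for a build host.
# Assumed authorized_keys line (path, layout and key are made up for illustration):
#
#   command="/usr/local/bin/build-dispatch",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAA... build-key
#
# sshd runs this script instead of whatever the client requested; the request
# itself arrives in SSH_ORIGINAL_COMMAND (unset when the client gave none).

BUILD_ROOT="${BUILD_ROOT:-/srv/build}"   # assumed layout: $BUILD_ROOT/<project>/Makefile

# The only action that does real work, kept separate so it is easy to audit.
run_build() {
    make -C "$1"
}

# dispatch_forced_command REQUEST: run REQUEST only if it is on the allowlist.
# Returns 0 on success, 1 for an unknown request, 2 for a bad argument.
dispatch_forced_command() {
    req="$1"
    case "$req" in
        ""|help)
            printf 'commands:\n  build <project>   run make in %s/<project>\n  status            show load on this host\n' "$BUILD_ROOT"
            ;;
        status)
            uptime
            ;;
        "build "*)
            proj="${req#build }"
            # One plain name only: no "/", no leading ".", no spaces or shell metacharacters.
            case "$proj" in
                ""|.*|*[!A-Za-z0-9._-]*)
                    echo "refused: bad project name" >&2
                    return 2 ;;
            esac
            [ -d "$BUILD_ROOT/$proj" ] || { echo "refused: no such project: $proj" >&2; return 2; }
            run_build "$BUILD_ROOT/$proj"
            ;;
        *)
            # Anything else, e.g. "status; rm -rf /", is reported and dropped, never handed to a shell.
            echo "refused: $req" >&2
            return 1 ;;
    esac
}

# Act as the entrypoint only when installed under the name used in authorized_keys,
# so the file can also be sourced for testing.
if [ "$(basename "$0")" = "build-dispatch" ]; then
    dispatch_forced_command "${SSH_ORIGINAL_COMMAND:-}"
    exit $?
fi
```

From the client side this is `ssh build-key-host build widget` or just `ssh build-key-host` for the menu; the no-pty and no-*-forwarding options on the key line matter as much as the script, since without them the key could still open a tunnel or an agent channel even though it can never get a shell.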

------
jpdoctor
Anyone know how to ensure 8 bits worth of keyboard are passed? (Run emacs over
ssh and you sometimes get stuck without the meta key working.)

------
jvogt
I have a lot of machines I regularly connect to. Parsing the known_hosts file
and adding the result to my shell's tab completion was a nice timesaver. Here's
the line from my .bash_profile:

    complete -W "$(cut -d' ' -f1 ~/.ssh/known_hosts | sed 's/,.*//' | grep -v '\[' | sort -u)" ssh

------
sneak
I'm not sure how this could omit "ssh -D".

Also, is it just me, or might his ssh-reagent bash function add keys to some
other user's ssh agent process if they've sufficiently modified the
permissions on their socket file in the temporary directory to allow you to
write to it?

------
there
Many shells can be set up to autocomplete a list of hosts parsed from
~/.ssh/known_hosts.

for tcsh, see
[http://www.opensource.apple.com/source/tcsh/tcsh-63.1/tcsh/c...](http://www.opensource.apple.com/source/tcsh/tcsh-63.1/tcsh/complete.tcsh)

~~~
joeyh
This was useful back before known_hosts got obfuscated for security. Now not
so much.

~~~
cmsj
So disable known host hashing :) See man ssh_config
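
jvogt's completion line above and this sub-thread meet in the same file: there are only names to harvest from known_hosts when HashKnownHosts is off. As an added example (mine, not jvogt's line or the tcsh script linked above), the function below reads a known_hosts file and emits completion candidates, handling the entry forms a plain cut/sed pipeline mishandles: comma-separated aliases, [host]:port entries, @cert-authority and @revoked markers, and hashed lines, which are skipped because the name cannot be recovered from them. The sample file is constructed, with placeholder key material.

```shell
#!/bin/sh
# Added example (not from the thread): ssh host completion candidates from a
# known_hosts file, covering the entry forms sshd(8) documents for that file.

# known_hosts_names FILE: print each plain host name once, sorted (C locale).
known_hosts_names() {
    LC_ALL=C awk '
        NF == 0 || /^[ \t]*#/ { next }      # blank lines and comments
        $1 ~ /^@/             { next }      # @cert-authority / @revoked: patterns, not hosts to complete
        $1 ~ /^[|]1[|]/       { next }      # hashed entry (HashKnownHosts yes): name not recoverable
        {
            n = split($1, names, ",")       # "host,alias,10.0.0.7" lists several names for one key
            for (i = 1; i <= n; i++) {
                h = names[i]
                sub(/^\[/, "", h); sub(/]:[0-9]+$/, "", h)   # "[host]:2222" -> "host"
                if (h != "" && !(h in seen)) { seen[h] = 1; print h }
            }
        }' "$1" | LC_ALL=C sort
}

# For .bashrc: complete the host argument of ssh. Only useful with "HashKnownHosts no"
# in ssh_config (the OpenSSH default; Debian and Ubuntu ship it enabled).
install_ssh_completion() {
    complete -W "$(known_hosts_names "${1:-$HOME/.ssh/known_hosts}")" ssh
}

# Constructed sample file covering the forms above; the key material is placeholder text.
sample_known_hosts() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# comment line
build,10.0.0.7 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyOne
[git.internal]:2222 ssh-rsa AAAAB3NzaC1yc2EPlaceholderKeyTwo
|1|R9wZbX8kq5EPlaceholder=|3k2q7ZxPlaceholderHash= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyThree
@cert-authority *.example.com ssh-rsa AAAAB3NzaC1yc2EPlaceholderKeyFour
build ecdsa-sha2-nistp256 AAAAE2VjZHNhPlaceholderKeyFive
EOF
    echo "$f"
}
```

On the sample file this yields 10.0.0.7, build and git.internal: the hashed line and the CA marker contribute nothing, the bracketed port entry is unwrapped, and the host listed under two key types appears once. Hosts you reach through ssh_config aliases are better taken from the Host lines of that file, since they never appear in known_hosts under the alias.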

------
Spoutingshite
I use SuperPutty on my Windows PC to manage many putty sessions at a time...it
is a little clunky, however it is better than having putty open 5 or 10 times.

------
0x12
My personal favorite, a one-liner to set up an email tunnel on a
non-privileged port:

    ssh -f username@mymailserver.com -L 2000:mymailserver.com:25 -N

~~~
jrockway
Why not connect to mymailserver.com's port 25 directly?

~~~
0x12
Because plenty of ISP's will block outgoing traffic on port 25.

------
koenigdavidmj
<http://www.funtoo.org/wiki/Keychain> is also quite nice.

------
RyanMcGreal
+1 for sshfs, which comes in handy for backing up my hard drive to an external
machine.

------
primo44
In case the article's author stops by:

- loose rhymes with "goose". The word is "lose".

------
zobzu
gpg-agent. ;-)

------
gnu6
Nice use of /tmp, I hope you're the only one on your machine.

~~~
brown9-2
I believe _ssh-agent_ has always written its socket files to /tmp, in
directories readable only by the user. If you disagree with this, criticize
the program, not the user.

