
SSH tricks - joeyespo
http://matt.might.net/articles/ssh-hacks/
======
lloeki
This talks about port forwarding but does not mention using ssh as a socks
proxy, with is extremely convenient. Also, although tricky to configure ssh
can also be used as a VPN with tun/tap support (although a good
/etc/network/interfaces on Debian can make it as easy as ifup/ifdown tunX)

Unfortunately this guide does not mention ssh-agent to have usable passphrased
keys. Tip: Mac OS X Keychain integrates fantastically with ssh-agent.

My favorite trick is transparently bouncing via ProxyCommand+netcat:

    
    
        Host target.domain
            Hostname target.local
            ProxyCommand ssh -q bounce_host.domain nc -q0 %h 22
    

Also, authorizing by key but restricting the (passwordless) key to certain
commands, allowing for remote action automation. [0]

Ssh agent forwarding is also particularly awesome instead of naively
scattering keys.

Ssh ControlMaster allowing to reuse connections can really improve
responsiveness. Tip: start the master connection as a daemon (-f), so as not
to mistakenly close the terminal which handles it, else you will close the
channel for all other currently opened slave sessions. I wish ssh would fork
and start the master on demand then close it when the last channel closes.

[0] <http://www.cmdln.org/2008/02/11/restricting-ssh-commands/>

~~~
yycom

        host *%*
            proxycommand ssh $(echo %h | cut -d%% -f1) nc $(echo %h | cut -d%% -f2) %p
    
    

usage:

    
    
        ssh gateway%target

~~~
a3_nm
Awesome. Here is another version to support chaining multiple gateways:

    
    
      Host *%*
        Proxycommand ssh $(echo %h | rev | cut -d%% -f2- | rev) nc $(echo %h | rev | cut -d%% -f1 | rev) %p
    

usage:

    
    
        ssh gateway1%gateway2%target
    

(Not very clean, improvements welcome.)

~~~
a3_nm
A shorter version of the same thing:

    
    
      Host *%*
        Proxycommand bash -c "h=%h; ssh \${h%%\\%%*} nc \${h##*%%} %p"
    

It would be shorter and cleaner if I knew a way to apply string operators on a
constant string rather than defining the intermediate variable $h.

------
mattdeboard
Is there a "tech blogger of the year" category somewhere so we can nominate
this guy? Every single one of his posts is epic. The peri-relational metaphor
for shell command composition, this one, and every one before should be
required reading.

~~~
mattmight
Thanks for the kind words!

These recent posts are part of the lecture notes for my "Scripting Language
Design and Implementation" course.

There are slides that go along with some of them:

[http://matt.might.net/teaching/scripting-
languages/spring-20...](http://matt.might.net/teaching/scripting-
languages/spring-2012/lectures/)

I prefer spartan slides, so I'm not sure how useful they are without me
presenting them.

But, I'll throw them out there since there are a few nuggets in them that are
not in the posts.

There are also slides for non-existent posts (e.g. bash), because I don't
always have time to transcribe my notes into a blog post.

~~~
beambot
Hey Matt, to echo yycom's concern below... can you please add dates to your
articles? We have context as they're posted today, but it gets muddled 10+
years out.

------
nlh
One addition:

Re: iOS -- Panic (makers of Coda, etc.) developed a _really_ nice little iOS
app for SSH called 'Prompt'. It got some coverage here when it was released,
and I immediately replaced iSSH with it and haven't looked back once.

[http://www.panic.com/blog/2011/04/introducing-prompt-ssh-
for...](http://www.panic.com/blog/2011/04/introducing-prompt-ssh-for-ios/)

------
sciurus
I wouldn't call these tricks, just using ssh properly.

Here is an article with some less known features of ssh:
[http://www.jedi.be/blog/2010/08/27/ssh-tricks-the-usual-
and-...](http://www.jedi.be/blog/2010/08/27/ssh-tricks-the-usual-and-beyond/)

------
rbonvall

        > $ cat .ssh/id_dsa.pub | ssh host 'cat >> ~/.ssh/authorized_keys'
    

Using ssh-copy-id is simpler:

    
    
        ssh-copy-id host
    

(Works On My Machine™)

~~~
stretchwithme
does not work on mac, but this guy has a script:

[http://phildawson.tumblr.com/post/484798267/ssh-copy-id-
in-m...](http://phildawson.tumblr.com/post/484798267/ssh-copy-id-in-mac-os-x)

~~~
pavel_lishin
Homebrew also has a recipe for it.

    
    
        brew install ssh-copy-id

------
moe
As a small addendum to "Copying files", you can also copy entire directories:

    
    
      $ tar czf - foo | ssh remote "cd /where/to/unpack && tar xzf -"
    

This is often significantly faster than rsync, e.g. when copying a directory
with many files for the first (or only) time.

~~~
timrod
if you're piping the output of tar, instead of using "tar f -", you can leave
off the f argument (since you don't want to specify a file anyway) and tar
will default to stdin/stdout:

    
    
        $ tar cz foo | ssh remote "cd /where/to/unpack && tar xz"

~~~
ralph
For GNU tar these days that's true, unless you can be sure $TAPE is in its
environment. Historically, tar defaulted to a tape device, e.g. /dev/mt0, and
you still find vestiges of that, e.g. OpenBSD defaults to /dev/rst0.

IOW, specify "f -". :-)

------
nzmsv
I would add the use of the ControlMaster and ControlPath options for
connection sharing, as well as keepalive settings for those cases where
connections drop when idle.

The remote port forwarding feature can be very handy. I've used a combination
of ssh and daemontools to set up remote access to a machine behind a
particularly nasty firewall.

~~~
paxswill
And if your SSH client supports it ControlPersist. It keeps the shared
connection around in case you're coming back. It's a fairly new feature
though.

~~~
newman314
I tried enabling this and it seems that support for this on MacOS is pretty
iffy. It's not too stable and my issues went away as soon as I disabled it.

------
Estragon
My main problem with sshfs lately has been that on a flakey connection it
sometimes hangs irretrievably, often taking out the process trying to use it
(usually emacs.)

~~~
vectorpush
I've had this problem too. Try appending "-o reconnect" flag, I haven't had a
hang since.

------
mike-cardwell
Only yesterday, I wrote up how I use a smart card and reader with hardware pin
pad for SSH authentication. Seems relevant:

<https://grepular.com/Smart_Cards_and_SSH_Authentication>

~~~
zobzu
yeah, been using that for a while, and its quite handy. I want to switch to
the cryptostick tho, because having a pinpad/reader around sux.

don't you have one of those?

~~~
mike-cardwell
My laptop has a built in smart card reader, and my desktop has a USB one
plugged in with a hardware pin-pad.

The cryptostick does look cool. I've come across it before. I like the smart
card because I can just pop it in my wallet like a credit card.

You can also get keyboards with built in smart card readers, where the numeric
keypad has a mode to operate as a hardware pin pad (rather than sending the
keypresses to the computer) I'm thinking of getting one of these at some
point.

------
xtacy
Good list of useful configuration options. I'd also like to add the
"Compression yes" option that you can add on a per-host basis, and this could
save some bytes sent over the wire. To see how much it saved, invoke with
verbose ("ssh -v"), and it outputs the number of bytes saved after the session
ends.

Another config option that has saved me a lot of time is the "ProxyCommand"
option that lets you specify a command, whose stdin is used as a pipe to talk
to a remote server. So, something like:

    
    
        Host inside
            ProxyCommand ssh gateway nc inside 22
    

Would allow you to just type "ssh inside" and ssh to a machine behind a
gateway, without ssh-ing twice!

~~~
loeg
Cool trick -- thanks!

------
pooriaazimi
The best and most useful SSH trick (for me at least) is:

    
    
       ssh -[N]D 1080 [-p 33] user@server
    

A SOCKS5 proxy on the go...

~~~
mirkules
Remember also when you're using SSH socks proxy that all your DNS requests go
through the un-proxied connection -- unless you're using Firefox, in which
case you could set network.proxy.socks_remote_dns to 1 in about:config.

Another point is that most firewalls block most ports, but usually not 443
(https). So set up your SSH server on port 443. Since all traffic to 443 is
encrypted anyway, you're less likely to raise suspicion.

------
delan
One good trick that the article could add is getting around NTLM-authenticated
HTTP proxies, which are frequently found in schools and workplaces. First, set
up cntlm or ntlmaps to run a local HTTP proxy that strips the authentication
from the real proxy. This is because almost all software that can handle
authenticated proxies (including corkscrew) can only handle basic auth, but
not NTLM. Then, configure ssh to use corkscrew:

ProxyCommand /usr/bin/corkscrew localhost 3128 %h %p

Finally, set up the socks proxy (most of these proxies only allow outgoing
connections over ports 80 and 443):

ssh -ND2345 -p443 host

I use this technique constantly at school to browse the web unrestricted and
with privacy.

------
elehack
One more trick that I really like: using an SSH agent. On Gnome-based systems,
Seahorse provides one (sometimes you have to install seahorse-plugins to get
it); otherwise, gpg-agent can be an ssh agent. Pageant on Windows, and I'm not
sure what's available on Mac.

SSH agents let you keep your key encrypted while only needing to enter your
passphrase on first use (with the default ssh-agent, you must load the key
manually with ssh-add; gpg-agent and seahorse both prompt you the first time
it's needed). Add that to SSH agent forwarding (where multi-hop SSH
connections authenticate using the agent on the originating machine, and your
key is (A) only on the local machine and (B) encrypted when not in use.

------
michaelcampbell
ssh as a cheap way around firewalls is nifty, but caveat ssh-or, for sure. A
colleague of mine used this to connect to Yahoo IM (or somesuch; details not
important) for some totally innocent IM'ing. Nothing against the company, no
secrets leaked, nothing against any of his signed agreements. (Only that he
couldn't use IM.)

While corporate IT couldn't tell exactly what was going on, they did ask him
why he was ssh'd to an ISP-provided IP for X hours using Y bytes. So don't try
to outclever your company this way; they can still nab you on suspicion of
whatever, even if what you did was non-harmful in any way.

------
eridius
SSH is capable of running multiple channels over the same SSH connection. In
theory this means you could ssh to a remote host, then establish a second
channel to transfer a file over. Why the heck does the ssh tool not actually
allow this sort of capability? Why do I have to establish a second scp or sftp
connection to transfer a file when I'm already ssh'd into the machine? I don't
get it.

~~~
lmz
If you use ControlMaster & ControlPath in ~/.ssh/config, sftp will use the
existing connection.

~~~
eridius
Sure, but that's not really relevant to my point. That's just a minor
optimization, but my workflow is still exactly the same: start up sftp, re-
navigate back to the same directory, and do the transfer.

------
sravfeyn
I actually went on to implement an automated file sharing service over SSH
using these tricks in our college when they blocked normal protocols. You can
see the software on github tailored for my college
<https://github.com/sravfeyn/SparkDC>

------
Joeri
Another cool trick is setting up a script that constantly tries to set up x2x
between your laptop and desktop, tunneled over ssh. As soon as the laptop
enters the local network, you can use the keyboard and mouse of the desktop on
it, no cable connections necessary.

------
xxqs
nice summary, and sshfs looks cool.

here are my 2 cents: <http://txlab.wordpress.com/2012/01/25/call-home-ssh-
scripts/>

~~~
keeperofdakeys
Be warned that sshfs uses sftp underneath, which doesn't like latency too
much, so potential bandwidth is greatly reduced over the internet. If you want
fast file transfers, try scp or rsync.

~~~
xxqs
of course, I use scp and ssh tunneling quite regularly. I just like the
concept of sshfs, will need to play with that and see how it could be useful

------
symkat
Some more (Transferring whole directories, multiplexing etc)
<http://www.symkat.com/ssh-tips-and-tricks-you-need>

------
blacksmith_tb
Lots of good advice, but if you are using Windows Kitty is a bit nicer than
Putty:

<http://kitty.9bis.com/>

------
jsilence
Please don't use password less ssh keys. Use ssh-agent.

------
skeletonjelly
Seems like this pops up every few months. But I guess I can't complain about
the spread of the knowledge surrounding ssh security and pro tips.

------
ronreiter
The most amazing thing about SSH tunneling is that it is always on, even if
there is NO SHELL CONFIGURED for the user.

------
joejohnson
Port forwarding is a good trick to know.

