
SSH Tricks - fideloper
http://serversforhackers.com/editions/2014/07/01/ssh-tricks/
======
aaronharnly
At the urging of the tech lead at the time, my team has pursued the ultimate
ssh trick: not using it.

i.e. we intentionally do not enable (human) ssh access to the production
hosts. In an autoscaling AWS world, logging into an individual machine by hand
is the last thing you want to be doing. So we are learning the (sometimes
difficult!) lessons of how to rely only on what our logging, tracing,
monitoring, and deployment automation (including snapshotting) can afford us.
I suspect sooner or later we will break down and swap in a login-enabled image
to diagnose some sticky problem, but -- as much as I resented the idea when he
presented it -- it's an interesting discipline.

Anyone else living by that principle?

~~~
ProAm
This is great, I think at first glance it works at scale, but I think a lot of
shops not in the 'startup world', older IT shops still working out of the 90s
and 2000's will find that hard to do. When you have 5 monster work horse
servers instead of 50 VMs where you can spin up 50 more within 30 minutes it's
hard to get away from direct server access for the devops team.

------
sciurus
I'd be inclined to call this "basic usage of ssh", rather than "ssh tricks".
For some more interesting tips see
[http://www.jedi.be/blog/2010/08/27/ssh-tricks-the-usual-and-...](http://www.jedi.be/blog/2010/08/27/ssh-tricks-the-usual-and-beyond/)

------
kyrra
The ~/.ssh/config file was something I discovered when my company was going
through some changes and I had 2 different usernames for accessing internal
systems.

    Host hosta hostb hostc
    User usera

    Host *
    User userb

Since my local system username was different than many of the remote systems I
could wildcard to a different default username and then had a list of servers
that would use my other username.

The bad thing is, as the blog post shows, "Host" above is really just an
alias. So if I have an entry like:

    Host hosta.mycompany.com
    User usera

and then try to do "ssh hosta", even if hosta resolves to hosta.mycompany.com,
it won't match the config entry, as config entry data is all used prior to DNS
lookup.

EDIT: thanks for all the suggestions below.

~~~
mpapi
You can do:

    Host hosta hostb hostc
    HostName %h.mycompany.com
    User usera

I believe this isn't a super-new feature -- every ssh version I've run into
client-side in the last couple years has supported it.

------
bfwi
Any list of 'SSH tricks' should contain: 'ssh -D 2001 user@host.com'. This
creates a SOCKS proxy on localhost:2001 that goes through host.com. For
example, I use a digital ocean instance hosted in the US to tunnel through, so
that I can watch hulu (I'm from Europe).

~~~
cmsj
There are also lots of legitimate uses for a SOCKS proxy, such as sshing to a
useful machine in a corp network and using something like FoxyProxy to direct
*.intranet sites via the SOCKS proxy. It's not all about fricken video piracy
:)

~~~
jonemo
Also commonly used in academia when you are not on campus but need access to
IP-restricted journals. Or to freak out your lab mates and start the robot
from home.

------
Argorak
The list misses one of the best. Connect through a jump host directly to the
target server using ProxyCommand and nc:

[http://undeadly.org/cgi?action=article&sid=20070925181947](http://undeadly.org/cgi?action=article&sid=20070925181947)

Combines well with aliases - prefix all hosts with a common name and use "Host
prefix-*" to setup the ProxyCommand.

~~~
mahmoudimus
You do not need nc anymore. The -W flag intelligently forwards traffic and
interpolates correctly.

~~~
stock_toaster
Requires openssh > 6.0 to work consistently with controlpersist. I still have
problems on Centos 6.x boxes, so I still use nc in proxycommand for those
hosts.

[https://news.ycombinator.com/item?id=4678117](https://news.ycombinator.com/item?id=4678117)
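
As an added worked example (not code from the thread or from the linked article), here is a small Python model of how ssh(1) selects options for the name you type: kyrra's point that `Host` is matched against the literal command-line argument before any DNS lookup, mpapi's `HostName %h` rewrite, and Argorak's `Host prefix-*` block that sets a `ProxyCommand` (written here in mahmoudimus's `-W` form). The sample config, host names and domains are constructed for the demonstration; the pattern matcher uses Python's `fnmatch`, which also accepts `[...]` classes that a real ssh_config does not.

```python
import fnmatch
import re

# Constructed ssh_config for the demonstration; names and domains are placeholders.
SAMPLE_CONFIG = """
# Short aliases that expand to FQDNs: %h here is the name typed on the command line
Host hosta hostb hostc
    HostName %h.mycompany.com
    User usera

# Anything typed as prefix-<name> is reached through the jump host
Host prefix-*
    HostName %h.internal.mycompany.com
    ProxyCommand ssh -W %h:%p jump
    User usera

Host jump
    HostName bastion.mycompany.com
    User usera

# Catch-all default; the first obtained value wins, so this must come last
Host *
    User userb
"""


def parse_ssh_config(text):
    """Split an ssh_config into (host_patterns, {option: value}) blocks, in file order.

    Options before the first Host line are global; ssh(1) treats them as if they
    preceded every Host block, so they are modelled as an initial 'Host *' block.
    """
    current_opts = {}
    blocks = [(["*"], current_opts)]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        if len(parts) != 2:
            continue                                     # keyword without argument
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            current_opts = {}
            blocks.append((value.split(), current_opts))
        else:
            current_opts.setdefault(key, value)          # first occurrence wins
    return blocks


def host_matches(patterns, host):
    """Host keyword semantics: '*' and '?' wildcards, case-insensitive comparison,
    and a '!'-negated pattern that matches vetoes the whole block."""
    host = host.lower()
    matched = False
    for pat in patterns:
        negate = pat.startswith("!")
        if negate:
            pat = pat[1:]
        if fnmatch.fnmatchcase(host, pat.lower()):
            if negate:
                return False
            matched = True
    return matched


def resolve(config_text, cli_host, local_user="localuser"):
    """Return the effective options ssh would use for `ssh cli_host`.

    Matching uses the literal command-line name, before any DNS lookup, which is
    why a 'Host hosta.mycompany.com' block never fires for 'ssh hosta'.
    """
    opts = {}
    for patterns, block in parse_ssh_config(config_text):
        if host_matches(patterns, cli_host):
            for key, value in block.items():
                opts.setdefault(key, value)              # first obtained value wins
    # HostName is expanded first; its %h is the name typed on the command line.
    hostname = opts.get("hostname", cli_host).replace("%h", cli_host)
    user = opts.get("user", local_user)
    port = opts.get("port", "22")
    # Other token-bearing options (ProxyCommand, ControlPath, ...) see the
    # rewritten hostname as %h, the remote user as %r and the port as %p.
    effective = {}
    for key, value in opts.items():
        effective[key] = value.replace("%h", hostname).replace("%p", port).replace("%r", user)
    effective.update(hostname=hostname, user=user, port=port)
    return effective


if __name__ == "__main__":
    for name in ("hosta", "hosta.mycompany.com", "prefix-db1", "jump", "other"):
        eff = resolve(SAMPLE_CONFIG, name)
        via = f"  via: {eff['proxycommand']}" if "proxycommand" in eff else ""
        print(f"ssh {name:<20} -> {eff['user']}@{eff['hostname']}:{eff['port']}{via}")
```

Running it shows `ssh hosta` becoming `usera@hosta.mycompany.com` while `ssh hosta.mycompany.com` falls through to the `Host *` default user, and that the `%h` inside `ProxyCommand` is the rewritten HostName rather than the alias. On a real client, `ssh -G hosta` (OpenSSH 6.8 and later) prints the same effective configuration, which is the quickest way to check a block is actually being hit.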

~~~
qzervaas
I have the following in my ~/.ssh/config, which for those who don't know,
maintains the connection even after you disconnect so you can reconnect really
quickly:

    ControlMaster auto
    ControlPath /tmp/%r@%h:%p
    ControlPersist yes

Having said that, sometimes I need to remove the entry from /tmp to reconnect
if my network settings have changed.

~~~
stock_toaster

    > Having said that, sometimes I need to remove the entry
    > from /tmp to reconnect if my network settings have changed.

You can also just send the exit command to the conn.

    ssh somehost -O exit

In addition, I put my controlpath in my .ssh dir. Keeps it out of the global
/tmp dir. _shrug_

    controlpath ~/.ssh/cp-%r:%h:%p

~~~
voltagex_
Have you used ControlPath with a very long hostname? I haven't worked out how
to stop one of my IPv6 hosts failing with that setup - the DNS RR is _really_
long (causes problems with IRC, too!)

~~~
stock_toaster
Hmm. I have one control file with 44 chars in it. That is probably the longest
one I have hit. You could always give it a dns cname alias or something.
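
The failure voltagex_ describes is the Unix-domain socket path limit: `sizeof(sun_path)` is 104 bytes on macOS and the BSDs and 108 on Linux, and OpenSSH aborts with "ControlPath too long" when the expanded path is not strictly shorter than that. Since OpenSSH 6.7 the `%C` token (a SHA-1 over `%l%h%p%r`) yields a fixed 40-character name whatever the hostname length. The following Python is an added example, not from the thread; the home directory, local and remote user names and the long hostname are constructed, and `connection_hash` follows the 6.7 definition of `%C` (later releases fold more tokens into the hash, with the same output length).

```python
import hashlib

# sizeof(sun_path): 104 bytes on macOS/BSD, 108 on Linux. OpenSSH requires the
# expanded ControlPath to be strictly shorter; the smaller limit is used here.
SUN_PATH_MAX = 104

# Constructed stand-in for a very long IPv6 reverse-DNS name (97 characters).
LONG_HOST = "host-" + "0123456789" * 8 + ".example.net"

# Constructed connection parameters used by the demo and the checks below.
DEMO_CONN = dict(home="/home/alice", local_host="laptop",
                 remote_host=LONG_HOST, port=22, remote_user="alice")


def connection_hash(local_host, remote_host, port, remote_user):
    """The %C token as defined in OpenSSH 6.7: SHA-1 over the concatenation
    %l%h%p%r, rendered as 40 hex characters."""
    data = f"{local_host}{remote_host}{port}{remote_user}".encode()
    return hashlib.sha1(data).hexdigest()


def expand_control_path(template, home, local_host, remote_host, port, remote_user):
    """Expand a ControlPath template for the tokens used in the thread
    (%r, %h, %p) plus %l and %C; a leading '~/' becomes the home directory."""
    path = home + template[1:] if template.startswith("~/") else template
    tokens = {
        "%C": connection_hash(local_host, remote_host, port, remote_user),
        "%l": local_host,
        "%h": remote_host,
        "%p": str(port),
        "%r": remote_user,
    }
    for token, value in tokens.items():
        path = path.replace(token, value)
    return path


def control_path_fits(template, **conn):
    """True if OpenSSH would accept the expanded socket path."""
    return len(expand_control_path(template, **conn).encode()) < SUN_PATH_MAX


if __name__ == "__main__":
    for template in ("~/.ssh/cp-%r:%h:%p", "~/.ssh/cp-%C"):
        path = expand_control_path(template, **DEMO_CONN)
        verdict = "ok" if control_path_fits(template, **DEMO_CONN) else "too long"
        print(f"{template:<20} -> {len(path):3d} bytes  {verdict}")
```

With the 97-character hostname the `%r:%h:%p` form expands to 126 bytes and is rejected, while `~/.ssh/cp-%C` stays at 60 bytes. A `ControlPath ~/.ssh/cp-%C` line therefore sidesteps the problem without a CNAME and still keeps sockets for different user/host/port combinations distinct.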

------
peterwwillis
Does anyone read man pages anymore? This is all well documented in the ssh,
sshd, and ssh_config man pages...

~~~
Zikes
You ever read the man pages for less?

Actually apparently it doesn't have a man page, I had to use less --help.

Anyways, it turns out there's a ton of functionality I never thought to look
for. I only ever see "| less" and that's all it ever was to me. There's
nothing more I really expected out of it than that, really.

But that's just how it goes, for the most part. You learn the basics about how
to use a given tool, enough to serve the purpose you originally sought it out
for, and then that's it, everything else is just noise. less lets me easily
scroll through whatever output I pipe to it, ssh gets me onto another server,
what more would I need or expect?

But then an article like this comes along and prompts me to look more closely
at something I had been taking for granted, showing it to be much more
versatile than I thought.

~~~
mooism2
Less has a manpage.
[http://manpages.ubuntu.com/manpages/trusty/en/man1/less.1.ht...](http://manpages.ubuntu.com/manpages/trusty/en/man1/less.1.html)

~~~
Zikes
Doesn't seem to be included on the CentOS 6.5 server I tried it on, but it's
good to see there's one out there.

------
geerlingguy
I liked the mention of Ansible (which thankfully abstracts away the need to
log into a server via SSH altogether), but the author left out the fact that
you can easily use _any_ ansible module (250+ right now, more added all the
time[1]) to manage your servers ad-hoc.

Or use the same syntax to build a playbook that you can run to manage
infrastructure with the `ansible-playbook` command. Since Ansible uses SSH as
its transport (in most cases—you can do it other ways), if you can connect to
a server via SSH (and who can't?), you can have it completely
managed/version-controlled pretty simply.

[1]
[http://docs.ansible.com/list_of_all_modules.html](http://docs.ansible.com/list_of_all_modules.html)

------
lucb1e
One interesting bit is that ssh aliases also work for scp. For example I have
ssh keys setup on a VPS and to copy a file I can type

    scp vps:~/www/back<tab>

and it'll autocomplete to

    scp vps:/home/vhosting/c/vhost12345/www/backup-2014-07-02.tar.gz

Or if there are multiple matches for file or directory names, it'll list them
like bash normally would. This seamless integration is so awesome, I can
highly recommend ssh keys (and cygwin for Windows users).

~~~
notfoss
SSH aliases work for SFTP as well.

------
baldfat
Dynamic port forwarding with ssh is a life saver!

Not on this web page???

-D #### (Whatever port not being used) and then I just use a proxy extension on my web client and instant privacy.

------
cmsj
see also my post from a couple of years ago:
[http://www.tenshu.net/2012/02/sysadmin-talks-openssh-tips-an...](http://www.tenshu.net/2012/02/sysadmin-talks-openssh-tips-and-tricks.html)

------
JoshTheGeek
There's been a bunch of articles about ssh that all say more or less the same
things recently.

~~~
1amzave
...and which essentially amount to "hey, look what's in the man page!".

------
welder
Also check out proxychains for tunneling through multiple ssh servers, for
example to ssh into an intranet machine via the internet:

[https://github.com/haad/proxychains](https://github.com/haad/proxychains)

~~~
kneth
Often (non-IT) companies' firewalls do not allow anything but HTTP and HTTPS
traffic and you have to go through proxies. That implies that you cannot get
to the outside using SSH. In my days as a freelance consultant, I used
Corkscrew
([http://www.agroman.net/corkscrew/](http://www.agroman.net/corkscrew/)) to
get SSH access.

------
cmsj
The chmod commands listed can be chained into a single one:

    chmod u=rw,go-rwx /path/to/lol

------
therealidiot
Nobody ever seems to show off the '-w' flag for OpenSSH in these articles.

It creates a virtual network interface and allows for "real" tunneling, which
is pretty cool.

------
citrik
If the author is reading this... You have a typo on your example config file,
your line for aws says "How aws" instead of "Host aws".

------
robmccoll
sshuttle
([https://github.com/apenwarr/sshuttle](https://github.com/apenwarr/sshuttle))
is one of my favorite SSH tricks. It behaves like a VPN more than other
ssh-based proxies that I've used.

------
dsirijus
_Sometimes, if we have a lot of SSH keys in our ~/.ssh directory_

No, that's not how it's supposed to work. Ideally, one key per machine per
user.

~~~
fideloper
Hmmm interesting - do you recommend I use the same key for github, my personal
server, some work servers, etc?

~~~
emilsedgh
Why not?

~~~
hamburglar
Personally, I like to have different keys that I treat with different levels
of care/paranoia. I'm not particularly worried about leaving my github key
'added' to my ssh agent 24/7, but I don't do that with my work production key.

