
5 SSH Tricks You Must Know

February 20th, 2010

1. X11 Forwarding

Using ssh gives a secure connection from a local X server to a remote application server. Set the X11Forwarding and AllowTcpForwarding entries to yes in /etc/ssh/sshd_config on the remote host. Start the X server on the local host. Run ssh to establish a connection with the remote site.

localname@localhost:~$ ssh -q -X -l loginname remotehost.domain

Password:

**********

Run X application commands on the remote site.

loginname@remotehost:~$ gimp &

This method allows the display of the remote X client output as if it were locally connected through a local UNIX domain socket.

2. SSH Login Without Password

For this you need to generate your own private/public key pair. ssh-keygen generates that key pair for you.

In the user's home directory on the local host, type

[local-host]$ ssh-keygen -t dsa

This will ask you for a passphrase. A passphrase is a sequence of words or other text used to control access to a computer system, program or data. A passphrase is similar to a password in usage, but is generally longer for added security. Once you have entered the passphrase you will be prompted to enter it again for confirmation.

The private key is saved in .ssh/id_dsa and the public key in .ssh/id_dsa.pub.

Now, copy the public key to the remote machine

[local-host]$ ssh-copy-id -i ~/.ssh/id_dsa.pub user@remotehost

or, if you don't have the ssh-copy-id script installed, use

[local-host]$ cat ~/.ssh/id_dsa.pub | ssh user@remotehost "cat - >> ~/.ssh/authorized_keys"

Now, on the local machine, in GNOME select System > Preferences > Sessions.

Select Startup Programs and add a new entry with this command.

eval `ssh-agent`

ssh-agent is a program that, used together with OpenSSH or similar ssh programs, provides a secure way of holding your unlocked private key in memory so that its passphrase has to be entered only once.

Open a terminal and run ssh-add without any arguments; it will ask for your passphrase once.

ssh-add adds identities to the authentication agent, ssh-agent.

[local-host]$ ssh-add

Enter passphrase for /home/vinod/.ssh/id_dsa: <Enter your passphrase here>

Identity added: /home/vinod/.ssh/id_dsa (/home/vinod/.ssh/id_dsa)

That's it: when you now log in to the remote server it will not ask for any password or passphrase.

NB: No one else must see the content of .ssh/id_dsa, as it is used to decrypt all correspondence encrypted with the public key.
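Added here as an example, not a command from the post: a shell function for the authorized_keys step above that does what the bare "cat >> ~/.ssh/authorized_keys" does not, namely create ~/.ssh with the permissions sshd requires, add a key only once, and optionally prefix authorized_keys options such as "restrict". The key line in the demo is constructed, not a real key, and the install_authorized_key and count_keys names are this example's own; note that DSA keys as generated above are disabled by default in OpenSSH since 7.0, so use ssh-keygen -t ed25519 on current systems.

```shell
#!/bin/sh
# Added example (not from the post): install a public key into a user's
# authorized_keys the way sshd expects it, instead of a blind "cat >>".
#   install_authorized_key <home_dir> <public-key-line> [options]
# - creates ~/.ssh (0700) and authorized_keys (0600); sshd ignores the file
#   when it or the directory is group/world writable (StrictModes)
# - adds a key only once, matching on key type + base64 blob, so a changed
#   comment does not produce a duplicate entry
# - an optional third argument is prepended as authorized_keys options,
#   e.g. "restrict" (OpenSSH 7.2+) to disable forwarding, pty and agent use
install_authorized_key() {
    home_dir=$1
    pubkey=$2
    options=$3
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth_file" && chmod 600 "$auth_file" || return 1

    # fields 1 and 2 of a public-key line are the key type and the key itself
    key_id=$(printf '%s\n' "$pubkey" | awk '{print $1, $2}')
    if grep -q -F -- "$key_id" "$auth_file"; then
        return 0                      # already present: nothing to do
    fi
    if [ -n "$options" ]; then
        printf '%s %s\n' "$options" "$pubkey" >> "$auth_file"
    else
        printf '%s\n' "$pubkey" >> "$auth_file"
    fi
}

# count_keys <home_dir>: number of key lines currently in authorized_keys
count_keys() {
    grep -c -v '^[[:space:]]*$' "$1/.ssh/authorized_keys"
}

# Demo on a throwaway home directory with a constructed (not real) key.
demo_home=$(mktemp -d)
demo_key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedNotARealKey00000000000000000 vinod@localhost'
install_authorized_key "$demo_home" "$demo_key"
install_authorized_key "$demo_home" "$demo_key"     # second call is a no-op
echo "keys installed: $(count_keys "$demo_home")"  # 1
ls -ld "$demo_home/.ssh" "$demo_home/.ssh/authorized_keys"
rm -rf "$demo_home"
```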

3. Run Command On A Remote Machine

You can use SSH to open an interactive session on a server, or you can use it to run a single command on a remote system non-interactively.

Usage:

$ ssh user@hostname command

A simple example might be checking file system usage:

$ ssh user@192.168.3.4 "df -h"

That will prompt you for a password. Also, don't forget to escape variables if you want them expanded on the destination host rather than locally.

For example:

[user@host]$ ssh root@host2 "echo \$HOME"

prints out /root

while

[user@host]$ ssh root@host2 "echo $HOME"

prints out /home/user

Another example:

[user@host]$ ssh user2@host2 "echo hello world | awk '{print \$1}'"

prints out “hello” correctly.
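As an added example (not the post's own), the escaping point above carried to its practical conclusion: a shell_quote helper that passes a local value to the remote command as one literal word, with remote_shell standing in for "ssh user@host" (it runs sh -c with HOME=/root, so the /root vs /home/user contrast above reproduces offline). All function names and the demo file name are this example's own constructions.

```shell
#!/bin/sh
# Added example (not from the post): get a local value to the remote side as
# one literal word. ssh joins its arguments into a string and hands it to
# the remote login shell, which parses it again, so an unquoted value with
# spaces, quotes or $ is re-split or re-expanded there (and, if it came
# from user input, can become an extra command).

# shell_quote <string>: single-quote the string, turning each embedded
# single quote into '\'' so the remote shell reads it back verbatim
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# remote_shell <command-string>: stand-in for "ssh user@host" so this runs
# offline. sshd would start the user's login shell; here it is sh -c with
# HOME=/root, reproducing the post's /root vs /home/user example.
remote_shell() {
    env HOME=/root sh -c "$1"
}

# remote_line_count <path>: run wc -l on a file on the far side, with the
# path passed through shell_quote so no character in it alters the command
remote_line_count() {
    remote_shell "wc -l < $(shell_quote "$1")"
}

# Demo with a constructed file name containing a space, a quote and a $.
demo_dir=$(mktemp -d)
demo_file="$demo_dir/my notes'\$HOME.txt"
printf 'one\ntwo\n' > "$demo_file"
echo "\$HOME on the remote:  $(remote_shell 'echo $HOME')"     # /root
echo "\$HOME expanded here:  $(remote_shell "echo $HOME")"     # local home
echo "quoted path, lines:   $(remote_line_count "$demo_file")" # 2
rm -rf "$demo_dir"
```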

4. Remote Backup Using SSH

PUSH:

$ tar cvf - . | gzip -c -1 | ssh user@host cat ">" remotefile.gz
$ dd if=localfile | ssh target_address dd of=remotefile

PULL:

$ ssh target_address cat remotefile > localfile

$ ssh target_address dd if=remotefile | dd of=localfile

5. SSH Port Forwarding

Local Port Forwarding:

If the remote server is running an ssh server, it may be possible to “tunnel” certain services via ssh. This may be desirable, for example, to encrypt POP or SMTP connections even though the client software does not itself support encrypted communications. Tunnelling uses port forwarding to create a connection between the client and server. The client software must be able to connect to a non-standard port for this to work.

So, to connect to a POP3 server with IP 192.168.0.12 inside the intranet of Example Inc, using example.com as the gateway, you would write:

$ ssh example.com -L 1100:192.168.0.12:110

Enter your password (if you need to) and then you can connect to local port 1100 to check your mail. We used an unprivileged port (> 1024); you can have OpenSSH listen on a privileged port if you are the root user on the local machine.

You can forward more ports:

$ ssh example.com -L 1100:192.168.0.12:110 -L 1101:192.168.0.12:25

Remote Port Forwarding:

A remote forward is just the opposite: a listening port is opened on the server side and tunnelled back through the client machine. For example, to give a user at example.com access to a service on your home machine (192.168.0.2), here the web server on tcp/80, reachable as port 8080 on example.com. By default sshd binds that port to the server's loopback interface only; set GatewayPorts in the server's sshd_config if other hosts must reach it.

$ ssh user@example.com -R 8080:192.168.0.2:80

  1. February 20th, 2010 at 17:06 | #1

    2. or you could use ssh-copy-id in which case you don't have to scp your pub file and add it to knownhosts manually
    ssh-copy-id -i ~/.ssh/id_rsa.pub user@remotehost
    or if the remotehost is running on a different port
    ssh-copy-id -i ~/.ssh/id_rsa.pub "-p 22000 user@remotehost"

  2. February 21st, 2010 at 19:57 | #2

    Might be worth mentioning that some implementations of sshd don't allow root logins.

  3. vinodvm
    February 22nd, 2010 at 14:55 | #3

    @Felix Thanks for pointing out. I have updated the post.
