5 SSH Tricks You Must Know
1. X11 Forwarding
Using ssh, you can make a secure connection from a local X server to a remote application server. Set the X11Forwarding and AllowTcpForwarding entries to yes in /etc/ssh/sshd_config on the remote host. Start the X server on the local host. Run ssh to establish a connection with the remote site.
localname@localhost:~$ ssh -q -X -l loginname remotehost.domain
Password:
**********
Run X application commands on the remote site.
loginname@remotehost:~$ gimp &
This method allows the display of the remote X client output as if it were locally connected through a local UNIX domain socket.
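Before restarting sshd it is worth knowing which value it will actually use for these directives: for most keywords sshd takes the first occurrence in the file, so an "X11Forwarding yes" appended below an existing "X11Forwarding no" changes nothing. The following is an added example, not code from the original post, of a small POSIX sh reader that mirrors that rule for the global section of a config file; the sshd_config fragment it reads is constructed. On a live host, sshd -T is the authoritative check.

```shell
#!/bin/sh
# Added example (not from the original post): report the X11Forwarding and
# AllowTcpForwarding values sshd would take from a config file. sshd uses the
# FIRST occurrence of a keyword; this reader stops at the first Match block,
# whose settings are conditional and out of scope here.

# sshd_option FILE KEYWORD: first value of KEYWORD in the global section of
# FILE, empty if absent. Keywords are case-insensitive; '#' comments and
# blank lines are skipped.
sshd_option() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[[:space:]]*(#|$)/   { next }
        tolower($1) == "match" { exit }
        tolower($1) == key     { print $2; exit }
    ' "$1"
}

# forwarding_status FILE: "x11=<v> tcp=<v>" with sshd's documented defaults
# filled in (X11Forwarding defaults to no, AllowTcpForwarding to yes).
forwarding_status() {
    x11=$(sshd_option "$1" X11Forwarding); x11=${x11:-no}
    tcp=$(sshd_option "$1" AllowTcpForwarding); tcp=${tcp:-yes}
    echo "x11=$x11 tcp=$tcp"
}

# Constructed sample: the "append it at the bottom" mistake in miniature.
SAMPLE_SSHD_CONFIG='# constructed sshd_config fragment
Port 22
X11Forwarding no
AllowTcpForwarding yes
Match User guest
    AllowTcpForwarding no
# appended later by an admin expecting it to take effect:
X11Forwarding yes
'

# demo_forwarding_status: write the sample to a temp file and report what
# sshd would use for it (x11=no, because the first occurrence wins).
demo_forwarding_status() {
    f=$(mktemp)
    printf '%s' "$SAMPLE_SSHD_CONFIG" > "$f"
    forwarding_status "$f"
    rm -f "$f"
}
```

Run demo_forwarding_status, or point forwarding_status at a copy of /etc/ssh/sshd_config, and compare the result with what sshd -T prints on the host.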
2. SSH Login Without Password
For this you need to generate your own personal private/public key pair. ssh-keygen is used to generate that key pair for you.
In your home directory on the local host, type
[local-host]$ ssh-keygen -t dsa
This will ask you for a passphrase. A passphrase is a sequence of words or other text used to control access to a computer system, program or data. A passphrase is similar to a password in usage, but is generally longer for added security. Once you have entered the passphrase you will be prompted to enter it again for confirmation.
The private key is saved in .ssh/id_dsa and the public key in .ssh/id_dsa.pub.
Now, copy the public key to the remote machine:
[local-host]$ ssh-copy-id -i ~/.ssh/id_dsa.pub user@remotehost
or, if you don't have the ssh-copy-id script installed, use
[local-host]$ cat ~/.ssh/id_dsa.pub | ssh user@remotehost "cat - >> ~/.ssh/authorized_keys"
Now on the localhost machine, in GNOME select System > Preferences > Sessions.
Select Startup Programs and add a new entry with this command:
eval `ssh-agent`
ssh-agent is a program that, used together with OpenSSH or similar ssh programs, provides a secure way of storing the passphrase of the private key.
Open a terminal and run ssh-add without any arguments; it will ask for your passphrase once.
ssh-add adds identities to the authentication agent, ssh-agent.
[local-host]$ ssh-add
Enter passphrase for /home/vinod/.ssh/id_dsa: <Enter your passphrase here>
Identity added: /home/vinod/.ssh/id_dsa (/home/vinod/.ssh/id_dsa)
That's it. Now when you log in to the remote server it will not ask for any password or passphrase.
NB: No one else must see the content of .ssh/id_dsa, as it is used to decrypt all correspondence encrypted with the public key.
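The bare "cat - >> ~/.ssh/authorized_keys" above works, but it appends a duplicate every time it is run and leaves directory and file modes to whatever umask produced, and sshd (with its default StrictModes) refuses keys in a .ssh directory or authorized_keys file that others can write to. The following is an added example, not code from the original post, of a POSIX sh installer that adds a key once and pins the modes sshd expects; the public key line it uses is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example (not from the original post): install a public key into an
# authorized_keys file idempotently and with the permissions sshd's
# StrictModes wants (.ssh 700, authorized_keys 600). The key is a
# constructed placeholder.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYMATERIAL000000000000000 vinod@localhost'

# install_pubkey KEYLINE SSHDIR: add KEYLINE to SSHDIR/authorized_keys once.
install_pubkey() {
    keyline=$1
    sshdir=$2
    authfile="$sshdir/authorized_keys"
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    [ -f "$authfile" ] || : > "$authfile"
    chmod 600 "$authfile"
    # Compare on key type + key material (fields 1 and 2); the trailing
    # comment may differ between copies of the same key.
    keyid=$(printf '%s\n' "$keyline" | awk '{print $1, $2}')
    if awk '{print $1, $2}' "$authfile" | grep -qxF "$keyid"; then
        return 0
    fi
    printf '%s\n' "$keyline" >> "$authfile"
}

# count_key KEYLINE SSHDIR: how many times the key appears (expect 0 or 1).
count_key() {
    keyid=$(printf '%s\n' "$1" | awk '{print $1, $2}')
    awk '{print $1, $2}' "$2/authorized_keys" | grep -cxF "$keyid"
}

# perms_ok SSHDIR: "yes" if the directory is 700 and authorized_keys is 600,
# the layout sshd accepts without complaint; "no" otherwise.
perms_ok() {
    if [ -n "$(find "$1" -prune -perm 700 -print)" ] \
       && [ -n "$(find "$1/authorized_keys" -prune -perm 600 -print)" ]; then
        echo yes
    else
        echo no
    fi
}
```

Run it on the remote host as install_pubkey "$(cat id_dsa.pub)" "$HOME/.ssh"; rerunning it is harmless, which is what you want from anything that lands in a provisioning script.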
3. Run Command On A Remote Machine
You can use SSH to open sessions between servers, or you can use it to run a command on a remote system non-interactively.
Usage:
$ ssh user@hostname command
A simple example of which might be getting file system usage:
$ ssh user@192.168.3.4 "df -h"
That will prompt you for a password. Also, don't forget to escape variables if you want them expanded on the destination host rather than locally.
For example:
user@host ]$ ssh root@host2 "echo \$HOME"
prints out /root
while
user@host ]$ ssh root@host2 "echo $HOME"
prints out /home/user
Another example:
user@host ]$ ssh user2@host2 "echo hello world | awk '{print \$1}'"
prints out “hello” correctly.
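The rule behind these three cases is that ssh joins its command arguments into one string and hands it to the remote login shell, so whatever the local shell has already expanded arrives as a literal. The following is an added example, not code from the original post, that reproduces the three commands with sh -c standing in for the remote shell and a constructed REMOTE_HOME for the remote account, so the difference can be seen without a network.

```shell
#!/bin/sh
# Added example (not from the original post): simulate what the remote shell
# receives from `ssh host "CMD"`. "sh -c" stands in for the remote login
# shell and REMOTE_HOME (constructed) for the remote account's home directory.
REMOTE_HOME=/root

# run_remote CMD: what `ssh root@host2 "CMD"` would print, minus the network.
run_remote() {
    HOME="$REMOTE_HOME" sh -c "$1"
}

# Escaped: the local shell leaves \$HOME alone, so the remote shell expands
# it and prints the remote home.
escaped_home() {
    run_remote "echo \$HOME"
}

# Unescaped: the local shell expands $HOME before ssh ever sees the string,
# so the remote side just echoes the local home.
unescaped_home() {
    run_remote "echo $HOME"
}

# The awk case from the post: \$1 has to survive the local double quotes so
# that awk, not the local shell, sees $1.
first_word() {
    run_remote "echo hello world | awk '{print \$1}'"
}

# show_cmd CMD: print the literal string that would go over the wire. Looking
# at this first is the quickest way to debug a quoting problem before
# touching a real host.
show_cmd() {
    printf '%s\n' "$1"
}

if [ "${1:-}" = "--demo" ]; then
    echo "escaped:   $(escaped_home)"
    echo "unescaped: $(unescaped_home)"
    echo "awk:       $(first_word)"
    show_cmd "echo \$HOME"
    show_cmd "echo $HOME"
fi
```

Run it with --demo to see both expansions side by side; the two show_cmd lines are the strings ssh would actually send.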
4. Remote Backup Using SSH
PUSH:
$ tar cvf - . | gzip -c -1 | ssh user@host cat ">" remotefile.gz
$ dd if=localfile | ssh target_address dd of=remotefile
PULL:
$ ssh target_address cat remotefile > localfile
$ ssh target_address dd if=remotefile | dd of=localfile
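None of these pipelines checks that the far end received the whole stream: a dropped connection leaves a truncated archive that looks like a backup until the day it has to be restored. The following is an added example, not code from the original post, that reproduces the PUSH pipeline with a local cat standing in for the ssh hop and adds the verification step the post leaves out; the paths are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): the PUSH pipeline with a
# pluggable transport, plus a receiver-side check that the archive is
# complete. `cat > "$2"` stands in for `ssh user@host cat ">" remotefile.gz`.

# push_backup SRCDIR DESTFILE: same tar | gzip | "remote cat" chain as the post.
push_backup() {
    ( cd "$1" && tar cf - . ) | gzip -c -1 | cat > "$2"
}

# verify_backup FILE: "ok" if gzip reads the stream to its end and tar can
# list every entry, "corrupt" otherwise. Run this on the receiving host after
# every push; a truncated transfer fails the gzip test first.
verify_backup() {
    if gzip -t "$1" 2>/dev/null && gzip -dc "$1" | tar tf - >/dev/null 2>&1; then
        echo ok
    else
        echo corrupt
    fi
}

# archive_files FILE: number of non-directory entries in the archive, to be
# compared with a count taken on the source side before the push.
archive_files() {
    gzip -dc "$1" | tar tf - | grep -vc '/$'
}
```

A push followed by verify_backup on the receiving side, and a comparison of archive_files against the source count, is enough to catch the silent truncation that a plain pipeline hides.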
5. SSH Port Forwarding
Local Port Forwarding:
If the remote server is running an ssh server, it may be possible to "tunnel" certain services via ssh. This may be desirable, for example, to encrypt POP or SMTP connections, even though the software does not directly support encrypted communications. Tunnelling uses port forwarding to create a connection between the client and server. The client software must be able to specify a non-standard port to connect to for this to work.
So, to connect using example.com as the gateway to a pop3 server with IP 192.168.0.12 inside the intranet of Example Inc, you would write:
$ ssh example.com -L 1100:192.168.0.12:110
Enter your password (if you need to) and then you can connect to the local port 1100 to check your mail. We used an unprivileged port (> 1024). You can have OpenSSH listen on a privileged port if you're the root user on the local machine.
You can forward more ports:
$ ssh example.com -L 1100:192.168.0.12:110 -L 1101:192.168.0.12:25
Remote Port Forwarding:
A Remote Forward is just the opposite: a tunnel initiated on the server side that goes back through the client machine. For example, to give access to a service (SSH port tcp/22) on your home machine (192.168.0.2) to a user at example.com:
$ ssh user@example.com -R 8080:192.168.0.2:80
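Both -L and -R take a [bind_address:]port:host:hostport spec, and the part the command lines above leave implicit is the bind address: with none given, the forwarded port listens on loopback only (for -R, on the server's loopback, unless sshd's GatewayPorts says otherwise), which is the safe default to keep. The following is an added example, not code from the original post, that takes a spec apart and prints the equivalent ~/.ssh/config line with the bind address spelled out; the specs are the ones from the post, the Host name "example-mail" is a constructed label.

```shell
#!/bin/sh
# Added example (not from the original post): turn -L/-R specs into explicit
# LocalForward/RemoteForward lines for ~/.ssh/config. IPv6 bind addresses
# (with their own colons) are out of scope for this small parser.

# parse_forward SPEC: echo "bind port host hostport", bind defaulting to
# localhost, which is what ssh itself does when no bind_address is given.
parse_forward() {
    spec=$1
    # 3 colons means a bind address is present, 2 means it was omitted.
    n=$(printf '%s\n' "$spec" | awk -F: '{print NF-1}')
    case $n in
        3) bind=${spec%%:*}; rest=${spec#*:} ;;
        2) bind=localhost;   rest=$spec ;;
        *) echo "bad forward spec: $spec" >&2; return 1 ;;
    esac
    port=${rest%%:*}
    rest=${rest#*:}
    host=${rest%%:*}
    hostport=${rest#*:}
    echo "$bind $port $host $hostport"
}

# forward_to_config local|remote SPEC: the ssh_config line for a -L or -R spec.
forward_to_config() {
    kind=$1
    out=$(parse_forward "$2") || return 1
    set -- $out
    bind=$1; port=$2; host=$3; hostport=$4
    case $kind in
        local)  echo "LocalForward $bind:$port $host:$hostport" ;;
        remote) echo "RemoteForward $bind:$port $host:$hostport" ;;
        *) echo "kind must be local or remote" >&2; return 1 ;;
    esac
}

# example_config: a Host block holding the post's three forwards, so that
# `ssh example-mail` sets them all up without retyping the -L/-R flags.
example_config() {
    echo "Host example-mail"
    echo "    HostName example.com"
    echo "    $(forward_to_config local 1100:192.168.0.12:110)"
    echo "    $(forward_to_config local 1101:192.168.0.12:25)"
    echo "    $(forward_to_config remote 8080:192.168.0.2:80)"
}
```

Append the output of example_config to ~/.ssh/config and the same tunnels come up with ssh example-mail; the explicit localhost: prefix documents that nothing else on either network can reach the forwarded ports.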