OpenSSH common mistakes, tips, and tricks
Posted 10-14-2014 at 11:09 PM by sag47
Tags ssh, ssh forwarding
Here's a post about common mistakes I see made with SSH, a few shortcuts to being more productive when you have a complicated server network, and other neat tips and tricks.
authorized_keys Permissions
The most common problem I see with new users attempting to use public key auth is getting the permissions wrong on their home directory, .ssh directory, or authorized_keys file. Luckily, the openssh project provides a helpful FAQ answer.
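As an added example (not the post's or the OpenSSH project's code), here is a small POSIX sh checker for the three paths sshd inspects when StrictModes is on, which is the default: the home directory, ~/.ssh and authorized_keys must be owned by the user and must not be writable by group or others, otherwise sshd silently ignores the key file. The function names are my own; the fixer applies the usual modes (.ssh 700, authorized_keys 600) and leaves ownership problems to chown.

```shell
#!/bin/sh
# Added example (not from the post): check the ownership and permission rules
# that make sshd ignore a user's authorized_keys. With the default "StrictModes
# yes", sshd refuses to use the file if the home directory, ~/.ssh or
# authorized_keys is not owned by the user or is writable by group or others.

# mode_and_owner PATH -> prints "<ls permission string> <owner>" for PATH
# (parsed from ls -ld so it works on both GNU and BSD userlands).
mode_and_owner() {
    ls -ld "$1" | awk '{ print $1, $3 }'
}

# check_ssh_perms HOME_DIR [USER]
# Prints one line per problem found and returns 1 if there were any, 0 if the
# three paths sshd inspects are all present, owned by USER and not writable by
# group or others. USER defaults to the current user.
check_ssh_perms() {
    home=$1
    user=${2:-$(id -un)}
    problems=0
    for path in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$path" ]; then
            echo "MISSING  $path"; problems=$((problems + 1)); continue
        fi
        set -- $(mode_and_owner "$path")   # $1 = perms like drwxr-xr-x, $2 = owner
        if [ "$2" != "$user" ]; then
            echo "OWNER    $path is owned by $2, expected $user"; problems=$((problems + 1))
        fi
        case $1 in                         # 6th character is the group write bit
            ?????w*) echo "GROUP-W  $path is group-writable ($1)"; problems=$((problems + 1)) ;;
        esac
        case $1 in                         # 9th character is the other write bit
            ????????w*) echo "WORLD-W  $path is world-writable ($1)"; problems=$((problems + 1)) ;;
        esac
    done
    [ "$problems" -eq 0 ]
}

# fix_ssh_perms HOME_DIR
# Applies the conventional modes: home not group/world writable, .ssh 700,
# authorized_keys 600. Ownership problems need chown and are left to the admin.
fix_ssh_perms() {
    chmod go-w "$1" && chmod 700 "$1/.ssh" && chmod 600 "$1/.ssh/authorized_keys"
}

# Usage when run directly:  sh check_ssh_perms.sh --check [HOME_DIR]
if [ "${1:-}" = "--check" ]; then
    check_ssh_perms "${2:-$HOME}"
fi
```

Run it on the server side as the user whose key is being ignored; if it prints nothing and exits 0, the problem is somewhere else (the server's auth log, with LogLevel VERBOSE, is the next place to look).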
The Almighty SSH ProxyCommand
In a complicated server network you'll often find yourself using SSH to one host only to SSH on to another host. The smart guys over at openssh already thought of that with the ProxyCommand option, and luckily netcat is great at its one purpose: setting up raw socket connections and passing communication through.
Here's an example of using ProxyCommand on the client side, in the client config, with netcat. Add this to ~/.ssh/config on your local machine:
Code:
Host *
    IdentityFile /home/sam/.ssh/id_rsa

Host dev
    HostName 10.9.8.1
    User sam
    Port 2022

Host webserver
    HostName 192.168.1.15
    ProxyCommand ssh dev nc %h %p
If you execute the following on the command line...
Code:
ssh webserver
what happens is that ssh first opens a connection to Host dev (because of the ProxyCommand) and uses nc on the dev machine to tunnel the SSH connection to 192.168.1.15.
SCP and ProxyCommand
What if you need to upload a file to the "webserver" host using SCP? Typically what beginners will do is manually set up a tunnel with the -L option and then upload the file by connecting to the local port they created. The neat thing about ProxyCommand in ~/.ssh/config is that it works with SCP as well! If you were to execute the following command,
Code:
scp ./somefile.tgz webserver:
then it will do the same thing: set up a tunnel through dev to webserver and secure-copy the file to the "webserver" host.
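Both ssh webserver and scp ./somefile.tgz webserver: consult the same ~/.ssh/config, so what runs under the hood is identical. To make that visible, here is an added example (my own sh/awk, not the post's or OpenSSH's code) that resolves an alias against the config above the way ssh does: Host blocks are scanned top to bottom, the first block that sets a keyword wins, and %h/%p in ProxyCommand expand to the target HostName and Port. It assumes only "Host *" and exact alias patterns (all this config needs; real ssh also handles globs and negation) and the sample config is embedded as a constructed string.

```shell
#!/bin/sh
# Added example (not from the post): resolve what ssh/scp will do for an alias
# in a client config. Only "Host *" and exact alias patterns are matched, which
# is all the post's config needs; real ssh also handles globs and negation.

# Constructed sample: the post's ~/.ssh/config, one keyword per line.
SAMPLE_CONFIG='Host *
    IdentityFile /home/sam/.ssh/id_rsa

Host dev
    HostName 10.9.8.1
    User sam
    Port 2022

Host webserver
    HostName 192.168.1.15
    ProxyCommand ssh dev nc %h %p
'

# resolve_option CONFIG_TEXT ALIAS KEYWORD
# Prints the value ssh would use for KEYWORD when connecting to ALIAS. ssh_config
# rule: Host blocks are read top to bottom and the first matching block that sets
# the keyword wins, so a "Host *" default only applies if nothing above set it.
resolve_option() {
    printf '%s\n' "$1" | awk -v alias="$2" -v key="$3" '
        { sub(/^[ \t]+/, "") }
        $0 == "" || $0 ~ /^#/ { next }
        tolower($1) == "host" {
            inblock = 0
            for (i = 2; i <= NF; i++) if ($i == "*" || $i == alias) inblock = 1
            next
        }
        inblock && tolower($1) == tolower(key) {
            sub(/^[^ \t]+[ \t]+/, "")   # strip the keyword, keep the value
            print
            exit
        }'
}

# endpoint CONFIG_TEXT ALIAS -> "user@host:port" for the hop named ALIAS
# (defaults: HostName = alias, Port = 22, User = the local user, like ssh).
endpoint() {
    host=$(resolve_option "$1" "$2" HostName); [ -n "$host" ] || host=$2
    port=$(resolve_option "$1" "$2" Port);     [ -n "$port" ] || port=22
    user=$(resolve_option "$1" "$2" User);     [ -n "$user" ] || user=$(id -un)
    printf '%s@%s:%s\n' "$user" "$host" "$port"
}

# expanded_proxy_command CONFIG_TEXT ALIAS
# Prints the ProxyCommand ssh would run on the local machine, with %h and %p
# replaced the way ssh does (target HostName and Port). Returns 1 if ALIAS has
# no ProxyCommand, i.e. ssh connects directly.
expanded_proxy_command() {
    proxy=$(resolve_option "$1" "$2" ProxyCommand)
    [ -n "$proxy" ] || return 1
    host=$(resolve_option "$1" "$2" HostName); [ -n "$host" ] || host=$2
    port=$(resolve_option "$1" "$2" Port);     [ -n "$port" ] || port=22
    printf '%s\n' "$proxy" | sed -e "s/%h/$host/g" -e "s/%p/$port/g"
}

# Demo: trace the two hops behind "ssh webserver" (scp webserver: takes the same path).
echo "ssh webserver runs locally:      $(expanded_proxy_command "$SAMPLE_CONFIG" webserver)"
echo "  hop 1 (ssh dev) connects to:   $(endpoint "$SAMPLE_CONFIG" dev)"
echo "  hop 2 (nc on dev) connects to: $(endpoint "$SAMPLE_CONFIG" webserver)"
```

The output shows that ssh webserver really runs "ssh dev nc 192.168.1.15 22" on your machine, that the first hop logs in as sam@10.9.8.1:2022, and that the final login name on webserver is your local user unless the webserver block sets User. For a quick sanity check of any config, ssh -G webserver prints the fully resolved options without connecting. Newer OpenSSH can do the same relay without netcat on the jump host using "ProxyCommand ssh -W %h:%p dev" or the ProxyJump keyword, which means one less binary to keep on the intermediate machine.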
authorized_keys File Format
Check out the authorized_keys man page. It has a section on the file format of authorized_keys called "AUTHORIZED_KEYS FILE FORMAT." There are a lot of awesome things you can do with the authorized_keys file. One example is to use the command option with a key.
Code:
command="command"
    Specifies that the command is executed whenever this key is used for authentication. The command supplied by the user (if any) is ignored. The command is run on a pty if the client requests a pty; otherwise it is run without a tty. If an 8-bit clean channel is required, one must not request a pty or should specify no-pty. A quote may be included in the command by quoting it with a backslash. This option might be useful to restrict certain public keys to perform just a specific operation. An example might be a key that permits remote backups but nothing else. Note that the client may specify TCP and/or X11 forwarding unless they are explicitly prohibited. The command originally supplied by the client is available in the SSH_ORIGINAL_COMMAND environment variable. Note that this option applies to shell, command or subsystem execution.
An example of that is:
Code:
command="/home/sam/bin/gpg_encrypt_individual_files.sh /media/backup/encrypted" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAr8kw0/b8LxV3ZHrf77S9jQWemHNyuF7KZV9sWZciJX5oYtiegdGcCKhZfPtCXz/J19k5B26u+iA7Zq4foutLHj3Vb2T5vVoXC8SLa/ipsgj1ASuJGLhJbXj8wpSSIbl8ebK4utKvtqx9+JpPC7OT3/IJ9izcfqh1LBd2KAua8ZN2z8zw3joF7IotbtrJ+olmBHeoSDM4ejm+hRz80iCdrIJiqwsLq3nlNFpbtyPMJGtdwMXCEVEiUXP3+BVDk8znqKclkfiTuClJGoRwcv2vuS7XdwIBWvzNq78aX9qebFq8zVQbMqj+jvDVDUbWXA+pOu/4HWv2sEPjkdQ4o7D7SQ== sam@ETHERBEAST
Upon connecting to the server using my "sam@ETHERBEAST" public key, the openssh server will automatically execute the shell script "/home/sam/bin/gpg_encrypt_individual_files.sh /media/backup/encrypted" and then exit without dropping into a shell. If you're curious about that gpg script, I give it out here.
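The man page excerpt points at two things the key line above does not yet do: the client can still request TCP or X11 forwarding unless the key line prohibits it, and SSH_ORIGINAL_COMMAND lets the forced command see what the client asked for. Here is an added example (my own, not the post's or OpenSSH's code) that covers both: a builder for a key line with the no-* options, and a wrapper that maps SSH_ORIGINAL_COMMAND to one of a few fixed actions with an exact string match, so the request is never handed to a shell. The wrapper path, the action names and the key blob in the usage are constructed placeholders; the backup action reuses the script path from the post.

```shell
#!/bin/sh
# Added example (not from the post): a forced-command wrapper for authorized_keys.
# The post's key line runs one script and exits; this variant adds the two things
# the man page excerpt hints at: the options that stop the key from also opening
# forwards or a pty, and a safe use of SSH_ORIGINAL_COMMAND so the key can ask
# for one of a few actions and nothing else. Wrapper path, action names and the
# key blob are constructed placeholders.

# build_restricted_key_line WRAPPER KEY_TYPE KEY_BLOB COMMENT
# Prints an authorized_keys line forcing WRAPPER and switching off port
# forwarding, X11 forwarding, agent forwarding and pty allocation (OpenSSH 7.2
# and later also accept the single option "restrict" for this set).
build_restricted_key_line() {
    printf 'command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s %s %s\n' \
        "$1" "$2" "$3" "$4"
}

# forced_command_dispatch ORIGINAL_COMMAND
# Maps the client's requested command (sshd exports it as SSH_ORIGINAL_COMMAND)
# to an allowed action. Prints "run:<action>" and returns 0 on an exact match;
# prints nothing and returns 1 for anything else, including an empty request
# (a plain interactive login) or extra words, so the request is never evaluated
# by a shell.
forced_command_dispatch() {
    case $1 in
        backup) echo "run:backup" ;;
        status) echo "run:status" ;;
        *)      return 1 ;;
    esac
}

# When installed as  command="/home/sam/bin/forced_command.sh --serve" ...
# sshd runs this script with --serve; only then do we act on the request.
if [ "${1:-}" = "--serve" ]; then
    if action=$(forced_command_dispatch "${SSH_ORIGINAL_COMMAND:-}"); then
        case $action in
            run:backup) exec /home/sam/bin/gpg_encrypt_individual_files.sh /media/backup/encrypted ;;
            run:status) exec df -h /media/backup ;;
        esac
    fi
    echo "forced command: request not permitted" >&2
    exit 1
fi

# Usage: print the key line to append to ~/.ssh/authorized_keys on the server
# (constructed ed25519 blob, replace with the real public key).
build_restricted_key_line "/home/sam/bin/forced_command.sh --serve" \
    ssh-ed25519 AAAAC3CONSTRUCTEDBLOB sam@ETHERBEAST
```

With this line in place, ssh backup@server backup runs the encryption script, ssh backup@server status runs df, and anything else (including just ssh backup@server) is logged to stderr on the client side and refused; the no-* options mean the same key cannot be used to open a SOCKS proxy or a port forward through the server even if the forced command is never reached.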
There are many more things you can do with authorized_keys, so definitely read the man page and learn about it!
That's all for now,
SAM