LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Blogs > sag47
User Name
Password

Notices


Rate this Entry

OpenSSH common mistakes, tips, and tricks

Posted 10-14-2014 at 11:09 PM by sag47

Here's a post about common mistakes I see made with SSH. A few shortcuts to being more productive when you have a complicated server network. And other neat tips and tricks.

authorized_keys Permissions

The most common problem I see new users attempting to use public key auth is to get the permissions wrong either on their home directory, .ssh directory, or authorized_keys file. Luckily, the openssh project provides a helpful FAQ answer.

The Almighty SSH ProxyCommand

In a complicated server network many times you'll find yourself using SSH to one host only to SSH to another host. The smart guys over at openssh already thought of that with the ProxyCommand and luckily netcat is great at it's one purpose: setting up raw socket connections and passing through communication.

Here's an example of using ProxyCommand client side, client config, with netcat. Add this to your local machine ~/.ssh/config

Code:
Host *
  IdentityFile /home/sam/.ssh/id_rsa

Host dev
  HostName 10.9.8.1
  User sam
  Port 2022

Host webserver
  HostName 192.168.1.15
  ProxyCommand ssh dev nc %h %p
If you execute the following on the command line...

Code:
ssh webserver
What will happen is first it will open up a connection to Host dev (because of the ProxyCommand) and use nc on the dev machine to tunnel the SSH connection to 192.168.1.15.

SCP and ProxyCommand

What if you need to upload a file to the "webserver" host using SCP? Typically what beginners will do is manually set up a tunnel with the -L option and then proceed to upload the file by connecting to a local port they created. The neat thing about ProxyCommand in ~/.ssh/config is it works with SCP as well! If you were to execute the following command,

Code:
scp ./somefile.tgz webserver:
then it will do the same thing by setting up a tunnel through dev to webserver and will securecopy the file to the "webserver" host.

authorized_keys File Format

Check out the authorized_keys man page. It has a section for the File Format of authorized_keys called, "AUTHORIZED_KEYS FILE FORMAT." There's a lot of awesome things you can do with the authorized_keys file. One example is to use the authorized_keys command with a key.

Code:
     command="command"
             Specifies that the command is executed whenever this key is used
             for authentication.  The command supplied by the user (if any) is
             ignored.  The command is run on a pty if the client requests a
             pty; otherwise it is run without a tty.  If an 8-bit clean chan-
             nel is required, one must not request a pty or should specify
             no-pty.  A quote may be included in the command by quoting it
             with a backslash.  This option might be useful to restrict cer-
             tain public keys to perform just a specific operation.  An exam-
             ple might be a key that permits remote backups but nothing else.
             Note that the client may specify TCP and/or X11 forwarding unless
             they are explicitly prohibited.  The command originally supplied
             by the client is available in the SSH_ORIGINAL_COMMAND environ-
             ment variable.  Note that this option applies to shell, command
             or subsystem execution.
An example of that is:

Code:
command="/home/sam/bin/gpg_encrypt_individual_files.sh /media/backup/encrypted" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAr8kw0/b8LxV3ZHrf77S9jQWemHNyuF7KZV9sWZciJX5oYtiegdGcCKhZfPtCXz/J19k5B26u+iA7Zq4foutLHj3Vb2T5vVoXC8SLa/ipsgj1ASuJGLhJbXj8wpSSIbl8ebK4utKvtqx9+JpPC7OT3/IJ9izcfqh1LBd2KAua8ZN2z8zw3joF7IotbtrJ+olmBHeoSDM4ejm+hRz80iCdrIJiqwsLq3nlNFpbtyPMJGtdwMXCEVEiUXP3+BVDk8znqKclkfiTuClJGoRwcv2vuS7XdwIBWvzNq78aX9qebFq8zVQbMqj+jvDVDUbWXA+pOu/4HWv2sEPjkdQ4o7D7SQ== sam@ETHERBEAST
Upon connecting to the server using my "sam@ETHERBEAST" public key the openssh server will automatically execute the shell script "/home/sam/bin/gpg_encrypt_individual_files.sh /media/backup/encrypted" and then exit without dropping into a shell. If you're curious about that gpg script I give it out here.

There's many more things you can do with authorized_keys so definitely read the man page and learn about it!

That's all for now,
SAM
Posted in Uncategorized
Views 3215 Comments 0
« Prev     Main     Next »
Total Comments 0

Comments

 

  



All times are GMT -5. The time now is 05:12 AM.

Main Menu
Advertisement
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration