SSH tricks

  • 9 awesome ssh tricks
  • Use autossh to manage persistent sessions and tunnels; it restarts them after network or local failures.
  • OpenSSH >= 5.4 lets you add new port forwardings to an existing multiplexed connection. If you start a new slave session with port-forward requests, they are relayed to the master and added there automatically. You can also ask the mux master to set up forwards without opening a new session:
    ssh -O forward -Rxx:yy:zz -Laa:bb:cc user@host
  • Rather than grovelling through /tmp to find a working agent (which could connect you to a malicious one!), start the agent at a known location (e.g. ~/.ssh/auth_sock) with
    ssh-agent -a /path/to/socket
  • sshuttle: a transparent proxy that forwards traffic over ssh, giving you a full-featured VPN whose security is provided by ssh. https://github.com/apenwarr/sshuttle
  • "CompressionLevel" is ignored in SSH v2 and higher. Supposedly the default is ideal.
  • "Cipher" is ignored in SSH v2 and higher. Use "Ciphers" and put your favorite on the front of the list. Type man ssh to see what ciphers are on your system.
  • Use arcfour (rc4) encryption for higher performance and very low load, but be sure to enable re-keying by hour or by data volume. Rebuild OpenSSL and OpenSSH to include it.
  • Type
    ssh -vvv user@example.com
    for really detailed debugging information. More "v" means more verbose.
  • Try using "keychain" to discover, reap, and re-use those ssh-agents littering your system.
  • For seamless but secure remote execution: generate a new ssh key (ssh-keygen) without a pass-phrase; put the id and id.pub files on each "client" machine; add id.pub to the authorized_keys file of the user on the "server" end. Here's the trick: insert restrictions before the public key, all on the same long line. So instead of
    ssh-dss AAAAB3blahblahblah...
    in authorized_keys, use
    no-port-forwarding,no-X11-forwarding,command="/the/specific/command",from="client1.ip.addr,*.other.clients" ssh-dss AAAAB3blahblahblah...
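The restricted authorized_keys entry from the last tip, as an added shell example that is not from the blog post: `restrict_key` writes the one-line entry (options first, then the key), and `key_options` / `has_option` let you audit an existing authorized_keys line, splitting the options field at the first whitespace outside double quotes so a `command="..."` value containing spaces or commas is not misread. The key material, host names and command path are constructed placeholders; the only tool assumed is POSIX awk.

```shell
#!/bin/sh
# Added example (not the blog's own code): build and inspect restricted
# authorized_keys entries.  Key material and host names are constructed.

# restrict_key CMD FROM_PATTERNS PUBKEY_LINE
# Emit one authorized_keys line with the options the post lists, then the key.
restrict_key() {
    printf 'no-port-forwarding,no-X11-forwarding,command="%s",from="%s" %s\n' \
        "$1" "$2" "$3"
}

# key_options LINE
# Print the options prefix of an authorized_keys line, or an empty line when
# the line starts directly with a key type (ssh-*, ecdsa-*, sk-*).
# The options field ends at the first whitespace outside double quotes.
key_options() {
    printf '%s\n' "$1" | awk '
    {
        inq = 0
        for (i = 1; i <= length($0); i++) {
            c = substr($0, i, 1)
            if (c == "\"") inq = !inq
            else if ((c == " " || c == "\t") && !inq) break
        }
        first = substr($0, 1, i - 1)
        if (first ~ /^(ssh-|ecdsa-|sk-)/) print ""; else print first
    }'
}

# has_option LINE NAME
# Succeed when NAME (e.g. no-port-forwarding, or "command" for command="...")
# is one of the comma-separated options of LINE.  Commas inside quotes,
# such as a from="a,b" pattern list, do not split the option.
has_option() {
    key_options "$1" | awk -v want="$2" '
    {
        inq = 0; start = 1; found = 0
        for (i = 1; i <= length($0) + 1; i++) {
            c = substr($0, i, 1)
            if (c == "\"") inq = !inq
            else if ((c == "," || i > length($0)) && !inq) {
                opt = substr($0, start, i - start)
                sub(/=.*/, "", opt)       # command="..." -> command
                if (opt == want) found = 1
                start = i + 1
            }
        }
        exit !found
    }'
}

# Typical use on the server side (not executed here; paths are placeholders):
#   ssh-keygen -t ed25519 -N '' -f ~/.ssh/backup_key
#   restrict_key /usr/local/bin/backup 'client1.example.net,*.clients.example.net' \
#       "$(cat ~/.ssh/backup_key.pub)" >> ~/.ssh/authorized_keys
```

Auditing with `has_option` is the useful half: run it over each line of a server's authorized_keys to find passphrase-less automation keys that are missing the `command=` or `from=` restriction the tip relies on.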
