“SSH is a program enabling secure access to remote filesystems. Not everyone is aware of other powerful SSH capabilities, such as passwordless login, automatic execution of commands on a remote system or even mounting a remote folder using SSH! In this article we’ll cover these features and much more.”
Really like RSA-key (aka password-less) login. Makes it much easier to implement automated stuff involving more than one machine.
The author has a nice list of tricks; I even learned a thing or two, like how mc (midnight commander) handles fish and ssh protocols. My favorite ftp client lftp handles ftp, fish (sftp), and http protocols and makes it easy to get and upload files to a remote box.
You can find my list of favorite ssh tips at
uadmin.blogspot.com/2006/02/ssh-tips.html. It includes how to access boxes behind a firewall, like they are on your own system. It even includes a script that automates logging into a box behind a firewall, using lftp. Another trick it has is, if you need shell access, just shell out with “!”, and type ssh 2200, and it will give you a full shell to the remote box that is behind the firewall, not two steps like it would usually take to get to the box.
Gotta love the power of ssh.
SSH is powerful, useful, and I couldn’t live without it. I am constantly moving files between my machines over SSH, I do all the installing and administration usually over SSH, and I have already set up some automatic scripts on both machines to run over SSH when certain conditions are met. More specifically, NFS is faster than SSH, so I like to make the stuff available on PC1 available on PC2 over NFS, so PC2 checks on boot if PC1 is on, and mounts the NFS share. If PC1 is off, it will check on boot if PC2 is on, and mount the NFS share, using SSH and automatic login. Also, when PC1 is going down/rebooted, it checks again if PC2 is on, and unmounts the NFS share on it. This is just *so* useful.
Nautilus rocks when I gotta use SSH to manage files..
Are you for real?
Which tricks ?
He is just using ssh just as every sysadmin every day.
All is described in the man page. Why reinvent the wheel ?
Not everybody is a sysadmin. Not everybody wants to learn from a man page. Nothing reinvented here.
If you set up passwordless logins, anyone who gets ahold of your key can login to anywhere you’ve put as an authorized key — this is a horrible security hole and should be highly discouraged.
What is FAR better is to use ssh-agent (or the Windows equivalent, Pageant) to keep your passcode so you only have to input it once — this means you functionally have passwordless logins for your session after you type it in once, but you are still not hosed if someone steals your key.
This should be SSH 101, not some “tip” to undermine the security of the system you log into.
agree, disabling passwords guts the security you are trying to create by using this tool in the first place. of course when this was mentioned on digg i was told i simply “had no clue”.
Except you don’t really disable any passwords. You just store a login key on your main computer for the other computer you want to remotely login to. As long as you have a good password for your main computer and store the key at a location that is only accessible by yourself (e.g. in your chmod’ed 700 home dir), the key is not at higher risk of being compromised than anything else in your home dir.
Edited 2006-07-07 09:18
Unless the file system is encrypted, chmod 700 isn’t going to help once the wrong person gets physical access to your machine. For instance, if your laptop got stolen and had keys on it for important servers at work, the doors would be wide open.
The beauty of key pairs in such situation is of course that you can disable the key by simply removing it from authorized_keys (which is a good reason to not reuse keys for different machines), but do you really trust that you will not forget one of the hosts that accept this key, and are you sure you’ll be able to clean up before anybody makes use of the key?
It’s really not advisable to use plain text keys. You should always protect your private key with a passphrase. SSH-agent makes it almost as convenient as the non-encrypted option, although it clearly is more work to set up than just using normal password login. It’s also more secure, though.
Wow mounting a remote folder! Good Golly!
There’s a new SSH standard for using Kerberos for host and user authentication. It’s called gssapi-keyexchange. With it, you don’t need to manage ssh-specific host keys and known_hosts files, which can be a real win for very large sites. It’s a shame the author didn’t mention it.
interesting article…
nothing amazingly new but certainly something that not everyone is familiar with…
An oldie that I use a lot is the tar pipe over ssh. E.g.:
$ tar cf - /home/myuser | compress -c | ssh user@host "( uncompress -c | tar xvf - )"
Surprised not to see it mentioned.
… I assume it is faster than normal everyday “scp -C”, right?
BTW, why not use gzip and/or bzip2 for compression?
It’s faster and you can throw sudo’s in there to copy files you don’t own if needed. Gzip isn’t installed on every unix, it certainly isn’t on our reduced DMZ builds. It’s also more flexible : you can only copy a predefined list of files, or use find to pipe a list of files into the tar. It also has the added bonus of confusing those new to unix 😉
Numerous other apps can use SSH. I use svn for version control over ssh with password-less auth. Rsync is another big one — excellent for transferring a whole website to the host securely. And, rsync only transfers modified files, which makes the whole process of updating a huge site secure and painless.
svn co svn+ssh://repo/module
svn commit # and svn commits over ssh tunnel
rsync -e ssh src [user@host:]dest
Why the extra pipes with compress? Just add -j (BZip2) or -z (GZip) to the tar command to do the compression/uncompression automatically in one go.
Not every *nix’ tar command supports -j or -z for compression.
“It’s a shame the author didn’t mention it.”
Maybe he didn’t want to write a 5000 word essay on how to configure kerberos.
“When the program asks for the key password, we should just press ENTER – this way, a passwordless key will be created.”
This is such bad advice it hurts my brain. Hasn’t this guy heard of ssh-agent?
maybe he is using ssh only on his local network where a password isn’t needed? maybe???
Using SSHFS in a wireless local network is a lot more secure than NFS or Samba shares. Couple it with ssh-agent and you get hassle-free and very secure file sharing between your computers in the network.
Except for one minor issue I’ve had: For some reason, SSHFS crashes and sometimes even makes the whole system crash. At least if you’re running Ubuntu (tested in Hoary, Breezy and Dapper). I’ve tried it with several machines and it’s always the same thing. When you unmount shares, it says “Segmentation fault” and sometimes the graphics in your X session get garbled and the whole system crashes. If anyone knows what’s wrong, any advice would be much appreciated.
I must share a tip I’m using daily. Commuting to work, I sometimes need to spend half an hour waiting for a train on a public train station. They have a wireless Internet connection you may use if you pay for it. However, by changing the SSH port on my server to e.g. 7722, I can now connect to it using ‘ssh -p 7722 my.server.com’ and use the Internet connection for free! I know, it may not be perfectly legal, but in my opinion they should blame themselves for not disabling the traffic on the port.
Anyway, if you often spend time on public paid-for wireless spots, go ahead and try it out!
“maybe he is using ssh only on his local network where a password isnt needed? maybe???”
That’s no excuse for teaching bad and insecure habits.
picking your nose is a bad habit….nothing wrong with doing it at home though!
no password SSH is a bad habit…nothing wrong with doing it at home though!
a little bit of warning in the article would have been good – sort of like your mother telling you to not pick your nose in public maybe!
“picking your nose is a bad habit….nothing wrong with doing it at home though!”
No one’s actively trying to teach you to pick your nose though.