Slides from a presentation I gave on SSH. Covers basics of ssh, password|keys|host-based authentication, agent/key forwarding, configuration files (global and user-specific), local/remote port forwarding, scp, rsync, and briefly mentions git's support.
3. SSH was created in 1995 by a researcher at a university in Finland
Was initially open source, went closed source in 1999
OpenSSH was created in 1999 as a fork of the last open source SSH code
Friday, September 2, 11
4. What SSH Does
SSH handles the setup and generation of an encrypted TCP connection
5. ...which means....
SSH can handle secure remote logins (ssh)
SSH can handle secure file copy (scp)
SSH can even drive secure FTP (sftp)
6. Core SSH programs
ssh is the client
sshd is the server
If sshd is not running, you will not be able to connect to it with ssh
14. Public / Private Keypair
your-box
~/.ssh/id_rsa
~/.ssh/id_rsa.pub
15. Private Key: id_rsa
Private keys should be kept secret, do not share them with anyone
16. Public Key: id_rsa.pub
Public keys are meant to be shared.
17. Copy Public Key to box-1
[diagram: ~/.ssh/id_rsa.pub on your-box is copied into ~/.ssh/authorized_keys on box-1]
18. ~/.ssh/authorized_keys
houses all public keys for people who can authenticate as a user on a machine
when copying public keys, append to the file, do not overwrite the file
19. No password required!
[diagram: ssh on your-box connects to sshd on box-1]
your-box> ssh box-1
box-1>
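The copy step from slides 17 to 19, as an added example that is not part of the deck: a small POSIX shell function that appends a public key to authorized_keys instead of overwriting it, skips keys already present, and sets the permissions sshd insists on. The function names, paths and the sample key are constructed for this example.

```shell
# Added example, not from the slides: append a public key to authorized_keys
# the way slide 18 asks (append, never overwrite), skipping keys already there
# and setting the permissions sshd requires. Paths and the sample key below are
# constructed; the function names are assumptions of this example.
add_authorized_key() {   # usage: add_authorized_key <pubkey-file> <authorized_keys-file>
  pub="$1" auth="$2"
  dir=$(dirname "$auth")
  mkdir -p "$dir" && chmod 700 "$dir"   # sshd refuses a ~/.ssh that others can write to
  touch "$auth" && chmod 600 "$auth"
  # Identify a key by type + key material only; the trailing comment varies per copy.
  keyid=$(awk 'NF >= 2 { print $1, $2; exit }' "$pub")
  [ -n "$keyid" ] || { echo "no key found in $pub" >&2; return 1; }
  if awk 'NF >= 2 { print $1, $2 }' "$auth" | grep -qxF "$keyid"; then
    echo "already present: $keyid"
    return 0
  fi
  # >> appends; > would wipe everyone else's access. printf guarantees a trailing newline.
  printf '%s\n' "$(cat "$pub")" >> "$auth"
  echo "added: $keyid"
}

# Number of keys currently authorized (one per line; blank and comment lines ignored).
count_keys() { grep -c '^ssh-' "$1"; }

# Demo on a constructed key in a throwaway directory (not a real key).
demo_dir=$(mktemp -d)
printf 'ssh-ed25519 AAAAEXAMPLEKEYMATERIAL alice@your-box\n' > "$demo_dir/alice.pub"
add_authorized_key "$demo_dir/alice.pub" "$demo_dir/ssh/authorized_keys"
add_authorized_key "$demo_dir/alice.pub" "$demo_dir/ssh/authorized_keys"   # second run is a no-op
echo "keys on box-1: $(count_keys "$demo_dir/ssh/authorized_keys")"        # 1
```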
20. Host-based Authentication
21. Host-based Authentication
Doesn’t require user credentials (password or key)
Provides trust based on hostname and userid
Userid on both systems has to be the same
Disabled by default -- not that useful
24. Server Configuration Files
This is read automatically by sshd when it starts.
sshd config: /etc/sshd_config
Depending on the installation method, the system config location may vary.
e.g. MacPorts installs in /opt/local/etc/ssh/
25. Client Configuration Files
These are read automatically by ssh when it is executed.
system-wide ssh config: /etc/ssh_config
user-specific ssh config: ~/.ssh/config
Depending on the installation method, the system config location may vary.
e.g. MacPorts installs in /opt/local/etc/ssh/
26. Custom Client Configuration Files
ssh will not read these on its own; use the -F option
You can put custom config files anywhere you want.
ssh -F /foo/bar/custom_ssh.cfg
29. Login Example #2
ssh example.com
What’s the difference from example #1?
30. Login Example #3
Logging in on a non-default port.
ssh -p 45000 example.com
What’s the default SSH port anyway?
31. Login Example #4
Log in, run a command, and exit.
ssh example.com <command here>
ssh example.com ls -l
ssh example.com hostname
Anything with special characters such as quotes, backticks, etc. needs to be escaped.
32. Agent / Key Forwarding
[diagram: without them vs. with them]
36. your-box to box-1 to box-2
[diagram: your-box -> box-1 -> box-2]
your-box> ssh box-1
password:
box-1> ssh box-2
password:
Passwords required each step of the way!
37. Updated Example with SSH Keys
your-box> ssh-keygen
copy public key to ~/.ssh/authorized_keys on each remote host
[diagram: id_rsa and id_rsa.pub on your-box; authorized_keys on box-1 and on box-2]
46. Capistrano Configured (Ruby)
In Capistrano’s deploy.rb:
ssh_options[:forward_agent] = true
Provided by the net/ssh library.
47. SSH Server has final say!
AllowAgentForwarding no
System-wide /etc/sshd_config
Defaults to “yes” -- so pretty much ignore.
48. When/Why #1 - Everyday Usage
When SSH’ing from box to box to box (i.e. multiple servers)
Greatly reduces the need to copy over public/private key files
It (usually) just works!
49. When/Why #2 - Deploys
No need to manage additional SSH key pairs for machines that you want to deploy to
If you have access to it and you do the deploying, the remote machine will just SSH in as you!
It (usually) just works!
50. ...remember...
You still need to copy public key file contents to ~/.ssh/authorized_keys
Agent forwarding doesn’t work for automated workflows where a user is taken out of the equation, e.g. our automated deploy from TeamCity for Inspire
51. Port Forwarding
Local, Remote, Magic
53. Local Port Forwarding Example
[diagram: your-box, box-1 running sshd, box-2 running www on the private network]
54. your-box to www on box-2
[diagram: your-box, box-1 (sshd; public IP and local IP), box-2 (www; local IP) on the private network]
55. Can’t access box-2 directly
[diagram: the direct path from your-box to box-2 is blocked; box-1 (sshd; public IP and local IP), box-2 (www; local IP) on the private network]
56. With Local Port Forwarding
[diagram: your-box, box-1 (sshd; public IP and local IP), box-2 (www; local IP)]
your-box> ssh -L 8000:box-2:80 box-1
box-1>
success
57. A Tunnel is Made!
[diagram: tunnel from your-box through box-1 (sshd) to www on box-2]
your-box> ssh -L 8000:box-2:80 box-1
box-1>
success
58. box-2 doesn’t have to run sshd
[diagram: your-box, box-1 (sshd; public IP and local IP), box-2 (www only, no sshd; local IP)]
59. Command Line Local Port Forwarding
ssh -L localport:host:hostport example.com
localport is the port on your machine,
host is the remote box to tunnel to,
hostport is the port on the remote box to tunnel to
60. Sharing Your Tunnel
[diagram: bobs-box also reaches www on box-2 through the port forwarded on your-box]
your-box> ssh -L 8000:box-2:80 -g box-1
box-1>
success
61. Command Line Local Port Forwarding
ssh -L localport:host:hostport -g example.com
-g allows others to connect to your forwarded port
66. Remote Port Forwarding Example
[diagram: your-box, box-1 running sshd, box-2 on the private network]
67. box-2 to your-box
[diagram: your-box (local IP), box-1 (sshd; public IP and local IP), box-2 (local IP) on the private network]
68. box-2 can’t talk to your-box
[diagram: the direct path from box-2 to your-box is blocked; your-box (local IP), box-1 (sshd; public IP and local IP), box-2 (local IP) on the private network]
69. With Remote Port Forwarding
[diagram: your-box (local IP), box-1 (sshd; public IP and local IP), box-2 (local IP)]
your-box> ssh -R 8000:localhost:80 box-1
box-1>
success
70. A Reverse Tunnel Is Made!
[diagram: http://box-1:8000 on box-1 reaches port 80 on your-box through the reverse tunnel]
your-box> ssh -R 8000:localhost:80 box-1
box-1>
success
71. Command Line Remote Port Forwarding
ssh -R remoteport:host:hostport example.com
remoteport is the port on the machine you ssh into,
host is the local box to tunnel to,
hostport is the port on the local box to tunnel to
72. -g is not supported for remote forwarding
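The spec format from slides 59 and 71 and the -g rules from slides 61 and 72, as an added example that is not part of the deck: a POSIX shell function that checks a port:host:hostport spec and assembles the ssh arguments, refusing -g for a remote forward. The function and its messages are constructed for this example; the box names are the slides' own.

```shell
# Added example, not from the slides: build the -L / -R arguments from a
# "port:host:hostport" spec (slides 59 and 71) and apply the rules the slides
# state, including that -g only exists for local forwards. Box names follow
# the slides; the function itself is an assumption of this example.
forward_args() {   # usage: forward_args local|remote <port:host:hostport> <ssh-host> [-g]
  mode="$1" spec="$2" gw="$3" share="${4:-}"
  oldIFS=$IFS; IFS=:; set -- $spec; IFS=$oldIFS   # split the spec on ':'
  [ $# -eq 3 ] && [ -n "$2" ] || { echo "spec must be port:host:hostport" >&2; return 1; }
  p1="$1" host="$2" p2="$3"
  for p in "$p1" "$p2"; do
    case $p in ''|*[!0-9]*) echo "port is not a number: $p" >&2; return 1;; esac
    [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "port out of range: $p" >&2; return 1; }
  done
  case $mode in
    local)  flag=-L ;;
    remote) flag=-R
            if [ -n "$share" ]; then
              echo "-g is ignored for -R; set GatewayPorts in sshd_config on $gw instead" >&2
              return 1
            fi ;;
    *) echo "mode must be local or remote" >&2; return 1 ;;
  esac
  # -g makes the listener reachable from every host that can reach your box,
  # not just localhost, so it stays off unless sharing the tunnel is the point.
  echo "ssh $flag $p1:$host:$p2 ${share:+-g }$gw"
}

forward_args local  8000:box-2:80     box-1       # slide 56: your-box reaches www on box-2
forward_args local  8000:box-2:80     box-1 -g    # slide 60: bobs-box may use the tunnel too
forward_args remote 8000:localhost:80 box-1       # slide 69: box-1:8000 -> port 80 on your-box
```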
74. SSH Server has final say!
AllowTcpForwarding no
System-wide /etc/sshd_config
Defaults to “yes” -- so pretty much ignore.
75. When/Why
Allow outside resources to connect to your box, or another machine on a private network
Example: testing web callbacks
76. ~/.ssh/config
User-specified SSH configuration
77. Host Configuration
Host is the section identifier
Any time Host shows up a new section is started
Host is whatever you want to refer to the connection as
your-box> ssh example.com
~/.ssh/config:
Host inspire
HostName staging.inspirehq.com
User inspire
Host inspire.production
HostName inspirehq.com
User inspire
78. HostName Configuration
HostName is the real host name to log into
Can be an IP address or a domain name
your-box> ssh example.com
~/.ssh/config:
Host inspire
HostName staging.inspirehq.com
User inspire
Host inspire.production
HostName inspirehq.com
User inspire
79. User Configuration
User is the user to log in as
Can be overridden on the command line
your-box> ssh example.com
~/.ssh/config:
Host inspire
HostName staging.inspirehq.com
User inspire
Host inspire.production
HostName inspirehq.com
User foobar
80. Port Configuration
Port defines which port SSH connects on
Can be overridden on the command line
your-box> ssh example.com
~/.ssh/config:
Host inspire
HostName staging.inspirehq.com
User inspire
Port 45000
81. Local/Remote Port Forwarding
LocalForward
RemoteForward
your-box> ssh example.com
~/.ssh/config:
Host inspire
HostName staging.inspirehq.com
User inspire
LocalForward 8080:example.com:80
RemoteForward 8080:example.com:80
82. GatewayPorts
GatewayPorts specifies whether or not remote hosts can connect to local forwarded ports
Works in conjunction with LocalForward
Defaults to no
your-box> ssh example.com
~/.ssh/config:
Host inspire
HostName staging.inspirehq.com
User inspire
LocalForward 8080:example.com:80
GatewayPorts yes
83. ServerAliveInterval
ServerAliveInterval sets a time interval in seconds after which, if no data has been received from the server, ssh will send a message to the server
Defaults to 0, meaning these messages are never sent
This can be used to keep SSH connections alive
your-box> ssh example.com
~/.ssh/config:
Host inspire
HostName staging.inspirehq.com
User inspire
LocalForward 8080:example.com:80
GatewayPorts yes
ServerAliveInterval 5
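How ssh resolves the Host sections from slides 77 to 83, as an added example that is not part of the deck: a small awk re-implementation of the lookup, to show that every Host line opens a new section and that, as in OpenSSH, the first matching value found wins (so a catch-all Host * belongs last). The functions, the "*" handling and the sample config are constructed for this example.

```shell
# Added example, not from the slides: a small awk re-implementation of how ssh
# picks an option out of ~/.ssh/config, to show that every "Host" line opens a
# new section and that, as in OpenSSH, the FIRST matching value found wins.
# Assumptions: only exact aliases and the "*" pattern are matched, and the
# config below is a constructed sample in the shape of the slides' own.
ssh_config_get() {            # usage: ssh_config_get <alias> <Option> <file>
  awk -v want="$1" -v key="$2" '
    function matches(pat) { return pat == "*" || pat == want }
    tolower($1) == "host" {                 # new section; does it apply to <alias>?
      inside = 0
      for (i = 2; i <= NF; i++) if (matches($i)) inside = 1
      next
    }
    inside && tolower($1) == tolower(key) && !found { print $2; found = 1 }
    END { exit !found }                     # non-zero exit when the option is unset
  ' "$3"
}

# Port falls back to the SSH default when no matching section sets it.
effective_port() { ssh_config_get "$1" Port "$CONFIG" || echo 22; }

CONFIG=$(mktemp)
cat > "$CONFIG" <<'EOF'
# constructed sample config
Host inspire
  HostName staging.inspirehq.com
  User inspire
  Port 45000

Host inspire.production
  HostName inspirehq.com

# Put catch-all defaults LAST: a "Host *" above the others would win instead.
Host *
  User fallback
  ServerAliveInterval 5
EOF

for alias in inspire inspire.production; do
  user=$(ssh_config_get "$alias" User "$CONFIG")
  host=$(ssh_config_get "$alias" HostName "$CONFIG")
  echo "$alias -> ssh -p $(effective_port "$alias") $user@$host"
done
```

On a real system, ssh -G <alias> prints the options ssh itself would use for that alias, which is the authoritative way to check a config file.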
86. Overuse ~/.ssh/config
SSHing into an IP more than once?
SSHing into crazy domains? (e.g. Amazon)
Looking up an IP or hostname routinely?
save it in ~/.ssh/config
97. rsync does so much more
incremental file transfers (only transfers what’s different)
include/exclude files and directories
include/exclude file name patterns
can copy files from a remote box to a local box
can copy files from a local box to a remote box
99. git/ssh info
Can run over SSH
Supports SSH client configuration files
Can be pointed at a specific SSH binary using the GIT_SSH environment variable