SSH

Friday, September 2, 11

An Overview

SSH was created in 1995 by a university researcher in Finland.
It was initially open source, but went closed source in 1999.
OpenSSH was created in 1999 as a fork of the last open source SSH code.

What SSH Does

SSH handles setting up and running an encrypted connection over TCP.

...which means...

SSH can handle secure remote logins (ssh)
SSH can handle secure file copy (scp)
SSH can even drive secure FTP (sftp)

Core SSH programs

ssh is the client
sshd is the server
If sshd is not running, you will not be able to connect to it with ssh.

SSH Authentication Methods

Password
Public/private keypair
Host-based authentication

Password Authentication

Example Without SSH Keys

your-box (ssh) -> box-1 (sshd)

Prompts for Password

your-box (ssh) -> box-1 (sshd)

your-box> ssh box-1
password:

box-1>

Keypair Authentication

Example With SSH Keys

your-box (ssh) -> box-1 (sshd)

Step 1: Generate Keys

your-box> ssh-keygen

Public / Private Keypair

your-box:
~/.ssh/id_rsa
~/.ssh/id_rsa.pub

Private Key: id_rsa

your-box:
~/.ssh/id_rsa
~/.ssh/id_rsa.pub

Private keys should be kept secret; do not share them with anyone.

Public Key: id_rsa.pub

your-box:
~/.ssh/id_rsa
~/.ssh/id_rsa.pub

Public keys are meant to be shared.

Copy Public Key to box-1

your-box:                  box-1:
~/.ssh/id_rsa
~/.ssh/id_rsa.pub    ->    ~/.ssh/authorized_keys

~/.ssh/authorized_keys

Houses all public keys for people who can authenticate as a user on a machine.
When copying public keys, append to the file; do not overwrite the file.

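The append step as an added example (POSIX sh) that is not from the deck: it refuses input that is not shaped like a public key, skips keys already present, and keeps the .ssh directory and file at the permissions sshd's StrictModes expects; the key strings in the demo are constructed, not real keys.

```shell
# Added example (not from the deck): copy a public key into authorized_keys
# the way the slide says, by appending, never overwriting, with the checks a
# careful admin adds on top:
#   - refuse anything not shaped like an OpenSSH public key (a private key
#     pasted by mistake, a whole file of keys)
#   - skip a key that is already present, even if its trailing comment differs
#   - keep ~/.ssh at 0700 and authorized_keys at 0600, since sshd's default
#     StrictModes ignores keys in group- or world-writable files
# The keys in the demo below are constructed strings, not real key material.

# add_authorized_key PUBKEY_FILE AUTHORIZED_KEYS_FILE
add_authorized_key() {
  pub="$1"; akf="$2"
  line=$(head -n 1 "$pub") || return 1
  # an OpenSSH public key line is: key type, base64 blob, optional comment
  case "$line" in
    "ssh-ed25519 "[A-Za-z0-9+/]*|"ssh-rsa "[A-Za-z0-9+/]*|"ecdsa-sha2-nistp"*" "[A-Za-z0-9+/]*) ;;
    *) echo "refusing: $pub does not look like an OpenSSH public key" >&2; return 1 ;;
  esac
  ktype=$(printf '%s\n' "$line" | awk '{ print $1 }')
  kblob=$(printf '%s\n' "$line" | awk '{ print $2 }')

  dir=$(dirname "$akf")
  mkdir -p "$dir" || return 1
  # only tighten a directory actually named .ssh; never chmod "." by accident
  case "$dir" in */.ssh|.ssh) chmod 700 "$dir" ;; esac
  [ -f "$akf" ] || : > "$akf"
  chmod 600 "$akf"

  # duplicate check on key type + key material only; lines in authorized_keys
  # may carry options (from="...",command="...") before the type, so scan fields
  if awk -v t="$ktype" -v b="$kblob" \
       '{ for (i = 1; i < NF; i++) if ($i == t && $(i + 1) == b) found = 1 }
        END { exit !found }' "$akf"; then
    echo "already present in $akf: $ktype key, not adding again" >&2
    return 0
  fi
  printf '%s\n' "$line" >> "$akf"   # append with >>; a single > would overwrite the file
}

# count_authorized_keys AUTHORIZED_KEYS_FILE
#   number of key lines, ignoring blank lines and comments
count_authorized_keys() {
  grep -c -v -e '^[[:space:]]*$' -e '^[[:space:]]*#' "$1"
}

# Demo: one constructed key, added twice; the second copy is skipped.
demo=$(mktemp -d)
printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedNotARealKey000000 you@your-box' > "$demo/id_ed25519.pub"
add_authorized_key "$demo/id_ed25519.pub" "$demo/box-1/.ssh/authorized_keys"
add_authorized_key "$demo/id_ed25519.pub" "$demo/box-1/.ssh/authorized_keys"
count_authorized_keys "$demo/box-1/.ssh/authorized_keys"   # 1
rm -rf "$demo"
```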
No password required!

your-box (ssh) -> box-1 (sshd)

your-box> ssh box-1

box-1>

Host-based Authentication

Host-based Authentication

Doesn't require user credentials (password or key)
Provides trust based on hostname and userid
Userid on both systems has to be the same
Disabled by default -- not that useful

SSH Basics

Configuration Files

Server Configuration Files
This is read automatically by sshd when it starts.

sshd config: /etc/sshd_config

Depending on the installation method, system config locations may vary;
e.g. MacPorts installs in /opt/local/etc/ssh/

Client Configuration Files
These are read automatically by ssh when it runs.

system-wide ssh config: /etc/ssh_config
user-specific ssh config: ~/.ssh/config

Depending on the installation method, system config locations may vary;
e.g. MacPorts installs in /opt/local/etc/ssh/

Custom Client Configuration Files
ssh will not read these on its own; use the -F option.

You can put custom config files anywhere you want.
ssh -F /foo/bar/custom_ssh.cfg

Secure Logins

Login Example #1

ssh user@example.com

Login Example #2

ssh example.com

What's the difference from example #1?

Login Example #3
Logging in on a non-default port.

ssh -p 45000 example.com

What's the default SSH port anyway?

Login Example #4
Log in, run a command, and exit.

ssh example.com <command here>
ssh example.com ls -l
ssh example.com hostname

Anything with special characters such as quotes, backticks, etc. needs to be escaped.

Agent / Key Forwarding
Without them, with them

Example Without SSH Keys

your-box -> box-1
your-box -> box-2

your-box> ssh box-1

your-box> ssh box-1
password:

Password required

your-box> ssh box-2

your-box> ssh box-2
password:

Password required

your-box to box-1 to box-2

your-box> ssh box-1
password:

box-1> ssh box-2
password:

Passwords required each step of the way!

Updated Example with SSH Keys

your-box> ssh-keygen

Copy the public key to ~/.ssh/authorized_keys on each remote host.

your-box: id_rsa, id_rsa.pub
box-1: authorized_keys
box-2: authorized_keys

your-box> ssh box-1

your-box> ssh box-1
box-1>
success

your-box> ssh box-2

your-box> ssh box-2
box-2>
success

your-box to box-1 to box-2

your-box> ssh box-1
box-1>
success

box-1> ssh box-2
password:

Password required at the second step!

Enter Agent/Key Forwarding

your-box to box-1 to box-2

your-box> ssh -A box-1
box-1>
success

box-1> ssh -A box-2
box-2>
success

Your SSH Key Gets Forwarded

your-box (id_rsa, id_rsa.pub) -> box-1 -> box-2

Command Line Agent Forwarding

ssh -A example.com

Use -a to explicitly turn off forwarding for an ssh session.

Host Configured

Host inspire.staging
ForwardAgent yes

Per-user: ~/.ssh/config
System-wide: /etc/ssh_config

Capistrano Configured (Ruby)

ssh_options[:forward_agent] = true

Capistrano's deploy.rb
Provided by the net/ssh library.

SSH Server has final say!

AllowAgentForwarding no

System-wide: /etc/sshd_config
Defaults to "yes" -- so pretty much ignore.

When/Why #1 - Everyday Usage

When SSH'ing from box to box to box (i.e. multiple servers)
Greatly reduces the need to copy over public/private key files
It (usually) just works!

When/Why #2 - Deploys

No need to manage additional SSH key pairs for machines that you want to deploy to
If you have access to it and you do the deploying, the remote machine will just SSH in as you!
It (usually) just works!

...remember...

You still need to copy public key file contents to ~/.ssh/authorized_keys
Agent forwarding doesn't work for automated workflows where a user is taken out of the equation, e.g. our automated deploy from TeamCity for Inspire

Port Forwarding
Local, Remote, Magic

Local Port Forwarding

Local Port Forwarding Example

your-box -> box-1 (sshd) -> box-2 (www)
[box-1 and box-2 are on a private network]

your-box to www on box-2

your-box -> box-1 (sshd; public IP + local IP) -> box-2 (www; local IP)
[box-1 and box-2 are on a private network]

Can't access box-2 directly

your-box -X-> box-2
your-box -> box-1 (sshd; public IP + local IP) -> box-2 (www; local IP)
[box-1 and box-2 are on a private network]

With Local Port Forwarding

your-box -> box-1 (sshd; public IP + local IP) -> box-2 (www; local IP)

your-box> ssh -L 8000:box-2:80 box-1
box-1>
success

A Tunnel is Made!

your-box:8000 -> box-1 (sshd) -> box-2:80 (www)

your-box> ssh -L 8000:box-2:80 box-1
box-1>
success

box-2 doesn't have to run sshd

your-box -> box-1 (sshd; public IP + local IP) -> box-2 (www; local IP)

Command Line Local Port Forwarding

ssh -L localport:host:hostport example.com

localport is the port on your machine,
host is the remote box to tunnel to,
hostport is the port on the remote box to tunnel to

Sharing Your Tunnel

bobs-box -> your-box:8000 -> box-1 (sshd; public IP + local IP) -> box-2:80 (www; local IP)

your-box> ssh -L 8000:box-2:80 -g box-1
box-1>
success

Command Line Local Port Forwarding

ssh -L localport:host:hostport -g example.com

-g allows others to connect to your forwarded port

Host Configured

Host inspire.staging
LocalForward 8000:box-2:80

Per-user: ~/.ssh/config
System-wide: /etc/ssh_config

SSH Server has final say!

AllowTcpForwarding no

System-wide: /etc/sshd_config
Defaults to "yes" -- so pretty much ignore.

When/Why

Access normally unreachable resources on an internal network from anywhere on the internet

Remote Port Forwarding

Remote Port Forwarding Example

your-box   box-1 (sshd)   box-2
[box-1 and box-2 are on a private network]

box-2 to your-box

your-box (local IP)   box-1 (sshd; public IP + local IP)   box-2 (local IP)
[box-1 and box-2 are on a private network]

box-2 can't talk to your-box

box-2 -X-> your-box
your-box (local IP)   box-1 (sshd; public IP + local IP)   box-2 (local IP)
[box-1 and box-2 are on a private network]

With Remote Port Forwarding

your-box (local IP)   box-1 (sshd; public IP + local IP)   box-2 (local IP)

your-box> ssh -R 8000:localhost:80 box-1
box-1>

success

A Reverse Tunnel Is Made!

your-box:80 <- box-1:8000 (sshd) <- box-2 (http://box-1:8000)

your-box> ssh -R 8000:localhost:80 box-1
box-1>

success

Command Line Remote Port Forwarding

ssh -R remoteport:host:hostport example.com

remoteport is the port on the machine you ssh into,
host is the local box to tunnel to,
hostport is the port on the local box to tunnel to

-g is not supported for remote forwarding

Host Configured

Host inspire.staging
RemoteForward 8000:localhost:80

Per-user: ~/.ssh/config
System-wide: /etc/ssh_config

SSH Server has final say!

AllowTcpForwarding no

System-wide: /etc/sshd_config
Defaults to "yes" -- so pretty much ignore.

When/Why

Allow outside resources to connect to your box, or another machine on a private network
Example: testing web callbacks

~/.ssh/config
User-specified SSH configuration

Host Configuration
Host is the section identifier
Any time Host shows up, a new section is started
Host is whatever you want to refer to the connection as

Host inspire
HostName staging.inspirehq.com
User inspire

Host inspire.production
HostName inspirehq.com
User inspire
(file: ~/.ssh/config)

HostName Configuration

HostName is the real host name to log into
Can be an IP address or domain name

Host inspire
HostName staging.inspirehq.com
User inspire

Host inspire.production
HostName inspirehq.com
User inspire
(file: ~/.ssh/config)

User Configuration

User is the user to log in as
Can be overridden on the command line

Host inspire
HostName staging.inspirehq.com
User inspire

Host inspire.production
HostName inspirehq.com
User foobar
(file: ~/.ssh/config)

Port Configuration

Port defines which port SSH connects on
Can be overridden on the command line

Host inspire
HostName staging.inspirehq.com
User inspire
Port 45000
(file: ~/.ssh/config)

Local/Remote Port Forwarding

LocalForward
RemoteForward

Host inspire
HostName staging.inspirehq.com
User inspire
LocalForward 8080:example.com:80
RemoteForward 8080:example.com:80
(file: ~/.ssh/config)

GatewayPorts
GatewayPorts specifies whether or not remote hosts can connect to local forwarded ports
Works in conjunction with LocalForward
Defaults to no

Host inspire
HostName staging.inspirehq.com
User inspire
LocalForward 8080:example.com:80
GatewayPorts yes
(file: ~/.ssh/config)

ServerAliveInterval
ServerAliveInterval sets a time interval in seconds after which, if no data has been received from the server, ssh will send a message to the server
Defaults to 0, meaning this will never be sent
This can be used to keep SSH connections alive

Host inspire
HostName staging.inspirehq.com
User inspire
LocalForward 8080:example.com:80
GatewayPorts yes
ServerAliveInterval 5
(file: ~/.ssh/config)

> ssh inspire

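How ssh picks values out of this file, as an added example (POSIX sh + awk) that is not from the deck: for each keyword the first obtained value wins across Host blocks, which is why a catch-all Host * belongs at the end. The same function serves the "SSH Server has final say" slides, since sshd_config follows the same first-value-wins rule for AllowAgentForwarding and AllowTcpForwarding, and it returns the LocalForward/RemoteForward entries from the port forwarding slides. Assumptions: Match blocks are not handled, and the config files in the demo are constructed.

```shell
# Added example (not from the deck): resolve what `ssh ALIAS` will actually
# use from a client config file, applying the rule ssh_config follows: for
# each keyword the FIRST obtained value wins. That is why a catch-all
# `Host *` belongs at the bottom of ~/.ssh/config (it then only supplies
# defaults) and why the same block at the top would silently override every
# per-host setting below it. Multi-valued keywords (LocalForward,
# RemoteForward) are returned in full when "all" is passed as 4th argument.
# Assumptions: keywords are case-insensitive; a Host line may list several
# patterns, with `*` and `?` wildcards and a leading `!` for negation;
# Match blocks and the `Host=value` spelling are not handled.

# ssh_config_lookup FILE ALIAS KEYWORD [all]
#   prints the value(s) ssh would use; exit status 1 if the keyword is not set
ssh_config_lookup() {
  awk -v alias="$2" -v want="$3" -v all="$4" '
    function glob2re(p,  r) {
      r = p
      gsub(/[][.+^$(){}|]/, "\\\\&", r)   # escape regex metacharacters
      gsub(/[*]/, ".*", r)                 # * matches any run of characters
      gsub(/[?]/, ".", r)                  # ? matches exactly one character
      return "^" r "$"
    }
    # Does the Host line just read (patterns in $2..$NF) apply to the alias?
    function host_matches(   i, pat, neg, hit) {
      hit = 0
      for (i = 2; i <= NF; i++) {
        pat = $i; neg = 0
        if (substr(pat, 1, 1) == "!") { neg = 1; pat = substr(pat, 2) }
        if (alias ~ glob2re(pat)) {
          if (neg) return 0   # a matching negated pattern excludes the block
          hit = 1
        }
      }
      return hit
    }
    BEGIN { active = 1; want = tolower(want) }  # lines before any Host block apply everywhere
    {
      sub(/#.*/, "")                            # drop comments
      sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "")
      if ($0 == "") next
      kw = tolower($1)
      if (kw == "host") { active = host_matches(); next }
      if (active && kw == want) {
        val = $0
        sub(/^[^ \t=]+[ \t=]+/, "", val)        # keyword and value: blanks or "=" between them
        print val
        found = 1
        if (all != "all") exit                  # first obtained value wins
      }
    }
    END { if (!found) exit 1 }
  ' "$1"
}

# sshd_setting FILE KEYWORD DEFAULT
#   the server has the final say: report what sshd will use for a single-valued
#   option such as AllowTcpForwarding, falling back to DEFAULT when the file
#   does not set it. sshd_config has no Host blocks, so the alias is irrelevant.
sshd_setting() {
  ssh_config_lookup "$1" - "$2" || printf '%s\n' "$3"
}

# Demo on a constructed config modelled on the slides' Host entries.
demo_config=$(mktemp)
cat > "$demo_config" <<'EOF'
Host inspire
  HostName staging.inspirehq.com
  User inspire
  Port 45000
  LocalForward 8080:example.com:80
  LocalForward 8443:example.com:443

Host inspire.production
  HostName inspirehq.com
  User foobar

# defaults for everything else; kept last so they never shadow the blocks above
Host *
  User inspire
  ForwardAgent no
EOF
ssh_config_lookup "$demo_config" inspire HostName          # staging.inspirehq.com
ssh_config_lookup "$demo_config" inspire.production User   # foobar
ssh_config_lookup "$demo_config" inspire ForwardAgent      # no  (taken from Host *)
ssh_config_lookup "$demo_config" inspire LocalForward all  # both LocalForward lines
rm -f "$demo_config"
```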
man ssh_config

Overuse ~/.ssh/config

SSHing into an IP more than once?
SSHing into crazy domains? (e.g. Amazon)
Looking up an IP or hostname routinely?
Save it in ~/.ssh/config

...skipping server configuration...

SSH and Other apps

scp: secure file copy

copy single file

scp file1 example.com:

copy multiple files

scp file1 file2 example.com:

copy to other locations

scp file1 example.com:foo/bar

scp file1 example.com:/foo/bar

scp doesn't copy directories

scp dir/ example.com:foo/bar

dir/: not a regular file

rsync: remote file copying

copy single file

rsync -avz file1 example.com:

copy directory

rsync -avz dir/ example.com:

rsync does so much more

incremental file transfers (only transfers what's different)
include/exclude files and directories
include/exclude file name patterns
can copy files from a remote box to a local box
can copy files from a local box to a remote box

git

git/ssh info

Can run over SSH
Supports SSH client configuration files
Can set a specific SSH binary using the GIT_SSH environment variable

The End

Ā 

More from Zach Dennis

A Brief, Very Very Brief Intro to Systems Thinking
A Brief, Very Very Brief Intro to Systems ThinkingA Brief, Very Very Brief Intro to Systems Thinking
A Brief, Very Very Brief Intro to Systems ThinkingZach Dennis
Ā 
BTLE (Bluetooth Low Energy) and CoreBluetooth
BTLE (Bluetooth Low Energy) and CoreBluetooth BTLE (Bluetooth Low Energy) and CoreBluetooth
BTLE (Bluetooth Low Energy) and CoreBluetooth Zach Dennis
Ā 
Sand Piles and Software - Madison Ruby Conference
Sand Piles and Software - Madison Ruby ConferenceSand Piles and Software - Madison Ruby Conference
Sand Piles and Software - Madison Ruby ConferenceZach Dennis
Ā 
Discovering patterns
Discovering patternsDiscovering patterns
Discovering patternsZach Dennis
Ā 
JavaScript Code Organizations, Patterns Slides - Zach Dennis
JavaScript Code Organizations, Patterns Slides - Zach DennisJavaScript Code Organizations, Patterns Slides - Zach Dennis
JavaScript Code Organizations, Patterns Slides - Zach DennisZach Dennis
Ā 
Balancing the Pendulum: Reflecting on BDD in Practice
Balancing the Pendulum: Reflecting on BDD in PracticeBalancing the Pendulum: Reflecting on BDD in Practice
Balancing the Pendulum: Reflecting on BDD in PracticeZach Dennis
Ā 

More from Zach Dennis (6)

A Brief, Very Very Brief Intro to Systems Thinking
A Brief, Very Very Brief Intro to Systems ThinkingA Brief, Very Very Brief Intro to Systems Thinking
A Brief, Very Very Brief Intro to Systems Thinking
Ā 
BTLE (Bluetooth Low Energy) and CoreBluetooth
BTLE (Bluetooth Low Energy) and CoreBluetooth BTLE (Bluetooth Low Energy) and CoreBluetooth
BTLE (Bluetooth Low Energy) and CoreBluetooth
Ā 
Sand Piles and Software - Madison Ruby Conference
Sand Piles and Software - Madison Ruby ConferenceSand Piles and Software - Madison Ruby Conference
Sand Piles and Software - Madison Ruby Conference
Ā 
Discovering patterns
Discovering patternsDiscovering patterns
Discovering patterns
Ā 
JavaScript Code Organizations, Patterns Slides - Zach Dennis
JavaScript Code Organizations, Patterns Slides - Zach DennisJavaScript Code Organizations, Patterns Slides - Zach Dennis
JavaScript Code Organizations, Patterns Slides - Zach Dennis
Ā 
Balancing the Pendulum: Reflecting on BDD in Practice
Balancing the Pendulum: Reflecting on BDD in PracticeBalancing the Pendulum: Reflecting on BDD in Practice
Balancing the Pendulum: Reflecting on BDD in Practice
Ā 

Recently uploaded

Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
Ā 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
Ā 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
Ā 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
Ā 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
Ā 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
Ā 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
Ā 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
Ā 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
Ā 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
Ā 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
Ā 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
Ā 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
Ā 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
Ā 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
Ā 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024The Digital Insurer
Ā 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
Ā 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKJago de Vreede
Ā 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
Ā 

Recently uploaded (20)

Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
Ā 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
Ā 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
Ā 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
Ā 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
Ā 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Ā 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Ā 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Ā 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
Ā 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Ā 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Ā 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
Ā 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Ā 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Ā 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
Ā 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
Ā 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
Ā 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Ā 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
Ā 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
Ā 

SSH

  • 3. SSH was created in 1995 by Tatu Ylönen, then a researcher at Helsinki University of Technology in Finland. It was initially open source; later releases (by 1999) were closed source under a proprietary license. OpenSSH was created in 1999 as a fork of the last open source SSH release (ssh 1.2.12).
  • 4. What SSH Does. SSH sets up an encrypted, authenticated channel over a TCP connection (port 22 by default); remote logins, file copies and forwarded ports all travel inside that channel.
  • 5. ...which means.... SSH can handle secure remote logins (ssh), secure file copy (scp), and can even drive secure FTP (sftp).
  • 6. Core SSH programs. ssh is the client; sshd is the server. If sshd is not running on the remote host, you will not be able to connect to it with ssh.
  • 7. SSH Authentication Methods: password, public/private keypair, host-based authentication.
  • 9. Example Without SSH Keys: ssh on your-box connects to sshd on box-1.
  • 10. Prompts for Password:
        your-box> ssh box-1
        password:
        box-1>
  • 12. Example With SSH Keys: ssh on your-box connects to sshd on box-1.
  • 13. Step 1: Generate Keys
        your-box> ssh-keygen
  • 14. Public / Private Keypair. ssh-keygen leaves two files on your-box: ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub.
  • 15. Private Key: id_rsa. Private keys must be kept secret; do not share them with anyone. Give the key a passphrase when ssh-keygen asks for one, so a stolen file is not immediately usable.
  • 16. Public Key: id_rsa.pub. Public keys are meant to be shared.
  • 17. Copy Public Key to box-1: the contents of ~/.ssh/id_rsa.pub on your-box are added to ~/.ssh/authorized_keys on box-1.
  • 18. ~/.ssh/authorized_keys houses the public keys of everyone who may authenticate as that user on that machine. When copying public keys, append to the file, do not overwrite it, or you lock out everyone whose key was already there (ssh-copy-id does the append for you). sshd also ignores the file if ~/.ssh or authorized_keys is writable by anyone but the owner (StrictModes, on by default), so keep them at mode 700 and 600.
  • 19. No password required!
        your-box> ssh box-1
        box-1>
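The append-not-overwrite rule from slide 18, as an added shell example that is not part of the original deck: a small function that installs a public key line into an authorized_keys file idempotently (the same key pasted twice, even with a different comment, is stored once), fixes the directory and file modes that StrictModes requires, and rejects malformed lines. The key lines in the demo are constructed strings, not real keys, and the demo works on a temporary directory rather than your real ~/.ssh.

```shell
#!/bin/sh
# Added example, not from the original slides: install a public key into an
# authorized_keys file the way slide 18 says to -- append, never overwrite --
# while also making the operation idempotent and permission-safe.
# The key lines used in the demo below are constructed strings, not real keys.

# install_authorized_key <path to authorized_keys> "<one public key line>"
# Returns 0 if the key is present afterwards, 1 if the line is malformed.
install_authorized_key() {
    akfile=$1
    keyline=$2
    sshdir=$(dirname "$akfile")

    # With StrictModes (the sshd default) the file is ignored if ~/.ssh or
    # authorized_keys is writable by anyone but the owner, so fix modes first.
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    [ -f "$akfile" ] || : > "$akfile"
    chmod 600 "$akfile"

    # A line is "keytype blob comment" or "options keytype blob comment".
    # The base64 blob identifies the key; the comment is free text.
    blob=$(printf '%s\n' "$keyline" | awk '$1 ~ /^(ssh-|ecdsa-|sk-)/ {print $2; exit} {print $3; exit}')
    if [ -z "$blob" ]; then
        echo "install_authorized_key: malformed key line: $keyline" >&2
        return 1
    fi

    # Already there (possibly with a different comment)? Then do nothing.
    if awk -v b="$blob" '($1 ~ /^(ssh-|ecdsa-|sk-)/ ? $2 : $3) == b {f=1} END {exit !f}' "$akfile"; then
        return 0
    fi

    # Append. A single ">" here would wipe every other user's key.
    printf '%s\n' "$keyline" >> "$akfile"
}

# count_keys <path>: number of key lines in the file (for checking results).
count_keys() {
    wc -l < "$1" | tr -d ' '
}

# Demo on a throwaway directory instead of the real ~/.ssh.
demo_dir=$(mktemp -d)
demo_ak="$demo_dir/.ssh/authorized_keys"
alice="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyBlobForAlice000000000001 alice@your-box"
bob="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedKeyBlobForBob00000000002 bob@bobs-box"
install_authorized_key "$demo_ak" "$alice"
install_authorized_key "$demo_ak" "$bob"               # appended; alice is kept
install_authorized_key "$demo_ak" "$alice new-comment" # same blob: no duplicate
echo "$(count_keys "$demo_ak") keys in $demo_ak"
rm -rf "$demo_dir"
```

The blob comparison is what makes the function safe to run from a provisioning script on every boot: the file only grows when a genuinely new key arrives.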
  • 20. Host-based Authentication
  • 21. Host-based Authentication doesn't require user credentials (password or key). Trust is based on the client host's key together with its hostname and the userid. The userid on both systems has to be the same. Disabled by default, and not that useful.
  • 24. Server Configuration Files. This file is read automatically by sshd when it starts. sshd config: /etc/sshd_config (most Linux distributions use /etc/ssh/sshd_config instead). Depending on the installation method, system config locations may vary; e.g. MacPorts installs in /opt/local/etc/ssh/.
  • 25. Client Configuration Files. These are read automatically by ssh when it runs. System-wide ssh config: /etc/ssh_config (commonly /etc/ssh/ssh_config on Linux). User-specific ssh config: ~/.ssh/config. Depending on the installation method, system config locations may vary; e.g. MacPorts installs in /opt/local/etc/ssh/.
  • 26. Custom Client Configuration Files. ssh will not read these on its own; use the -F option. You can put custom config files anywhere you want:
        ssh -F /foo/bar/custom_ssh.cfg
  • 28. Login Example #1
        ssh user@example.com
  • 29. Login Example #2
        ssh example.com
        What's the difference from example #1? With no user given, ssh logs in with your local username (or whatever User is set for that host in ~/.ssh/config).
  • 30. Login Example #3: logging in on a non-default port.
        ssh -p 45000 example.com
        What's the default SSH port anyway? 22.
  • 31. Login Example #4: log in, run a command, and exit.
        ssh example.com <command here>
        ssh example.com ls -l
        ssh example.com hostname
        Everything after the host name is joined with spaces and handed to the remote login shell, which parses it a second time. Anything with special characters such as quotes, backticks, $ or whitespace therefore needs to be escaped or quoted for that second parse.
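The escaping problem from slide 31, as an added shell example (not from the original deck): a quoting helper that makes every argument survive the remote shell's second parse, next to the naive space-joined form that does not. Because the verifier cannot open an SSH session, the demo feeds the generated command string to a local `sh -c`, which parses it exactly as the remote login shell would. The host name in `ssh_run` is the deck's example.com placeholder; nothing connects anywhere unless you call `ssh_run` yourself.

```shell
#!/bin/sh
# Added example, not from the original slides: passing arguments safely to
# "ssh host <command>". ssh joins everything after the host name with spaces
# and the remote login shell parses that string again, so quotes, $, backticks
# and whitespace inside an argument must be escaped for that second parse.

# shquote <arg>: single-quote one word for a POSIX shell. The only character
# that needs care inside single quotes is ' itself, which becomes '\''
# (close the quotes, a backslash-escaped quote, reopen the quotes).
shquote() {
    printf "'%s'" "$(printf '%s\n' "$1" | sed "s/'/'\\\\''/g")"
}

# remote_command <cmd> [args...]: the single string to hand to ssh as the
# remote command; each argument arrives on the far side exactly as given.
remote_command() {
    out=""
    for arg in "$@"; do
        out="${out:+$out }$(shquote "$arg")"
    done
    printf '%s\n' "$out"
}

# naive_remote_command: what "ssh host $cmd $args" does with no quoting at
# all. Kept only to show the difference: $VAR and `...` inside an argument
# are expanded and executed on the remote side.
naive_remote_command() {
    printf '%s\n' "$*"
}

# ssh_run <host> <cmd> [args...]: log in, run the command, exit (slide 31),
# with the arguments quoted. Example: ssh_run example.com ls -l '/tmp/a b'
ssh_run() {
    host=$1
    shift
    ssh "$host" "$(remote_command "$@")"
}

# Demo: a local "sh -c" stands in for the remote login shell, so this runs
# offline. The argument is a constructed string with every awkward character.
arg='it'"'"'s $HOME `echo INJECTED` "quoted"  two-spaces'
echo "quoted : $(sh -c "$(remote_command echo "$arg")")"
echo "naive  : $(sh -c "$(naive_remote_command echo 'hello $HOME `echo INJECTED`')")"
```

The naive line is the one to remember: a file name or user-supplied value containing backticks or a semicolon becomes a command on the remote host. The quoted form turns each argument into an inert string, which is the same approach Capistrano and similar tools take when building remote command lines.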
  • 32. Agent / Key Forwarding: without it, with it.
  • 33. Example Without SSH Keys: your-box, box-1 and box-2.
  • 34. your-box> ssh box-1
        password:
        Password required.
  • 35. your-box> ssh box-2
        password:
        Password required.
  • 36. your-box to box-1 to box-2:
        your-box> ssh box-1
        password:
        box-1> ssh box-2
        password:
        Passwords required each step of the way!
  • 37. Updated Example with SSH Keys:
        your-box> ssh-keygen
        Copy the public key to ~/.ssh/authorized_keys on each remote host. id_rsa and id_rsa.pub stay on your-box; box-1 and box-2 each get an authorized_keys entry.
  • 38. your-box> ssh box-1
        box-1> success
  • 39. your-box> ssh box-2
        box-2> success
  • 40. your-box to box-1 to box-2:
        your-box> ssh box-1
        box-1> success
        box-1> ssh box-2
        password:
        Password required at the second step! box-1 holds your public key in authorized_keys but not your private key, so it cannot authenticate to box-2 as you.
  • 41. Enter Agent/Key Forwarding
  • 42. your-box to box-1 to box-2:
        your-box> ssh -A box-1
        box-1> success
        box-1> ssh -A box-2
        box-2> success
  • 43. Your SSH Agent Gets Forwarded. box-1 is given a channel back to the ssh-agent on your-box and asks it to sign box-2's authentication challenge. The private key itself (id_rsa) never leaves your-box; only the ability to use it while you are connected does.
  • 44. Command Line Agent Forwarding
        ssh -A example.com
        Use -a to explicitly turn off forwarding for an ssh session. Caveat: while the session is open, anyone with root on the remote host can talk to the forwarded agent socket and authenticate as you to any host that trusts your key, so only forward the agent to hosts you trust as much as your-box.
  • 45. Host Configured
        Host inspire.staging
          ForwardAgent yes
        Per-user: ~/.ssh/config. System-wide: /etc/ssh_config.
  • 46. Capistrano Configured (Ruby)
        ssh_options[:forward_agent] = true
        in Capistrano's deploy.rb. Provided by the net/ssh library.
  • 47. SSH Server has final say!
        AllowAgentForwarding no
        in the system-wide /etc/sshd_config. Defaults to "yes", so unless the server admin has turned it off you can pretty much ignore it.
  • 48. When/Why #1 - Everyday Usage. When SSH'ing from box to box to box (i.e. multiple servers). Greatly reduces the need to copy private key files around. It (usually) just works!
  • 49. When/Why #2 - Deploys. No need to manage additional SSH key pairs for machines that you want to deploy to. If you have access to it and you do the deploying, the remote machine will just SSH in as you! It (usually) just works!
  • 50. ...remember... You still need to copy public key file contents to ~/.ssh/authorized_keys. Agent forwarding doesn't work for automated workflows where a user is taken out of the equation (there is no logged-in user's agent to forward), i.e. our automated deploy from TeamCity for Inspire.
  • 51. Port Forwarding: Local, Remote, Magic
  • 52. Local Port Forwarding
  • 53. Local Port Forwarding Example: your-box; box-1 (running sshd) and box-2 (running www) on a private network.
  • 54. your-box to www on box-2. box-1 has a public IP and a local IP on the private network; box-2 has only a local IP.
  • 55. Can't access box-2 directly: your-box has no route to box-2's local IP.
  • 56. With Local Port Forwarding:
        your-box> ssh -L 8000:box-2:80 box-1
        box-1> success
  • 57. A Tunnel is Made! Connections to port 8000 on your-box travel inside the SSH session to box-1, which opens an ordinary TCP connection to box-2:80 on the private network.
  • 58. box-2 doesn't have to run sshd; only box-1 does. Note that the hop from box-1 to box-2 is plain TCP, not protected by SSH.
  • 59. Command Line Local Port Forwarding
        ssh -L localport:host:hostport example.com
        localport is the port on your machine, host is the remote box to tunnel to, hostport is the port on that remote box. host is resolved by the SSH server, not by your machine, so it can be a private name or address that your-box cannot reach.
  • 60. Sharing Your Tunnel:
        your-box> ssh -L 8000:box-2:80 -g box-1
        box-1> success
        bobs-box can now connect to your-box:8000 and reach www on box-2.
  • 61. Command Line Local Port Forwarding
        ssh -L localport:host:hostport -g example.com
        -g allows others to connect to your forwarded port; without it the port is bound to localhost on your-box only. Anyone who can reach your-box:8000 gets to box-2:80 without any SSH authentication of their own.
  • 62. Host Configured
        Host inspire.staging
          LocalForward 8000 box-2:80
        In the config file the local port and host:hostport are two separate words. Per-user: ~/.ssh/config. System-wide: /etc/ssh_config.
  • 63. SSH Server has final say!
        AllowTcpForwarding no
        in the system-wide /etc/sshd_config. Defaults to "yes", so unless the server admin has turned it off you can pretty much ignore it.
  • 64. When/Why: access normally unreachable resources on an internal network from anywhere you can reach the SSH server.
  • 66. Remote Port Forwarding Example: your-box; box-1 (running sshd) and box-2 on a private network.
  • 67. box-2 to your-box. your-box has only a local IP (behind NAT); box-1 has a public IP; box-2 has a local IP on the private network.
  • 68. box-2 can't talk to your-box: there is no route in to your-box's local IP.
  • 69. With Remote Port Forwarding:
        your-box> ssh -R 8000:localhost:80 box-1
        box-1> success
  • 70. A Reverse Tunnel Is Made! box-2 connects to http://box-1:8000; sshd on box-1 carries that connection back through the SSH session to port 80 on your-box.
  • 71. Command Line Remote Port Forwarding
        ssh -R remoteport:host:hostport example.com
        remoteport is the port opened on the machine you ssh into, host is the box on your side to tunnel to (localhost for your-box itself), hostport is the port on that box.
  • 72. -g is not supported for remote forwarding. Whether box-1:8000 listens on all of box-1's interfaces (so box-2 can reach it) or only on box-1's loopback is decided by the server: the GatewayPorts setting in sshd_config, which defaults to no.
  • 73. Host Configured
        Host inspire.staging
          RemoteForward 8000 localhost:80
        Per-user: ~/.ssh/config. System-wide: /etc/ssh_config.
  • 74. SSH Server has final say!
        AllowTcpForwarding no
        in the system-wide /etc/sshd_config. Defaults to "yes", so unless the server admin has turned it off you can pretty much ignore it.
  • 75. When/Why: allow outside resources to connect to your box, or to another machine on a private network. Example: testing web callbacks.
  • 76. ~/.ssh/config: user-specified SSH configuration.
  • 77. Host Configuration. Host is the section identifier; any time Host shows up a new section is started. Host is whatever you want to refer to the connection as.
        Host inspire
          HostName staging.inspirehq.com
          User inspire

        Host inspire.production
          HostName inspirehq.com
          User inspire
  • 78. HostName Configuration. HostName is the real host name to log into; it can be an IP address or a domain name.
  • 79. User Configuration. User is the user to log in as; it can be overridden on the command line (ssh otheruser@inspire).
        Host inspire
          HostName staging.inspirehq.com
          User inspire

        Host inspire.production
          HostName inspirehq.com
          User foobar
  • 80. Port Configuration. Port defines which port to connect to; it can be overridden on the command line with -p.
        Host inspire
          HostName staging.inspirehq.com
          User inspire
          Port 45000
  • 81. Local/Remote Port Forwarding: LocalForward and RemoteForward (the config forms of -L and -R; port and host:hostport are two words).
        Host inspire
          HostName staging.inspirehq.com
          User inspire
          LocalForward 8080 example.com:80
          RemoteForward 8080 example.com:80
  • 82. GatewayPorts specifies whether remote hosts may connect to your locally forwarded ports; it works in conjunction with LocalForward and is the config equivalent of -g. Defaults to no.
        Host inspire
          HostName staging.inspirehq.com
          User inspire
          LocalForward 8080 example.com:80
          GatewayPorts yes
  • 83. ServerAliveInterval sets a time interval in seconds after which, if no data has been received from the server, ssh sends a message through the encrypted channel to the server. Defaults to 0, meaning the message is never sent. This can be used to keep SSH connections alive through NAT devices and firewalls that drop idle connections.
        Host inspire
          HostName staging.inspirehq.com
          User inspire
          LocalForward 8080 example.com:80
          GatewayPorts yes
          ServerAliveInterval 5
  • 84. > ssh inspire
  • 86. Overuse ~/.ssh/config. SSHing into an IP more than once? SSHing into crazy domains (i.e. Amazon)? Looking up an IP or hostname routinely? Save it in ~/.ssh/config.
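A complete ~/.ssh/config that pulls together the Host, HostName, User, Port, forwarding, ForwardAgent and keep-alive options from the slides above, as an added example that is not part of the original deck. Host names, addresses and user names are made up. Two things it shows that the slides do not: options are first-match-wins, so the catch-all `Host *` block with the safe defaults belongs at the end, not the top; and `ProxyJump` (OpenSSH 7.3 and later, so newer than this deck) reaches the private box-2 through box-1 by tunnelling the second SSH connection inside the first, which removes the need to forward your agent to box-1 at all.

```text
# Added example ~/.ssh/config (not from the original slides).
# Host names, addresses, users and ports are made up.

# Public bastion: the only machine here reachable from the internet.
Host bastion
    HostName bastion.example.com
    User deploy
    Port 45000
    IdentityFile ~/.ssh/id_ed25519

# Internal web box, reached through the bastion. ProxyJump (OpenSSH 7.3+)
# runs the second connection inside the first, so box-1/bastion never sees
# your agent and the private key stays on your-box. The LocalForward below
# makes http://localhost:8000 on your-box reach port 80 on box-2.
Host box-2
    HostName 10.0.0.20
    User deploy
    ProxyJump bastion
    LocalForward 8000 localhost:80

# The one host where agent forwarding is deliberately allowed, for example to
# let git on that box pull with your key. Root there can use your agent while
# you are logged in, so this is a trust decision, not a convenience setting.
Host inspire.staging
    HostName staging.inspirehq.com
    User inspire
    ForwardAgent yes

# Defaults for everything else. Must come LAST: ssh takes the first value it
# finds for each option, so an earlier "Host *" would override the blocks above.
Host *
    ForwardAgent no
    IdentitiesOnly yes
    ServerAliveInterval 30
    ServerAliveCountMax 3
```

With this file in place, `ssh box-2` and `ssh -L 8000:localhost:80 -J bastion deploy@10.0.0.20 -p ...` are the same thing; the alias hides the hop, the forward and the port, which is exactly the "overuse ~/.ssh/config" advice above.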
  • 87. ...skipping server configuration...
  • 88. SSH and Other apps
  • 89. scp: secure file copy
  • 90. copy a single file:
        scp file1 example.com:
  • 91. copy multiple files:
        scp file1 file2 example.com:
  • 92. copy to other locations:
        scp file1 example.com:foo/bar    (relative to the remote home directory)
        scp file1 example.com:/foo/bar   (absolute path)
  • 93. scp doesn't copy directories by default:
        scp dir/ example.com:foo/bar
        dir/: not a regular file
        Use scp -r dir/ example.com:foo/bar to copy a directory recursively.
  • 94. rsync: remote file copying (over SSH)
  • 95. copy a single file:
        rsync -avz file1 example.com:
  • 96. copy a directory:
        rsync -avz dir/ example.com:
        The trailing slash matters: dir/ means "the contents of dir" and copies them straight into the remote home directory; rsync -avz dir example.com: creates dir on the remote side and copies into it.
  • 97. rsync does so much more: incremental file transfers (only transfers what's different); include/exclude files and directories; include/exclude file name patterns; can copy files from a remote box to a local box; can copy files from a local box to a remote box.
  • 99. git/ssh info. Git can run over SSH. It honours SSH client configuration files, so a Host alias from ~/.ssh/config works in a remote URL. It can be pointed at a specific SSH binary with the GIT_SSH environment variable (Git 2.3 and later also accept GIT_SSH_COMMAND, which may include options such as -F or -i).