Slides from a presentation I gave on SSH. Covers basics of ssh, password|keys|host-based authentication, agent/key forwarding, configuration files (global and user-specific), local/remote port forwarding, scp, rsync, and briefly mentions git's support.
3. SSH was created in 1995 by a Finnish university researcher
Was initially open source, went closed source in 1999
OpenSSH was created in 1999 as a fork of the last open source SSH code
Friday, September 2, 11
4. What SSH Does
SSH handles the setup and generation of an encrypted TCP connection
5. ...which means...
SSH can handle secure remote logins (ssh)
SSH can handle secure file copy (scp)
SSH can even drive secure FTP (sftp)
6. Core SSH programs
ssh is the client
sshd is the server
If sshd is not running on a box you will not be able to connect to it with ssh
14. Public / Private Keypair
On your-box:
~/.ssh/id_rsa
~/.ssh/id_rsa.pub
15. Private Key: id_rsa
On your-box: ~/.ssh/id_rsa (private key), ~/.ssh/id_rsa.pub (public key)
Private keys should be kept secret, do not share them with anyone
16. Public Key: id_rsa.pub
On your-box: ~/.ssh/id_rsa (private key), ~/.ssh/id_rsa.pub (public key)
Public keys are meant to be shared.
17. Copy Public Key to box-1
your-box: ~/.ssh/id_rsa, ~/.ssh/id_rsa.pub  ->  box-1: ~/.ssh/authorized_keys
18. ~/.ssh/authorized_keys
Houses all public keys for people who can authenticate as a user on a machine
When copying public keys, append to the file, do not overwrite the file
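The "append, never overwrite" rule from slide 18 as a small POSIX sh helper. This is an added example, not from the deck: it assumes a home directory and a public key file as arguments, creates the file with the permissions sshd's default StrictModes expects, refuses lines that do not look like public keys, and is safe to re-run; the key line used below is constructed.

```shell
#!/bin/sh
# add_authorized_key <home-dir> <pubkey-file>
# Appends one public key line to <home-dir>/.ssh/authorized_keys.
# - creates ~/.ssh (0700) and authorized_keys (0600) if missing: sshd's
#   default StrictModes rejects keys in group/world-writable locations
# - refuses anything that does not look like a public key line, so a
#   private key pasted by mistake never lands in the file
# - skips keys that are already present, so re-running is harmless
add_authorized_key() {
    home_dir="$1"
    pubkey_file="$2"
    ssh_dir="$home_dir/.ssh"
    auth_keys="$ssh_dir/authorized_keys"

    key=$(head -n 1 "$pubkey_file")
    case "$key" in
        ssh-*|ecdsa-*|sk-*) ;;                 # OpenSSH public key types
        *) echo "not a public key line: $pubkey_file" >&2; return 1 ;;
    esac

    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    if [ ! -f "$auth_keys" ]; then
        : > "$auth_keys"
        chmod 600 "$auth_keys"
    fi

    # -F: literal match, -x: whole line; an existing copy means nothing to do
    if grep -qFx -- "$key" "$auth_keys"; then
        return 0
    fi
    # >> appends; a single > would wipe every other key in the file
    printf '%s\n' "$key" >> "$auth_keys"
}

# count_authorized_keys <home-dir>: number of key lines currently installed
count_authorized_keys() {
    f="$1/.ssh/authorized_keys"
    [ -f "$f" ] || { echo 0; return; }
    grep -c '^[a-z]' "$f" || true
}
```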
19. No password required!
your-box (ssh) -> box-1 (sshd)
your-box> ssh box-1
box-1>
20. Host-based Authentication
21. Host-based Authentication
Doesn't require user credentials (password or key)
Provides trust based on hostname and userid
The userid on both systems has to be the same
Disabled by default -- not that useful
24. Server Configuration Files
This is read automatically by sshd when it starts.
sshd config: /etc/sshd_config
Depending on the installation method, system config locations may vary.
e.g. MacPorts installs in /opt/local/etc/ssh/
25. Client Configuration Files
These are read automatically by ssh when it is executed.
system-wide ssh config: /etc/ssh_config
user-specific ssh config: ~/.ssh/config
Depending on the installation method, system config locations may vary.
e.g. MacPorts installs in /opt/local/etc/ssh/
26. Custom Client Configuration Files
ssh will not read these on its own; use the -F option
You can put custom config files anywhere you want.
ssh -F /foo/bar/custom_ssh.cfg
29. Login Example #2
ssh example.com
What's the difference from example #1?
30. Login Example #3
Logging in on a non-default port.
ssh -p 45000 example.com
What's the default SSH port anyway?
31. Login Example #4
Log in, run a command, and exit.
ssh example.com <command here>
ssh example.com ls -l
ssh example.com hostname
Anything with special characters such as quotes, backticks, etc. needs to be escaped, because the local shell expands them before ssh passes the command to the remote side.
32. Agent / Key Forwarding
Without them vs. with them
36. your-box to box-1 to box-2
your-box> ssh box-1
password:
box-1> ssh box-2
password:
box-2>
Passwords required each step of the way!
37. Updated Example with SSH Keys
your-box> ssh-keygen
Copy the public key to ~/.ssh/authorized_keys on each remote host
your-box: id_rsa, id_rsa.pub
box-1: authorized_keys
box-2: authorized_keys
46. Capistrano Configured (Ruby)
ssh_options[:forward_agent] = true
(in Capistrano's deploy.rb)
Provided by the net/ssh library.
47. SSH Server has final say!
AllowAgentForwarding no
(system-wide /etc/sshd_config)
Defaults to 'yes' -- so pretty much ignore.
48. When/Why #1 - Everyday Usage
When SSH'ing from box to box to box (i.e. multiple servers)
Greatly reduces the need to copy over public/private key files
It (usually) just works!
49. When/Why #2 - Deploys
No need to manage additional SSH key pairs for machines that you want to deploy to
If you have access to it and you do the deploying, the remote machine will just SSH in as you!
It (usually) just works!
50. ...remember...
You still need to copy public key file contents to ~/.ssh/authorized_keys
Agent forwarding doesn't work for automated workflows where a user is taken out of the equation, i.e. our automated deploy from TeamCity for Inspire
51. Port Forwarding
Local, Remote, Magic
53. Local Port Forwarding Example
your-box -> box-1 (sshd) -> box-2 (www)
box-1 and box-2 are on a private network
54. your-box to www on box-2
your-box -> box-1 (sshd; public IP and local IP) -> box-2 (www; local IP)
box-1 and box-2 are on a private network
55. Can't access box-2 directly
your-box -> box-2 (www; local IP): X
box-1 (sshd; public IP and local IP) and box-2 are on a private network
56. With Local Port Forwarding
your-box -> box-1 (sshd; public IP and local IP) -> box-2 (www; local IP)
your-box> ssh -L 8000:box-2:80 box-1
box-1>
success
57. A Tunnel is Made!
your-box:8000 -> box-1 (sshd; public IP and local IP) -> box-2:80 (www; local IP)
your-box> ssh -L 8000:box-2:80 box-1
box-1>
success
58. box-2 doesn't have to run sshd
your-box -> box-1 (sshd; public IP and local IP) -> box-2 (www only; local IP)
59. Command Line Local Port Forwarding
ssh -L localport:host:hostport example.com
localport is the port on your machine,
host is the remote box to tunnel to (as seen from example.com),
hostport is the port on the remote box to tunnel to
60. Sharing Your Tunnel
bobs-box -> your-box:8000 -> box-1 (sshd; public IP and local IP) -> box-2:80 (www; local IP)
your-box> ssh -L 8000:box-2:80 -g box-1
box-1>
success
61. Command Line Local Port Forwarding
ssh -L localport:host:hostport -g example.com
-g allows others to connect to your forwarded port
63. SSH Server has final say!
AllowTcpForwarding no
(system-wide /etc/sshd_config)
Defaults to 'yes' -- so pretty much ignore.
64. When/Why
Access normally unreachable resources on an internal network from anywhere on the internet
66. Remote Port Forwarding Example
your-box -> box-1 (sshd) ... box-2
box-1 and box-2 are on a private network
67. box-2 to your-box
your-box (local IP) -> box-1 (sshd; public IP and local IP) <- box-2 (local IP)
box-1 and box-2 are on a private network
68. box-2 can't talk to your-box
box-2 (local IP) -> your-box (local IP): X
box-1 (sshd; public IP and local IP) and box-2 are on a private network
69. With Remote Port Forwarding
your-box (local IP) -> box-1 (sshd; public IP and local IP) <- box-2 (local IP)
your-box> ssh -R 8000:localhost:80 box-1
box-1>
success
70. A Reverse Tunnel Is Made!
your-box:80 (local IP) <- box-1:8000 (sshd; public IP and local IP) <- box-2 (local IP) via http://box-1:8000
your-box> ssh -R 8000:localhost:80 box-1
box-1>
success
71. Command Line Remote Port Forwarding
ssh -R remoteport:host:hostport example.com
remoteport is the port on the machine you ssh into,
host is the local box to tunnel to (as seen from your machine),
hostport is the port on the local box to tunnel to
72. -g is not supported for remote forwarding
74. SSH Server has final say!
AllowTcpForwarding no
(system-wide /etc/sshd_config)
Defaults to 'yes' -- so pretty much ignore.
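A way to check what the server will actually enforce, covering the "SSH Server has final say!" slides for AllowAgentForwarding (slide 47) and AllowTcpForwarding (slides 63 and 74), plus the server-side GatewayPorts. This is an added example, not from the deck: it assumes a plain global section in sshd_config (the scan stops at the first Match block and the keyword=value spelling is not handled), and the config file in the test is constructed.

```shell
#!/bin/sh
# sshd_effective <sshd_config> <keyword> <default>
# sshd honours the FIRST occurrence of a keyword; later duplicates are
# silently ignored, so an "AllowTcpForwarding yes" near the bottom of a
# file that already said "no" near the top changes nothing. Keywords are
# case-insensitive. Only the global section is read: the first "Match"
# block ends the scan (simplification; Match rules are not evaluated,
# and the "Keyword=value" spelling is not handled).
sshd_effective() {
    cfg="$1"; keyword="$2"; default="$3"
    val=$(awk -v k="$keyword" '
        NF == 0 || $1 ~ /^#/        { next }           # blanks and comments
        tolower($1) == "match"      { exit }           # end of global section
        tolower($1) == tolower(k)   { print $2; exit } # first match wins
    ' "$cfg")
    printf '%s\n' "${val:-$default}"
}

# forwarding_report <sshd_config>
# Prints "<keyword> <effective value>" for the forwarding-related settings,
# using the sshd_config(5) defaults when the file is silent about them.
forwarding_report() {
    cfg="$1"
    printf 'AllowAgentForwarding %s\n' "$(sshd_effective "$cfg" AllowAgentForwarding yes)"
    printf 'AllowTcpForwarding %s\n'   "$(sshd_effective "$cfg" AllowTcpForwarding yes)"
    printf 'GatewayPorts %s\n'         "$(sshd_effective "$cfg" GatewayPorts no)"
}
```

Run it as `forwarding_report /etc/sshd_config` (or whatever path the install uses) after editing, before assuming a forwarding restriction is in place.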
75. When/Why
Allow outside resources to connect to your box, or another machine on a private network
Example: testing web callbacks
76. ~/.ssh/config
User-specified SSH configuration
77. Host Configuration
Host is the section identifier
Any time Host shows up a new section is started
Host is whatever you want to refer to the connection as
~/.ssh/config:
  Host inspire
    HostName staging.inspirehq.com
    User inspire
  Host inspire.production
    HostName inspirehq.com
    User inspire
your-box> ssh example.com
78. HostName Configuration
HostName is the real host name to log into
Can be an IP address or a domain name
~/.ssh/config:
  Host inspire
    HostName staging.inspirehq.com
    User inspire
  Host inspire.production
    HostName inspirehq.com
    User inspire
your-box> ssh example.com
79. User Configuration
User is the user to log in as
Can be overridden on the command line
~/.ssh/config:
  Host inspire
    HostName staging.inspirehq.com
    User inspire
  Host inspire.production
    HostName inspirehq.com
    User foobar
your-box> ssh example.com
80. Port Configuration
Port defines which port SSH connects on
Can be overridden on the command line
~/.ssh/config:
  Host inspire
    HostName staging.inspirehq.com
    User inspire
    Port 45000
your-box> ssh example.com
81. Local/Remote Port Forwarding
LocalForward
RemoteForward
~/.ssh/config:
  Host inspire
    HostName staging.inspirehq.com
    User inspire
    LocalForward 8080:example.com:80
    RemoteForward 8080:example.com:80
your-box> ssh example.com
82. GatewayPorts
GatewayPorts specifies whether or not remote hosts can connect to local forwarded ports
Works in conjunction with LocalForward (the config equivalent of -g)
Defaults to no
~/.ssh/config:
  Host inspire
    HostName staging.inspirehq.com
    User inspire
    LocalForward 8080:example.com:80
    GatewayPorts yes
your-box> ssh example.com
83. ServerAliveInterval
ServerAliveInterval sets a time interval in seconds after which, if no data has been received from the server, ssh will send a message to the server
Defaults to 0, meaning this will never be sent
This can be used to keep SSH connections alive
~/.ssh/config:
  Host inspire
    HostName staging.inspirehq.com
    User inspire
    LocalForward 8080:example.com:80
    GatewayPorts yes
    ServerAliveInterval 5
your-box> ssh example.com
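A resolver for the ~/.ssh/config sections shown on slides 77 through 83 that reproduces the client's rule that the first obtained value for a keyword wins (OpenSSH's `ssh -G alias` prints the real answer). This is an added example, not from the deck: it handles only exact alias matches plus the bare `Host *` wildcard (no glob patterns or Match blocks), and the config in the test is constructed.

```shell
#!/bin/sh
# ssh_resolve <config-file> <alias> <keyword>
# Prints the value ssh would use for <keyword> when you run "ssh <alias>".
# The rule that trips people up: for each keyword the FIRST value obtained
# wins, so a catch-all "Host *" block must go at the END of the file or it
# overrides every per-host setting that follows it. Only exact alias
# matches and the bare "*" wildcard are handled here (simplification;
# ssh also does glob patterns, negation and Match blocks).
ssh_resolve() {
    cfg="$1"; name="$2"; keyword="$3"
    val=$(awk -v a="$name" -v k="$keyword" '
        NF == 0 || $1 ~ /^#/ { next }                  # blanks and comments
        tolower($1) == "host" {                        # a new section starts
            active = 0
            for (i = 2; i <= NF; i++)
                if ($i == a || $i == "*") active = 1   # does it apply to alias?
            next
        }
        active && tolower($1) == tolower(k) { print $2; exit }   # first wins
    ' "$cfg")
    # with no HostName, ssh connects to the alias itself
    if [ -z "$val" ] && [ "$(printf '%s' "$keyword" | tr 'A-Z' 'a-z')" = hostname ]; then
        val="$name"
    fi
    printf '%s\n' "$val"
}

# ssh_effective_target <config-file> <alias>: user@hostname:port as ssh sees it
ssh_effective_target() {
    cfg="$1"; name="$2"
    user=$(ssh_resolve "$cfg" "$name" User)
    host=$(ssh_resolve "$cfg" "$name" HostName)
    port=$(ssh_resolve "$cfg" "$name" Port)
    printf '%s@%s:%s\n' "${user:-$(id -un)}" "$host" "${port:-22}"
}
```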
86. Overuse ~/.ssh/config
SSHing into an IP more than once?
SSHing into crazy domains? (e.g. Amazon)
Looking up an IP or hostname routinely?
Save it in ~/.ssh/config
97. rsync does so much more
incremental file transfers (only transfers what's different)
include/exclude files and directories
include/exclude file name patterns
can copy files from a remote box to a local box
can copy files from a local box to a remote box
99. git/ssh info
Can run over SSH
Supports SSH client configuration files
Can be pointed at a specific SSH binary using the GIT_SSH environment variable