SSH tricks
Davide Ferrari - @vide
September 2016 - Billy Mobile
You have passed through this:
$ ssh moria.middle.earth -p 1234
Speak friend and enter
And through this:
$ ssh -l balrog moria.middle.earth
Connection timed out
Clickety clack
$ scp -P 666 -i ~/.ssh/smeagol.rsa ~/hobbits_archives/* \
      gollum@mordor.middle.earth:
(options go before the file list, and the destination needs the trailing colon, otherwise scp treats gollum@mordor.middle.earth as a local file name and copies everything into the current directory)
Enter ~/.ssh/config
$ cat /home/lotr/.ssh/config
Host moria.middle.earth
  User gandalf
  Port 1234
Host mordor.middle.earth
  User gollum
  IdentityFile ~/.ssh/smeagol.rsa
  Port 666
Host *.middle.earth
  User hobbits
  KexAlgorithms diffie-hellman-group1-sha1
You can put almost any ssh_config option in there and use wildcard patterns in the Host line. The file is honoured by ssh, scp and sftp, and by libraries that parse ssh_config such as libssh (for the options they support).
Two things worth knowing before you rely on it. For every option ssh keeps the first value it finds, so the Host *.middle.earth block at the bottom only fills in what the more specific blocks above did not set: moria still logs in as gandalf, not hobbits, and a wildcard block placed at the top would instead override everything below it. And KexAlgorithms diffie-hellman-group1-sha1 re-enables a 1024-bit DH group that OpenSSH turned off by default in 7.0 because it is too small to trust; if one legacy box needs it, scope that line to that single Host rather than to a wildcard that covers every machine in the domain.
This is just the beginning of what you can do in .ssh/config
In any case
man ssh_config
is your friend
What about some tunneling?
Poor man’s VPN
ssh user@remote_host -L 8000:127.0.0.1:9091 -N -f
Human readable please?
ssh user@remote_host -L 8000:127.0.0.1:9091 -N -f
user@remote_host: the SSH server you authenticate to; every connection sent through the tunnel leaves from there
8000: port opened on MY machine (bound to 127.0.0.1 only, unless you give a bind address in the -L spec or enable GatewayPorts / -g)
127.0.0.1:9091: address as resolved on the REMOTE side, i.e. what remote_host itself can reach on its own loopback
-N: don’t execute anything on the remote host, just hold the connection open for the tunnel
-f: go to background once authentication is done; the ssh process keeps running, kill it to close the tunnel
The other way round
ssh user@remote_host -R 8111:127.0.0.1:80 -N -f
Now port 8111 is opened on the REMOTE host and whatever connects to it comes out on port 80 of MY machine. By default sshd binds that port to the remote loopback only; making it reachable from other hosts needs GatewayPorts enabled in the server’s sshd_config, so do not assume a -R port is private just because you did not ask for it to be public, check what the server allows.
Fingerprint?
>THIS< fingerprint
The authenticity of host ’178.36.62.115 (178.36.62.115)’ can’t b
ECDSA key fingerprint is SHA256:F0B6XIdcukwjjkI+edez42aQt6W73f+O
Are you sure you want to continue connecting (yes/no)
This is a great security feature: the fingerprint is the only thing that tells you the machine answering on that address is the one you think it is, so this check is what protects against MITM attacks. It can be a real PITA, though, especially when automatically deploying/copying something and the remote server got reinstalled without preserving the old host keys, because from the client’s side a reinstalled box and an impostor look exactly the same: same address, different key.
Solution?
ssh -o UserKnownHostsFile=/dev/null \
    -o StrictHostKeyChecking=no \
    somebody@somewhere
This line disables host key verification altogether: StrictHostKeyChecking=no accepts any key it has not seen before, and with the known hosts file pointed at /dev/null nothing is ever remembered, so a changed key never triggers the warning either. That is the MITM protection from the previous slide switched off, not worked around, so keep it for throwaway hosts on a network you trust. When the real problem is a stale entry after a reinstall, remove just that entry with ssh-keygen -R the_host; when the problem is first contact from automation, pre-seed known_hosts from a trusted source (the server’s own /etc/ssh/*.pub files, or ssh-keyscan run over a channel you already trust); and on OpenSSH 7.6 and later, newer than this talk, StrictHostKeyChecking=accept-new takes unknown keys but still refuses changed ones.
In other words
Host somewhere
User somebody
UserKnownHostsFile /dev/null
StrictHostKeyChecking no
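Rather than switching the check off, it is usually cheaper to verify the fingerprint or keep known_hosts honest. The script below is an added example, not part of the talk: it reproduces what ssh does with the fingerprint and with known_hosts (the SHA256 fingerprint is base64 of SHA-256 over the key blob; a hashed |1| entry is HMAC-SHA1 over the host name keyed with the stored salt) and classifies a key presented by a server as match, mismatch or unknown. The host key bytes, the salt and the known_hosts lines are constructed filler, not any real server’s key.

```python
"""Verify a host key against known_hosts instead of turning the check off.

Added example, not code from the talk. The key bytes, salt and known_hosts
lines below are constructed filler (a 32-byte stand-in for an ed25519 key),
not a real server's key.
"""
import base64
import hashlib
import hmac


def key_blob(key_type: bytes, raw_key: bytes) -> bytes:
    """SSH wire encoding of a public key: string(type) || string(raw key)."""
    return (len(key_type).to_bytes(4, "big") + key_type
            + len(raw_key).to_bytes(4, "big") + raw_key)


def sha256_fingerprint(blob: bytes) -> str:
    """The 'SHA256:...' value ssh shows: base64 of SHA-256 over the blob, '=' padding dropped."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def hashed_hostname(host: str, salt: bytes) -> str:
    """Host field as written with HashKnownHosts yes: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(field: str, host: str) -> bool:
    """Match a known_hosts host field, plain ('a,b') or hashed ('|1|...'), against host."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|", 3)
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return host in field.split(",")


def check_host_key(known_hosts: str, host: str, key_type: str, blob: bytes) -> str:
    """'match', 'mismatch' (key changed: reinstall or MITM, you cannot tell which) or 'unknown'.

    Hosts on non-default ports are stored as '[host]:port'; pass that form as host.
    """
    seen = False
    for line in known_hosts.splitlines():
        parts = line.split()
        # Skip comments; @cert-authority / @revoked markers are out of scope for this demo.
        if len(parts) < 3 or parts[0].startswith(("#", "@")):
            continue
        if parts[1] != key_type or not host_matches(parts[0], host):
            continue
        seen = True
        if base64.b64decode(parts[2]) == blob:
            return "match"
    return "mismatch" if seen else "unknown"


# Constructed sample data: moria (port 1234 from the config above) stored in clear
# in the [host]:port form ssh uses for non-default ports, mordor stored hashed.
FAKE_KEY = key_blob(b"ssh-ed25519", bytes(range(32)))
OTHER_KEY = key_blob(b"ssh-ed25519", bytes(range(32, 64)))
SALT = bytes(range(20))
KNOWN_HOSTS = "\n".join([
    "[moria.middle.earth]:1234 ssh-ed25519 " + base64.b64encode(FAKE_KEY).decode(),
    hashed_hostname("mordor.middle.earth", SALT) + " ssh-ed25519 " + base64.b64encode(FAKE_KEY).decode(),
])

if __name__ == "__main__":
    print("server presents", sha256_fingerprint(FAKE_KEY))
    for h in ("[moria.middle.earth]:1234", "moria.middle.earth", "mordor.middle.earth", "rivendell.middle.earth"):
        print(h, "->", check_host_key(KNOWN_HOSTS, h, "ssh-ed25519", FAKE_KEY))
    print("[moria.middle.earth]:1234 with a changed key ->",
          check_host_key(KNOWN_HOSTS, "[moria.middle.earth]:1234", "ssh-ed25519", OTHER_KEY))
```

A "mismatch" is exactly the PITA case from the slide: either the box was reinstalled or someone is sitting in the middle, and nothing on the client can tell the two apart, which is why the fix belongs in known_hosts (drop the stale line, add the new key from a trusted channel) rather than in StrictHostKeyChecking. Note the port detail: the same host reached on port 22 and on port 1234 is two different known_hosts entries.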
Poor man’s VPN revisited
$ ssh foo@remote_host -L 8000:127.0.0.1:9091 -N -f
$ cat ~/.ssh/config
Match user foo
  LocalForward 8000 127.0.0.1:9091
$ ssh foo@remote_host -N -f
$ ssh foo@another_host -N -f
Match user foo attaches the forward to every host you log into as foo, whatever its name. Mind that both commands above try to bind local port 8000: the second bind fails, and by default ssh only prints a warning and keeps the session up without the tunnel. Set ExitOnForwardFailure yes in the same block if a script depends on the tunnel being there, so a failed forward makes ssh exit instead.
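How ssh picks values out of these files, as an added example that is not part of the talk: a small Python resolver for the subset of ssh_config the slides use (Host globs with ! negation, Match with the user/host/all criteria, first value wins for ordinary options, LocalForward/RemoteForward/IdentityFile collected from every matching block), run over the two config files above, copied in as constructed input, plus a check that reports the legacy KEX the wildcard block turns on. Real ssh supports far more keywords and Match criteria than this; what the example shows is the precedence rule you need to predict which block wins.

```python
"""Resolve the ssh_config files from the slides the way ssh itself does.

Added example, not code from the talk. Only a subset of ssh_config is
implemented: Host (glob patterns, '!' negation), Match (user/host/all),
'first value wins' for ordinary options and accumulation for the few
options ssh collects from every matching block.
"""
import fnmatch

# Options ssh accumulates across matching blocks instead of keeping only the first value.
MULTI_VALUED = {"localforward", "remoteforward", "identityfile"}


def _host_block_applies(patterns: str, host: str) -> bool:
    """'Host' takes whitespace-separated globs; a matching '!pattern' vetoes the block."""
    matched = False
    for pat in patterns.split():
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            matched = True
    return matched


def _match_block_applies(criteria: str, host: str, user: str) -> bool:
    """'Match' with the user, host and all criteria; each may be negated with '!'."""
    tokens = criteria.split()
    i = 0
    while i < len(tokens):
        crit = tokens[i].lower()
        negate = crit.startswith("!")
        crit = crit.lstrip("!")
        if crit == "all":
            holds, i = True, i + 1
        else:
            value = {"user": user, "host": host}[crit]   # exec/canonical/etc. are out of scope here
            holds = any(fnmatch.fnmatchcase(value, p) for p in tokens[i + 1].split(","))
            i += 2
        if holds == negate:   # a criterion failed, or a negated one succeeded: block is skipped
            return False
    return True


def resolve(config_text: str, host: str, user: str = None) -> dict:
    """Return the options ssh would end up with for 'ssh [user@]host' under this config."""
    result = {}
    if user:                      # command-line values beat anything in the file
        result["user"] = user
    active = True                 # lines before the first Host/Match are global
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            active = _host_block_applies(value, host)
        elif key == "match":      # 'Match user' sees the user known so far, command line or earlier block
            active = _match_block_applies(value, host, result.get("user", ""))
        elif not active:
            continue
        elif key in MULTI_VALUED:
            result.setdefault(key, []).append(value)
        elif key not in result:   # first obtained value wins; later blocks cannot override it
            result[key] = value
    return result


def weak_kex(config_text: str, host: str, user: str = None) -> list:
    """SHA-1 based KEX methods the resolved config would offer, group1 (1024-bit DH) among them."""
    kex = resolve(config_text, host, user).get("kexalgorithms", "")
    return [k for k in kex.split(",") if k.endswith("-sha1")]


# Constructed input: the two config files shown on the slides.
SLIDES_CONFIG = """\
Host moria.middle.earth
  User gandalf
  Port 1234
Host mordor.middle.earth
  User gollum
  IdentityFile ~/.ssh/smeagol.rsa
  Port 666
Host *.middle.earth
  User hobbits
  KexAlgorithms diffie-hellman-group1-sha1
"""

TUNNEL_CONFIG = """\
Match user foo
  LocalForward 8000 127.0.0.1:9091
"""

if __name__ == "__main__":
    for h in ("moria.middle.earth", "mordor.middle.earth", "rivendell.middle.earth"):
        r = resolve(SLIDES_CONFIG, h)
        print(f"{h}: user={r.get('user')} port={r.get('port', '22')} "
              f"identity={r.get('identityfile')} weak_kex={weak_kex(SLIDES_CONFIG, h)}")
    for u in ("foo", "bar"):
        print(f"ssh {u}@remote_host -> LocalForward {resolve(TUNNEL_CONFIG, 'remote_host', u).get('localforward')}")
```

The resolver makes the ordering rule visible: moria keeps User gandalf although the wildcard block also sets a User, rivendell (matched only by the wildcard) gets hobbits and no Port, and every *.middle.earth host, moria included, is offered the group1 exchange. On a real system ssh -G host prints the same resolved view from your actual config.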
Autocompletion FTW
OSX: brew install bash-completion
Ubuntu: sudo apt-get install bash-completion
Just to be sure (bash completion for ssh pulls host names out of ~/.ssh/known_hosts, which only works when they are stored in clear; Debian and Ubuntu hash them by default so a stolen file does not list where you connect, so this is a trade-off, not a free setting):
echo "HashKnownHosts no" >> ~/.ssh/config
Mind that >> appends the line at the end of the file, i.e. inside whatever Host or Match block comes last, where it applies only to hosts that block matches; put it at the top of the file, or under Host *, to make it global. Entries that are already hashed stay hashed until you recreate them.
THE END. QUESTIONS?
