SSH

Slides from a presentation I gave on SSH. Covers basics of ssh, password|keys|host-based authentication, agent/key forwarding, configuration files (global and user-specific), local/remote port forwarding, scp, rsync, and briefly mentions git's support.

Published in: Technology

SSH

  1. SSH (Friday, September 2, 11)
  2. An Overview
  3. SSH was created in 1995 by a Finnish university researcher. It was initially open source and went closed source in 1999. OpenSSH was created in 1999 as a fork of the last open source SSH code.
  4. What SSH Does: SSH handles the set up and generation of an encrypted TCP connection.
  5. ...which means... SSH can handle secure remote logins (ssh). SSH can handle secure file copy (scp). SSH can even drive secure FTP (sftp).
  6. Core SSH programs: ssh is the client; sshd is the server. If sshd is not running you will not be able to connect to it with ssh.
  7. SSH Authentication Methods: password; public/private keypair; host-based authentication.
  8. Password Authentication
  9. Example Without SSH Keys (diagram: your-box running ssh, box-1 running sshd)
  10. Prompts for Password
      your-box> ssh box-1
      password:
      box-1>
  11. Keypair Authentication
  12. Example With SSH Keys (diagram: your-box running ssh, box-1 running sshd)
  13. Step 1: Generate Keys
      your-box> ssh-keygen
  14. Public / Private Keypair (diagram: your-box holds ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub)
  15. Private Key: id_rsa (~/.ssh/id_rsa). Private keys should be kept secret; do not share them with anyone.
  16. Public Key: id_rsa.pub (~/.ssh/id_rsa.pub). Public keys are meant to be shared.
  17. Copy Public Key to box-1 (diagram: ~/.ssh/id_rsa.pub from your-box is copied into ~/.ssh/authorized_keys on box-1)
  18. ~/.ssh/authorized_keys houses all public keys for people who can authenticate as a user on a machine. When copying public keys, append to the file; do not overwrite the file.
  19. No password required!
      your-box> ssh box-1
      box-1>
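The rule on slide 18 (append, never overwrite) is easy to break with a single stray > redirect. The shell function below is an added example, not part of the presentation, that does the copy step safely: it rejects input that is not one well-formed public-key line, skips a key that is already present, sets the directory and file permissions that sshd's StrictModes check (on by default) requires before it will trust the file, and only ever appends. The path, key material and comments used in the usage line are constructed placeholders; the key-type list is an assumption covering the common OpenSSH types.

```shell
#!/bin/sh
# Added example (not from the presentation): append one public key to an
# authorized_keys file the way slide 18 says to, append and never overwrite,
# plus the checks sshd itself cares about. Assumption: the file is the plain
# OpenSSH "<type> <base64> [comment]" format with no options prefix.

# add_authorized_key <authorized_keys path> "<public key line>"
add_authorized_key() {
    akfile=$1
    pubkey=$2
    akdir=$(dirname "$akfile")

    # One line only: a newline inside the argument would smuggle in extra keys.
    nl='
'
    case $pubkey in
        *"$nl"*) echo "refusing multi-line input" >&2; return 1 ;;
    esac

    # Word-split the key line with globbing off (a '*' in the argument must not
    # expand to file names), then sanity-check the type and the key material.
    set -f
    set -- $pubkey
    set +f
    keytype=$1
    keydata=$2
    case $keytype in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "unrecognised key type: '$keytype'" >&2; return 1 ;;
    esac
    case $keydata in
        ''|*[!A-Za-z0-9+/=]*) echo "key material is not base64" >&2; return 1 ;;
    esac

    # sshd's StrictModes (on by default) refuses keys in files or directories that
    # other users can write to, so fix the permissions before appending.
    mkdir -p "$akdir"
    chmod 700 "$akdir"
    [ -f "$akfile" ] || : > "$akfile"
    chmod 600 "$akfile"

    # Same type + same key material already present (comment ignored)? Then do nothing.
    if awk -v t="$keytype" -v k="$keydata" \
           '$1 == t && $2 == k { found = 1 } END { exit !found }' "$akfile"; then
        echo "key already present in $akfile, nothing appended" >&2
        return 0
    fi

    # Append (>>), never overwrite (>): other people's keys in the file must survive.
    printf '%s\n' "$pubkey" >> "$akfile"
}

# count_authorized_keys <authorized_keys path>: number of non-blank lines
count_authorized_keys() {
    awk 'NF { n++ } END { print n + 0 }' "$1"
}

# Run directly as: sh add_key.sh ~/.ssh/authorized_keys "$(cat ~/.ssh/id_rsa.pub)"
if [ $# -eq 2 ]; then
    add_authorized_key "$1" "$2"
fi
```

OpenSSH ships ssh-copy-id for the same job; the value of writing it out is seeing the three things that silently break key login in practice: a clobbered file, a duplicated or mangled line, and group- or world-writable permissions that make sshd ignore the file entirely.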
  20. Host-based Authentication
  21. Host-based Authentication: doesn't require user credentials (password or key). Provides trust based on hostname and userid. The userid on both systems has to be the same. Disabled by default -- not that useful.
  22. SSH Basics
  23. Configuration Files
  24. Server Configuration Files: this is read automatically by sshd when started. sshd config: /etc/sshd_config. Based on installation method, system config locations may vary, ie: macports installs in /opt/local/etc/ssh/
  25. Client Configuration Files: these are read automatically by ssh when executed. System-wide ssh config: /etc/ssh_config. User-specific ssh config: ~/.ssh/config. Based on installation method, system config locations may vary, ie: macports installs in /opt/local/etc/ssh/
  26. Custom Client Configuration Files: ssh will not read these on its own; use the -F option. You can put custom config files anywhere you want.
      ssh -F /foo/bar/custom_ssh.cfg
  27. Secure Logins
  28. Login Example #1
      ssh user@example.com
  29. Login Example #2
      ssh example.com
      What's the difference from example #1?
  30. Login Example #3: logging in on a non-default port.
      ssh -p 45000 example.com
      What's the default SSH port anyway?
  31. Login Example #4: log in, run a command, and exit.
      ssh example.com <command here>
      ssh example.com ls -l
      ssh example.com hostname
      Anything with special characters such as quotes, backticks, etc. needs to be escaped.
  32. Agent / Key Forwarding: without them, with them
  33. Example Without SSH Keys (diagram: your-box, box-1, box-2)
  34. your-box> ssh box-1
      password:
      Password required.
  35. your-box> ssh box-2
      password:
      Password required.
  36. your-box to box-1 to box-2
      your-box> ssh box-1
      password:
      box-1> ssh box-2
      password:
      Passwords required each step of the way!
  37. Updated Example with SSH Keys
      your-box> ssh-keygen
      Copy the public key to ~/.ssh/authorized_keys on each remote host. (diagram: your-box holds id_rsa and id_rsa.pub; box-1 and box-2 each hold authorized_keys)
  38. your-box> ssh box-1
      box-1> success
  39. your-box> ssh box-2
      box-2> success
  40. your-box to box-1 to box-2
      your-box> ssh box-1
      box-1> success
      box-1> ssh box-2
      password:
      Password required at the second step! (diagram: id_rsa and id_rsa.pub live only on your-box; box-1 and box-2 hold authorized_keys)
  41. Enter Agent/Key Forwarding
  42. your-box to box-1 to box-2
      your-box> ssh -A box-1
      box-1> success
      box-1> ssh -A box-2
      box-2> success
  43. Your SSH Key Gets Forwarded (diagram: the id_rsa on your-box is used, through box-1, to authenticate to box-2)
  44. Command Line Agent Forwarding
      ssh -A example.com
      Use -a to explicitly turn off forwarding for an ssh session.
  45. Host Configured
      Host inspire.staging
        ForwardAgent yes
      Per-User: ~/.ssh/config. System-wide: /etc/ssh_config.
  46. Capistrano Configured (Ruby)
      ssh_options[:forward_agent] = true
      In Capistrano's deploy.rb; provided by the net/ssh library.
  47. SSH Server has final say!
      AllowAgentForwarding no
      System-wide: /etc/sshd_config. Defaults to "yes" -- so pretty much ignore.
  48. When/Why #1 - Everyday Usage: when SSH'ing from box to box to box (ie: multiple servers). Greatly reduces the need to copy over public/private key files. It (usually) just works!
  49. When/Why #2 - Deploys: no need to manage additional SSH key pairs for machines that you want to deploy to. If you have access to it and you do the deploying, the remote machine will just SSH in as you! It (usually) just works!
  50. ...remember... You still need to copy public key file contents to ~/.ssh/authorized_keys. Agent forwarding doesn't work for automated workflows where a user is taken out of the equation, ie: our automated deploy from TeamCity for Inspire.
  51. Port Forwarding: Local, Remote, Magic
  52. Local Port Forwarding
  53. Local Port Forwarding Example (diagram: your-box; box-1 running sshd and box-2 running www on a private network)
  54. your-box to www on box-2 (diagram: your-box on a public IP; box-1 (sshd) and box-2 (www) on local IPs in the private network)
  55. Can't access box-2 directly (diagram: the path from your-box to box-2 is blocked)
  56. With Local Port Forwarding
      your-box> ssh -L 8000:box-2:80 box-1
      box-1> success
  57. A Tunnel is Made! (diagram: port 8000 on your-box tunnels through sshd on box-1 to port 80 on box-2)
      your-box> ssh -L 8000:box-2:80 box-1
      box-1> success
  58. box-2 doesn't have to run sshd
  59. Command Line Local Port Forwarding
      ssh -L localport:host:hostport example.com
      localport is the port on your machine, host is the remote box to tunnel to, hostport is the port on the remote box to tunnel to.
  60. Sharing Your Tunnel (diagram: bobs-box connects to the forwarded port on your-box)
      your-box> ssh -L 8000:box-2:80 -g box-1
      box-1> success
  61. Command Line Local Port Forwarding
      ssh -L localport:host:hostport -g example.com
      -g allows others to connect to your forwarded port.
  62. Host Configured
      Host inspire.staging
        LocalForward 8000:box-2:80
      Per-User: ~/.ssh/config. System-wide: /etc/ssh_config.
  63. SSH Server has final say!
      AllowTcpForwarding no
      System-wide: /etc/sshd_config. Defaults to "yes" -- so pretty much ignore.
  64. When/Why: access normally unreachable resources on an internal network from anywhere on the internet.
  65. Remote Port Forwarding
  66. Remote Port Forwarding Example (diagram: your-box; box-1 running sshd and box-2 on a private network)
  67. box-2 to your-box (diagram: your-box on a local IP; box-1 on a public IP; box-2 on a local IP in the private network)
  68. box-2 can't talk to your-box (diagram: the path from box-2 to your-box is blocked)
  69. With Remote Port Forwarding
      your-box> ssh -R 8000:localhost:80 box-1
      box-1> success
  70. A Reverse Tunnel Is Made! (diagram: box-2 connects to http://box-1:8000, which tunnels back to port 80 on your-box)
      your-box> ssh -R 8000:localhost:80 box-1
      box-1> success
  71. Command Line Remote Port Forwarding
      ssh -R remoteport:host:hostport example.com
      remoteport is the port on the machine you ssh into, host is the local box to tunnel to, hostport is the port on the local box to tunnel to.
  72. -g is not supported for remote forwarding.
  73. Host Configured
      Host inspire.staging
        RemoteForward 8000:localhost:80
      Per-User: ~/.ssh/config. System-wide: /etc/ssh_config.
  74. SSH Server has final say!
      AllowTcpForwarding no
      System-wide: /etc/sshd_config. Defaults to "yes" -- so pretty much ignore.
  75. When/Why: allow outside resources to connect to your box, or another machine on a private network. Example: testing web callbacks.
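The question a practitioner asks before typing any of the -L and -R commands above is "which machine ends up listening, and who can reach that listener?" The function below is an added example, not part of the presentation: it parses a forward specification in the full form ssh accepts, [bind_address:]port:host:hostport, validates the ports, and reports which side listens and how widely it is exposed. With no bind address the listener is loopback-only unless -g (client side, slide 61) or GatewayPorts (server side, which is why slide 72's -g does nothing for -R) widens it; a bind address of * or an empty one means every interface. The slide numbers referenced and the example specs in the test are taken from this deck; the output format is my own.

```shell
#!/bin/sh
# Added example (not from the presentation): explain a -L / -R forward spec.
# Spec grammar (from ssh(1)): [bind_address:]port:host:hostport
# Output: side=<client|server> bind=<scope> port=<listen port> target=<host>:<hostport>

# describe_forward <L|R> <spec>
describe_forward() {
    dir=$1
    spec=$2

    # Three colon-separated fields means no bind address was given; four means one was.
    nfields=$(printf '%s' "$spec" | awk -F: '{ print NF }')
    case $nfields in
        3) bindgiven=no;  bind="";          rest=$spec ;;
        4) bindgiven=yes; bind=${spec%%:*}; rest=${spec#*:} ;;
        *) echo "bad forward spec: $spec (want [bind_address:]port:host:hostport)" >&2; return 1 ;;
    esac
    port=${rest%%:*};  rest=${rest#*:}
    host=${rest%%:*};  hostport=${rest#*:}

    # Both ports must be plain integers in 1..65535.
    for p in "$port" "$hostport"; do
        case $p in
            ''|*[!0-9]*) echo "bad port: '$p'" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "port out of range: $p" >&2; return 1
        fi
    done
    [ -n "$host" ] || { echo "missing host in $spec" >&2; return 1; }

    # -L: the listener is on your-box (the ssh client).
    # -R: the listener is on the machine you ssh into (the ssh server).
    case $dir in
        L) side=client ;;
        R) side=server ;;
        *) echo "direction must be L or R" >&2; return 1 ;;
    esac

    # Exposure of the listener. Without a bind address ssh binds loopback only,
    # unless -g (client) or GatewayPorts (server) says otherwise; "*" or an empty
    # bind address explicitly asks for every interface.
    if [ "$bindgiven" = no ]; then
        scope=loopback-by-default
    else
        case $bind in
            ''|'*'|0.0.0.0|::)       scope=all-interfaces ;;
            localhost|127.0.0.1|::1) scope=loopback ;;
            *)                       scope=$bind ;;
        esac
    fi

    printf 'side=%s bind=%s port=%s target=%s:%s\n' "$side" "$scope" "$port" "$host" "$hostport"
}

# Run directly as: sh describe_forward.sh L 8000:box-2:80
if [ $# -eq 2 ]; then
    describe_forward "$1" "$2"
fi
```

The "all-interfaces" result is the one to pause on: with -g (or GatewayPorts yes on the relevant side) the tunnel from slide 60 is reachable by anyone who can reach that port on the listening machine, not just you, so the service behind it should be one you are happy to expose to that whole network.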
  76. ~/.ssh/config: user-specified SSH configuration
  77. Host Configuration: Host is the section identifier. Any time Host shows up a new section is started. Host is whatever you want to refer to the connection as.
      ~/.ssh/config:
      Host inspire
        HostName staging.inspirehq.com
        User inspire
      Host inspire.production
        HostName inspirehq.com
        User inspire
      your-box> ssh example.com
  78. HostName Configuration: HostName is the real host name to log into. Can be an IP address or domain name.
      ~/.ssh/config:
      Host inspire
        HostName staging.inspirehq.com
        User inspire
      Host inspire.production
        HostName inspirehq.com
        User inspire
      your-box> ssh example.com
  79. User Configuration: User is the user to log in as. Can be overridden on the command line.
      ~/.ssh/config:
      Host inspire
        HostName staging.inspirehq.com
        User inspire
      Host inspire.production
        HostName inspirehq.com
        User foobar
      your-box> ssh example.com
  80. Port Configuration: Port defines what port for SSH to connect on. Can be overridden on the command line.
      ~/.ssh/config:
      Host inspire
        HostName staging.inspirehq.com
        User inspire
        Port 45000
      your-box> ssh example.com
  81. Local/Remote Port Forwarding: LocalForward, RemoteForward.
      ~/.ssh/config:
      Host inspire
        HostName staging.inspirehq.com
        User inspire
        LocalForward 8080:example.com:80
        RemoteForward 8080:example.com:80
      your-box> ssh example.com
  82. GatewayPorts: GatewayPorts specifies whether or not remote hosts can connect to local forwarded ports. Works in conjunction with LocalForward. Defaults to no.
      ~/.ssh/config:
      Host inspire
        HostName staging.inspirehq.com
        User inspire
        LocalForward 8080:example.com:80
        GatewayPorts yes
      your-box> ssh example.com
  83. ServerAliveInterval: ServerAliveInterval sets a time interval in seconds after which, if no data has been received from the server, ssh will send a message to the server. Defaults to 0, meaning this will never be sent. This can be used to keep SSH connections alive.
      ~/.ssh/config:
      Host inspire
        HostName staging.inspirehq.com
        User inspire
        LocalForward 8080:example.com:80
        GatewayPorts yes
        ServerAliveInterval 5
      your-box> ssh example.com
  84. > ssh inspire
  85. man ssh_config
  86. Overuse ~/.ssh/config: SSHing into an IP more than once? SSHing into crazy domains? (ie: Amazon) Looking up an IP or hostname routinely? Save it in ~/.ssh/config.
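Slide 77 says each Host line starts a new section but not how sections combine, and that is where ~/.ssh/config bites people: per ssh_config(5), for every keyword the first obtained value wins, so a Host * block placed at the top silently overrides every specific block below it (including a ForwardAgent yes you meant to restrict to one host). The script below is an added example, not part of the presentation; it resolves what ssh will use for an alias under that rule. It assumes plain "Keyword value" lines, Host patterns with only * and ? wildcards, and no Match or Include directives; the sample config it embeds is constructed from the host names on slides 77 to 83.

```shell
#!/bin/sh
# Added example (not from the presentation): work out what ssh will actually use
# for a Host alias from a ~/.ssh/config-style file, applying the ssh_config(5)
# rule that the first obtained value for each keyword wins. Assumptions: plain
# "Keyword value" lines, Host patterns with only * and ? wildcards (no "!"
# negation), and no Match or Include directives.

# ssh_resolve <config file> <alias> <keyword>: print the winning value, or fail if none
ssh_resolve() {
    cfg=$1; name=$2; key=$3
    awk -v target="$name" -v key="$key" '
        # Turn a Host pattern into an anchored regex: "." literal, "*" any run, "?" any char.
        function glob_to_re(p) {
            gsub(/\./, "\\.", p); gsub(/\*/, ".*", p); gsub(/\?/, ".", p)
            return "^" p "$"
        }
        BEGIN { active = 1; lkey = tolower(key) }   # lines before the first Host apply everywhere
        NF == 0 || $1 ~ /^#/ { next }               # blank lines and comments
        tolower($1) == "host" {                      # new section; active if any pattern matches
            active = 0
            for (i = 2; i <= NF; i++) if (target ~ glob_to_re($i)) active = 1
            next
        }
        active && !found && tolower($1) == lkey { found = 1; val = $2 }   # first value wins
        END { if (!found) exit 1; print val }
    ' "$cfg"
}

# ssh_effective <config file> <alias>: user@hostname:port plus ForwardAgent, with the
# defaults ssh uses (alias as host name, local login name, port 22, no forwarding)
# filled in where the file says nothing.
ssh_effective() {
    cfg=$1; name=$2
    hostname=$(ssh_resolve "$cfg" "$name" HostName)  || hostname=$name
    user=$(ssh_resolve "$cfg" "$name" User)          || user=$(id -un)
    port=$(ssh_resolve "$cfg" "$name" Port)          || port=22
    fwd=$(ssh_resolve "$cfg" "$name" ForwardAgent)   || fwd=no
    printf '%s@%s:%s forwardagent=%s\n' "$user" "$hostname" "$port" "$fwd"
}

# Constructed sample config: specific hosts first, catch-all "Host *" last,
# because nothing after a block that already supplied a value can change it.
sample_config() {
    cat <<'EOF'
Host inspire
    HostName staging.inspirehq.com
    User inspire
    Port 45000
    ForwardAgent yes

Host inspire.production
    HostName inspirehq.com
    User inspire

Host *.production
    Port 2222

Host *
    User deploy
    ForwardAgent no
EOF
}

# Run directly as: sh resolve.sh ~/.ssh/config inspire
if [ $# -eq 2 ]; then
    ssh_effective "$1" "$2"
fi
```

Note the ordering in the sample: inspire.production picks up Port 2222 from the later *.production block only because its own block never set Port, while ForwardAgent for it falls through to the Host * default of no. On OpenSSH releases that support it, ssh -G <alias> prints the same effective values straight from the real parser and is the check to run after editing the file.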
  87. ...skipping server configuration...
  88. SSH and Other apps
  89. scp: secure file copy
  90. Copy a single file:
      scp file1 example.com:
  91. Copy multiple files:
      scp file1 file2 example.com:
  92. Copy to other locations:
      scp file1 example.com:foo/bar
      scp file1 example.com:/foo/bar
  93. scp doesn't copy directories:
      scp dir/ example.com:foo/bar
      dir/: not a regular file
  94. rsync: remote file copying
  95. Copy a single file:
      rsync -avz file1 example.com:
  96. Copy a directory:
      rsync -avz dir/ example.com:
  97. rsync does so much more: incremental file transfers (only transfers what's different); include/exclude files and directories; include/exclude file name patterns; can copy files from a remote box to a local box; can copy files from a local box to a remote box.
  98. git
  99. git/ssh info: can run over SSH. Supports SSH client configuration files. Can be set to a specific SSH binary using the GIT_SSH environment variable.
  100. The End
