SSH

This page will provide how-tos that are about more than just cool and useful software and making things work. It is, in large part, personal config and help stuff.

SSH (secure shell)

SSH is a tool to log into other machines. You use it at the terminal, and you get a new terminal. What's really cool, though, is that you can run programs on that computer, and if those are graphical programs you can set it up to display the graphics on your computer (if you don't set it up, they just don't show up anywhere.... even though I know you want them to pop up randomly in front of whoever is using that computer presently. Not all OS programmers have a sense of humor... either that or it got old in 1993).

SSH is fully encrypted and safe to send/edit/manipulate data. This is different than rsh (remote shell), rlogin (remote login), and telnet, which are not secure. If you want to send your password in plain text across the interweb, and then, after you are validated, send all of your data fully visible to anyone watching network traffic, use one of those protocols.

There are lots of ways to use SSH, and man ssh will tell you about them. Here are the most common ones:

The raw defaults try to log your username into the remote host at port 22 (the standard SSH port) :

 ssh 192.168.1.100
 ssh boxeebox.com

If you have a different account or the server uses a different port, you need to specify them. My webserver, for instance, serves SSH requests on port 2222.

 ssh kevin@boxeebox.com
 ssh -p 2222 kcrouse@mywebserver.com

If you want to do X forwarding, which lets you run graphical programs on the remote machine but have the graphics come back to your machine (magic stuff), then you need to use -X for standard X forwarding and -Y for trusted X forwarding. What is the difference? I don't really know, except that trusted forwarding basically opens you up to a lot more security vulnerabilities. Both should only be used if you know who owns the server and you trust them and anyone else using those machines.

 ssh -X kevin@boxeebox.com
 ssh -Y -p 2222 192.168.1.100 

SCP (secure copy)

SCP is a way to copy files from one computer to another, again securely over ssh. You know all the common options from SSH, so I'll just give you some examples. Note the -r for 'recursive', just like cp -R

 scp file.txt 192.168.1.100:~/textfiles
 scp -r kevin@boxeebox.com:/var/log/stuff /music/stuff  
 scp -P 2222 kcrouse@mywebserver.com:babypenguins.png ~

SFTP (secure ftp (file transfer protocol))

SFTP is a way to upload and download files securely. You also don't need to have a separate server running - sftp is done over the same protocol as ssh, and so any computer with an ssh server running can run sftp. If you know how to use ftp (lls, lcd, put, get), all of the standard commands work in sftp.

 sftp 192.168.1.100
 sftp kevin@boxeebox.org
 sftp -o port=2222 kcrouse@mywebserver.com

SSH Config File

So you are tired of adding in your custom username, port number, and specifying -X to log into your home desktop computer from your laptop? And you can't remember if scp uses -P <port> or -o port=<port>? Well, you can set up a config file, keyed on the hostname you type, to do it all for you! It's fantastic. First, create the directory and the file and make sure they have secure settings:

mkdir -p ~/.ssh
chmod 0700 ~/.ssh
touch ~/.ssh/config
chmod 0600 ~/.ssh/config

Now use gedit or vi or whatever you like to edit the config file you just created. You will create entries that have the following format:

Host [sets of hosts that you want to ssh into.  You can use wildcards, like *'s]
     Hostname [fully qualified hostname]
     User [the username]
     Port [port]
     ForwardAgent yes/no [whether to forward your ssh-agent connection to the remote host, the same as -A]
     ForwardX11 yes/no [the same as -X]
     ForwardX11Trusted yes/no [the same as -Y]

The cool thing about the Host setting is that the domain doesn't need to exist! You can say anything, and then when you type ssh anything, it will use all of the parameters you specified (you would need to specify Hostname if you have a fake Host).

Some examples :

Host touch*
        User touch
Host *.google.com
        Port 8854
Host myhost myhost.com
        Hostname myhost.com
        User krcrouse
        Port 2222
        ForwardAgent yes
        ForwardX11 yes
Host boxee boxeebox 192.168.1.100
        Hostname 192.168.1.100
        User boxeebox
        ForwardAgent yes
        ForwardX11Trusted yes
Host boxee.away boxeebox.away
        Hostname boxeebox.com
        User boxeebox
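
An added example, not part of the original page: since forwarding should only be switched on for servers you trust, this shell function lists the Host blocks in a config file that enable agent or X11 forwarding and marks blocks whose patterns contain wildcards. The function names and the `Host *` block in the sample are made up for illustration; the other sample blocks come from the examples above.

```shell
# List Host blocks that enable forwarding; mark wildcard patterns.
# $1: ssh client config file, or "-" to read stdin (default: ~/.ssh/config)
audit_ssh_forwarding() {
    awk '
        function emit() {
            if (flags != "") {
                wild = (hosts ~ /[*?]/) ? " WILDCARD" : ""
                print hosts ":" flags wild
            }
            flags = ""
        }
        BEGIN { hosts = "(global)" }          # options before the first Host line
        /^[ \t]*#/ || /^[ \t]*$/ { next }     # skip comments and blank lines
        { sub(/=/, " "); key = tolower($1); val = tolower($2) }  # "Key=value" form
        key == "host" || key == "match" {     # a new block starts here
            emit(); $1 = ""; sub(/^ +/, ""); hosts = $0; next
        }
        (key == "forwardagent" || key == "forwardx11" ||
         key == "forwardx11trusted") && val == "yes" { flags = flags " " $1 }
        END { emit() }
    ' "${1:-$HOME/.ssh/config}"
}

# Constructed sample: blocks from the examples above plus a made-up "Host *".
sample_config() {
    cat <<'EOF'
Host touch*
        User touch
Host myhost myhost.com
        Hostname myhost.com
        ForwardAgent yes
        ForwardX11 yes
Host boxee boxeebox 192.168.1.100
        ForwardAgent yes
        ForwardX11Trusted yes
Host *
        ForwardAgent=yes
EOF
}
sample_config | audit_ssh_forwarding -
```

Run it with no argument to check your own ~/.ssh/config.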

SSH Authorized Keys Configuration

So now that you have all of the settings for your trusted host computers, it's really cool. Really cool. ssh, scp, and sftp. You can almost seamlessly copy files from other computers. Almost. Except that you have to enter your password every time. That is annoying.

Now let's say you trust the server and you don't want to enter your client. You have accounts on both machines. Why can't it just figure things out?!

It can - by setting up authorized keys. This is the how-to. Before you begin, you do have to make sure that you have valid user accounts on both machines. They don't have to have the same login or password, but you need to be able to write to the ~/.ssh directory. What we will do is make a set of encrypted keys and then give the open public key to the hosts you want to be able to log into automatically.

Making the Key

First, make your keys. Do not enter a password - you want the 'empty' option. With no password on the key, anyone who can read the private key file can log in as you, so since we care a little bit about security, we check that all our permissions are set correctly.

mkdir -p ~/.ssh
chmod 0700 ~/.ssh

ssh-keygen -t dsa
chmod 0600 ~/.ssh/id_dsa
chmod 0644 ~/.ssh/id_dsa.pub

Create the authorized keys file

Next, create the authorized_keys2 file and set the permissions. This is the file in which you store other keys for automatic ssh transfers.

touch ~/.ssh/authorized_keys2
chmod 0600 ~/.ssh/authorized_keys2

Copy the public key to the remote computer

Now, temporarily copy your file to your second computer/account, make sure the authorized keys file is there and correctly permissioned, and then add the keys and delete the file.

scp ~/.ssh/id_dsa.pub kevin@<HOST>:temp_id

Log into the computer and add your client's Information

ssh kevin@<HOST>

mkdir -p ~/.ssh
chmod 0700 ~/.ssh
touch ~/.ssh/authorized_keys2
chmod 0600 ~/.ssh/authorized_keys2
cat temp_id >> ~/.ssh/authorized_keys2
rm -f temp_id

You should be set!
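
An added example, not part of the original page: the server-side steps above as a function that can be re-run without adding the same key twice, plus a check that the files still have the modes this page sets. The function names and the key line in the demo are constructed; `authorized_keys2` and `temp_id` are the names used above.

```shell
# Append a public key to authorized_keys2 once, with the modes used above.
# $1: public key file copied to the server (temp_id above)  $2: ssh dir (default ~/.ssh)
install_pubkey() {
    pub=$1; dir=${2:-$HOME/.ssh}; auth=$dir/authorized_keys2
    # A .pub file holds exactly one non-empty line: "type base64 [comment]".
    [ "$(grep -c . "$pub" 2>/dev/null)" -eq 1 ] 2>/dev/null ||
        { echo "expected one key line in $pub" >&2; return 1; }
    key=$(grep . "$pub")
    mkdir -p "$dir" && chmod 0700 "$dir" || return 1
    touch "$auth" && chmod 0600 "$auth" || return 1
    # -x whole line, -F fixed string: append only if this exact key is absent.
    grep -qxF -- "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
}

# Report entries that are more open than the modes set on this page.
# Returns 0 when everything matches, 1 otherwise.
check_ssh_perms() {
    dir=${1:-$HOME/.ssh}; bad=0
    for f in "$dir" "$dir"/config "$dir"/authorized_keys* "$dir"/id_*; do
        [ -e "$f" ] || continue
        mode=$(ls -ld "$f" | cut -c1-10)
        case $f in
            *.pub) want='?????-??-?' ;;   # public key: readable, not group/other writable
            *)     want='????------' ;;   # everything else: owner only
        esac
        case $mode in
            $want) ;;
            *) echo "too open: $mode $f"; bad=1 ;;
        esac
    done
    return $bad
}

# Demo in a scratch directory with a constructed (not real) public key line.
demo=$(mktemp -d)
echo 'ssh-dss AAAAconstructedexamplekey kevin@laptop' > "$demo/temp_id"
install_pubkey "$demo/temp_id" "$demo/.ssh" && check_ssh_perms "$demo/.ssh" && echo "ok"
rm -rf "$demo"
```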

Page last modified on July 03, 2009, at 10:05 PM