Image of the glider from the Game of Life by John Conway
Skip to content
{ 2008 12 11 }

My SSH Tips - Yes, More Than One

There is a meme going on with Planet Debian right now about SSH tips. Here's mine.

I used to travel the country teaching Linux System Administrators. I have spent many a day in airports, hotels and training centers. Whenever there was a network connection available, I was on it, mainly with SSH. SSH is so flexible, that here is how I configured it, and how I managed it.

First, my ~aaron/.ssh/config:

Host *
    Cipher=blowfish
    CompressionLevel=9
    ServerAliveInterval=30
Host *.server1.com
    GSSAPIAuthentication=yes
Host *.server2.com
    ForwardAgent=yes
Host foo
    Hostname foo.server2.com
    Port=22222
Host bar
    Hostname bar.server2.com
    Port=22000
Host baz
    Hostname baz.server2.com

Then, my ~aaron/.zshrc:

alias foo='ssh foo'
alias bar='ssh bar'
alias baz='ssh baz'

Now, from the terminal (assuming I'm using SSH keys to authenticate):

<<< 15:18.27 Thu Dec 11 2008!~
<<< aaron@kratos!3045 B:94% (0:45:31)
>>> for HOST in foo bar baz; do ssh $HOST 'touch ~/.hushlogin'; done

So, what's going on here? In my SSH config, I've first chosen to use the Blowfish algorithm, as it's light and fast, and I've turned compression on to the max to minimize the data passed on the wire as some connections just suck when it comes to bandwidth. I'm forwarding my SSH agent to *.server2.com, so I don't have to always enter the SSH key passphrase after I've already entered it on my client. Of course, this should be on trusted systems only, and *.server2.com represents my personal servers here. I've set the connection to send a TCP SYN packet every 30 seconds, so I don't lose the connection on some shoddy networks. Then, one specific host, I've setup support for Kerberos authentication, and all the rest, I've setup host shortcuts, telling SSH what hostname and port to use. Basically, I like typing as little as possible on the terminal

Then, on all SSH machines that I have access to, I don't like the message of the day, if one exists, so I create the ~aaron/.hushlogin to stop that from displaying on my terminal. Finally, in my ~aaron/.zshrc, I created a few aliases for making it easy to get to the host- again, minimizing my typing as much as possible. So, I can just type "foo" on the terminal, and I will "ssh foo" which means to "ssh foo.server2.com".

Beautiful.

However, not all is done. I also am a big fan of hiding any and all network traffic. It's no ones business to see my packets. So, I have another alias setup in my ~aaron/.zshrc:

alias tunnelfoo="'pkill ssh; ssh -4fgN -D 8081 -L 8080:localhost:3128 foo"

This connects to foo setting up both a dynamic and static SOCKS proxy. First, however, you'll notice that it runs "pkill ssh" before setting up the tunnel. I do this, because when I suspend my laptop, then resume on a different connection, that process is still running, and trying to re-establish the proxy fails, saying the ports are already bound. So, I just always kill any SSH connection when tunneling. This could be a little of a pain, if I already setup an SSH connection before running this alias. Also, the static SOCKS assumes that there is Squid proxy on the other end to tunnel the connection through. All I need to do now, is setup Firefox to connect to localhost on either port 8080 if I want to use Squid on the other end, or port 8081 if I want SSH to handle the proxied TCP/IP packets. Both are useful. I would recommend the FoxyProxy extension, if you aren't already using it. It makes it easy to connect to these ports and tunnel your SSH traffic.

Finally, when I'm at remote locations, and I want access back into the network before I leave (this could be useful in the training center, where I may need to administer or play with student machines from the hotel), I'll setup a reverse SSH tunnel, to get back into the network:

ssh -4fgNR 8080:remote.server.com:22 foo.server2.com

Now, when I get somewhere else, other than the location I was just at, I can run the following two commands to get back into that network:

<<< 15:33.43 Thu Dec 11 2008!~
<<< aaron@kratos!3048 B:98% (0:20:38)
>>> ssh foo
<<< 15:33.46 Thu Dec 11 2008!~
<<< aaron@foo!471
>>> ssh -p 8080 localhost
Password:
[aaron@remote.server.com:~]$

Now, I'm back into the network where I setup this remote SSH tunnel to begin with. From here, I can do work from home, the hotel, the airport, or wherever I happen to be. Those are my SSH tips. They make SSH much more enjoyable to be working with. Of course, I'm using SSH keys or Kerberos to authenticate, so I never need to deal with passwords when moving about networks.

Cheers!

Posted by Aaron Toponce on Thursday, December 11, 2008, at 4:09 pm. Filed under Linux, Security. Follow any responses to this post with its comments RSS feed. You can post a comment or trackback from your blog. For IM, Email or Microblogs, here is the Shortlink.

{ 3 } Comments