My SSH Tips - Yes, More Than One

There is a meme going around Planet Debian right now about SSH tips. Here are mine.

I used to travel the country teaching Linux system administrators. I have spent many a day in airports, hotels and training centers. Whenever there was a network connection available, I was on it, mainly with SSH. SSH is so flexible that I want to show how I configured it and how I manage it.

First, my ~aaron/.ssh/config:

Host *
    Cipher=blowfish
    CompressionLevel=9
    ServerAliveInterval=30
Host *.server1.com
    GSSAPIAuthentication=yes
Host *.server2.com
    ForwardAgent=yes
Host foo
    Hostname foo.server2.com
    Port=22222
Host bar
    Hostname bar.server2.com
    Port=22000
Host baz
    Hostname baz.server2.com

Then, my ~aaron/.zshrc:

alias foo='ssh foo'
alias bar='ssh bar'
alias baz='ssh baz'

Now, from the terminal (assuming I'm using SSH keys to authenticate):

<<< 15:18.27 Thu Dec 11 2008!~
<<< aaron@kratos!3045 B:94% (0:45:31)
>>> for HOST in foo bar baz; do ssh $HOST 'touch ~/.hushlogin'; done

So, what's going on here? In my SSH config, I've first chosen to use the Blowfish algorithm, as it's light and fast, and I've turned compression up to the maximum to minimize the data passed over the wire, as some connections just suck when it comes to bandwidth. I'm forwarding my SSH agent to *.server2.com, so I don't have to enter the SSH key passphrase again after I've already entered it on my client. Of course, this should be done for trusted systems only; *.server2.com represents my personal servers here. I've set the connection to send a TCP SYN packet every 30 seconds, so I don't lose the connection on some shoddy networks. Then, for one specific host, I've set up support for Kerberos authentication, and for all the rest I've set up host shortcuts, telling SSH what hostname and port to use. Basically, I like typing as little as possible on the terminal.

Then, on all SSH machines that I have access to, I don't like the message of the day, if one exists, so I create ~aaron/.hushlogin to stop it from displaying on my terminal. Finally, in my ~aaron/.zshrc, I created a few aliases to make it easy to get to each host, again minimizing my typing as much as possible. So, I can just type "foo" on the terminal, and it will run "ssh foo", which means "ssh foo.server2.com".
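One thing worth checking with a config like the one above is which stanzas actually apply when a shortcut is used. ssh matches Host patterns against the name typed on the command line, not against the Hostname the stanza resolves it to, and the first value found for an option wins, so "Host *" at the top pins its options for every later stanza. The script below is an added example, not code from the post or from OpenSSH: it writes a constructed copy of the config above to a temporary file and resolves the effective value of an option for a given alias following those two rules (keyword names are compared as written; real ssh ignores their case). Running it shows that "ssh foo" gets Port 22222 but no ForwardAgent, while "ssh foo.server2.com" gets the agent forwarded but the default port.

```shell
#!/bin/sh
# Added example (not from the post): resolve what ssh will actually use for a
# given option, following ssh_config matching rules, against a constructed
# copy of the config from the post.

SSH_CFG=$(mktemp)
trap 'rm -f "$SSH_CFG"' EXIT
cat > "$SSH_CFG" <<'EOF'
Host *
    Cipher=blowfish
    CompressionLevel=9
    ServerAliveInterval=30
Host *.server1.com
    GSSAPIAuthentication=yes
Host *.server2.com
    ForwardAgent=yes
Host foo
    Hostname foo.server2.com
    Port=22222
Host bar
    Hostname bar.server2.com
    Port=22000
Host baz
    Hostname baz.server2.com
EOF

# ssh_effective_opt CONFIG ALIAS OPTION
# Prints the value ssh would use for OPTION when invoked as "ssh ALIAS", or
# nothing if no matching stanza sets it (ssh then falls back to its default).
# Two ssh_config rules are modelled: Host patterns are matched against the
# name typed on the command line, not the Hostname it resolves to, and the
# first value found for an option wins. Accepts "Key=value" and "Key value".
ssh_effective_opt() {
    cfg=$1 alias_name=$2 want=$3
    active=0 value=
    set -f   # a pattern such as "*" must not expand to file names below
    while IFS= read -r line || [ -n "$line" ]; do
        # strip leading blanks and rewrite "Key=value" as "Key value"
        line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//; s/^\([A-Za-z]*\)=/\1 /')
        case $line in ''|'#'*) continue ;; esac
        key=${line%% *}
        val=${line#* }
        if [ "$key" = Host ]; then
            # a Host line (re)decides whether the following options apply
            active=0
            for pat in $val; do
                case $alias_name in $pat) active=1 ;; esac
            done
        elif [ "$active" -eq 1 ] && [ "$key" = "$want" ] && [ -z "$value" ]; then
            value=$val   # first value obtained wins; later stanzas cannot override
        fi
    done < "$cfg"
    set +f
    printf '%s\n' "$value"
}

# Stand-alone run: show why "ssh foo" does not forward the agent even though
# foo resolves to foo.server2.com.
for h in foo bar baz foo.server2.com; do
    printf '%-16s Port=%-6s ForwardAgent=%s\n' "$h" \
        "$(ssh_effective_opt "$SSH_CFG" "$h" Port)" \
        "$(ssh_effective_opt "$SSH_CFG" "$h" ForwardAgent)"
done
```

Against a real installation the same question is answered by `ssh -G foo`, which prints the configuration ssh would use for that alias; the script only makes the matching rules visible without touching the local ~/.ssh/config.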

Beautiful.

However, not all is done. I am also a big fan of hiding any and all network traffic. It's no one's business to see my packets. So, I have another alias set up in my ~aaron/.zshrc:

alias tunnelfoo='pkill ssh; ssh -4fgN -D 8081 -L 8080:localhost:3128 foo'

This connects to foo, setting up both a dynamic and a static SOCKS proxy. First, however, you'll notice that it runs "pkill ssh" before setting up the tunnel. I do this because when I suspend my laptop and then resume on a different connection, that process is still running, and trying to re-establish the proxy fails, saying the ports are already bound. So, I just always kill any SSH connection when tunneling. This could be a bit of a pain if I had already set up an SSH connection before running this alias. Also, the static SOCKS proxy assumes that there is a Squid proxy on the other end to tunnel the connection through. All I need to do now is set up Firefox to connect to localhost on either port 8080, if I want to use Squid on the other end, or port 8081, if I want SSH to handle the proxied TCP/IP packets. Both are useful. I would recommend the FoxyProxy extension, if you aren't already using it. It makes it easy to connect to these ports and send your traffic through the SSH tunnel.

Finally, when I'm at a remote location and want to keep access back into that network after I leave (this could be useful at the training center, where I may need to administer or play with student machines from the hotel), I'll set up a reverse SSH tunnel before leaving, to get back into the network:

ssh -4fgNR 8080:remote.server.com:22 foo.server2.com

Now, when I'm somewhere other than the location I was just at, I can run the following two commands to get back into that network:

<<< 15:33.43 Thu Dec 11 2008!~
<<< aaron@kratos!3048 B:98% (0:20:38)
>>> ssh foo
<<< 15:33.46 Thu Dec 11 2008!~
<<< aaron@foo!471
>>> ssh -p 8080 localhost
Password:
[aaron@remote.server.com:~]$

Now I'm back in the network where I set up this reverse SSH tunnel to begin with. From here, I can do work from home, the hotel, the airport, or wherever I happen to be. Those are my SSH tips. They make SSH much more enjoyable to work with. Of course, I'm using SSH keys or Kerberos to authenticate, so I never need to deal with passwords when moving about networks.
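Both tunnel commands above carry -g, which tells ssh to accept connections to its local forwards from other hosts, so on a hotel or training-center network the SOCKS proxy on 8081 and the Squid forward on 8080 are reachable by anyone else on that network, not only by the Firefox instance on the laptop. The function below is an added example, not code from the post or from OpenSSH: it parses an ssh command line (the flags used in this post plus -p; IPv6 bracket syntax is not handled) and prints each forward with the address it will listen on, so the effect of -g is visible before a tunnel is started. For a reverse forward the listener lives on the server, where the server's own GatewayPorts setting, not the client's -g, decides whether other hosts may reach it.

```shell
#!/bin/sh
# Added example (not from the post): list what each port forward on an ssh
# command line will listen on. Example code, not part of OpenSSH.

# ssh_forward_audit SSH_ARGS...
# Prints a warning line if -g is present, then one line per -L/-D/-R forward.
# Local listeners (-L, -D) bind to 127.0.0.1 unless -g widens that to
# 0.0.0.0; an explicit bind address in the forward spec always wins.
# A remote listener (-R) is opened by sshd on the destination host.
ssh_forward_audit() {
    gateway=0 fwds=
    OPTIND=1
    while getopts '46fgNnqACL:R:D:p:' opt; do
        case $opt in
            g) gateway=1 ;;
            L|R|D) fwds="$fwds $opt=$OPTARG" ;;
            *) ;;   # other flags do not affect forwarding
        esac
    done
    shift $((OPTIND - 1))
    dest=${1:-'(no destination)'}
    [ "$gateway" -eq 1 ] && printf '%s\n' 'WARNING: -g binds local -L/-D listeners to all interfaces'
    for f in $fwds; do
        kind=${f%%=*} spec=${f#*=}
        colons=$(printf '%s' "$spec" | tr -cd ':' | wc -c | tr -d ' ')
        bind=127.0.0.1
        [ "$gateway" -eq 1 ] && bind=0.0.0.0
        case $kind in
            D)
                # -D [bind:]port
                if [ "$colons" -ge 1 ]; then bind=${spec%%:*}; spec=${spec#*:}; fi
                printf '%s\n' "LOCAL $bind:$spec -> dynamic SOCKS via $dest"
                ;;
            L)
                # -L [bind:]port:host:hostport
                if [ "$colons" -ge 3 ]; then bind=${spec%%:*}; spec=${spec#*:}; fi
                port=${spec%%:*} target=${spec#*:}
                printf '%s\n' "LOCAL $bind:$port -> $target via $dest"
                ;;
            R)
                # -R [bind:]port:host:hostport; the listener is on the server,
                # so the client's -g does not apply to it
                if [ "$colons" -ge 3 ]; then spec=${spec#*:}; fi
                port=${spec%%:*} target=${spec#*:}
                printf '%s\n' "REMOTE $dest:$port -> $target (reachable from other hosts only if sshd sets GatewayPorts)"
                ;;
        esac
    done
}

# Stand-alone run over the two command lines from the post.
printf '%s\n' '# tunnelfoo alias:'
ssh_forward_audit -4fgN -D 8081 -L 8080:localhost:3128 foo
printf '%s\n' '# reverse tunnel:'
ssh_forward_audit -4fgNR 8080:remote.server.com:22 foo.server2.com
```

Dropping -g from the tunnelfoo alias puts both listeners back on 127.0.0.1, which is all the FoxyProxy setup needs since Firefox connects to localhost; pinning the bind address explicitly (-D 127.0.0.1:8081) has the same effect even when -g is present for some other reason.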

Cheers!

3 Comments

  1. Jeff Shipley | December 11, 2008 at 4:50 pm

    .hushlogin is going to save me a lot of screen chatter, thanks.

    I have a question though. On some servers, .hushlogin doesn't seem to work. For example, I have a shell account that I use sometimes which displays some ascii art and then goes to a curses dialog that allows me to check some stats on my account (available vhosts and ports). If I put a .hushlogin file in my ~, then the curses dialog is disabled but the /etc/motd is still displayed when I connect.

    Is there any other way besides .hushlogin to silence ssh login chatter?

  2. Ilja Pavkovic | December 12, 2008 at 3:46 am

    You can do other interesting stuff; for example, you can have different identity files for different hosts:

    Host *

    Host bar
        Hostname bar.server2.com
        IdentityFile ~/.ssh/id_dsa.bar.server2.com

    Host foo
        Hostname foo.server.com
        IdentityFile ~/.ssh/id_dsa.foo.server.com


  3. Yorokobi | December 16, 2008 at 8:16 pm

    Something that was pointed out to me earlier today: ControlMaster and ControlPath. Definitely worth using if you need more than one concurrent connection to an SSH host.

    Host *
        ControlMaster auto
        ControlPath ~/.ssh/master-%r@%h:%p
