[CHUUG]

Stupid SSH Tricks

Advanced Use



  1. Use a Passphrase! Greatly increases your level of security, but can affect ease of use.

    • ssh-keygen -p will add or change a passphrase.
    • Use ssh-agent and ssh-add to cache your identity; you thus only need to authenticate once on login, and all your remote connections will query the agent (not you) for your identity.
    • A passphrase also prevents unattended scripts from using scp. The solution is to use special-purpose keys (see below).

  2. X Tunneling: happens by default unless you (or whoever installed sshd) decide otherwise. How it works:

    • DISPLAY variable is automatically set to, e.g., remotehost:10
    • Remote ssh daemon tunnels X events to local ssh client.
    • Local ssh client connects these to local X server (:0 or whatever).
    • No need to manually set variables, use xhost or xauth; it just works.

  3. Compression: most useful across a slow link (e.g., modem). Add -C to command lines, or use ~/.ssh/config to enable for some or all hosts. For text (including PS) transfers, can vastly improve performance. Works for simple X apps too (emacs) but doesn't do much for graphic-intensive X apps.

  4. Special Keys: If you generate a second or subsequent key (NOT your identity file!) and then prefix its entry in authorized_keys with options, for example:

    command="/home/mystuff/progname",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty 1024 37 343452435...

    (all on one line, no line breaks: the options, a space, then the key itself), this restricts what ssh using the equivalent private key can do. You can use environment variables:

    • SSH_ORIGINAL_COMMAND and
    • SSH_CLIENT (remote IP)

    within the program or script. Use stdout from your program/script to send output to the other end, or read from stdin if the remote end sends to its stdout.

    This has been used to facilitate many automatic jobs within NRAO that used to use rcp and relied on .rhosts files. Here is a sample perl script that serves up only certain files.
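    The kind of program a command= key points at, as an added example written in POSIX sh rather than the slide's Perl (this is not the original script); the allow-list, the export directory, the "get <name>" request format and the servefiles path are assumptions.

```sh
#!/bin/sh
# Added example (not the slide's Perl script): a forced-command wrapper for a
# special-purpose key. Install it via an authorized_keys option such as
#   command="/home/mystuff/servefiles",no-port-forwarding,no-pty ...key...
# sshd then runs this no matter what the client typed; the client's request is
# handed over in SSH_ORIGINAL_COMMAND. Assumed: files live in SERVE_DIR, only
# the names in ALLOWED may be read, and the only request is "get <name>".
set -f                                            # never glob-expand the request

SERVE_DIR="${SERVE_DIR:-/home/mystuff/export}"    # assumed directory
ALLOWED="report.txt summary.ps"                   # assumed allow-list

# Succeed only if $1 is exactly one of the allowed bare file names.
is_allowed() {
    for name in $ALLOWED; do
        [ "$1" = "$name" ] && return 0
    done
    return 1
}

# Validate a request string; print the file name on success, return 1 otherwise.
# Rejects anything but "get <name>", and any <name> that is a path, contains
# "..", or looks like an option.
parse_request() {
    set -- $1                       # word-split the request (globbing is off)
    [ $# -eq 2 ] || return 1
    [ "$1" = "get" ] || return 1
    case $2 in
        */*|*..*|-*) return 1 ;;
    esac
    is_allowed "$2" || return 1
    printf '%s\n' "$2"
}

# Serve the request or refuse it; SSH_CLIENT's first field is the remote IP.
serve() {
    if file=$(parse_request "$SSH_ORIGINAL_COMMAND"); then
        cat "$SERVE_DIR/$file"      # stdout travels back to the client
    else
        logger -t servefiles "refused '$SSH_ORIGINAL_COMMAND' from ${SSH_CLIENT%% *}"
        echo "request refused" >&2
        exit 1
    fi
}

# Act only when sshd invoked us as a forced command (so the file can be sourced).
if [ -n "$SSH_ORIGINAL_COMMAND" ]; then
    serve
fi
```

    Because the client's own command line is never executed, the same key can be handed to a cron job without giving that job a shell on the server.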

  5. Other Tunneling: You can tunnel arbitrary ports, e.g. POP3, IMAP, and even FTP (tricky; needs ports 20 and 21). Beyond the scope of this talk (possible presentation by Brian Mays?). See the -L and -R options in the manual pages for ssh.
Stupid SSH Tricks
Pat Murphy