Out of all of
the utilities available to systems administrators ssh is probably the most useful of them
all. Not only does it allow you to log into systems securely, but it can also be used to copy files, tunnel IP traffic and run remote commands on distant servers. It’s truly
the Swiss army knife of systems administration. Secure Shell, also known as ssh, was developed in 1995 by Tau Ylonen
after the University of Technology in Finland suffered a
password sniffing
attack. Back then it was common to use
tools like rcp, rsh, ftp and telnet to connect to systems and move files across
the network. The main problem with these
tools is they provide no security and transmitted data in plain text including
sensitive login credentials. SSH
provides this security by encrypting all traffic transmitted over the wire to
protect from
password sniffing attacks.
One of the more common use cases involving SSH is found when using scp. Secure Copy (scp) transmits data between hosts using SSH and allows you to easily copy all types of files.
The syntax for the scp command is:
scp /pathlocal/filenamelocal remoteuser@remotehost:/pathremote/filenameremote
In the following simple example, I move a file named myfile from the system test1 to the system test2. I am prompted to provide valid user credentials for the remote host before the transfer will proceed. If I were only using ftp, this information would be unencrypted as it went across the wire. However, because scp uses SSH, my user credentials and the file and its contents are confidential and remain secure throughout the transfer.
[user1@test1
~]# scp /home/user1/myfile user1@test2:/home/user1user1@test2's
password: myfile
100% 0
0.0KB/s 00:00
You can
also use ssh to send network traffic and utilize the
encryption built into ssh to protect traffic over the
wire. This is known as an ssh tunnel. In order to utilize this feature, the server that you intend to connect to (the remote system) must have TCP forwarding enabled within the sshd configuraton. To enable TCP forwarding on the remote system, make sure AllowTCPForwarding is set to yes and enabled in the /etc/ssh/sshd_conf file:
AllowTcpForwarding yes
Once you have this configured, you can connect to the server and setup a local port which you can direct traffic to that will go over the secure tunnel. The following command will setup a tunnel on
port 8989 on your local system. You can
then redirect a web browser to use this local port, allowing the traffic to go through the encrypted tunnel to the remote system. It is important to select a local port that is not being used by a service and is not restricted by firewall rules. In the following example the -D specifies a local dynamic application level port forwarding and the -N specifies not to execute a remote command.
ssh
–D 8989
[email protected] -N
You can also
forward specific ports on both the local and remote host. The following example will setup a port
forward on port 8080 and forward it to port 80 on the remote machine.
ssh -L 8080:farwebserver.com:80
[email protected]
You can
even run remote commands via ssh which
is quite useful for scripting or remote system administration tasks. The following example shows how to log in
remotely and execute the command ls –la
in the home directory of the machine. Because ssh encrypts the traffic, the login credentials and output of the command are completely protected while they travel over the wire.
[rchase@test1
~]$ ssh rchase@test2 'ls -la'rchase@test2's
password: total
24drwx------
2 rchase rchase 4096 Sep 6 15:17 .drwxr-xr-x.
3 root root 4096 Sep 6 15:16 ..-rw-------
1 rchase rchase 12 Sep 6 15:17 .bash_history-rw-r--r--
1 rchase rchase 18 Dec 20 2012 .bash_logout-rw-r--r--
1 rchase rchase 176 Dec 20 2012 .bash_profile-rw-r--r--
1 rchase rchase 124 Dec 20 2012 .bashrc
You can
execute any command contained in the quotations marks as long as you have
permission with the user account that you are using to log in. This can be very powerful and useful for
collecting information for reports, remote controlling systems and performing
systems administration tasks using shell scripts.
To make
your shell scripts even more useful and to automate logins you can use ssh keys
for running commands remotely and securely without the need to enter a
password. You can accomplish this with
key based authentication. The first step
in setting up key based authentication is to generate a public key for the
system that you wish to log in from. In
the following example you are generating a ssh key on a test system. In case you are wondering, this key was generated
on a test VM that was destroyed after this article.
[rchase@test1
.ssh]$ ssh-keygen -t rsaGenerating
public/private rsa key pair.Enter
file in which to save the key (/home/rchase/.ssh/id_rsa): Enter
passphrase (empty for no passphrase): Enter
same passphrase again: Your
identification has been saved in /home/rchase/.ssh/id_rsa.Your
public key has been saved in /home/rchase/.ssh/id_rsa.pub.The
key fingerprint is:7a:8e:86:ef:59:70:ef:43:b7:ee:33:03:6e:6f:69:e8
rchase@test1The
key's randomart image is:+--[
RSA 2048]----+|
||
. . ||
o . ||
. o o ||
o o oS+ ||
+ o.= = ||
o ..o.+ = ||
. .+. = ||
...Eo |+-----------------+
Now that
you have the key generated on the local system you should to copy it to the target server into a temporary
location. The user’s home directory is
fine for this.
[rchase@test1 .ssh]$ scp id_rsa.pub
rchase@test2:/home/rchaserchase@test2's password: id_rsa.pub
Now that the file has been copied to the server, you need to append it to the authorized_keys file. This should be appended to the end of the file
in the event that there are other authorized keys on the system.
[rchase@test2 ~]$ cat id_rsa.pub
>> .ssh/authorized_keys
Once the process is complete you are ready to login. Since you are
using key based authentication you are not prompted for a
password when logging into the system.
[rchase@test1 ~]$ ssh test2Last login: Fri Sep 6 17:42:02 2013 from test1
This makes
it much easier to run remote commands. Here’s an example of the remote command from earlier. With no
password it’s almost as if the command ran locally.
[rchase@test1 ~]$ ssh test2 'ls -la'total 32drwx------ 3 rchase rchase 4096 Sep 6
17:40 .drwxr-xr-x. 3 root root 4096 Sep
6 15:16 ..-rw------- 1 rchase rchase 12 Sep
6 15:17 .bash_history-rw-r--r-- 1 rchase rchase 18 Dec 20
2012 .bash_logout-rw-r--r-- 1 rchase rchase 176 Dec 20
2012 .bash_profile-rw-r--r-- 1 rchase rchase 124 Dec 20
2012 .bashrc
As a security consideration it's important to note the permissions of .ssh and the authorized_keys file. .ssh should be 700 and authorized_keys should be set to 600. This prevents unauthorized access to ssh keys from other users on the system.
An even
easier way to move keys back and forth is to use ssh-copy-id. Instead of copying the file and appending it manually to the authorized_keys file, ssh-copy-id does both steps at once for you. Here’s an example of moving the same key using ssh-copy-id.The –i in the example is
so that we can specify the path to the id file, which in this case is /home/rchase/.ssh/id_rsa.pub
[rchase@test1]$ ssh-copy-id -i
/home/rchase/.ssh/id_rsa.pub rchase@test2
One of the last tips that I will cover is the ssh config file. By using the ssh config file you can setup host aliases to make logins to hosts with
odd ports or long hostnames much easier and simpler to remember. Here’s an example entry in our .ssh/config file.
Host
dev1 Hostname somereallylonghostname.somereallylongdomain.com Port 28372 User somereallylongusername12345678
Let’s
compare the login process between the two. Which would you want to type and remember?
ssh somereallylongusername12345678@ somereallylonghostname.somereallylongdomain.com
–p 28372
ssh dev1
I hope you find these tips useful. There are a number of tools used by system administrators to streamline processes and simplify workflows and whether you are new to Linux or a longtime user, I'm sure you will agree that SSH offers useful features that can be used every day. Send me your comments and let us know the ways you use SSH with Linux. If you have other tools you would like to see covered in a similar post, send in your suggestions.
