Out of all of the utilities available to systems administrators, ssh is probably the most useful of them all. Not only does it allow you to log into systems securely, but it can also be used to copy files, tunnel IP traffic and run remote commands on distant servers. It's truly the Swiss army knife of systems administration. Secure Shell, also known as ssh, was developed in 1995 by Tatu Ylönen after the University of Technology in Finland suffered a password sniffing attack. Back then it was common to use tools like rcp, rsh, ftp and telnet to connect to systems and move files across the network. The main problem with these tools is that they provide no security and transmit data, including sensitive login credentials, in plain text. SSH provides this security by encrypting all traffic sent over the wire, which protects against password sniffing attacks.
One of the more common use cases involving SSH is found when using scp. Secure Copy (scp) transmits data between hosts over SSH and allows you to easily copy all types of files. The syntax for the scp command is:

scp /pathlocal/filenamelocal remoteuser@remotehost:/pathremote/filenameremote
In the following simple example, I move a file named myfile from the system test1 to the system test2. I am prompted to provide valid user credentials for the remote host before the transfer will proceed. If I were only using ftp, this information would be unencrypted as it went across the wire. However, because scp uses SSH, my user credentials and the file and its contents are confidential and remain secure throughout the transfer.

[user1@test1 ~]# scp /home/user1/myfile user1@test2:/home/user1
user1@test2's password:
myfile                                        100%    0     0.0KB/s   00:00
You can also use ssh to carry network traffic and utilize the encryption built into ssh to protect that traffic over the wire. This is known as an ssh tunnel. In order to utilize this feature, the server that you intend to connect to (the remote system) must have TCP forwarding enabled within the sshd configuration. To enable TCP forwarding on the remote system, make sure AllowTcpForwarding is set to yes in the /etc/ssh/sshd_config file:

AllowTcpForwarding yes
Once you have this configured, you can connect to the server and set up a local port to which you direct the traffic that should go over the secure tunnel. The following command will set up a tunnel on port 8989 on your local system. You can then configure a web browser to use this local port as its SOCKS proxy, allowing the traffic to go through the encrypted tunnel to the remote system. It is important to select a local port that is not being used by a service and is not restricted by firewall rules. In the following example the -D specifies local dynamic application-level port forwarding (a SOCKS proxy listening on the given port) and the -N specifies not to execute a remote command.

ssh -D 8989 [email protected] -N
You can also forward specific ports between the local and remote host. The following example sets up a local port forward on port 8080 and sends connections to it, through the SSH server, to port 80 on farwebserver.com.

ssh -L 8080:farwebserver.com:80 [email protected]
You can even run remote commands via ssh, which is quite useful for scripting or remote system administration tasks. The following example shows how to log in remotely and execute the command ls -la in the home directory of the remote machine. Because ssh encrypts the traffic, the login credentials and the output of the command are completely protected while they travel over the wire.

[rchase@test1 ~]$ ssh rchase@test2 'ls -la'
rchase@test2's password:
total 24
drwx------  2 rchase rchase 4096 Sep  6 15:17 .
drwxr-xr-x. 3 root   root   4096 Sep  6 15:16 ..
-rw-------  1 rchase rchase   12 Sep  6 15:17 .bash_history
-rw-r--r--  1 rchase rchase   18 Dec 20  2012 .bash_logout
-rw-r--r--  1 rchase rchase  176 Dec 20  2012 .bash_profile
-rw-r--r--  1 rchase rchase  124 Dec 20  2012 .bashrc
You can execute any command contained in the quotation marks as long as the user account you log in with has permission to run it. This can be very powerful and useful for collecting information for reports, remotely controlling systems and performing systems administration tasks using shell scripts.
To make your shell scripts even more useful and to automate logins, you can use ssh keys to run commands remotely and securely without the need to enter a password. You can accomplish this with key based authentication. The first step in setting up key based authentication is to generate a key pair on the system that you wish to log in from. In the following example you are generating an ssh key on a test system. In case you are wondering, this key was generated on a test VM that was destroyed after this article.
[rchase@test1 .ssh]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/rchase/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/rchase/.ssh/id_rsa.
Your public key has been saved in /home/rchase/.ssh/id_rsa.pub.
The key fingerprint is:
7a:8e:86:ef:59:70:ef:43:b7:ee:33:03:6e:6f:69:e8 rchase@test1
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
| . .             |
| o .             |
| . o o           |
| o o oS+         |
| + o.= =         |
| o ..o.+ =       |
| . .+. =         |
| ...Eo           |
+-----------------+
Now that you have the key generated on the local system, you should copy it to the target server into a temporary location. The user's home directory is fine for this.

[rchase@test1 .ssh]$ scp id_rsa.pub rchase@test2:/home/rchase
rchase@test2's password:
id_rsa.pub
Now that the file has been copied to the server, you need to append it to the authorized_keys file. It should be appended to the end of the file in case there are other authorized keys on the system.

[rchase@test2 ~]$ cat id_rsa.pub >> .ssh/authorized_keys
Once the process is complete you are ready to log in. Since you are using key based authentication you are not prompted for a password when logging into the system.

[rchase@test1 ~]$ ssh test2
Last login: Fri Sep 6 17:42:02 2013 from test1

This makes it much easier to run remote commands. Here's an example of the remote command from earlier. With no password it's almost as if the command ran locally.

[rchase@test1 ~]$ ssh test2 'ls -la'
total 32
drwx------  3 rchase rchase 4096 Sep  6 17:40 .
drwxr-xr-x. 3 root   root   4096 Sep  6 15:16 ..
-rw-------  1 rchase rchase   12 Sep  6 15:17 .bash_history
-rw-r--r--  1 rchase rchase   18 Dec 20  2012 .bash_logout
-rw-r--r--  1 rchase rchase  176 Dec 20  2012 .bash_profile
-rw-r--r--  1 rchase rchase  124 Dec 20  2012 .bashrc
As a security consideration, it's important to note the permissions of .ssh and the authorized_keys file. .ssh should be 700 and authorized_keys should be set to 600. This prevents unauthorized access to ssh keys from other users on the system.
An even easier way to move keys back and forth is to use ssh-copy-id. Instead of copying the file and appending it manually to the authorized_keys file, ssh-copy-id does both steps at once for you. Here's an example of moving the same key using ssh-copy-id. The -i in the example lets us specify the path to the identity file, which in this case is /home/rchase/.ssh/id_rsa.pub.

[rchase@test1]$ ssh-copy-id -i /home/rchase/.ssh/id_rsa.pub rchase@test2
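The following is an added example, not code from the article: it scripts the server-side half of the manual copy/append and ssh-copy-id steps, and checks the 700/600 permissions called out in the previous section. It assumes it runs as the target account (or against a test directory) with a public-key line obtained out of band; install_pubkey appends a key only if its type and key material are not already present, so re-running it cannot stack duplicates the way a plain cat >> would.

```shell
#!/bin/sh
# Added example (not the article's code): install a public key into an
# account's authorized_keys the way ssh-copy-id does, but idempotently,
# and check the 700/600 permissions the article calls out.

# install_pubkey HOME KEYLINE
#   returns 0 if appended, 1 if the key was already present, 2 if malformed
install_pubkey() {
    home="$1"; keyline="$2"
    sshdir="$home/.ssh"; authkeys="$sshdir/authorized_keys"

    # Accept only "<type> <base64> [comment]" for the common key types.
    case "$keyline" in
        ssh-rsa\ [A-Za-z0-9+/]*|ssh-ed25519\ [A-Za-z0-9+/]*|ecdsa-sha2-*\ [A-Za-z0-9+/]*) ;;
        *) echo "refusing malformed key line" >&2; return 2 ;;
    esac

    # Create ~/.ssh and authorized_keys with restrictive modes up front.
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 2
    touch "$authkeys" && chmod 600 "$authkeys" || return 2

    # Match on type + key material only, so a different comment on the same
    # key does not produce a second entry (a plain `cat >>` would).
    keymat=$(printf '%s\n' "$keyline" | awk '{print $1 " " $2}')
    if awk -v k="$keymat" '($1 " " $2) == k {f=1} END {exit !f}' "$authkeys"; then
        return 1
    fi
    printf '%s\n' "$keyline" >> "$authkeys"
}

# audit_ssh_perms HOME
#   returns 0 if .ssh is 700 and authorized_keys plus any private keys are
#   600; prints each offending path. sshd (StrictModes, the default) ignores
#   an authorized_keys file that is writable by other users.
audit_ssh_perms() {
    home="$1"; rc=0
    for f in "$home/.ssh" "$home/.ssh/authorized_keys" "$home"/.ssh/id_*; do
        [ -e "$f" ] || continue
        case "$f" in *.pub) continue ;; esac      # public halves may be 644
        # GNU stat first, BSD/macOS stat as fallback
        mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
        if [ -d "$f" ]; then want=700; else want=600; fi
        [ "$mode" = "$want" ] || { echo "bad mode $mode on $f (want $want)"; rc=1; }
    done
    return "$rc"
}
```

Run audit_ssh_perms "$HOME" after any manual edit to ~/.ssh; a non-zero exit with the printed paths tells you exactly which mode to fix.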
One of the last tips that I will cover is the ssh config file. By using the ssh config file you can set up host aliases to make logins to hosts with odd ports or long hostnames much easier and simpler to remember. Here's an example entry in our .ssh/config file.

Host dev1
    Hostname somereallylonghostname.somereallylongdomain.com
    Port 28372
    User somereallylongusername12345678
Let's compare the login process between the two. Which would you want to type and remember?

ssh somereallylongusername12345678@somereallylonghostname.somereallylongdomain.com -p 28372

ssh dev1
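As an added example, not from the article, here is a fuller entry for the same alias that ties the earlier tips together: it also selects the key generated above and carries the two forwards from the tunnel section, so one short command brings everything up. The hostname, user, port and key path are the article's placeholder values, and the forward targets are the ones used in the tunnel examples.

```sshconfig
# ~/.ssh/config (added example; values are the article's placeholders)
Host dev1
    HostName somereallylonghostname.somereallylongdomain.com
    Port 28372
    User somereallylongusername12345678
    # Offer only the key set up earlier, not every key the agent holds
    IdentityFile /home/rchase/.ssh/id_rsa
    IdentitiesOnly yes
    # Same forwards as the tunnel examples: SOCKS proxy on local 8989, and
    # local 8080 to farwebserver.com:80 as reached from the remote side
    DynamicForward 8989
    LocalForward 8080 farwebserver.com:80
    # Abort the login if a forward cannot be bound instead of silently
    # connecting without the tunnel
    ExitOnForwardFailure yes
```

With this entry, ssh -N dev1 replaces both tunnel commands shown earlier, and ssh dev1 'ls -la' runs the remote command over the same settings.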
I hope you find these tips useful. There are a number of tools used by system administrators to streamline processes and simplify workflows, and whether you are new to Linux or a longtime user, I'm sure you will agree that SSH offers useful features that can be used every day. Send me your comments and let us know the ways you use SSH with Linux. If you have other tools you would like to see covered in a similar post, send in your suggestions.