How to become an SSH master
Overview
What is SSH? Secure shell (SSH) allows users to securely connect to a remote computer by way of an encrypted tunnel. SSH is extremely powerful and allows one to manage hundreds if not thousands of machines with ease in a very secure way.
SSH also has a mechanism for password-less authentication through keys. Key-based authentication is far superior to standard passwords, and saves you time by not having to enter your password every time you login. Keys are comprised of two parts: a public key, and a private key. The public key is copied to any machine you want to securely connect to, and your private key acts as a key to a lock, where the lock is your public key. Your private key should not be shared or copied to any other machine, since this is your “key to the kingdom”.
This might look daunting, but I promise you that time was taken to ensure that little work will have to be done on your part. This process could be scripted, but it is better to do this manually so that you understand the process and how SSH is setup, in case there is a problem in the future.
Generate RSA SSH Keys
-
Create SSH configuration directory by running the following command:
mkdir -p ~/.ssh ; chmod 700 ~/.ssh ; cd ~/.ssh
-
Generate private and public SSH keys
ssh-keygen -o -a 100 -t ed25519 -C "<your-username>@<server>"
- Hit
enter
orreturn
to choose the default key-name and location.1 - Enter a passphrase for your key.2
- An ascii key image, which represents your unique RSA key.
- Both
id_ed25519
andid_ed25519.pub
files (private and public keys) should now exist in your~/.ssh
folder. Theid_ed25519.pub
can be copied to any machine you want to tunnel to (Instructions on how to do this below).3
Transfer Public Key to a remote host
-
Transfer key
ssh <your-username>@<remote-host> "mkdir -p .ssh; \ chmod 0700 .ssh" cat ~/.ssh/id_ed25519.pub | ssh \ <your-username>@<remote-host> \ "cat >> ~/.ssh/authorized_keys"
-
Test password-less
ssh
ssh <your-username>@<remote-host>
If you didn’t get a password prompt, you’re good to go!
Set up a custom SSH Configuration file
Before you race off and start logging into a bunch of systems, consider making an ~/.ssh/config
file to ease your use of ssh.
An SSH Configuration file can be an absolute life saver. It prevents you from having to pass a bunch of variables all the time, but can also serve some really neat purposes. For instance, if you wanted to tunnel traffic through another host, or even proxy all your web traffic to a ssh host; all of this can be done easily using your ~/.ssh/config
.
Here’s a quick example to get you started:
export USERNAME=spikebyte ; echo -e "ControlMaster auto\nControlPath ~/.ssh/tmp/%h_%p_%r\n\nInclude ~/.ssh/config.d/*\n\nHost *\n User $USERNAME\n\nForwardAgent yes" > ~/.ssh/config ; mkdir -p ~/.ssh/tmp/ ~/.ssh/config.d
The above command populates the ~/.ssh/config
file. This file allows a user to fully configure how to connect to hosts. This can be especially useful if you want to override a host.
It used to be common for people to create a huge ~/.ssh/config
file, but with the newer versions addition of the Include
function, this file allows you to put as many separate files as needed. This is especially useful when using host profiles for work and personal.
(OPTIONAL) Setup Port Forwarding
Let’s say that you need to access a port on a machine or server that is behind another server, and normally cannot be accessed due to the multi-hop SSH setup. This can be easily remedied by adding a few lines to your ~/.ssh/config
file. This can be done by specifying the port that is to be forwarded, say port 5900
as in the VNC example, and forwarding that port to your local machine’s port 5999
.
Connecting to machine via VNC
# Example using VNC forwarding ('vnc server')
Host LINUX_MACHINE
LocalForward 5999 LINUX_MACHINE:5900
- SSH into the host machine
- Connect to
localhost:5999
OR127.0.0.1:5999
using VNC clients such as: TightVNC, OSX Screen Sharing, RealVNC, etc.
Multiple Port Forwards (General case)
Please be sure to change all port numbers in the example below.
Basic idea:
LocalForward
: Your local machine’s port to use.REMOTE_MACHINE:REMOTE_MACHINE'S_PORT
: remote port.
# Multiple port forwards on one machine
Host MACHINE
ProxyCommand ssh -q -W %h:%p remote-host
LocalForward 10000 MACHINE:5000
LocalForward 11000 MACHINE:6000
- SSH into the host machine
- Connect via
localhost:PORT
OR127.0.0.1:PORT
using each specified ports.
(OPTIONAL) Use machine as PROXY
This uses SSH as a proxy through a remote host. Any machine within your network can be used. This mainly allows Firefox to browse the web as if it were located on our local network.
Enable Web Proxy through remote host
Make sure that after you are done to disable the proxy config you just setup to return to normal browsing.
- Open a terminal and run:
ssh -ND 9999 USERNAME@remote-host
- Open up Firefox and configure the following settings:
- Go to Preferences
- Select Advanced tab
- Select Network sub-tab
- Click Settings under “Configure how Firefox connects to the internet”
- Select “Manual proxy configuration:”
- Enter “localhost” under “SOCKS Host:” and “9999” under “Port:”
- Select SOCKS v5
- Enter “localhost, 127.0.0.1” for “No Proxy for:”
- Select OK
- Browse the web using tunnel1 as a proxy! That is it!
Enable Web Proxy through remote host
- Open up Firefox preferences
- Select Advanced tab
- Select Network sub-tab
- Click Settings under “Configure how Firefox connects to the internet”
- Select “Use system proxy settings”
- Select OK
- Close Preferences
- Kill ssh tunnel you ran in step 1 of “Enable Web Proxy through remote host”
References:
Footnotes:
-
If you already have a generated key, feel free to change the default key-name. To do this, enter a name such as ‘id_ed25519_my_key’, then hit enter. If you do choose to use a different key-name, you will have to change all the following commands to reflect this change. ↩
-
An SSH key passphrase is a secondary form of security that gives you a little time when your keys are stolen. If your ED25519 key has a strong passphrase, it might take your attacker a few hours to guess by brute force. That extra time should be enough to log in to any computers you have an account on, delete your old key from the .ssh/authorized_keys file, and add a new key. ↩
-
Do not share your private key with anyone! Your private key should remain on your computer, and never be transferred. It is easy enough to generate a new key, so there is no need to copy your private key. So, one might ask oneself, if I am only supposed to copy my public key to machines ↩