SSH Tricks


BASIC PROXY

It is sometimes convenient to access the internet securely as if from another location. The three most common situations are:

  1. You are connected to a public Wi-Fi network and must access a website as securely as possible, bypassing any man-in-the-middle attacks (e.g. online banking)
  2. You must get around a firewall to access an internal network (e.g. MPE's "for staff only" page)
  3. You want to bypass a paywall so as to access full journal articles

We will use the following example for the setup detailed below: you are sitting at home at your desktop computer, named "desktop", and want to surf the internet as if you were at a computer inside MPE. This can be done with the built-in SOCKS5 proxy feature of OpenSSH. That is: desktop (you are here) -> login server at MPE -> internet

  1. Create an SSH-based tunnel from port 8080 on desktop to login:
    $ ssh -C2TN <user>@<loginserver> -D 8080
    where the options used are:
    -C - enables data compression (for faster throughput)
    -2 - enables the SSHv2 protocol
    -T - disables tty allocation (i.e. no user terminal on the remote computer)
    -N - no remote commands (good for only port forwarding)
    <user> - the local user account on login
    <loginserver> - the server name for login

  2. Now you must inform your web browser about this SOCKS5 proxy. Use the following settings:
    proxy host: localhost or 127.0.0.1
    port: 8080
    type: socks5

Unless you have a fast internet connection, it is probably best to use a selective filter for the proxy, so that it is active only for certain websites. In Firefox, the "FoxyProxy" add-on works well for this. If you don't want to use an add-on, you can manually create your own "Proxy Automatic Configuration" (PAC) file; the same probably goes for most other browsers. See http://codeverge.com/mozilla.support.firefox/proxy-per-tab-or-proxy-per-site/1484092 for more info.

ref: https://calomel.org/firefox_ssh_proxy.html

ADVANCED USE - A SERIES OF TUNNELS

You can use the more generic port forwarding feature to tunnel through multiple computers, such as if you want to do something like: desktop (you are here) -> login server -> remote office -> internet

In this case, the internet is being accessed specifically by office, and login only serves to forward traffic between desktop and office.

  1. The port forwarding on login is activated via something like:
    $ ssh -C2 <user>@<loginserver> -L <port>:localhost:<port>
    where the options used are:
    -C - enables data compression (for faster throughput)
    -2 - enables the SSHv2 protocol
    -L <port>:localhost:<port> - forwards local port <port> on desktop to port <port> on login's localhost (where the SOCKS proxy from step 2 will listen)
    <user> - the local user account on login
    <loginserver> - the server name for login
    <port> - a port number of your choosing

  2. Then, from within this SSH session on login:
    $ ssh -AC2qTnN <user>@<officeserver> -D <port>
    where -A forwards your SSH agent connection (which may not be necessary)

If you need to tunnel through yet a third (or fourth, or fifth, or...) computer, then just keep repeating the "ssh -L..." command for each successive hop. The "ssh -D..." command is then used only for the final connection to the last server.

Note: I believe that you are tying up the chosen port for ANY AND ALL traffic through the intermediate servers! If this is true, odd things will happen if somebody else tries to use the same port. It's probably a wise idea to choose an uncommon, unprivileged (no root required) port number. See the following sites to see if your favorite number may be used for common services:

Alternatively, instead of steps 1 and 2 above, you can use a user configuration file at .ssh/config to set default options for individual hosts. For example, the following entry:

Host mpelogin
    HostName login.mpe.mpg.de
    Compression yes
    ForwardX11 yes
    User jclaas

sets default options for X forwarding, compression, and username.

If passwordless login is already enabled, then the command
$ ssh mpelogin
will automatically cover most of what you might want.

You can even use the user configuration for multiple tunnels. If you were to add the following (and also have the mpelogin entry above):

Host office
    HostName 130.183.132.69
    Compression no
    ForwardX11 yes
    User jake
    ProxyCommand ssh -q mpelogin nc -q0 %h 22

then "ssh office" will route your connection all the way through mpelogin to office.

A command like:
$ scp thisisfromyourlocaldesktop office:~
will copy your local file directly to the home folder on office.

ref: http://sshmenu.sourceforge.net/articles/transparent-mulithop.html
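
The following POSIX sh script is an added example and not code from the original page. It writes the two Host entries above to a private config file, adds the modern ProxyJump equivalent of the nc-based ProxyCommand (the page's form and the nc-free "ssh -W" form are left as comments), and resolves per-alias options the way OpenSSH does, first matching Host block wins, so you can see what "ssh office" will actually do before connecting. The config file path and the simplified Host matching (an exact alias or "*" only, no other patterns) are assumptions; on OpenSSH 6.8 and later, "ssh -G" is the authoritative resolver and is wrapped in effective().

```shell
#!/bin/sh
# Added example, not code from the original page. The Host entries are the
# page's own; the config file path and the simplified Host matching below
# (exact alias or "*" only, no other patterns) are assumptions.

# write_config PATH : a multi-hop client config, readable only by its owner
write_config() {
  cat > "$1" <<'EOF'
Host mpelogin
    HostName login.mpe.mpg.de
    Compression yes
    ForwardX11 yes
    User jclaas

Host office
    HostName 130.183.132.69
    Compression no
    ForwardX11 yes
    User jake
    # The page's form, which needs netcat installed on mpelogin:
    #   ProxyCommand ssh -q mpelogin nc -q0 %h 22
    # Same hop without nc (OpenSSH 5.4+):
    #   ProxyCommand ssh -q -W %h:%p mpelogin
    # Shortest form (OpenSSH 7.3+). Either way the office host key is verified
    # by your own client, so mpelogin cannot silently intercept the inner session.
    ProxyJump mpelogin
EOF
  chmod 600 "$1"
}

# resolve_option CONFIG ALIAS KEYWORD -> the value OpenSSH would use:
# keywords are case-insensitive and the FIRST matching Host block wins.
resolve_option() {
  awk -v alias="$2" -v key="$(printf '%s' "$3" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }      # comments and blank lines
    tolower($1) == "host" {                             # start of a Host block
      inblock = 0
      for (i = 2; i <= NF; i++) if ($i == alias || $i == "*") inblock = 1
      next
    }
    inblock && !found && tolower($1) == key {
      sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "") # strip the keyword
      print; found = 1
    }' "$1"
}

# effective CONFIG ALIAS : what ssh itself resolves (OpenSSH 6.8+ has -G);
# nothing is connected, so this is safe to run against any alias.
effective() {
  ssh -G -F "$1" "$2" |
    awk 'tolower($1) ~ /^(hostname|user|compression|proxyjump|proxycommand)$/'
}

# Demo on a scratch file; no connection is made.
cfg=$(mktemp)
write_config "$cfg"
for h in mpelogin office; do
  pj=$(resolve_option "$cfg" "$h" ProxyJump)
  printf '%s -> %s@%s via %s\n' "$h" "$(resolve_option "$cfg" "$h" User)" \
    "$(resolve_option "$cfg" "$h" HostName)" "${pj:-direct connection}"
done
rm -f "$cfg"
```

The demo prints "mpelogin -> jclaas@login.mpe.mpg.de via direct connection" and "office -> jake@130.183.132.69 via mpelogin". Because the Host block for office is matched by alias, "scp file office:~" and "ssh office" pick up the same user, address and jump host; keeping the file mode 600 matters because ssh refuses to read a config that other users can write.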

ADVANCED USE - SPECIFIC PORT FORWARDING

Occasionally you only need access to a single port/service on a remote computer: an internal web page, say, or a specific application service.

The former example might look something like desktop (you are here) -> remote server -> http://localhost:631
where http://localhost:631 is the web GUI of the printer manager on the remote server.

This can be done with something like:
$ ssh -C2 <user>@<remoteserver> -L 7070:localhost:631
after which http://localhost:7070/ on desktop takes you to http://localhost:631/ as if you were directly on remote.

The latter example might look like desktop (you are here) -> remote server -> localhost:XXXX
where localhost:XXXX is a service (such as a music stream) running on the remote computer that isn't reachable from outside.

The generic form looks like
$ ssh -C2 <user>@<remoteserver> -L <localport>:localhost:<XXXX>
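
The commands in this section, in the BASIC PROXY section and in the series-of-tunnels section are one-shot ssh invocations. The following POSIX sh script is an added example, not code from the original page: it wraps the -D and -L forwards in small functions, keeps the tunnel on an OpenSSH control socket so it can be checked and closed cleanly, and implements the check suggested in the series-of-tunnels note (an unprivileged port that is neither registered in /etc/services nor already listening). The host aliases, the socket path and the port number 40999 are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original page. Host aliases and the
# socket path are assumptions; port numbers are placeholders.

# Control socket shared by all helpers. ssh expands %r (user), %h (host)
# and %p (port) itself, so there is one socket per destination.
SOCK="${SOCK:-$HOME/.ssh/tunnel-%r@%h-%p}"

# port_ok PORT -> 0 if PORT is a sensible choice for a local forward:
# numeric, unprivileged (1024..65535), not registered in /etc/services,
# and not already listening on this machine (checked with ss when present).
port_ok() {
  p="$1"
  case "$p" in
    ''|*[!0-9]*) echo "port_ok: '$p' is not a number" >&2; return 1 ;;
  esac
  if [ ${#p} -gt 5 ] || [ "$p" -lt 1024 ] || [ "$p" -gt 65535 ]; then
    echo "port_ok: $p is privileged or out of range" >&2; return 1
  fi
  if [ -r /etc/services ] && grep -Eq "[[:space:]]$p/(tcp|udp)" /etc/services; then
    echo "port_ok: $p is registered in /etc/services" >&2; return 1
  fi
  if command -v ss >/dev/null 2>&1 && ss -Hltn 2>/dev/null | grep -Eq "[:.]$p[[:space:]]"; then
    echo "port_ok: something already listens on $p" >&2; return 1
  fi
  return 0
}

# tunnel_up HOST FORWARD...   e.g.  tunnel_up mpelogin -D 40999
#                                   tunnel_up remote -L 7070:localhost:631
tunnel_up() {
  host="$1"; shift
  # -f: background once authenticated   -N: no remote command   -T: no tty
  # -C: compression (as on the page)    -M -S: control master on our socket
  # (the page's -2 is not needed: current OpenSSH only speaks protocol 2)
  ssh -f -N -T -C -M -S "$SOCK" "$@" "$host"
}

# tunnel_check HOST -> prints "Master running (pid=...)" while the tunnel is up
tunnel_check() { ssh -S "$SOCK" -O check "$1"; }

# tunnel_down HOST -> asks the master to exit, which closes every forward on it
tunnel_down() { ssh -S "$SOCK" -O exit "$1"; }

# Typical use (needs a reachable host, so it is not run here):
#   port_ok 40999 && tunnel_up mpelogin -D 40999     # SOCKS5 on localhost:40999
#   tunnel_check mpelogin
#   tunnel_down mpelogin
```

Note that port_ok rejects the page's 8080 on distributions whose /etc/services registers it as http-alt, which is exactly the sort of collision the note above warns about; the browser proxy settings simply point at whatever port you pass to -D instead.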

Many other uses can come from this handy OpenSSH trick!

SCP - SECURE FILE COPY

To send a file to a remote computer (e.g. to the remote home folder)
$ scp <localfile> <remoteuser>@<remoteserver>:~

If one must copy something from the remote computer, then do:
$ scp <remoteuser>@<remoteserver>:/this/is/a/remote/file/you/want/to/receive .

SSHFS

See:

PASSWORDLESS LOGINS

Not only is it annoying to type your password each time you log in, it is also quite insecure, as a man-in-the-middle (MITM) attack can rather easily obtain your password. Passwordless login uses a pair of authentication keys instead, so you stop typing your password, and you can also be confident that you are connecting to exactly the computer you previously authenticated with.

For the directions below, we are assuming you are sitting at the "local" computer as "localuser", and want to connect to "remote" as "remoteuser".

  1. Generate a pair of authentication keys as "localuser" on "local". Accept the default options (no passphrase, and create keys at /home/localuser/.ssh/id_rsa*):
    $ ssh-keygen -t rsa

  2. Copy/append your public key to /home/remoteuser/.ssh/authorized_keys. First make sure the .ssh directory on "remote" exists:
    $ ssh remoteuser@remote mkdir -p .ssh

  3. Then, from "local":
    $ cat .ssh/id_rsa.pub | ssh remoteuser@remote 'cat >> .ssh/authorized_keys'
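
The following POSIX sh script is an added example and not code from the original page. It performs the remote side of steps 2 and 3 as one idempotent function: it creates .ssh if needed, appends the public key only if it is not already present, and sets the permissions that sshd (with its default StrictModes yes) insists on, refusing keys in a ~/.ssh or authorized_keys that other users can write. The HOMEDIR argument is an assumption so the function can be exercised on a scratch directory, and the key line used in the demo is a constructed placeholder, not a real public key. OpenSSH's own ssh-copy-id automates the same steps from the local side.

```shell
#!/bin/sh
# Added example, not code from the original page: the remote side of steps
# 2 and 3 as one idempotent function with explicit permissions. HOMEDIR is
# an assumption (normally $HOME on the remote machine); the demo key line is
# a constructed placeholder, not a real public key.

# install_pubkey HOMEDIR "PUBKEY LINE" -> 0 once the key is authorized
install_pubkey() {
  home="$1"; key="$2"
  case "$key" in
    "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*" "*|"sk-"*" "*) ;;
    *) echo "install_pubkey: not an OpenSSH public key line" >&2; return 2 ;;
  esac
  old_umask=$(umask)
  umask 077                                  # anything we create is owner-only
  mkdir -p "$home/.ssh" || { umask "$old_umask"; return 1; }
  chmod 700 "$home/.ssh"
  ak="$home/.ssh/authorized_keys"
  touch "$ak" && chmod 600 "$ak"
  # -x: whole line, -F: literal string, so an identical key is never duplicated
  grep -qxF "$key" "$ak" || printf '%s\n' "$key" >> "$ak"
  umask "$old_umask"
}

# count_keys HOMEDIR -> number of authorized key lines (0 if none)
count_keys() {
  if [ -f "$1/.ssh/authorized_keys" ]; then
    grep -cE '^(ssh-|ecdsa-|sk-)' "$1/.ssh/authorized_keys" || true
  else
    echo 0
  fi
}

# Run on the remote machine as:  install_key.sh "$HOME" "<public key line>"
# With no arguments, a self-contained demo runs on a scratch directory.
if [ $# -eq 2 ]; then
  install_pubkey "$1" "$2"
else
  demo_home=$(mktemp -d)
  # constructed placeholder key, not a real one
  demo_key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERxxxxxxxxxxxxxxxxxxxxxxxxxxxx localuser@local'
  install_pubkey "$demo_home" "$demo_key"
  install_pubkey "$demo_home" "$demo_key"      # second run is a no-op
  echo "authorized keys after two installs: $(count_keys "$demo_home")"   # 1
  ls -ld "$demo_home/.ssh" "$demo_home/.ssh/authorized_keys"
  rm -rf "$demo_home"
fi
```

The page's one-liner in step 3 does the append without the permission fixes; if the remote ~/.ssh was created earlier with a permissive umask, sshd silently ignores authorized_keys and you keep being asked for a password, which is the first thing to check when key login "doesn't work".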

ref: http://www.linuxproblem.org/art_9.html

WHEN AN SSH SESSION BECOMES UNRESPONSIVE

Press <ENTER>, then type ~. (tilde, period): this is the OpenSSH escape sequence that terminates the connection.

OPTIONS FOR PERSISTENT SESSIONS

x11vnc + SSH:

GNU Screen (text-based terminals only):

"screen for X" via xpra: