SSH Tricks

172 points by fideloper, almost 11 years ago

17 comments

aaronharnly, almost 11 years ago
At the urging of the tech lead at the time, my team has pursued the ultimate ssh trick: not using it.

i.e. we intentionally do not enable (human) ssh access to the production hosts. In an autoscaling AWS world, logging into an individual machine by hand is the last thing you want to be doing. So we are learning the (sometimes difficult!) lessons of how to rely only on what our logging, tracing, monitoring, and deployment automation (including snapshotting) can afford us. I suspect sooner or later we will break down and swap in a login-enabled image to diagnose some sticky problem, but -- as much as I resented the idea when he presented it -- it's an interesting discipline.

Anyone else living by that principle?

sciurus, almost 11 years ago
I'd be inclined to call this "basic usage of ssh", rather than "ssh tricks". For some more interesting tips see http://www.jedi.be/blog/2010/08/27/ssh-tricks-the-usual-and-beyond/

kyrra, almost 11 years ago
The ~/.ssh/config file was something I discovered when my company was going through some changes and I had 2 different usernames for accessing internal systems.

    Host hosta hostb hostc
        User usera
    Host *
        User userb

Since my local system username was different than many of the remote systems I could wildcard to a different default username then had a list of servers that would use my other username.

The bad thing is, as the blog post shows, "Host" above is really just an alias. So if I have an entry like:

    Host hosta.mycompany.com
        User usera

and then try to do "ssh hosta", even if hosta resolves to hosta.mycompany.com, it won't match the config entry, as config entry data is all used prior to DNS lookup.

EDIT: thanks for all the suggestions below.

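As an added illustration of the matching rule kyrra describes (not code from the thread or from OpenSSH), this simplified Python model of ssh_config resolution matches `Host` patterns against the name exactly as typed and keeps the first value obtained for each option. The configs are constructed samples; `Match` blocks, quoting and `Keyword=value` syntax are not modelled.

```python
import re

# Constructed configs modelled on the snippets in the comment above.
AS_POSTED = """\
Host hosta.mycompany.com
    User usera
Host *
    User userb
"""
# Listing the short alias next to the FQDN makes both spellings match.
BOTH_NAMES = AS_POSTED.replace("Host hosta.mycompany.com",
                               "Host hosta hosta.mycompany.com")

def _regex(pattern):
    # ssh_config patterns have two wildcards: '*' (any run) and '?' (one char).
    parts = (".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile("".join(parts) + r"\Z")

def parse(text):
    """Return [(patterns, options)] per Host block, in file order."""
    blocks = [(["*"], {})]  # options before the first Host line apply to every host
    for raw in text.splitlines():
        fields = raw.split(None, 1)
        if not fields or fields[0].startswith("#"):
            continue
        keyword = fields[0].lower()
        value = fields[1].strip() if len(fields) > 1 else ""
        if keyword == "host":
            blocks.append((value.split(), {}))
        else:
            blocks[-1][1].setdefault(keyword, value)
    return blocks

def block_matches(patterns, name):
    """True if a positive pattern matches and no '!'-negated pattern does."""
    hit = False
    for pattern in patterns:
        if pattern.startswith("!"):
            if _regex(pattern[1:]).match(name):
                return False
        elif _regex(pattern).match(name):
            hit = True
    return hit

def resolve(text, name):
    """Options for `name` exactly as typed; no DNS lookup is involved."""
    chosen = {}
    for patterns, options in parse(text):
        if block_matches(patterns, name):
            for key, value in options.items():
                chosen.setdefault(key, value)  # first obtained value wins
    return chosen
```
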
bfwi, almost 11 years ago
Any list of 'SSH tricks' should contain: 'ssh -D 2001 user@host.com'. This creates a SOCKS proxy on localhost:2001 that goes through host.com. For example, I use a digital ocean instance hosted in the US to tunnel through, so that I can watch hulu (I'm from Europe).

Argorak, almost 11 years ago
The list misses one of the best. Connect through a jump host directly to the target server using ProxyCommand and nc:

http://undeadly.org/cgi?action=article&sid=20070925181947

Combines well with aliases - prefix all hosts with a common name and use "Host prefix-*" to set up the ProxyCommand.

peterwwillis, almost 11 years ago
Does anyone read man pages anymore? This is all well documented in the ssh, sshd, and ssh_config man pages...

geerlingguy, almost 11 years ago
I liked the mention of Ansible (which thankfully abstracts away the need to log into a server via SSH altogether), but the author left out the fact that you can easily use *any* ansible module (250+ right now, more added all the time[1]) to manage your servers ad-hoc.

Or use the same syntax to build a playbook that you can run to manage infrastructure with the `ansible-playbook` command. Since Ansible uses SSH as its transport (in most cases—you can do it other ways), if you can connect to a server via SSH (and who can't?), you can have it completely managed/version-controlled pretty simply.

[1] http://docs.ansible.com/list_of_all_modules.html

lucb1e, almost 11 years ago
One interesting bit is that ssh aliases also work for scp. For example I have ssh keys set up on a VPS and to copy a file I can type

    scp vps:~/www/back<tab>

and it'll autocomplete to

    scp vps:/home/vhosting/c/vhost12345/www/backup-2014-07-02.tar.gz

Or if there are multiple matches for file or directory names, it'll list them like bash normally would. This seamless integration is so awesome, I can highly recommend ssh keys (and cygwin for Windows users).

baldfat, almost 11 years ago
Dynamic port forwarding with ssh is a life saver!

Not on this web page???

-D #### (Whatever port not being used) and then I just use a proxy extension on my web client and instant privacy.

cmsj, almost 11 years ago
See also my post from a couple of years ago: http://www.tenshu.net/2012/02/sysadmin-talks-openssh-tips-and-tricks.html

JoshTheGeek, almost 11 years ago
There's been a bunch of articles about ssh that all say more or less the same things recently.

welder, almost 11 years ago
Also check out proxychains for tunneling through multiple ssh servers, for example to ssh into an intranet machine via the internet:

https://github.com/haad/proxychains

cmsj, almost 11 years ago
The chmod commands listed can be chained into a single one:

    chmod u=rw,go-rwx /path/to/lol

therealidiot, almost 11 years ago
Nobody ever seems to show off the '-w' flag for OpenSSH in these articles.

It creates a virtual network interface and allows for "real" tunneling, which is pretty cool.

citrik, almost 11 years ago
If the author is reading this... You have a typo on your example config file, your line for aws says "How aws" instead of "Host aws".

robmccoll, almost 11 years ago
sshuttle (https://github.com/apenwarr/sshuttle) is one of my favorite SSH tricks. It behaves like a VPN more than other ssh-based proxies that I've used.

dsirijus, almost 11 years ago
*Sometimes, if we have a lot of SSH keys in our ~/.ssh directory*

No, that's not how it's supposed to work. Ideally, one key per machine per user.