Sunday, 9 September 2012

Four tips for better SSHing

If you use any large Linux-based computer network, you either are, will be or should be familiar with using Secure Shell (SSH) to connect to networked machines from inside or outside the network. I've been doing so for years, but I only recently discovered this post explaining a range of useful tricks for SSH. I invite you to read the linked post but I've reproduced below the tricks I found handy. Note that these tips are all written with the Linux terminal in mind. Mac users should be okay but I'm not sure about Windows.

Security without passwords

If you find yourself cursing the need to enter your password each time you connect to a machine, you can set up a secure RSA key for a particular connection. You'll be prompted for a passphrase once per boot but that's it. First, open a terminal and type


You'll be prompted for a filename and passphrase. You then need to copy the public key to the server, which is most easily accomplished by executing


at the command line. If this doesn't work or you can't get ssh-copy-id, you can read the full instructions in the link I provided above. Also, if you use ssh-keygen to generate different private keys for different servers, then you should execute

ssh-copy-id -i identity_file

Use of the same private key on different systems means that if your private key is compromised, your identity can be faked on any relevant server. It's up to you whether you think this is worth risking.

Hostname aliases

Tired of always having to type out ssh user@gateway.group.department.? Fortunately, this is easily fixed by creating aliases for hosts. Open ~/.ssh/config in your favourite text editor and add the segment

Host YourAlias

You can now log in simply with ssh YourAlias. If the remote username differs from your local one, you'll also need

  User remote_username

in the segment above. For really pro use, you can use wildcards to group similar aliases. The examples in the link are

Host dev intranet backup

Host www* mail

Automatic gateway skip

Networks are often set up so that remote access is through a gateway machine. That is, you log into something like gateway.dept. and thence connect to useful_computer. You can modify your SSH aliases so that this is done automatically. The alias should point to your destination host and have an extra line (called ProxyCommand) that gives the intermediate server. For example,

Host work1
  ProxyCommand ssh -W %h:%p
  User username

The %h:%p part is literal: ssh substitutes the destination hostname and port for these tokens, so they must appear exactly as written in the alias. If your remote username is the same as your local one, you don't need to specify it in ProxyCommand. You also don't need the User line.
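The following script is an added example, not code from the original post or the post it links to. It ties the key-based login and alias sections together: it writes a complete ~/.ssh/config into a scratch directory (so nothing in your real ~/.ssh is touched) with one key per host, a gateway hop expressed with ProxyCommand ssh -W %h:%p, and a wildcard group, then runs two checks a cautious admin would want before trusting the file: that the directory and every file in it have permissions OpenSSH will accept, and that every block naming an IdentityFile also sets IdentitiesOnly so the agent cannot offer your other servers' keys to this one. All hostnames, usernames and key file names are placeholders invented for the example.

```shell
#!/bin/sh
# Added example (not from the original post). Builds a per-host SSH client
# config in a scratch directory and checks it. Hostnames, usernames and key
# names are placeholders.
set -eu

SSH_DIR="${SSH_DIR:-$(mktemp -d)}"   # scratch dir; real ~/.ssh is never touched

# Write a config with plain aliases, one IdentityFile per host, and a gateway
# hop done with "ProxyCommand ssh -W %h:%p <gateway alias>" as in the post.
write_ssh_config() {
  mkdir -p "$SSH_DIR"
  chmod 700 "$SSH_DIR"
  cat > "$SSH_DIR/config" <<'EOF'
# Gateway: the only host reachable from outside the network
Host gw
  HostName gateway.example.org
  User alice
  IdentityFile ~/.ssh/id_gateway
  IdentitiesOnly yes

# Internal host, reached automatically through the gateway. Because the
# ProxyCommand names the "gw" alias, the gateway's User and key come from
# the block above and need not be repeated here.
Host work1
  HostName useful_computer.internal.example.org
  User alice
  IdentityFile ~/.ssh/id_work1
  IdentitiesOnly yes
  ProxyCommand ssh -W %h:%p gw

# Wildcard group: every www* host and mail share these settings
Host www* mail
  User webadmin
  IdentityFile ~/.ssh/id_web
  IdentitiesOnly yes
EOF
  chmod 600 "$SSH_DIR/config"
  # Empty stand-ins for the private keys so the permission check has files to inspect
  for k in id_gateway id_work1 id_web; do
    : > "$SSH_DIR/$k"
    chmod 600 "$SSH_DIR/$k"
  done
}

# Print the HostName that an alias resolves to (first matching Host block);
# prints nothing if the block sets no HostName.
resolve_hostname() {
  awk -v alias="$1" '
    /^[Hh]ost[ \t]/ { inblock = 0; for (i = 2; i <= NF; i++) if ($i == alias) inblock = 1 }
    inblock && $1 == "HostName" { print $2; exit }
  ' "$SSH_DIR/config"
}

# Return 0 if the directory is 0700 and every file in it is 0600. OpenSSH refuses
# private keys readable by others, and the config itself lists internal hostnames.
check_perms() {
  [ "$(stat -c %a "$SSH_DIR")" = "700" ] || return 1
  for f in "$SSH_DIR"/*; do
    [ "$(stat -c %a "$f")" = "600" ] || return 1
  done
  return 0
}

# Return 0 if every Host block that names an IdentityFile also sets
# "IdentitiesOnly yes", so only that key is offered to that server.
check_identities_only() {
  awk '
    function flush() { if (id && !only) bad++ }
    /^[Hh]ost[ \t]/ { flush(); id = 0; only = 0 }
    $1 == "IdentityFile" { id = 1 }
    $1 == "IdentitiesOnly" && $2 == "yes" { only = 1 }
    END { flush(); exit (bad > 0) }
  ' "${1:-$SSH_DIR/config}"
}

write_ssh_config
resolve_hostname work1
check_perms && check_identities_only && echo "config OK in $SSH_DIR"
```

Setting SSH_DIR before running it lets you point the checks at a real directory once you have adopted the layout. Newer OpenSSH releases (7.3 and later) also accept `ProxyJump gw` as a shorter spelling of the ProxyCommand line shown here; the -W form still works and is what the post describes.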

Mount remote filesystems locally

This is a trick I've mentioned before but it's worth raising again now because it inherits behaviour from SSH. To mount a remote folder as if it were local, you can use the sshfs command. (You might need to install it.) First, create a suitable local mount point, e.g.

mkdir ~/remotefs

Then, mount the remote filesystem with

sshfs user@host:/absolute/location ~/remotefs

The useful thing to mention here is that sshfs knows about your aliases. So if you aliased gateway.dept. to uni, you can replace host with uni in the line above.

Have fun and spread the word about the power of SSH! If you have any more pro-tips, let me know in the comments.