<p>Uses of SSH, by Richard Maw, 2015-02-18 (<a href="http://yakking.branchable.com/posts/uses-of-ssh/">yakking</a>; tagged scp)</p>
<p><a href="http://www.openssh.com/">OpenSSH</a> is a handy tool for logging into other machines to run
a remote shell, but it's handy for other things too, giving the same
authentication mechanism and encryption.</p>
<h1>Passwordless logins</h1>
<p>Instead of requiring the entry of a password every time you want to log
in, you can use a local password manager, or key based authentication.</p>
<p>I prefer key based authentication. Keys can be generated by running
<code>ssh-keygen</code>, then future ssh connections can be made password-less
by running <code>ssh-copy-id USER@HOST</code>.</p>
<h1>File transfer</h1>
<p>The <a href="http://man7.org/linux/man-pages/man1/scp.1.html">scp</a> command can be used to securely copy files between two
machines, or even the same machine if it's a shared computing resource,
and sensitive data needs to be transferred between users.</p>
<p>For a less ad-hoc file server, OpenSSH includes an <a href="http://man7.org/linux/man-pages/man8/sftp-server.8.html">sftp-server</a>,
though you generally don't invoke it directly, but via <a href="http://man7.org/linux/man-pages/man5/sshd_config.5.html">sshd_config</a>.</p>
<p>It's very flexible: you can turn the SSH service into an SFTP-only server
by adding the following to <code>/etc/ssh/sshd_config</code>:</p>
<pre><code>ForceCommand internal-sftp
</code></pre>
<p>You can then view files in your home directory with the <a href="http://man7.org/linux/man-pages/man1/sftp.1.html">sftp</a> client,
or mount it with <a href="http://fuse.sourceforge.net/sshfs.html">sshfs</a>.</p>
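A bare <code>ForceCommand internal-sftp</code> at the top level applies to every login, administrators included. The following is an added example, not part of the original post: a shell function that writes an sshd drop-in restricting only the members of one Unix group to SFTP, chrooted and with forwarding disabled. The group name and the <code>/srv/sftp</code> and <code>sshd_config.d</code> paths are assumptions; adjust them to the system at hand.

```shell
#!/bin/sh
# Added example (not from the original post): write an sshd_config drop-in
# that forces SFTP for members of one group and chroots them, leaving normal
# shell logins for everyone else. Group name and paths are assumed values.
set -eu

# write_sftp_only_config OUTFILE GROUP
# OUTFILE is typically /etc/ssh/sshd_config.d/50-sftponly.conf (assumed path);
# the Match block only takes effect once sshd is reloaded.
write_sftp_only_config() {
    outfile="$1"
    group="$2"
    cat > "$outfile" <<EOF
# SFTP-only users: no shell, no forwarding, chrooted to /srv/sftp/<user>.
# sshd requires the chroot directory and every parent to be owned by root
# and not writable by group or others, so give each user a writable
# subdirectory (for example /srv/sftp/<user>/upload) inside it.
Match Group $group
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
EOF
}

# check_sshd_config: ask sshd to parse its full configuration without
# starting. Run this as root before reloading; a syntax error in a drop-in
# would otherwise stop sshd from starting at all. Not run automatically here.
check_sshd_config() {
    sshd -t -f /etc/ssh/sshd_config
}

# Usage: write to a temporary file first so the result can be inspected.
tmp=$(mktemp)
write_sftp_only_config "$tmp" sftponly
cat "$tmp"
```

Install the generated file, run <code>check_sshd_config</code> as root, then reload sshd; keep an existing session open while testing so a mistake cannot lock you out.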
<h1>Git server</h1>
<p>Git supports the ssh protocol. If you have a machine you can ssh to,
you can run <code>git init --bare reponame.git</code> to create a repository,
then clone it with <code>git clone ssh://USER@HOST/path/to/reponame.git</code>.</p>
<p>However for a shared git server this is cumbersome, as it requires every
git user to have an associated login account.</p>
<p>Instead, git servers like <a href="http://gitolite.com/">gitolite</a> and <a href="https://www.gitano.org.uk/">gitano</a> use one "git"
user, and handle authentication by assigning ssh keys to users.</p>
<h1>Port forwarding</h1>
<p>The <code>-L</code> option to ssh can be used to layer encryption and authentication
on top of an existing protocol that supports neither.</p>
<p>Supposing HOST has a service that isn't secure, it can instead bind to
a local-only port, using the host address 127.0.0.1, and a port such
as 1234.</p>
<p>This port could be made available to your local machine on port 4321 by
running <code>ssh -L 127.0.0.1:4321:127.0.0.1:1234 USER@HOST</code>.</p>
<p>This service can then be connected to by connecting to the address
127.0.0.1:4321 locally. (The <code>-R</code> option does the reverse: it makes a
port on your local machine reachable from HOST.)</p>
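The forwarding specification is easy to get backwards, so here is an added example (not code from the original post) that composes the tunnel command with the direction named explicitly, pins both ends to 127.0.0.1 so the tunnel entrance is never exposed to other machines, and validates the port numbers. The function names and <code>USER@HOST</code> are illustrative.

```shell
#!/bin/sh
# Added example (not from the original post): build the ssh option for the
# tunnel described above. -L makes a port on HOST reachable locally;
# -R makes a local port reachable on HOST. Function names are assumptions.
set -eu

# valid_port N: true if N is an integer in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    if [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; then
        return 0
    fi
    return 1
}

# forward_spec DIRECTION LISTEN_PORT TARGET_PORT
#   local:  listen on 127.0.0.1:LISTEN_PORT here, deliver to 127.0.0.1:TARGET_PORT on HOST
#   remote: listen on 127.0.0.1:LISTEN_PORT on HOST, deliver to 127.0.0.1:TARGET_PORT here
# Prints e.g. "-L 127.0.0.1:4321:127.0.0.1:1234".
forward_spec() {
    direction="$1"; listen="$2"; target="$3"
    valid_port "$listen" || { echo "bad listen port: $listen" >&2; return 1; }
    valid_port "$target" || { echo "bad target port: $target" >&2; return 1; }
    case "$direction" in
        local)  flag=-L ;;
        remote) flag=-R ;;
        *) echo "direction must be local or remote" >&2; return 1 ;;
    esac
    printf '%s 127.0.0.1:%s:127.0.0.1:%s\n' "$flag" "$listen" "$target"
}

# tunnel_cmd DIRECTION LISTEN_PORT TARGET_PORT USER@HOST
# -N: no remote shell, the session exists only to carry the tunnel.
# ExitOnForwardFailure=yes: exit with an error if the listening port cannot
# be bound, instead of silently leaving a session with no tunnel behind it.
tunnel_cmd() {
    spec=$(forward_spec "$1" "$2" "$3") || return 1
    printf 'ssh -N -o ExitOnForwardFailure=yes %s %s\n' "$spec" "$4"
}

# The scenario above: HOST's service on 127.0.0.1:1234, reachable here on 4321.
tunnel_cmd local 4321 1234 USER@HOST
```

Because the listening side is bound to 127.0.0.1, other machines on your network cannot reach the tunnel; binding to 0.0.0.0 instead would republish the insecure service on your side.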
<h1>Advanced</h1>
<h2>sslh</h2>
<p>Corporate firewalls often block all ports not related to web browsing,
which limits outbound traffic to plain HTTP on port 80 and HTTPS on 443.</p>
<p>One way around this is to use <a href="http://www.rutschle.net/tech/sslh.shtml">sslh</a>, which lets you run both HTTPS
and SSH on the same port. To make use of such services, add <code>-p 443</code>
to your ssh command-line.</p>
<p>If you regularly make use of such connections, it may be worthwhile to
add something like the following to your <code>~/.ssh/config</code> file.</p>
<pre><code>Host HOST
Port 443
</code></pre>
<h2>Using different keys for different machines</h2>
<p>I mentioned earlier that it is possible to do passwordless logins by
creating ssh keys.</p>
<p>By default this results in using your one key for authentication to every
host. You can generate extra keys by running <code>ssh-keygen -f KEYFILE</code>, and
use them instead of the default key by running ssh with <code>ssh -i KEYFILE</code>.</p>
<p>You can specify in your ssh config file to use a different key per host
with something like:</p>
<pre><code>Host HOST
IdentityFile KEYFILE
</code></pre>
<p>You might want to do this to avoid a given key being linked to one
person across services, by using a different key per service, and to limit
the damage should an attack that recovers private keys become practical in
future, as only the service that key was used for is compromised.</p>
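Two details matter for the per-service separation to hold: ssh takes the first value it finds for each option, so a host-specific block must come before any <code>Host *</code> defaults, and without <code>IdentitiesOnly yes</code> ssh will still offer every key loaded in ssh-agent, which links your identities again. The following is an added example, not code from the original post, that generates a service key and inserts such a block at the top of a config file; the host alias, hostname and paths are constructed values.

```shell
#!/bin/sh
# Added example (not from the original post): one key per service, with the
# config block written so that ssh will actually use only that key.
# Aliases, hostnames and file paths below are assumptions.
set -eu

# make_service_key KEYFILE COMMENT
# ed25519 keys are small and fast. The comment is stored in the public key
# and shown to whoever you give it to, so keep it free of anything that
# would link the key to your other identities.
make_service_key() {
    keyfile="$1"; comment="$2"
    if command -v ssh-keygen >/dev/null 2>&1; then
        ssh-keygen -q -t ed25519 -N '' -C "$comment" -f "$keyfile"
    else
        echo "ssh-keygen not available; skipping key generation" >&2
    fi
}

# add_host_block CONFIG ALIAS HOSTNAME USER KEYFILE
# Prepends the block: ssh uses the first matching value for each option,
# so host-specific settings must precede any Host * defaults.
# IdentitiesOnly yes stops ssh from also offering other keys from ssh-agent.
add_host_block() {
    config="$1"; hostalias="$2"; hostname="$3"; user="$4"; keyfile="$5"
    tmp=$(mktemp)
    {
        printf 'Host %s\n' "$hostalias"
        printf '    HostName %s\n' "$hostname"
        printf '    User %s\n' "$user"
        printf '    IdentityFile %s\n' "$keyfile"
        printf '    IdentitiesOnly yes\n\n'
        if [ -f "$config" ]; then
            cat "$config"
        fi
    } > "$tmp"
    mv "$tmp" "$config"
    chmod 600 "$config"
}

# resolved_identity CONFIG ALIAS
# Minimal first-match lookup mirroring ssh's rule, for checking the file.
resolved_identity() {
    config="$1"; hostalias="$2"
    awk -v a="$hostalias" '
        $1 == "Host" { cur = $2 }
        $1 == "IdentityFile" && cur == a { print $2; exit }
    ' "$config"
}

# Usage with constructed values in a temporary directory.
dir=$(mktemp -d)
make_service_key "$dir/id_gitserver" "git-only-key"
add_host_block "$dir/config" gitserver git.example.invalid git "$dir/id_gitserver"
resolved_identity "$dir/config" gitserver
```

On a real config, <code>ssh -G ALIAS</code> prints the options ssh would actually apply (including <code>identityfile</code> and <code>identitiesonly</code>) without connecting, which is the authoritative way to confirm which key a given alias will offer.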
<h2>Making local resources available remotely</h2>
<p>I'm often annoyed that my local configuration is not available on remote
machines, so I wrote a script called <a href="http://richard.maw.name/blog/posts/2015-02-10-homely-ssh/">homely-ssh</a>, which makes the
home directory of my local machine available on the remote machine.</p>
<p>I would not recommend its use on shared machines, as it allows other
users to access your local machine.</p>