ALF 2008: SSH & GPG (Part 1: OpenSSH)

Yesterday I gave a talk at Atlanta Linux Fest 2008 on SSH and GPG.  I quickly received requests to post notes from my talk, so I’m going to try to write it up here.  If I miss anything, I’ll try to keep it updated.

Slides are available here: SSH & GPG. They don’t show everything, as a lot of it was Demo and Q&A, documented below.

This is Part 1 of a two part series.  I got far more questions about the OpenSSH content, so I’ll be focusing on that here.  I’ll add GnuPG content shortly, time permitting.

SSH Basics

Connect to a remote server via ssh:

ssh USERNAME@HOSTNAME [Optional command to execute]

To generate a SSH keypair and transfer it to remote server for authentication:

ssh-keygen -t rsa && ssh-copy-id HOSTNAME

You can then send it to more HOSTNAMEs just by repeating the ssh-copy-id HOSTNAME step.

Setting up a Config File

By creating a file .ssh/config, you can permanently set certain options.  Each server is represented by a Host stanza, and the value of this is how you refer to the server.  For example:

Host router1
    HostName router1.example.com
    Port 2222
    User admin

Performing “ssh router1” with this config file is equivalent to “ssh admin@router1.example.com -p2222”, saving a lot of typing for those servers you connect to all the time!  In the advanced section below, I’ll demonstrate both the command-line option and the config file option.

Advanced SSH Features

The following sections demonstrate some of the more advanced ways SSH can help secure your communications and save you time.

TCP Connection Tunneling

If you want to create an encrypted tunnel out of your current network for a service, you can use the -L SSH option.  It takes -L localport:remotehost:remoteport.  You then connect your application to localhost:localport, and it acts like you’re connecting from your SSH server!  Great for getting around/behind firewalls.

ssh -L 25:mailserver:25 user@host
ssh -L 1080:socksserver:1080 user@host

In .ssh/config:

LocalForward localport remotehost:remoteport
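To make the contract of -L concrete, here is an added Python example (not OpenSSH, and not code from the post) of a plain TCP relay that presents what the client side of "ssh -L localport:remotehost:remoteport" presents: an application connects to localhost:localport and its bytes reach remotehost:remoteport. The relay itself provides no encryption and the outbound connection leaves from the local machine; with real ssh the relay rides inside the encrypted session and the outbound connection is made by the SSH server, which is what lets the tunnel cross a firewall. The echo server and the payload in demo() are constructed for the demonstration.

```python
import socket
import threading


def _pump(src, dst):
    """Copy bytes one way until src hits EOF, then half-close dst so the peer sees EOF."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def local_forward(localport, remotehost, remoteport):
    """Listen on 127.0.0.1:localport; relay each accepted connection to remotehost:remoteport.

    Returns (bound_port, stop). localport=0 picks a free port, which demo() relies on.
    """
    listener = socket.socket()
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", localport))  # loopback only, like ssh -L by default
    listener.listen()

    def serve():
        while True:
            try:
                client, _ = listener.accept()
            except OSError:  # listener closed by stop()
                return
            try:
                upstream = socket.create_connection((remotehost, remoteport))
            except OSError:
                client.close()  # remote side unreachable: drop this client only
                continue
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return listener.getsockname()[1], listener.close


def echo_server():
    """Constructed stand-in for the remote service: echoes everything it receives."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=_pump, args=(conn, conn), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], srv.close


def demo(payload=b"EHLO client.example\r\n"):
    """Send payload through the relay to the echo server and return what comes back."""
    remote_port, stop_remote = echo_server()
    local_port, stop_tunnel = local_forward(0, "127.0.0.1", remote_port)
    try:
        with socket.create_connection(("127.0.0.1", local_port)) as app:
            app.sendall(payload)
            app.shutdown(socket.SHUT_WR)  # tell the far end we are done sending
            received = b""
            while chunk := app.recv(4096):
                received += chunk
        return received
    finally:
        stop_tunnel()
        stop_remote()


if __name__ == "__main__":
    print(demo())
```

The two _pump threads per connection are the whole relay: one direction each, with a half-close (SHUT_WR) rather than a full close at EOF so that data still flowing the other way is not cut off.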

If you want, you can also have SSH act as a SOCKS server; all traffic between your client and the SSH server is then encrypted.  Set up your client application to connect to a SOCKS 4/5 proxy on localhost, port 8080, and then connect to an SSH server via:

ssh -D 8080 user@host

In .ssh/config:

DynamicForward 8080

Multiple SSH sessions in one connection

You can use a single TCP connection for multiple SSH sessions to the same server.  This reduces latency in starting the 2nd and further connections, and does not require additional authentications.  This is very useful when doing frequent operations over SSH.  It is only really practical when set in the .ssh/config file, like so:

ControlMaster auto
ControlPath ~/.ssh/master-%r@%h:%p
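The config file section earlier and the LocalForward, DynamicForward, ControlMaster and ControlPath directives above all go through the same resolution step when you type "ssh ALIAS". Here is an added Python example (not code from the post and not part of OpenSSH) of a small resolver for the ~/.ssh/config format that spells out the equivalent command line. SAMPLE_CONFIG, its host names and ports are constructed; the rules it models are OpenSSH's own: the first value found for an option wins, so host-specific stanzas belong before "Host *", repeatable forwarding directives accumulate, and %r, %h and %p in ControlPath expand to the remote user, host and port.

```python
import fnmatch
import re

# Constructed sample config (not a real file). The router1 stanza mirrors the
# one in the post; the other two exercise forwarding and multiplexing options.
SAMPLE_CONFIG = """\
Host router1
    HostName router1.example.com
    Port 2222
    User admin
    LocalForward 8025 mailserver:25

Host shell
    HostName = shell.example.com
    DynamicForward 8080

# Defaults go LAST: ssh keeps the first value it finds for each option, so a
# "Host *" stanza near the top would silently override the specific ones.
Host *
    User guest
    ControlMaster auto
    ControlPath ~/.ssh/master-%r@%h:%p
"""

# Directives that may appear several times and accumulate instead of replacing.
REPEATABLE = {"localforward", "remoteforward", "dynamicforward"}
CANONICAL = {"controlmaster": "ControlMaster", "controlpath": "ControlPath"}


def parse_config(text):
    """Split config text into an ordered list of (host_patterns, options)."""
    stanzas = []
    patterns, options = ["*"], {}  # options before any Host line apply everywhere
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # "Key value" or "Key=value"
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "host":
            if options:
                stanzas.append((patterns, options))
            patterns, options = value.split(), {}
        elif key in REPEATABLE:
            options.setdefault(key, []).append(value)
        else:
            options[key] = value
    if options:
        stanzas.append((patterns, options))
    return stanzas


def resolve(alias, stanzas):
    """Apply every stanza whose pattern matches the alias, in file order.

    Mirrors ssh's rule that the first value obtained for an option wins.
    Patterns use * and ? like ssh; negated patterns (!host) are not modelled.
    """
    resolved = {}
    for patterns, options in stanzas:
        if not any(fnmatch.fnmatchcase(alias, p) for p in patterns):
            continue
        for key, value in options.items():
            if key in REPEATABLE:
                resolved.setdefault(key, []).extend(value)
            else:
                resolved.setdefault(key, value)
    resolved.setdefault("hostname", alias)  # HostName defaults to the name typed
    resolved.setdefault("port", "22")
    return resolved


def expand_tokens(template, resolved):
    """Expand %r (remote user), %h (remote host), %p (port) and %% as ssh does."""
    table = {"%r": resolved.get("user", ""), "%h": resolved["hostname"],
             "%p": resolved["port"], "%%": "%"}
    return re.sub(r"%[rhp%]", lambda m: table[m.group(0)], template)


def equivalent_command(alias, stanzas):
    """Spell out the command line that `ssh ALIAS` amounts to under this config."""
    r = resolve(alias, stanzas)
    argv = ["ssh"]
    if r["port"] != "22":
        argv += ["-p", r["port"]]
    for spec in r.get("localforward", []):
        local, remote = spec.split()  # "8025 mailserver:25" -> -L 8025:mailserver:25
        argv += ["-L", f"{local}:{remote}"]
    for port in r.get("dynamicforward", []):
        argv += ["-D", port]
    for key, name in CANONICAL.items():
        if key in r:
            argv += ["-o", f"{name}={expand_tokens(r[key], r)}"]
    target = f"{r['user']}@{r['hostname']}" if "user" in r else r["hostname"]
    argv.append(target)
    return " ".join(argv)


if __name__ == "__main__":
    stanzas = parse_config(SAMPLE_CONFIG)
    for alias in ("router1", "shell", "other.example.org"):
        print(f"ssh {alias:<18} ->  {equivalent_command(alias, stanzas)}")
```

Running it shows "ssh router1" turning into the -p/-L/-o form, and "ssh other.example.org" picking up only the "Host *" defaults. The expanded ControlPath also makes visible why the %r@%h:%p tokens matter: without them, sessions to different servers or users would collide on one socket file.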

Using ssh in a pipe

It can be useful to send data from one side to another via an ssh connection.  Perhaps there is some filter only installed on the remote system, or you wish to copy over a large directory structure but rsync is absent on the remote system.

# copy dir1 to dir2 on target without rsync, as one command:
tar cz dir1 | ssh target tar xz -C dir2
# use hexdump on the remote system, feeding it a local file on stdin
ssh target hexdump < somefile

Store your SSH key in memory for your session

You can keep the SSH key in memory, already decrypted, to avoid typing your passphrase repeatedly.  The copy on disk stays encrypted, which protects your key from tampering.

eval `ssh-agent`
ssh-add

You can also use Keychain from the Gentoo project (though now available in most distributions) to maintain a per-reboot ssh-agent session.  This is very useful on desktops as it is available to all terminals and applications rather than a single shell session.  Full documentation for keychain is available at: http://www.gentoo.org/proj/en/keychain/

Conclusion

If you have any questions or feel anything needs a clarification, leave a comment and I’ll be happy to update with more content!


One Response to ALF 2008: SSH & GPG (Part 1: OpenSSH)

  1. Hi. I happened upon your website while I was searching for something else. While I do not agree with everything you said we do have similar thoughts for the most part. I’ve bookmarked your website and will visit again in the near future to see what you are writing about in 2010!
