16 ultimate SSH hacks

So you think you know OpenSSH inside and out? Test your chops against this hit parade of 16 expert tips and tricks, from identifying monkey-in-the-middle attacks to road warrior security to attaching remote screen sessions. Follow the countdown to the all-time best OpenSSH command!

[ Running SSH on a non-standard port ]

SSH tips #16-14:Detecting MITM attacks

When you log into a remote computer for the first time, you are asked if you want to accept the remote host's public key. Well how in the heck do you know if you should or not? If someone perpetrated a successful monkey-in-the-middle attack, and is presenting you with a fake key so they can hijack your session and steal all your secrets, how are you supposed to know? You can know, because when new key pairs are created they also create a unique fingerprint and randomart image:

$ ssh-keygen -t rsa -C newserver -f .ssh/newkey
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in .ssh/newkey.
Your public key has been saved in .ssh/newkey.pub.
The key fingerprint is:
44:90:8c:62:6e:53:3b:d8:1a:67:34:2f:94:02:e4:87 newserver
The key's randomart image is:
+--[ RSA 2048]----+
|oo   +.o.        |
|. = B o.         |
| E X +  .        |
|  B B ..         |
| . * o  S        |
|  .              |
|                 |
|                 |
|                 |

SSH tip #16: Retrieve the fingerprint and randomart image of an SSH key

If you make a copy of this when you create new encryption keys, then you can fetch a key's fingerprint and randomart image anytime to compare and make sure they have not changed:

$ ssh-keygen -lvf  keyname

SSH tip #15: View all fingerprints and randomart images in known_hosts

And you can see all of them in your


$ ssh-keygen -lvf ~/.ssh/known_hosts

SSH tip #14: Verify server keys

You can see the fingerprint and randomart for any computer you're logging into by configuring

on your client computer. Simply uncomment the VisualHostKey option and set it to yes:

VisualHostKey yes

Then login to any remote computer to test it:

$ ssh user@host2
Host key fingerprint is 66:a1:2a:23:4d:5c:8b:58:e7:ef:2f:e5:49:3b:3d:32
+--[ECDSA  256]---+
|                 |
|                 |
|  . o   .        |
| + = . . .       |
|. + o . S        |
| o   o oo        |
|. + . .+ +       |
| . o .. E o      |
|      .o.+ .     |

user@host2's password: 

Obviously you need a secure method of getting verified copies of the fingerprint and randomart images for the computers you want to log into. Like a hand-delivered printed copy, encrypted email, the

command, secure ftp, read over the telephone...The risk of a successful MITM attack is small, but if you can figure out a relatively painless verification method it's cheap insurance.

SSH tip #13: Attach to a remote GNU screen session

You can attach a GNU

session remotely over SSH; in this example we'll open a GNU screen session on host1, and connect to it from host2. First open and then detach a
session on host1, named testscreen:

host1 ~ $ screen -S testscreen

Then detach from your

session with the keyboard combination Ctrl+a+d:

[detached from 3829.testscreen]

You can verify that it's still there with this command:

host1 ~ $ screen -ls

There is a screen on:
        3941.testscreen (03/18/2012 12:43:42 PM) (Detached)
1 Socket in /var/run/screen/S-host1.

Then re-attach to your screen session from host2:

host1 ~ $ ssh -t terry@uberpc screen -r testscreen

You don't have to name the

session if there is only one.

SSH tip #12: Launch a remote screen session

What if you don't have a running

session? No worries, because you can launch one remotely:

host1 ~ $ ssh -t user@host2 /usr/bin/screen -xRR
1 2 3 Page 1
ITWorld DealPost: The best in tech deals and discounts.