16 ultimate SSH hacks

By , ITworld |  IT Management, ssh

So you think you know OpenSSH inside and out? Test your chops against this hit parade of 16 expert tips and tricks, from identifying monkey-in-the-middle attacks to road warrior security to attaching remote screen sessions. Follow the countdown to the all-time best OpenSSH command!


SSH tips #16-14: Detecting MITM attacks

When you log into a remote computer for the first time, you are asked whether to accept the remote host's public key. How in the heck are you supposed to know whether you should? If someone has mounted a successful monkey-in-the-middle attack and is presenting you with a key of their own, so they can hijack your session and read everything you type, how would you tell? You can tell, because every public key has a fingerprint (a hash of the key itself) and a randomart image drawn from that fingerprint, and ssh-keygen shows both whenever it creates a key pair. The same is true of a server's own host keys in /etc/ssh/ssh_host_*_key.pub, which are what you are really being asked to vouch for:


$ ssh-keygen -t rsa -C newserver -f .ssh/newkey
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in .ssh/newkey.
Your public key has been saved in .ssh/newkey.pub.
The key fingerprint is:
44:90:8c:62:6e:53:3b:d8:1a:67:34:2f:94:02:e4:87 newserver
The key's randomart image is:
+--[ RSA 2048]----+
|oo   +.o.        |
|. = B o.         |
| E X +  .        |
|  B B ..         |
| . * o  S        |
|  .              |
|                 |
|                 |
|                 |
+-----------------+

SSH tip #16: Retrieve the fingerprint and randomart image of an SSH key

If you save a copy of this output when you create a key, you can fetch the key's fingerprint and randomart image at any time and compare them to make sure nothing has changed. Note that OpenSSH 6.8 and later print SHA256 fingerprints by default rather than the MD5 colon-separated form shown above; add -E md5 to the command if you need to compare against an older record:

$ ssh-keygen -lvf keyname

 

SSH tip #15: View all fingerprints and randomart images in known_hosts

The same command run against your ~/.ssh/known_hosts file shows the fingerprint and randomart of every host key you have already accepted:

$ ssh-keygen -lvf ~/.ssh/known_hosts

SSH tip #14: Verify server keys

You can see the fingerprint and randomart for any computer you're logging into by configuring /etc/ssh/ssh_config on your client computer (or ~/.ssh/config, to change it for your own account only). Simply uncomment the VisualHostKey option and set it to yes:

VisualHostKey yes

Then login to any remote computer to test it:


$ ssh user@host2
Host key fingerprint is 66:a1:2a:23:4d:5c:8b:58:e7:ef:2f:e5:49:3b:3d:32
+--[ECDSA  256]---+
|                 |
|                 |
|  . o   .        |
| + = . . .       |
|. + o . S        |
| o   o oo        |
|. + . .+ +       |
| . o .. E o      |
|      .o.+ .     |
+-----------------+

user@host2's password: 

Obviously you need a trustworthy out-of-band channel for getting verified copies of the fingerprints of the computers you want to log into: a hand-delivered printout, signed or encrypted email, reading them over the telephone, or scp or sftp from a host whose own key you have already verified. Fetching a fingerprint over the very connection you are trying to check proves nothing. The odds of a MITM on any given first connection are small, but the comparison is cheap insurance, and it only helps if you do it before you answer the password prompt: a password typed to an impostor is gone. After that first connection, ssh does the work for you, since a changed host key triggers the loud REMOTE HOST IDENTIFICATION HAS CHANGED warning instead of a polite yes/no question.
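To make tips #16-14 concrete, here is a short Python script, added for this page and not part of the original article or of OpenSSH, that re-derives what ssh-keygen -l prints: the fingerprint is nothing more than a hash (SHA256 in OpenSSH 6.8 and later, MD5 in the colon-separated form shown above) of the base64-decoded public-key blob. It parses both .pub and known_hosts lines, lists the fingerprint of every known_hosts entry (tip #15), and checks a presented key against fingerprints you were given out of band in either format. The ssh-ed25519 key it uses is constructed from arbitrary bytes inside the script so that it runs offline; it is not a real host's key, and the host and user names in it are made up.

```python
"""Host-key fingerprints the way ssh-keygen -l computes them (added example,
not from the original article): the fingerprint is a hash of the decoded
public-key blob, so a copy obtained out of band can be compared offline."""
import base64
import hashlib
import hmac
import struct
from typing import Dict, Iterable, Tuple

KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: uint32 length + payload."""
    return struct.pack(">I", len(data)) + data


def read_ssh_string(blob: bytes, offset: int = 0) -> Tuple[bytes, int]:
    """Decode one wire-format string at offset; return (payload, next offset)."""
    if len(blob) < offset + 4:
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    if len(blob) < start + length:
        raise ValueError("truncated key blob")
    return blob[start:start + length], start + length


def parse_key_line(line: str) -> Tuple[str, bytes]:
    """Parse a .pub line ('ssh-ed25519 AAAA... comment') or a known_hosts
    line ('host,ip ssh-ed25519 AAAA...', optionally after an @marker)."""
    fields = line.split()
    if fields and fields[0].startswith("@"):
        fields = fields[1:]                      # @cert-authority / @revoked
    if fields and fields[0] not in KEY_TYPES:
        fields = fields[1:]                      # hostnames (or hashed host) field
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        raise ValueError("not a recognised SSH public key line")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    embedded, _ = read_ssh_string(blob)          # the blob names its own type
    if embedded != key_type.encode():
        raise ValueError("declared key type does not match key blob")
    return key_type, blob


def fingerprint_sha256(blob: bytes) -> str:
    """Default since OpenSSH 6.8: SHA256 of the blob, base64 without padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """Legacy form (ssh-keygen -E md5): MD5 of the blob as colon-separated hex."""
    hexd = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(hexd[i:i + 2] for i in range(0, 32, 2))


def _normalize(fp: str) -> str:
    """Accept the bare 'aa:bb:...' form older ssh-keygen printed (15 colons)."""
    fp = fp.strip()
    if fp.count(":") == 15 and not fp.upper().startswith("MD5:"):
        return "MD5:" + fp.lower()
    return fp


def verify_host_key(line: str, trusted: Iterable[str]) -> bool:
    """True if the key on `line` matches any fingerprint obtained out of band.

    Either format is accepted; comparison is constant-time. False means the
    key the server presented is not the one you were given: a rekeyed host
    or a monkey in the middle. Do not type your password until you know which.
    """
    _, blob = parse_key_line(line)
    ours = (fingerprint_sha256(blob), fingerprint_md5(blob))
    return any(hmac.compare_digest(a, _normalize(t)) for a in ours for t in trusted)


def known_hosts_fingerprints(text: str) -> Dict[str, str]:
    """Tip #15 in code: SHA256 fingerprint of every entry in a known_hosts file."""
    out = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        hosts = fields[1] if fields[0].startswith("@") else fields[0]
        out[hosts] = fingerprint_sha256(parse_key_line(line)[1])
    return out


def make_demo_ed25519_pub(seed: int = 7) -> str:
    """Constructed sample: a syntactically valid ssh-ed25519 line built from
    arbitrary bytes (not a real key; fingerprinting only hashes the blob)."""
    raw = bytes((seed * 37 + i * 11) % 256 for i in range(32))
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " demo@example"


if __name__ == "__main__":
    pub = make_demo_ed25519_pub()
    _, blob = parse_key_line(pub)
    print(fingerprint_sha256(blob))
    print(fingerprint_md5(blob))
    print("matches trusted copy:", verify_host_key(pub, [fingerprint_sha256(blob)]))
```

Run it directly to print the constructed key's two fingerprints. In practice you would feed verify_host_key the line ssh-keyscan returns for the host, or the relevant line from ~/.ssh/known_hosts, together with the fingerprints the server's administrator gave you; a False result is the moment to stop, not to type a password.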

 

SSH tip #13: Attach to a remote GNU screen session

You can attach a GNU screen session remotely over SSH; in this example we'll open a GNU screen session on host1, and connect to it from host2. First open and then detach a screen session on host1, named testscreen:

host1 ~ $ screen -S testscreen

Then detach from your screen session with Ctrl-a followed by d:


[detached from 3941.testscreen]

You can verify that it's still there with this command:


host1 ~ $ screen -ls

There is a screen on:
        3941.testscreen (03/18/2012 12:43:42 PM) (Detached)
1 Socket in /var/run/screen/S-user.

Then re-attach to your screen session from host2. The -t flag makes ssh allocate a terminal on the remote side, which screen needs:


host2 ~ $ ssh -t user@host1 screen -r testscreen

You don't have to name the screen session if there is only one.

 

SSH tip #12: Launch a remote screen session

What if you don't have a running screen session? No worries, because you can launch one remotely. Here -RR reattaches to an existing detached session, or creates a new one if there is none, and -x lets you attach even if the session is still attached somewhere else, so both terminals share the same screen:


host1 ~ $ ssh -t user@host2 /usr/bin/screen -xRR
