SSH tip #6: Give SSH keys informative comments
Another useful way to label keys is with a comment:
$ ssh-keygen -t rsa -C "downtown lan webserver" -f .ssh/web-admin
Then you can read your comment, which is appended to the end of the public key.
SSH tip #5: Read public key comments
$ less .ssh/web-admin.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1 [snip] KCLAqwTv8rhp downtown lan webserver
SSH tip #4: Logging in with server-specific keys
Then when you log in, specify which key to use. The -i switch takes the private key file; the matching .pub is the one you copied to the server:
$ ssh -i .ssh/web-admin user@webserver
SSH tip #3: Fast easy known_hosts key management
I love this one because it's a nice time-saver, and it keeps my ~/.ssh/known_hosts file tidy: using ssh-keygen to remove host keys from the ~/.ssh/known_hosts file. When the remote machine gets new SSH keys you'll get a warning, when you try to log in, that the key has changed. Do check that the change is expected (a reinstall, or an admin who rotated the keys) before you delete the old entry, because the very same warning is what you'd see if someone were sitting between you and the server. Once you know the entry is just stale, this is much faster than manually editing the file and counting down to the correct line to delete:
$ ssh-keygen -R remote-hostname
Computers are supposed to make our lives easier, and it's ever so lovely when they do.
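As an added example (not from the original article), here is a small POSIX sh wrapper around the same ssh-keygen commands: it shows the fingerprint that is currently stored for a host so you can compare it with what the server's admin published, and only then removes the entry. It takes the known_hosts path as a parameter so you can manage any file, not just ~/.ssh/known_hosts, and the sample file it builds uses constructed ed25519 placeholder keys (all-zero blobs), not keys from any real server.

```shell
#!/bin/sh
# Added example, not from the original article. Requires ssh-keygen.

# Print the fingerprint of every key stored for HOST in FILE. Hashed entries
# (HashKnownHosts yes) are found as well, because -F does the hash comparison.
show_stored_key() {
    host="$1"; file="$2"
    ssh-keygen -F "$host" -f "$file" | ssh-keygen -l -f -
}

# Remove every entry for HOST from FILE. Returns 0 when no entry for the host
# remains, 1 when ssh-keygen could not remove it, 2 when FILE does not exist.
forget_host_key() {
    host="$1"; file="$2"
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    # -R rewrites FILE in place and keeps the previous version as FILE.old
    ssh-keygen -R "$host" -f "$file" >/dev/null 2>&1 || return 1
    # Verify: -F prints nothing once no entry for the host is left
    if ssh-keygen -F "$host" -f "$file" | grep -q .; then
        return 1
    fi
}

# Write a constructed known_hosts file with two hosts. The key blobs are
# placeholders (an all-zero and an almost-all-zero ed25519 public key).
make_sample_known_hosts() {
    cat > "$1" <<'EOF'
webserver.lan ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
fileserver.lan ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB
EOF
}

# Stand-alone run against a constructed file in a temporary directory.
if command -v ssh-keygen >/dev/null 2>&1; then
    dir=$(mktemp -d)
    make_sample_known_hosts "$dir/known_hosts"
    echo "stored for webserver.lan:"
    show_stored_key webserver.lan "$dir/known_hosts"
    forget_host_key webserver.lan "$dir/known_hosts" \
        && echo "webserver.lan removed; previous file kept as $dir/known_hosts.old"
fi
```

Run show_stored_key first and compare its output with the fingerprint you got out of band; forget_host_key is the step you take only after the two disagree for a reason you understand.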
SSH tip #2: SSH tunnel for road warriors
When you're at the mercy of hotel and coffee shop Internet, a nice secure SSH tunnel makes your online adventures safer. To make this work you need a server that you control to act as a central node for escaping from hotspot follies. I have a server set up at home to accept remote SSH logins, and then use an SSH tunnel to route traffic through it. This is useful for a lot of different tasks. For example I can use my normal email client to send email, instead of hassling with Web mail or changing SMTP server configuration, and all traffic between my laptop and home server is encrypted. First create the tunnel to your personal server:
carla@hotel:~$ ssh -f firstname.lastname@example.org -L 9999:homeserver.com:25 -N
This binds port 9999 on your mobile machine to port 25 on your remote server: -L sets up the forward, -N tells ssh not to run a remote command, and -f sends it to the background once the tunnel is up. The host and port after 9999 are what the SSH server connects to from its side, so the remote port must be whatever you've configured your server to listen on. Then configure your mail client to use localhost:9999 as the SMTP server and you're in business. I use Kmail, which lets me configure multiple SMTP server accounts and then choose which one I want to use when I send messages, or simply change the default with a mouse click. You can adapt this for any kind of service that you normally use from your home base, and need access to when you're on the road.
#1 Favorite SSH tip: Evading silly web restrictions
The wise assumption is that any public Internet is untrustworthy, so you can tunnel your Web surfing too. My #1 SSH tip gets you past untrustworthy networks that might have snoopers, and past any barriers to unfettered Web-surfing. Just like in tip #2 you need a server that you control to act as a secure relay; first set up an SSH tunnel to this server:
carla@hotel:~$ ssh -D 9999 -C email@example.com
Then configure your Web browser to use localhost port 9999 as a SOCKS 5 proxy (-D is what opens that SOCKS listener, and -C compresses the traffic). In Firefox, also tick "Proxy DNS when using SOCKS v5" so that name lookups travel through the tunnel instead of going to the hotspot's resolver. Figure 1 shows how this looks in Firefox.
An easy way to test this is on your home or business network. Set up the tunnel to a neighboring PC and surf some external Web sites. When this works, go back and change the SOCKS port number to the wrong number. This should prevent your Web browser from connecting to any sites, which proves the traffic really was going through the tunnel and that you set it up correctly.
How do you know which port numbers to use? Port numbers above 1024 do not require root privileges, so use these on your laptop or whatever you're using in your travels. Always check /etc/services first to find unassigned ports. The remote port you're binding to must be a port a server is listening on, and there has to be a path through your firewall to get to it.
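As an added example (not from the original article), the port-picking rule above as a POSIX sh function: a local tunnel port has to be a number, outside the privileged range, and not listed in the services file. The services file path is a parameter so a constructed excerpt can be used here; on a real machine pass /etc/services. The excerpt includes 9999 because IANA registers that number (as "distinct") and Debian-style services files list it, which is exactly why the article says to look before you pick; first_free_port then walks upward to the next number that passes. port_in_use is a further check on what is actually listening right now, assuming ss or netstat is installed.

```shell
#!/bin/sh
# Added example, not from the original article.

# Return 0 if PORT is usable as a local tunnel port according to SERVICES_FILE
# (default /etc/services); otherwise print the reason and return 1.
local_port_ok() {
    port="$1"; services="${2:-/etc/services}"
    case "$port" in
        ''|*[!0-9]*) echo "$port: not a number" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1024 ] || [ "$port" -gt 65535 ]; then
        echo "$port: not in the unprivileged range 1024-65535" >&2; return 1
    fi
    # services lines look like:  smtp   25/tcp   mail   # comment
    # Match the port for either protocol, ignoring comment lines.
    if grep -v '^#' "$services" | grep -Eq "[[:space:]]$port/(tcp|udp)([[:space:]]|$)"; then
        name=$(grep -v '^#' "$services" | grep -E "[[:space:]]$port/(tcp|udp)" \
               | awk '{print $1}' | head -n 1)
        echo "$port: already assigned to $name in $services" >&2; return 1
    fi
    return 0
}

# Print the first port at or above START that local_port_ok accepts.
first_free_port() {
    p="$1"; services="$2"
    while [ "$p" -le 65535 ]; do
        if local_port_ok "$p" "$services" 2>/dev/null; then echo "$p"; return 0; fi
        p=$((p + 1))
    done
    return 1
}

# Is something already listening on PORT on this machine? Uses ss when
# present, else netstat; returns 2 when neither tool is available.
port_in_use() {
    port="$1"
    if command -v ss >/dev/null 2>&1; then
        ss -Hltn 2>/dev/null | awk '{print $4}' | grep -Eq "[:.]$port\$"
    elif command -v netstat >/dev/null 2>&1; then
        netstat -ltn 2>/dev/null | awk '{print $4}' | grep -Eq "[:.]$port\$"
    else
        return 2
    fi
}

# Constructed excerpt in /etc/services format, used when the real file is
# not available. Not a copy of any particular system's file.
make_sample_services() {
    cat > "$1" <<'EOF'
# constructed excerpt, /etc/services format
ssh             22/tcp
smtp            25/tcp          mail
http            80/tcp          www
distinct        9999/tcp
distinct        9999/udp
EOF
}

# Stand-alone run: use the real /etc/services when readable, else the sample.
svc=/etc/services
[ -r "$svc" ] || { svc=$(mktemp); make_sample_services "$svc"; }
echo "first unassigned port at or above 9999 per $svc: $(first_free_port 9999 "$svc")"
```

A port that passes local_port_ok is merely unassigned in the file; run port_in_use on it as well before handing it to -L or -D, since ssh will refuse to bind a port another program already holds.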
To learn more try the excellent Pro OpenSSH by Michael Stahnke, and my own Linux Networking Cookbook has more on secure remote administration including SSH, OpenVPN, and remote graphical sessions, and configuring firewalls.