SSH: Difference between revisions
From charlesreid1
Revision as of 07:36, 9 October 2010
Handy SSH Tricks
SSH Tunnels
SSH can be used to create tunnels between ports on two computers. This comes in handy if, for example, you want to use a protocol that shares information between two computers, but the protocol is completely and hopelessly insecure. A perfect example is file sharing, or remote desktop sharing. Another situation where this comes in handy is if you're trying to run a service (like the above) through a computer that has a firewall blocking most ports. It is possible to route traffic to a port on your local machine, which won't have a firewall issue, through the SSH port (port 22).
An SSH tunnel works like this: normally, two computers communicate with each other directly. MachineA, acting as the server, opens a port, perhaps port 4000, and MachineB connects to port 4000 on MachineA to send and receive information. However, if the connection between MachineA and MachineB is not encrypted, someone sitting on the network can see everything that passes between them.
Alternatively, MachineB can create an encrypted SSH tunnel between itself and MachineA. The power of SSH tunnels is that they can be made between any two ports. So MachineB can create an SSH tunnel that carries everything sent to port 4000 on the local machine through the encrypted tunnel to port 4000 on MachineA. Or it could use port 4001 on the local machine, or port 5000 on the local machine - you get the idea.
To create a tunnel from port XXXX on MachineB (the local machine, where the command is run) to port YYYY on MachineA (the -L syntax is localport:remotehost:remoteport, where remotehost is resolved from MachineA's point of view, so "localhost" means MachineA itself):
    [MachineB] $ ssh -L XXXX:localhost:YYYY user@MachineA.com
The SSH tunnel stays alive for as long as this SSH session remains open. If you don't want to keep this window open, you can create the SSH tunnel and run it in the background:
    [MachineB] $ ssh -L XXXX:localhost:YYYY -f -N user@MachineA.com
The -f argument puts SSH into the background once it has authenticated, and -N tells it not to run a remote command, so the process does nothing but hold the tunnel open. Such a backgrounded tunnel lives until that ssh process is killed.
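The background tunnel above is easy to start but awkward to find and stop again. As an added example (not from the original page), the following wraps the same ssh -L -f -N invocation in functions that use an OpenSSH control socket (-M -S) so the tunnel can be checked and torn down by name; the function names and the socket path ~/.ssh/tunnel-<port>.sock are conventions chosen here.

```shell
#!/bin/sh
# Added example: manage a background "ssh -L ... -f -N" tunnel via a control socket.
# tunnel_cmd/tunnel_up/tunnel_check/tunnel_down and the socket path are names chosen here.

# Print the ssh command line that forwards LOCALPORT on this machine (MachineB)
# through the tunnel to REMOTEPORT on the SSH server TARGET (e.g. user@MachineA.com).
tunnel_cmd() {
    localport=$1; remoteport=$2; target=$3
    sock="$HOME/.ssh/tunnel-$localport.sock"
    # -f     go to the background once authenticated
    # -N     run no remote command, just hold the forward open
    # -M -S  make this process the control master, listening on $sock
    # ExitOnForwardFailure=yes: exit non-zero if LOCALPORT is already bound,
    #        instead of backgrounding a session that forwards nothing
    printf 'ssh -f -N -M -S %s -o ExitOnForwardFailure=yes -L %s:localhost:%s %s\n' \
        "$sock" "$localport" "$remoteport" "$target"
}

# Start the tunnel. Arguments must not contain whitespace (eval re-splits them).
tunnel_up() {
    eval "$(tunnel_cmd "$@")"
}

# Exit status 0 if the tunnel on LOCALPORT is still alive.
# The host argument is ignored when -S points at a live control socket.
tunnel_check() {
    ssh -S "$HOME/.ssh/tunnel-$1.sock" -O check placeholder-host 2>/dev/null
}

# Ask the control master to exit; this closes the forward and the background ssh.
tunnel_down() {
    ssh -S "$HOME/.ssh/tunnel-$1.sock" -O exit placeholder-host 2>/dev/null
}
```

Typical use on MachineB: `tunnel_up 4000 4000 user@MachineA.com`, then `tunnel_check 4000`, and finally `tunnel_down 4000` when the forward is no longer needed.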
Tunneling AFP over SSH
AFP, or Apple Filing Protocol, is the built-in file-sharing protocol on the Mac.
References
Tunneling AFP through SSH - http://hea-www.harvard.edu/~fine/OSX/afp_tunneling.html
Apple Filing Protocol - https://en.wikipedia.org/wiki/Apple_Filing_Protocol
How to create a self-signed certificate - http://www.akadia.com/services/ssh_test_certificate.html
Passwordless Login
These instructions will enable you to log in to MachineB from MachineA without entering your password.
DO THIS STEP ONCE:
Generate a public/private key pair using the DSA key type. (Note: OpenSSH has disabled DSA keys by default since version 7.0, released in 2015; on a current system ssh-keygen -t ed25519 is the equivalent step.) To do this, execute the command:
    [MachineA] $ ssh-keygen -t dsa
You'll be prompted for a passphrase, which must be entered every time the private key is used (the agent setup below reduces this to once per session). This operation creates two files, ~/.ssh/{id_dsa,id_dsa.pub}.
The file id_dsa is your private key - DO NOT SHARE YOUR PRIVATE KEY WITH ANYONE! The file id_dsa.pub is the public key, which is what gets copied to other machines.
Now remote-login to MachineB and paste the public key for MachineA into MachineB's list of authorized keys (one key per line):
    [MachineB] $ vi ~/.ssh/authorized_keys
and paste the contents of MachineA's ~/.ssh/id_dsa.pub.
END OF STEP TO DO ONLY ONCE.
To login to MachineB from MachineA without entering your password, perform the following steps:
    [MachineA] $ ssh-agent   # copy and paste the output of this command into the terminal;
                             # this sets 2 environment variables, SSH_AUTH_SOCK and SSH_AGENT_PID
                             # (equivalently: eval "$(ssh-agent -s)")
    [MachineA] $ ssh-add
You will be prompted for your key passphrase once per session, and once you enter it, you will have passwordless access to MachineB from MachineA.
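The "paste into authorized_keys" step above is easy to get subtly wrong: sshd (with StrictModes, its default) ignores an authorized_keys file, or a ~/.ssh directory, that other users can write to, and repeated pasting leaves duplicate lines. As an added example, not from the original page, here is a shell function that does that step idempotently with the right permissions, plus a helper that runs it on MachineB over ssh; install_pubkey, pubkey_count, push_pubkey and the sample key line are names and values constructed here.

```shell
#!/bin/sh
# Added example: install a public key into authorized_keys idempotently, with the
# permissions sshd's StrictModes requires. All names here are chosen for this example.

# A key's identity is "<type> <base64 blob>"; the trailing comment may differ between copies.
key_id() {
    printf '%s\n' "$1" | cut -d' ' -f1,2
}

# install_pubkey "<public key line>" /path/to/authorized_keys
install_pubkey() {
    key=$1; auth=$2
    dir=$(dirname "$auth")
    # sshd refuses keys from a ~/.ssh or authorized_keys that group/others can write
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$auth" && chmod 600 "$auth"
    if grep -qF -- "$(key_id "$key")" "$auth"; then
        return 0          # already present: do not add a duplicate line
    fi
    printf '%s\n' "$key" >> "$auth"
}

# How many lines in AUTH carry this key (expect exactly 1 after install).
pubkey_count() {
    grep -cF -- "$(key_id "$1")" "$2"
}

# Do the same on a remote host, as the page's vi step does by hand:
#   push_pubkey ~/.ssh/id_dsa.pub user@MachineB.com
# The key line travels on stdin; umask 077 gives the remote dir 700 and file 600.
push_pubkey() {
    ssh "$2" 'umask 077; mkdir -p ~/.ssh; touch ~/.ssh/authorized_keys; k=$(cat)
        grep -qF -- "$(printf %s "$k" | cut -d" " -f1,2)" ~/.ssh/authorized_keys \
            || printf "%s\n" "$k" >> ~/.ssh/authorized_keys' < "$1"
}
```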
These steps are somewhat cumbersome, and can be shortened to a much more convenient bash function as follows. I want to create a bash function on MachineA so that when I type:
[MachineA] $ MachineB
I will instantaneously be logged in to MachineB. To do this, I will create a function in my ~/.bashrc (or somewhere similar, I use a ~/.aliases file). This will look as follows:
    # No alias is needed: a function named MachineB is run by typing MachineB.
    function MachineB() {
        # Reuse the agent this shell already has; start one only if there is none.
        # eval runs ssh-agent's output in the current shell, so SSH_AUTH_SOCK and
        # SSH_AGENT_PID are set here. (Saving the output to a file and executing it
        # as a script sets them only in a child process, and ssh never sees them.)
        if [ -z "$SSH_AUTH_SOCK" ]; then
            eval "$(ssh-agent -s)" > /dev/null
        fi
        # Load the key only if the agent does not hold one yet (ssh-add -l fails
        # when the agent is empty); this is the single passphrase prompt per session.
        ssh-add -l > /dev/null 2>&1 || ssh-add ~/.ssh/id_dsa
        # ssh to MachineB (-Y enables trusted X11 forwarding)
        ssh -Y user@MachineB.com
    }
Voila!