I have written this guide for developers who might be superficially familiar with the basics of SSH – maybe even fiddled with a file or two without really knowing what’s going on – and would like a more cohesive overview of its most powerful features.

This is essentially an organised collection of the main gotchas and topics that gave me (a dev, not a sysadmin) the most dexterity in jumping about from machine to machine in the cloud.
It is meant to be read in succession as each topic builds on the previous, but I also tried to keep them loosely coupled in case the reader is only interested in a particular section.

Have fun.

Table of Contents:

  1. Authentication
  2. Known Hosts
  3. SSH Agent
  4. Config
  5. Jumping Hosts
  6. Tunnelling and Port Forwarding
  7. X11 Forwarding
  8. Multiplexing and Master Mode

Disclaimer: This is not meant to be a complete list of everything that is possible with SSH. That would probably take a book. Or two. But any feedback about additions is welcome.

First, a refresher. What is SSH?

SSH is a protocol built on top of TCP that is intended to provide a secure channel for a client and a server to communicate. In its implementation, it consists of two programs:

  • An SSH client
  • An SSH daemon on the server that accepts connections, typically on port 22

Both the client program and the daemon come pre-installed on most modern Unix-like operating systems.
Other little helper tools like ssh-keygen, ssh-agent and ssh-add are also part of the family of SSH executables.

SSH was originally designed as a replacement for Telnet and older, unsecured remote shell protocols. The encryption used by SSH is intended to provide confidentiality and integrity of data over unsecured networks, such as the Internet. Fun fact: it was developed by a fucked off engineer in response to a password sniffing attack on a university network.

This kind of security is typically thought of as necessary to log into a remote machine and execute commands here and there, but SSH also supports many other advanced use cases such as tunnelling, forwarding TCP ports, transferring files, X11 forwarding, etc. which we’ll see later.

First, let’s make sure we properly cover the main feature and selling point of SSH: authentication.
