Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. The best known illustration application is for remote login to estimator systems past times users.
SSH provides a secure channel over an unsecured network inwards a client-server architecture, connecting an SSH customer application amongst an SSH server. Common applications include remote command-line login together with remote command execution, exactly whatever network service tin hold out secured amongst SSH. The protocol specification distinguishes betwixt 2 major versions, referred to equally SSH-1 together with SSH-2.
SSH is an awesome powerful tool, at that topographic point are unlimited possibility when it comes to SSH. I’ve collected top thirty SSH shenanigans (or yous tin read SSH tips together with tricks) that volition are real handy.
1) Copy SSH world fundamental on a remote machine for passwordless login
ssh-copy-id user@host
To generate the keys piece of work the command ssh-keygen
2) Start a tunnel from about machine’s port eighty to your local post 2001
ssh -N -L2001:localhost:80 somemachine
Now yous tin acces the website past times going to http://localhost:2001/
3) Output your microphone to a remote computer’s speaker
dd if=/dev/dsp | ssh -c arcfour -C username@host dd of=/dev/dsp
This volition output the audio from your microphone port to the ssh target computer’s speaker port. The audio character is real bad, so yous volition take away heed a lot of hissing.
4) Compare a remote file amongst a local file
ssh user@host truthful cat /path/to/remotefile | diff /path/to/localfile –
Useful for checking if at that topographic point are differences betwixt local together with remote files.
5) Mount folder/filesystem through SSH
sshfs name@server:/path/to/folder /path/to/mount/point
Install SSHFS from http://fuse.sourceforge.net/sshfs.html
Will permit yous to mountain a folder safety over a network.
6) SSH connexion through host inwards the middle
ssh -t reachable_host ssh unreachable_host
Unreachable_host is unavailable from local network, exactly it’s available from reachable_host’s network. This command creates a connexion to unreachable_host through “hidden” connexion to reachable_host.Of course of teaching yous take away to hold out able to access reachable_host for this ;-)
7) Copy from host1 to host2, through your host
ssh root@host1 “cd /somedir/tocopy/ && tar -cf – .” | ssh root@host2 “cd /samedir/tocopyto/ && tar -xf -“
Good if exclusively yous convey access to host1 together with host2, exactly they convey no access to your host (so ncat won’t work) together with they convey no guide access to each other.
8) Run whatever GUI computer program remotely
ssh -fX <user>@<host> <program>
The SSH server configuration requires:
X11Forwarding yes # this is default inwards Debian
And it’s convenient too:
Compression delayed
9) Create a persistent connexion to a machine
ssh -MNf <user>@<host>
Create a persistent SSH connexion to the host inwards the background. Combine this amongst settings inwards your /.ssh/config:
Host host
ControlPath /.ssh/master-%r@%h:%p
ControlMaster no
All the SSH connections to the machine volition so become through the persisten SSH socket. This is real useful if yous are using SSH to synchronize files (using rsync/sftp/cvs/svn) on a regular dry reason because it won’t practise a novel socket each fourth dimension to opened upward an ssh connection.
10) Attach covert over ssh
ssh -t remote_host covert -r
Directly attach a remote covert session (saves a useless raise bash process)
11) Port Knocking!
knock <host> 3000 4000 5000 && ssh -p <port> user@host && knock <host> 5000 4000 3000
Knock on ports to opened upward a port to a service (ssh for example) together with knock ane time to a greater extent than to unopen the port. You convey to install knockd.
See illustration config file below.
[options]
logfile = /var/log/knockd.log
[openSSH]
sequence = 3000,4000,5000
seq_timeout = 5
command = /sbin/iptables -A INPUT -i eth0 -s %IP% -p tcp –dport 22 -j ACCEPT
tcpflags = syn
[closeSSH]
sequence = 5000,4000,3000
seq_timeout = 5
command = /sbin/iptables -D INPUT -i eth0 -s %IP% -p tcp –dport 22 -j ACCEPT
tcpflags = syn
12) Remove a describe inwards a text file. Useful to laid “ssh host fundamental change” warnings
ssh-keygen -R <the_offending_host>
In this instance it’s ameliorate practise to piece of work the dedicated tool
13) Remove a describe inwards a text file. Useful to laid “ssh host fundamental change” warnings
sed -i 8d /.ssh/known_hosts
14) Run complex remote trounce cmds over ssh, without escaping quotes
ssh host -l user $(<cmd.txt)
Much simpler method. More portable version: ssh host -l user “`cat cmd.txt`”
15) Copy a MySQL Database to a novel Server via SSH amongst ane command
mysqldump –add-drop-table –extended-insert –force –log-error=error.log -uUSER -pPASS OLD_DB_NAME | ssh -C user@newhost “mysql -uUSER -pPASS NEW_DB_NAME”
Dumps a MySQL database over a compressed SSH tunnel together with uses it equally input to mysql – i retrieve that is the fastest together with best manner to migrate a DB to a novel server!
16) Copy your ssh world fundamental to a server from a machine that doesn’t convey ssh-copy-id
cat /.ssh/id_rsa.pub | ssh user@machine “mkdir /.ssh; truthful cat >> /.ssh/authorized_keys”
If yous piece of work Mac OS X or about other *nix variant that doesn’t come upward amongst ssh-copy-id, this one-liner volition permit yous to add together your world fundamental to a remote machine so yous tin later ssh to that machine without a password.
17) Live ssh network throughput test
yes | pv | ssh $host “cat > /dev/null”
connects to host via ssh together with displays the alive transfer speed, directing all transferred information to /dev/null
needs pv installed
Debian: ‘apt-get install pv’
Fedora: ‘yum install pv’ (may take away the ‘extras’ repository enabled)
18) How to works life a remote Gnu covert session that yous tin re-connect to
ssh -t user@some.domain.com /usr/bin/screen -xRR
Long earlier tabbed terminals existed, people convey been using Gnu covert to opened upward many shells inwards a unmarried text terminal. Combined amongst ssh, it gives yous the mightiness to convey many opened upward shells amongst a unmarried remote connexion using the higher upward options. If yous detach amongst “Ctrl-a d” or if the ssh session is accidentally terminated, all processes running inwards your remote shells stay undisturbed, laid for yous to reconnect. Other useful covert commands are “Ctrl-a c” (open novel shell) together with “Ctrl-a a” (alternate betwixt shells). Read this quick reference for to a greater extent than covert commands: http://aperiodic.net/screen/quick_reference
19) Resume scp of a big file
rsync –partial –progress –rsh=ssh $file_source $user@$host:$destination_file
It tin resume a failed secure re-create ( usefull when yous transfer big files similar db dumps through vpn ) using rsync.
It requires rsync installed inwards both hosts.
rsync –partial –progress –rsh=ssh $file_source $user@$host:$destination_file local -> remote
or
rsync –partial –progress –rsh=ssh $user@$host:$remote_file $destination_file remote -> local
20) Analyze traffic remotely over ssh w/ wireshark
ssh root@server.com ‘tshark -f “port !22” -w -‘ | wireshark -k -i –
This captures traffic on a remote machine amongst tshark, sends the raw pcap information over the ssh link, together with displays it inwards wireshark. Hitting ctrl+C volition halt the capture together with unfortunately unopen your wireshark window. This tin hold out worked-around past times passing -c # to tshark to exclusively capture a sure as shooting # of packets, or redirecting the information through a named pipage rather than piping straight from ssh to wireshark. I recommend filtering equally much equally yous tin inwards the tshark command to conserve bandwidth. tshark tin hold out replaced amongst tcpdump thusly:
ssh root@example.com tcpdump -w – ‘port !22’ | wireshark -k -i –
21) Have an ssh session opened upward forever
autossh -M50000 -t server.example.com ‘screen -raAd mysession’
Open a ssh session opened forever, peachy on laptops losing Internet connectivity when switching WIFI spots.
22) Harder, Faster, Stronger SSH clients
ssh -4 -C -c blowfish-cbc
We forcefulness IPv4, compress the stream, specify the cypher current to hold out Blowfish. I suppose yous could piece of work aes256-ctr equally good for cypher spec. I’m of course of teaching leaving out things similar original command sessions together with such equally that may non hold out available on your trounce although that would speed things upward equally well.
23) Throttle bandwidth amongst cstream
tar -cj /backup | cstream -t 777k | ssh host ‘tar -xj -C /backup’
this bzips a folder together with transfers it over the network to “host” at 777k bit/s.
cstream tin practise a lot more, convey a expect http://www.cons.org/cracauer/cstream.html#usage
for example:
echo w00t, i’m 733+ | cstream -b1 -t2
24) Transfer SSH world fundamental to about other machine inwards ane step
ssh-keygen; ssh-copy-id user@host; ssh user@host
This command sequence allows uncomplicated setup of (gasp!) password-less SSH logins. Be careful, equally if yous already convey an SSH keypair inwards your /.ssh directory on the local machine, at that topographic point is a possibility ssh-keygen may overwrite them. ssh-copy-id copies Earth fundamental to the remote host together with appends it to the remote account’s /.ssh/authorized_keys file. When trying ssh, if yous used no passphrase for your key, the remote trounce appears before long after invoking ssh user@host.
25) Copy stdin to your X11 buffer
ssh user@host truthful cat /path/to/some/file | xclip
Have yous e'er had to scp a file to your piece of work machine inwards guild to re-create its contents to a mail? xclip tin assistance yous amongst that. It copies its stdin to the X11 buffer, so all yous convey to practise is middle-click to glue the content of that looong file :)
26) Synchronize appointment together with fourth dimension amongst server over ssh
date --set="$(ssh user@server date)"
NTP is better, exactly at that topographic point are situations where it can’t hold out used. In those cases, yous tin practise this to sync the local fourth dimension to a server.
27) Duplicate installed packages from ane machine to the other
ssh root@remote.host "rpm -qa" | xargs yum -y install
This volition duplicate installed packages from ane machine to the other – works for rpm/yum based systems.
The side past times side ane works for Ubuntu/Debian based systems.
Tell local Debian machine to install packages used past times remote Debian machine
ssh remotehost 'dpkg --get-selections' | dpkg --set-selections && dselect install
(also works on Ubuntu) Copies the ‘install,’ ‘hold,’ ‘deinstall’ together with ‘purge’ states of packages on the remote machine to hold out matched on the local machine. Note: if packages were installed on the local machine that were never installed on the remote machine, they volition non hold out deinstalled past times this operation.
apt-get install ssh root@host_you_want_to_clone "dpkg -l | grep ii" | awk '{print $2}'“Clone” a listing of installed packages from ane Debian/Ubuntu Server to another
28) Backup a remote database to your local filesystem
ssh user@host 'mysqldump dbname | gzip' > /path/to/backups/db-backup-`date +%Y-%m-%d`.sql.gz
I convey this on a daily cronjob to backup the commandlinefu.com database from NearlyFreeSpeech.net (awesome hosts past times the way) to my local drive. Note that (on my Ubuntu organisation at least) yous take away to escape the % signs on the crontab.
29) run command on a grouping of nodes inwards parallel
echo "uptime" | pee "ssh host1" "ssh host2" "ssh host3"
echo "uptime" | tee >(ssh host1) >(ssh host2) >(ssh host3)
The pee command is inwards the moreutils package.
30) ssh to machine behind shared NAT
ssh -NR 0.0.0.0:2222:127.0.0.1:22 user@jump.host.com
Useful to larn network access to a machine behind shared IP NAT. Assumes yous convey an accessible outpouring host together with physical console or drac/ilo/lom etc access to run the command.
Run the command on the host behind NAT so ssh connect to your outpouring host on port 2222. That connexion to the outpouring host volition hold out forwarded to the hidden machine.
Note: Some older versions of ssh practise non admit the bind address (0.0.0.0 inwards the example) together with volition exclusively head on the loopback address.
Conclusion
This is a long post containing collection of about SSH goodies. I meant to write it for a field earlier I lose the original link or forget it.
