20121221

Security for 200, Alex.

Another brief technical detour today.

I use ssh in all sorts of ways. I make tunnels all the time (and have even hooked them together a time or two), use keys, and use ssh-agent to keep from having to repeatedly type in my passphrase. I've set up quite long ssh config files, and modified sshd configs occasionally as well. I even have a shell function on my work machine that sets up two tunnels, each using a custom ssh config, to various places.

So I'm not exactly an ssh newbie.

I knew that you could usefully pipe input into an ssh command, but couldn't remember how to make it useful, so I went googling 'ssh tricks' yesterday. And I found quite a few interesting things. The first was the pipe.

Here's what you need to do:
cat file | ssh -e none user@host "cat > file"

file, of course, is the file you want to copy over (personally, I would use scp for a straight copy like this), '-e none' disables ssh's escape character so nothing in what you're copying gets interpreted as an escape (only useful if it's a binary file), and 'cat > file' dumps it into a destination. Doesn't seem very useful compared to scp, right? Well, what I was doing was appending my id_dsa.pub to the end of an authorized_keys file, so I wouldn't need to type a password to log in again. I'd been doing that via scp, which was a several-step process. But then I modified it to this:
cat ~/.ssh/id_dsa.pub | ssh user@host 'cat >> .ssh/authorized_keys'
which reduced it to one step. Win.
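The same one-step key install, as an added example that is not from the original post, with the two things the bare 'cat >>' version leaves out: it keeps ~/.ssh and authorized_keys at the permissions sshd's StrictModes requires (otherwise a freshly appended key is silently ignored), and it refuses to append a key that is already there. The function and variable names (push_key, install_cmd, AUTH_DIR) and the id_ed25519.pub default are my assumptions; the remote side is assumed to have a POSIX sh.

```shell
#!/bin/sh
# install_cmd is the command the remote shell runs, with the public key on stdin.
# AUTH_DIR is an assumed override used only for local testing; over ssh it is
# unset and the key goes to $HOME/.ssh/authorized_keys as in the original post.
install_cmd='
umask 077                                  # new dir/file: 700/600
dir="${AUTH_DIR:-$HOME/.ssh}"
mkdir -p "$dir" && chmod 700 "$dir"
f="$dir/authorized_keys"
touch "$f" && chmod 600 "$f"
key=$(cat)                                 # one public-key line from stdin
[ -n "$key" ] || { echo "empty key on stdin" >&2; exit 1; }
case "$key" in                             # only accept something key-shaped
  ssh-*|ecdsa-*|sk-*) ;;
  *) echo "stdin is not an OpenSSH public key" >&2; exit 1 ;;
esac
if grep -qxF -- "$key" "$f"; then          # exact-line match, no regex
  echo "already present"
else
  printf "%s\n" "$key" >> "$f"
  echo "added"
fi
'

# push_key user@host [pubkey-file]  (assumed name; default key path assumed)
push_key() {
  keyfile="${2:-$HOME/.ssh/id_ed25519.pub}"
  [ -r "$keyfile" ] || { echo "cannot read $keyfile" >&2; return 1; }
  ssh "$1" "$install_cmd" < "$keyfile"
}

# Run as a script: sh push_key.sh user@host [pubkey-file]
if [ "$#" -ge 1 ]; then
  push_key "$@"
fi
```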

And let's talk about some other features I found: you can put wildcards in the ssh config file (look for 'Per-host SSH client config'; that page also has a decent introduction to creating tunnels (it calls it port forwarding, which I don't think is a good phrase) and to using passphrases). You can specify a ControlMaster/ControlPath so that multiple connections to the same host share one real connection, which is a bit more efficient on the network.

That same page also mentions using a keep-alive (which I've occasionally used with PuTTY, but never with command-line ssh), and how to ignore host key checking (not generally a good idea, but he mentions a case where it is useful).

You can also do aliases for hostnames, which is nice. In fact, in the last week or so, I've used this to alias some tunnel-enabled connections into one step (i.e. instead of having to do 'ssh -p 2222 username@localhost', I just do 'ssh myname').

It keeps amazing me just how useful and versatile SSH is.
