Slide 1

10 advanced, yet digestible SSH techniques Wil Moore III @wilmoore

Slide 2

Full-Stack Web Application Craftsman, TDD and Devops Advocate. http://github.com/wilmoore

Slide 3

Public/Private key refresher

Slide 4

Key Generation Style
Create multiple key pairs
Don't share across networks

Slide 5

Share Public Key Only
Never share your "Private Key"
Do share "Public Key" with trusted hosts
Remote login: Provide your passphrase

Slide 6

Github <3’s SSH Keys
Github OAuth2 API: http://developer.github.com/v3/oauth

Slide 7

SSH Agent
Set and Forget about it
http://www.funtoo.org/wiki/Keychain

Slide 8

(1) Change a private key's pass-phrase

Slide 9

Periodic Pass-Phrase Change
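Slides 4 and 9 together say: one key pair per purpose, and rotate the passphrase periodically. The script below is an added example (not from the presentation) that generates a per-purpose ed25519 key pair, rotates its passphrase in place with ssh-keygen -p, and checks which passphrase now unlocks the key. It assumes OpenSSH's ssh-keygen is on the PATH; the key path, passphrases and comment are constructed.

```shell
#!/bin/sh
# Added example, not from the slides: generate a key pair for one purpose
# and rotate its passphrase in place (the private key never leaves the
# file). Assumes OpenSSH's ssh-keygen is on PATH; paths, passphrases and
# the comment are constructed.
set -eu

# One key pair per purpose (per host, network or service), so a leaked key
# exposes only that one trust relationship.
# $1 = private key path, $2 = passphrase, $3 = comment
generate_key() {
    ssh-keygen -q -t ed25519 -f "$1" -N "$2" -C "$3"
    chmod 600 "$1"
}

# Change the passphrase: -p (change), -P old, -N new. Periodic rotation
# matters because the passphrase is the only protection a copied key file has.
# $1 = private key path, $2 = old passphrase, $3 = new passphrase
rotate_passphrase() {
    ssh-keygen -q -p -f "$1" -P "$2" -N "$3" >/dev/null
}

# Does this passphrase unlock the key? "-y" derives the public key from the
# private one and fails on a wrong passphrase. Prints yes/no.
# $1 = private key path, $2 = passphrase
passphrase_works() {
    if ssh-keygen -y -f "$1" -P "$2" >/dev/null 2>&1; then echo yes; else echo no; fi
}

# Demo on a throwaway key in a temp directory (skipped if ssh-keygen is absent).
if command -v ssh-keygen >/dev/null 2>&1; then
    dir=$(mktemp -d)
    key="$dir/id_ed25519_demo"
    generate_key "$key" 'old-secret' 'demo key (constructed)'
    rotate_passphrase "$key" 'old-secret' 'new-secret'
    echo "old passphrase unlocks: $(passphrase_works "$key" old-secret)"   # no
    echo "new passphrase unlocks: $(passphrase_works "$key" new-secret)"   # yes
    rm -rf "$dir"
fi
```

For a real key the interactive form is simply `ssh-keygen -p -f ~/.ssh/id_ed25519`; the -P/-N flags are only there so the demo runs unattended, and they leave the passphrases in shell history, so avoid them outside a script.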

Slide 10

(2) {Multiple,} Single-Use Keys

Slide 11

Multiple Single-Use Keys
Tedious...
$HOME/.ssh/config
You'll ♥ doing this:
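The slide points at $HOME/.ssh/config as the cure for juggling many single-use keys. As an added example (not the presenter's config), the script below writes a config that pins a separate key to each Host alias and then asks ssh itself, via ssh -G, which key and host name it would actually use for each alias. The aliases, key paths and the two GitHub accounts are constructed; it assumes an OpenSSH client with -G support (6.8 or later).

```shell
#!/bin/sh
# Added example, not the presenter's config: one key pair per service, each
# pinned to a Host alias, and a check that ssh resolves what you expect.
# Aliases, key paths and the two GitHub accounts are constructed.
set -eu

# Write an ssh_config that binds a distinct IdentityFile to each alias.
# IdentitiesOnly makes ssh offer only the configured key, not every key the
# agent holds: fewer "Too many authentication failures" and the server
# only ever sees the key meant for it. ssh keeps the first value it finds
# for an option, so the catch-all "Host *" defaults go last.
# $1 = config path
write_ssh_config() {
    cat > "$1" <<'EOF'
Host github-work
    HostName github.com
    User git
    IdentityFile ~/.ssh/id_ed25519_work

Host github-personal
    HostName github.com
    User git
    IdentityFile ~/.ssh/id_ed25519_personal

Host *
    IdentitiesOnly yes
EOF
    chmod 600 "$1"        # ssh refuses group/world-writable config files
}

# Resolve one effective option for an alias without connecting:
# "ssh -G" prints the merged configuration with lower-cased keys.
# $1 = config path, $2 = alias, $3 = option name (lower case)
resolved_option() {
    ssh -G -F "$1" "$2" | awk -v k="$3" '$1 == k { print $2; exit }'
}

# Demo (skipped if no ssh client is installed).
if command -v ssh >/dev/null 2>&1; then
    dir=$(mktemp -d)
    write_ssh_config "$dir/config"
    for alias in github-work github-personal; do
        printf '%-16s hostname=%s identityfile=%s identitiesonly=%s\n' "$alias" \
            "$(resolved_option "$dir/config" "$alias" hostname)" \
            "$(resolved_option "$dir/config" "$alias" identityfile)" \
            "$(resolved_option "$dir/config" "$alias" identitiesonly)"
    done
    rm -rf "$dir"
fi
```

With that config in place, `git clone github-work:some-org/some-repo.git` and `ssh github-personal` each use only their own key, and `ssh -G github-work` is the quickest way to confirm which key a host alias will present before debugging a failed login.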

Slide 12

(3) Remove stale known_hosts entries

Slide 13

Stale known_hosts entries
No sed, awk, grep tricks needed
We’ve all seen this fun message...
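The "no sed, awk, grep tricks" tool is ssh-keygen -R. As an added example (not from the slides), the script below builds a constructed known_hosts file in a temp directory, removes one host's entry with ssh-keygen -R, and verifies with ssh-keygen -F that only that host is gone. It assumes OpenSSH's ssh-keygen is installed; the host names and addresses are constructed.

```shell
#!/bin/sh
# Added example, not from the slides: drop a stale known_hosts entry with
# "ssh-keygen -R" instead of sed/awk/grep. It works on a constructed
# known_hosts file in a temp dir, so nothing under ~/.ssh is touched; it
# assumes OpenSSH's ssh-keygen is installed. Host names are constructed.
set -eu

# Build a known_hosts file with two hosts. For the demo both share one
# throwaway host key generated on the spot. $1 = known_hosts path
make_known_hosts() {
    ssh-keygen -q -t ed25519 -N '' -f "$1.hostkey"
    pub=$(cut -d' ' -f1,2 < "$1.hostkey.pub")      # "ssh-ed25519 AAAA..."
    printf '%s %s\n' 'old-box.example.com,192.0.2.10' "$pub"  > "$1"
    printf '%s %s\n' 'keep-box.example.com'          "$pub" >> "$1"
    rm -f "$1.hostkey" "$1.hostkey.pub"
}

# Is there still an entry for the host? "ssh-keygen -F" prints matching
# lines (and nothing when there are none). Prints yes/no.
# $1 = known_hosts path, $2 = host name
has_host() {
    if [ -n "$(ssh-keygen -F "$2" -f "$1" 2>/dev/null)" ]; then echo yes; else echo no; fi
}

# Remove every line that matches the host. A line listing several names
# ("old-box.example.com,192.0.2.10") goes as a whole, so the IP entry
# disappears too. ssh-keygen keeps the previous file as <file>.old.
# $1 = known_hosts path, $2 = host name
forget_host() {
    ssh-keygen -R "$2" -f "$1" >/dev/null 2>&1
}

# Demo (skipped if ssh-keygen is absent).
if command -v ssh-keygen >/dev/null 2>&1; then
    dir=$(mktemp -d)
    make_known_hosts "$dir/known_hosts"
    forget_host "$dir/known_hosts" old-box.example.com
    echo "old-box  still present: $(has_host "$dir/known_hosts" old-box.example.com)"   # no
    echo "keep-box still present: $(has_host "$dir/known_hosts" keep-box.example.com)"  # yes
    rm -rf "$dir"
fi
```

Day to day, `ssh-keygen -R old-box.example.com` with no -f operates on ~/.ssh/known_hosts. Remove an entry only after you know why the key changed (a rebuilt host, a restored image); the warning exists precisely so that a silently swapped host key is noticed.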

Slide 14

(4) SSH Auto-Completion

Slide 15

Hostname Completion
Type a few characters...press tab
List filtered based on prefix
Completion is easy...see:
https://github.com/wilmoore/ruby-version/blob/master/ruby-version.sh#L67
https://github.com/wilmoore/php-version/blob/master/php-version.sh#L73

Slide 16

Remote Filename Completion
Type a path prefix...
The kestrel directory is expanded...
Directory contents are expanded

Slide 17

bash_completion installed?
You probably already have it
If not, install it (if you have ZSH, DONE)

Slide 18

Y-U-NO INIT COMPLETION?
Use the source...
Homebrew Much?
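Slides 15 to 18 describe hostname completion: type a prefix, press tab, get the matching hosts. As an added example (not the presenter's completion code, which lives in the linked ruby-version.sh and php-version.sh), the script below gathers host names from the Host aliases in an ssh config and from unhashed known_hosts entries, filters them by prefix, and hooks the list into bash's programmable completion when run under bash. Paths are parameters so it can be exercised on constructed files.

```shell
#!/bin/sh
# Added example, not the presenter's completion script: collect SSH host
# names from the Host aliases in an ssh config and from unhashed known_hosts
# entries, filter by prefix, and hook the list into bash completion when
# bash is running. Paths are parameters so it can run on constructed files.
set -eu

# Print candidate host names, one per line, starting with the prefix.
# $1 = ssh config path, $2 = known_hosts path, $3 = prefix (may be empty)
ssh_hosts() {
    {
        # "Host a b c" lines; wildcard and negated patterns are not targets
        [ -r "$1" ] && awk 'tolower($1) == "host" { for (i = 2; i <= NF; i++) if ($i !~ /[*?!]/) print $i }' "$1"
        # first field of known_hosts; skip hashed (|1|...) entries and @marker
        # or comment lines, split "name,ip" aliases, unwrap "[host]:port"
        [ -r "$2" ] && awk '$1 !~ /^[|@#]/ {
            n = split($1, a, ",")
            for (i = 1; i <= n; i++) { sub(/^\[/, "", a[i]); sub(/\]:[0-9]+$/, "", a[i]); print a[i] }
        }' "$2"
    } | awk -v p="$3" 'substr($0, 1, length(p)) == p' | sort -u
}

# Constructed config and known_hosts for the demo. $1 = directory
make_sample_files() {
    printf 'Host bastion\n    HostName 203.0.113.5\nHost dev-web dev-db\n    User deploy\nHost *.internal\n    User ops\n' > "$1/config"
    printf '|1|saltconstructed=|hashconstructed= ssh-ed25519 AAAAC3constructed\n[git.example.com]:2222 ssh-ed25519 AAAAC3constructed\nbuild01,10.0.0.7 ssh-rsa AAAAB3constructed\n' > "$1/known_hosts"
}

# Hook into bash's programmable completion. The bash-only syntax sits in an
# eval'd string so the file still parses under plain sh.
if [ -n "${BASH_VERSION:-}" ]; then
    eval '_ssh_complete() {
        COMPREPLY=( $(ssh_hosts "$HOME/.ssh/config" "$HOME/.ssh/known_hosts" "${COMP_WORDS[COMP_CWORD]}") )
    }
    complete -F _ssh_complete ssh'
fi

dir=$(mktemp -d)
make_sample_files "$dir"
echo "all hosts: $(ssh_hosts "$dir/config" "$dir/known_hosts" '' | tr '\n' ' ')"
echo "dev*     : $(ssh_hosts "$dir/config" "$dir/known_hosts" dev | tr '\n' ' ')"
rm -rf "$dir"
```

One trade-off worth knowing: with HashKnownHosts enabled, known_hosts no longer reveals which hosts you connect to (the hashed `|1|` lines are skipped above), so completion then depends on the aliases you keep in ~/.ssh/config.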

Slide 19

(5) SSHFS

Slide 20

Mount remote directory
Mount
Unmount
Thousands of remote files == PAIN

Slide 21

(6) Remote Commands

Slide 22

Remote Commands
Tailing a remote log-file
Edit Remote Files
Vim: Edit Remote Files

Slide 23

(7) Access Remote Resources Locally

Slide 24

Forward local port to remote
Access MongoDB as if local

Slide 25

(8) Named Remote Screen Sessions

Slide 26

Access a remote screen session
Create a remote screen session
Continue session in separate term

Slide 27

4 terminal remote pairing

Slide 28

(9) Multi-Line Remote Scripting

Slide 29

SSH + HEREDOC
% ssh -t … <
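The slide's command feeds a heredoc to ssh's stdin, so the remote shell reads and runs the whole script. As an added example (not from the slides), the script below shows the pattern with the two details that matter: quoting the delimiter ('EOF') so $variables and $(...) expand on the remote side rather than locally, and passing local values across as positional parameters with sh -s -- ARGS instead of interpolating them into the script. The target "local" runs the same script through a local sh so the demo works offline; everything else is constructed. One caveat on the slide's -t: once stdin is a heredoc it is no longer a terminal, so ssh prints "Pseudo-terminal will not be allocated because stdin is not a terminal" and carries on without one; drop -t for scripted runs, or use -tt only when the script genuinely needs a tty.

```shell
#!/bin/sh
# Added example, not from the slides: run a multi-line script on a remote
# host by feeding it to the remote shell's stdin through a heredoc. The
# quoted 'EOF' delimiter stops the local shell from expanding $vars and
# $(...) so they evaluate remotely; values you do want to pass from the
# local side travel as positional parameters via "sh -s -- ARGS". Target
# "local" runs the same script through a local sh so the demo works offline.
set -eu

# $1 = "local" or an ssh destination (user@host); remaining args reach the
# script as $1, $2, ... on the remote side. The remote login shell re-parses
# the argument string, so keep arguments free of spaces and shell metacharacters.
run_script() {
    target=$1
    shift
    if [ "$target" = local ]; then
        sh -s -- "$@"                     # stand-in for the remote shell
    else
        ssh "$target" sh -s -- "$@"       # remote sh reads the script from stdin
    fi
}

# Report host/user and whether a directory exists there. $1 = target, $2 = dir
remote_report() {
    run_script "$@" <<'EOF'
set -e
printf 'host=%s user=%s\n' "$(uname -n)" "$(id -un)"
printf 'checking %s: ' "$1"
if [ -d "$1" ]; then echo present; else echo missing; fi
EOF
}

remote_report local /etc
```

Against a real host the call is `remote_report deploy@app01.example.com /var/log/app` (a constructed destination); the script text is identical, only where it runs changes.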

Slide 30

(10) Tunnel browser traffic through a SOCKS proxy

Slide 31

Hey Netflix, your country check is annoying; however, I didn’t watch anything so please don’t terminate my account.

Slide 32

Y-U-NO NETFLIX IN CANADA?
OH come on now Netflix!!
Create the SOCKS proxy
SOME-HOST-NOT-TELLING

Slide 33

Browser Network Settings
Firefox
Chrome

Slide 34

All good besides silverlight fail!

Slide 35

Resources
Github SSH Key Generation Help: https://help.github.com/articles/generating-ssh-keys
Recover SSH key passphrase: https://help.github.com/articles/how-do-i-recover-my-ssh-key-passphrase

Slide 36

Thanks for your feedback
on JoindIn: https://joind.in/7991
on Twitter: http://twitter.com/wilmoore
on Github: http://github.com/wilmoore

Slide 37

Thank You :)

Slide 38

Intentionally blank?? :)

Slide 39

Bonus Content because you are so awesome!!

Slide 40

(11) Google Chrome SSH Client

Slide 41

SSH Client in the browser

Slide 42

(12) ~/.ssh/authorized_keys restrictions

Slide 43

Restrict what clients can do

ssh-rsa bbbbB3NzaC1yc2EAAEy0TOB0MTYhzKSaD//szJ9FFR0pY+G0M2pi/Wcbcj55KtYzBpYPNz8uV3T2N24PU9jybUD+n5ge/nTBRVgGu6Rk/7Fu9jdhmwOfxGlfFme/

no-port-forwarding,no-pty ssh-rsa bbbbB3NzaC1yc2EAAEy0TOB0MTYhzKSaD/szJ9FFR0pY+G0M2pi/Wcbcj55KtYzBpYPNz8uV3T2N247Fu9jdhmwOfxGlfFme/

COMMAND="printf 'Unable to run %s\n' ${SSH_ORIGINAL_COMMAND}" ssh-rsa bbbbB3NzaC1yc2EAAEy0TOB0MTYhzKSaD/szJ9FFR0pY+G0M2pi/

git clone git@github.com:wilmoore/frontend-packagers.git
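The slide shows three authorized_keys lines: an unrestricted key, one that may not forward ports or get a tty, and one pinned to a forced command that merely reports what the client tried to run (the documented spelling of that option is command=; sshd also sets SSH_ORIGINAL_COMMAND to the client's request, which is what the printf reads). As an added example (not the presenter's keys or script), the script below builds such a restricted line and implements the forced command as an allow-list gate: it honours only read-only git fetches of repositories under one directory and refuses everything else. The key material, the /srv/git root and the gate path /usr/local/bin/git-only are constructed placeholders; a from="..." option can additionally limit which source addresses may use the key.

```shell
#!/bin/sh
# Added example, not the presenter's keys or script: an authorized_keys line
# that pins a key to a forced command, and the gate that command runs.
# sshd puts whatever the client asked for in SSH_ORIGINAL_COMMAND and runs
# the forced command instead; the gate allow-lists what it will honour.
# Key material, the /srv/git repository root and the gate path
# /usr/local/bin/git-only are constructed placeholders.
set -eu

# One authorized_keys line: forced command plus the no-* options, so the key
# cannot get a shell, a tty, or port/agent/X11 forwarding even if the gate
# had a bug. (OpenSSH 7.2+ accepts a single "restrict" option for the same.)
# $1 = public key line ("ssh-ed25519 AAAA... comment"), $2 = gate path
restricted_key_line() {
    printf 'command="%s",no-port-forwarding,no-pty,no-agent-forwarding,no-X11-forwarding %s\n' "$2" "$1"
}

# The gate. Honours only read-only fetches of repositories under /srv/git;
# prints the vetted command (a deployed copy would exec it instead) and
# returns 0, or explains the refusal on stderr and returns 1.
git_only_gate() {
    req=${SSH_ORIGINAL_COMMAND:-}
    case "$req" in
        "")
            echo "this key does not allow interactive login" >&2
            return 1 ;;
        "git-upload-pack '/srv/git/"*".git'")
            repo=${req#"git-upload-pack '"}
            repo=${repo%"'"}
            # no path traversal, no characters a shell could misread
            case "$repo" in
                *..*|*[!A-Za-z0-9/._-]*)
                    echo "rejected repository path: $repo" >&2
                    return 1 ;;
            esac
            echo "git-upload-pack $repo"
            return 0 ;;
        *)
            printf "Unable to run '%s' with this key\n" "$req" >&2
            return 1 ;;
    esac
}

# Demo with a constructed key and a few requests.
restricted_key_line 'ssh-ed25519 AAAAC3constructedKeyMaterial ci-deploy (constructed)' /usr/local/bin/git-only
for cmd in "git-upload-pack '/srv/git/frontend-packagers.git'" \
           "git-receive-pack '/srv/git/frontend-packagers.git'" \
           "git-upload-pack '/srv/git/../other.git'" \
           ""; do
    if SSH_ORIGINAL_COMMAND=$cmd git_only_gate 2>/dev/null; then
        echo "  allowed: $cmd"
    else
        echo "  denied:  $cmd"
    fi
done
```

The gate is installed as the file named in command= and must be executable by the account the key logs in as; the no-* options are kept even though the gate already refuses shells, because defence in depth costs nothing here.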

Slide 44

(13) Fail2ban

Slide 45

/etc/fail2ban/jail.local

[ssh]
enabled  = true
port     = ssh
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 6

[ssh-ddos]
enabled  = true
port     = ssh
filter   = sshd-ddos
logpath  = /var/log/auth.log
maxretry = 6
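What those two jails do, in miniature: read /var/log/auth.log, count sshd failures per source address under each filter, and act on any source that reaches maxretry. As an added example (not from the slides and not fail2ban's own code), the script below runs that tally over a constructed auth.log with TEST-NET addresses. fail2ban's real filters are broader regexes and it also applies a findtime window and a bantime, both left out of this dry run.

```shell
#!/bin/sh
# Added example, not from the slides: the two jails above in miniature.
# Tally sshd failures per source address from an auth.log and report any
# source that reaches maxretry. The log lines are constructed (TEST-NET
# addresses); fail2ban's real filters are broader and also apply a
# findtime window and bantime, which this dry run leaves out.
set -eu

# Write a constructed auth.log in sshd's syslog format. $1 = path
write_sample_log() {
    cat > "$1" <<'EOF'
Mar 12 10:00:01 gw sshd[2101]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2
Mar 12 10:00:03 gw sshd[2101]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2
Mar 12 10:00:05 gw sshd[2103]: Failed password for root from 203.0.113.9 port 51236 ssh2
Mar 12 10:00:07 gw sshd[2103]: Failed password for root from 203.0.113.9 port 51236 ssh2
Mar 12 10:00:09 gw sshd[2105]: Failed password for invalid user test from 203.0.113.9 port 51240 ssh2
Mar 12 10:00:11 gw sshd[2105]: Failed password for invalid user test from 203.0.113.9 port 51240 ssh2
Mar 12 10:01:00 gw sshd[2110]: Invalid user oracle from 198.51.100.4 port 40100
Mar 12 10:01:02 gw sshd[2110]: Failed password for invalid user oracle from 198.51.100.4 port 40100 ssh2
Mar 12 10:01:04 gw sshd[2110]: Failed password for invalid user oracle from 198.51.100.4 port 40100 ssh2
Mar 12 10:02:00 gw sshd[2140]: Accepted publickey for wil from 192.0.2.7 port 40022 ssh2: ED25519 SHA256:constructed
Mar 12 10:02:30 gw sshd[2150]: Did not receive identification string from 198.51.100.4 port 40200
EOF
}

# Print "count ip" for each source with >= maxretry hits under the jail's
# filter: "ssh" counts password/invalid-user failures, "ssh-ddos" counts
# connections that never sent an identification string.
# $1 = log path, $2 = maxretry, $3 = jail name (ssh | ssh-ddos)
offending_sources() {
    case "$3" in
        ssh)      pat='(Failed password|Invalid user) ' ;;
        ssh-ddos) pat='Did not receive identification string' ;;
        *)        echo "unknown jail: $3" >&2; return 2 ;;
    esac
    awk -v maxretry="$2" -v pat="$pat" '
        / sshd\[[0-9]+\]: / && $0 ~ pat {
            if (match($0, /from [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/)) {
                ip = substr($0, RSTART + 5, RLENGTH - 5)   # drop "from "
                hits[ip]++
            }
        }
        END { for (ip in hits) if (hits[ip] >= maxretry) print hits[ip], ip }
    ' "$1" | sort -k2
}

dir=$(mktemp -d)
write_sample_log "$dir/auth.log"
echo "[ssh]      maxretry=6: $(offending_sources "$dir/auth.log" 6 ssh | tr '\n' ' ')"
echo "[ssh]      maxretry=3: $(offending_sources "$dir/auth.log" 3 ssh | tr '\n' ' ')"
echo "[ssh-ddos] maxretry=1: $(offending_sources "$dir/auth.log" 1 ssh-ddos | tr '\n' ' ')"
rm -rf "$dir"
```

Running the tally by hand like this is a useful sanity check when tuning maxretry: if your own deploy host shows up in the list, add it to ignoreip before enabling the jail rather than lowering the threshold.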