10 advanced, yet digestible SSH techniques Wil Moore III @wilmoore

Full-Stack Web Application Craftsman, TDD and Devops Advocate. http://github.com/wilmoore

Public/Private key refresher

Key Generation Style Create multiple key pairs Don't share across networks

Share Public Key Only Never share your "Private Key" Do share "Public Key" with trusted hosts Remote login: Provide your passphrase

Github <3’s SSH Keys Github OAuth2 API http://developer.github.com/v3/oauth

SSH Agent Set and Forget about it http://www.funtoo.org/wiki/Keychain

(1) Change a private- key's pass-phrase

Periodic Pass-Phrase Change

(2) {Multiple,} Single- Use Keys

Multiple Single-Use Keys Tedious... $HOME/.ssh/config You'll ♥ doing this:

(3) Remove stale known_hosts entries

Stale known_hosts entries No sed, awk, grep tricks needed We’ve all seen this fun message...

(4) SSH Auto-Completion

Hostname Completion Type a few characters...press tab https://github.com/wilmoore/ruby-version/blob/master/ruby-version.sh#L67 Completion is easy...see: https://github.com/wilmoore/php-version/blob/master/php-version.sh#L73 List filtered based on prefix

Remote Filename Completion Type a path prefix... The kestrel directory is expanded... Directory contents are expanded

bash_completion_installed? You probably already have it If not, install it (if you have ZSH, DONE)

Y-U-NO INIT COMPLETION? Use the source... Homebrew Much?

(5) SSHFS

Mount remote directory Mount Unmount Thousands of remote files == PAIN

(6) Remote Commands

Remote Commands Tailing a remote log-file Edit Remote Files Vim Edit Remote Files

(7) Access Remote Resources Locally

Forward local port to remote Access MongoDB as if local

(8) Named Remote Screen Sessions

Access a remote screen session Create a remote screen session Continue session in separate term

4 terminal remote pairing

(9) Multi-Line Remote Scripting

SSH + HEREDOC % ssh -t … <

(10) Tunnel browser traffic through a SOCKS proxy

Hey Netflix, your country check is annoying; however, I didn’t watch anything so please don’t terminate my account.

Y-U-NO NETFLIX IN CANADA? OH come on now Netflix!! Create the SOCKS proxy SOME-HOST-NOT-TELLING

Browser Network Settings Firefox Chrome

All good besides silverlight fail!

Github SSH Key Generation Help https://help.github.com/articles/generating-ssh-keys Recover SSH key passphrase https://help.github.com/articles/how-do-i-recover- my-ssh-key-passphrase Resources

on JoindIn https://joind.in/7991 on Twitter http://twitter.com/wilmoore on Github http://github.com/wilmoore Thanks for your feedback

Thank You :)

Intentionally blank?? :)

Bonus Content because you are so awesome!!

(11) Google Chrome SSH Client

SSH Client in the browser

(12) ~/.ssh/authorized_keys restrictions

Restrict what clients can do ssh-rsa bbbbB3NzaC1yc2EAAEy0TOB0MTYhzKSaD//szJ9FFR0pY+G0M2pi/ Wcbcj55KtYzBpYPNz8uV3T2N24PU9jybUD+n5ge/nTBRVgGu6Rk/ 7Fu9jdhmwOfxGlfFme/ no-port-forwarding,no-pty ssh-rsa bbbbB3NzaC1yc2EAAEy0TOB0MTYhzKSaD/ szJ9FFR0pY+G0M2pi/Wcbcj55KtYzBpYPNz8uV3T2N247Fu9jdhmwOfxGlfFme/ COMMAND=”printf 'Unable to run %s\n' ${SSH_ORIGINAL_COMMAND}” ssh- rsa bbbbB3NzaC1yc2EAAEy0TOB0MTYhzKSaD/szJ9FFR0pY+G0M2pi/ git clone git@github.com:wilmoore/frontend-packagers.git

(13) Fail2ban

/etc/fail2ban/jail.local [ssh] enabled = true port = ssh filter = sshd logpath = /var/log/auth.log maxretry = 6 [ssh-ddos] enabled = true port = ssh filter = sshd-ddos logpath = /var/log/auth.log maxretry = 6