10 advanced, yet digestible SSH techniques

In today's world of GitHub, Bitbucket, AWS/EC2, and virtualization in general, it is helpful to understand public-key authentication and SSH as a whole. The good news is that this seemingly cryptic and magical technology is quite easy to get a handle on once you know a few snazzy recipes.

BONUS: There are two easter eggs "hidden" in plain sight in the slides. Both are language constructs (one Ruby-ism and one regex-ism). Where are they and what do they do?


Wil Moore III

March 01, 2013

Transcript

  1. 10 advanced, yet digestible SSH techniques Wil Moore III @wilmoore

  2. Full-Stack Web Application Craftsman, TDD and DevOps Advocate. http://github.com/wilmoore

  3. Public/Private key refresher

  4. Key Generation Style: Create multiple key pairs. Don't share across networks.
  5. Share Public Key Only: Never share your "Private Key". Do share your "Public Key" with trusted hosts. Remote login: Provide your passphrase.
  6. Github <3’s SSH Keys Github OAuth2 API http://developer.github.com/v3/oauth

  7. SSH Agent Set and Forget about it http://www.funtoo.org/wiki/Keychain

  8. (1) Change a private key's passphrase

  9. Periodic Pass-Phrase Change
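The slide names the step but the command itself is not in the transcript. Below is an added example (not the deck's own code): it rotates the passphrase of a throwaway key with `ssh-keygen -p` and then proves the rotation took, checking that the old passphrase no longer decrypts the key, the new one does, and the public half is unchanged. It assumes OpenSSH's `ssh-keygen` is on PATH (it reports `skipped` otherwise) and generates an ed25519 key; the deck's era keys were RSA, but the `-p` step is identical.

```shell
# Added example, not from the slides: rotate a private key's passphrase with
# "ssh-keygen -p" and prove the rotation took. Works on a throwaway key in a
# temp dir; assumes OpenSSH's ssh-keygen is on PATH and reports "skipped" if not.
set -eu

# The interactive form is simply:  ssh-keygen -p -f ~/.ssh/id_ed25519
# -P/-N make it scriptable for this demo only; passphrases on the command line
# land in shell history and `ps` output, so never do that with a real key.
rotate_passphrase() {   # $1 key file, $2 current passphrase, $3 new passphrase
    ssh-keygen -p -f "$1" -P "$2" -N "$3" >/dev/null
}

# True when passphrase $2 decrypts key $1 (ssh-keygen -y derives the public half).
unlocks() {
    ssh-keygen -y -f "$1" -P "$2" >/dev/null 2>&1
}

demo_passphrase_rotation() {
    command -v ssh-keygen >/dev/null 2>&1 || { echo skipped; return 0; }
    dir=$(mktemp -d)
    key=$dir/id_ed25519
    # constructed throwaway key, protected with the "old" passphrase
    ssh-keygen -q -t ed25519 -N 'correct horse' -C demo -f "$key"
    rotate_passphrase "$key" 'correct horse' 'battery staple'
    result=ok
    if unlocks "$key" 'correct horse'; then
        result="old passphrase still accepted"
    elif ! unlocks "$key" 'battery staple'; then
        result="new passphrase rejected"
    else
        # only the encryption of the private file changed; the public key is identical
        before=$(awk '{print $1, $2}' "$key.pub")
        after=$(ssh-keygen -y -f "$key" -P 'battery staple' | awk '{print $1, $2}')
        [ "$before" = "$after" ] || result="public key changed unexpectedly"
    fi
    rm -rf "$dir"
    echo "$result"
    [ "$result" = ok ]
}
```

Because only the encryption of the private file changes, nothing has to be re-uploaded to GitHub or any server after a passphrase change, which is what makes periodic rotation cheap.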

  10. (2) {Multiple,} Single-Use Keys

  11. Multiple Single-Use Keys: Tedious... $HOME/.ssh/config. You'll ♥ doing this:
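The config file itself did not survive the transcript, so here is an added example (not the deck's own file) of a `~/.ssh/config` with one single-purpose key per host, plus a small audit that flags any `Host` stanza that names an `IdentityFile` but lacks `IdentitiesOnly yes`. Without that option ssh offers every key the agent holds to every host, which tells each server which other identities you own and can exhaust its `MaxAuthTries` before the right key is tried. Host names and key file names are constructed for the demo.

```shell
# Added example, not from the slides: one ~/.ssh/config with a separate
# single-purpose key per host, plus an audit for stanzas missing
# "IdentitiesOnly yes". Host names and key files are constructed for the demo.
set -eu

# Write the sample config to path $1.
write_demo_ssh_config() {
    cat > "$1" <<'EOF'
# one key per service, never reused across networks
Host github.com
    IdentityFile ~/.ssh/github_ed25519
    IdentitiesOnly yes

Host bitbucket.org
    IdentityFile ~/.ssh/bitbucket_ed25519
    IdentitiesOnly yes

# "ssh ec2-web" logs in as ec2-user at the long hostname below
Host ec2-web
    HostName ec2-203-0-113-10.compute-1.amazonaws.com
    User ec2-user
    IdentityFile ~/.ssh/ec2_web_ed25519
    IdentitiesOnly yes

# weak on purpose: no IdentitiesOnly, so every agent key gets offered here
Host legacy-box
    HostName legacy.example.internal
    IdentityFile ~/.ssh/legacy_rsa

Host *
    ServerAliveInterval 30
EOF
}

# Print the first alias of every Host stanza in $1 that sets IdentityFile but
# not "IdentitiesOnly yes". Wildcard stanzas are skipped. This is a per-stanza
# check; for the fully resolved settings of one host ask ssh itself: ssh -G <host>
audit_identities_only() {
    awk '
        function flush() {
            if (host != "" && host !~ /[*?]/ && keyfile && !only) print host
            host = ""; keyfile = 0; only = 0
        }
        tolower($1) == "host"           { flush(); host = $2; next }
        tolower($1) == "identityfile"   { keyfile = 1 }
        tolower($1) == "identitiesonly" { if (tolower($2) == "yes") only = 1 }
        END { flush() }
    ' "$1"
}
```

Run `audit_identities_only ~/.ssh/config` against your real file; every alias it prints is a host that currently sees all of your agent keys.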

  12. (3) Remove stale known_hosts entries

  13. Stale known_hosts entries: No sed, awk, grep tricks needed. We've all seen this fun message...
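The command behind the slide is `ssh-keygen -R <host>`. The added example below (not from the deck) builds its own `known_hosts` in a temp dir from a freshly generated host key, hashes it the way `HashKnownHosts yes` would, and shows why the grep tricks fail: the hostname is no longer in the file in plain text, yet `ssh-keygen -R` still removes exactly that entry and leaves the other host alone. It assumes `ssh-keygen` is on PATH and reports `skipped` otherwise. One caveat before you ever run it for real: the "REMOTE HOST IDENTIFICATION HAS CHANGED" warning exists to catch an interposed host, so confirm the server's key really did change (rebuild, rotation) before deleting the old one.

```shell
# Added example, not from the slides: drop a stale known_hosts entry with
# "ssh-keygen -R" instead of hand-editing, on a constructed hashed known_hosts.
# Assumes ssh-keygen is on PATH and reports "skipped" if not.
set -eu

# Remove every entry for hostname $1 (use "[host]:port" for non-default ports)
# from known_hosts file $2. ssh-keygen keeps a backup at $2.old; delete it once
# you are sure, otherwise the stale key lingers on disk.
forget_host() {
    ssh-keygen -R "$1" -f "$2" >/dev/null 2>&1
}

demo_forget_host() {
    command -v ssh-keygen >/dev/null 2>&1 || { echo skipped; return 0; }
    dir=$(mktemp -d)
    kh=$dir/known_hosts
    # constructed host key standing in for a server's /etc/ssh/ssh_host_ed25519_key.pub
    ssh-keygen -q -t ed25519 -N '' -C '' -f "$dir/hostkey"
    pub=$(awk '{print $1, $2}' "$dir/hostkey.pub")
    printf '%s %s\n' kestrel.example.net "$pub" > "$kh"
    printf '%s %s\n' '[git.example.net]:2222' "$pub" >> "$kh"
    ssh-keygen -H -f "$kh" >/dev/null 2>&1    # hash hostnames, as HashKnownHosts yes does
    rm -f "$kh.old"
    result=ok
    if grep -q kestrel "$kh"; then
        result="hostnames were not hashed"
    else
        forget_host kestrel.example.net "$kh"
        left=$(grep -c . "$kh" || true)
        if [ "$left" != 1 ]; then
            result="expected 1 entry left, found $left"
        elif ! ssh-keygen -F '[git.example.net]:2222' -f "$kh" >/dev/null 2>&1; then
            result="the other host's entry went missing"
        fi
    fi
    rm -rf "$dir"
    echo "$result"
    [ "$result" = ok ]
}
```

`ssh-keygen -F <host>` is the matching read-only query: it finds an entry (hashed or not) without changing the file, which is the safe first step when the warning appears.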
  14. (4) SSH Auto-Completion

  15. Hostname Completion: Type a few characters...press tab. List filtered based on prefix. Completion is easy...see: https://github.com/wilmoore/ruby-version/blob/master/ruby-version.sh#L67 and https://github.com/wilmoore/php-version/blob/master/php-version.sh#L73
  16. Remote Filename Completion: Type a path prefix...<tab>. The kestrel directory is expanded...<tab>. Directory contents are expanded.
  17. bash_completion_installed? You probably already have it. If not, install it (if you have ZSH, DONE).
  18. Y-U-NO INIT COMPLETION? Use the source... Homebrew Much?
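The completion function on the slides lives in the linked ruby-version/php-version scripts; the added example below is a separate, self-contained hostname completer (not the deck's code) that draws candidates from `Host` aliases in an `ssh_config` file and from hostnames in `known_hosts`. The sample files are constructed here. Note the practical limit: hashed `known_hosts` lines (what `HashKnownHosts yes` produces) carry no recoverable names, so they are skipped, which is one reason to keep the hosts you care about as aliases in `~/.ssh/config`.

```shell
# Added example, not from the slides: tab-complete ssh/scp/sftp hostnames from
# an ssh_config and a known_hosts file. Sample files below are constructed.
set -eu

# Host aliases from ssh_config: every name on a "Host" line except wildcard/negated patterns.
hosts_from_config() {
    [ -r "$1" ] || return 0
    awk 'tolower($1) == "host" { for (i = 2; i <= NF; i++) if ($i !~ /[*?!]/) print $i }' "$1"
}

# Hostnames from known_hosts: first field, comma-separated, "[host]:port" unwrapped.
# Skipped: comments, hashed "|1|..." entries, and @cert-authority / @revoked markers.
hosts_from_known_hosts() {
    [ -r "$1" ] || return 0
    awk '
        /^#/ || substr($0, 1, 3) == "|1|" || /^@/ || NF == 0 { next }
        {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++) {
                h = names[i]; sub(/^\[/, "", h); sub(/\]:[0-9]+$/, "", h); print h
            }
        }' "$1"
}

# Candidates starting with $1, drawn from config $2 and known_hosts $3, one per line.
complete_ssh_host() {
    { hosts_from_config "$2"; hosts_from_known_hosts "$3"; } |
        LC_ALL=C sort -u | awk -v p="$1" 'p == "" || index($0, p) == 1'
}

# Constructed sample files for the demo, written into directory $1.
write_demo_completion_files() {
    cat > "$1/config" <<'EOF'
Host kestrel
    HostName kestrel.example.net
Host kestrel-db github.com
Host *
    ServerAliveInterval 30
EOF
    # the "|1|..." line is a made-up hashed entry; the key blobs are placeholders
    cat > "$1/known_hosts" <<'EOF'
# comment line
kestrel.example.net,198.51.100.7 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderPlaceholderPlaceholderPlaceholderPlaceho
|1|c2FsdHNhbHRzYWx0c2FsdHNhbHQ=|aGFzaGhhc2hoYXNoaGFzaGhhc2hoYXNo= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholder
[kestrel-alt]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPlaceholder
EOF
}

# Register with bash programmable completion when running under bash; the array
# syntax stays inside eval so a plain POSIX sh can still source this file.
if [ -n "${BASH_VERSION:-}" ]; then
    eval '_ssh_complete() {
        local cur=${COMP_WORDS[COMP_CWORD]}
        COMPREPLY=( $(complete_ssh_host "$cur" "$HOME/.ssh/config" "$HOME/.ssh/known_hosts") )
    }
    complete -F _ssh_complete ssh scp sftp 2>/dev/null || true'
fi
```

Source the file from `~/.bashrc`; typing `ssh kes<tab>` then offers every alias and un-hashed host beginning with `kes`.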

  19. (5) SSHFS

  20. Mount remote directory: Mount. Unmount. Thousands of remote files == PAIN
  21. (6) Remote Commands

  22. Remote Commands: Tailing a remote log-file. Edit Remote Files (Vim). Edit Remote Files.
  23. (7) Access Remote Resources Locally

  24. Forward local port to remote Access MongoDB as if local

  25. (8) Named Remote Screen Sessions

  26. Access a remote screen session: Create a remote screen session. Continue session in separate term.
  27. 4 terminal remote pairing

  28. (9) Multi-Line Remote Scripting

  29. SSH + HEREDOC
    % ssh -t … <<ssh-session
    # body of your script goes here
    # more body
    # ...
    ssh-session
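Two details decide whether that heredoc does what you expect, and neither is visible on the slide. First, an unquoted delimiter (`<<ssh-session`) lets the local shell expand `$var` and `$(cmd)` in the body before anything is sent; a quoted one (`<<'ssh-session'`) ships the text verbatim for the remote shell to expand. Second, with stdin coming from a heredoc, `-t` only warns that no pseudo-terminal will be allocated; `-tt` forces one. The added example below (not the deck's code) shows both expansion forms side by side; `remote_shell` is a local stand-in for `ssh -tt user@host sh -s` so it runs offline.

```shell
# Added example, not from the slides: the two heredoc forms for multi-line
# remote scripting. remote_shell() stands in for "ssh -tt user@host sh -s"
# so the demo runs offline; substitute the real ssh invocation to use it.
set -eu

remote_shell() {
    # The real thing would be:  ssh -tt user@host sh -s
    # -tt forces a pty even though stdin is the heredoc rather than a terminal;
    # plain -t (as on the slide) only warns and proceeds without one.
    # "sh -s" makes the remote shell read the script from stdin.
    sh -s
}

where=local   # a variable that exists on this machine

# Unquoted delimiter: the local shell expands $where BEFORE anything is sent,
# so the remote side receives already-substituted text. Handy for passing local
# values in; dangerous when the body is meant for the remote shell.
expands_locally() {
    remote_shell <<ssh-session
where=remote
echo "$where"
ssh-session
}

# Quoted delimiter: the body goes over verbatim and the remote shell does all
# expansion. Use this form when the script refers to remote variables, paths or
# command substitutions.
expands_remotely() {
    remote_shell <<'ssh-session'
where=remote
echo "$where"
ssh-session
}
```

`expands_locally` prints `local` although the script sets `where=remote` first, because `$where` was already replaced on the sending side; `expands_remotely` prints `remote`.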
  30. (10) Tunnel browser traffic through a SOCKS proxy

  31. Hey Netflix, your country check is annoying; however, I didn't watch anything so please don't terminate my account.
  32. Y-U-NO NETFLIX IN CANADA? OH come on now Netflix!! Create the SOCKS proxy: SOME-HOST-NOT-TELLING
  33. Browser Network Settings Firefox Chrome

  34. All good besides silverlight fail!

  35. Resources: Github SSH Key Generation Help https://help.github.com/articles/generating-ssh-keys Recover SSH key passphrase https://help.github.com/articles/how-do-i-recover-my-ssh-key-passphrase
  36. on JoindIn https://joind.in/7991 on Twitter http://twitter.com/wilmoore on Github http://github.com/wilmoore Thanks for your feedback
  37. Thank You :)

  38. Intentionally blank?? :)

  39. Bonus Content because you are so awesome!!

  40. (11) Google Chrome SSH Client

  41. SSH Client in the browser

  42. (12) ~/.ssh/authorized_keys restrictions

  43. Restrict what clients can do (options go in front of the key type; the "bbbb..." key material is a mangled placeholder, not a real key)
    no-port-forwarding,no-pty ssh-rsa bbbbB3NzaC1yc2EAAEy0TOB0MTYhzKSaD//szJ9FFR0pY+G0M2pi/Wcbcj55KtYzBpYPNz8uV3T2N24PU9jybUD+n5ge/nTBRVgGu6Rk/7Fu9jdhmwOfxGlfFme/
    command="printf 'Unable to run %s\n' \"$SSH_ORIGINAL_COMMAND\"" ssh-rsa bbbbB3NzaC1yc2EAAEy0TOB0MTYhzKSaD/szJ9FFR0pY+G0M2pi/Wcbcj55KtYzBpYPNz8uV3T2N247Fu9jdhmwOfxGlfFme/
    ssh-rsa bbbbB3NzaC1yc2EAAEy0TOB0MTYhzKSaD/szJ9FFR0pY+G0M2pi/
    git clone git@github.com:wilmoore/frontend-packagers.git
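The slide's `command=` option refuses everything; the usual next step is a forced command that allows a short list of client commands and refuses the rest. The added example below (not the deck's code) is such a wrapper: it inspects `$SSH_ORIGINAL_COMMAND` by string comparison only, permits `uptime` and a read-only `git-upload-pack` whose repository path passes an allow-list of characters, and refuses anything else, including a plain login shell. The wrapper path `/usr/local/bin/ssh-forced`, the allowed commands and the `/srv/git` repository root are choices made for this demo; note that the refusal message quotes `"$SSH_ORIGINAL_COMMAND"`, since the unquoted form on the slide word-splits the command into several lines.

```shell
# Added example, not from the slides: a forced-command wrapper for
# authorized_keys that allows an explicit list of client commands and refuses
# everything else. Wrapper path, allowed commands and /srv/git are demo choices.
# The authorized_keys line that would use it (placeholder key):
#   command="/usr/local/bin/ssh-forced",no-port-forwarding,no-pty,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAA... deploy@ci
set -eu

# Decide what the client may run. $1 is the text of SSH_ORIGINAL_COMMAND (empty
# when the client asked for a login shell). Prints the verdict; exit status 0
# means allow. The string is only ever compared, never handed to a shell.
forced_command_verdict() {
    case "$1" in
        '')
            echo "refuse: interactive shell"; return 1 ;;
        uptime)
            echo "allow: uptime"; return 0 ;;
        "git-upload-pack '"*"'")
            # read-only git fetch/clone; git quotes the path with single quotes
            repo=${1#"git-upload-pack '"}; repo=${repo%"'"}
            case "$repo" in
                *[!A-Za-z0-9._/-]*|*..*|/*)    # shell metachars, traversal, absolute path
                    echo "refuse: bad repo path"; return 1 ;;
                *)
                    echo "allow: git-upload-pack $repo"; return 0 ;;
            esac ;;
        *)
            printf 'refuse: Unable to run %s\n' "$1"; return 1 ;;
    esac
}

# Entry point when sshd runs this file as the forced command.
run_forced_command() {
    cmd=${SSH_ORIGINAL_COMMAND:-}
    if ! forced_command_verdict "$cmd" >/dev/null; then
        printf 'Unable to run %s\n' "$cmd" >&2    # quoted, so it stays one line
        exit 255
    fi
    case "$cmd" in
        uptime) exec uptime ;;
        *) repo=${cmd#"git-upload-pack '"}; repo=${repo%"'"}
           exec git-upload-pack "/srv/git/$repo" ;;
    esac
}

# Act as the wrapper only when sshd invokes the installed file; when sourced
# elsewhere (for testing) just define the functions.
if [ -n "${SSH_CONNECTION:-}" ] && [ "${0##*/}" = ssh-forced ]; then run_forced_command; fi
```

The `no-pty` option on the key is what makes the empty-command case reachable in practice: a client asking for a shell gets no terminal and is refused by the wrapper, and the remaining `no-*` options close the forwarding channels the forced command does not control.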
  44. (13) Fail2ban

  45. /etc/fail2ban/jail.local
    [ssh]
    enabled  = true
    port     = ssh
    filter   = sshd
    logpath  = /var/log/auth.log
    maxretry = 6

    [ssh-ddos]
    enabled  = true
    port     = ssh
    filter   = sshd-ddos
    logpath  = /var/log/auth.log
    maxretry = 6

    These are the jail and filter names of fail2ban 0.8, current when this deck was given. From 0.9 the jail is called [sshd], and 0.10 retired the separate sshd-ddos filter in favour of the sshd filter's mode setting (mode = ddos or aggressive).