10 advanced, yet digestible SSH techniques

In today's world of Github, Bitbucket, AWS/EC2, and virtualization in general, it is helpful to understand public key authentication and SSH more broadly. The good news is that this seemingly cryptic and magical technology is quite easy to get a handle on once you know a few snazzy recipes.

BONUS: There are two easter eggs "hidden" plainly in the slides. Both are language constructs (one ruby-ism and one regex-ism). Where are they and what do they do?

Wil Moore III

March 01, 2013

Transcript

  1. 10 advanced, yet
    digestible SSH
    techniques
    Wil Moore III
    @wilmoore

  2. Full-Stack Web
    Application Craftsman,
    TDD and Devops
    Advocate.
    http://github.com/wilmoore

  3. Public/Private
    key refresher

  4. Key Generation Style
    Create multiple key pairs
    Don't share across networks

  5. Share Public Key Only
    Never share your "Private Key"
    Do share "Public Key" with trusted hosts
    Remote login: Provide your passphrase

  6. Github <3’s SSH Keys
    Github OAuth2 API
    http://developer.github.com/v3/oauth

  7. SSH Agent
    Set and Forget about it
    http://www.funtoo.org/wiki/Keychain

  8. (1)
    Change a private-key's pass-phrase

  9. Periodic Pass-Phrase Change

  10. (2)
    {Multiple,} Single-Use Keys

  11. Multiple Single-Use Keys
    Tedious...
    $HOME/.ssh/config
    You'll ♥ doing this:

  12. (3)
    Remove stale
    known_hosts entries

  13. Stale known_hosts entries
    No sed, awk, grep tricks needed
    We’ve all seen this fun message...

  14. (4)
    SSH Auto-Completion

  15. Hostname Completion
    Type a few characters...press tab
    https://github.com/wilmoore/ruby-version/blob/master/ruby-version.sh#L67
    Completion is easy...see:
    https://github.com/wilmoore/php-version/blob/master/php-version.sh#L73
    List filtered based on prefix

  16. Remote Filename Completion
    Type a path prefix...
    The kestrel directory is expanded...
    Directory contents are expanded

  17. bash_completion_installed?
    You probably already have it
    If not, install it (if you have ZSH, DONE)

  18. Y-U-NO INIT COMPLETION?
    Use the source...
    Homebrew Much?

  19. Mount remote directory
    Mount
    Unmount
    Thousands of remote files == PAIN

  20. (6)
    Remote Commands

  21. Remote Commands
    Tailing a remote log-file
    Edit Remote Files
    Vim Edit Remote Files

  22. (7)
    Access Remote
    Resources Locally

  23. Forward local port to remote
    Access MongoDB as if local

  24. (8)
    Named Remote
    Screen Sessions

  25. Access a remote screen session
    Create a remote screen session
    Continue session in separate term

  26. 4 terminal remote pairing

  27. (9)
    Multi-Line Remote
    Scripting

  28. SSH + HEREDOC
    % ssh -t … <<'ssh-session'
    # body of your script goes here
    # more body
    # ...
    ssh-session

  29. (10)
    Tunnel browser
    traffic through a
    SOCKS proxy

  30. Hey Netflix, your country
    check is annoying; however,
    I didn’t watch anything so
    please don’t terminate my
    account.

  31. Y-U-NO NETFLIX IN CANADA?
    OH come on now Netflix!!
    Create the SOCKS proxy
    SOME-HOST-NOT-TELLING

  32. Browser Network Settings
    Firefox
    Chrome

  33. All good besides silverlight fail!

  34. Resources
    Github SSH Key Generation Help
    https://help.github.com/articles/generating-ssh-keys
    Recover SSH key passphrase
    https://help.github.com/articles/how-do-i-recover-my-ssh-key-passphrase

  35. on JoindIn
    https://joind.in/7991
    on Twitter
    http://twitter.com/wilmoore
    on Github
    http://github.com/wilmoore
    Thanks for your feedback

  36. Thank You :)

  37. Intentionally
    blank?? :)

  38. Bonus Content
    because you are so awesome!!

  39. (11)
    Google Chrome
    SSH Client

  40. SSH Client in the browser

  41. (12)
    ~/.ssh/authorized_keys
    restrictions

  42. Restrict what clients can do
    ssh-rsa bbbbB3NzaC1yc2EAAEy0TOB0MTYhzKSaD//szJ9FFR0pY+G0M2pi/Wcbcj55KtYzBpYPNz8uV3T2N24PU9jybUD+n5ge/nTBRVgGu6Rk/7Fu9jdhmwOfxGlfFme/
    no-port-forwarding,no-pty ssh-rsa bbbbB3NzaC1yc2EAAEy0TOB0MTYhzKSaD/szJ9FFR0pY+G0M2pi/Wcbcj55KtYzBpYPNz8uV3T2N247Fu9jdhmwOfxGlfFme/
    command="printf 'Unable to run %s\n' ${SSH_ORIGINAL_COMMAND}" ssh-rsa bbbbB3NzaC1yc2EAAEy0TOB0MTYhzKSaD/szJ9FFR0pY+G0M2pi/
    git clone [email protected]:wilmoore/frontend-packagers.git

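As an added example that is not part of the deck: a forced-command wrapper of the kind the command= option on the third key above points at, meant to sit next to no-port-forwarding,no-pty, so that the key can fetch from git repositories and do nothing else. The script path /usr/local/bin/git-ro.sh, the repository root /srv/git and the function name allowed_repo are assumptions.

```shell
#!/bin/sh
# Added example: forced-command wrapper for one key in ~/.ssh/authorized_keys, e.g.
#   command="/usr/local/bin/git-ro.sh",no-port-forwarding,no-pty,no-agent-forwarding ssh-rsa AAAA...
# sshd runs this script instead of whatever the client asked for and passes the client's
# request in SSH_ORIGINAL_COMMAND; only read-only git fetches (git-upload-pack) get through.
# Paths, names and the /srv/git repository root are assumptions, not taken from the deck.

REPO_ROOT="${REPO_ROOT:-/srv/git}"   # assumed location of the bare repositories

# allowed_repo REQUEST: print the repository path to serve, or return 1 to refuse.
allowed_repo() {
    case "$1" in
        "git-upload-pack "*) path=${1#"git-upload-pack "} ;;
        "git upload-pack "*) path=${1#"git upload-pack "} ;;
        *) return 1 ;;                         # shells, scp, git push: refused
    esac
    path=${path#\'}; path=${path%\'}           # git sends the path in single quotes
    case "$path" in
        ""|/*|*..*|*[!A-Za-z0-9_./-]*) return 1 ;;   # no absolute paths, "..", or odd characters
    esac
    printf '%s/%s\n' "$REPO_ROOT" "$path"
}

# Entry point: only reached when sshd invokes the script with a forced command.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if repo=$(allowed_repo "$SSH_ORIGINAL_COMMAND"); then
        exec git-upload-pack "$repo"
    fi
    printf 'Unable to run %s\n' "$SSH_ORIGINAL_COMMAND" >&2   # same message as the slide
    exit 1
fi
```
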
  43. (13)
    Fail2ban

  44. /etc/fail2ban/jail.local
    [ssh]
    enabled = true
    port = ssh
    filter = sshd
    logpath = /var/log/auth.log
    maxretry = 6
    [ssh-ddos]
    enabled = true
    port = ssh
    filter = sshd-ddos
    logpath = /var/log/auth.log
    maxretry = 6
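
An added example, not from the deck: a small shell approximation of what the [ssh] jail above does, counting sshd authentication failures per source address over auth.log lines and reporting the addresses that reach maxretry, so the threshold can be sanity-checked against a log before the jail is enabled. The function names and the sample log lines are constructed; fail2ban's own sshd filter matches more message variants than this.

```shell
#!/bin/sh
# Added example (not from the deck): hand-rolled version of the [ssh] jail's counting.
# SAMPLE_AUTH_LOG is constructed in sshd's auth.log format, not captured from a real host.
SAMPLE_AUTH_LOG='Mar  1 10:00:01 web1 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  1 10:00:03 web1 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51235 ssh2
Mar  1 10:00:05 web1 sshd[2240]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar  1 10:00:07 web1 sshd[2244]: Failed password for root from 203.0.113.7 port 51237 ssh2
Mar  1 10:00:09 web1 sshd[2250]: Failed password for root from 203.0.113.7 port 51238 ssh2
Mar  1 10:00:11 web1 sshd[2255]: Failed password for root from 203.0.113.7 port 51239 ssh2
Mar  1 10:01:00 web1 sshd[2260]: Failed password for wil from 198.51.100.9 port 40001 ssh2
Mar  1 10:01:20 web1 sshd[2261]: Accepted publickey for wil from 198.51.100.9 port 40002 ssh2
Mar  1 10:02:00 web1 sshd[2270]: Invalid user oracle from 192.0.2.44'

# ban_candidates MAXRETRY [FILE]: print "count ip" for every source address whose
# sshd authentication failures reach MAXRETRY; reads stdin when FILE is omitted.
# Successful logins ("Accepted ...") are deliberately not counted.
ban_candidates() {
    maxretry=$1
    shift
    awk -v max="$maxretry" '
        /sshd\[[0-9]+\]: (Failed password for|Invalid user)/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= max) print fails[ip], ip }
    ' "$@" | sort -rn
}

# sample_bans MAXRETRY: run the check over the constructed log; against a real
# host the equivalent would be: ban_candidates 6 /var/log/auth.log
sample_bans() {
    printf '%s\n' "$SAMPLE_AUTH_LOG" | ban_candidates "$1"
}
```
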
