10 advanced, yet digestible SSH techniques

Transcript

1. 10 advanced, yet digestible SSH techniques Wil Moore III @wilmoore

2. Full-Stack Web Application Craftsman, TDD and Devops Advocate. http://github.com/wilmoore

3. Public/Private key refresher

4. Key Generation Style Create multiple key pairs Don't share across

   networks

5. Share Public Key Only Never share your "Private Key" Do

   share "Public Key" with trusted hosts Remote login: Provide your passphrase

6. Github <3’s SSH Keys Github OAuth2 API http://developer.github.com/v3/oauth

7. SSH Agent Set and Forget about it http://www.funtoo.org/wiki/Keychain

8. (1) Change a private- key's pass-phrase

9. Periodic Pass-Phrase Change

10. (2) {Multiple,} Single- Use Keys

11. Multiple Single-Use Keys Tedious... $HOME/.ssh/config You'll ♥ doing this:

12. (3) Remove stale known_hosts entries

13. Stale known_hosts entries No sed, awk, grep tricks needed We’ve

    all seen this fun message...

14. (4) SSH Auto-Completion

15. Hostname Completion Type a few characters...press tab https://github.com/wilmoore/ruby-version/blob/master/ruby-version.sh#L67 Completion is

    easy...see: https://github.com/wilmoore/php-version/blob/master/php-version.sh#L73 List filtered based on prefix

16. Remote Filename Completion Type a path prefix...<tab> The kestrel directory

    is expanded...<tab> Directory contents are expanded

17. bash_completion_installed? You probably already have it If not, install it

    (if you have ZSH, DONE)

18. Y-U-NO INIT COMPLETION? Use the source... Homebrew Much?

19. (5) SSHFS

20. Mount remote directory Mount Unmount Thousands of remote files ==

    PAIN

21. (6) Remote Commands

22. Remote Commands Tailing a remote log-file Edit Remote Files Vim

    Edit Remote Files

23. (7) Access Remote Resources Locally

24. Forward local port to remote Access MongoDB as if local

25. (8) Named Remote Screen Sessions

26. Access a remote screen session Create a remote screen session

    Continue session in separate term

27. 4 terminal remote pairing

28. (9) Multi-Line Remote Scripting

29. SSH + HEREDOC % ssh -t … <<ssh-session # body

    of your script goes here # more body # ... ssh-session

30. (10) Tunnel browser traffic through a SOCKS proxy

31. Hey Netflix, your country check is annoying; however, I didn’t

    watch anything so please don’t terminate my account.

32. Y-U-NO NETFLIX IN CANADA? OH come on now Netflix!! Create

    the SOCKS proxy SOME-HOST-NOT-TELLING

33. Browser Network Settings Firefox Chrome

34. All good besides silverlight fail!

35. Github SSH Key Generation Help https://help.github.com/articles/generating-ssh-keys Recover SSH key passphrase

    https://help.github.com/articles/how-do-i-recover- my-ssh-key-passphrase Resources

36. on JoindIn https://joind.in/7991 on Twitter http://twitter.com/wilmoore on Github http://github.com/wilmoore Thanks

    for your feedback

37. Thank You :)

38. Intentionally blank?? :)

39. Bonus Content because you are so awesome!!

40. (11) Google Chrome SSH Client

41. SSH Client in the browser

42. (12) ~/.ssh/authorized_keys restrictions

43. Restrict what clients can do ssh-rsa bbbbB3NzaC1yc2EAAEy0TOB0MTYhzKSaD//szJ9FFR0pY+G0M2pi/ Wcbcj55KtYzBpYPNz8uV3T2N24PU9jybUD+n5ge/nTBRVgGu6Rk/ 7Fu9jdhmwOfxGlfFme/ no-port-forwarding,no-pty

    ssh-rsa bbbbB3NzaC1yc2EAAEy0TOB0MTYhzKSaD/ szJ9FFR0pY+G0M2pi/Wcbcj55KtYzBpYPNz8uV3T2N247Fu9jdhmwOfxGlfFme/ COMMAND=”printf 'Unable to run %s\n' ${SSH_ORIGINAL_COMMAND}” ssh- rsa bbbbB3NzaC1yc2EAAEy0TOB0MTYhzKSaD/szJ9FFR0pY+G0M2pi/ git clone [email protected]:wilmoore/frontend-packagers.git

44. (13) Fail2ban

45. /etc/fail2ban/jail.local [ssh] enabled = true port = ssh filter =

    sshd logpath = /var/log/auth.log maxretry = 6 [ssh-ddos] enabled = true port = ssh filter = sshd-ddos logpath = /var/log/auth.log maxretry = 6