SSH - Secure SHell

What is SSH?

"SSH ... is a program for logging into a remote machine and for executing commands on a remote machine. It is intended to replace rlogin and rsh, and provide secure encrypted communications between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel." -- the ssh man page

For an article on understanding RSA/DSA authentication, see the series of articles by Daniel Robbins at:

The site for the Open Source version of SSH is at

port forwarding tricks

ssh-agent tricks: bash

Learned a new trick... I think I saw it in some Linux magazine a while ago. I use CVS for the MiniWiki. is similiar to SourceForge, in that you can upload your SSH public key to their system. Advantage being that you don't need to log in for every single action to CVS, when running CVS over the SSH protocol. Here's what I used to do,

wim@impetus:~/code/savannah/miniwiki$ ssh-agent bash
wim@impetus:~/code/savannah/miniwiki$ ssh-add
Enter passphrase for wim@impetus:
Identity added: /home/wim/.ssh/identity (wim@impetus)

The problem with this method, is that a new bash shell is being spawned. Because of this, the environment variables are getting reset. And, this instance of ssh-agent can only be used by that shell. Here's a better way. Add this to your ~/.bashrc:


[ -s $SSH_VARS ] && . $SSH_VARS
if [ "$SSH_AUTH_SOCK" = "" ] || [ ! -e $SSH_AUTH_SOCK ]\
   || [ ! -S  $SSH_AUTH_SOCK ] ; then
   VAR=`ssh-agent 2>/dev/null`
   eval $VAR >/dev/null
   echo $VAR >> $SSH_VARS

From now on, no matter where you log on from as that user, you can re-use that ssh-agent. Just like when you log on to X. One of the tricky parts is to not echo out any output, or SCP will fail since STDOUT gets messed up.

ssh-agent tricks: tcsh

Here's an equivalent example, from cfreeze ?, which achieves the same using tcsh instead of bash ?:


set SSH_AGENT = /usr/bin/ssh-agent
if (-e $SSH_AGENT) then

if(-e $SSH_AGENT_INFO_FILE) then
#Check for a preexisting agent
if ($?SSH_AGENT_PID == 0) then   #None set
    echo "No agent pid in enviroment"
    set TSTPID=`ps uxw | grep ssh-agent | grep -v grep | awk \{\ print\ \$2\ \}`
    #if ($TSTPID != "") then
    if ($?TSTPID == 0) then
        echo "Found existing unattached ssh-agent @ $TSTPID, killing it"
        kill -9 $TSTPID
else if ($?SSH_AGENT_PID == 1) then #Already set
    set TSTPID=`ps uxw | grep $SSH_AGENT_PID | grep -v grep | awk \{\ print\ \$2\ \}`
    if ("$TSTPID" == "") then
        echo "Removing Stale SSH-Agent PID ($SSH_AGENT_PID) from environment"
        unsetenv SSH_AGENT_PID

    #Start agent, all else failed
    if ($?SSH_AGENT_PID == 0) then
        eval `/usr/bin/ssh-agent -c`

Rsync and bandwidth shaping

SSH is a UNIX app that follows the idea of small simple tools that can be used together for a greater good. One of the lesser known features is that the old rsync command/protocol can be run over SSH. This provides authentication and encryption, plus some other goodies. What you can also do is force maximum compression, a different crypto cipher such as Blowfish instead of the default of 3DES, and bandwidth limiting. Here is an example.

BWLIMIT=23 # in kbyte/s
RSYNC_RSH="ssh -C -c blowfish -p 22"
RSYNC="rsync -avz --bwlimit=$BWLIMIT"

$RSYNC wim@remote:/path/to/something/big ~/downloads

What this does is uses SSH Keys (via the ssh-agent key tool) to automatically connect up to the remote system without asking for a password. The 'big' remote file is automatically synchronized (not just copied), using compression. To ensure that the network on the remote side (which has an upload speed of 384kbit) is still responsive, the transfer speed is dropped down just enough to allow the pipe to be concurrently used for other purposes.

Note that rsync automatically looks for the RSYNC_RSH environment variable, to locate other transfer agents. So, this is something that could added to ~/.bashrc to always be used when rsync is run. This is similiar to the RSH_CVS variable used for CVS over SSH. --Wim

See also Linux, Putty