SSH - Secure SHell

What is SSH?

"SSH ... is a program for logging into a remote machine and for executing commands on a remote machine. It is intended to replace rlogin and rsh, and provide secure encrypted communications between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel." -- the ssh man page

For an article on understanding RSA/DSA authentication, see the series of articles by Daniel Robbins at: http://www-106.ibm.com/developerworks/library/l-keyc.html

The site for the Open Source version of SSH is at http://www.openssh.com/.


port forwarding tricks


ssh-agent tricks: bash

Learned a new trick... I think I saw it in some Linux magazine a while ago. I use CVS for the MiniWiki. Savannah.gnu.org is similar to SourceForge, in that you can upload your SSH public key to their system. The advantage is that you don't need to log in for every single action to CVS, when running CVS over the SSH protocol. Here's what I used to do:

wim@impetus:~/code/savannah/miniwiki$ ssh-agent bash
wim@impetus:~/code/savannah/miniwiki$ ssh-add
Enter passphrase for wim@impetus:
Identity added: /home/wim/.ssh/identity (wim@impetus)
wim@impetus:~/code/savannah/miniwiki$

The problem with this method is that a new bash shell is spawned, so the environment variables are reset, and this instance of ssh-agent can only be used by that shell. Here's a better way. Add this to your ~/.bashrc:

SSH_VARS=$HOME/.ssh/vars.sh

# Load the saved agent environment silently: ssh-agent's output ends with an
# "echo Agent pid NNN;" line, and anything printed from here breaks scp/sftp.
[ -s "$SSH_VARS" ] && . "$SSH_VARS" >/dev/null
# Start a new agent only if no usable socket is known. Overwrite the file
# instead of appending, so stale entries from earlier logins don't pile up.
if [ -z "$SSH_AUTH_SOCK" ] || [ ! -S "$SSH_AUTH_SOCK" ] ; then
   VAR=$(ssh-agent -s 2>/dev/null)
   eval "$VAR" >/dev/null
   echo "$VAR" > "$SSH_VARS"
fi

From now on, no matter where you log on from as that user, you can re-use that ssh-agent, just like when you log on to X. One of the tricky parts is to not echo any output from the startup files, or scp will fail because its stdout stream gets corrupted.
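The same idea in POSIX sh, as an added example (not the page's or Wim's code): it tests the saved socket with the exit status of ssh-add before trusting it, and writes only the variable assignments to the env file so that sourcing it never prints anything. It assumes OpenSSH's ssh-agent and ssh-add; the file name ~/.ssh/agent.env and the sample agent output are assumptions made here.

```sh
#!/bin/sh
# Added example, not from the original page. Assumes OpenSSH's ssh-agent and
# ssh-add; AGENT_ENV is an assumed file name, not the page's vars.sh.

AGENT_ENV="${HOME}/.ssh/agent.env"

# Drop the trailing "echo Agent pid NNN;" line that `ssh-agent -s` prints, so
# that sourcing the saved file later writes nothing to stdout.  Stray stdout
# output during login is what breaks scp, sftp and rsync-over-ssh.
filter_agent_output() {
    printf '%s\n' "$1" | grep -v '^echo '
}

# Extract the agent PID from the saved assignments (handy for killing a stale
# agent or checking it is still the process we started).
agent_pid_from_env() {
    printf '%s\n' "$1" | sed -n 's/^SSH_AGENT_PID=\([0-9]*\);.*/\1/p'
}

# ssh-add -l exits 0 (keys loaded) or 1 (no keys) when the agent answers,
# and 2 when it cannot reach the socket at all.
agent_reachable() {
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    [ "$rc" -ne 2 ]
}

# Source a previously saved agent environment (silently), test it, and start a
# fresh agent only if nothing usable is there.  The env file is written under
# umask 077 so it stays private like the rest of ~/.ssh.
ensure_ssh_agent() {
    [ -s "$AGENT_ENV" ] && . "$AGENT_ENV" >/dev/null 2>&1
    if [ -n "$SSH_AUTH_SOCK" ] && [ -S "$SSH_AUTH_SOCK" ] && agent_reachable; then
        return 0
    fi
    raw=$(ssh-agent -s) || return 1
    ( umask 077; filter_agent_output "$raw" > "$AGENT_ENV" )
    . "$AGENT_ENV"
}

# Constructed sample of `ssh-agent -s` output (the path and PIDs are made up):
SAMPLE_AGENT_OUTPUT='SSH_AUTH_SOCK=/tmp/ssh-XXXX/agent.1234; export SSH_AUTH_SOCK;
SSH_AGENT_PID=1235; export SSH_AGENT_PID;
echo Agent pid 1235;'

# `sh this_file.sh demo` shows the filtered output; from ~/.bashrc you would
# source the file and call ensure_ssh_agent instead.
if [ "${1:-}" = "demo" ]; then
    filter_agent_output "$SAMPLE_AGENT_OUTPUT"
    agent_pid_from_env "$SAMPLE_AGENT_OUTPUT"
fi
```

Checking the socket with ssh-add rather than only with `-S` matters because the socket file can outlive the agent process (after a reboot with /tmp preserved, or after the agent was killed), in which case the page's original test would keep pointing every new shell at a dead agent.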

ssh-agent tricks: tcsh

Here's an equivalent example, from cfreeze, which achieves the same using tcsh instead of bash:

#!/bin/tcsh

set SSH_AGENT = /usr/bin/ssh-agent
set SSH_AGENT_INFO_FILE = $HOME/.ssh-agent.$HOSTNAME
if (-e $SSH_AGENT) then
    # Reload the socket and PID saved by an earlier login, if any
    if (-e $SSH_AGENT_INFO_FILE) then
        source $SSH_AGENT_INFO_FILE
    endif
    # Check for a preexisting agent
    if ($?SSH_AGENT_PID == 0) then   # None set
        echo "No agent pid in environment"
        # An agent running without a recorded PID is unreachable: kill it.
        # The '[s]sh-agent' pattern keeps grep from matching itself.
        set TSTPID = `ps uxw | grep '[s]sh-agent' | awk '{ print $2 }'`
        if ("$TSTPID" != "") then
            echo "Found existing unattached ssh-agent @ $TSTPID, killing it"
            kill -9 $TSTPID
        endif
    else if ($?SSH_AGENT_PID == 1) then   # Already set
        # Make sure the recorded PID still belongs to an ssh-agent process
        set TSTPID = `ps uxw | grep '[s]sh-agent' | grep -w $SSH_AGENT_PID | awk '{ print $2 }'`
        if ("$TSTPID" == "") then
            echo "Removing stale ssh-agent PID ($SSH_AGENT_PID) from environment"
            unsetenv SSH_AGENT_PID
        endif
    endif

    # Start an agent, all else failed
    if ($?SSH_AGENT_PID == 0) then
        eval `/usr/bin/ssh-agent -c`
        echo "setenv SSH_AUTH_SOCK $SSH_AUTH_SOCK" > $SSH_AGENT_INFO_FILE
        echo "setenv SSH_AGENT_PID $SSH_AGENT_PID" >> $SSH_AGENT_INFO_FILE
    endif
endif


Rsync and bandwidth shaping

SSH is a UNIX app that follows the idea of small, simple tools that can be combined for a greater good. One of the lesser-known features is that the old rsync command/protocol can be run over SSH, which provides authentication and encryption, plus some other goodies. You can also turn on compression, pick a different cipher such as Blowfish instead of the default 3DES, and limit bandwidth. (Blowfish and 3DES are legacy ciphers; current OpenSSH releases no longer offer Blowfish at all, so check `ssh -Q cipher` before hard-coding one.) Here is an example.

BWLIMIT=23 # in kbyte/s
# rsync only sees RSYNC_RSH if it is exported into the environment
export RSYNC_RSH="ssh -C -c blowfish -p 22"
RSYNC="rsync -avz --bwlimit=$BWLIMIT"

$RSYNC wim@remote:/path/to/something/big ~/downloads

This uses SSH keys (held by ssh-agent) to connect to the remote system without prompting for a password. The remote file 'big' is synchronized (not just copied), with compression. To keep the network on the remote side (which has an upload speed of 384 kbit/s) responsive, the transfer speed is throttled just enough that the pipe can be used concurrently for other purposes.

Note that rsync reads the RSYNC_RSH environment variable to find the remote shell to use, so this could be added to ~/.bashrc (and exported) to be used whenever rsync is run. This is similar to the CVS_RSH variable used for CVS over SSH. --Wim
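A small wrapper around the page's rsync-over-SSH recipe, as an added example (not Wim's code): it asks the local client which ciphers it supports before putting one on the command line, falls back to ssh's default when none of the preferred ones is available, and derives `--bwlimit` from the uplink budget. It assumes an OpenSSH client (`ssh -Q cipher`) and rsync's `-e`/`--bwlimit` options; the cipher wish list and the 48 % share are choices made here.

```sh
#!/bin/sh
# Added example, not from the original page. Assumes OpenSSH's `ssh -Q cipher`
# (lists the ciphers this client supports) and rsync's -e and --bwlimit options.

# Pick the first cipher from the wish list that the client actually offers.
# $1: space-separated wish list, $2: space-separated supported ciphers
# (normally the output of `ssh -Q cipher`).  Prints the chosen cipher, or
# nothing and exit 1 if none match, so the caller falls back to ssh's default.
pick_cipher() {
    wanted=$1
    supported=$2
    for c in $wanted; do
        for s in $supported; do
            [ "$c" = "$s" ] && { printf '%s\n' "$c"; return 0; }
        done
    done
    return 1
}

# Build the rsync transport command.  Compression (-C) and an explicit port are
# kept from the page's example; a cipher is added only when it is available,
# which is what keeps an old "blowfish" setting from breaking on a new client.
build_rsh() {
    cipher=$(pick_cipher "$1" "$2") || true
    if [ -n "$cipher" ]; then
        printf 'ssh -C -p 22 -c %s\n' "$cipher"
    else
        printf 'ssh -C -p 22\n'
    fi
}

# Turn an uplink budget into rsync's --bwlimit value (kbyte/s).
# $1: uplink in kbit/s, $2: share of it to use, in percent.
# The page's numbers: a 384 kbit/s uplink throttled to 23 kbyte/s is ~48 %.
bwlimit_for_uplink() {
    echo $(( $1 * $2 / 100 / 8 ))
}

# Synchronize $1 (remote path, e.g. user@host:/path) into $2 (local dir).
# Add --dry-run to the rsync line to preview what would change first.
sync_from_remote() {
    available=$(ssh -Q cipher 2>/dev/null | tr '\n' ' ')
    rsh=$(build_rsh "chacha20-poly1305@openssh.com aes128-ctr blowfish-cbc" "$available")
    rsync -avz --bwlimit="$(bwlimit_for_uplink 384 48)" -e "$rsh" "$1" "$2"
}
```

Passing the transport with `-e` instead of exporting RSYNC_RSH keeps the cipher choice local to this one transfer, so an agent-wide environment variable doesn't silently apply to every other rsync run from the same shell.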


See also Linux, Putty