SSH Tips and Tricks
Stephen Warren and Sean Reifschneider
I like SSH
Reiterating much of what Stephen is talking about
Disable SSH password authentication
AllowUsers jafo root
Can also use "AllowGroups sshusers" or similar.
That way adding a user account doesn't convey SSH access.
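As an added example (not part of the slides), a small POSIX shell audit that reads an sshd_config and checks the two settings just described: password authentication switched off and logins limited to an explicit AllowUsers or AllowGroups list. The two sample configuration files it writes are constructed for the demonstration (the user name jafo is taken from the slide); the file paths are assumptions.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the two hardening settings above.
# sshd uses the first value it reads for a keyword, and directives inside a
# "Match" block only apply conditionally, so the lookup stops at the first
# Match line and returns the first global occurrence of the keyword.

sshd_get() {  # usage: sshd_get <config-file> <keyword>   (prints the value)
    awk -v key="$2" '
        tolower($1) == "match" { exit }            # conditional section: stop
        tolower($1) == tolower(key) {
            $1 = ""; sub(/^[[:space:]]+/, ""); print; exit
        }
    ' "$1"
}

# Exit 0 when PasswordAuthentication is "no" and an AllowUsers/AllowGroups
# list exists; otherwise print one FINDING line per problem and exit 1.
audit_sshd_config() {  # usage: audit_sshd_config <config-file>
    cfg=$1; rc=0
    pw=$(sshd_get "$cfg" PasswordAuthentication)
    # when the directive is absent (or only present commented out) sshd
    # defaults to "yes", so treat "absent" as a finding too
    if [ "${pw:-yes}" != "no" ]; then
        echo "FINDING: PasswordAuthentication is '${pw:-yes (default)}', expected 'no'"
        rc=1
    fi
    if [ -z "$(sshd_get "$cfg" AllowUsers)" ] && [ -z "$(sshd_get "$cfg" AllowGroups)" ]; then
        echo "FINDING: no AllowUsers/AllowGroups list; every local account can log in over SSH"
        rc=1
    fi
    return $rc
}

# Constructed sample files (assumed paths): one distribution-style default
# config and one hardened as the slide recommends.
SAMPLE_DIR=$(mktemp -d)
WEAK_CFG=$SAMPLE_DIR/weak_sshd_config
HARD_CFG=$SAMPLE_DIR/hardened_sshd_config
write_samples() {
    cat > "$WEAK_CFG" <<'EOF'
# constructed: defaults, nothing hardened; the Match block does not change
# the global setting for everybody else
Port 22
#PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
Match User deploy
    PasswordAuthentication no
EOF
    cat > "$HARD_CFG" <<'EOF'
# constructed: hardened as on the slide
Port 22
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers jafo root
EOF
}

write_samples
echo "== weak config =="; audit_sshd_config "$WEAK_CFG" || echo "(fails audit, as expected)"
echo "== hardened config =="; audit_sshd_config "$HARD_CFG" && echo "ok"
```

On a live host the same checks can be made against the running daemon's effective configuration with `sshd -T` (run as root), which prints every keyword after defaults have been applied; the file-based version above is for reviewing a config before it is deployed.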
Authorized_keys and public key auth
Makes having different passwords on every machine easy
Do not put identities on insecure machines
Create ssh identities with ssh-keygen
ssh-agent can mean not having to type passwords all the time
"ssh-add -D" to drop all loaded identities from the agent, say when the screen saver kicks in
On remote systems append your ~/.ssh/id_*.pub to ~/.ssh/authorized_keys
Make sure your id_*.pub remains one line
authorized_keys can include restrictions (see below)
Agent forwarding can allow users on remote systems to connect elsewhere.
Agent forwarding can allow you to copy to/access other systems
Not typing passwords into possibly compromised remote systems is good
Limit agent forwarding to only when you need to use it
Prefix the key in ~/.ssh/authorized_keys with things like:
command="rsync --server /directory"
environment="INPUTRC=~/.inputrc-vi" (Requires PermitUserEnvironment)
So, the authorized_keys line looks like:
no-port-forwarding,command="id" ssh-rsa AAAAB3Nz[...]
Automated SSH connections
SSH identities without passwords
Can be used by scripts, for example backup scripts
Create identity with: ssh-keygen -t rsa -N '' -f backup-identity
Generates "backup-identity.pub" and "backup-identity".
Use "backup-identity.pub" in .ssh/authorized_keys as below.
Use "ssh -i backup-identity user@host" to make the connection.
Useful for things like:
Limited, cron-based, SVN access
Pushing e-mail to a client when it connects
Loading data onto remote machines
Limit as in previous slide
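As an added example covering both the authorized_keys restrictions shown earlier and the passphrase-less backup identity on this slide (this is not code from the slides): a shell script that builds a fully restricted authorized_keys line for such a key, and a small audit that lists the keys in an existing authorized_keys file that carry no options at all. The public keys and comments in the sample data are constructed and are not real keys; the `from=` network 10.9.8.0/24 and the file paths are assumptions.

```shell
#!/bin/sh
# Added example: restrict an automated identity and audit authorized_keys.

# Build the authorized_keys entry: every forwarding option off, no pty,
# optional from= source restriction, and the forced command. As on the
# slide, a forced command is only as safe as the command itself.
restrict_key() {  # usage: restrict_key <pubkey-file> <forced-command> [<from-pattern>]
    pub=$1; cmd=$2; from=${3:-}
    opts="no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty"
    [ -n "$from" ] && opts="from=\"$from\",$opts"
    # a .pub file must remain a single line (see the public-key slide)
    if [ "$(wc -l < "$pub" | tr -d ' ')" -gt 1 ]; then
        echo "error: $pub is not a single line" >&2; return 1
    fi
    key=$(head -n 1 "$pub")
    printf '%s,command="%s" %s\n' "$opts" "$cmd" "$key"
}

# Print the comment of every entry that has no options field: such a line
# starts directly with a key type. Entries with options start with the
# options string instead, so they are skipped. Comments/blank lines ignored.
# Goes beyond the slide in recognising all key types OpenSSH writes here.
audit_unrestricted() {  # usage: audit_unrestricted <authorized_keys-file>
    awk '
        /^[[:space:]]*(#|$)/ { next }
        $1 ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)$/ {
            print ($3 == "" ? "<no comment>" : $3)
        }
    ' "$1"
}

# Create the identity as the slide does; -N '' means "no passphrase".
# Skipped when ssh-keygen is not installed.
make_backup_identity() {  # usage: make_backup_identity <path-without-extension>
    command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not available, skipping" >&2; return 1; }
    [ -f "$1" ] || ssh-keygen -q -t rsa -N '' -f "$1"
}

# Constructed sample data (assumed paths); the base64 blobs are NOT real keys.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_PUB=$SAMPLE_DIR/backup-identity.pub
SAMPLE_AK=$SAMPLE_DIR/authorized_keys
write_key_samples() {
    printf 'ssh-rsa AAAAB3NzaC1yc2EExample3 backup@cron\n' > "$SAMPLE_PUB"
    cat > "$SAMPLE_AK" <<'EOF'
# constructed authorized_keys: two unrestricted keys and one restricted one
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5Example1 alice@laptop
no-port-forwarding,command="id" ssh-rsa AAAAB3NzaC1yc2EExample2 restricted-test
ssh-rsa AAAAB3NzaC1yc2EExample3 backup@cron
EOF
}

write_key_samples
if make_backup_identity "$SAMPLE_DIR/backup-identity"; then
    echo "restricted line for the freshly generated key:"
    restrict_key "$SAMPLE_DIR/backup-identity.pub" "rsync --server /directory" "10.9.8.0/24"
fi
echo "restricted line for the constructed key:"
restrict_key "$SAMPLE_PUB" "rsync --server /directory" "10.9.8.0/24"
echo "keys with no restrictions in the sample authorized_keys:"
audit_unrestricted "$SAMPLE_AK"
```

The audit is the check to run periodically on hosts that accept automated logins: an unrestricted key belonging to a cron job or backup script gives whoever obtains the private key an interactive shell, whereas the restricted line limits it to the one command.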
SSH config files
Per-host settings: do special things depending on which system you connect to
For example, use a different port
Can have multiple matches
Last match overrides settings from earlier matches
SSH Config Example
Host hostname hostname.example.com 10.9.8.7
SendEnv requires "AcceptEnv" in remote host sshd_config.
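As an added example (not part of the slides), a constructed ~/.ssh/config with several Host blocks, extending the Host line on the slide with a non-default Port, a SendEnv for the INPUTRC variable mentioned on the agent-forwarding slide, and a catch-all block, plus a small shell resolver that shows how ssh(1) picks a value: it walks the file top to bottom, applies every Host block whose pattern list matches, and keeps the first value obtained for each option, as documented in ssh_config(5). The specific block therefore has to be placed before the catch-all. The host names, ports, user and identity file are assumptions for illustration.

```shell
#!/bin/sh
# Added example: ssh_config precedence made visible with a small resolver.

write_ssh_config() {  # usage: write_ssh_config <path>   (constructed sample)
    cat > "$1" <<'EOF'
# most specific blocks first: ssh keeps the first value it obtains
Host hostname hostname.example.com 10.9.8.7
    HostName 10.9.8.7
    Port 2222
    User jafo
    SendEnv INPUTRC

Host backup-target
    HostName backup.example.com
    IdentityFile ~/.ssh/backup-identity
    IdentitiesOnly yes

Host jump.example.com
    # agent forwarding only where it is actually needed
    ForwardAgent yes

Host *
    ForwardAgent no
    Port 22
    ServerAliveInterval 60
EOF
}

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Does <name> match a Host pattern list? Patterns are shell-style globs
# (* and ?); a pattern starting with "!" excludes the host from the block.
host_matches() {  # usage: host_matches <name> <pattern>...
    name=$1; shift; matched=1
    for pat in "$@"; do
        case $pat in
            !*) case $name in ${pat#!}) return 1 ;; esac ;;
            *)  case $name in $pat) matched=0 ;; esac ;;
        esac
    done
    return $matched
}

# Effective value of <option> for <name>; exit 1 when no block sets it
# (ssh would then use its built-in default). Match blocks and the
# "Keyword=value" spelling are not handled in this illustration.
resolve_option() {  # usage: resolve_option <config-file> <name> <option>
    cfg=$1; name=$2; want=$(lower "$3")
    (   # subshell keeps "set -f" (no glob expansion of patterns) local
        set -f
        active=0
        while IFS= read -r line || [ -n "$line" ]; do
            set -- ${line%%#*}          # drop comment, split into words
            [ $# -eq 0 ] && continue
            key=$(lower "$1"); shift
            if [ "$key" = host ]; then
                if host_matches "$name" "$@"; then active=1; else active=0; fi
            elif [ $active -eq 1 ] && [ "$key" = "$want" ]; then
                printf '%s\n' "$*"; exit 0   # first value obtained wins
            fi
        done < "$cfg"
        exit 1
    )
}

CFG=$(mktemp)
write_ssh_config "$CFG"
for h in hostname jump.example.com backup-target; do
    printf '%-18s Port=%s ForwardAgent=%s\n' "$h" \
        "$(resolve_option "$CFG" "$h" Port)" "$(resolve_option "$CFG" "$h" ForwardAgent)"
done
```

On a system with OpenSSH, `ssh -G hostname` prints the configuration ssh itself would use for that host after applying every matching block; the resolver here only makes the precedence rule visible without needing the client installed. The SendEnv line still needs a matching AcceptEnv on the server, as the slide notes.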