SSH Little Tricks

This article collects our best practices for using SSH more effectively. From it you will learn how to:

  • Add a second factor to SSH logins
  • Use agent forwarding safely
  • Get out of a hung SSH session
  • Keep a persistent terminal open
  • Share a remote terminal session with a friend (without Zoom!)

Adding a second factor to your SSH


The second authentication factor can be added to your SSH connections in five different ways:

  1. Upgrade OpenSSH and use a security key. In February 2020, support for FIDO U2F (Universal Second Factor) security keys was added to OpenSSH. This is a great new feature, but there is a nuance: the February release introduced new key types, so only clients and servers upgraded to OpenSSH 8.2 or later can use them. You can check the client version with ssh -V, and the server version by reading the banner it sends on connect: nc [servername] 22

    Two new key types were added in that release, ecdsa-sk and ed25519-sk (together with the corresponding certificate types). To generate a key, plug in your security key and run:

    $ ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk

    The file written to disk is only a handle for the key held on the U2F token; the secret itself never leaves the hardware. To authenticate, the token must be plugged into the client and touched, so a stolen handle file is useless to anyone who does not also hold the token.

    That touch requirement is what makes this a real second factor: something you have (the token) on top of the key handle on disk.

    By default the handle lives in ~/.ssh on the client. OpenSSH -sk keys can also be created as resident keys, which are stored on the U2F token itself so you can carry them between machines. To create one:

    $ ssh-keygen -t ecdsa-sk -O resident -f ~/.ssh/id_ecdsa_sk

    On another machine, plug in the token and load its resident keys into the agent with:

    $ ssh-add -K

    One caveat: on older macOS releases, Apple's bundled OpenSSH used ssh-add -K to mean "store the passphrase in the Keychain", so check man ssh-add on your system before relying on the flag.
  2. PIV + PKCS#11 on a YubiKey. This works with servers whose sshd predates U2F support, because the server sees an ordinary RSA or ECDSA key: the private key lives in the YubiKey's PIV applet and is used through a PKCS#11 module (ssh -I or ssh-add -s). Yubico documents the setup for SSH over PIV/PKCS#11. Compared with FIDO U2F it takes more configuration, but it needs no changes on the server side.
  3. yubikey-agent. A dedicated ssh-agent for YubiKeys: the key stays on the token and every signature requires a touch.
  4. Touch ID with sekey. Sekey is an SSH agent for the Mac that keeps the key in the Secure Enclave and requires Touch ID for each use.
  5. Single sign-on for SSH. With SSH certificates issued through your single sign-on provider, SSH logins inherit that provider's multi-factor authentication (MFA).
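The -sk key types only work when both ends run OpenSSH 8.2 or newer, so before generating one it is worth checking both sides. The following is an added example, not code from the original article: a small POSIX sh helper that extracts the OpenSSH version from the strings ssh -V prints and the banner the server sends, and decides whether they are new enough. The sample version strings in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): decide whether an OpenSSH
# client or server is new enough (8.2 or later) for FIDO/U2F -sk keys,
# based on its version string.

# Extract "major.minor" from an OpenSSH version string such as
#   "OpenSSH_8.2p1 Ubuntu-4ubuntu0.5, OpenSSL 1.1.1f  31 Mar 2020"  (ssh -V)
#   "SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2"                       (server banner)
# Prints nothing if the string does not look like an OpenSSH version.
openssh_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p'
}

# Return 0 when the version supports -sk keys (>= 8.2), 1 when it is too
# old, and 2 when the string is not an OpenSSH banner at all (for example
# a Dropbear server, which has no -sk support either way).
sk_supported() {
    v=$(openssh_version "$1")
    [ -n "$v" ] || return 2
    major=${v%%.*}
    minor=${v#*.}
    if [ "$major" -gt 8 ] || { [ "$major" -eq 8 ] && [ "$minor" -ge 2 ]; }; then
        return 0
    fi
    return 1
}

# Live use (needs a real client and network, so not exercised here):
#   sk_supported "$(ssh -V 2>&1)"          # ssh -V prints to stderr
#   nc [servername] 22                     # copy the SSH-2.0-... banner line,
#   sk_supported "SSH-2.0-OpenSSH_..."     # then press Ctrl-C and check it
```

Only when both checks pass does it make sense to run the ssh-keygen -t ecdsa-sk command above; an older server will simply reject the key type at login.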

Using agent forwarding safely


SSH agent forwarding lets a remote host use the SSH agent running on your local machine. When you connect with agent forwarding enabled (usually ssh -A), the connection carries two channels: your interactive session and an agent-forwarding channel through which the Unix socket of your local agent is made available on the remote host. This is risky: anyone with root on the remote host can talk to your local agent and sign with your keys, impersonating you to every other host that trusts them. With the standard agent from the OpenSSH suite you would not even notice that it happened. A U2F key (or Sekey) effectively blocks such use, because every signature requires a physical touch. If you must forward a plain software key, load it with ssh-add -c so the agent asks for confirmation before each use.

Even with this precaution, use agent forwarding as little as possible: don't enable it in every session, only when you are sure the current session needs it. For hopping through a bastion, ProxyJump (ssh -J bastion target) gets you to the target without exposing your agent to the bastion at all.
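As an added example (not from the original article), here is a client-side ~/.ssh/config that keeps agent forwarding off by default, reaches hosts behind a bastion with ProxyJump instead, and turns forwarding back on for a single named host, together with a small audit function that reports every Host block where ForwardAgent yes applies. The host names bastion, app1 and build and their addresses are invented for the example.

```shell
#!/bin/sh
# Added example, not from the original article. Host names and addresses
# are made up.

# Write a sample client config (constructed for this example) to the path
# given as $1. The "Host *" block turns agent forwarding off everywhere;
# hosts behind the bastion are reached with ProxyJump, which never exposes
# the agent to the bastion; only "build" opts back in.
write_sample_config() {
    cat > "$1" <<'EOF'
Host *
    ForwardAgent no
    AddKeysToAgent yes

Host bastion
    HostName bastion.example.internal
    User ops

Host app1
    HostName 10.0.1.10
    ProxyJump bastion

Host build
    HostName 10.0.1.20
    ProxyJump bastion
    ForwardAgent yes
EOF
}

# Print the pattern of each Host/Match block in the config file $1 that
# contains "ForwardAgent yes". A directive that appears before any Host
# line applies to every host and is reported as "(global)".
audit_forward_agent() {
    awk '
        /^[ \t]*#/ { next }                               # skip comments
        tolower($1) == "host" || tolower($1) == "match" {
            block = $0
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", block)        # keep the pattern only
            next
        }
        tolower($1) == "forwardagent" && tolower($2) == "yes" {
            print (block == "" ? "(global)" : block)
        }
    ' "$1"
}

# Audit the sample config; with the config above this prints "build".
audit_sample() {
    tmp=$(mktemp)
    write_sample_config "$tmp"
    audit_forward_agent "$tmp"
    rm -f "$tmp"
}
```

To confirm what ssh itself resolves for a host, ssh -G build | grep -i forwardagent prints the effective setting without connecting; the audit above is useful for scanning a whole config (or a fleet of users' configs) for a global ForwardAgent yes that should not be there.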

Exiting a Hanging Session


A network interruption, a misbehaving program, or an escape sequence that locks keyboard input can all leave an SSH session hanging.

There are several ways to end a hung session:

  1. Exit automatically when the network drops. Add the following to your ~/.ssh/config:

    ServerAliveInterval 5
    ServerAliveCountMax 1

    ssh sends a keepalive request to the remote host every ServerAliveInterval seconds to verify the connection. If ServerAliveCountMax consecutive requests go unanswered, ssh treats the connection as dead, closes it, and exits the session.
  2. Use the ssh escape sequence. ssh treats ~ (tilde) as an escape character when it is the first character on a line. ~. terminates the connection immediately (~? lists all the supported escape sequences). Because the tilde is recognized only at the start of a line, press Enter first, then ~, then . to get out of a stuck session.

Why does a session hang after a network change? With IPv4 on WiFi, moving to another network usually gives your laptop a new IP address. SSH runs over TCP, and a TCP connection is identified by its source and destination addresses and ports, so once your address changes the packets no longer belong to the old connection and the SSH session is stuck until a timeout ends it. Nothing in TCP lets a connection follow you to a new address. IPv6 uses different addresses but changes nothing here: a new network still means a new address and a dead connection.

Keeping a persistent terminal open


There are two different approaches to keeping a session alive when switching between networks or when you want to disconnect for a short time.

1. Use Mosh or Eternal Terminal

If you really need a connection that does not drop even when you switch between networks, use Mosh (the mobile shell). It starts with a normal SSH handshake and then switches to its own encrypted channel for the rest of the session. That channel is a separate, very stable and secure link that survives Internet interruptions, a change of your laptop's IP address, long network outages and much more, thanks to UDP and Mosh's state-synchronization protocol.

To use Mosh, install it on both the client and the server and allow incoming UDP traffic on ports 60000-61000 to the remote host. After that, connecting is just mosh user@server.

Mosh operates at the level of screens and keystrokes, which gives it a number of advantages over forwarding the binary stream of standard input and output between the client and the SSH server. If we need to synchronize only screens and keystrokes, then later to restore an interrupted connection becomes much easier. While SSH will buffer and send everything that happened, Mosh only needs to buffer the keystrokes and synchronize the last frame of the terminal window with the client.

2. Use tmux

If you want to come and go as you please while keeping a terminal session alive on the remote host, use the terminal multiplexer tmux. I love tmux and use it constantly. If your SSH connection drops, just reconnect and run tmux attach to get back into your tmux session. It also has such wonderful features as tabs and panes inside the terminal, similar to the tabs in the iOS terminal, and the ability to share terminals with others.

Some people like to embellish their tmux with Byobu, a package that greatly improves the usability of tmux and adds a lot of keyboard shortcuts to it. Byobu ships with Ubuntu and is easy to install on a Mac via Homebrew.

Sharing a remote terminal session with a friend


Sometimes, while debugging a complex problem on your servers, you may want to share an SSH session with someone who is not in the same room as you. tmux is perfect for this; it takes only a few steps:

  1. Make sure tmux is installed on your bastion host, or on whatever server you are going to work on.
  2. Both of you connect to that machine via SSH using the same account.
  3. One of you runs tmux to start a session.
  4. The other runs tmux attach.
  5. Voila! You now share a terminal.
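The procedure above as a small script, added here as an example rather than taken from the original article. It wraps steps 3 and 4 in functions, makes the host side idempotent, and adds the one option a practitioner usually wants when sharing a session for debugging: a read-only guest. The session name pair is an assumption.

```shell
#!/bin/sh
# Added example, not from the original article: sharing a tmux session
# between two SSH logins on the same account. Session name is an assumption.

# tmux uses '.' and ':' in its target syntax ("session:window.pane") and
# refuses them in session names, so validate before creating one.
valid_session_name() {
    case "$1" in
        ''|*.*|*:*) return 1 ;;
        *) return 0 ;;
    esac
}

# Host side (step 3): create the named session if it is not already
# running, then attach to it. Re-running after a dropped connection just
# re-attaches instead of starting a second session.
start_shared() {
    valid_session_name "$1" || { echo "invalid tmux session name: $1" >&2; return 1; }
    tmux has-session -t "$1" 2>/dev/null || tmux new-session -d -s "$1"
    tmux attach-session -t "$1"
}

# Guest side (step 4): attach to the same session from a second SSH login
# under the same account. Pass "ro" as the second argument to only watch:
# attach-session -r makes this client read-only, so the guest can observe
# the debugging without being able to type into the shared shell.
join_shared() {
    if [ "${2:-}" = "ro" ]; then
        tmux attach-session -r -t "$1"
    else
        tmux attach-session -t "$1"
    fi
}

# Both logins see the same server because its socket lives in
# /tmp/tmux-<uid>/ (mode 0700) for the shared account. A different Unix
# account cannot reach that socket, which is why step 2 says "one account".

case "${1:-}" in
    start) start_shared "${2:-pair}" ;;
    join)  join_shared "${2:-pair}" "${3:-}" ;;
esac
```

Usage: the host runs sh share.sh start pair and the guest runs sh share.sh join pair (or sh share.sh join pair ro to watch only). To share across two different accounts you would point both sides at an explicit socket with tmux -S /path and adjust its permissions, or use tmate as described below.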

If you want more sophisticated multi-user tmux sessions, try tmate, a fork of tmux that greatly simplifies shared terminal sessions.
