Interesting SSH tricks and tips

Some tips on using SSH efficiently. Let's talk about how to:

  • use two-factor authentication for SSH connections;
  • tell when it is safe to use "key forwarding" (agent forwarding);
  • exit a hung SSH session;
  • leave a terminal open when you exit or disconnect;
  • share a remote terminal with a friend (without Zoom!).


SSH multi-factor authentication


There are five ways to add a second factor for authentication in SSH:

  1. Built into OpenSSH.

    In 2020 OpenSSH gained native support for FIDO U2F (Universal Second Factor) hardware keys.

    Both the client and the server need OpenSSH 8.2 or newer. Check the client with ssh -V and the server with nc [servername] 22, which prints the server's version banner.

    The new key types are ecdsa-sk and ed25519-sk (sk stands for security key). Generate one with $ ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk and touch the U2F key when prompted. From then on, every use of the key requires the U2F key to be plugged in and touched.

    There is a second option: resident keys. OpenSSH can store the -sk key handle on the U2F device itself, so the key file does not have to be copied to every machine you work from. Generate it with $ ssh-keygen -t ecdsa-sk -O resident -f ~/.ssh/id_ecdsa_sk and later load it into the agent straight from the device with $ ssh-add -K.
  2. PIV+PKCS11 with a Yubikey. The private key lives on the Yubikey and SSH uses it through a PKCS#11 module; see the article "Yubikey U2F+SSH with PIV/PKCS11". This is a different mechanism from FIDO U2F.
  3. The yubikey-agent ssh-agent. Filippo Valsorda's SSH agent for Yubikeys.
  4. Touch ID with sekey. Sekey is an SSH agent that keeps keys in the macOS Secure Enclave and authenticates each use with Touch ID.
  5. Single Sign-On (SSO) for SSH, where the second factor is enforced by the SSO provider rather than by the SSH key itself.
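A small check for the OpenSSH version requirement from item 1, written for this page as an added example (not the article's own code). The sample version strings are constructed; check_live assumes an nc that accepts -w as a timeout.

```shell
#!/bin/sh
# Added example (not from the original article): check whether an OpenSSH
# version string is new enough (8.2 or later) for the FIDO U2F -sk key types.
# The parsing works on the output of "ssh -V" (client) and on the banner a
# server sends on port 22 (what "nc [servername] 22" shows).

# Constructed sample strings for the demo (not captured from a real host).
CLIENT_SAMPLE='OpenSSH_8.9p1 Ubuntu-3ubuntu0.6, OpenSSL 3.0.2 15 Mar 2022'
SERVER_SAMPLE='SSH-2.0-OpenSSH_7.4'

# Print "major.minor" from a string containing OpenSSH_X.Y; print nothing otherwise.
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p'
}

# Return 0 when the version supports ecdsa-sk/ed25519-sk keys (>= 8.2),
# 1 for older OpenSSH or for anything that is not OpenSSH at all.
supports_sk_keys() {
    v=$(openssh_version "$1")
    [ -n "$v" ] || return 1
    major=${v%%.*}
    minor=${v#*.}
    [ "$major" -gt 8 ] || { [ "$major" -eq 8 ] && [ "$minor" -ge 2 ]; }
}

report() {
    if supports_sk_keys "$2"; then
        echo "$1: OpenSSH $(openssh_version "$2") - FIDO -sk keys supported"
    else
        echo "$1: '$2' - upgrade to OpenSSH 8.2+ before using -sk keys"
    fi
}

# Live check: "ssh -V" prints to stderr; nc reads the server's banner line.
# Assumes a BSD/GNU nc that takes -w as a timeout in seconds.
check_live() {
    report "client" "$(ssh -V 2>&1)"
    report "server $1" "$(nc -w 3 "$1" 22 < /dev/null | head -n 1)"
}

report "client (sample)" "$CLIENT_SAMPLE"
report "server (sample)" "$SERVER_SAMPLE"
# Uncomment to test a real host:  check_live your.server.example
```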


Key forwarding (agent forwarding)


Key forwarding in SSH gives the remote host access to your local SSH agent. When your SSH client uses key forwarding (usually enabled with the ssh -A option), the connection carries two channels: your interactive session and the agent forwarding channel. An agent socket (IPC) appears on the remote host and is relayed through this channel to your local SSH agent. This is dangerous because a user with root privileges on the remote host can talk to your local SSH agent through that socket and potentially use it to access other network resources on your behalf. With the standard SSH agent that ships with OpenSSH, you will never even know it happened. But if you use a U2F key (or Sekey), every signature requires a physical touch, so you can stop any attempt to use your SSH agent.

Even with this limitation, occasional use of key forwarding is perfectly acceptable. Just do not enable it for all of your connections; use it only when you are sure a specific situation needs it.
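To check that agent forwarding is opted into per host rather than switched on for every connection, here is a small ssh_config lint written for this page as an added example (not the article's own code). The sample config is constructed; note that ssh_config uses the first value it finds for an option, so a "Host *" block at the top of the file wins over more specific blocks below it.

```shell
#!/bin/sh
# Added example (not from the original article): list the Host blocks in an
# ssh_config that turn on agent forwarding, so you can confirm it is opted into
# per host rather than enabled globally under "Host *". ssh_config keeps the
# FIRST value found for an option, so "Host *" with "ForwardAgent yes" at the
# top of the file overrides any "ForwardAgent no" in a specific block below.

# Constructed sample config for the demo; a real run would read ~/.ssh/config.
sample_config() {
    cat <<'EOF'
Host *
    ForwardAgent yes

Host bastion
    HostName bastion.example.com
    ForwardAgent yes

Host build
    HostName build.example.com
    forwardagent no
EOF
}

# Print the pattern of every Host (or Match) block in which ForwardAgent is yes.
# Only the first pattern of a multi-pattern "Host a b c" line is reported.
forward_agent_hosts() {
    awk '
        tolower($1) == "host"  { block = $2; next }
        tolower($1) == "match" { block = "Match " $2; next }
        tolower($1) == "forwardagent" && tolower($2) == "yes" { print block }
    ' "$1"
}

# Exit 0 when agent forwarding is enabled for all hosts via "Host *".
global_forward_agent_enabled() {
    forward_agent_hosts "$1" | grep -qx '\*'
}

demo() {
    tmp=$(mktemp)
    sample_config > "$tmp"
    echo "Agent forwarding enabled in: $(forward_agent_hosts "$tmp" | tr '\n' ' ')"
    if global_forward_agent_enabled "$tmp"; then
        echo "WARNING: ForwardAgent yes under 'Host *' hands your agent to every server you log into"
    fi
    rm -f "$tmp"
}
demo
```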

Exiting a Hanging SSH Session


SSH sessions often hang because of a network outage, a program that has stopped responding and no longer reads input, or a terminal control sequence that has left the terminal in a state where keyboard input is blocked.

Here are some ways to get out of a hung session:

  1. Exit automatically when the network breaks. Add the following to your SSH configuration, .ssh/config. SSH will then check the connection by sending echo requests to the remote host every ServerAliveInterval seconds (5 here). If more than ServerAliveCountMax such requests go unanswered, SSH closes the connection.

    ServerAliveInterval 5
    ServerAliveCountMax 1

    See the ssh_config manual for ServerAliveInterval and ServerAliveCountMax.
  2. Use the ssh escape sequence. Type ~. (tilde, then dot) and the client terminates the session immediately. The ~ is recognized only as the first character on a line, so press Enter first.

    ~? prints the full list of escape sequences. Remember that ~ is treated as an escape only when it directly follows a newline.

Why does this happen?


When the Internet was invented, computers were not particularly mobile. When you work on a laptop and switch between WiFi networks over IPv4, your IP address changes. Since SSH runs over a TCP connection, and a TCP connection is tied to endpoints with fixed IP addresses, each time you move to another network your SSH connection is lost. When your IP address changes, it takes some time before the network stack detects that the connection is gone: TCP does not assume that a peer has disappeared the moment the network misbehaves, so it keeps retransmitting for a while. In your terminal, the session looks stuck. IPv6 adds functionality that lets devices keep their IP address when moving between networks, so someday this will cease to be a problem.

How to leave a terminal open on a remote host


There are two options for keeping a session when you switch between networks or want to disconnect for a while:

  1. Use Mosh or Eternal Terminal. If you really need a connection that does not drop even when you switch between networks, use Mosh, the mobile shell. Mosh is a secure shell that uses SSH to set up the session (the handshake) and then switches to its own encrypted channel. This channel is very robust: it survives disconnections from the Internet, changes of your laptop's IP address, large network delays and more, thanks to the magic of UDP and the state synchronization protocol Mosh uses.

    Mosh needs UDP ports 60000–61000 open on the server. Connect with mosh user@server.

    Mosh does have drawbacks compared with SSH, so if you rely on SSH features that Mosh does not provide, stick with SSH.
  2. tmux. If you just want to leave a terminal open, use tmux. Reconnect over SSH, run tmux attach, and you are back in your tmux session. tmux is available for Linux and macOS.

    Byobu is a wrapper around tmux that makes it easier to use. Byobu is available on Ubuntu and on macOS through Homebrew.



Sharing a remote terminal with a friend


When you are solving a complex problem on a server, you may want to share the SSH session with someone in another location. tmux is the best tool for sharing a terminal.
So, you need to do the following:

  1. Make sure tmux is installed on the server in the DMZ (or wherever you want to connect).
  2. Both of you connect to the server over SSH using the same account.
  3. One of you runs tmux to create a tmux session.
  4. The other runs tmux attach.
  5. Voila! You are sharing the terminal.

If you need finer control over multi-user sessions, use tmate, a fork of tmux that makes shared sessions even easier.

Translated by Andrey Zinchenko, Head of Rexoft Analytics Department
