16 ultimate SSH hacks
So you think you know OpenSSH inside and out? Test your chops against this hit parade of 16 expert tips and tricks, from identifying monkey-in-the-middle attacks to road warrior security to attaching remote screen sessions. Follow the countdown to the all-time best OpenSSH command!
SSH tips #16-14: Detecting MITM attacks
When you log into a remote computer for the first time, you are asked if you want to accept the remote host’s public key. Well, how in the heck do you know if you should or not? If someone perpetrated a successful monkey-in-the-middle attack, and is presenting you with a fake key so they can hijack your session and steal all your secrets, how are you supposed to know? You can know, because creating a new key pair also produces a unique fingerprint and randomart image:
$ ssh-keygen -t rsa -C newserver -f .ssh/newkey
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in .ssh/newkey.
Your public key has been saved in .ssh/newkey.pub.
The key fingerprint is:
44:90:8c:62:6e:53:3b:d8:1a:67:34:2f:94:02:e4:87 newserver
The key's randomart image is:
+--[ RSA 2048]----+
|oo +.o. |
|. = B o. |
| E X + . |
| B B .. |
| . * o S |
| . |
| |
| |
| |
+-----------------+
SSH tip #16: Retrieve the fingerprint and randomart image of an SSH key
If you make a copy of this when you create new encryption keys, then you can fetch a key’s fingerprint and randomart image anytime to compare and make sure they have not changed:
$ ssh-keygen -lvf keyname
SSH tip #15: View all fingerprints and randomart images in known_hosts
And you can see all of them in your ~/.ssh/known_hosts file:
$ ssh-keygen -lvf ~/.ssh/known_hosts
SSH tip #14: Verify server keys
You can see the fingerprint and randomart for any computer you’re logging into by configuring /etc/ssh/ssh_config on your client computer. Simply uncomment the VisualHostKey option and set it to yes:
VisualHostKey yes
Then log in to any remote computer to test it:
$ ssh user@host2
Host key fingerprint is 66:a1:2a:23:4d:5c:8b:58:e7:ef:2f:e5:49:3b:3d:32
+--[ECDSA 256]---+
| |
| |
| . o . |
| + = . . . |
|. + o . S |
| o o oo |
|. + . .+ + |
| . o .. E o |
| .o.+ . |
+-----------------+
user@host2's password:
Obviously you need a secure method of getting verified copies of the fingerprint and randomart images for the computers you want to log into: a hand-delivered printed copy, encrypted email, the scp command, secure ftp, read over the telephone… The risk of a successful MITM attack is small, but if you can figure out a relatively painless verification method it’s cheap insurance.
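The fingerprint you compare is nothing more than a hash of the public key blob, so the check can be scripted once you hold a trusted copy. The following is an added example, not part of the original article: it derives the colon-separated MD5 fingerprint shown above, and also the SHA256 form that current OpenSSH releases print by default, from a .pub or known_hosts line, and compares it with the trusted value. The function names and the sample key are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def key_blob(line):
    """Return (key_type, raw_blob) from a .pub or known_hosts line."""
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field in KEY_TYPES:
            blob = base64.b64decode(fields[i + 1], validate=True)
            # The blob begins with a length-prefixed copy of the key type;
            # a mismatch means the line was edited or corrupted.
            (n,) = struct.unpack(">I", blob[:4])
            if blob[4:4 + n] != field.encode():
                raise ValueError("declared key type does not match key blob")
            return field, blob
    raise ValueError("no public key found in line")

def fingerprints(line):
    """Fingerprints of the key in both formats ssh-keygen -l can print."""
    blob = key_blob(line)[1]
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
            "sha256": "SHA256:" + sha}

def matches_trusted(line, trusted):
    """True if the trusted fingerprint (either format) matches the key."""
    trusted = trusted.strip()
    if trusted.upper().startswith("MD5:"):
        trusted = trusted[4:]
    if trusted.startswith("SHA256:"):
        actual = fingerprints(line)["sha256"]
    else:
        actual, trusted = fingerprints(line)["md5"], trusted.lower()
    return hmac.compare_digest(actual.encode(), trusted.encode())

def make_line(host, seed):
    """Constructed sample data: a known_hosts line holding a fake ed25519 key."""
    t = b"ssh-ed25519"
    blob = struct.pack(">I", len(t)) + t + struct.pack(">I", 32) + bytes([seed]) * 32
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"

if __name__ == "__main__":
    print(fingerprints(make_line("host2", 7)))
```

A False result from matches_trusted means the key offered under that name is not the one you recorded, which is exactly the situation the interactive prompt asks you to judge by eye.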
SSH tip #13: Attach to a remote GNU screen session
You can attach a GNU screen session remotely over SSH; in this example we’ll open a GNU screen session on host1, and connect to it from host2. First open and then detach a screen session on host1, named testscreen:
host1 ~ $ screen -S testscreen
Then detach from your screen session with the keyboard combination Ctrl+a, then d:
[detached from 3829.testscreen]
You can verify that it’s still there with this command:
host1 ~ $ screen -ls
There is a screen on:
        3941.testscreen (03/18/2012 12:43:42 PM) (Detached)
1 Socket in /var/run/screen/S-host1.
Then re-attach to your screen session from host2 by logging in to the machine where it is running (shown here as terry@uberpc):
host2 ~ $ ssh -t terry@uberpc screen -r testscreen
You don’t have to name the screen session if there is only one.
SSH tip #12: Launch a remote screen session
What if you don’t have a running screen session? No worries, because you can launch one remotely:
host1 ~ $ ssh -t user@host2 /usr/bin/screen -xRR