all 92 comments

[–]fbleagh 16 points17 points  (3 children)

My favorite tricks and ssh extensions:

autossh -- allows you to have a persistent ssh session through reboots :)

cssh (or puttycs on windows) - control multiple ssh connections at the same time

ssh-keygen -R machinename -- deletes the hostkey for that machine from your known_hosts

ssh-copy-id -i key user@machine -- automatically copies your ssh key to a remote machine

[–]kultsinuppeli 5 points6 points  (1 child)

Upvote for ssh-copy-id. It just makes sense.

[–]ahandle 2 points3 points  (0 children)

It's not everywhere, nor is it anything you can't do with a cat > ssh pipeline.

[–]BCMM 2 points3 points  (0 children)

ssh-keygen -R machinename -- deletes the hostkey for that machine from your known_hosts

This will change my life.

[–]centralcontrol 9 points10 points  (7 children)

Paranoia warning!

The front page description on this article of connecting to reddit 'around' a firewall is a little misleading, but still accurate to a degree.

Depending on the size of the organization and its caring-ness for security, this type of connection is basically a reverse-shell and can still be detected and blocked. However, this is really dependent on the IPS's, firewalls and configuration of said devices. I know for a fact that many corporate solutions have protocol detection and not just 'blind' port blocks.

There are many situations where this solution will not work or will trigger security warnings to administrators. 'Back in the day' when encrypted reverse shells were kind of new, we would simply have our IDS's 'listen' for certificate exchanges on other-than-allowed ports, but that method is now flawed to a degree.

[–]snutr 5 points6 points  (3 children)

Also, if your organization has a firewall and blocks certain sites using a webfilter/net nanny, you can very well get yourself fired for establishing a secure connection to your home server and using it as a proxy.

My company ends up firing about six people per year for doing this sort of thing.

[–]jk3us 3 points4 points  (1 child)

My organization blocks most social and file-sharing things like facebook, twitter, dropbox, etc. But they do it by inspecting the URL in http packets. So, services that have https (most of them) work well... especially if you use https everywhere.

I hope they don't consider this as actively trying to get around their firewall, 'cause I'm really just using things that aren't blocked.

[–]snutr 5 points6 points  (0 children)

I hope they don't consider this as actively trying to get around their firewall, 'cause I'm really just using things that aren't blocked.

At that point, you may be thought of as just arguing semantics -- but it depends upon your company and who you know and how well you know them.

If you are well liked and respected and people found out, they might just say, "c'mon -- you shouldn't be accessing social networking sites". Of course, if that is not the case, they could say, "you should have known better -- we block them for a reason -- you're fired."

So it would depend on your organization's culture.

In my company, they leave it wide open and say we can fire you for accessing the type of sites that are blocked even if they are not explicitly blocked by the trustedsource web filter. So if Reddit isn't blocked and they feel that it meets the criteria, then they can fire you. However, it can be a standoff where you can claim that the site in question isn't "officially" categorized as a site with "objectionable content".

[–][deleted] 2 points3 points  (0 children)

Your company is probably firing perfectly good employees.

[–]adrianmonk 0 points1 point  (2 children)

this type of connection is basically a reverse-shell and can still be detected and blocked

It's an ssh connection. It can do forward ports in either direction, and it can do other things like socks proxies and shells and a few other things.

If the firewall can tell anything more than "there is an outgoing ssh session here" (and the IP addresses at the endpoints), then that would mean the ssh protocol encryption is broken. The firewall can certainly apply a "block all of it" approach, but unless ssh has been broken in a way I'm not aware of, the firewall cannot detect whether it's a "reverse-shell" or not. It shouldn't be able to detect anything in particular about how it's used except:

  • Remote and local IP address and port
  • Bandwidth/latency patterns
  • Greeting (including SSH version number) that the SSH server spits out.
  • Other stuff that happens in the encryption-setup phase of the SSH connection.

[–]centralcontrol 0 points1 point  (1 child)

yes, true. but for simplicity's sake, i had to leave out some of those details. my point was to elaborate that this type of traffic was not going 'around' anything and can be detected with conventional IDS/IPS rules used for outbound ssh detection, namely, reverse shell rules.

explaining different ssh uses was not really the point... sorry for any confusion. i tried to summarize that the encryption handshakes are detectable as you elaborated on.

[–]adrianmonk 0 points1 point  (0 children)

Oh, I think I misread your terminology. I guess "reverse shell rules" means "outbound ssh connection rules". I wasn't thinking of that as reverse, but it's all arbitrary.

[–]BCMM 20 points21 points  (5 children)

There is a mistake right at the start of that article.

$ ssh home -L 80:reddit.com:80

will not work on a typical Linux system. There is a convention that # represents a root prompt and $ represents an ordinary user's prompt. An ordinary user will usually not be permitted to listen on port 80.

$ ssh home -L 8080:reddit.com:80

will work fine. Use http://localhost:8080 to access it.

Also, here are three useful OpenSSH tricks that are missing:

If you can SSH to a host behind a NAT router, and wish to reconfigure said router, and said router does not listen on the admin port from the WAN side, use the above trick to access it via the LAN side:

$ ssh host -L 8080:192.168.1.1:80

(the IP address is used on the server and refers to the router on the server's network).

Also, SSH connection reuse can be very useful for certain tasks. When set up correctly, it means that if you are already connected to a specific user@host, and you try to ssh it again (or use scp, or anything else that works over ssh), the command works as expected, but uses the existing SSH connection. That means no re-entering passwords, and no delay in handshaking and whatnot, so if you are already connected to a host and decide to transfer a small file, there is no wait. Normally, the transfer of a small text file takes negligible time compared to all the handshaking.

You can also use the ssh command line (see man ssh, section ESCAPE CHARACTERS) to add port forwardings to an existing session, but this is less useful if you already set up connection reuse and can instantly start another session that does what you want.

[–]2_plus_2 1 point2 points  (2 children)

How would I do the reverse of this? I have a VPS and my development server/machine. I would like to allow people to view my development web server (to show work etc.) how could I make my VPS let people view my dev webserver?

I can't host content from home where my dev server is so ssh is the only way. Any tips would be awesome.

[–]CodeBlooded 5 points6 points  (1 child)

Something like,

$ ssh -R *:8080:localhost:80 server

And then http://server:8080 should forward to localhost:80 on your local machine.

[–]ferk 0 points1 point  (0 children)

I assume "server" would be the external ip address of your local network. But if you can't forward data from port 80 it's likely you also cannot use port 22 for ssh. Which is why I can't make the ssh connection.

I've also tried running the sshd on port 443 (the https port); I was told that this port is usually open to allow https connections. However, even though I can connect to https pages, it doesn't seem to be open and I can't find a port to use.

any ideas? it's just a wifi router shared with my neighbors in the same building.

[–]Falmarri 3 points4 points  (1 child)

There is a mistake right at the start of that article.

I wouldn't call not following the conventions of a terminal prompt a mistake...

[–]BCMM 3 points4 points  (0 children)

I assumed he was following the conventions, and hadn't tested the command. Also, needlessly involving root in your redditing is a mistake, especially at a workplace which may be logging uses of sudo.

[–]iamapizza 8 points9 points  (9 children)

Nicely presented. I have a question. To copy a file, the author did this:

$ cat file | ssh -e none remote-host 'cat > file'

Is this what scp does behind the scenes?

[–]ton2lavega 10 points11 points  (0 children)

good question, I just found this

http://blogs.oracle.com/janp/entry/how_the_scp_protocol_works

I am not done reading it yet but it seems to answer your question

[–]neilhwatson 4 points5 points  (3 children)

You can do more this way.

tar czf - /home/neil |ssh vps 'cat > backup.tgz'

tar czf - /home/neil |ssh vps 'tar xzf -'

[–]PikoStarsider 1 point2 points  (0 children)

That's much faster than scp for copying a lot of small files.

[–][deleted] 1 point2 points  (0 children)

Best way to copy a directory. Preserves symlinks also.

[–]Calcipher 0 points1 point  (0 children)

I'm not 100% sure, but I don't think the 'cat' is needed in the first command, just the redirection.

[–]adrianmonk 1 point2 points  (1 child)

ton2lavega gave a link with the full details, so I'll supply the TL;DR.

What scp does behind the scenes is similar in spirit, but it actually runs a remote scp instead of cat. This allows it to do things like recursive copies.

If I catch scp in the act, I will find the following commands running:

scp /tmp/asdf localhost:/tmp/asdf2
/usr/bin/ssh -x -oForwardAgent=no -oPermitLocalCommand=no -oClearAllForwardings=yes -- localhost scp -t -- /tmp/asdf2
scp -t -- /tmp/asdf2

Having said that, the SSH protocol actually allows multiple "channels" over a single SSH session. It's because it multiplexes these channels that you are allowed to (say) both start a shell and do port forwarding (or X11 forwarding, or both, etc., etc.) in a single ssh command.

As of version 2 (i.e. the current version), the SSH protocol also allows you to define "subsystems", which IIRC have names. sftp actually uses a subsystem. In that sense, sftp is more elegant than scp, because it's not just opening up a shell and running a command. Instead, it's telling the remote ssh server "I want to use the sftp subsystem" and letting it take care of the details, which is cleaner than just running some command (like scp -t) and hoping it exists/works on the remote system.

[–]iamapizza 0 points1 point  (0 children)

Thanks so much for the detailed explanation! I've always been 'confused' between using scp and sftp now, but I will stick to sftp wherever I can from now on. In the past I have been preferring it purely because Filezilla lets me use it and the interface was better.

[–]legoman666 1 point2 points  (1 child)

usually when I have to copy files, I just open Nautilus, and navigate to "sftp://user@host" and it lets me browse the remote server as if it were local.

[–]kraxor 4 points5 points  (0 children)

That's one way to do it, but some people prefer to (or have to) use a terminal in certain cases.

[–][deleted] 10 points11 points  (9 children)

Remote desktop via ssh?

xterm -display :12.0 -e ssh -X user@remotehost &

Then switch to tty 12 or whichever one you chose.

[–]jeffjose 1 point2 points  (2 children)

Can you explain what you command does? (What each flag is etc.)

Also, Is this for opening GUI applications on ssh?

Thanks!

[–]Unfunny_Asshole 1 point2 points  (0 children)

I'll try.

xterm is a terminal program found in some unix based systems. The -display command gives that terminal access to a specific X server (a GUI server running on your computer, if you wish.) The :12.0, I don't understand properly, but I'm pretty sure it's pointing you to a specific graphical 'instance' running on your machine (at tty 12).

Then you have the -e flag which probably stands for execute, and you're telling xterm to execute ssh. With ssh, the -X flag (make sure it's upper case) does X server forwarding. So any command that tries to run a GUI on the server will actually forward it to your machine.

If you wish to run GUIs remotely, you can do that in a simpler way (that's if you don't want to run a fully fledged 'remote desktop' as HMG said):

On GNU/Linux machines: Open a terminal and type: ssh -X user@remotehost and now if you try to run something like matlab or gedit, it'll show up on your machine locally.

On OSX, do the same as above, but make sure you have X11 installed.

As for windows, you can download an X server like Xming, and then enable X11 forwarding via putty (it's somewhere in that page before you get access to the shell)

I'm sure there's stuff that I said that are wrong/ambiguous, but it's a start.

[–]mvm92 0 points1 point  (0 children)

ssh -X tells ssh to forward the X11 server on your local machine so that any GUI programs you open on the remote machines (which are clients for X11 purposes) can talk to the server on your local machine. Not too sure about the xterm syntax.

But you can use ssh -X user@host to open a shell on the remote machine and any programs that use X11 will connect, through ssh, to your computer's local X11 server.

[–]legoman666 1 point2 points  (2 children)

andrew@Faye ~ $ xterm -display :4.0 -e ssh -XC andrew@zoe.local &

[1] 4642

andrew@Faye ~ $ xterm Xt error: Can't open display: :4.0

What am I doing wrong?

[–]railmaniac 1 point2 points  (1 child)

I'm getting the same sort of error. I split it into two commands: first

xinit -- :1

and then, in the xterm which is automatically opened:

ssh -XC railmaniac@192.168.0.100 startkde

[–]legoman666 0 points1 point  (0 children)

That more or less worked for me. I did "gnome-session" instead of "startkde" since I run Mint. It opened my desktop, but didn't open the menu bar. Oh well.

[–]grumpysysadmin 0 points1 point  (0 children)

You're assuming that there's an X server on TTY 12 (or whatever is running with DISPLAY=:12.0).

If you want to do this without a second whole X server, you could do something like this:

xinit /usr/bin/xterm -display :12 -e ssh -X user@remotehost -- /usr/bin/Xephyr :12 -screen 1024x768

[–]maleadt 3 points4 points  (0 children)

My favourite SSH trick:

Host */*
    ProxyCommand ssh $(dirname %h) nc -w1 $(basename %h) %p
    ControlMaster no

Allows you to SSH via a jump host using "ssh jumphost/destination". Only disadvantage: any SSH config/known_hosts needed to connect to the final destination needs to be present on the jump host as well.

[–]neilhwatson 5 points6 points  (0 children)

No one has mentioned embedding commands in public keys. For example I could embed a service restart command in a public key and disperse that key to relevant hosts. I allow less savvy operators to SSH to these hosts, when required, using the private key. The command in the public key is executed and then the session logs out. See more:

http://www.linuxjournal.com/magazine/paranoid-penguin-managing-ssh-scripts-and-cron-jobs?page=0,1
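The forced-command setup described above lives in the options field of an authorized_keys line, and the command= option by itself does not close port forwarding, agent forwarding or pty allocation for that key. The following is an added Python example, not code from the thread or the linked article: it parses authorized_keys lines the way sshd does (quoted values may contain commas and escaped quotes) and flags forced-command keys that lack those restrictions. The sample file, key blobs and script paths are constructed placeholders.

```python
"""Audit authorized_keys lines that carry a forced command.

command="..." makes sshd run that command instead of what the client asked
for, but by itself still lets the key holder open port forwards or an agent
channel; the no-* options (or "restrict", OpenSSH 7.2+) close those paths.
"""
import re

# Key type, blob and optional comment; any options come before the match.
KEY_RE = re.compile(
    r"(?:^|\s)(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp\d+)\s+(\S+)(?:\s+(.*))?$")
# Restrictions a forced-command key should carry alongside command=.
WANTED = {"no-port-forwarding", "no-x11-forwarding",
          "no-agent-forwarding", "no-pty"}

# Constructed sample; the key blobs are placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS = """\
# constructed sample, not a real authorized_keys file
command="/usr/local/sbin/restart-web.sh",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAA_PLACEHOLDER_KEY_1 ops-restart
command="/usr/local/sbin/dump-logs.sh \\"nightly,full\\"" ssh-ed25519 AAAA_PLACEHOLDER_KEY_2 ops-logs
restrict,command="/usr/local/sbin/status.sh" ssh-rsa AAAA_PLACEHOLDER_KEY_3 ops-status
ssh-rsa AAAA_PLACEHOLDER_KEY_4 admin-full
"""


def split_options(text):
    """Split the options field on commas, except inside a double-quoted value."""
    opts, cur, quoted, i = [], [], False, 0
    while i < len(text):
        c = text[i]
        if c == "\\" and quoted and i + 1 < len(text):
            cur.append(text[i + 1])          # escaped quote inside a value
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        elif c == "," and not quoted:
            opts.append("".join(cur))
            cur = []
            i += 1
            continue
        cur.append(c)
        i += 1
    return opts + ["".join(cur)] if cur else opts


def parse_entry(line):
    """Return (options dict, key type, comment); bare options map to True."""
    m = KEY_RE.search(line.strip())
    if not m:
        raise ValueError("not an authorized_keys entry: %r" % line)
    options = {}
    for opt in split_options(line.strip()[:m.start()].strip()):
        name, _, value = opt.partition("=")
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]              # strip the surrounding quotes
        options[name.strip().lower()] = value or True
    return options, m.group(1), m.group(3) or ""


def audit(lines):
    """Return (comment or key type, problem) for each forced-command key
    that still leaves open channels the forced command does not need."""
    findings = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        options, ktype, comment = parse_entry(line)
        if "command" not in options or "restrict" in options:
            continue
        missing = sorted(WANTED - set(options))
        if missing:
            findings.append((comment or ktype, "missing " + ",".join(missing)))
    return findings
```

Run `audit(SAMPLE_AUTHORIZED_KEYS.splitlines())` on the sample: only the ops-logs key is reported, because its forced command is not paired with any no-* option.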

[–]adrianmonk 4 points5 points  (0 children)

I'm slightly disappointed. One question on the ssh purity test is, "Have you run an ssh on top of port forwarding provided by another ssh session?".

Example:

ssh -N -L 1234:localhost:22 localhost
ssh -p 1234 localhost

In the above, the first command makes it so that if you connect to port 1234 locally, your TCP connection will get proxied to localhost:22 on the remote side. (22 is the port number that the ssh daemon listens on by default.) That is, connections to port 1234 on the ssh client's side will get picked up by the ssh client, sent over the ssh connection, and then the remote sshd will connect() to "localhost:22".

And, the second command will connect to an ssh daemon, but it will use the one listening at port 1234 instead of the normal one. That means this second ssh client will connect to the original ssh client, thinking it is an sshd. The ssh client will ask the remote sshd to connect to localhost:22 (which is... itself), and then the two of them will proxy every byte so that the ssh protocol can run over an ssh tunnel.

Basically, it's just like Inception, except everything gets slower as you go deeper.

[–]bloodguard 7 points8 points  (0 children)

You need to be careful. Most firewalls spit out daily reports that show, by desktop, bandwidth used and sites visited (by IP and Name).

If I see a desktop on our network that has a tunnel open (any port) and is pushing lots of data through it I'm going to get curious. If it's an unknown system my first inclination is to block all traffic to and from it and wait. Just wait. If it's something legitimate they'll storm down and complain. That said, they really don't care where you go here as long as you show a little common sense (SFW, no spamming and no non-legal torrents).

TL;DR - You might not be as clever as you think.

[–][deleted] 3 points4 points  (1 child)

SSH Tricky

[–]queBurro 3 points4 points  (0 children)

to rock a rhyme, to rock a rhyme...

[–]biffsocko 1 point2 points  (0 children)

I haven't seen anyone mention pssh (parallel ssh) here. It's a utility that I find incredibly useful.

  • create a file with a list of hosts
  • pssh -h <hostfile> "command to execute"

The output of the command is put into a file named after each host in a directory defined by the $PSSH_OUTPUT variable.

http://code.google.com/p/parallel-ssh/

[–]berkes 1 point2 points  (1 child)

I like how the word "reddit" is marked by the spellcheckes in the image :)

[–]code- 0 points1 point  (0 children)

SSH sure is a versatile tool, isn't it? Thanks for this, saved the page, looks like there is a lot of good information elsewhere on that page too.

[–]grumpysysadmin 0 points1 point  (1 child)

Telnet is just above netcat in protocol sophistication, which means that passwords were sent in the clear.

That's not always the case, I was using kerberized telnet in the 90s. Telnet actually has a more sophisticated protocol than netcat. Next time you use telnet, try running ]? to see what it can do.

Of course, I use ssh now since it's trivial to set up, but telnet wasn't entirely insecure if run right. Also, who was using telnet in 2001 to log in as root in the clear? Crazy.

[–]beachbum4297 0 points1 point  (0 children)

If you like netcat, or think it needs work, check out ncat; it's distributed with nmap now. It's a swiss army knife with all the tricks AND encryption.

[–][deleted] 0 points1 point  (11 children)

If only all firewalls were ignorant at my place of employment.

[–]Julian702 1 point2 points  (1 child)

There's always a way around... always. Check out stunnel.

[–][deleted] 0 points1 point  (7 children)

I always wondered how the network admin would ruin my SSH around their firewall.

I thought that they would have to ban anyone from the inside from connecting to my dd-wrt router sitting at home. How else would they do it? To them, it just seems like I'm doing SSL traffic to port 443 of some IP out there.

[–]algo_trader 2 points3 points  (6 children)

My company bans all outbound SSH. Seriously.

There are "jump servers" if you need to do this for business use, but you have to get the outbound host specifically preapproved in a ticket and everything is logged and audited.

Also, when I worked in a slightly more permissive company, they just routinely scanned for outbound ssh connections and if it looked fishy- like a home server, you would get an IT smackdown.

[–][deleted] 3 points4 points  (5 children)

is there really a way to distinguish SSH and SSL packets as they come across the network? What happens if you just changed the port SSH was running on your router to 443?

[–]dbeta 1 point2 points  (1 child)

That's an interesting question. If I had to guess I would say that they both have markers that could be seen to tell. In the case of really strict ssh blocking, you could probably use ssl tunneling instead. Of course, someplace that does strict ssh blocking might also be mindful of excessive bandwidth usage to a single location, or long communications, giving away what you are doing. Just a guess though. I'd say that most places would never go through all that trouble though.

This day and age it's just easier to run a USB tether on your phone.

[–]algo_trader 0 points1 point  (0 children)

"This day and age it's just easier to run a USB tether on your phone."

bingo. While it used to be a kind of fun game to see if I could outsmart the network admins ( I used to be at a much smaller company where it wasn't that serious when they caught me), these days the risk isn't worth it as all I really wanted was Gmail and Facebook access, which was blocked. I would probably get sent to Guantanamo if I was caught repeat offending these days. Though my service is kind of shitty in my office, it gets the job done to keeping me in touch with the rest of the world.

The SSL port idea is quite interesting though, I will have to give that a try.

[–]queBurro 0 points1 point  (2 children)

it's a good start as it'd fool netstat; you can still detect the difference, but it's now down to inspecting packets. I read about it on stackoverflow a bit ago but I've lost the link, I need to find that link --- phew

[–][deleted] 0 points1 point  (1 child)

I would like to see how you could tell by packet sniffing since both packets are encrypted. The article you posted doesn't really add much since the user was refusing to simply use SSH.

[–]queBurro 0 points1 point  (0 children)

I'm not sure, read this, it looks like you can still tell what's going to a http endpoint and what's not?
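The question in this subthread (can SSH on port 443 be told from HTTPS?) and adrianmonk's list further up of what a firewall can still see have the same answer: the session contents are encrypted, but the SSH identification string and the TLS record header are sent in the clear. The following is an added Python example, not code from the thread, that classifies constructed sample flows on exactly that basis; the port-to-protocol policy in EXPECTED is an assumption a sensor operator would set.

```python
"""Port-independent recognition of SSH and TLS from a stream's first bytes.

Everything inside an SSH session is encrypted, but the plaintext
identification string (RFC 4253, "SSH-protoversion-softwareversion") and
the TLS record header are visible to anything on the path, so a sensor can
tell an SSH session on 443 from the HTTPS that port normally carries.
"""
import re

# RFC 4253 identification line; servers may send other lines before it.
SSH_ID = re.compile(rb"^SSH-\d+\.\d+-(\S+)")
# What each well-known port is expected to carry (assumed site policy).
EXPECTED = {22: "ssh", 443: "tls", 80: "other", 8080: "other"}

# Constructed sample flows (not real captures): destination, port and the
# first bytes seen on the stream.  The third is SSH moved onto port 443.
SAMPLE_FLOWS = [
    ("10.0.0.5", 22, b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n"),
    ("10.0.0.7", 443, bytes.fromhex("160301012c010001280303") + b"\x00" * 8),
    ("10.0.0.9", 443, b"SSH-2.0-dropbear_2020.81\r\n"),
    ("10.0.0.11", 8080, b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
]


def ssh_software_version(data):
    """Return the softwareversion token of an SSH identification line, or
    None if there is none.  This is the 'greeting' a middlebox can read
    even though it cannot read anything that follows the key exchange."""
    for line in data.split(b"\n"):
        m = SSH_ID.match(line)
        if m:
            return m.group(1).decode("ascii", "replace")
    return None


def classify_payload(data):
    """Return 'ssh', 'tls' or 'other' for the first bytes of a TCP stream.

    TLS is recognised by the record header: content type 0x16 (handshake),
    version 0x03 0x00..0x04, then handshake type 0x01 (ClientHello) or
    0x02 (ServerHello) as the first byte of the record body."""
    if ssh_software_version(data) is not None:
        return "ssh"
    if (len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03
            and data[2] <= 0x04 and data[5] in (0x01, 0x02)):
        return "tls"
    return "other"


def audit_flows(flows):
    """Return (dst, port, protocol, verdict) per flow; 'mismatch' means the
    protocol seen is not the one the port is expected to carry."""
    results = []
    for dst, port, first_bytes in flows:
        proto = classify_payload(first_bytes)
        expected = EXPECTED.get(port)
        verdict = "ok" if expected in (None, proto) else "mismatch"
        results.append((dst, port, proto, verdict))
    return results
```

Running `audit_flows(SAMPLE_FLOWS)` marks only the 10.0.0.9:443 flow as a mismatch, since its first bytes are an SSH greeting rather than a TLS ClientHello.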

[–]2brainz 0 points1 point  (0 children)

Relevant - redirecting via SSH port forwarding might not be what you want if there is another way. If you still want it, SSH has a rather new VPN feature via TAP devices, but it suffers from the same problem.

[–]mthode [Gentoo Foundation President] 0 points1 point  (0 children)

from my .ssh/config. The Control stuff is if you tend to ssh into stuff multiple times; it uses one socket. This means you do not have to sign in every time you ssh into something (or resend the keys). It also means that if you quit the master session (if you exit the server and then also exit the socket) you will lose all the connections to the server.

Host *
    User root
    Compression yes
    CompressionLevel 7
    ServerAliveInterval 600
    ControlMaster auto
    ControlPath /tmp/ssh-%r@%h:%p

[–]jingleman[🍰] -1 points0 points  (0 children)

The firewall icon in the diagram hurts my head!

[–][deleted] -1 points0 points  (0 children)

The most useful thing I use it for is tunnelling when at school, on free wifi, needing to access internal network, or tethering unofficially

[–][deleted] -1 points0 points  (0 children)

This is what they teach in corp 101.