SSH 201

Caleb X. Berger / c-x-berger

Topics covered in ~~CS 193~~ SSH 101:

Using SSH as a remote shell
Using scp
Remote desktop (but only through a GUI)

`scp` review

From	To	Command
Local	Remote	`scp file user@remote:~/dest/dir`
Remote	Local	`scp user@remote:~/source/file ~/local/copy.txt`

You can recursively copy entire directories with the -r flag

Topics covered here:

Tunneling and SOCKS proxying
SSH Certificates
Multiplexing
Escape Sequences / "The Menu"

A quick note on keys

man ssh-keygen will tell you there are four key types

You know, like a liar.

Practically, three work for most hosts:

ecdsa
rsa
ed25519

wat

dsa has systemic flaws that can leak the private key - yikes!

RSA will work on everything, but requires big keys

Ed25519 is the favorite child - short keys, doesn't have DSA's issues... but it's new enough that some Purdue machines don't support it

Like RHEL 6 machines in the ECN.

Hail Purdue.

Tunneling / Port Forwarding

Map a port on one machine to another

Make remote services available at local addresses, or vice versa

Why?

Honestly? Usually, to bypass a firewall.

Forward Tunneling

ssh -L 123:localhost:456 fred@example.org routes traffic bound for localhost:123 to example.org:456 via example.org

Traffic can also pass through the remote to an even further host: -L 8000:example.com:443 example.org

You probably want to add -fNT to be "nicer"

The Nice SSH Tunnel

ssh -fNT -L localport:destination:port user@viahost

Not All Magic is Perfect

Many hosts read e.g. the HTTP Host header and either block or act very strangely when they see an unexpected value

We will see a way around this later

Reverse Tunneling

ssh -R 123:localhost:456 fred@example.org sends traffic from example.org:123 to localhost:456

Ask a remote to forward traffic to you (or through you, anyway)

The Nice Reverse SSH Tunnel

ssh -fNT -R srcport:destination:destport user@srchost

Put your SOCKS on

We saw that some services freak out when tunneled to

SOCKS is a way of forwarding that's actually meant to be a proxy. As such, the application (e.g. your browser) has to support it


                        ssh -D 1337 -fCNT fred@example.org

Certificates

Sign SSH keys with some given "master key"

A host can authorize any keys signed by some root certificate for authentication, and clients may choose to trust host keys signed by some root.

Useful within organizations to reduce friction with new keys/hosts

Step 1: Create a Root Certificate

This will later sign our host and user keys

ssh-keygen -t ed25519 -f example-ca -C "Comment"

Keep example-ca well-secured! example-ca.pub should go to wherever you intend to trust signed keys.

A note on algorithms

I'm using ed25519, but RSA is also fine. You can sign RSA keys with ed25519 and vice versa.

Just be sure to set keysize on RSA keys.

Step 2: Sign a user's key


ssh-keygen -s example-ca \
    -n your,usernames \
    -V +52w \
    -I logging-name \
    key.pub

Step 2.5: Trust signed users

Place example-ca.pub on the host
In sshd_config, add a line TrustedUserCAKeys /path/to/example-ca.pub

After that, any key signed by example-ca is allowed for the user(s) in that key's principals list. In our example, that would be your,usernames

Step 3: Sign a host key

Literally the same as user keys but with -h in there.


ssh-keygen -h -s example-ca \
    -n host.example.com \
    -V +52w \
    -I host.name-key \
    keyfile.pub

Add HostCertificate /path/to/keyfile-cert.pub to sshd_config

Step 3.5: Trust signed hosts


@cert-authority *.purdue.edu ssh-ed25519 ...

Add @cert-authority some,hosts XXX to known_hosts where XXX is the contents of example-ca.pub

Multiplexing

nyoom

Speed up SSH by only logging in once

Specifically, after first login TCP/IP connection is kept open for a set time after exit.

And "all" we have to to is edit ~/.ssh/config

Example multiplexing configuration:


Host *.cs.purdue.edu
    # user@host:port
    ControlPath ~/.ssh/controls/%r@%h:%p
    # use master connection iff available
    ControlMaster auto
    # keep master connection alive for 10 minutes after last session ends
    ControlPersist 10m

This complicates the tunnel

Options like -L, -R will add a new forward, but it won't close until the master closes as well

We also can't change forwarded ports on the fly

To cancel a forward on a master connection, use ssh -O cancel -L ... user@host

Escape Sequences/"The Menu"

Special key sequences that instruct SSH to do particular things "mid-flight"

These are used during a session to alter that session.

Some are client-side only, not dependent on host

Entering an escape sequence

Press, in order, one at a time, Enter, ~, ?

Examples:

~. kills that session and all multiplexed sessions
~C is really interesting (the "SSH command-line") but is unavailable on multiplexed
~V/~v increases/decreases SSS's verbosity

Credits

Thomas Kennel for giving me enough material to actually make this a talk
erik on unix.se for the tunneling diagrams
explainshell.com for making man pages easier
reddit user dyerjohn42 for posting the excellent opening image (originally from The Internet Guide for New Users)

These slides are on GitHub at https://github.com/c-x-berger/ssh-201

The slide deck is also served as a GitHub pages site.