Working Remotely With SSH

by Doug Bell
(he, him, his)
@preaction
preaction

preaction.me/ssh
CC-BY-SA 4.0

For navigation help, press ?
For speaker view and notes, press S
For full-screen, press F

What is SSH?

Secure Shell

Remote Server

More Secure than `rsh`

More Secure than `telnet`

More Than a Shell

Run `ssh`

Install OpenSSH

If we don't have the ssh command, we need to install OpenSSH, or on some systems, "OpenSSH client". Windows users can either get OpenSSH for PowerShell, or the Windows Subsystem for Linux. Windows users might be familiar with PuTTY, but it's different enough that we won't be covering it.

`ssh stage.cpantesters.org`

Once we've installed OpenSSH, we can connect to our remote server, stage.cpantesters.org by running ssh stage.cpantesters.org

doug@local:~$ ssh stage.cpantesters.org

doug@local:~$ ssh stage.cpantesters.org
The authenticity of host 'stage.cpantesters.org (2607:f740:f::914)' can't
be established.
ECDSA key fingerprint is SHA256:AcGEg+DDHplQT8Cc02CYy8Y4p/C4I5ARoEhrA5ZvrOQ.
Are you sure you want to continue connecting (yes/no)? yes

doug@local:~$ ssh stage.cpantesters.org
The authenticity of host 'stage.cpantesters.org (2607:f740:f::914)' can't
be established.
ECDSA key fingerprint is SHA256:AcGEg+DDHplQT8Cc02CYy8Y4p/C4I5ARoEhrA5ZvrOQ.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'stage.cpantesters.org,2607:f740:f::914' (ECDSA)
to the list of known hosts.

"Warning: Permanently added 'stage.cpantesters.org' (ECDSA) to the list of known hosts". Okay, so SSH is telling us that it's not going to ask us again, but SSH will also refuse to let us connect to any other machine. If we try to connect to stage.cpantesters.org and it doesn't have the right identity key, we'll get this message instead:

doug@local:~$ ssh stage.cpantesters.org
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:AcGEg+DDHplQT8Cc02CYy8Y4p/C4I5ARoEhrA5ZvrOQ.
Please contact your system administrator.
Add correct host key in /Users/doug/.ssh/known_hosts to get rid of this
message.
Offending ECDSA key in /Users/doug/.ssh/known_hosts:40
ECDSA host key for stage.cpantesters.org has changed and you have requested
strict checking.
Host key verification failed.

doug@local:~$ ssh-keygen -R stage.cpantesters.org
# Host stage.cpantesters.org found: line 40
/Users/doug/.ssh/known_hosts updated.
Original contents retained as /Users/doug/.ssh/known_hosts.old

doug@local:~$ ssh stage.cpantesters.org
The authenticity of host 'stage.cpantesters.org (2607:f740:f::914)' can't
be established.
ECDSA key fingerprint is SHA256:AcGEg+DDHplQT8Cc02CYy8Y4p/C4I5ARoEhrA5ZvrOQ.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'stage.cpantesters.org,2607:f740:f::914' (ECDSA)
to the list of known hosts.
doug@stage.cpantesters.org's password:

doug@local:~$ ssh stage.cpantesters.org
The authenticity of host 'stage.cpantesters.org (2607:f740:f::914)' can't
be established.
ECDSA key fingerprint is SHA256:AcGEg+DDHplQT8Cc02CYy8Y4p/C4I5ARoEhrA5ZvrOQ.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'stage.cpantesters.org,2607:f740:f::914' (ECDSA)
to the list of known hosts.
doug@stage.cpantesters.org's password:
Permission denied, please try again.
doug@stage.cpantesters.org's password:

`ssh stage.cpantesters.org`

`-l dbell`

We can specify the login account to use on the remote host with the -l flag

`ssh dbell@stage.cpantesters.org`

doug@local:~$ ssh dbell@stage.cpantesters.org
dbell@stage.cpantesters.org's password: 
Linux stage.cpantesters.org 4.9.0-3-amd64 #1 SMP
Debian 4.9.30-2+deb9u2 (2017-06-26) x86_64

The programs included with the Debian GNU/Linux system are free
software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/\*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
dbell@stage:~$

`ssh dbell@stage.cpantesters.org`

SSH Config

`~/.ssh/config`

`~/ssh_config`

Host stage.cpantesters.org
    User dbell

doug@local:~$ ssh stage.cpantesters.org
dbell@stage.cpantesters.org's password:

Host stage.cpantesters.org
    User dbell
Host ct-stage
    Hostname stage.cpantesters.org

doug@local:~$ ssh ct-stage
dbell@stage.cpantesters.org's password:

Host stage.cpantesters.org
    User dbell
Host ct-stage
    Hostname stage.cpantesters.org

Passwords

Identification

Authentication

Password

USB Device

SSH Keys

Asymmetric Cryptography

Key Pair

Public Key

Private Key

Encryption

Message for Alice

+ Public Key

= Encrypted message

Decryption

Encrypted Message

+ Private Key

= Message

Trust

Secure Communication

Key Algorithms

RSA

DSA

ECDSA

Generate a Key

`ssh-keygen`

To generate a key, we can run the ssh-keygen command.

doug@local:~$ ssh-keygen -t ed25519
Generating public/private ed25519 key pair.
Enter file in which to save the key (/Users/doug/.ssh/id_ed25519):

doug@local:~$ ssh-keygen -t ed25519
Generating public/private ed25519 key pair.
Enter file in which to save the key (/Users/doug/.ssh/id_ed25519):
Enter passphrase (empty for no passphrase):

doug@local:~$ ssh-keygen -t ed25519
Generating public/private ed25519 key pair.
Enter file in which to save the key (/Users/doug/.ssh/id_ed25519):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:

doug@local:~$ ssh-keygen -t ed25519
Generating public/private ed25519 key pair.
Enter file in which to save the key (/Users/doug/.ssh/id_ed25519):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/doug/.ssh/id_ed25519.
Your public key has been saved in /Users/doug/.ssh/id_ed25519.pub.
The key fingerprint is:
SHA256:EfNX6BfSBrTgWdTzMC0BB7kLcgtjEGE0hcd0FVLOax0 doug@gwen.local
The key's randomart image is:
+--[ED25519 256]--+
|     .*B= +=@X+o |
|     .o.o* B++X .|
|       o. +.=+EB |
|        =.o.oo...|
|       .S= ooo.  |
|          ...    |
|                 |
|                 |
|                 |
+----[SHA256]-----+

What do keys look like?

ssh-ed25519
AAAAC3NzaC1lZDI1NTE5AAAAIJmSkjt+1JRMMFBhOsF5o60xL0xbrrYZZbySe597QYYD
doug@gwen.local

Copy Public Key

`ssh-copy-id`

Now we have our key pair. In order to use it to log in, we need to copy the public key to the remote server. Nowadays, this is done with the ssh-copy-id command.

doug@local:~$ ssh-copy-id stage.cpantesters.org
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/Users/doug/.ssh/id_ed25519.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
dbell@stage.cpantesters.org's password:

The ssh-copy-id command takes the name of the server we want to copy our IDs to. So, for us, stage.cpantesters.org. Then it asks for our password to the remote server.

doug@local:~$ ssh-copy-id stage.cpantesters.org
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/Users/doug/.ssh/id_ed25519.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
dbell@stage.cpantesters.org's password:


Number of key(s) added:        1

Now try logging into the machine, with:   "ssh 'stage.cpantesters.org'"
and check to make sure that only the key(s) you wanted were added.

doug@local:~$ ssh stage.cpantesters.org
Enter passphrase for key '/Users/doug/.ssh/id_ed25519':
Linux stage.cpantesters.org 4.9.0-3-amd64 #1 SMP Debian 4.9.30-2+deb9u2 (2017-06-26) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/\*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

SSH Agent

`ssh-agent`

doug@local:~$ eval $(ssh-agent)
Agent pid 9653

We run the SSH agent using eval $(ssh-agent). That's kind of weird, so what's that doing?

doug@local:~$ ssh-agent
SSH_AUTH_SOCK=/var/folders/m8/pzbmtwsn4qjg898w08gkxlcm0000gn/T//ssh-4B1BPw5Itnoy/agent.9652;
export SSH_AUTH_SOCK;
SSH_AGENT_PID=9653; export SSH_AGENT_PID;
echo Agent pid 9653;

Add Identities (Keys)

`ssh-add`

With the agent running, we need to add our identities. We do that using ssh-add.

doug@local:~$ ssh-add
Enter passphrase for /Users/doug/.ssh/id_ed25519:
Identity added: /Users/doug/.ssh/id_ed25519 (doug@gwen.local)

doug@local:~$ ssh stage.cpantesters.org
Linux stage.cpantesters.org 4.9.0-3-amd64 #1 SMP Debian 4.9.30-2+deb9u2 (2017-06-26) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/\*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

Start SSH Agent at Boot

Automatically Add Keys

`AddKeysToAgent yes`

If we don't want to explicitly call ssh-add, we can add AddKeysToAgent yes in our ssh config file. Then, provided there is a running agent, our keys will automatically be added as they are used. I prefer doing this, as it reduces the things I have to remember to do.

Use MacOS Keychain

`UseKeychain yes`

`ssh-add -K`

Finally, if you're on Mac OS X, you can add UseKeychain yes to your SSH config to look up your passphrase securely from your OS keychain. If you do this, you just need to add your passphrase to your OS keychain (ssh-add -K) and you'll never have to type it again!

Work on code

doug@stage:~$ git clone git@github.com:cpan-testers/cpantesters-web.git
Cloning into 'cpantesters-web'...
The authenticity of host 'github.com (192.30.253.112)' can't be established.
RSA key fingerprint is SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'github.com,192.30.253.112' (RSA) to the list of known hosts.
Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

Agent Forwarding

Host stage.cpantesters.org
    User dbell
    ForwardAgent yes
Host ct-stage
    Hostname stage.cpantesters.org

doug@stage:~$ git clone git@github.com:cpan-testers/cpantesters-web.git
Cloning into 'cpantesters-web'...
remote: Counting objects: 436, done.
Receiving objects: 100% (436/436), 128.08 KiB | 0 bytes/s, done.
remote: Total 436 (delta 0), reused 0 (delta 0), pack-reused 436
Resolving deltas: 100% (169/169), done.

Security

Transfer Files

SCP - Secure Copy

scp

doug@local:~$ scp stage.cpantesters.org:www/README.mkdn ./
README.mkdn        100% 1743    49.1KB/s   00:00

doug@local:~$ scp ./README.mkdn stage.cpantesters.org:www/
README.mkdn        100% 1712    13.5KB/s   00:00

Recursively

`scp -r`

Rsync

For extreme use

Networking

Firewall

Internal Network

SSH Tunnel

`ssh stage.cpantesters.org`

`-L 3000:127.0.0.1:3000`

Localhost

Internal Hosts

External Hosts

SOCKS Proxy

`ssh stage.cpantesters.org -D 3000`

`ssh stage.cpantesters.org`

`-R 3000:127.0.0.1:3000`

Extra Stuff

SSH can run Commands

Pipe those commands

`ssh stage.cpantesters.org find www`

`| grep .ep`

SSH escape sequences

`<Enter> ~ ?`

Sources: ssh(1) ssh-keygen(1) ssh-agent(1) https://blog.g3rt.nl/upgrade-your-ssh-keys.html

Working Remotely With SSH

What is SSH?

Secure Shell

Remote Server

More Secure than rsh

More Secure than telnet

More Than a Shell

Run ssh

Install OpenSSH

ssh stage.cpantesters.org

ssh stage.cpantesters.org

-l dbell

ssh dbell@stage.cpantesters.org

ssh dbell@stage.cpantesters.org

SSH Config

~/.ssh/config

~/ssh_config

Passwords

Identification

Authentication

Password

USB Device

SSH Keys

Asymmetric Cryptography

Key Pair

Public Key

Private Key

Encryption

Message for Alice

+ Public Key

= Encrypted message

Decryption

Encrypted Message

+ Private Key

= Message

Trust

Secure Communication

Key Algorithms

RSA

DSA

ECDSA

Generate a Key

ssh-keygen

What do keys look like?

Copy Public Key

ssh-copy-id

SSH Agent

ssh-agent

Add Identities (Keys)

ssh-add

Start SSH Agent at Boot

Automatically Add Keys

AddKeysToAgent yes

Use MacOS Keychain

UseKeychain yes

ssh-add -K

Work on code

Agent Forwarding

Security

Transfer Files

SCP - Secure Copy

scp

Recursively

scp -r

Rsync

For extreme use

Networking

Firewall

Internal Network

SSH Tunnel

ssh stage.cpantesters.org

-L 3000:127.0.0.1:3000

Localhost

Internal Hosts

External Hosts

SOCKS Proxy

ssh stage.cpantesters.org -D 3000

ssh stage.cpantesters.org

-R 3000:127.0.0.1:3000

Extra Stuff

More Secure than `rsh`

More Secure than `telnet`

Run `ssh`

`ssh stage.cpantesters.org`

`ssh stage.cpantesters.org`

`-l dbell`

`ssh dbell@stage.cpantesters.org`

`ssh dbell@stage.cpantesters.org`

`~/.ssh/config`

`~/ssh_config`

`ssh-keygen`

`ssh-copy-id`

`ssh-agent`

`ssh-add`

`AddKeysToAgent yes`

`UseKeychain yes`

`ssh-add -K`

`scp -r`

`ssh stage.cpantesters.org`

`-L 3000:127.0.0.1:3000`

`ssh stage.cpantesters.org -D 3000`

`ssh stage.cpantesters.org`

`-R 3000:127.0.0.1:3000`

`ssh stage.cpantesters.org find www`

`| grep .ep`

`<Enter> ~ ?`