Friday Nov 08, 2013

Oracle Linux Tips and Tricks: Using SSH

Out of all of the utilities available to systems administrators, ssh is probably the most useful of them all. Not only does it allow you to log into systems securely, but it can also be used to copy files, tunnel IP traffic and run remote commands on distant servers. It is truly the Swiss army knife of systems administration. Secure Shell, also known as ssh, was developed in 1995 by Tatu Ylönen after the University of Technology in Finland suffered a password sniffing attack. Back then it was common to use tools like rcp, rsh, ftp and telnet to connect to systems and move files across the network. The main problem with these tools is that they provided no security and transmitted data in plain text, including sensitive login credentials. SSH provides this security by encrypting all traffic transmitted over the wire, which protects against password sniffing attacks.

One of the more common use cases involving SSH is found when using scp. Secure Copy (scp) transmits data between hosts using SSH and allows you to easily copy all types of files.

The syntax for the scp command is:

scp /pathlocal/filenamelocal remoteuser@remotehost:/pathremote/filenameremote

In the following simple example, I copy a file named myfile from the system test1 to the system test2. I am prompted to provide valid user credentials for the remote host before the transfer will proceed. If I were only using ftp, this information would be unencrypted as it went across the wire. However, because scp uses SSH, my user credentials and the file and its contents are confidential and remain secure throughout the transfer.

[user1@test1 ~]# scp /home/user1/myfile user1@test2:/home/user1
user1@test2's password: 
myfile                                    100%    0     0.0KB/s   00:00

You can also use ssh to carry other network traffic and take advantage of the encryption built into ssh to protect that traffic over the wire. This is known as an ssh tunnel. In order to use this feature, the server that you intend to connect to (the remote system) must have TCP forwarding enabled within the sshd configuration. To enable TCP forwarding on the remote system, make sure AllowTcpForwarding is set to yes in the /etc/ssh/sshd_config file:

AllowTcpForwarding yes

Once you have this configured, you can connect to the server and set up a local port to which you can direct traffic that will then travel over the secure tunnel. The following command sets up a tunnel on port 8989 on your local system. You can then point a web browser at this local port, so that its traffic goes through the encrypted tunnel to the remote system. It is important to select a local port that is not already in use by a service and is not restricted by firewall rules. In the following example, -D sets up local dynamic, application-level port forwarding and -N tells ssh not to execute a remote command.

ssh -D 8989 -N

You can also forward specific ports on both the local and remote host. The following example will setup a port forward on port 8080 and forward it to port 80 on the remote machine.

ssh -L

You can even run remote commands via ssh, which is quite useful for scripting or remote system administration tasks. The following example shows how to log in remotely and execute the command ls -la in the home directory of the remote machine. Because ssh encrypts the traffic, the login credentials and the output of the command are completely protected while they travel over the wire.

[user1@test1 ~]$ ssh user1@test2 'ls -la'
user1@test2's password: 
total 24
drwx------  2 user1 user1 4096 Sep  6 15:17 .
drwxr-xr-x. 3 root   root   4096 Sep  6 15:16 ..
-rw-------  1 user1 user1   12 Sep  6 15:17 .bash_history
-rw-r--r--  1 user1 user1   18 Dec 20  2012 .bash_logout
-rw-r--r--  1 user1 user1  176 Dec 20  2012 .bash_profile
-rw-r--r--  1 user1 user1  124 Dec 20  2012 .bashrc

You can execute any command contained in the quotation marks as long as the user account you log in with has permission to run it. This can be very powerful and useful for collecting information for reports, remotely controlling systems and performing systems administration tasks using shell scripts.

To make your shell scripts even more useful and to automate logins, you can use ssh keys to run commands remotely and securely without the need to enter a password. You accomplish this with key based authentication. The first step in setting up key based authentication is to generate an ssh key pair on the system that you wish to log in from. In the following example you are generating an ssh key on a test system. In case you are wondering, this key was generated on a test VM that was destroyed after this article.

[user1@test1 .ssh]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user1/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/user1/.ssh/id_rsa.
Your public key has been saved in /home/user1/.ssh/
The key fingerprint is:
7a:8e:86:ef:59:70:ef:43:b7:ee:33:03:6e:6f:69:e8 user1@test1
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|  . .            |
|   o .           |
|    . o o        |
|   o o oS+       |
|  +   o.= =      |
|   o ..o.+ =     |
|    . .+. =      |
|     ...Eo       |

Now that you have the key generated on the local system, you should copy the public key to the target server into a temporary location. The user's home directory is fine for this.

[user1@test1 .ssh]$ scp user1@test2:/home/user1
user1@test2's password:                 

Now that the file has been copied to the server, you need to append it to the authorized_keys file. This should be appended to the end of the file in the event that there are other authorized keys on the system.

[user1@test2 ~]$ cat >> .ssh/authorized_keys

Once the process is complete you are ready to login. Since you are using key based authentication you are not prompted for a password when logging into the system.  

[user1@test1 ~]$ ssh test2
Last login: Fri Sep  6 17:42:02 2013 from test1

This makes it much easier to run remote commands. Here’s an example of the remote command from earlier. With no password it’s almost as if the command ran locally.

[user1@test1 ~]$ ssh test2 'ls -la'
total 32
drwx------  3 user1 user1 4096 Sep  6 17:40 .
drwxr-xr-x. 3 root   root   4096 Sep  6 15:16 ..
-rw-------  1 user1 user1   12 Sep  6 15:17 .bash_history
-rw-r--r--  1 user1 user1   18 Dec 20  2012 .bash_logout
-rw-r--r--  1 user1 user1  176 Dec 20  2012 .bash_profile
-rw-r--r--  1 user1 user1  124 Dec 20  2012 .bashrc

As a security consideration, it's important to note the permissions of the .ssh directory and the authorized_keys file. .ssh should be 700 and authorized_keys should be 600. This prevents other users on the system from reading or tampering with your ssh keys, and sshd will refuse key based logins if these files are writable by others.
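Here is an added example (not from the original post) that scripts the two manual steps above, appending the public key to authorized_keys only once and enforcing the 700/600 modes, with a check function you can run on an existing account. The .ssh directory is passed as a parameter so it can be exercised on a scratch directory first; it assumes GNU coreutils stat, as shipped with Oracle Linux.

```shell
#!/bin/sh
# Added example, not from the original post: append a public key to
# authorized_keys exactly once and enforce the modes the post calls out
# (.ssh must be 700, authorized_keys must be 600). The .ssh directory is a
# parameter so the functions can be exercised against a scratch directory.
# Assumes GNU coreutils stat (-c '%a'), as shipped with Oracle Linux.

# check_ssh_perms DIR: succeed only if DIR is 700 and DIR/authorized_keys is 600.
check_ssh_perms() {
    dir_mode=$(stat -c '%a' "$1") || return 1
    file_mode=$(stat -c '%a' "$1/authorized_keys") || return 1
    [ "$dir_mode" = "700" ] && [ "$file_mode" = "600" ]
}

# install_pubkey PUBKEY_FILE DIR: append the key to DIR/authorized_keys unless
# the same key material is already listed, then tighten the modes.
# Matching on the second field (the base64 key) ignores the trailing comment,
# so the same key with a different "user@host" comment is not added twice.
install_pubkey() {
    pubkey_file=$1
    auth="$2/authorized_keys"
    key_blob=$(awk 'NR == 1 { print $2 }' "$pubkey_file")
    if [ -z "$key_blob" ]; then
        echo "no key material found in $pubkey_file" >&2
        return 2
    fi
    mkdir -p "$2" && chmod 700 "$2" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1
    if grep -qF -- "$key_blob" "$auth"; then
        echo "key already present in $auth, not appending" >&2
        return 0
    fi
    cat "$pubkey_file" >> "$auth"
}

# count_keys DIR: number of key lines in DIR/authorized_keys (blank and
# comment lines are skipped). grep -c prints 0 when there are none.
count_keys() {
    grep -cvE '^[[:space:]]*(#|$)' "$1/authorized_keys"
}
```

On the target server, `install_pubkey ~/id_rsa.pub ~/.ssh` replaces the manual cat >> step, and `check_ssh_perms ~/.ssh` can be dropped into an audit script.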

An even easier way to move keys back and forth is to use ssh-copy-id. Instead of copying the file and appending it manually to the authorized_keys file, ssh-copy-id does both steps at once for you. Here's an example of moving the same key using ssh-copy-id. The -i in the example lets us specify the path to the identity file, which in this case is /home/user1/.ssh/

[user1@test1]$ ssh-copy-id -i /home/user1/.ssh/ user1@test2

One of the last tips that I will cover is the ssh config file. By using the ssh config file you can setup host aliases to make logins to hosts with odd ports or long hostnames much easier and simpler to remember. Here’s an example entry in our .ssh/config file.

Host dev1
Port 28372
User somereallylongusername12345678

Let’s compare the login process between the two. Which would you want to type and remember?

ssh somereallylongusername12345678@ -p 28372

ssh dev1
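As an added example (not from the original post), here is a fuller .ssh/config that keeps the dev1 alias above and adds a second alias carrying the key and the two forwards described earlier; dev1.example.com is a placeholder hostname, since the post does not give one.

```ssh_config
# Added example, not from the original post. Settings shared by both aliases:
# "dev1.example.com" is a placeholder for the real host.
Host dev1 dev1-tunnel
    HostName dev1.example.com
    Port 28372
    User somereallylongusername12345678
    # Use only the key generated earlier, not every key the agent holds
    IdentityFile ~/.ssh/id_rsa
    IdentitiesOnly yes

# Forwards are opened only when you connect as "dev1-tunnel", so a plain
# "ssh dev1" does not fail if local port 8080 or 8989 is already in use.
Host dev1-tunnel
    # Same as: ssh -L 8080:localhost:80 dev1  (local 8080 -> port 80 on the remote)
    LocalForward 8080 localhost:80
    # Same as: ssh -D 8989 dev1  (dynamic, application-level forward on 8989)
    DynamicForward 8989
```

With this file, `ssh -N dev1-tunnel` opens both forwards without running a remote command, and `ssh dev1 'ls -la'` behaves exactly as in the earlier examples.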

I hope you find these tips useful. There are a number of tools used by system administrators to streamline processes and simplify workflows, and whether you are new to Linux or a longtime user, I'm sure you will agree that SSH offers useful features that can be used every day. Send me your comments and let us know the ways you use SSH with Linux. If you have other tools you would like to see covered in a similar post, send in your suggestions.

Oracle Linux Friday Spotlight - November 8, 2013

Happy Friday, everyone!

This week, I want to highlight a really wonderful resource, the Oracle Linux Wiki on You can find a lot of in-depth technical information there and it’s probably worthy of a bookmark to check in on occasionally.

One of my favorite types of content on the wiki is the do-it-yourself hands-on labs. We run these at in-person events like Oracle OpenWorld and also online for our Virtual SysAdmin Days, and those are great because you can get real-time assistance if you have any questions. But if you're eager to learn more about Oracle Linux and don't want to wait for one of those events, you can step through these labs in your own time. All of the information you need is on the wiki.

We’ll see you next week!
