Another thing worth mentioning is your ssh config file. Many people seem to forget about this, and if you find yourself using ssh on a daily basis, it's well worth setting up some things like ControlMasters and aliases.
I wrote an
article on ssh tips a while ago. I'm not generally a fan of blog spam, so feel free to not click on that link. I'll paste the important bits here:
general aliasing and host configuration
You can break down each host entry into a single configuration stanza. Within this stanza you can pass specific configuration options on a per-host basis. For example:
will alias "myhost" to whatever you specify for the Hostname parameter, so if you type the command ssh user@myhost it will connect you to that hostname.
specifies the IP you want bound to the name used in Host.
Code:
IdentityFile ~/.ssh/id_rsa
is the path to whichever private key you wish to use for that connection
User nate is the user with which you wish to establish the session.
All together now:
Code:
Host myhost
Hostname 10.0.0.1
IdentityFile ~/.ssh/config
User nate
This will set an alias, the private key, and the user for this specific host. This means that when you want to connect to the specified host, with the specified key, as the specified user, all you have to do is type ssh myhost. Keep in mind that you can also specify Port if some of your hosts are on non-standard ports.
Protip:
Code:
Host github.com
IdentityFile ~/.ssh/github.key
re-using connections
This is a pretty neat trick if you're not too far away from your servers latency-wise. Instead of opening up a socket every time you create an additional ssh session into a server, you can configure ssh to just re-use the background connection you've already established. No password prompts, or authentication handshaking, you just drop right in to the encrypted connection established by your initial session. Here's how:
Code:
Host *
ControlMaster auto
ControlPath ~/.ssh/control/%h-%l-%p
ControlPersist 600
The first line tells ssh to open the "initial" sockets as needed, and fall back to a normal connection if something breaks.
The second line is where your connection sockets will reside. Each file will be named for the connection's hostname-username-port.
The third line tells your "initial" connections how long to remain idle for before terminating. In the example above, it's 10 minutes. The default is for them to just remain open as long as you retain network connectivity, which is great if you have five servers, but if you're working on hundreds per day, you're gonna end up with a whole lot of ssh processes on your local machine.
If for some weird reason you need to be more of a control freak, you can be more specific by wrapping the ControlPath into a per-host stanza (as seen above).
jump hosts
Picture this:
Code:
[localhost]---[webserver]---[CDN]
The CDN is in a DMZ which can only be accessed via the webserver's network range; a range your localhost doesn't share. How do you gain ssh access to the CDN from your localhost when you don't have the routing for it? You use the webserver as a jump host. This is pretty much the same as sshing into the webserver, and then sshing into the CDN. Unless you want to access it via HTTP...
Code:
ssh -L 8888:cdn.derp.com:80 webserver.derp.com
Using our friendly -L flag we learned about earlier, we can forward a local port through an intermediary and on to destination port 80 on the CDN. Thus, if you open your web browser and go to
http://localhost:8888, you should be presented with the webserver on the CDN itself.
You could add this to your ssh config, but I tend to chop and change ports on a regular basis and don't want something static. So for your homework, go and do some reading up on the ssh config parameter ProxyCommand to find out the most dynamic way to configure a host stanza for a jump host that is able to forward various ports.
