Behold SSH !
If you are working in Unix-Like environment(*nix), It’s very unlikely that you you haven’t heard about ‘SSH’ [ Secure Shell ]. With the advent of public cloud infrastructures, full control on your purchased server instance may not be possible without SSH. I work in *nix cluster farms where ‘SSH’ is fundamental and part of necessities. Though it’s fundamental, it doesn’t mean or enforce on its own the proper, efficient and safe usage.
Most of the work on SSH are done in ‘quick-and-dirty’ fashion. Some quick tasks like.
- Generate password less SSH
- Login for X11 forwarding
- File transfer (scp/sftp)
- Port forwarding
Though this things gets our work done, there are vast things to improve upon.
This improvements will bring efficiency and security.
Before you scratch your head for the bottom line, Let me put forward a ‘ssh’ questionnaire.
- What is OpenSSH ?
- How you can trust any host on network, what’s the proof that its the intended host you have to connect ?
- How can you select the encryption algorithms for any connection ?
- How can you enforce your users to use key-based (passphrase protected) logins with the help of ssh-agent, which remembers the passphrase till the user shutdowns the machine ?
- Why do you use ‘-X’ or ‘-Y’ for X11 forwarding, what difference they make ?
- How you can debug SSH safely without interrupting already running process ?
- How you can allow all users in particular group except the one who may you dislike or left your organization ?
- How can you safely (if not secretly) download a file from your ftp over ssh encrypted channels ?
- How can you allow root logins on private network but not over Internet ?
- How can you reduce the new connection times for already connected hosts ?
- How can you safely hide the hosts information in your ‘known_hosts’ (if incase your host is compromised.)
- How to reuse your private key on one host to authenticate on other hosts which have your public key ?
- How to restrict the ssh connection to run only limited commands (for automated jobs like backup or monitoring) ?
- When and where to use each port forwarding (Local, Remote, Dynamic) ?
- How to retain your connections in case of Idle times in a session (useful in port forwarding scenarios, where data transmissions are not continuous) ?
- Do you know you can create VPN tunnel over your SSH to forward all traffic, including TCP/IP or any other protocols.
If you know answers for atleast 30% of above questions, well you need a pat on your shoulder. But unsurprisingly it’s not the case, most of the system administrators use ‘ssh’ without its awesome powers. All the above questions can be searched online for answers in no time.
When you are typing your next ssh connection, ask yourself following questions.
- Where is the finger-print of the host i’m connecting now, is it matching with the shared finger-print from the admin of other host.
- Why I’m not using key-based login with passphrase protection
- How can I avoid typing passphrases again and again for multiple connections in a active session of your desktop.
- How can I gain full X11 support for the application on remote server.
- If someone steals your login key, how to recover or regenerate.
In any case whether you are a user of ssh (client) or a manager of sshd (server), you be aware that there is vast options (powers, if you use them properly) at your disposal.