• Don't show basics, but neat features
• Show possibilities, but not too many details
• Compatibility
  • Everything should work with OpenSSH 4.3 (unless stated otherwise)
  • Most things also work with even older OpenSSH versions
  • Many things also work with other implementations

• Verifying Host Keys
• Making Life Easier with Onboard Features
• Tunneling is Important, not Evil
• Connected! And now?
• New in OpenSSH 6.9 and Upcoming Changes in 7.0
• Neat Tools in the SSH Ecosystem
• SSH is not only for Unix
• Restrict Usage of SSH Keys
• Links, Resources and Contact

Verifying the identity of an SSH server by its host keys

• Public Key Cryptography
• RFC 4255 (2006, Draft from 2003)
• ssh-keygen -l -f /etc/ssh/ssh_host_<algorithm>_key.pub (adds .pub automatically if omitted):

  $ ssh-keygen -l -f /etc/ssh/ssh_host_ecdsa_key
  256 fd:89:37:8e:f0:76:f0:c9:47:ee:73:31:0f:48:fe:20  root@c-cactus (ECDSA)

• GET https://db.debian.org/debian_known_hosts > ~/.ssh/known_hosts2 (~/.ssh/known_hosts and~/.ssh/known_hosts2 are both checked by default. How convenient! :-)

Verifying SSH Host Keys via DNS — DNSSEC recommended

• ssh-keygen -r <hostname>:

  $ ssh-keygen -r c-cactus.deuxchevaux.org
  c-cactus.deuxchevaux.org IN SSHFP 1 1 8270d67451d29af5b2cc3d0a00c2df20060746fa
  c-cactus.deuxchevaux.org IN SSHFP 1 2 7683a04bbd2dbbae9c6d487493c251de69100287e09fa6c72d7d74555c8a4912
  c-cactus.deuxchevaux.org IN SSHFP 2 1 f43b0e9d2367bf6cd47fb405288d7304a10a41d9
  c-cactus.deuxchevaux.org IN SSHFP 2 2 0e6b6d17e1565ec05d9c400abda79eae935e44b6a1faa22d20083d38c517f7b9

• host -t SSHFP <hostname>:

  $ host -t SSHFP www.ccczh.ch
  www.ccczh.ch is an alias for proxy.ccczh.ch.
  proxy.ccczh.ch has SSHFP record 3 1 CC60D7A88E96BDAD570EAA39CDC86FED
  proxy.ccczh.ch has SSHFP record 1 1 9BA56C02A0A82E2BED5D946413E6A62B
  proxy.ccczh.ch has SSHFP record 2 1 99C0844B0A0692EEC6601B5ACBDC81D5

• ssh -o "VerifyHostKeyDNS ask" <hostname>:

  $ ssh -o "VerifyHostKeyDNS ask" host.example.com
  […]
  Matching host key fingerprint found in DNS.
  Are you sure you want to continue connecting (yes/no)?

SSH Keys for Authentication and Authorization

• Public Key Cryptography
• ssh-keygen (only in special cases without passphrase!)
• ssh-copy-id (copies key(s) into the remote ~/.ssh/authorized_keys)
• eval `ssh-agent` (often started via Xsession)
• ssh-add
• ssh-add -l (List fingerprints) / ssh-add -L (List public key parameters)
• ssh other.computer -t -A ssh-add (Loading key from other computer into the local key agent.)

• GnuPG Agent (gpg-agent)
• GNOME Keyring
• KWallet via kwalletcli, kwalletaskpass und gpg-agent

• ssh-add -x (Lock)
• ssh-add -X (Unlock)
• ssh -A (Forward Agent)
• ssh -a (Don't forward Agent)

• Host *.deuxchevaux.org *.noone.org
    ForwardAgent yes

Transfering files with SSH

• $ scp file myaccount@computer:directory/
  file                             100%  337     0.3KB/s    00:00

  
  (Path on remote computer relative to $HOME or chroot)

• $ sftp myaccount@computer
  Connecting to rechner...
  sftp> ls
  file1 file2
  sftp> get file1
  Fetching /home/myaccount/file1 to file1
  /home/abe/file1                      100%  337     0.3KB/s   00:00
  sftp> lls
  file1 file3
  sftp> put file3
  Uploading file3 to /home/myaccount/file3
  file3                                100%   65     0.1KB/s   00:00
  sftp> quit

$EDITOR ~/.ssh/config

Host *
        HashKnownHosts no
        NoHostAuthenticationForLocalhost yes

Host sym
        HostName symlink.to.noone.org
        ForwardAgent yes
        ForwardX11Trusted yes

Host sf
        Hostname shell.sourceforge.net
        User xtaran

Host avaya
        StrictHostKeyChecking no
        UserKnownHostsFile /dev/null

$EDITOR ~/.ssh/config

# OpenSSH < 5.4
Host myhomeserver
        ProxyCommand ssh myhomegateway nc myhomeserver 22

# OpenSSH ≥ 5.4
Host myhomeserver
        ProxyCommand ssh myhomegateway -W myhomeserver:22

$EDITOR ~/.ssh/config

Host host-with-picky-firewall
        ControlMaster autoask
        ControlPath ~/.ssh-master-%l-%h-%p-%r

• Tunneling is not evil and serves your own security and privacy (Hello to the NSA! *blblblbl* :-P)
• Take care when creating tunnels into non-trustworthy countries (i.e. where the government is known to issue faked SSL certificates)
• Subtopics:
  • Applications which call ssh themselves
  • Tunneling X Applications ("DISPLAY Forward")
  • Tunneling single connections
  • SSH as SOCKS Proxy

• Often call the unencrypted rsh by default.
• rsh may be a symbolic link to ssh if rsh is not installed
• rsync -e ssh
• Many Version Control Systems (VCS) support ssh "out of the box": cvs (CVS_RSH=ssh), svn (svn+ssh://…), git, hg, etc.
• "Pre-Authenticated IMAP" (needs SSH keys)
  • mutt (.muttrc: set tunnel="ssh -q imap.example.org /etc/rimapd")
  • pine (.pinerc)

    inbox-path={imap.example.org/user=myaccount/secure}INBOX
    folder-collections=Mail {imap.example.org/user=myaccount/secure}[]
    rsh-open-timeout=0
    ssh-path=/usr/bin/ssh

  • Supported by at least UW IMAPd and Dovecot.

• Standard "forwarding" of X applications is unencrypted
• ssh can setup the right tunnel and $DISPLAY automatically. Needs xauth in the search path on the remote computer.
• -X or ForwardX11 yes
• -Y or ForwardX11 yes + ForwardX11Trusted yes (Details in ssh_config(5))
• -x or ForwardX11 no

• A connection to a local "port" will be forwarded to another port behind the remote computer (or vice versa)
• Forward ports by default only accessible from "localhost". Use -g to allow access from everywhere.
• ssh -L 8080:proxy:8080 router.at.home (Use the proxy at home from elsewhere)
• ssh -R 8000:localhost:8001 company.computer (Give a computer at work access to your local web server)
• ssh -R 8000:localhost:8001 -g company.computer (Give all computers at work access to your local web server)

Using SSH as SOCKS proxy

• ssh -D 1080 remote.computer and configure localhost:1080 as SOCKS proxy in your browser, e-mail client, other program or with tsocks.
• All TCP connections of the program will appear to come from "remote.computer".
• Attention: DNS requests (usually UDP) won't be tunnelled by default, possible with protocol SOCKS4a and higher.

• After pressing <Enter>~ nothing seems to happen.
• A tilde (~) after an Enter is the escape sequence of SSH
• ~~ results in one tilde
• ~. disconnects immediately
• ~<Ctrl-Z> stops the SSH (continue with fg)
• ~& puts the SSH in the backgound, e.g. in case there are still tunnels open after logging out.
• ~? shows the help.

• Primarily a bug fix release
• Change of the default cipher (now "chacha20-poly1305@openssh.com")
• Bruteforcing a locked ssh-agent will mitigated by delaying the password prompt after entering a wrong password.
• http://www.openssh.com/txt/release-6.9

• The default value for PermitRootLogin will change from "yes" to "no". (Debian and Ubuntu already default to "without-password".)
• Version 1 of the SSH protocol will be disabled at compile time by default.
• Support for ssh-dss host and user keys will be disabled by default.
• Several ciphers will be disabled by default: blowfish-cbc, cast128-cbc, all arcfour variants and the rijndael-cbc aliases for AES
• Refusing all RSA keys smaller than 1024 bits. (The current minimum is 768 bits.)
• See http://www.openssh.com/txt/release-6.9 for the announcement of these plans.

GNU Screen allow one (amongst other things) to continue to use shell sessions and other text mode programs (e.g. mutt, irssi, mcabber) on remote computers without the need to keep the SSH session always open.

• Starting: screen
• Starting a program with a screen session around it: screen irssi
• Detach: <Ctrl-A><Ctrl-D> (Tmux: <Ctrl-B><Ctrl-D>)
• Reattach: screen -r
• Attach here, detach the current connection: screen -r -d
• Attach here, but keep the existing connection: screen -x
• tmux is similar, but rewritten from scratch, colorful by default, misses some features, offers others.

• Tests via a pair of automatically created SSH port forwardings the availability of the connection and restarts the SSH session if necessary.
• Perfect together with GNU Screen or Tmux
• Use autossh -t computer 'screen -RD' and you will be connected to your shell again if the network connection is good again.

• SSH alternative for network connections with high latency or high packet loss.
• mosh-server needs to be installed on the server.
• No open port if unused
• Uses SSH for authentification, authorization, and for starting the server.
• Uses UDP ports 60000 to 61000 by default.
• Doesn't need to "Detach" — client and server just wait, until there is a network connection again.
• Supports only UTF-8 (no ISO-8859-*, etc.).
• Non-roaming IPv6 support from version 1.2.5 (expected soon, RC2 released recently) onwards.

• Mounts directories from computer reachable by SSH using FUSE.
• Uses the SFTP subsystem on the remote computer.
  • Doesn't work with a dropbear server — unless a 3rd party SFTP server is installed, too.
  • openssh-sftp-server available as separate package starting with Debian 8 "Jessie" and Ubuntu 14.04 LTS "Trusty"
  • mysecureshell available since Debian 8 "Jessie" and Ubuntu 15.04 "Vivid"

• sshfs computer:/home/myaccount home-on-computer
  cd home-on-computer

• Allows one to use HTTPS as well as SSH on port 443 (HTTPS).
• Automatically recognizes the protocol (SSL or SSH) and forwards the connection to the right service. (HTTPS often runs on port 442 then.)
• Helps against firewalls which forbid SSH but allow HTTPS.
• Can also be used to combine SSH with other SSL based protocols on the same port.

• Windows:
  • Cygwin: POSIX environment for Windows including OpenSSH (Client+Server)
  • Putty: Free SSH client for Windows among others
  • KiTTY: a Putty fork, more features, windows-only
  • MobaXterm: terminal, SSH client and X server in one (GPLed, but with "freemium" scheme)
  • WinSCP: Drag & Drop SCP, based on Putty, requires SFTP service.
• dropbear: Free SSH implementation (Client+Server) for embedded systems (including iPhone, AppleTV, Dreambox, many NAS and routers)
  • no SFTP backend included, but the one from OpenSSH can be used.
• PSPSSH: Free SSH client for the Sony PSP, based on dropbear
• MidpSSH: Free SSH client for MIDP/J2ME capable mobile phones
• S2Putty: Free SSH client for Symbian S60 mobile phones

• Sometimes you want to allow only access to one single program or command.
• Laborious, complicated and error-prone if done via a web service.
• command="foobar" ssh-rsa AAAAB3Nza… calls "foobar" and only "foobar" upon every login with this key
• from="computer" ssh-rsa AAAAB3Nza… allows access with this key only from the host "computer".
• no-{agent,port,X11}-forwarding ssh-rsa AAAAB3Nza… disallows misc. forwardings.
• no-pty ssh-rsa AAAAB3Nza… disallows the allocation of a pseudo terminal.

• SSH is far more than just a logging in somewhere else via command line.
• Tunneling is important, not evil.
• SSH doesn't only work with computers running Linux.

• OpenSSH: http://www.openssh.org/
• Cygwin: http://www.cygwin.com/
• Dropbear: http://matt.ucc.asn.au/dropbear/dropbear.html
• WinSCP: http://winscp.net/
• Putty: http://www.chiark.greenend.org.uk/~sgtatham/putty/
• KiTTY: http://www.9bis.net/kitty/
• MobaXterm: http://mobaxterm.mobatek.net/
• Putty for Symbian S60: http://s2putty.sf.net/
• PSPSSH: http://ur1.ca/2bw8
• MidpSSH: http://www.midpssh.org/

• kwalletcli, kwalletaskpass: https://www.mirbsd.org/kwalletcli.htm
• autossh: http://www.harding.motd.ca/autossh/
• mosh: http://mosh.mit.edu/
• Pre-Authenticated IMAP:
  https://readme.phys.ethz.ch/mail/how_to_use_email_with_pine_imap/
  https://readme.phys.ethz.ch/mail/how_to_use_email_with_mutt_imap/
• sslh: http://www.rutschle.net/tech/sslh.shtml
• This talk: http://noone.org/talks/ssh-tricks/

Thanks goes to

• Fabian Wenk for showing me -D and hence giving me the idea to this talk
• Aaron Toponce, Michael Pobega, Michael Prokop, Sven Guckes, Jörg Jaspert, Alexander Wirt, Michael Stapelberg, Raoul vom CCC ZH and Venty for tips and ideas about the talk
• Eric S. Meyer for S5

Feedback to

• Axel Beckert
• E-Mail: axel@beckert.ch