ssh

SSH, the secure shell, is the Swiss army knife of the internet. It lets you shunt data from one place to another with little fuss. There are similar tools that are even less fuss (telnet, rsh and their relatives), but they send everything, passwords included, in the clear and should not be used.

I am writing from the perspective of someone using ssh as a client, not maintaining a server.

Extra security

One should probably secure ssh. If you want to be extra sensible, secure it to modern cryptography standards: elliptic-curve keys and key exchange (Ed25519, Curve25519) and sane defaults that are believed to be less vulnerable to the more quotidian NSA attacks. (With these settings you are still screwed if cheap quantum computers become a thing, since Shor’s algorithm breaks elliptic-curve discrete logs just as it breaks RSA factoring, but let us set that aside for now.)

tl;dr

ssh-keygen -t ed25519 -o -a 100        # preferred: an Ed25519 key, no parameter choices to get wrong
ssh-keygen -t rsa -b 4096 -o -a 100    # fallback for servers that cannot do Ed25519
# -o: new OpenSSH private-key format (the default since OpenSSH 7.8); -a 100: bcrypt KDF rounds on the passphrase
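The client-side counterpart of those key choices is a hardened ~/.ssh/config that refuses the weak algorithms a server might otherwise negotiate. This is an added example, not a fragment from the page’s sources; the key file names are placeholders, and the algorithm lists assume an OpenSSH client of 7.x or later (older clients abort on algorithm names they do not know).

```sshconfig
# ~/.ssh/config (added example; file names are placeholders)

Host *
    # Offer only the keys named here, not everything the agent holds.
    # Stops a malicious server from enumerating your identities.
    IdentitiesOnly yes
    IdentityFile ~/.ssh/id_ed25519
    IdentityFile ~/.ssh/id_rsa

    # Key exchange: Curve25519 only (the @libssh.org name is the older alias).
    KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org

    # AEAD ciphers first; CTR modes only as a fallback for old servers.
    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr

    # Encrypt-then-MAC variants only (these matter for the CTR ciphers; the AEADs ignore MACs).
    MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com

    # Accept Ed25519 host keys, or RSA with SHA-2 signatures; never ssh-rsa (SHA-1) or DSA.
    HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256

    # Hide which hosts you talk to if ~/.ssh/known_hosts is stolen.
    HashKnownHosts yes
```

Check what your build actually supports with `ssh -Q kex`, `ssh -Q cipher`, `ssh -Q mac` and `ssh -Q key` before pasting; a name that is not in those lists makes ssh refuse to start. OpenSSH 9.0 and later default to the hybrid post-quantum exchange sntrup761x25519-sha512@openssh.com; prepending it to KexAlgorithms gets you the quantum hedge set aside above, provided both ends are new enough.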

ssh-agent

Starting ssh-agent on startup, but not if it’s already running? See Joseph M. Reagle’s solution:

SSH_ENV="$HOME/.ssh/environment"

function start_agent {
    echo "Initialising new SSH agent…"
    # ssh-agent prints shell commands; comment out its "echo Agent pid" line
    # and save the rest so later shells can source it
    /usr/bin/ssh-agent | sed 's/^echo/#echo/' > "${SSH_ENV}"
    echo succeeded
    chmod 600 "${SSH_ENV}"
    . "${SSH_ENV}" > /dev/null
    /usr/bin/ssh-add;
}

# Source SSH settings, if applicable

if [ -f "${SSH_ENV}" ]; then
    . "${SSH_ENV}" > /dev/null
    # ps ${SSH_AGENT_PID} doesn't work under cygwin, so grep the process list instead
    ps -ef | grep "${SSH_AGENT_PID}" | grep ssh-agent$ > /dev/null || {
        start_agent;
    }
else
    start_agent;
fi
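As an added example (my code, not Reagle’s script), here is the shorter version a modern OpenSSH allows. ssh itself only looks at $SSH_AUTH_SOCK, and `ssh-add -l` reports through its exit status whether an agent is reachable, so the pid file and the ps/grep dance can go. The 8-hour key lifetime is an assumption of mine, not something the page prescribes.

```shell
# Added example: start ssh-agent only when no usable agent is reachable.
# Relies on the documented exit status of `ssh-add -l`:
#   0 = agent reachable and holds identities
#   1 = agent reachable but empty
#   2 = no agent reachable
# Anything else (e.g. 127 when ssh-add is missing) is "unknown", so we
# never silently spawn a second agent on a broken system.

# Pure helper: map an exit status to a state word. Kept separate from the
# probe so it can be exercised without a live agent.
classify_agent_exit() {
    case "$1" in
        0) echo loaded ;;
        1) echo empty ;;
        2) echo absent ;;
        *) echo unknown ;;
    esac
}

# Probe whatever agent $SSH_AUTH_SOCK points at (SSH_AGENT_PID is irrelevant
# to clients, which is why the older script's ps check is unnecessary).
agent_state() {
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    classify_agent_exit "$rc"
}

# Start an agent and load keys only when needed. Identities get a lifetime
# (-t, 8h is an assumed value) so a hijacked session cannot use them forever.
ensure_agent() {
    case "$(agent_state)" in
        absent)
            eval "$(ssh-agent -s)" >/dev/null
            ssh-add -t 8h ;;
        empty)
            ssh-add -t 8h ;;
    esac
}
```

Call `ensure_agent` from your shell startup file. With `AddKeysToAgent yes` in ~/.ssh/config you can drop the ssh-add lines entirely: ssh loads a key into the agent the first time it uses it.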

I am unclear as to how much of this can be avoided for a modern setup.

ssh-agent and macOS

How does ssh-agent work with the macOS keychain? Should it be permitted to do so, or is that inviting hostile actors in?

Things are weird on macOS because you can store keys in ssh-agent, or in the macOS keychain, or in some weird hybrid configuration that makes my eyes cross. Apple’s explanation is sorta clear and at least current. GitHub has an opinion on it. Old macOS SSH behaviour, for the vexed.
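The hybrid in question is two ssh_config options, shown here as an added example rather than a fragment of Apple’s or GitHub’s documentation; the key file name is a placeholder.

```sshconfig
# ~/.ssh/config on macOS (added example)
Host *
    # Hand keys to the agent on first use instead of at login.
    AddKeysToAgent yes
    # Apple-only option: read the passphrase from the login keychain, and store
    # it there after you type it once. The passphrase is then protected by
    # your login password, not by anything you type per session.
    UseKeychain yes
    IdentityFile ~/.ssh/id_ed25519
```

On the threat question: once a key is loaded into ssh-agent, any process running as you can sign with it regardless of where the passphrase lives, so UseKeychain mostly changes what survives a reboot, not who can use the key in an unlocked session. Apple’s ssh-add takes `--apple-use-keychain` to store a passphrase and `--apple-load-keychain` to reload keys from it (the older spellings were -K and -A).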

SSH as VPN

sshuttle (manual) is a VPN-workalike built on SSH. As far as I can tell it’s easy for both client and server to set up a VPN this way, so I’m not sure why it is not more common. Possibly because handing out SSH shells on various servers is itself easy to make insecure for the server? Anyway, if you have a login, you might as well use it.

Installation options:

pip install sshuttle
brew install sshuttle
# etc

Run:

# -r: the SSH login to tunnel through; 0/0: route all IPv4 traffic; --dns: send DNS queries through too
sshuttle --dns -r username@sshserver 0/0

Terminal multiplexers

screen, tmux etc.

Amazingly handy for remote admin: a dropped connection no longer kills the job you were running.

See terminal multiplexers.

Over https

The classic is corkscrew, which tunnels SSH through an HTTP CONNECT proxy, e.g. past hostile web-only firewalls at the airport.

Tunnels

sshtunnelmanager (macOS) assembles the right command-line arguments for you to make tunnels without having to check the manual every time.

ProxyJump (-J) is a magical one-flag way to hop through a bastion: ssh logs in to the jump host, has it open a TCP connection to the internal host, and then runs a second, end-to-end encrypted SSH session over that, so the jump host relays ciphertext only.

ssh -J your.jump.host remote.internal.host

or

scp -o 'ProxyJump your.jump.host' myfile.txt remote.internal.host:/my/dir
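Both the corkscrew trick above and ProxyJump are nicer as ~/.ssh/config entries, so that plain ssh, scp and rsync all pick them up. This is an added example, not taken from the page’s sources; every host name and port is a placeholder.

```sshconfig
# ~/.ssh/config (added example; host names and ports are placeholders)

# One hop: `ssh remote.internal.host` now does the -J dance by itself.
Host remote.internal.host
    ProxyJump your.jump.host

# Two hops, jump hosts listed in order; each may be user@host[:port]
# or the name of another Host entry in this file.
Host deep.internal.host
    ProxyJump your.jump.host,remote.internal.host

# The pre-OpenSSH-7.3 spelling of ProxyJump: ssh -W forwards stdio
# to the target's port on the jump host.
Host legacy.internal.host
    ProxyCommand ssh -W %h:%p your.jump.host

# corkscrew: reach an SSH server through an HTTP CONNECT proxy
# (here proxy.example.com:3128) when only web ports get out.
Host outside.example.net
    ProxyCommand corkscrew proxy.example.com 3128 %h %p
```

In all four cases the jump host or proxy sees only the encrypted session to the final host, so there is no need for ForwardAgent on the intermediate hop; leave it off. `ssh -v` shows each hop being set up if something goes wrong.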

Alternatives/extensions

mosh ("mobile shell") is a remote shell for intermittent connections: it runs over UDP, survives changing networks and laptop sleep, and echoes your typing locally while the link is slow.

How is mosh better than tmux + ssh, though? I need a Venn diagram of features here.

Enterprise ssh? teleport.

To mention

  • ssh-copy-id is a magical command to deploy your public keys to remote servers: it appends them to the remote ~/.ssh/authorized_keys so you never paste a key by hand.