Improve the way you work with Secure Shell
Safety First
Many Linux users employ Secure Shell to log in remotely and work as if on a local machine. But SSH can do even more – the application will send commands, route other TCP connections through an encrypted tunnel, and provide multiplexing support.
The man pages for the OpenSSH tool [1] read like novels. Most users know only a fraction of the options, and this article, too, is restricted to just a few features. It provides tips on SSH multiplexing, tunneling, and various configuration files.
On My Mark!
One of the oldest SSH tricks is to define a command that SSH runs at the opposite end when executed; this saves you time and typing. The output appears in the local terminal:
<heike@home:~$> ssh huhn@example.com pwd /home/huhn
The command displays the working directory for the user huhn
after logging onto the example.com
machine; in other words, the home directory. Multiple commands are also possible. It is important to quote the commands to make sure they really run on the remote system:
heike@home:~$ ssh huhn@example.com pwd;whoami /home/huhn heike heike@home:~$ ssh huhn@example.com 'pwd; whoami' /home/huhn huhn
If you want SSH to run commands that require user interaction on the other machine, the t
option is also necessary to start a pseudo terminal. This ensures that users remain logged in until the program is finished. In this way, you can, say, edit files with a text editor, use top
to list the active programs list, or view log files with tail-f
(Figure 1).
Well Prepared
If you juggle several accounts on remote servers that listen on different ports, or each use a different SSH key pair for authentication, you can specify the options each time you run SSH. However, you may find a separate ~/.ssh/config
configuration file (Listing 1) more convenient.
Listing 1
Setup file ~/.ssh/config
Each line contains a keyword; this is followed by one or more arguments. In addition to options that apply only to one computer (sections following host
name), global settings (host *
) are also possible. Because SSH evaluates the information in sequence, the general settings are available at the end of the file. The man page lists all the options for ssh_config
.
The example in Listing 1 contains two blocks for individual hosts. For the first computer (accessible via the alias ssh work
), it defines that the SSH server listens on port 2220. Also, the IP address is entered instead of a hostname, and the key to be used is defined, which removes the need to try out all the keys – this speeds up the connection if several key pairs are located in the ~/.ssh
directory.
The following applies for the second computer home.example.com
: It is accessible using the home
short name. CheckHostIP no
prevents matching the IP address against the ~/.ssh/known_hosts
file, which is useful for hosts with a changing, dynamically allocated IP.
In the general instructions, ServerAliveInterval 300
makes sure that the client sends a packet to the server after five minutes, to keep the connection alive and prevent a timeout. Additionally, the behavior of log is defined; users can choose from QUIET
, FATAL
, ERROR
, INFO
(standard), VERBOSE
, Debug
, DEBUG1
, DEBUG2
, and DEBUG3
.
Data compression is turned on in this case, but this is only useful for hosts where the users are faced with a slow connection.
Bundled, We Are Strong
The multiplexing feature, which can send several signals via a TCP connection ensures a speed advantage. The SSH client uses an existing connection to the SSH server, which eliminates the handshake with the opposite end. You do not save time with the first SSH session, but from the second. Users control multiplexing with two options: ControlMaster
and ControlPath
:
ssh -o ControlMaster=yes -o ControlPath=~/.ssh/control-%h_%p_%r user@example.org
The statement ControlMaster = yes
generates a master link, which other sessions with the same destination can use. ControlPath
defines the required socket, composed of the file name control
, the hostname (%h
), the port (%p
), and user name (%r
) of the target computer. For the next connection to this host, users state the socket; ControlMaster
is left at the default value (no
):
ssh -o ControlPath=~/.ssh/control-%h_%p_%r user@example.org
The second link attempts to dock onto the first. Should that fail, the SSH client establishes a normal connection as a fallback solution. Listing 2 shows the comparison with the time
for the who
command measured on the remote machine with and without multiplexing. In a small test setup, the difference is not particularly impressive, but in larger environments the feature should have a positive effect.
Listing 2
SSH without and with multiplexing
The multiplexing configuration does not need to be enabled with -o
; you can also do this in the SSH setup file. Besides the instructions, ControlMaster
and ControlPath
users can optionally define ControlPersist
here; this determines how long the master connection waits for clients in the background after the first connection is done. Users can enter either no
(master does not wait), yes
(master waits forever) or a period of time in seconds. Listing 3 gives you an example.
Listing 3
Multiplexing settings in ~/.ssh/config
By the way, it is not only SSH clients that benefit from the multiplexing feature, but also scp
, rsync
, git,
and other commands that use the SSH protocol.
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
TUXEDO Computers Unveils Linux Laptop Featuring AMD Ryzen CPU
This latest release is the first laptop to include the new CPU from Ryzen and Linux preinstalled.
-
XZ Gets the All-Clear
The back door xz vulnerability has been officially reverted for Fedora 40 and versions 38 and 39 were never affected.
-
Canonical Collaborates with Qualcomm on New Venture
This new joint effort is geared toward bringing Ubuntu and Ubuntu Core to Qualcomm-powered devices.
-
Kodi 21.0 Open-Source Entertainment Hub Released
After a year of development, the award-winning Kodi cross-platform, media center software is now available with many new additions and improvements.
-
Linux Usage Increases in Two Key Areas
If market share is your thing, you'll be happy to know that Linux is on the rise in two areas that, if they keep climbing, could have serious meaning for Linux's future.
-
Vulnerability Discovered in xz Libraries
An urgent alert for Fedora 40 has been posted and users should pay attention.
-
Canonical Bumps LTS Support to 12 years
If you're worried that your Ubuntu LTS release won't be supported long enough to last, Canonical has a surprise for you in the form of 12 years of security coverage.
-
Fedora 40 Beta Released Soon
With the official release of Fedora 40 coming in April, it's almost time to download the beta and see what's new.
-
New Pentesting Distribution to Compete with Kali Linux
SnoopGod is now available for your testing needs
-
Juno Computers Launches Another Linux Laptop
If you're looking for a powerhouse laptop that runs Ubuntu, the Juno Computers Neptune 17 v6 should be on your radar.