General Tips and Traps
- The permissions of the directory `~/.ssh` and its contents, on both the local machine and the remote server, must be set correctly for SSH login via public key to work. A good practice is to set the permission of `~/.ssh` to `700` (on both the local machine and the remote server) and the permissions of the files under `~/.ssh` to `600`.
- SSH automatically maintains and checks a database containing the identification of every host it has ever been used with. Host keys are stored in `~/.ssh/known_hosts` in the user's home directory. Additionally, the file `/etc/ssh/ssh_known_hosts` is automatically checked for known hosts. Any new hosts are automatically added to the user's file. If a host's identification ever changes, SSH warns about this and disables password authentication to prevent server spoofing or man-in-the-middle attacks, which could otherwise be used to circumvent the encryption. The option `-o StrictHostKeyChecking=no` can be used to turn off strict host key checking (for both new host keys and changed host keys):

  ```
  ssh -o StrictHostKeyChecking=no your_server
  ```

  You can also turn off strict host key checking permanently by adding the following line to `~/.ssh/config`:

  ```
  StrictHostKeyChecking no
  ```

  This is helpful for automation when you are in a safe environment (e.g., a private VPN). However, be aware of the risk and avoid using it in public environments. For more details, please refer to ssh(1) - Linux man page and SSH: Disable Host Checking for Scripts & Automation.
- You can use the option `-o ProxyCommand='ssh proxy_server -W %h:%p'` to SSH into a machine via a proxy server. Below is an illustration. For more details, please refer to SSH Proxies and Jump Hosts.

  ```
  ssh -o ProxyCommand='ssh proxy_server -W %h:%p' target_server
  ```
- When using `sshfs` and `fuse`, make sure to add your user account to the `fuse` group:

  ```
  gpasswd -a $(id -un) fuse
  newgrp fuse
  ```
- It is suggested that you do not set any password for your SSH keys. First, setting passwords for SSH keys defeats the purpose of using SSH keys. Second, setting passwords for SSH keys might cause problems for other applications that rely on SSH (e.g., keyring management, cron jobs, duplicity, etc.).
- You can use SSH to run commands on a remote server in non-interactive mode. For example, the following command logs into a server named `vm1.example.com` using SSH and then uses `rsync` to synchronize the directory `/workdir/` on the server `vm2.example.com` to the directory `/workdir/` on the server `vm1.example.com` (which is the local machine from `rsync`'s point of view):

  ```
  ssh vm1.example.com rsync -avh --info=progress2 --delete vm2.example.com:/workdir/ /workdir/ \
      > backup.log 2> backup.err
  ```
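As an added example (not part of the original post) of the permission rule from the first tip above, the following POSIX shell functions audit an SSH directory for the recommended modes (700 for the directory, 600 for every regular file inside it) and apply them when asked. The directory argument is an assumption for testing on a scratch copy; it defaults to `~/.ssh`.

```shell
#!/bin/sh
# Added example: audit and fix ~/.ssh permissions as recommended above
# (directory 0700, every regular file inside it 0600).
#
# ssh_perm_audit [dir]  prints one line per offending path; returns 0 when
#                       everything is correct, 1 when something is wrong,
#                       2 when the directory does not exist.
# ssh_perm_fix   [dir]  applies the recommended modes.
# Both default to $HOME/.ssh when no directory is given (dir is an assumption
# so the functions can be exercised on a scratch directory).

ssh_perm_audit() {
    dir="${1:-$HOME/.ssh}"
    if [ ! -d "$dir" ]; then
        echo "$dir: not a directory" >&2
        return 2
    fi
    bad=0
    # The directory itself must be exactly rwx------ (0700). A group- or
    # world-writable directory makes sshd (StrictModes) reject authorized_keys.
    if [ -n "$(find "$dir" -maxdepth 0 ! -perm 700)" ]; then
        echo "BAD dir  (want 700): $dir"
        bad=1
    fi
    # Every regular file beneath it must be exactly rw------- (0600);
    # ssh refuses to use a private key readable by others. -perm 600 with no
    # prefix matches the mode bits exactly.
    badfiles=$(find "$dir" -type f ! -perm 600)
    if [ -n "$badfiles" ]; then
        printf '%s\n' "$badfiles" | sed 's/^/BAD file (want 600): /'
        bad=1
    fi
    return "$bad"
}

ssh_perm_fix() {
    dir="${1:-$HOME/.ssh}"
    [ -d "$dir" ] || return 2
    chmod 700 "$dir" || return 1
    # -exec ... + copes with names containing spaces and with an empty directory.
    find "$dir" -type f -exec chmod 600 {} + || return 1
    return 0
}
```

Run `ssh_perm_audit` on both ends of a connection that refuses key login before debugging anything else; it is the cheapest check to make.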
Multiplexing / ControlMaster
- The `ControlMaster auto` option can be used to allow SSH to reuse an existing connection. The `ControlPersist yes` option goes one step further and keeps a connection open once it is established. This means that there will essentially be one long-term SSH connection to each host. These two options together are a very good way to avoid frequent SSH logins, especially when you have to rely on bastion servers to log in (e.g., in an enterprise environment). Notice that you must also specify a `ControlPath` if you use `ControlMaster`. For more discussion, please refer to How To Reuse SSH Connection To Speed Up Remote Login Process Using Multiplexing.

  ```
  Host *
      # ControlMaster: persist connections for reuse
      ControlPath ~/.ssh/control/%r@%h:%p
      ControlMaster auto
      ControlPersist yes
      # SendEnv LANG LC_*
      HashKnownHosts yes
      GSSAPIAuthentication yes
      GSSAPIDelegateCredentials no
      # keep the connection alive
      ServerAliveInterval 10
      ServerAliveCountMax 3
  ```
- There are some potential drawbacks to having `ControlMaster` turned on, though, mainly due to limited bandwidth, since every session to a host shares the one multiplexed connection. This is, generally speaking, not really an issue unless you transfer huge amounts of data over SSH. For more discussion, please refer to SSH ControlMaster: The Good, The Bad, The Ugly.
References

- How To Reuse SSH Connection To Speed Up Remote Login Process Using Multiplexing
- SSH ControlMaster: The Good, The Bad, The Ugly
- https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Proxies_and_Jump_Hosts
- https://www.cyberciti.biz/faq/linux-unix-ssh-proxycommand-passing-through-one-host-gateway-server/
- https://stackoverflow.com/questions/22635613/what-is-the-difference-between-ssh-proxycommand-w-nc-exec-nc