SSH Tricks

Don’t type usernames

If your username on a remote server is different from your local username, specify this in your SSH config as well:

Host www* mail
  HostName %h.example.com
  User simon

Now even though my local username is smylers, I can just do:

$ ssh www2

and SSH will connect to the simon account on the server. Again, PuTTY users can save usernames in their session config to avoid being prompted on each connection.

Resilient Connections

It can be irritating if a network blip terminates your SSH connections. OpenSSH can be told to ignore short outages (though this also means it takes longer to notice permanent outages). The precise numbers to use are a matter of preference, but putting something like this in your SSH config seems to work quite well:

TCPKeepAlive no
ServerAliveInterval 60
ServerAliveCountMax 10

If the network disappears your connection will hang, but if it then re-appears within 10 minutes (60 seconds × 10 probes) it will resume working.

Avoiding Delays

If connecting to a server seems to sit there for a few seconds not doing anything, try adding this line to your config:

GSSAPIAuthentication no

GSSAPI is an authentication method related to Kerberos. If you don’t know what it is, you almost certainly aren’t using it. But some servers are configured to attempt GSSAPI authentication, and only try other methods after a 2-second time-out. By instructing your client never to use this authentication method, the attempt, and therefore the time-out, is skipped.

And if that speeds up connecting for you, ask the server’s sys-admin to disable it in the server config, for the benefit of all users ‒ exactly the same line as above, but in /etc/ssh/sshd_config.

Jumping through servers

Sometimes you can’t make a network connection directly to the server you wish to access; you have to first SSH to an intermediate server and then on to the server you want. This can also be automated. First make sure that you have keys and agent forwarding set up so that you can SSH to the intermediate server in one command and from there to the target server in a second command, each without any prompting:

$ ssh gateway
gateway $ ssh db

Then in your local SSH config, specify that a connection to the target server should be proxied through the intermediate server, using the -W option:

Host db
  HostName db.internal.example.com
  ProxyCommand ssh gateway -W %h:%p

Then you can just do:

$ ssh db

And, after a brief pause while SSH chugs through authenticating twice, you’ll have a shell on the second server. The -W option was introduced in OpenSSH 5.4. If you have an older version you can achieve the same result with Netcat instead.

Reverse ssh tunnel with key

At the server (the machine that will be reached through the tunnel), generate a key with no passphrase (just press Enter at the passphrase prompt):

 ssh-keygen -t rsa

Create /usr/bin/tunel.sh and write:

 #!/bin/bash
 # Re-open the reverse tunnel whenever the ssh session ends
 while :
 do
     ssh -l user -R 8000:localhost:22 -N example.com
     sleep 5   # avoid a tight reconnect loop while example.com is unreachable
 done

Copy .ssh/id_rsa.pub to the client and append it to .ssh/authorized_keys there (copying the file straight over authorized_keys with scp would overwrite any keys already in it):

 cat .ssh/id_rsa.pub | ssh user@example.com 'mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys'
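The loop above hangs forever on a silently dead link and leaves the passphrase-less key free to do anything on example.com. This added script (not from the page) combines the keepalive settings from "Resilient Connections" with the reverse tunnel: ssh notices a dead link, retries with backoff, and the key is restricted on the receiving side to just this forward. REMOTE_USER, REMOTE_HOST, REMOTE_PORT and the function names are assumed placeholders.

```shell
#!/bin/sh
# Added example: keeper for the reverse tunnel described on the page.
# Placeholders (assumed, not from the page): REMOTE_USER, REMOTE_HOST, REMOTE_PORT.
REMOTE_USER="${REMOTE_USER:-user}"
REMOTE_HOST="${REMOTE_HOST:-example.com}"
REMOTE_PORT="${REMOTE_PORT:-8000}"   # port opened on example.com
LOCAL_PORT=22                        # our own sshd, as on the page

# ssh arguments for the tunnel. ServerAlive* turns a silently dead TCP link
# into an exit after interval*count (90) seconds instead of a hang;
# ExitOnForwardFailure makes ssh give up (so we retry) when a stale session
# still holds the remote port; BatchMode refuses to prompt for anything.
tunnel_args() {
    # $1 user, $2 host, $3 remote listen port, $4 local port
    printf '%s' "-N -l $1 -R $3:localhost:$4" \
        " -o ServerAliveInterval=30 -o ServerAliveCountMax=3" \
        " -o ExitOnForwardFailure=yes -o BatchMode=yes $2"
}

# Seconds to wait before reconnect attempt $1: 5, 10, 20, ... capped at 300,
# so an unreachable example.com is not hammered in a tight loop.
backoff_delay() {
    d=5; i=1
    while [ "$i" -lt "$1" ] && [ "$d" -lt 300 ]; do
        d=$((d * 2)); i=$((i + 1))
    done
    if [ "$d" -gt 300 ]; then d=300; fi
    echo "$d"
}

# authorized_keys entry for the passphrase-less key on example.com: the key
# may only open this one reverse forward (no shell, pty, agent or X11
# forwarding, no other listen ports). permitlisten needs OpenSSH 7.8+.
authorized_keys_line() {
    # $1 permitted listen port, $2 public key text
    printf 'restrict,port-forwarding,permitlisten="%s" %s\n' "$1" "$2"
}

keep_tunnel() {
    attempt=1
    while :; do
        start=$(date +%s)
        # shellcheck disable=SC2046  (splitting the argument string is intended)
        ssh $(tunnel_args "$REMOTE_USER" "$REMOTE_HOST" "$REMOTE_PORT" "$LOCAL_PORT") || true
        # A session that lasted a while was a working tunnel: restart the backoff.
        if [ $(( $(date +%s) - start )) -ge 60 ]; then attempt=1; else attempt=$((attempt + 1)); fi
        sleep "$(backoff_delay "$attempt")"
    done
}

# Only loop when explicitly asked, so the functions can also be sourced.
if [ "${1:-}" = "run" ]; then keep_tunnel; fi
```

Run it as `tunnel-keeper.sh run` from the same place the page's tunel.sh would go, and paste the output of `authorized_keys_line 8000 "$(cat .ssh/id_rsa.pub)"` into authorized_keys on example.com instead of the bare key.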

Reverse tunnel without key

At the server:

 ssh -l user -R 8000:localhost:22 -f -N example.com

At the client:

 ssh root@localhost -p 8000

last updated on April 11, 2015, 7:40 p.m.