SSH, more than a secure shell

SSH (Secure Shell) is a protocol for securely accessing remote computers, much as Telnet does, but using encryption so that the connection stays confidential, which matters especially when the computer performs an important function within a network or organization.

Generally, to log in we provide our username and the address of the computer, and the SSH server then asks us for the access password:

ssh usuario@equiporemoto

From the moment the client initiates the first connection between us and the remote computer, the information already travels protected, preventing someone from capturing our credentials for that computer. SSH is, however, a very adaptable protocol that offers us many more possibilities.

SCP

The first is transferring files between the client and the remote computer without setting up an FTP or NFS server, simply using SCP (Secure CoPy), which most SSH servers implement:

scp archivo.tar.gz usuario@equiporemoto:/home/usuario
scp usuario@equiporemoto:/var/log/messages messages.txt

SSH Tunneling

This feature is very useful, since it lets us send and receive traffic that is not necessarily shell commands between the client and the remote computer, for example ordinary web browsing. If you cannot guess what use that has, consider the following: you need to reach a page, but the network you are on has a firewall that blocks precisely that page, so we can tunnel through a remote computer that does not have that block and browse the page through our SSH session:

ssh -D 8888 usuario@equiporemoto

Once connected, our SSH client 'listens' on port 8888 as a proxy server, so we can configure our browser to use it and all traffic is transmitted through the SSH session.


Another example that comes to mind is when a geographic restriction prevents us from accessing a web service from where we are: through the tunnel, the web service sees the IP of our remote server as the source rather than our client's IP. In this respect it is somewhat equivalent to a VPN (Virtual Private Network).

Reverse SSH

If for some reason we need to access a computer that is behind a firewall and we cannot redirect SSH traffic to it, we can do a 'reverse SSH': that computer connects to another SSH server that we can also reach, and through it we access the computer behind the firewall. An example that comes to mind is wanting to help a friend who has no idea how to configure port forwarding on his modem, when we need to access his computer remotely:

Friend -> Modem -> SSH Server <- Us

The steps to follow are quite simple:

Friend:
ssh -R 9999:localhost:22 usuario@servidorssh

Us:
ssh usuario@servidorssh

Once inside the SSH server, we can connect to our friend's computer using:
ssh amigo@localhost -p 9999

As you can see, all the magic lies in the -R parameter, which tells the intermediate server that our friend's computer is now listening as a server on its port 9999.
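As an added example that is not part of the original post, the following script covers both the SSH Tunneling section (the -D proxy) and the Reverse SSH steps above, keeping each listener on loopback and checking that against ss output. The accounts and hosts are the post's placeholders, and the single-command variant of our side assumes OpenSSH 7.3 or newer for -J.

```shell
# Added example, not code from the original post. Accounts and hosts are the
# post's placeholders (usuario@equiporemoto, usuario@servidorssh, amigo).
# Assumes OpenSSH 7.3+ (for -J) and that "ss" and "curl" are installed locally.

# Return 0 if every LISTEN line for port $1 in "ss -ltn" output (stdin) is bound
# to loopback only; return 1 if the port is exposed on another address or absent.
listens_only_on_loopback() {
    awk -v p="$1" '
        $1 == "LISTEN" {
            lp = $4;   sub(/.*:/, "", lp)          # port after the last colon
            addr = $4; sub(/:[0-9]+$/, "", addr)   # 127.0.0.1, [::1], 0.0.0.0, *, ...
            if (lp == p) { seen = 1; if (addr != "127.0.0.1" && addr != "[::1]") bad = 1 }
        }
        END { if (seen && !bad) exit 0; exit 1 }'
}

# "SSH Tunneling": the -D proxy, bound to loopback only and with no remote shell (-N),
# so nobody else on our LAN can relay through our session.
start_socks_proxy() {
    ssh -f -N -o ExitOnForwardFailure=yes -D 127.0.0.1:8888 usuario@equiporemoto || return 1
    ss -ltn | listens_only_on_loopback 8888 || { echo "port 8888 is not loopback-only" >&2; return 1; }
    # --socks5-hostname resolves DNS on the far side, so lookups also travel through the tunnel
    curl -sS --socks5-hostname 127.0.0.1:8888 -o /dev/null -w '%{http_code}\n' https://example.com/
}

# "Reverse SSH", friend's side: keep the -R tunnel alive. The 9999 listener lives on the
# server's loopback (sshd default GatewayPorts no), so only logins on the server reach it.
friend_keep_reverse_tunnel() {
    while :; do
        ssh -N -R 127.0.0.1:9999:localhost:22 -o ExitOnForwardFailure=yes \
            -o ServerAliveInterval=30 -o ServerAliveCountMax=3 usuario@servidorssh
        sleep 10   # reconnect after a drop instead of leaving the friend unreachable
    done
}

# Our side: the post's two hops in one command, using the server as a jump host.
us_connect_to_friend() {
    ssh -J usuario@servidorssh -p 9999 amigo@localhost
}

# Constructed "ss -ltn" samples (not real output) to exercise the check offline.
SS_LOOPBACK='State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 127.0.0.1:9999 0.0.0.0:*
LISTEN 0 128 [::1]:9999 [::]:*'
SS_EXPOSED='State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 0.0.0.0:9999 0.0.0.0:*'
```

On the intermediate server, `ss -ltn | listens_only_on_loopback 9999` is the check to run before trusting that the friend's port is not reachable from the Internet.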

These are just some of the possibilities SSH offers us, but I invite you to experiment with more: for example, we can run unattended scripts using RSA keys, or redirect X sessions (graphical mode) to our own graphical environment, to mention just a few.



  1.   Astro said

    Excellent article, I am eager to get home and start practicing them.

    1.    adr14n said

      Thanks a lot! It's actually my first blog post and it's really nice to read these comments. Cheers!

  2.   Pablo cardozo said

    Just yesterday I was asking something about this topic, and it is the following.

    Is there a way to be able to scp a whole folder but taking into account the date of the files? In other words, I have a folder with many files that I downloaded some time ago, I am interested in downloading only what has been uploaded to that folder from a certain date.

    Greetings and many thanks in advance.

    1.    elav said

      You can do it with RSYNC over SSH. 😉

      1.    giskard said

        rsync is the lid of the jar !!! 😀

      2.    Eduardo said

        I recommend you try unison, it is SPECTACULAR, it is available in the repos (debian and ubuntu at least)

        http://www.cis.upenn.edu/~bcpierce/unison/

        I use it to make daily backups of my note to another computer, in addition to having synchronized directories on different computers.

        It is very easy to use

        I hope it is useful to you!

        Best wishes,
        Eduardo

    2.    Left Handed said

      That seems more like a task for rsync, but I don't know if there is a parameter to do that specifically, if not, maybe it would have to be handled from a script

    3.    adr14n said

      What occurs to me is to do an ls sorted by date, and from there copy the ones you need with a simple scp, because scp does not have as many functions as you say; rsync does.
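As an added example for Pablo's question above (not posted by anyone in the thread), this script selects only the files modified after a given date and pushes them with rsync over SSH, which is the rsync approach elav and Left Handed point to; user, host and paths are placeholders, and it assumes rsync is installed on both ends.

```shell
# Added example (not posted by anyone in the thread). Selects only the files
# modified after a given date and pushes them with rsync over SSH. Assumes rsync
# on both ends; user, host and paths are placeholders in the post's style.

# Print regular files under $1 modified after $2 (YYYYMMDDhhmm), one per line.
# POSIX find has no date test, so compare against a reference file set to that time.
files_newer_than() {
    dir="$1"; since="$2"
    ref=$(mktemp) || return 1
    touch -t "$since" "$ref" || { rm -f "$ref"; return 1; }
    (cd "$dir" && find . -type f -newer "$ref" | sed 's|^\./||' | sort)
    rm -f "$ref"
}

# Push that selection with rsync over ssh. -a preserves mtimes, so a later run
# with a newer cut-off never re-sends what was already copied.
push_newer_than() {
    files_newer_than "$1" "$2" | rsync -av --files-from=- -e ssh "$1/" "$3"
}
# Usage: push_newer_than ~/descargas 201301150000 usuario@equiporemoto:/home/usuario/descargas

# Constructed fixture to try the selection offline: two old files, one newer one in a subdir.
make_fixture() {
    d=$(mktemp -d) || return 1
    touch -t 201212310000 "$d/old1.iso" "$d/old2.tar.gz"
    mkdir "$d/sub" && touch -t 201302010900 "$d/sub/new.pdf"
    printf '%s\n' "$d"
}
```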

  3.   anonymous said

    I attest that the reverse ssh is luxurious, I have used it between my pc and another that was more than 700 km away and zero problems.
    Thank you for these articles, they are very valuable.

  4.   cease said

    So salty! Haha I didn't know that ssh had so many possibilities, I already want to learn how to set up an ssh server and start experimenting with its capabilities, just one thing, could you explain what each parameter does?

    1.    adr14n said

      According to the ssh man itself, the -D serves to specify a 'dynamic application forwarder' locally, which as I explained in the article, serves to pass traffic through a tunnel within the same SSH session. The -R specifies the remote port that will be redirected to our local computer through a 'forwarding'. And finally the -p specifies which port the client should connect to, when it does not use the standard port, 22.

  5.   manuelmdn said

    Good that you touch on this topic, I have a question about the ssh keys, can you generate more than one key for different services? Will you talk about it?

    Regards!

    1.    adr14n said

      When you use authentication using SSL keys, you can export the same (your computer's) to different services and in the same way, if your computer is the server, you can incorporate different keys from different computers. I don't know if I answered your question, but that is how I understood it. Cheers

  6.   Luis said

    I think I remember that there was a way through ssh that allowed us to run an application remotely and view it on our computer as if it were a local application.

    For example, we could run firefox, we see and control it on our local computer but the process runs on the remote computer.

    Especially useful on computers with few resources but unfortunately I do not control the issue and I do not know how to configure the computers to do that.

    Does anyone know anything about it?

    1.    Staff said

      For something like that it would be convenient to use VNC and you can tunnel with SSH.

      1.    x11tete11x said

        @Staff for me it would not be convenient to use VNC... with VNC, if I'm not mistaken, you bring the whole desktop...

        @Luis, what you do is done by simply adding the parameter "-X" to the ssh (you have to allow X forwarding on your server)

        http://i.imgur.com/NCpfzBL.jpg

      2.    Staff said

        @x11tete11x
        Considering what Luis mentioned, I thought of offering him another alternative, since:

        1. "Especially useful on computers with few resources ..."

        -In the case of a single application, it may not consume so many resources, but trying to open 10 windows with x forwarding continues to make the system work harder than having a single VNC instance, since VNC does not "bring the entire desktop"
        -When closing the program on the client, it ends up the same on the server (Someone correct me if I'm wrong), while with VNC you can, for example, leave a torrent download all night and log in again in the morning and everything would continue just as I had left.
        -VNC is a system-agnostic protocol, you can access it from a client on Win, Android, Mac OSX, etc. and use your GNU/Linux programs, without having to install anything other than the VNC client itself.

        And 2. "... unfortunately I do not control the issue and I do not know how to configure the computers to do that."

        It is much easier (And without risk to type something wrong and restart without desktop) to install VNC and configure the SSH tunnel (It is done with GUI) than to move the X configuration files.

      3.    Luis said

        Thank you both for your comments.

        I've been using SSH together with SSHFS to access remote content on my small server for a long time, but I've never been able to run remote applications in a graphical environment.

        I'll try both options to see how it works. What I was saying at first seems simpler since according to x11tete11x, you only have to add a parameter.

        Later I will see if I can find a simple way to configure VNC since I am a bit big, I am an Arch user so surely there will be information on the wiki, something else is for me to find out. Hehehe

        A greeting.

    2.    adr14n said

      It can be done by passing the -X parameter to the session, but you have to have your X server configured to accept connections from a computer on the network, I think that is configured with the xhost utility. As Staff mentions, VNC is also a very good option

    3.    mario said

      It's X11 forwarding, here on this same site there is a post about that:
      https://blog.desdelinux.net/x11-forwarding-a-traves-de-ssh/

    4.    Luis said

      Thanks for the info friends.

      I said, I'll do it using both options to see which one suits me better.

      Regards!