SSH Tricks and Tips for System Administrators

SSH (Secure Shell) is one of the most powerful tools in a system administrator’s toolkit. Beyond basic remote login, SSH offers a wealth of features that can streamline your workflow, enhance security, and solve complex networking challenges. Here’s a comprehensive collection of SSH tricks that every sysadmin should know.

Connection and Authentication Tricks

1. SSH Key Authentication Setup

# Generate a new SSH key pair
ssh-keygen -t ed25519 -C "your_email@example.com"
# Copy public key to remote server
ssh-copy-id user@hostname
# Or manually copy the key
cat ~/.ssh/id_ed25519.pub | ssh user@hostname 'mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys'

2. SSH Agent for Key Management

# Start SSH agent
eval "$(ssh-agent)"
# Add keys to agent
ssh-add ~/.ssh/id_ed25519
# List loaded keys
ssh-add -l
# Remove all keys from agent
ssh-add -D

3. SSH Config File Magic

Create ~/.ssh/config for easier connections:

Host myserver
    HostName 192.168.1.100
    User admin
    Port 2222
    IdentityFile ~/.ssh/special_key
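
Host *.dev
    User developer
    Port 22
    # ForwardAgent lets root on the remote host use your loaded keys;
    # enable it only for hosts you trust, and prefer ProxyJump where possible
    ForwardAgent yes

Host jump
    HostName jumphost.company.com
    User jumpuser

Host internal
    HostName 10.0.0.50
    ProxyJump jump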

Port Forwarding and Tunneling

4. Local Port Forwarding

Forward local port to remote service:

# Forward local port 8080 to remote port 80
ssh -L 8080:localhost:80 user@remote-server
# Forward to different host through SSH server
ssh -L 3306:database-server:3306 user@ssh-gateway

5. Remote Port Forwarding

Make local service available on remote server:

# Make local web server accessible from remote
ssh -R 8080:localhost:80 user@remote-server
# Bind to all interfaces on remote (requires GatewayPorts yes in the server's sshd_config)
ssh -R '*:8080:localhost:80' user@remote-server

6. Dynamic Port Forwarding (SOCKS Proxy)

# Create SOCKS proxy on local port 1080
ssh -D 1080 user@remote-server
# Use with curl
curl --socks5-hostname localhost:1080 http://internal-site.com

7. SSH Tunnel in Background

# Create persistent tunnel
ssh -f -N -L 8080:localhost:80 user@remote-server
# Kill background SSH processes
pkill -f "ssh.*8080:localhost:80"

File Transfer Tricks

8. SCP with Progress and Compression

# Copy with verbose debug output (the progress meter is shown by default on a terminal)
scp -v file.txt user@remote:/path/
# Copy with compression
scp -C largefile.tar user@remote:/path/
# Copy preserving permissions and timestamps
scp -p file.txt user@remote:/path/
# Recursive copy with compression
scp -rC directory/ user@remote:/path/

9. SFTP Batch Operations

# SFTP with batch file
sftp -b commands.txt user@remote
# Contents of commands.txt:
cd /var/www
put *.html
chmod 644 *.html
quit

10. Rsync over SSH

# Sync directories with progress
rsync -avz --progress /local/path/ user@remote:/remote/path/
# Dry run to see what would be transferred
rsync -avz --dry-run /local/path/ user@remote:/remote/path/
# Exclude files
rsync -avz --exclude='*.log' /local/path/ user@remote:/remote/path/

Advanced Connection Management

11. SSH Multiplexing

Share connections to reduce overhead:

# In ~/.ssh/config (the ~/.ssh/sockets directory must already exist and be private to you)
Host *
    ControlMaster auto
    ControlPath ~/.ssh/sockets/%r@%h-%p
    ControlPersist 600

12. Jump Hosts and ProxyJump

# Direct jump through intermediate host
ssh -J jumphost target-server
# Multiple jumps
ssh -J jump1,jump2 target-server
# In config file:
Host target
    ProxyJump jump1,jump2

13. SSH Keep-Alive

Prevent connection timeouts:

# In ~/.ssh/config
Host *
    ServerAliveInterval 60
    ServerAliveCountMax 3
    TCPKeepAlive yes

Security and Monitoring

14. SSH with Specific Cipher

# Use specific encryption cipher
ssh -c aes256-ctr user@hostname
# List available ciphers
ssh -Q cipher

15. SSH Connection Logging

# Log SSH session to file
ssh user@hostname | tee session.log
# Or use script command
script -c "ssh user@hostname" session.log

16. Restrict SSH Commands

In ~/.ssh/authorized_keys, restrict what a key can do:

command="rsync --server -vlogDtpre.iLsfx . /backup/",restrict ssh-rsa AAAAB3...

17. SSH with Timeout

# Connection timeout
ssh -o ConnectTimeout=10 user@hostname
# Set multiple timeouts
ssh -o ConnectTimeout=10 -o ServerAliveInterval=5 user@hostname

Debugging and Troubleshooting

18. Verbose SSH Debugging

# Basic verbose output
ssh -v user@hostname
# More verbose (up to -vvv)
ssh -vvv user@hostname
# Debug specific issues
ssh -o LogLevel=DEBUG3 user@hostname

19. SSH without Host Key Checking

# Skip host key verification (dangerous! the server's identity is no longer checked)
ssh -o StrictHostKeyChecking=no user@hostname
# Don't save host key
ssh -o UserKnownHostsFile=/dev/null user@hostname

20. Test SSH Configuration

# Test key authentication against GitHub (-T: no terminal is allocated)
ssh -T git@github.com
# Test connection non-interactively (BatchMode fails instead of prompting)
ssh -o BatchMode=yes user@hostname true

Remote Command Execution

21. Execute Commands Remotely

# Single command
ssh user@hostname 'ls -la /var/log'
# Multiple commands
ssh user@hostname 'cd /var/log && tail -n 20 syslog'
# Commands with local variables (expanded locally, then parsed again by the remote shell)
local_var="test"
ssh user@hostname "echo $local_var"
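
The remote shell parses the command string a second time, so a local value containing spaces or quotes changes the command that runs. The following is an added example, not part of the original article; `remote_shell`, `remote_quote`, `show_unquoted` and `show_quoted` are hypothetical helper names, and `sh -c` stands in for `ssh user@hostname` so the script runs offline.

```shell
#!/bin/sh
# Added example: passing a local value through ssh without the remote shell
# re-parsing it. ssh joins its arguments into one string and hands that to
# the remote login shell, so the value is parsed twice: locally and remotely.

# Stand-in for "ssh user@hostname <command string>" so this runs offline
# (assumption: the remote login shell is POSIX sh compatible).
remote_shell() { sh -c "$1"; }

# Wrap a value in single quotes, rewriting each embedded ' as '\''.
# Limitation: trailing newlines in the value are dropped by $(...).
remote_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# As written in the article: the remote shell splits the value into words.
show_unquoted() { remote_shell "printf '[%s]' $1"; }

# Quoted form: the remote shell receives exactly one literal argument.
show_quoted() { remote_shell "printf '[%s]' $(remote_quote "$1")"; }

value="two words"                  # constructed sample value
show_unquoted "$value"; echo       # [two][words]
show_quoted "$value"; echo         # [two words]
show_quoted "it's \$HOME"; echo    # [it's $HOME], not expanded remotely
```

With a real host, the quoted form becomes `ssh user@hostname "echo $(remote_quote "$local_var")"`.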

22. Remote Script Execution

# Execute local script on remote server
ssh user@hostname 'bash -s' < local_script.sh
# With arguments
ssh user@hostname 'bash -s' < script.sh arg1 arg2
# Pipe script content
cat script.sh | ssh user@hostname 'bash -s'

23. SSH with Here Document

ssh user@hostname << 'EOF'
cd /var/www
sudo service apache2 restart
echo "Service restarted"
EOF

Network and System Administration

24. SSH Mount (SSHFS)

# Mount remote directory locally
sshfs user@hostname:/remote/path /local/mount/point
# Unmount
fusermount -u /local/mount/point
# Mount with options
sshfs -o allow_other,default_permissions user@hostname:/path /mount

25. X11 Forwarding

# Forward X11 for GUI applications
ssh -X user@hostname
# Trusted X11 forwarding (not subject to the X11 SECURITY extension controls)
ssh -Y user@hostname
# Run GUI application
ssh -X user@hostname firefox

26. SSH Escape Sequences

During an SSH session, use these escape sequences:

  • ~. – Terminate connection
  • ~^Z – Background SSH
  • ~# – List forwarded connections
  • ~& – Background SSH at logout
  • ~? – Display escape sequence help

27. SSH Banner and MOTD

# Display banner before authentication
# In /etc/ssh/sshd_config:
Banner /etc/ssh/banner.txt
# Custom MOTD
echo "Welcome to $(hostname)" > /etc/motd

28. SSH Key Fingerprints

# Show key fingerprint
ssh-keygen -lf ~/.ssh/id_ed25519.pub
# Show visual fingerprint
ssh-keygen -lvf ~/.ssh/id_ed25519.pub
# Get server key fingerprint (compare it with a value obtained out of band)
ssh-keyscan hostname | ssh-keygen -lf -

Performance and Optimization

29. SSH Compression

# Enable compression
ssh -C user@hostname
# Compression in ~/.ssh/config
Host slow-connection
    Compression yes

30. SSH Cipher Selection for Performance

# Fast cipher for local networks
ssh -c chacha20-poly1305@openssh.com user@hostname
# Measure cipher throughput (the data must cross the SSH connection to be timed)
time dd if=/dev/zero bs=1M count=100 | ssh -c aes128-ctr user@hostname 'cat > /dev/null'

SSH Server Configuration Tips

31. Secure SSH Server Settings

Add to /etc/ssh/sshd_config:

# Change default port
Port 2222
# Disable root login
PermitRootLogin no
# Key-only authentication
PasswordAuthentication no
PubkeyAuthentication yes
# Limit users
AllowUsers alice bob
# Connection limits
MaxAuthTries 3
MaxSessions 10
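
A way to check a config file against the settings above, as an added example that is not part of the original article. `audit_sshd_config` and `sample_config` are hypothetical names and the sample config is constructed; on a live server, pipe the output of `sshd -T` into the function to audit the effective settings.

```shell
#!/bin/sh
# Added example: audit sshd_config text on stdin against the settings above.
# sshd keeps the FIRST value it reads for a keyword and treats keyword names
# case-insensitively, so a later "PermitRootLogin no" does not undo an
# earlier "permitrootlogin yes". Only global settings are checked here;
# parsing stops at the first Match block.
# MISSING = not set explicitly, so the built-in default of sshd applies.
audit_sshd_config() {
    awk '
    BEGIN {
        want["permitrootlogin"]        = "no"
        want["passwordauthentication"] = "no"
        want["pubkeyauthentication"]   = "yes"
    }
    /^[ \t]*#/ || NF == 0   { next }
    tolower($1) == "match"  { exit }
    {
        key = tolower($1)
        if (key in val) next            # first occurrence wins
        val[key] = tolower($2)
    }
    END {
        for (k in want) {
            if (!(k in val))
                printf "MISSING %s (want %s)\n", k, want[k]
            else if (val[k] != want[k])
                printf "WEAK %s=%s (want %s)\n", k, val[k], want[k]
        }
        if (("maxauthtries" in val) && val["maxauthtries"] + 0 > 3)
            printf "WEAK maxauthtries=%s (want <= 3)\n", val["maxauthtries"]
    }' | sort
}

# Constructed sample, not taken from a real host.
sample_config() {
    cat <<'EOF'
Port 2222
permitrootlogin yes
PasswordAuthentication no
MaxAuthTries 6
PermitRootLogin no
Match User backup
    PasswordAuthentication yes
EOF
}

sample_config | audit_sshd_config
```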

32. SSH Fail2ban Integration

# Install fail2ban
sudo apt-get install fail2ban
# Configure for SSH
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
# Edit [sshd] section in jail.local

Automation and Scripting

33. SSH in Scripts with Error Handling

#!/bin/bash
if ssh -o ConnectTimeout=5 user@hostname 'command'; then
    echo "Command succeeded"
else
    echo "SSH failed with exit code $?"
fi

34. SSH with Expect for Automation

#!/usr/bin/expect
spawn ssh user@hostname
expect "password:"
send "your_password\r"
interact

35. Parallel SSH Execution

# Using GNU parallel
parallel -j10 ssh user@{} 'uptime' ::: server{1..10}
# Simple background execution
for host in server{1..5}; do
    ssh "user@$host" 'command' &
done
wait

Monitoring and Logging

36. SSH Connection Monitoring

# Show listening SSH sockets (drop -l to list established connections)
ss -tuln | grep :22
# Show SSH processes
ps aux | grep sshd
# SSH login history
last | grep ssh

37. SSH Audit Logging

# Enable detailed logging in /etc/ssh/sshd_config
LogLevel VERBOSE
# Monitor SSH logs
sudo tail -f /var/log/auth.log | grep ssh
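
Beyond tailing the log, a per-source summary makes repeated failures visible, including a login that succeeds after many failures. This is an added example, not part of the original article; `ssh_fail_report` and `sample_auth_log` are hypothetical names, the log lines are constructed, and the message layout assumed is the usual OpenSSH "Failed password for ... from ADDRESS port N ssh2" form.

```shell
#!/bin/sh
# Added example: summarise sshd authentication failures per source address.
# Usage: ssh_fail_report THRESHOLD < /var/log/auth.log
# Prints "ADDRESS failures=N accepted_after=M" for every address with at
# least THRESHOLD failed passwords; accepted_after counts logins that
# succeeded from that address once the threshold had been reached.
ssh_fail_report() {
    awk -v min="$1" '
    BEGIN { min += 0 }
    !/sshd\[[0-9]+\]: / { next }
    / Failed password for / && $(NF-4) == "from" && $(NF-2) == "port" {
        # Count fields from the end: the user name may contain spaces.
        fails[$(NF-3)]++
        next
    }
    / Accepted / {
        for (i = 1; i <= NF; i++)
            if ($i == "Accepted" && $(i+2) == "for" && $(i+4) == "from") {
                ip = $(i+5)
                if (fails[ip] >= min) after[ip]++
                break
            }
    }
    END {
        for (ip in fails)
            if (fails[ip] >= min)
                printf "%s failures=%d accepted_after=%d\n", ip, fails[ip], after[ip]
    }' | sort
}

# Constructed log lines using documentation address ranges.
sample_auth_log() {
    cat <<'EOF'
Jan 10 03:12:01 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 10 03:12:04 web1 sshd[2211]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jan 10 03:12:09 web1 sshd[2213]: Failed password for invalid user test from 203.0.113.5 port 51251 ssh2
Jan 10 03:13:40 web1 sshd[2290]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Jan 10 03:13:52 web1 sshd[2290]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2: ED25519 SHA256:CONSTRUCTED
Jan 10 03:14:30 web1 sshd[2301]: Accepted password for bob from 203.0.113.5 port 51300 ssh2
EOF
}

sample_auth_log | ssh_fail_report 3
```

A non-zero `accepted_after` for an address is the line to investigate first.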

Advanced Use Cases

38. SSH as a VPN Alternative

# Create TUN interface tunnel
ssh -w 0:0 root@remote-server
# Configure tunnel interfaces (on both ends)
ip addr add 10.0.0.1/30 dev tun0  # local
ip addr add 10.0.0.2/30 dev tun0  # remote

39. SSH Database Connections

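# Connect to remote MySQL through SSH tunnel
# (-f -N backgrounds the tunnel after authentication; 127.0.0.1 forces TCP,
# since the mysql client uses the local Unix socket for "localhost")
ssh -f -N -L 3306:localhost:3306 user@db-server
mysql -h 127.0.0.1 -P 3306 -u dbuser -p
# PostgreSQL through tunnel
ssh -f -N -L 5432:localhost:5432 user@pg-server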
psql -h localhost -p 5432 -U pguser dbname

40. SSH for Git Operations

# Use specific SSH key for Git
GIT_SSH_COMMAND="ssh -i ~/.ssh/specific_key" git clone user@server:repo.git
# SSH config for Git hosts
Host github-work
    HostName github.com
    User git
    IdentityFile ~/.ssh/work_key

Conclusion

These SSH tricks represent just a fraction of what’s possible with this incredibly versatile tool. Mastering these techniques will significantly improve your efficiency as a system administrator and open up new possibilities for secure remote management, file transfers, and network troubleshooting.

Remember to always prioritize security when implementing these tricks, especially in production environments. Regularly update your SSH software, use strong key-based authentication, and monitor your SSH logs for any suspicious activity.

Happy SSH-ing!