Anyone else use ssh to manage their computers at home? There are five Linux computers and a router in our house. I typically use the command line to update anyway so ssh is a natural for me. Accessing them with ssh lets me update their systems, make snapshots and backups, install new stuff, even change monitor settings using xrandr, all without leaving my desk.
Please note I did all this in a secure environment, behind a firewall, on my home network. Some of what's below I wouldn't recommend in a less secure environment. This is really basic stuff. There are many additional configuration settings that can make things more secure, so do some research if that's a concern for you.
SETTING UP SSH SERVER ON YOUR MACHINES:
This couldn't be much easier and there's lots of How-To's on the web. Basically, just install "openssh-server" on every machine you want to "ssh" into. Then edit the config file /etc/ssd/sshd_config and uncomment (remove the "#") the "Port" line and change "22" to something else. This is considered a marginally more secure way to use ssh. Then restart the ssh server:
sudo systemctl restart sshd
Now you can log into the computer from any computer running openssh-client (usually installed by default so you already have it). Obviously, you have to have a user account on the computer before you will be above to log into it. Once you log in you will be able to issue any command in the terminal just like you would if you were sitting in front of it;
ssh -p 9999 <username>@<hostname or ip address>
You can use the hostname if it's defined in your local hosts file or the IP (more on that below). The number following "-p" is the port you chose when you edited sshd_config.
Note: Another more secure practice is to disable or stop the ssh-server whenever you're not on a network known to you.
SHORTCUTS TO LOGGING INTO A MACHINE:
All the info in the above command can be "built-in" to your computer. Combine that with a bash alias and a single word in the terminal will log you in. In your home folder, make a hidden folder named ".ssh" (it may already be there). In that folder create a file named "config" and fill it with the info needed to log into your other PC using ssh like so:
"Host" is the shortcut name your wish to use for this computer.
"Port" is the target machine's ssh port.
"User" is your username on that computer.
"Hostname" is either the computer's hostname or IP address (still more to come on that topic
)
Enter one paragraph as above for each PC you have ssh access to. Now you don't have to remember the port numbers or IP addresses to log in, just enter this:
ssh myserver
If you want to shrink it further add a line to your ~/.bash_aliases file like so:
alias myserver='ssh myserver'
Now a simple "myserver" will start the ssh login for you.
FINDING THE IP ADDRESSES OF YOUR MACHINES:
SSH does not search your network for hostnames, but it can read your hosts file. Any computer defined in your hosts file can be addressed by it's hostname in the above commands. If you have a computer that has a static IP, just enter it into /etc/hosts like so:
192.168.1.88 mydesktop
Three of my five computers are desktop/servers so they're set with a fixed IP. The two laptops use DHCP because they "travel" and need to be able to connect to other networks occasionally. This means I don't know their IP addresses all the time because they can change if powered down or rebooted so I can't enter them into my hosts file this way. This matters because ssh does not parse hostnames using DNS which basically means unless the hostname and IP address are in your hosts file, ssh can't "find" the target on the network without knowing the IP. Yesterday, I decided their must be a simple one-liner to get the IP of some machine on my network. I wanted to share it because; a. it's useful, b. I'm a scripting noob so I'm sure there's a better way I haven't thought of. Here's what I came up with:
Breaking it down:
"nmap -sn" along with your local network IP range will list all the attached computers, their hostnames, and IPs. It takes about 2.5 seconds to run here (there were 11 devices up this morning!). The output for each device looks like:
running "grep" on the output searching for the known hostname reduces the output to a single line so only the host and it's IP is listed. Finally, the "awk" command strips the first and last characters from field number 6, which in this example is "(192.168.1.88)". This leaves just the IP sitting alone: 192.168.1.88. The ssh command at the front now comes together with this info and results in:
ssh -p 2345 stuart@192.168.1.88
This can't be added to the ~/.ssh/config file like the other PCs with known IPs. So I put the above one-liner into an executable file and named it "laptopssh". Then I added that to my bash_aliases like:
alias mylaptop='~/.local/scripts/laptopssh'
Now I just type "mylaptop" and ssh login prompt appears.
LOGGING INTO SSH WITHOUT A PASSWORD:
GASP! This must be dangerous, right? No password? Actually, by using an encrypted secure key to log into ssh instead of your password, not only is it more secure, it's a couple steps faster too.
Once you're logging into your other machine using ssh, on your client (the machine where your using ssh to log into the other machine) in a terminal type:
ssh-keygen -t rsa
It will ask for a filename - use the default - and a passphrase - leave it empty too. Then enter this command using your user info and machine address:
ssh-copy-id <username>@<hostname or IP>
You will be prompted for your password, then the encrypted key will copy to the other computer. From now on, when you log into the other machine using ssh, it will compare it's key file to the one on your machine and not ask for a password. Combined with the other methods above, you now have a truly one-word login to the other machine.
OTHER USES AND TIPS:
If you've set up the secure key above, you can use it to copy files to and from the other machine using "secure copy". The command is "scp" and it works like this:
scp -i ~/.ssh/id_rsa.pub <filename> <username>@<hostname or IP>:/home/<username>/<filename>
Since you're not root, you have to target your home folder (or some folder in your home on the other machine) for the file. Once it's there, you can log in and move it about as needed. You can also "pull" a file from your client machine while in an ssh session like this:
scp -i ~/.ssh/id_rsa.pub <username>@<hostname or IP>:/home/<username>/<filename> /home/<username>/<filename>
Pretty slick. This isn't the quickest way to transfer a lot of files, but it's great if you need to grab one thing from the other machine like a copy of a config or log file.
Also you can issue a one-liner command to the server machine using "rsh" instead of "ssh". Say you want to see what files are in your documents folder on the other machine. You could log into ssh and do "ls ~/Documents" or you can just enter:
rsh <hostname or IP> ls ~
and wait for your file listing.
Please note I did all this in a secure environment, behind a firewall, on my home network. Some of what's below I wouldn't recommend in a less secure environment. This is really basic stuff. There are many additional configuration settings that can make things more secure, so do some research if that's a concern for you.
SETTING UP SSH SERVER ON YOUR MACHINES:
This couldn't be much easier and there's lots of How-To's on the web. Basically, just install "openssh-server" on every machine you want to "ssh" into. Then edit the config file /etc/ssd/sshd_config and uncomment (remove the "#") the "Port" line and change "22" to something else. This is considered a marginally more secure way to use ssh. Then restart the ssh server:
sudo systemctl restart sshd
Now you can log into the computer from any computer running openssh-client (usually installed by default so you already have it). Obviously, you have to have a user account on the computer before you will be above to log into it. Once you log in you will be able to issue any command in the terminal just like you would if you were sitting in front of it;
ssh -p 9999 <username>@<hostname or ip address>
You can use the hostname if it's defined in your local hosts file or the IP (more on that below). The number following "-p" is the port you chose when you edited sshd_config.
Note: Another more secure practice is to disable or stop the ssh-server whenever you're not on a network known to you.
SHORTCUTS TO LOGGING INTO A MACHINE:
All the info in the above command can be "built-in" to your computer. Combine that with a bash alias and a single word in the terminal will log you in. In your home folder, make a hidden folder named ".ssh" (it may already be there). In that folder create a file named "config" and fill it with the info needed to log into your other PC using ssh like so:
Code:
Host myserver Port 2345 User bob Hostname 192.168.1.200
"Port" is the target machine's ssh port.
"User" is your username on that computer.
"Hostname" is either the computer's hostname or IP address (still more to come on that topic
)Enter one paragraph as above for each PC you have ssh access to. Now you don't have to remember the port numbers or IP addresses to log in, just enter this:
ssh myserver
If you want to shrink it further add a line to your ~/.bash_aliases file like so:
alias myserver='ssh myserver'
Now a simple "myserver" will start the ssh login for you.
FINDING THE IP ADDRESSES OF YOUR MACHINES:
SSH does not search your network for hostnames, but it can read your hosts file. Any computer defined in your hosts file can be addressed by it's hostname in the above commands. If you have a computer that has a static IP, just enter it into /etc/hosts like so:
192.168.1.88 mydesktop
Three of my five computers are desktop/servers so they're set with a fixed IP. The two laptops use DHCP because they "travel" and need to be able to connect to other networks occasionally. This means I don't know their IP addresses all the time because they can change if powered down or rebooted so I can't enter them into my hosts file this way. This matters because ssh does not parse hostnames using DNS which basically means unless the hostname and IP address are in your hosts file, ssh can't "find" the target on the network without knowing the IP. Yesterday, I decided their must be a simple one-liner to get the IP of some machine on my network. I wanted to share it because; a. it's useful, b. I'm a scripting noob so I'm sure there's a better way I haven't thought of. Here's what I came up with:
Code:
ssh -p 2345 stuart@`nmap -sn 192.168.1.* |grep dell_laptop | awk '{print substr($6, 2, length($6) - 2)}'`
"nmap -sn" along with your local network IP range will list all the attached computers, their hostnames, and IPs. It takes about 2.5 seconds to run here (there were 11 devices up this morning!). The output for each device looks like:
Code:
[FONT=monospace][COLOR=#000000]Nmap scan report for dell_laptop.smith.lan (192.168.1.88)[/COLOR] Host is up (0.00041s latency).[/FONT]
ssh -p 2345 stuart@192.168.1.88
This can't be added to the ~/.ssh/config file like the other PCs with known IPs. So I put the above one-liner into an executable file and named it "laptopssh". Then I added that to my bash_aliases like:
alias mylaptop='~/.local/scripts/laptopssh'
Now I just type "mylaptop" and ssh login prompt appears.
LOGGING INTO SSH WITHOUT A PASSWORD:
GASP! This must be dangerous, right? No password? Actually, by using an encrypted secure key to log into ssh instead of your password, not only is it more secure, it's a couple steps faster too.
Once you're logging into your other machine using ssh, on your client (the machine where your using ssh to log into the other machine) in a terminal type:
ssh-keygen -t rsa
It will ask for a filename - use the default - and a passphrase - leave it empty too. Then enter this command using your user info and machine address:
ssh-copy-id <username>@<hostname or IP>
You will be prompted for your password, then the encrypted key will copy to the other computer. From now on, when you log into the other machine using ssh, it will compare it's key file to the one on your machine and not ask for a password. Combined with the other methods above, you now have a truly one-word login to the other machine.
OTHER USES AND TIPS:
If you've set up the secure key above, you can use it to copy files to and from the other machine using "secure copy". The command is "scp" and it works like this:
scp -i ~/.ssh/id_rsa.pub <filename> <username>@<hostname or IP>:/home/<username>/<filename>
Since you're not root, you have to target your home folder (or some folder in your home on the other machine) for the file. Once it's there, you can log in and move it about as needed. You can also "pull" a file from your client machine while in an ssh session like this:
scp -i ~/.ssh/id_rsa.pub <username>@<hostname or IP>:/home/<username>/<filename> /home/<username>/<filename>
Pretty slick. This isn't the quickest way to transfer a lot of files, but it's great if you need to grab one thing from the other machine like a copy of a config or log file.
Also you can issue a one-liner command to the server machine using "rsh" instead of "ssh". Say you want to see what files are in your documents folder on the other machine. You could log into ssh and do "ls ~/Documents" or you can just enter:
rsh <hostname or IP> ls ~
and wait for your file listing.
Comment