    SSH to manage your computers - some tips

    Anyone else use ssh to manage their computers at home? There are five Linux computers and a router in our house. I typically use the command line to update anyway so ssh is a natural for me. Accessing them with ssh lets me update their systems, make snapshots and backups, install new stuff, even change monitor settings using xrandr, all without leaving my desk.

    Please note I did all this in a secure environment, behind a firewall, on my home network. Some of what's below I wouldn't recommend in a less secure environment. This is really basic stuff. There are many additional configuration settings that can make things more secure, so do some research if that's a concern for you.

    SETTING UP SSH SERVER ON YOUR MACHINES:
    This couldn't be much easier and there's lots of How-To's on the web. Basically, just install "openssh-server" on every machine you want to "ssh" into. Then edit the config file /etc/ssh/sshd_config and uncomment (remove the "#") the "Port" line and change "22" to something else. This is considered a marginally more secure way to use ssh. Then restart the ssh server:

    sudo systemctl restart sshd

    Now you can log into the computer from any computer running openssh-client (usually installed by default so you already have it). Obviously, you have to have a user account on the computer before you will be able to log into it. Once you log in you will be able to issue any command in the terminal just like you would if you were sitting in front of it:

    ssh -p 9999 <username>@<hostname or ip address>

    You can use the hostname if it's defined in your local hosts file or the IP (more on that below). The number following "-p" is the port you chose when you edited sshd_config.

    Note: Another more secure practice is to disable or stop the ssh-server whenever you're not on a network known to you.

    SHORTCUTS TO LOGGING INTO A MACHINE:
    All the info in the above command can be "built-in" to your computer. Combine that with a bash alias and a single word in the terminal will log you in. In your home folder, make a hidden folder named ".ssh" (it may already be there). In that folder create a file named "config" and fill it with the info needed to log into your other PC using ssh like so:
    Code:
    Host myserver
      Port 2345
      User bob
      Hostname 192.168.1.200
    "Host" is the shortcut name you wish to use for this computer.
    "Port" is the target machine's ssh port.
    "User" is your username on that computer.
    "Hostname" is either the computer's hostname or IP address (still more to come on that topic).

    Enter one paragraph as above for each PC you have ssh access to. Now you don't have to remember the port numbers or IP addresses to log in, just enter this:

    ssh myserver

    If you want to shrink it further add a line to your ~/.bash_aliases file like so:

    alias myserver='ssh myserver'

    Now a simple "myserver" will start the ssh login for you.

    FINDING THE IP ADDRESSES OF YOUR MACHINES:
    SSH does not search your network for hostnames, but it can read your hosts file. Any computer defined in your hosts file can be addressed by its hostname in the above commands. If you have a computer that has a static IP, just enter it into /etc/hosts like so:

    192.168.1.88 mydesktop

    Three of my five computers are desktop/servers so they're set with a fixed IP. The two laptops use DHCP because they "travel" and need to be able to connect to other networks occasionally. This means I don't know their IP addresses all the time because they can change if powered down or rebooted, so I can't enter them into my hosts file this way. This matters because ssh does not parse hostnames using DNS, which basically means unless the hostname and IP address are in your hosts file, ssh can't "find" the target on the network without knowing the IP. Yesterday, I decided there must be a simple one-liner to get the IP of some machine on my network. I wanted to share it because: a. it's useful; b. I'm a scripting noob so I'm sure there's a better way I haven't thought of. Here's what I came up with:

    Code:
    ssh -p 2345 stuart@`nmap -sn 192.168.1.* |grep dell_laptop | awk '{print substr($6, 2, length($6) - 2)}'`
    Breaking it down:
    "nmap -sn" along with your local network IP range will list all the attached computers, their hostnames, and IPs. It takes about 2.5 seconds to run here (there were 11 devices up this morning!). The output for each device looks like:
    Code:
    Nmap scan report for dell_laptop.smith.lan (192.168.1.88)
    Host is up (0.00041s latency).
    Running "grep" on the output searching for the known hostname reduces the output to a single line so only the host and its IP is listed. Finally, the "awk" command strips the first and last characters from field number 6, which in this example is "(192.168.1.88)". This leaves just the IP sitting alone: 192.168.1.88. The ssh command at the front now comes together with this info and results in:

    ssh -p 2345 stuart@192.168.1.88

    This can't be added to the ~/.ssh/config file like the other PCs with known IPs. So I put the above one-liner into an executable file and named it "laptopssh". Then I added that to my bash_aliases like:

    alias mylaptop='~/.local/scripts/laptopssh'

    Now I just type "mylaptop" and the ssh login prompt appears.

    LOGGING INTO SSH WITHOUT A PASSWORD:
    GASP! This must be dangerous, right? No password? Actually, by using an encrypted secure key to log into ssh instead of your password, not only is it more secure, it's a couple of steps faster too.

    Once you're logging into your other machine using ssh, on your client (the machine where you're using ssh to log into the other machine) in a terminal type:

    ssh-keygen -t rsa

    It will ask for a filename - use the default - and a passphrase - leave it empty too. Then enter this command using your user info and machine address:

    ssh-copy-id <username>@<hostname or IP>

    You will be prompted for your password, then the encrypted key will copy to the other computer. From now on, when you log into the other machine using ssh, it will compare its key file to the one on your machine and not ask for a password. Combined with the other methods above, you now have a truly one-word login to the other machine.

    OTHER USES AND TIPS:
    If you've set up the secure key above, you can use it to copy files to and from the other machine using "secure copy". The command is "scp" and it works like this:

    scp -i ~/.ssh/id_rsa <filename> <username>@<hostname or IP>:/home/<username>/<filename>

    Since you're not root, you have to target your home folder (or some folder in your home on the other machine) for the file. Once it's there, you can log in and move it about as needed. You can also "pull" a file from your client machine while in an ssh session like this:

    scp -i ~/.ssh/id_rsa <username>@<hostname or IP>:/home/<username>/<filename> /home/<username>/<filename>

    Pretty slick. This isn't the quickest way to transfer a lot of files, but it's great if you need to grab one thing from the other machine like a copy of a config or log file.

    Also you can issue a one-liner command to the server machine using "rsh" instead of "ssh". Say you want to see what files are in your documents folder on the other machine. You could log into ssh and do "ls ~/Documents" or you can just enter:

    rsh <hostname or IP> ls ~

    and wait for your file listing.
    Last edited by oshunluvr; Aug 09, 2018, 08:28 AM.

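The nmap one-liner in the post above matches the hostname with a plain `grep`, which is a substring match: a second device whose name merely contains "dell_laptop" would also match, and a device with no reverse-DNS name has no parenthesised field 6 at all, so the command substitution can come out empty and ssh is then run against the wrong box or no box. The following is an added example (not code from the post) that does the same lookup with an exact-name match and a non-zero exit when the host is absent. The hostnames, addresses and scan text are constructed for the demo; user "stuart", port 2345 and the 192.168.1.x range are taken from the post.

```shell
#!/bin/sh
# Added example, not code from the forum post: look up a host's IPv4 address
# in "nmap -sn" output by exact hostname, then use it for ssh.
# Hostnames, addresses and the scan text below are constructed for the demo.

# Constructed stand-in for what `nmap -sn 192.168.1.0/24` prints. The second
# report has no reverse-DNS name at all, and the fourth is a near-duplicate
# name that a plain `grep dell_laptop` would also match.
SAMPLE_SCAN='Starting Nmap 7.60 ( https://nmap.org ) at 2018-08-09 08:00 CDT
Nmap scan report for router.smith.lan (192.168.1.1)
Host is up (0.0012s latency).
Nmap scan report for 192.168.1.5
Host is up (0.0030s latency).
Nmap scan report for dell_laptop.smith.lan (192.168.1.88)
Host is up (0.00041s latency).
Nmap scan report for dell_laptop2.smith.lan (192.168.1.89)
Host is up (0.00052s latency).
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.51 seconds'

# ip_for_host NAME [SCAN_TEXT]
# Prints the IPv4 address of the report whose name is exactly NAME, given
# either as the short name or the full name with domain. Returns 1 when no
# report matches, so a caller never ends up with an empty host string.
ip_for_host() {
    printf '%s\n' "${2:-$SAMPLE_SCAN}" | awk -v want="$1" '
        /^Nmap scan report for / {
            # Two shapes: "... for NAME (A.B.C.D)" or just "... for A.B.C.D"
            if ($NF ~ /^\(.*\)$/) {
                full = $5
                ip = substr($NF, 2, length($NF) - 2)
            } else {
                full = ""
                ip = $NF
            }
            short = full
            sub(/\..*$/, "", short)        # "dell_laptop.smith.lan" -> "dell_laptop"
            if (full != "" && (full == want || short == want)) {
                print ip
                found = 1
                exit
            }
        }
        END { exit found ? 0 : 1 }'
}

# ssh_by_name NAME: the post's one-liner, except that it refuses to run ssh
# when the host is not on the network instead of calling "ssh stuart@".
# User "stuart", port 2345 and the 192.168.1.0/24 range come from the post.
ssh_by_name() {
    ip=$(ip_for_host "$1" "$(nmap -sn 192.168.1.0/24)") || {
        echo "ssh_by_name: $1 not found in the nmap scan" >&2
        return 1
    }
    ssh -p 2345 "stuart@$ip"
}
```

Put `ssh_by_name dell_laptop` in the "laptopssh" script in place of the backtick one-liner; `ip_for_host` can also be run on saved scan output without nmap installed, which is how the demo text above is used.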

    #2
    So, if your hosts file already has
    127.0.0.1 mydesktop
    should that line be commented out?

    Would having
    127.0.0.1 mydesktop
    192.168.11.100 mydesktop
    in the hosts file cause ssh to always go to 127.0.0.1?
    "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people."
    – John F. Kennedy, February 26, 1962.

      #3
      The default hosts file looks like:

      Code:
      127.0.0.1       localhost
      127.0.1.1       <Your hostname here>
      
      
      # The following lines are desirable for IPv6 capable hosts
      ::1     ip6-localhost ip6-loopback
      fe00::0 ip6-localnet
      ff00::0 ip6-mcastprefix
      ff02::1 ip6-allnodes
      ff02::2 ip6-allrouters
      Assuming "mydesktop" and "mylaptop" for the above purposes, the desktop is fixed IP, so its hosts file looks like:
      Code:
      127.0.0.1       localhost
      127.0.1.1       mydesktop
      
      
      # The following lines are desirable for IPv6 capable hosts
      ::1     ip6-localhost ip6-loopback
      fe00::0 ip6-localnet
      ff00::0 ip6-mcastprefix
      ff02::1 ip6-allnodes
      ff02::2 ip6-allrouters
      Where the laptop might look like:
      Code:
      127.0.0.1       localhost
      127.0.1.1       mylaptop
      192.168.1.99    mydesktop
      
      
      # The following lines are desirable for IPv6 capable hosts
      ::1     ip6-localhost ip6-loopback
      fe00::0 ip6-localnet
      ff00::0 ip6-mcastprefix
      ff02::1 ip6-allnodes
      ff02::2 ip6-allrouters
      AFAIK, removing "localhost" from your hosts file will break some network functionality.

      The nmap one-liner is used to retrieve the IP from the laptop since it's not fixed.

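Post #3 shows the hosts files but does not say which line wins when a name appears twice, which was the question in #2. By default the resolver returns only the first matching line of /etc/hosts (the `multi` setting in host.conf(5) is off unless you turn it on), and ssh tries addresses in the order the resolver hands them back. The following added example (not from the thread) emulates that first-match rule and also lists names defined more than once, which is the check worth running after editing a hosts file. The hosts text and the 192.168.11.100 / 192.168.1.99 addresses are constructed; the first-match emulation is a simplification of the real resolver, not its code.

```shell
#!/bin/sh
# Added example, not from the thread: emulate the default /etc/hosts
# lookup rule (first matching line wins) and flag duplicate names.
# The hosts text below is constructed to match the situation asked about in #2.
SAMPLE_HOSTS='127.0.0.1       localhost
127.0.1.1       mydesktop
192.168.11.100  mydesktop     # a second entry for the same name
192.168.1.99    fileserver nas
# a comment line
::1     ip6-localhost ip6-loopback'

# hosts_lookup NAME [HOSTS_TEXT]
# Prints the address on the FIRST line whose names include NAME exactly.
# Returns 1 when the name is not defined at all.
hosts_lookup() {
    printf '%s\n' "${2:-$SAMPLE_HOSTS}" | awk -v want="$1" '
        { sub(/#.*/, "") }                  # drop trailing and whole-line comments
        NF < 2 { next }                     # need an address plus at least one name
        {
            for (i = 2; i <= NF; i++)
                if ($i == want) { print $1; found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# hosts_duplicates [HOSTS_TEXT]
# Prints "NAME COUNT" for every name that appears on more than one line.
# Only the first line is ever used, so each such entry is a silent no-op
# (or, worse, points a shortcut like "ssh mydesktop" at loopback).
hosts_duplicates() {
    printf '%s\n' "${1:-$SAMPLE_HOSTS}" | awk '
        { sub(/#.*/, "") }
        NF < 2 { next }
        { for (i = 2; i <= NF; i++) seen[$i]++ }
        END { for (n in seen) if (seen[n] > 1) print n, seen[n] }'
}
```

With the constructed file, `hosts_lookup mydesktop` prints 127.0.1.1, so on a machine whose own hosts file carries both lines, "ssh mydesktop" connects to loopback rather than to 192.168.11.100; `hosts_duplicates /dev/stdin < /etc/hosts` style checks on a real file will show the name twice and point at the line to remove. Other machines, as in the laptop file in #3, carry only the LAN line and are unaffected.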



        #4
        Ah, I see what you are doing.
        You must leave your machines up for long periods of time. Doing that nmap one-liner every day would get irritating. Just curious, why don't you have your router assign a fixed 192.168.x.y address based on the MAC of the laptop? That way it will always be the same every time you boot up and nmap isn't necessary.



          #5
          Originally posted by GreyGeek:
          Just curious, why don't you have your router assign a fixed 192.168.x.y address based on the MAC of the laptop? That way it will always be the same everytime you boot up and nmap isn't necessary.
          See? I knew there was something I hadn't thought of!

          In answer to your other questions, I tend to leave my desktop on 12 or more hours a day and the server obviously 24/7; the others vary with use. My work laptop - formerly a Windows machine - I shut down every day just because Windows 7 sort of needed it. Now with Linux I have the option, but I rarely use it when not working.

