SSHing for fun and profit
I'm sure you've heard all the cool kids talking about SSH in the cafeteria during lunch, but you had no idea what it was. Be ignorant no more, because Devanshu Mehta is writing a series of posts about using SSH for Apple Matters. The first in the series explains the basics of SSH and what you'll need to set up before you can start securely tunneling like a spy.
Here's the really short explanation of SSH: it allows you to create secure connections between two computers. The protocol is a standard, so you can SSH into almost any kind of computer, assuming it is running SSH and you have the proper credentials.
I'll be keeping my eye out for the upcoming parts in this series, because who can't use some more secure connections in their life?

Reader Comments (Page 1 of 1)
nano said 4:59PM on 5-05-2008
it took me a while to figure out what ssh really was and how to do it. yeah i know i know. i just heard misinformation that kept throwing me off.
this will be good for some.
Aron T said 5:23PM on 5-05-2008
SSH FTW!
I use it daily - I have an automator workflow that I drop files onto which copies them to the downloads directory of my mac mini @home.
I also have an applescript to mount/unmount an sshfs volume on the same mac mini if I need read/write access.
Ps, One should also be compelled to visit here: http://tinyurl.com/5hlz9a (not blog spam, I promise) and look at the instructions for setting up keys and aliases so SSH'ing is as easy as "ssh server".
Pat said 5:36PM on 5-05-2008
To follow-on to Aron T's comment, once you have ssh figured out you'll probably fall in love with sshfs. Basically, if you can ssh to a computer, then you can mount that computer as a drive on your Mac.
I'm a big fan of the MacFUSE sshfs which can be found here:
http://code.google.com/p/macfuse/wiki/MACFUSE_FS_SSHFS
Adam said 5:48PM on 5-05-2008
If you want something that'll really bake your noodle, you can use an SSH connection as a full SOCKS proxy to dodge frustrating port restrictions or just get yourself some easy encryption when you're surfing from public places. It's kinda like magic, but the cool kind, not the kind your great uncle does with the quarter.
ssh -D username@server
You've now got a SOCKS proxy running on your localhost:9999. Hicka bicka boo.
I gotta imagine that this is what our AppleMatters guy will get to in the end. He'll probably talk about specific port tunneling as well, which is also supremely useful, but the SOCKS proxy thing really shook the foundations of my worldview.
Adam said 5:50PM on 5-05-2008
Sigh. I used angle brackets. Command is:
ssh -D 9999 username@server
You can change that 9999 to whatever you like, it's the port number of your local proxy.
Aron T said 9:48AM on 5-06-2008
Further, if you throw in a "-N", making it ssh -ND 9999 username@server, you can obviate the need to actually open a terminal session on the remote server. This is useful if you're going to be rolling up some scripts or whatever and you don't want hanging term sessions.
brian said 11:11AM on 5-06-2008
Great tips guys. I *finally* got around to doing this. Details and screenshots of browser settings here:
http://lifehacker.com/software/ssh/geek-to-live--encrypt-your-web-browsing-session-with-an-ssh-socks-proxy-237227.php
Trimalchio said 5:57PM on 5-05-2008
Can you guys talk about how to do ssh tunneling for the apple vnc server? I just have it checked on and I can get to it with just the vnc password which I hear is very insecure. A simple step by step tutorial might help plenty of people out, especially those that are too lazy to figure it out :D
jus10 said 8:00AM on 5-06-2008
You want the -L command:
ssh -L (port-on-client):host:(remoteport) example.org
or in the case of VNC running on example.org port 5900
ssh -L 5900:localhost:5900 example.org
What that says is "connect to example.org and redirect port 5900 on localhost(example.org) to the ssh client's localhost on port 5900".
Then on the client machine just VNC to localhost and everything will magically flow across the ssh tunnel.
Aron T said 9:59AM on 5-06-2008
Don't forget to close port 5900 from the outside once you have done that - because you'll be tunneling directly in you won't need that port open.
For further security you can change the default listening port of ssh to something not obvious to attackers. The default port is 22, so you could use 2222 and when someone tries to ssh to your server on the default port they'll just hit a wall.
To do that edit your ssh_config file using your Terminal:
1) sudo vi /etc/sshd_config
1a) To enter insert mode press "i"
2) Look for this line: "#Port 22"
3) Change it to be like this "Port 2222"
4) Save your changes and close vi.
4a) To exit insert mode press ESC
4b) To save type ":wq" and hit ENTER
5) Restart sshd using preferences and BLAM!
For future connections you'll have to add "-p 2222" to tell your ssh client to connect using port 2222.
Ps, I accept no responsibility if you screw something up. But if you have questions post them here, I or someone else will answer them.
Justin said 10:30AM on 5-06-2008
To address what Aron said above, you won't have to firewall local port 5900 unless you use the -g flag to ssh. This flag allows hosts other than your own to connect to your port. So your tunnels are inherently safe from other machines if you don't use this flag.
Trimalchio said 10:57AM on 5-06-2008
When I tried this I ran into some issues, but figured out the solutions. (I had a vnc server running on the client box too, so it was saying "bind: Address already in use" which I fixed by just turning off vnc on the client, but I know I could've changed the client port to something else and just connected vnc to localhost:5909 or whatever I chose.)
Thanks for the directions, I'm gonna make this into a script so I can do this fast.
And Aron, thanks for the instructions on how to change my ssh port, I'm gonna have to do that too, partly for this but also because I have an internet-facing IP and I always get a lot of failed attempts to log in to root on my machine.
Thanks for all the help!
Trimalchio said 5:05PM on 5-06-2008
Justin, I think that he meant firewalling off 5900 on the server side. Along with switching the port for ssh, which should help with the sshd hang that I've been experiencing.
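The SOCKS proxy (`-D`, `-N`) and VNC (`-L`) tunnels from the two threads above, as an added script that is not code from any commenter: it binds each forward to 127.0.0.1 explicitly and steps past a busy local port, the "bind: Address already in use" case. The function names are made up for this example, and it assumes bash and an OpenSSH client.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread. Function names are made up here;
# hosts, users and ports are the ones used in the comments above.

# True if something already accepts connections on 127.0.0.1:$1
# (the cause of "bind: Address already in use"). Needs bash for /dev/tcp.
port_in_use() {
    (exec 3<>"/dev/tcp/127.0.0.1/$1") 2>/dev/null
}

# Print the first free local port in the 20 ports starting at $1.
pick_local_port() {
    local port=$1 last=$(( $1 + 20 ))
    while [ "$port" -lt "$last" ]; do
        if ! port_in_use "$port"; then
            echo "$port"
            return 0
        fi
        port=$(( port + 1 ))
    done
    return 1
}

# Print the ssh arguments for one forward:
#   tunnel_args socks <local_port> <user@server>
#   tunnel_args local <local_port> <remote_port> <user@server>
tunnel_args() {
    # -N: no remote shell. ExitOnForwardFailure: quit if the port cannot be bound.
    local common="-N -o ExitOnForwardFailure=yes"
    case $1 in
        # An explicit 127.0.0.1 keeps the listener off other interfaces.
        socks) echo "$common -D 127.0.0.1:$2 $3" ;;
        local) echo "$common -L 127.0.0.1:$2:localhost:$3 $4" ;;
        *) echo "unknown forward kind: $1" >&2; return 2 ;;
    esac
}

# Open the VNC tunnel to <user@server>, moving off 5900 if a local VNC
# server already holds it. Runs until interrupted with Ctrl-C.
vnc_tunnel() {
    local lport
    lport=$(pick_local_port 5900) || { echo "no free local port" >&2; return 1; }
    echo "point the VNC client at localhost:$lport" >&2
    # Unquoted on purpose: the argument string must split into words.
    ssh $(tunnel_args local "$lport" 5900 "$1")
}

# Show the SOCKS proxy command without running it.
echo "ssh $(tunnel_args socks 9999 username@server)"
```

Source the file and run `vnc_tunnel example.org` to open the tunnel; nothing connects until that function is called.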
fabianjaeger said 6:25PM on 5-05-2008
For those of you who don't like to fight with the terminal: Try Shimo 2.0 - it comes with full tunnel support with SSH!
--> http://www.nexumoja.org/projects/Shimo2/
David Lawrence said 10:21PM on 5-05-2008
Interarchy is another excellent GUI SSH client for OSX:
http://nolobe.com/interarchy/
Justin said 5:14AM on 5-06-2008
I have to make a quick plug for my nearly-released SSH tunnel managing app, Meerkat:
http://codesorcery.net/meerkat/
You can check out some screenshots in these posts:
http://codesorcery.net/category/meerkat/
If anyone would like to test it and provide some useful feedback, I'd be happy to add you to the beta testing.
Aron T said 10:05AM on 5-06-2008
Your app looks really solid from the posts I read. I'd love to be added to the beta group. The application triggers are most intriguing.
Aron T said 10:05AM on 5-06-2008
Your app looks really solid from the posts I read. I'd love to be added to the beta group. The application triggers are most intriguing.
Trimalchio said 11:13AM on 5-06-2008
I would really be interested in trying this application out. It looks like crazy fun! (In fact one of your use case posts is exactly something that I've wanted to do but hadn't figured out how!)
I can't wait till you release it! It sounds like it's perfect for my uses!
Aron T said 10:06AM on 5-06-2008
Sorry for the double post TUAW overlords.