
ssh

ssh-agent

ssh-agent keeps your unlocked private keys in memory and lets you log in without typing the key's passphrase every time. Normally it is started by the system (here by the desktop session):

1 S kees        7060    7017  0  80   0 -  1517 -      Sep01 ?        00:00:00 /usr/bin/ssh-agent mate-session
0 S kees        9880    7012  0  80   0 -  1517 -      Sep01 ?        00:00:00 /usr/bin/ssh-agent -D -a /run/user/1000/keyring/.ssh

You could start it by hand, but mostly there is no need to.

You add new keys with ssh-add, which can also list the keys currently loaded in the agent:

ssh-add -l
2048 SHA256:eGmmeo13q9NbRQUZguMi1v+kpcxVRWCj9rK9AHNIlCo /home/kees/.ssh/id_rsa (RSA)
3072 SHA256:ofH8FK3LtcnaGpcOIcEGVPqlDHVa6T5kkdhP5sssw1M kees@hoek (RSA)
256 SHA256:BtL7zaxi0qoPaGgDMnDDCTp47o0db5JJ669gwHadOyg kees@hoek (ED25519)
2048 SHA256:ybxPjx3dowYsCsY5W3SU+kXgNoM+Sc2nBncnbG66oMY ssh-key-2020-11-25 (RSA)

These are:

  • my ssh key for hoek
  • my ed25519 key for UVT
  • two other keys I forgot about

However, there are 4 .pub files in my ~/.ssh directory, so the count matches.

Adding a key can be done explicitly (by naming the key file) or implicitly:

ssh-add
Identity added: /home/kees/.ssh/id_rsa (/home/kees/.ssh/id_rsa)

Without arguments it just tries the standard key locations:

  • ~/.ssh/id_rsa
  • ~/.ssh/id_dsa
  • ~/.ssh/id_ecdsa
  • ~/.ssh/id_ed25519
  • ~/.ssh/identity
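The count check above (four keys in the agent, four .pub files on disk) can be done exactly rather than by counting, because `ssh-add -l` prints the same SHA256 fingerprint that `ssh-keygen -l` computes from a .pub file: base64-decode the key blob, SHA-256 it, and base64-encode the digest without padding. The following is an added example, not code from the page: it parses the page's own `ssh-add -l` listing and reconciles it with .pub lines. The .pub lines and the `~/.ssh/...` paths are constructed (the key bytes are filler, not real keys), and `reconcile`, `fingerprint` and `constructed_pub` are names chosen here.

```python
import base64
import hashlib
import re

# One `ssh-add -l` line: "<bits> SHA256:<fingerprint> <comment> (<TYPE>)"
AGENT_LINE = re.compile(r"^(\d+) (SHA256:\S+) (.*) \((\S+)\)$")

# The listing from the page, used as sample input.
PAGE_AGENT_LISTING = """\
2048 SHA256:eGmmeo13q9NbRQUZguMi1v+kpcxVRWCj9rK9AHNIlCo /home/kees/.ssh/id_rsa (RSA)
3072 SHA256:ofH8FK3LtcnaGpcOIcEGVPqlDHVa6T5kkdhP5sssw1M kees@hoek (RSA)
256 SHA256:BtL7zaxi0qoPaGgDMnDDCTp47o0db5JJ669gwHadOyg kees@hoek (ED25519)
2048 SHA256:ybxPjx3dowYsCsY5W3SU+kXgNoM+Sc2nBncnbG66oMY ssh-key-2020-11-25 (RSA)
"""


def parse_agent_listing(text):
    """Parse `ssh-add -l` output into (bits, fingerprint, comment, type) tuples."""
    keys = []
    for line in text.strip().splitlines():
        m = AGENT_LINE.match(line.strip())
        if not m:
            raise ValueError("unrecognised ssh-add -l line: %r" % line)
        bits, fp, comment, ktype = m.groups()
        keys.append((int(bits), fp, comment, ktype))
    return keys


def fingerprint(pub_line):
    """SHA256 fingerprint of a public key line as found in a .pub file.

    The second field is the base64 SSH wire-format blob; ssh hashes that blob
    with SHA-256 and prints the digest base64-encoded with '=' padding removed.
    """
    blob = base64.b64decode(pub_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def _ssh_string(b):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return len(b).to_bytes(4, "big") + b


def constructed_pub(comment, seed):
    """Constructed ssh-ed25519 .pub line for testing only: the 32 'key' bytes are
    hash-derived filler with the right length, not a real key."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(hashlib.sha256(seed).digest())
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode(), comment)


def reconcile(agent_text, pub_lines):
    """Match agent keys to .pub files by fingerprint instead of by count.

    pub_lines maps a path to the contents of that .pub file. Returns which
    files are loaded, which are on disk but not loaded, and which loaded keys
    have no .pub file at all (the 'keys I forgot about' case).
    """
    loaded = {fp for _, fp, _, _ in parse_agent_listing(agent_text)}
    on_disk = {fingerprint(line): path for path, line in pub_lines.items()}
    return {
        "loaded_from_disk": sorted(p for fp, p in on_disk.items() if fp in loaded),
        "on_disk_not_loaded": sorted(p for fp, p in on_disk.items() if fp not in loaded),
        "loaded_unknown": sorted(loaded - set(on_disk)),
    }


def demo():
    # Constructed .pub files keyed by path (paths are placeholders, not the page's).
    pubs = {
        "~/.ssh/id_ed25519.pub": constructed_pub("kees@hoek", b"seed-1"),
        "~/.ssh/id_spare.pub": constructed_pub("spare", b"seed-2"),
    }
    # Pretend the first one is loaded by adding an agent line carrying its fingerprint.
    agent_text = PAGE_AGENT_LISTING + "256 %s kees@hoek (ED25519)\n" % fingerprint(
        pubs["~/.ssh/id_ed25519.pub"]
    )
    return reconcile(agent_text, pubs)


if __name__ == "__main__":
    for label, items in demo().items():
        print(label, items)
```

On a real machine you would fill `pub_lines` from `glob.glob(os.path.expanduser("~/.ssh/*.pub"))` and `agent_text` from `subprocess.run(["ssh-add", "-l"], capture_output=True, text=True).stdout`; any entry under `loaded_unknown` is a key the agent holds that does not correspond to a file in `~/.ssh`, which is worth tracking down.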

ssh forwarding

ssh has options to forward a port from localhost to a remote host (-L) and vice versa (-R). The basic operation is as follows: map port 8888 on your localhost to the web server on another host (othermachine):

map localhost:8888 to othermachine:80
localhost> ssh -L 8888:localhost:80 othermachine

Now when you open your browser on your local machine with the URL http://localhost:8888 you get the website on othermachine. This does not, however, work from other machines: if your machine is mymachine, http://mymachine:8888 fails to give the correct website, because by default -L binds the forwarded port to the loopback address only. You can do the same in the opposite direction, on the host othermachine, with the -R option (again your local machine is mymachine):

same but done on the other machine (othermachine)
othermachine> ssh -R 8888:localhost:80 mymachine

Both involve a 'normal' login over which all extra traffic is tunnelled, so for the lifetime of the tunnel you have a login session just like a normal ssh login, and terminating that login terminates the tunnel. So beware: this is not port forwarding in the iptables sense. You do not assign a port.

An example: I would like to reach the port of othermachine whenever I open the URL from anywhere in the world. This means forwarding all traffic on that port to port 80 on othermachine, which requires at least an ssh tunnel from obelix (8989:localhost:80) to othermachine. That way you can open http://localhost:8989 on obelix itself and it will work. But what about the rest of the world? See the next sections for an attempt:
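The reason the forward works on localhost but not from mymachine or "the rest of the world" is the bind address of the listening side: `ssh -L` accepts `[bind_address:]port:host:hostport`, and with no bind address it listens on loopback only; `*` or `0.0.0.0` (or `ssh -g`) listens on every interface, and for `-R` the remote sshd additionally ignores a non-loopback bind unless `GatewayPorts` is set there. The following added example (not code from the page) makes that concrete: it parses forwarding specs, classifies who can reach the resulting port, and runs a small user-space relay that does on the client side what `-L` does, minus the ssh encryption, against a constructed stand-in for the web server on othermachine. `parse_forward_spec`, `exposure`, `start_forwarder` and the fake server are names and scaffolding chosen here; the spec parser assumes hostnames or IPv4 literals (no bare IPv6 addresses containing colons).

```python
import socket
import threading

LOOPBACK = {"", "localhost", "127.0.0.1", "::1"}
WILDCARD = {"*", "0.0.0.0", "::"}
# How the relay below translates ssh's bind-address spellings into socket binds.
BIND_FOR = {"": "127.0.0.1", "localhost": "127.0.0.1", "*": "0.0.0.0"}


def parse_forward_spec(spec):
    """Split an ssh -L/-R argument of the form [bind_address:]port:host:hostport.

    Returns (bind_address, port, host, hostport); bind_address is "" when the
    spec omitted it, which is ssh's loopback-only default for -L.
    Assumption: bind_address and host contain no ':' (no bare IPv6 literals).
    """
    parts = spec.split(":")
    if len(parts) == 3:
        bind_address = ""
        port, host, hostport = parts
    elif len(parts) == 4:
        bind_address, port, host, hostport = parts
    else:
        raise ValueError("expected [bind_address:]port:host:hostport, got %r" % spec)
    return bind_address, int(port), host, int(hostport)


def exposure(bind_address, direction="L", gateway_ports=False):
    """Describe who can reach the forwarded port.

    -L binds on your own machine: no bind address (or localhost) means only
    local processes can connect, which is why mymachine:8888 fails from
    elsewhere. -R binds on the remote sshd, which forces loopback unless
    GatewayPorts is 'yes' or 'clientspecified' in its sshd_config.
    """
    if bind_address in LOOPBACK:
        return "loopback-only"
    if direction == "R" and not gateway_ports:
        return "loopback-only (GatewayPorts off on remote sshd)"
    if bind_address in WILDCARD:
        return "all-interfaces"
    return "interface %s" % bind_address


def start_forwarder(bind_address, port, target):
    """Listen on (bind_address, port) and relay bytes both ways between each
    accepted client and a fresh TCP connection to target=(host, hostport).
    Returns the listening socket; port 0 lets the OS pick a free port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((BIND_FOR.get(bind_address, bind_address), port))
    listener.listen()

    def pump(src, dst):
        # Copy until src hits EOF, then pass the EOF on as a half-close.
        try:
            while True:
                chunk = src.recv(4096)
                if not chunk:
                    break
                dst.sendall(chunk)
        except OSError:
            pass
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

    def accept_loop():
        while True:
            try:
                client, _ = listener.accept()
            except OSError:
                return
            upstream = socket.create_connection(target)
            threading.Thread(target=pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=pump, args=(upstream, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return listener


def start_fake_webserver():
    """Constructed stand-in for port 80 on othermachine: reads the request and
    answers every connection with a fixed HTTP response. Returns (host, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen()
    body = b"hello from othermachine\n"
    response = b"HTTP/1.0 200 OK\r\nContent-Length: %d\r\n\r\n%s" % (len(body), body)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.recv(4096)
                conn.sendall(response)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


def fetch_through(forwarder):
    """Connect to the forwarder's own address, as a browser opening
    http://localhost:8888 would, and return everything the far side sent."""
    with socket.create_connection(forwarder.getsockname()) as s:
        s.sendall(b"GET / HTTP/1.0\r\n\r\n")
        s.shutdown(socket.SHUT_WR)
        return b"".join(iter(lambda: s.recv(4096), b""))


def demo():
    """Same shape as `ssh -L 8888:localhost:80 othermachine`, with port 0 so the
    OS picks the local port. Returns (address the relay bound to, response)."""
    web = start_fake_webserver()
    bind_address, _, _, _ = parse_forward_spec("8888:localhost:80")
    fwd = start_forwarder(bind_address, 0, web)
    return fwd.getsockname()[0], fetch_through(fwd)


if __name__ == "__main__":
    addr, reply = demo()
    print("relay bound to", addr, "->", exposure(""))
    print(reply.decode())
```

The relay binds to 127.0.0.1 when the spec has no bind address, mirroring ssh, which is exactly why a browser on mymachine can reach it and one on another host cannot. Opening the port up is a deliberate choice (`-L 0.0.0.0:8888:localhost:80` or `-g`), and for `-R` it is a decision the remote sshd's administrator makes through `GatewayPorts`, not one the client can take alone.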