jasondenning

Better SSH Authorized Keys Management

A seemingly common problem that people encounter is how to handle all of your users authorized_keys file.

People struggle over management, ensuring that users only have specific keys in the authorized_keys file or even a method for expiring keys. A centralized key management system could help provide all of this functionality with a little scripting.

One piece of functionality overlooked in OpenSSH is the AuthorizedKeysCommand configuration keyword. This configuration allows you to specify a command that will run during login to retrieve a users public key file from a remote source and perform validation just as if the authorized_keys file was local.

Here is an example directory structure for a set of users with SSH public keys that can be shared out via a web server:

jasondenning

SSH agent forwarding and screen

When connecting to a remote server via SSH it is often convenient to use SSH agent forwarding so that you don't need a separate keypair on that server for connecting to further servers.

This is enabled by adding the

ForwardAgent yes

option to any of your Host entries in ~/.ssh/config (or alternatively with the -A option). Don't set this option in a wildcard Host * section since any user on the remote server that can bypass file permissions can now als use keys loaded in your SSH agent. So only use this with hosts you trust.

jasondenning

Exposing your clipboard over SSH

I frequently administer remote servers over SSH, and need to copy data to my clipboard. If the text I want to copy all fits on one screen, then I simply select it with my mouse and press CMD-C, which asks relies on m y terminal emulator (xterm2) to throw it to the clipboard.

This isn't practical for larger texts, like when I want to copy the whole contents of a file.

If I had been editing large-file.txt locally, I could easily copy its contents by using the pbcopy command:

jasondenning

The fastest remote directory rsync over ssh archival I can muster (40MB/s over 1gb NICs)

This creates an archive that does the following:

rsync (Everyone seems to like -z, but it is much slower for me)

• a: archive mode - rescursive, preserves owner, preserves permissions, preserves modification times, preserves group, copies symlinks as symlinks, preserves device files.
• H: preserves hard-links
• A: preserves ACLs

jasondenning

#!/bin/bash
# ssh-multi
# D.Kovalov
# Based on http://linuxpixies.blogspot.jp/2011/06/tmux-copy-mode-and-how-to-control.html

# a script to ssh multiple servers over multiple tmux panes


starttmux() {
    if [ -z "$HOSTS" ]; then

jasondenning

GPG subkeys marked with the "authenticate" capability can be used for public key authentication with SSH. This is done using gpg-agent which, using the --enable-ssh-support option, can implement the agent protocol used by SSH.

Requirements

A working gpg2 setup is required. It may be possible to use gpg 1.4 but with gpg-agent compiled from gpg2. If you are using OS X 10.9 (Mavericks) then you may find the instructions [here][1] useful.

jasondenning

Keybase proof

I hereby claim:

• I am jasondenning on github.
• I am jasondenning (https://keybase.io/jasondenning) on keybase.
• I have a public key ASCIP0gjGiqhjx0guMp50sSN2Jh3yvlG-6nNayxZBQBsiwo

To claim this, I am signing this object:

jasondenning

#!/bin/bash

TMUX_VERSION="2.1"
LIBEVENT_VERSION="2.0.20"
NCURSES_VERSION="6.0"

# Script for installing tmux on systems where you don't have root access.
# tmux will be installed in $HOME/local/bin.
# It's assumed that wget and a C/C++ compiler are installed.