SSH

From DreamHost
Revision as of 15:32, 16 March 2012 by Scjessey (Talk | contribs)


SSH, or Secure SHell, is a secure alternative to telnet. SSH can be used to securely copy files, access CVS or SVN, manage cron jobs, and use other DreamHost services from the standard Unix command line, also known as the shell. All SSH traffic travels over an encrypted connection rather than in plain text as with telnet. It is strongly recommended that you use SSH rather than telnet.

Note: Before you can log in over SSH, SSH must be enabled for that user. This is a fairly easy process, detailed in the Enabling Shell Access article. Once enabled, log in with: ssh username@server.dreamhost.com

DreamHost SSH Server Software

DreamHost uses OpenSSH software on the server end. It offers some great features for managing user rights and access, as described in this sample chapter of O'Reilly's guide to SSH.

SSH Client Software

Windows is the only commonly-used operating system that does not include a native SSH client. Windows users need to download SSH software separately (see below). Mac OS X and UNIX/Linux users can run the SSH client from any terminal application. To do this, open your terminal, type ssh at the command line and hit enter.

Mac OS X

Mac OS X users can find Terminal at /Applications/Utilities/Terminal.app. Once in a terminal session, follow the instructions under Unix/Linux to initiate a secure shell.

Unix/Linux

Most distributions of UNIX/Linux come with the OpenSSH package. Any terminal application (xterm, Konsole, etc.) can be used to initiate a secure shell:

ssh username@yourdomain.com

Windows

Every Windows SSH client has its own way of being installed and launched, different from the Unix ssh command, but once you've set it up there is no difference in further operations. However, each client is suited to specific (or general) needs; you might like to try them all to see what suits your fancy. Take your pick:

  • Free: WinSCP is an open source free SFTP client for Windows using SSH. Quite easy to use, with a shell-like interface, and can be scripted.
  • Commercial: CWRSYNC is a packaging of rsync and the ssh client with the required cygwin libraries for Windows. It runs on all versions of Windows. Very easy to set up and doesn't need a full cygwin setup.
  • Commercial: SftpDrive adds SFTP support to Windows Explorer and all Windows applications.

And from LinuxMafia.com we have a very thorough list of most of the SSH clients for the Win32 platform:


Note: some of the SSH-based (SSH.com) clients have problems with the Backspace and Delete (and sometimes Home and End) keys.

This seems to be a Linux anomaly more than anything else (in bash, xterm, and vt100), but the workaround is as follows (note that PuTTY isn't affected, but SecureCRT, F-Secure, and SSH, etc. are):

1. Once installed, configure your settings as you like, then locate the key mapping feature of your client.

2. Map your delete, home, and end keys as strings, using the following values (no quotes):

  • Delete: \033[3~
  • Home: \033[1~
  • End: \033[4~


Keep in mind that this is universal for all sites through that particular client - remote access or using another client won't be affected. However, for remote access, use something like PuTTY and your worries are gone.

--Lordkelmain 01:10, 26 Oct 2006 (PDT)


Another method you can use to get your SSH terminal behaving as you want it to is to create a .inputrc file in your home folder (e.g. "cd ~" will take you to your home folder). The .inputrc can hold definitions of standard key mappings. I use the following in mine to enable functionality for the home, end, page up, page down, del, and other keys:

"\e[1~": beginning-of-line
"\e[4~": end-of-line
"\e[5~": beginning-of-history
"\e[6~": end-of-history
"\e[3~": delete-char
"\e[2~": quoted-insert
"\e[5C": forward-word
"\e[5D": backward-word
"\e\e[C": forward-word
"\e\e[D": backward-word

This configuration will be specific to your login user and will work from any machine you SSH into the box from without requiring you to configure your client.

Gaarai 12:21, 10 September 2007 (PDT)

Java

Mindterm from Appgate is a Java-based SSH client that can be embedded into your site. This gives you shell access to any ssh host from any PC with a Java-capable web browser. Mindterm is free for personal use and can be downloaded from here

iPhone

A powerful, free, SSH application is available on the App Store called TouchTerm. For users that need more, a paid version of the same application is available, called TouchTerm Pro. You can read more about this client on the developer's website.

Android

ConnectBot is an SSH application available for free on the Android Market. You can use it to access SSH, Telnet, and local protocols. It should probably work for FTP as well.

If you use ConnectBot, it is highly recommended that your device have a keyboard and a trackball. The T-Mobile G1 is ideal, but the Motorola Droid is perfect for this application since it has a control pad instead of a trackball.

There are a few things you may want to remember when inputting data in ConnectBot. To input some keys, you need to use the following commands.

Key                              Command
CTRL                             Press the trackball once. The cursor will indicate this state with a < symbol. Follow up this command with the key you plan on using with the CTRL character.
ESC                              Press the trackball twice.
SHIFT                            Press the Shift key. The triangle outline will appear on the top part of the cursor indicating it has been pressed.
CAPS LOCK (a.k.a. Shift Lock)    Press the Shift key twice. The solid triangle will appear on the top part of the cursor indicating it has been pressed. Pressing Shift again disables it.
ALT                              Press the Alt key. The triangle outline will appear on the bottom part of the cursor indicating it has been pressed.
ALT LOCK                         Press the Alt key twice. The solid triangle will appear on the bottom part of the cursor indicating it has been pressed. Pressing Alt again disables it.
TAB                              CTRL+I
Function keys (F1 through F10)   Hold down the Shift key and press numbers 1 through 0 to send F1 through F10 respectively.
Page Up and Page Down            Using screen gestures, swipe up and down on the screen respectively.
Arrow Keys                       Move the trackball in the proper direction or press the appropriate directional key on the control pad.
Backslash (\)                    SHIFT+ALT+/
Backtick/Accent Mark (`)         SHIFT+ALT+1 if you put it over a character. SHIFT+ALT+L for the character itself.
Square Brackets ([ ])            SHIFT+ALT+O and SHIFT+ALT+P, respectively.
Curly Braces ({ })               SHIFT+ALT+H and SHIFT+ALT+J, respectively.
Vertical Pipe (|)                SHIFT+ALT+, (comma)
Tilde (~)                        SHIFT+ALT+N if you put it over a character. SHIFT+ALT+K for the character

The best way to find out where the other characters are is to experiment with the SHIFT+ALT command. YMMV.

Passwordless Login

Unix, Linux, Mac OS X, and Cygwin

Users can set up SSH so that they have passwordless ssh access to DreamHost servers. (Please read 'Single Password Logon' for security concerns.)

On your home computer, generate an RSA key pair:

ssh-keygen -t rsa

It will prompt you three times (for the file name, then twice for a passphrase); hit enter to accept the default on all three, which leaves the key without a passphrase.

Next, you must copy your public key to DreamHost's server. Replace user and example.com with your username and domain name, respectively.

scp ~/.ssh/id_rsa.pub user@example.com:~/

Now you must ssh to your account (using your password):

ssh user@example.com

Now append the public key to your authorized keys file and delete the file you uploaded:

mkdir -p .ssh
cat id_rsa.pub >> .ssh/authorized_keys
rm id_rsa.pub

Now make sure permissions are set properly for all necessary files and directories:

chmod go-w ~
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

If everything is configured properly, you should be able to access your DreamHost account through SSH without a password now! For more information, see the man pages for ssh, ssh-keygen, and sshd.
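The append-and-chmod steps above, as an added example that is not DreamHost's own script: it installs the key idempotently (safe to re-run), refuses input that is not a public key, and checks the permission bits that sshd's StrictModes setting enforces. The optional HOME_DIR argument is an assumption added so the functions can be exercised against a scratch directory instead of the real home directory.

```shell
# Added example (not DreamHost's own script): the append-and-chmod steps above
# done idempotently, with the permission bits sshd's StrictModes checks. The
# optional HOME_DIR argument is an assumption added so the functions can be
# exercised against a scratch directory instead of the real home directory.

# install_pubkey PUBKEY_FILE [HOME_DIR]
#   Appends the key to HOME_DIR/.ssh/authorized_keys unless that exact key is
#   already present, then fixes permissions. Returns 1 if PUBKEY_FILE is
#   missing or its first line does not look like an OpenSSH public key.
install_pubkey() {
    key_file=$1
    home_dir=${2:-$HOME}
    auth="$home_dir/.ssh/authorized_keys"
    [ -f "$key_file" ] || return 1
    key_line=$(head -n 1 "$key_file")
    case $key_line in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*) ;;
        *) return 1 ;;
    esac

    # mkdir -p: re-running after ~/.ssh already exists must not fail.
    mkdir -p "$home_dir/.ssh"
    touch "$auth"

    # The key blob is the second field; compare on it so a different trailing
    # comment does not produce a duplicate entry.
    key_blob=$(printf '%s\n' "$key_line" | awk '{print $2}')
    if ! awk -v b="$key_blob" '$2 == b {found=1} END {exit !found}' "$auth"; then
        printf '%s\n' "$key_line" >> "$auth"
    fi

    # sshd ignores authorized_keys when ~ or ~/.ssh is group/world writable.
    chmod go-w "$home_dir"
    chmod 700 "$home_dir/.ssh"
    chmod 600 "$auth"
}

# count_keys [HOME_DIR]: number of key lines currently authorized.
count_keys() {
    grep -c -e '^ssh-' -e '^ecdsa-' "${1:-$HOME}/.ssh/authorized_keys" || true
}

# perms_ok [HOME_DIR]: true when the bits match the chmod steps above.
# (find -perm with an exact octal mode is POSIX; stat -c is GNU-only.)
perms_ok() {
    h=${1:-$HOME}
    [ -n "$(find "$h/.ssh" -prune -perm 700)" ] &&
        [ -n "$(find "$h/.ssh/authorized_keys" -prune -perm 600)" ]
}
```

Run it as `install_pubkey ~/id_rsa.pub` after uploading the key; a second run is a no-op, and `perms_ok` tells you whether sshd will accept the file.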

Single Password Logon

For the security minded: when you run ssh-keygen -t rsa it asks for a passphrase. If you provide one, you will be asked for it whenever the key is used. Add the following lines to your .bash_profile or .profile; you will then be asked for the passphrase only once per login session on the local machine, and subsequent SSH connections will be 'free'.

For Cygwin:

# Use an existing ssh-agent if one was recorded earlier and is still running
if [ -f "${HOME}/.ssh-agent" ]; then
   . "${HOME}/.ssh-agent" > /dev/null
fi
# Otherwise (no PID recorded, or that PID no longer appears in ps) start a new
# agent and save its environment so later shells can reuse it
if [ -z "$SSH_AGENT_PID" ] || [ -z "$(/usr/bin/ps -a | /usr/bin/egrep "^[ ]+${SSH_AGENT_PID}")" ]; then
   /usr/bin/ssh-agent > "${HOME}/.ssh-agent"
   . "${HOME}/.ssh-agent" > /dev/null
fi


For Unix or Linux, try the scripts on this site: Using SSH-Agent

Some systems come with this pre-configured for you!

Please note: the above block only starts the ssh-agent; it will not load a key or store the passphrase until you type

ssh-add ~/.ssh/id_rsa

You will then be prompted for the passphrase, which will be remembered for the rest of your session. I just added the line above to the block within my .bash_profile. That way when I first open my cygwin console I am asked for the password, but never again!

Windows PuTTY

Good instructions on how to setup PuTTY can be found at:

Generate a new key with the PuTTYgen app:

  • Select the SSH2-RSA option (Although SSH2-DSA will work, it has an intrinsic weakness.)
  • Save both the public and the private key somewhere on your computer where you can find them (named key.pub and key.ppk, for instance)

Upload the public key to your DreamHost home directory. PuTTYgen saves the public key in a format that differs from OpenSSH's one-line layout, so after you've copied it to the server you need to convert it with ssh-keygen -i and append the result to authorized_keys with the following command. Use >> instead of > to append to the file instead of overwriting its contents. (If the directory ~/.ssh does not already exist, use an FTP program such as FileZilla to create it. Make sure FileZilla shows hidden files (Server > Force showing hidden files).)

 ssh-keygen -i -f key.pub >> ~/.ssh/authorized_keys
 chmod go-rwx ~/.ssh ~/.ssh/authorized_keys
 rm key.pub

Now that the keys sit on the server (protected from access by others), you can log out and start PuTTY. Make a new connection:

  • In Connection/Data, add your Dreamhost username
  • Connection/SSH/Auth, browse to your private key file (key.ppk)
  • Go back to Sessions, give your Dreamhost machine host name (abc.dreamhost.com), name the session, and click Save to save it

Now, we are going to tell Pageant to authenticate automatically. The PuTTY manual says: "Pageant is an SSH authentication agent. It holds your private keys in memory, already decoded, so that you can use them often without needing to type a passphrase." Fire up Pageant, and:

  • Click Add Key
  • Select your private key file

Now you can double-click the new PuTTY entry to log in, and since Pageant authenticates you in the background, you'll see something like:

 Using username "olleolleolle".
 Authenticating with public key "dsa-key-20060719" from agent
 Linux rossmore 2.4.32-grsec+f6b+gr217+nfs+a32+fuse23+++opt+c6+gr2b-v6.192 #1 SMP Wed Dec 14 17:06:16 PST 2005 i686 GNU/Linux

NOTE: If the PuTTY console responds with "Server refused our key", this may indicate that the public key PuTTYgen saved is not in a form the remote system recognizes for authentication. Refer to: http://www.walkernews.net/2009/03/22/how-to-fix-server-refused-our-key-error-that-caused-by-putty-generated-rsa-public-key/ for instructions on how to convert the public key file to the format the remote server expects.

Common Tasks in SSH

Decompress ZIP Archives - Upload a gazillion files at once - Mini Windows/SSH/Putty tutorial

I won't pretend to be an expert, but I thought I'd save the next person the grief of going through the dramas again. Those who are not entirely comfortable with the *nix world may be a bit intimidated by the 'features' of dreamhost;) Hopefully this will be of help to someone.

With a combination of your favourite FTP client, any tool that can create ZIP files, and Putty, you can upload your entire site in ZIP format and decompress it using Putty. I'm writing this from a Windows mindset but this will also work with other OSs using comparable tools.

First, ZIP up your site, maintaining the directory structure you want, and FTP it to the directory (the sub/domain you've set up in the panel) you want the site decompressed to. I find using a GUI FTP client, so you can see the structure, to be the easiest. So you don't get lost, keep the FTP client window open to use as a road map.

Now run PuTTY, enter the domain, and use your FTP login and password to get in.

You will now have the [server]$ prompt, with [server] being the name of your server, e.g. [goober]$. Now type the following:

 [server]$ ls

You should see a list of your directory/sub/domains.

Now type

 [server]$ cd subdomain.name.com

to [C]hange [D]irectory, except obviously use the name of the directory you want rather than 'subdomain.name.com' :P

Now do...

 [server]$ ls

again. You should see the name of the ZIP file you uploaded:

 [server]$ ls
 filename.zip

Type

 [server]$ unzip filename.zip

(again, use your OWN file name)

The cursor will drop to the next line and depending on how many files are in the zip, it might take a while to pop up the [server]$ prompt again. Be patient. When it does you will have all your files beautifully decompressed, exactly where you want them ;)

You can use your FTP client to check.

Just as a note: depending on what you have done prior to this you might get some warnings. I'll leave these to your creativity. Use your noodle. Try typing unzip -h to get the list of switches. Hopefully you'll get around it.

Good Luck and Enjoy!

Check if your files are correctly uploaded (check for file integrity)

If you have to upload some large files to the server, you might want to check that they were uploaded correctly with no errors. To do that, just create an MD5 file and upload it to the server, in the same folder as the files you want to check. (An MD5 file is a plain text file that contains checksums of your files so their integrity can be verified afterwards; to create it you can use any MD5 tool, like wxChecksums.)

Once you have your MD5 file uploaded, go to your directory with "cd":

 cd xxxxxxx.yourdomain.com/yourdirectory

Then type this to verify all files with the uploaded MD5:

 md5sum -c yourfile.md5

After a few seconds, you'll start seeing a list of the files with an "OK" mark at the end of each line if the file is correct, or "FAILED" if the file is not correct (the upload went wrong).

-- OMA
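The check above, as an added example (not from the page or its author): it builds the checksum manifest the way a tool like wxChecksums would, verifies it with the same -c mode, and pulls out the names that came through damaged. The directory and file contents are constructed. MD5 still catches transfer errors, but it is no longer collision resistant, so the functions take the tool name as a parameter and work unchanged with sha256sum, which shares the -c interface and manifest layout.

```shell
# Added example (not from the page or its authors): builds a checksum manifest
# for a directory of files, verifies it with "md5sum -c" as described above,
# and reports which files came through corrupted. Files and directories are
# constructed in a scratch location. MD5 still detects transfer errors, but it
# is no longer collision resistant, so TOOL may also be sha256sum, which shares
# the same "-c" interface and manifest layout.

# make_manifest TOOL DIR OUT: checksum every regular file directly in DIR,
# recording relative names so the manifest still applies after upload.
make_manifest() {
    tool=$1; dir=$2; out=$3
    : > "$out"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        ( cd "$dir" && "$tool" "$(basename "$f")" ) >> "$out"
    done
}

# verify_manifest TOOL DIR MANIFEST: run the check from inside DIR, because
# the manifest holds relative names. Returns the tool's own status: 0 when
# every line is OK, non-zero when any file FAILED or is missing.
verify_manifest() {
    tool=$1; dir=$2; manifest=$3
    ( cd "$dir" && "$tool" -c "$manifest" )
}

# failed_files TOOL DIR MANIFEST: just the names whose checksum did not match,
# parsed from the "name: FAILED" lines the -c mode prints.
failed_files() {
    tool=$1; dir=$2; manifest=$3
    ( cd "$dir" && "$tool" -c "$manifest" 2>/dev/null ) |
        sed -n 's/: FAILED$//p' | sort
}

# demo: simulate an upload where one file is damaged in transit.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/site"
    printf 'index page\n' > "$tmp/site/index.html"
    printf 'stylesheet\n' > "$tmp/site/style.css"
    make_manifest md5sum "$tmp/site" "$tmp/site.md5"
    printf 'stylesheet (truncated by a bad transfer)\n' > "$tmp/site/style.css"
    verify_manifest md5sum "$tmp/site" "$tmp/site.md5" || true
    echo "Corrupted: $(failed_files md5sum "$tmp/site" "$tmp/site.md5")"
    rm -rf "$tmp"
}

case ${1-} in demo) demo ;; esac
```

Run the script with the argument demo to see the OK/FAILED lines and the extracted name of the damaged file.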

ZIP All Files In A Folder

Let's imagine that you have a folder named "Images" and that you want all the files and subfolders, and the files within those subfolders, to be zipped up in a single file for whatever purpose.

 zip -r filename.zip Images

This will create a file named "filename.zip" in the current folder containing everything that was in the "Images" folder.

Troubleshooting

Directory/filenames which contain non-english/Asian characters show up as ?????? or are corrupt

If your filenames do not show up correctly (which would also prevent you from creating new files and directories with their correct names via the shell), add the following to your .bash_profile file to enable UTF-8 support:

export LC_ALL=en_US.UTF-8
export LANG=en_US.UTF-8
export LANGUAGE=en_US.UTF-8
export G_FILENAME_ENCODING=UTF-8

Server unexpectedly closed network connection

If you get this error when attempting to SSH (or SFTP/SCP), this can mean your IP has been blocked due to an excessive number of failed login attempts. You will get no notice that this has happened. Contact support and they will remove the block and whitelist your IP address. If you don't know your IP, visit whatismyipaddress.com.

[User] is not in the sudoers group.

Dreamhost does not allow sudo access on shared servers for security purposes, so the sudo command is not available. While many tasks can be accomplished without the use of sudo, if you do need sudo access, you may wish to check out DreamHost PS, where you get full root access!

Idle connections are getting dropped

DreamHost and other ISPs may kill SSH connections that remain idle longer than a certain number of minutes. The fix is simple: set up keep-alives on the client by editing ~/.ssh/config (per user) or /etc/ssh/ssh_config (system-wide, requires root) and adding this:

 Host *
     ServerAliveInterval 15
     ServerAliveCountMax 4

Now the ssh client will ask the server for a sign of life every 15 seconds thus keeping the connection open. As an added bonus, if the server fails to respond 4 times in a row the client gives up and closes the connection itself.

(credit: [1] )

Killed

Running processes via SSH that consume large quantities of memory and/or processor power may lead them to be "Killed" - See Killed

Slow SSH Login

Try to log in with verbose output:

ssh yourusername@yourdomain.com -v

If the connection stalls at "debug1: SSH2_MSG_SERVICE_ACCEPT received", add this to /etc/ssh/sshd_config on the server (as root):

UseDNS no

And restart the service:

/etc/init.d/ssh restart

Problem resolved!


(credit: [2] )

External Links