daniele


Daniel Einspanjer's journal

Data warehousing, ETL, BI, and general hackery


SSH magic
I use SSH on a daily basis. Most of the machines I connect to can be accessed in one of two ways:
  1. OpenSSL VPN
  2. SSH to a jumphost then SSH from there to the desired machine

I wanted to share the configuration I use to make that easier.

My Bash Aliases
These aliases make it easy for me to do a few useful things quickly:
  • SSH to the vpn box with or without SSH compression
  • Run the omnitty terminal multiplexer to be able to interactively work with a cluster of machines
  • SSH to a particular machine and resume a screen session with my SSH agent variables fixed so I can connect to other machines with my pubkey properly.

$ cat .bash_aliases
#!/bin/bash
alias vpn='ssh vpn'

# VPN with compression (useful when on cellular modem)
alias zvpn='ssh -C vpn'

# omnitty doesn't work well inside screen so this is a separate alias for running it.
alias omnicluster=' ssh -t vpn "ssh -t cluster01 \"omnitty -W 15 -T 125\""'

alias h01=' ssh -t vpn "ssh -t cluster01 \"/home/me/bin/grabssh; screen -xRR\""'
alias h02=' ssh -t vpn "ssh -t cluster02 \"/home/me/bin/grabssh; screen -xRR\""'
alias h03=' ssh -t vpn "ssh -t cluster03 \"/home/me/bin/grabssh; screen -xRR\""'
alias h04=' ssh -t vpn "ssh -t cluster04 \"/home/me/bin/grabssh; screen -xRR\""'
alias h05=' ssh -t vpn "ssh -t cluster05 \"/home/me/bin/grabssh; screen -xRR\""'
alias h06=' ssh -t vpn "ssh -t cluster06 \"/home/me/bin/grabssh; screen -xRR\""'


My SSH Config
This config sets up several important SSH features:
ControlMaster
The ControlMaster feature lets you share a single SSH connection among multiple SSH sessions to the same server. Since all of my sessions go through my VPN jumphost, this makes all my sessions a little snappier, since they aren't each doing their own encryption etc.
ServerAliveInterval
If I suspend my laptop or otherwise lose connectivity, this option makes sure that my SSH connections terminate rather than hanging for an annoyingly long time.
ForwardAgent
Some of the machines I connect to use pubkey and some of my other machines don't. I can configure which groups of machines should use it.
User
Same as above. On some machines, I need to log in as a different user. Specifying it here means I don't have to remember to type ssh user@host all the time.

HostName
I can give a short, easy machine name alias here so I don't have to type the FQDN everywhere else.


$ cat config
Host othercluster*
ForwardAgent=yes
User metrics

Host vpn
ForwardAgent=yes
ProxyCommand none
# ControlMaster is magic that lets you re-use one SSH connection when you connect to the same machine multiple times.
# Since all my connections to the servers I use go through vpn, if I use ControlMaster on vpn, I only have one encrypted tunnel
# that all the connections to the different servers use. This actually makes it feel much snappier to connect and use them remotely.
ControlMaster auto
ControlPath=~/.ssh/%r@%h:%p
HostName my-vpn.domain.net

Host *.domain.net *.domain.com vpn cluster*
ForwardAgent=yes
# Magic so I don't try to use my machine username by default.
User otherusername

# ProxyCommands ended up being a bit flaky in combination with ControlMaster so I'm just using raw bash aliases instead now.
#Host cluster??
# ProxyCommand ssh -t vpn "ssh cluster%h"

Host *
# ServerAliveInterval makes sure that if I close my laptop or lose my net connection, the SSH session doesn't "hang" but rather returns me to a command prompt.
ServerAliveInterval 15
IdentityFile=~/.ssh/id_dsa


My grabssh Script
Found this script on Sam Rowe's website. It lets me update my SSH agent environment variables so an existing screen session can still connect to other machines with pubkey authentication.
$ cat grabssh
#!/bin/bash
# This magic script helps when using SSH to connect to a preexisting Screen session. If grabssh is run
# before the screen session is reconnected, then you can run the generated "fixssh" script inside of Screen and it
# will update your SSH agent variables so that you can ssh to other machines without a problem.
SSHVARS="SSH_CLIENT SSH_TTY SSH_AUTH_SOCK SSH_CONNECTION DISPLAY"

for x in ${SSHVARS} ; do
(eval echo $x=\$$x) | sed 's/=/="/
s/$/"/
s/^/export /'
done 1>/home/me/bin/fixssh
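
A variant of the grabssh idea above, added here as an example and not taken from the original post or from Sam Rowe's script: it single-quotes each value so that spaces, quotes or `$(...)` in a variable cannot change what fixssh does when sourced, creates the file mode 0600 because it names the agent socket, and emits `unset` for variables the new login does not have. The function names and the output path argument are assumptions.

```shell
#!/bin/sh
# Added example, not the original grabssh. Paths are the caller's choice.

# Wrap a value in single quotes for re-reading by a shell; ' becomes '\''.
sq_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Write export/unset lines for the SSH session variables to the file $1.
write_fixssh() {
    out=$1
    tmp="$out.$$"
    (
        umask 077   # file names the agent socket; create it mode 0600
        for name in SSH_CLIENT SSH_TTY SSH_AUTH_SOCK SSH_CONNECTION DISPLAY; do
            eval "is_set=\${$name+x}"      # names come from the fixed list above
            if [ -z "$is_set" ]; then
                # Not set in this login: clear any stale copy inside screen.
                printf 'unset %s\n' "$name"
                continue
            fi
            eval "value=\$$name"
            printf 'export %s=%s\n' "$name" "$(sq_quote "$value")"
        done > "$tmp"
    ) && mv -f "$tmp" "$out"   # rename so a reader never sees a partial file
}

# Run as a script: ./grabssh-safe /path/to/fixssh
if [ "$#" -gt 0 ]; then
    write_fixssh "$1"
fi
```

Inside the resumed screen session, source the generated file (`. /path/to/fixssh`) in each window that needs the refreshed agent socket.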

for x in ${!SSH_*} do echo export "$x='$!x'" done >/home/me/bin/fixssh

Nice! That is a lot cleaner than my current grabssh script. :)

Whoops, there's a typo or two in there, and it formatted badly. Let me try again:
for x in ${!SSH_*}; do echo export "$x='${!x}'"; done > /home/me/bin/fixssh

Screen? Save Session?

(Anonymous)

2010-08-26 07:44 pm (UTC)

Omnitty not playing well with screen is a problem for me, since I use screen mostly for preserving sessions between disconnects without having to nohup everything. Is there any way to get it to play nicely with screen?

Also, can you save a session configuration? Adding 40 servers each time omnitty starts is a real pain.

Re: Screen? Save Session?

daniele

2010-08-26 08:41 pm (UTC)

I think to get it to play nice, someone needs to port it to use the new replacement library for rote.

As far as configuration, you can write a file that consists of a line with the username@hostname for each server you want to connect to, then import that file by running omnitty, hitting F5, then using @/path/to/file
