SSH


Historical introduction

This notebook has been automatically translated to make it accessible to more people; please let me know if you see any typos.

In the early days of the Internet, the telnet protocol was created to log in to remote computers, but it had a serious problem: nothing was encrypted, not even the password, so anyone sitting on the path between the two machines could read the whole session. SSH (Secure Shell) was created to replace it with a channel that is both encrypted and authenticated.

SSH encryption

SSH is built on public-key cryptography. A key pair consists of a public key, which you can hand to anyone, and a private key, which only you may possess. The two are mathematically linked: what is done with one can only be undone or checked with the other. A signature produced with the private key can be verified by anyone holding the public key, and data encrypted to the public key can only be decrypted with the private key.

It is worth being precise about how SSH uses this, because the session traffic itself is not encrypted with either key. A connection has three parts:

  • Key exchange. Client and server run a Diffie-Hellman exchange (today normally the elliptic-curve variant, curve25519-sha256) and agree on a fresh shared secret that never crosses the wire. From it they derive symmetric keys, and everything after that is encrypted and integrity-protected with a symmetric cipher such as AES-GCM or ChaCha20-Poly1305, which is far faster than public-key operations.
  • Server authentication. The server signs the key exchange with its host key and the client verifies that signature with the host's public key. That public key is what your client stores in ~/.ssh/known_hosts, and it is how you know you are talking to the right machine and not to someone in the middle.
  • Client authentication. You prove who you are with a password or, better, with your own key pair: the server sends a challenge, your client signs it with your private key, and the server verifies the signature against the public key it has in ~/.ssh/authorized_keys.

So, in practice, the public key is the one you copy to every machine you want to log in to, and the private key is the secret that proves it is you; it should never leave your computer.

SSH requirements

SSH service

To accept SSH connections a machine needs the SSH server (the sshd service). On most Linux distributions it is either preinstalled or one package away; on Debian and Ubuntu you install it with

    apt install openssh-server

During the installation you may be prompted for your location so that the time zone can be set.

We then enable the service so that it starts on every boot, and start it right away (on Debian and Ubuntu the unit is called ssh; on most other distributions it is sshd):

    systemctl enable --now ssh

SSH client

Once the service is running on the machine you want to reach, you need a client on the machine you connect from. On Linux it is almost always installed already, but if it is not:

    apt install openssh-client

SSH connection

To connect via SSH, run ssh <user>@<host>, where <host> is an IP address or a DNS name. If the server does not listen on the default port 22, add -p <port>.

    ssh root@172.17.0.1

    The authenticity of host '172.17.0.1 (172.17.0.1)' can't be established.
    ECDSA key fingerprint is SHA256:M+qsqSC4HiYztm1ij8iDkh9KHJz+pxrTm9GTZIf2N9k.
    Are you sure you want to continue connecting (yes/no/[fingerprint])?

The first time you connect, the client has never seen this server's host key, so it shows you the key's fingerprint and asks whether to trust it. If you answer yes, the key is stored in ~/.ssh/known_hosts and on every later connection the client checks that the server still presents the same key. If it ever differs, ssh prints a loud "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!" and refuses to continue, because either the server was reinstalled or somebody is impersonating it (a man-in-the-middle attack). The safe way to answer the first prompt is not to type yes blindly but to compare the fingerprint with one obtained out of band: on the server's own console run ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub (or the _ed25519 file, depending on which key type the prompt shows), or read it from your hosting provider's panel. You can also paste the expected fingerprint at the prompt instead of yes, and ssh will compare it for you.

If we trust it, we type yes.

    ssh root@172.17.0.1

    The authenticity of host '172.17.0.1 (172.17.0.1)' can't be established.
    ECDSA key fingerprint is SHA256:M+qsqSC4HiYztm1ij8iDkh9KHJz+pxrTm9GTZIf2N9k.
    Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
    Warning: Permanently added '172.17.0.1' (ECDSA) to the list of known hosts.
    root@172.17.0.1's password:

Next, the machine we are connecting to asks for the user's password; we type it and we are in.

    ssh root@172.17.0.1

    The authenticity of host '172.17.0.1 (172.17.0.1)' can't be established.
    ECDSA key fingerprint is SHA256:M+qsqSC4HiYztm1ij8iDkh9KHJz+pxrTm9GTZIf2N9k.
    Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
    Warning: Permanently added '172.17.0.1' (ECDSA) to the list of known hosts.
    root@172.17.0.1's password:
    Welcome to Ubuntu 20.04.5 LTS (GNU/Linux 5.15.0-58-generic x86_64)
    * Documentation: https://help.ubuntu.com
    * Management: https://landscape.canonical.com
    * Support: https://ubuntu.com/advantage
    1 device has a firmware upgrade available.
    Run `fwupdmgr get-upgrades` for more information.
    * Introducing Expanded Security Maintenance for Applications.
    Receive updates to over 25,000 software packages with your
    Ubuntu Pro subscription. Free for personal use.
    https://ubuntu.com/pro
    0 updates can be applied immediately.
    Your Hardware Enablement Stack (HWE) is supported until April 2025.
    Last login: Thu Dec 1 16:32:23 2022 from 127.0.0.1
    root@172.17.0.1:~$
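To make the check behind that prompt concrete, here is a small added example (written for this page, not part of OpenSSH) that computes a host key's SHA256 fingerprint exactly as ssh-keygen -lf prints it and looks a server's key up in a known_hosts file, including the hashed entries that HashKnownHosts yes produces. The key lines it uses are constructed from fixed bytes, not real keys; the host names and addresses are the ones used on this page.

```python
"""Host-key fingerprints and known_hosts lookups, as an added illustration of
what ssh does at the "authenticity can't be established" prompt.

Not OpenSSH code. The public keys below are constructed test data: fixed bytes
wrapped in the ssh-ed25519 wire format, valid in shape but not real keys.
"""
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH wire encoding of a string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_pubkey_line(raw32: bytes, comment: str) -> str:
    """Build a public-key line (as in authorized_keys or known_hosts) from 32 raw bytes.
    Constructed data: a real key would come from ssh-keygen."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint in the format ssh-keygen -lf prints: base64 of
    sha256(key blob), without the trailing '=' padding."""
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    if blob[4:4 + len(key_type)] != key_type.encode():
        raise ValueError("key type in the blob does not match the text")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hashed_hostname(host: str, salt: bytes) -> str:
    """Host field as written by HashKnownHosts yes: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def host_matches(field: str, host: str) -> bool:
    """Does a known_hosts host field (plain, comma-separated or hashed) cover this host?"""
    if field.startswith("|1|"):
        _, _, salt_b64, _ = field.split("|")
        expected = hashed_hostname(host, base64.b64decode(salt_b64))
        return hmac.compare_digest(expected, field)
    return host in field.split(",")


def check_known_host(known_hosts_text: str, host: str, presented_pubkey_line: str) -> str:
    """Classify the key a server just presented: 'match' (connect silently),
    'CHANGED' (ssh refuses: reinstall or man-in-the-middle) or 'unknown' (the prompt)."""
    presented_type = presented_pubkey_line.split()[0]
    presented_fp = fingerprint(presented_pubkey_line)
    for line in known_hosts_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        host_field, key_type, b64 = parts[0], parts[1], parts[2]
        if key_type != presented_type or not host_matches(host_field, host):
            continue
        stored_fp = fingerprint(f"{key_type} {b64}")
        return "match" if hmac.compare_digest(stored_fp, presented_fp) else "CHANGED"
    return "unknown"


# Constructed keys and a known_hosts file in the two formats ssh writes.
KEY_SERVER1 = make_ed25519_pubkey_line(bytes(range(32)), "server1")
KEY_SERVER2 = make_ed25519_pubkey_line(bytes(range(32, 64)), "server2")
KNOWN_HOSTS = "\n".join([
    "# plain entry: one or more names/addresses, comma separated",
    "194.62.99.222,server1 " + " ".join(KEY_SERVER1.split()[:2]),
    "# hashed entry for server2 (HashKnownHosts yes); the salt is constructed",
    hashed_hostname("194.62.99.235", b"\x07" * 20) + " " + " ".join(KEY_SERVER2.split()[:2]),
]) + "\n"
```

fingerprint() gives the same string as ssh-keygen -lf on the corresponding .pub file, so it is what you compare against the prompt. If you want to skip the prompt without weakening the check (on a fleet, in scripts), pre-populate known_hosts with keys obtained out of band and set StrictHostKeyChecking yes, so an unknown or changed key is always an error rather than a question.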

Connection without a password

As we have seen, every connection asks for the password of the destination machine. For a machine we connect to often we can instead authenticate with a key pair, which is both more convenient and more secure than a password: there is nothing to guess or brute-force, and the secret never travels to the server.

To do this we first generate a key pair with ssh-keygen. Without options it generates an RSA key, as below; ssh-keygen -t ed25519 gives a shorter, modern key and is what you should normally use today.

    ssh-keygen

    Generating public/private rsa key pair.
    Enter file in which to save the key (/root/.ssh/id_rsa):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /root/.ssh/id_rsa
    Your public key has been saved in /root/.ssh/id_rsa.pub
    The key fingerprint is:
    SHA256:4HxRXkVkcK5kNXNyzakfQ6t8a24wRGCUYz4s5KL5ZEc root@e108f6f395b3
    The key's randomart image is:
    +---[RSA 3072]----+
    | o+==@.=|
    | +.= * Oo|
    | . + = = + .|
    | o o E * + + |
    | = S . = o o|
    | o + . = o |
    | + . + .|
    | . + |
    | +. |
    +----[SHA256]-----+

As we can see, it first asks where to save the key; if we press Enter it uses the default path (~/.ssh/id_rsa, with the public half in ~/.ssh/id_rsa.pub). Then it asks for a passphrase. The passphrase does not generate the key; it encrypts the private key file on disk, so that someone who copies the file still cannot use it. If you set one you must remember it, and it will be requested every time the key is used: when connecting over SSH you will no longer be asked for the machine's password but for this passphrase. The usual way to avoid typing it on every connection is ssh-agent: run ssh-add once per login session, enter the passphrase once, and the agent answers the servers' challenges for you from then on. A key with no passphrase is convenient but is only as safe as the file itself, so keep it at 0600 permissions and on machines you control.

Then we ask the remote machine to store our public key in its ~/.ssh/authorized_keys with ssh-copy-id <user>@<host>. This is the last time the password is needed: ssh-copy-id logs in with it and appends the key (skipping any key already present).

    ssh-copy-id root@172.17.0.1

    /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
    /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
    /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
    root@172.17.0.1's password:
    Number of key(s) added: 1
    Now try logging into the machine, with: "ssh 'root@172.17.0.1'"
    and check to make sure that only the key(s) you wanted were added.

As suggested, we log in again; this time no password is requested.

    root@103b6040196a:/# ssh root@172.17.0.1

    Welcome to Ubuntu 20.04.5 LTS (GNU/Linux 5.15.0-58-generic x86_64)
    * Documentation: https://help.ubuntu.com
    * Management: https://landscape.canonical.com
    * Support: https://ubuntu.com/advantage
    4 devices have a firmware upgrade available.
    Run `fwupdmgr get-upgrades` for more information.
    58 updates can be applied immediately.
    41 of these updates are standard security updates.
    To see these additional updates run: apt list --upgradable
    New release '22.04.1 LTS' available.
    Run 'do-release-upgrade' to upgrade to it.
    Your Hardware Enablement Stack (HWE) is supported until April 2025.
    Last login: Thu Feb 2 08:05:48 2023 from 172.17.0.2
    (base) root@172.17.0.1:~$
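What ssh-copy-id does on the server is append the public key to ~/.ssh/authorized_keys, skipping keys that are already there, and that file is also where you can limit what a key may do. The following added example (written for this page, not the ssh-copy-id script itself) reproduces that install step, fixes the permissions sshd requires, and builds an entry with the restrict, from= and command= options. The key line, the client address and the backup script path are constructed placeholders.

```python
"""Installing a public key the way ssh-copy-id does, plus the restrictions
you can attach to it in authorized_keys.

Added example for this page, not OpenSSH or ssh-copy-id code. It assumes a
Unix-like host; SAMPLE_PUBKEY is a constructed ed25519-shaped key (all-zero
key bytes), not a real one.
"""
import os
import shutil
import stat
import tempfile
from pathlib import Path
from typing import Dict, Optional, Tuple

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")
# Wire prefix shared by every ssh-ed25519 key, followed by 32 zero key bytes (constructed).
SAMPLE_PUBKEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI" + "A" * 43 + " laptop"


def key_material(line: str) -> Tuple[str, str]:
    """(key type, base64 blob) of an authorized_keys line, skipping options and comment."""
    fields = line.split()
    for i, field in enumerate(fields):
        if field.startswith(KEY_TYPES) and i + 1 < len(fields):
            return field, fields[i + 1]
    raise ValueError("no public key in line")


def restricted_entry(pubkey_line: str, from_pattern: Optional[str] = None,
                     command: Optional[str] = None) -> str:
    """Prefix a key with authorized_keys options. `restrict` disables port, agent
    and X11 forwarding and pty allocation; `from=` limits the client addresses;
    `command=` forces one command (e.g. for a backup-only key)."""
    key_material(pubkey_line)                        # raises if it is not a key line
    options = ["restrict"]
    if from_pattern:
        options.append(f'from="{from_pattern}"')
    if command:
        options.append(f'command="{command}"')
    return ",".join(options) + " " + pubkey_line.strip()


def install_authorized_key(home: Path, entry: str) -> bool:
    """Append `entry` to home/.ssh/authorized_keys unless that key is already
    present (ssh-copy-id does the same de-duplication). Returns True when added.
    Sets the permissions sshd's StrictModes insists on: 700 dir, 600 file."""
    ssh_dir = home / ".ssh"
    ssh_dir.mkdir(mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)
    ak = ssh_dir / "authorized_keys"
    new_key = key_material(entry)
    if ak.exists():
        for line in ak.read_text().splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            try:
                if key_material(line) == new_key:
                    return False
            except ValueError:
                continue
    with ak.open("a") as fh:
        fh.write(entry.rstrip("\n") + "\n")
    os.chmod(ak, 0o600)
    return True


def demo() -> Dict[str, object]:
    """Install the sample key twice into a throwaway home and report what happened."""
    home = Path(tempfile.mkdtemp(prefix="ssh-demo-"))
    try:
        # hypothetical client address and forced command, for illustration only
        entry = restricted_entry(SAMPLE_PUBKEY, from_pattern="188.127.184.59",
                                 command="/usr/local/bin/backup.sh")
        first = install_authorized_key(home, entry)
        second = install_authorized_key(home, SAMPLE_PUBKEY)     # same key, no options
        ak = home / ".ssh" / "authorized_keys"
        return {
            "entry": entry,
            "first_added": first,
            "second_added": second,
            "keys_in_file": ak.read_text().count("ssh-ed25519"),
            "dir_mode": stat.S_IMODE(os.stat(home / ".ssh").st_mode),
            "file_mode": stat.S_IMODE(os.stat(ak).st_mode),
        }
    finally:
        shutil.rmtree(home)
```

demo() returns the entry it wrote and shows that the second install is a no-op. The permission fix matters in practice: with the default StrictModes yes, sshd silently ignores an authorized_keys that is group- or world-writable, and the symptom is simply "still asks for a password". Once key login works, the server-side follow-up is PasswordAuthentication no in sshd_config, which is covered later on this page.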

Running a command on the remote machine over SSH

Often we do not need an interactive shell on the remote machine, just a single command. Anything written after the host is executed there: ssh <user>@<host> <command>. The -t flag additionally allocates a pseudo-terminal on the remote side, which interactive programs (top, an editor, sudo asking for a password) need; for a plain command like ping it is optional, but it does mean that Ctrl-C reaches the remote process instead of only killing the local ssh.

    ssh -t root@172.17.0.1 ping -c 4 google.com

    PING google.com (172.217.168.174) 56(84) bytes of data.
    64 bytes from mad07s10-in-f14.1e100.net (172.217.168.174): icmp_seq=1 ttl=111 time=2.94 ms
    64 bytes from mad07s10-in-f14.1e100.net (172.217.168.174): icmp_seq=2 ttl=111 time=2.55 ms
    64 bytes from mad07s10-in-f14.1e100.net (172.217.168.174): icmp_seq=3 ttl=111 time=2.78 ms
    64 bytes from mad07s10-in-f14.1e100.net (172.217.168.174): icmp_seq=4 ttl=111 time=2.69 ms
    --- google.com ping statistics ---
    4 packets transmitted, 4 received, 0% packet loss, time 3005ms
    rtt min/avg/max/mdev = 2.550/2.739/2.940/0.142 ms
    Connection to 172.17.0.1 closed.

As you can see, the command runs on the remote machine and, when it finishes, the last line tells us the connection has been closed.

SSH as a SOCKS proxy

If you are browsing from a network you do not trust, or one whose firewall blocks some ports, you can send your traffic out through a machine you do control by turning the SSH connection into a SOCKS proxy. The -D <port> flag makes ssh listen on that port on your computer (by default only on localhost) as a SOCKS4/5 proxy; every connection sent to it travels encrypted through the tunnel and leaves from the server. The port number is arbitrary as long as it is free; I will use 9999, so the command is ssh -D 9999 <user>@<host>.

To make the effect visible, before running it I look up my real public IP

    curl ifconfig.me

    188.127.184.59

Now I open the proxy through a server I have set up

    ssh -D 9999 root@194.62.99.222

    Welcome to Ubuntu 22.04.1 LTS (GNU/Linux 5.15.0-53-generic x86_64)
    * Documentation: https://help.ubuntu.com
    * Management: https://landscape.canonical.com
    * Support: https://ubuntu.com/advantage
    System information as of Wed Feb 22 06:08:51 AM UTC 2023
    System load: 0.02978515625
    Usage of /: 11.7% of 24.53GB
    Memory usage: 33%
    Swap usage: 0%
    Processes: 89
    Users logged in: 0
    IPv4 address for eth0: 194.62.99.222
    IPv4 address for eth1: 10.7.0.168
    IPv6 address for eth2: 2a04:3542:8000:1000:d48a:cbff:fefb:5b1
    0 updates can be applied immediately.
    The list of available updates is more than a week old.
    To check for new updates run: sudo apt update
    Last login: Wed Feb 22 06:02:35 2023 from 188.127.184.59
    root@server1:~#

Then I change my computer's proxy settings to use a SOCKS proxy at localhost, port 9999.

[image: proxy ssh]

Now I look at my public IP again, but through the newly configured proxy

    curl -x socks5h://localhost:9999 ifconfig.me

    194.62.99.222

We see that we get the public IP of the server. Note the scheme: socks5h:// tells curl to send the hostname to the proxy, so that DNS resolution also happens on the server; with plain socks5:// curl would resolve ifconfig.me locally first, leaking every name you visit to the untrusted network's resolver. For the same reason it is worth adding -N (no remote shell) when the connection is only used as a proxy, and keeping the listener on localhost rather than binding it to 0.0.0.0, since anyone who can reach the port can use your tunnel.
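Why socks5h matters is easier to see on the wire. The added example below (written for this page; it is not curl's or OpenSSH's code and forwards nothing) runs a fake SOCKS5 server on the loopback interface that implements just enough of RFC 1928 to accept one CONNECT request and record what the client asked for, then performs the client half of the handshake both ways: sending the hostname, as socks5h:// does, and resolving it locally first, as socks5:// does. The destination name internal.example is constructed.

```python
"""Which side resolves DNS when you use a SOCKS5 proxy such as ssh -D.

Added illustration for this page; not curl or OpenSSH code. The fake server
below answers one SOCKS5 CONNECT and records the destination; it never
connects anywhere. Destination names are constructed.
"""
import socket
import struct
import threading
from typing import Dict, Tuple

ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03      # address types from RFC 1928


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes (recv may return fewer)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the socket")
        buf += chunk
    return buf


def fake_socks5_server(listener: socket.socket, seen: Dict[str, object]) -> None:
    """Accept one client, negotiate 'no authentication', parse its CONNECT request."""
    conn, _ = listener.accept()
    with conn:
        ver, nmethods = recv_exact(conn, 2)
        recv_exact(conn, nmethods)                  # methods offered; we pick 0x00 (no auth)
        conn.sendall(b"\x05\x00")
        ver, cmd, _rsv, atyp = recv_exact(conn, 4)
        if atyp == ATYP_IPV4:
            dest = socket.inet_ntoa(recv_exact(conn, 4))
        elif atyp == ATYP_DOMAIN:
            dest = recv_exact(conn, recv_exact(conn, 1)[0]).decode()
        else:
            raise ValueError(f"unsupported ATYP {atyp}")
        port = struct.unpack(">H", recv_exact(conn, 2))[0]
        seen.update({"version": ver, "cmd": cmd, "atyp": atyp, "dest": dest, "port": port})
        # reply: succeeded, bound address 0.0.0.0:0 (a real proxy reports the socket it opened)
        conn.sendall(b"\x05\x00\x00\x01" + bytes(4) + b"\x00\x00")


def socks5_connect(proxy: Tuple[str, int], host: str, port: int, resolve_locally: bool) -> bool:
    """Client side of a SOCKS5 CONNECT. resolve_locally=False is the socks5h://
    behaviour (the proxy resolves the name); True is plain socks5:// (we resolve it
    here, so the name is visible to whoever watches our DNS traffic)."""
    with socket.create_connection(proxy) as s:
        s.sendall(b"\x05\x01\x00")                  # version 5, one method: no auth
        if recv_exact(s, 2) != b"\x05\x00":
            raise ConnectionError("proxy rejected our auth methods")
        if resolve_locally:
            addr = bytes([ATYP_IPV4]) + socket.inet_aton(socket.gethostbyname(host))
        else:
            name = host.encode()
            addr = bytes([ATYP_DOMAIN, len(name)]) + name
        s.sendall(b"\x05\x01\x00" + addr + struct.pack(">H", port))   # CMD=1 CONNECT
        reply = recv_exact(s, 4)                    # VER REP RSV ATYP
        if reply[3] == ATYP_IPV4:
            recv_exact(s, 4 + 2)                    # BND.ADDR + BND.PORT
        return reply[1] == 0x00


def run(host: str, port: int, resolve_locally: bool) -> Dict[str, object]:
    """Start the fake proxy on an ephemeral loopback port, send one request, report."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    seen: Dict[str, object] = {}
    server = threading.Thread(target=fake_socks5_server, args=(listener, seen))
    server.start()
    try:
        seen["resolved_locally_to"] = socket.gethostbyname(host) if resolve_locally else None
        seen["ok"] = socks5_connect(listener.getsockname(), host, port, resolve_locally)
    finally:
        server.join(timeout=5)
        listener.close()
    return seen
```

run("internal.example", 443, resolve_locally=False) records ATYP 3 and the name itself: the proxy, i.e. the SSH server, does the lookup. run("localhost", 22, resolve_locally=True) records ATYP 1 and an IP address, which means the lookup already happened on your side before the tunnel was involved. Browsers have the same switch; in Firefox it is "Proxy DNS when using SOCKS v5".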

Remote graphical applications over SSH

In Linux the graphical interface works as a client-server system: the X server is the program that draws on your screen, and every graphical application is an X client that talks to it. We can take advantage of this to run a program on a remote machine and have its window appear on our screen: with the -X flag, ssh forwards the X11 connection through the tunnel, so the remote application draws on our local X server. The command is ssh -X <user>@<host>, and the server must allow it (X11Forwarding yes in sshd_config, which Ubuntu ships enabled). Be aware that X11 forwarding gives the remote machine access to your display (key strokes, window contents), so only use it with hosts you trust. -X is meant to be the restricted form, subject to the X11 SECURITY extension, and -Y the fully trusted one; note that Debian and Ubuntu set ForwardX11Trusted yes in /etc/ssh/ssh_config, so there -X behaves like -Y unless you change that.

First I log in to my server and install xeyes with sudo apt install x11-apps, then I run it there.

    ssh -X root@194.62.99.222

    Welcome to Ubuntu 22.04.1 LTS (GNU/Linux 5.15.0-53-generic x86_64)
    Last login: Wed Feb 22 06:39:52 2023 from 188.127.184.59
    /usr/bin/xauth: file /root/.Xauthority does not exist
    root@server1:~# sudo apt install x11-apps
    root@server1:~# xeyes

Now the xeyes window opens on my screen, although the process is running on the server, not on my computer.

[image: xeyes]

SSH tunnel (local port forwarding)

As I said, I have set up a server to which I have SSH access.

    ssh root@194.62.99.222

    Welcome to Ubuntu 22.04.1 LTS (GNU/Linux 5.15.0-53-generic x86_64)
    Last login: Wed Feb 22 06:40:58 2023 from 188.127.184.59
    root@server1:~#

I have also set up a second server, server2, which is reachable from server1 but not from my computer.

If I try to reach server2 directly from my computer, the connection fails:

    ssh root@194.62.99.235

    ssh: connect to host 194.62.99.235 port 22: Connection timed out

From server1, on the other hand, server2 is reachable over its private address:

    root@server1:~# ssh root@10.7.2.228

    Welcome to Ubuntu 22.04.1 LTS (GNU/Linux 5.15.0-53-generic x86_64)
    Last login: Wed Feb 22 06:59:01 2023 from 10.7.0.168
    root@server2:~#

So what we build is a tunnel from my computer to server2 that passes through server1. This is local port forwarding, flag -L: ssh opens a listening port on my computer and, every time something connects to it, server1 opens a connection to the destination on my behalf and relays the bytes, encrypted, through the SSH session. You have to give it the port on your computer where the tunnel starts, the destination address as seen from server1 (so a private IP works), the destination port, and finally the machine that creates the tunnel:

    ssh -L <HOST PORT>:<DEST IP>:<TUNNEL PORT> <TUNNEL CREATOR USER>@<TUNNEL CREATOR IP>

The listener binds to 127.0.0.1 by default, so only processes on your computer can use it. If you only want the tunnel and no remote shell, add -N; add -f as well to send ssh to the background.

Let's see it with my example. Server1 has a public IP, call it ip_pub1, to which I have SSH access, and a private IP, ip_priv1, on the same network as server2. Server2 has a public IP, ip_pub2, that I cannot reach over SSH, and a private IP, ip_priv2, on the same network as server1.

First I create the tunnel

    ssh -L host_port:ip_priv2:22 root@ip_pub1

I have created a tunnel to the private IP of server2 (port 22, its SSH service) through the public IP of server1.

Finally, to connect to server2 I connect to localhost on the port I declared in the tunnel, and ssh forwards that to server2's port 22:

    ssh -p host_port root@localhost

Let's see it for real. The IPs of my servers are

  • server1:
    • public IP: 194.62.99.222.
    • private IP: 10.7.0.168.
  • server2:
    • public IP: 194.62.99.235.
    • Private IP: 10.7.2.228.

First I create the tunnel

    ssh -L 2020:10.7.2.228:22 root@194.62.99.222

    Welcome to Ubuntu 22.04.1 LTS (GNU/Linux 5.15.0-53-generic x86_64)
    * Documentation: https://help.ubuntu.com
    * Management: https://landscape.canonical.com
    * Support: https://ubuntu.com/advantage
    System information as of Wed Feb 22 11:13:39 AM UTC 2023
    System load: 0.0
    Usage of /: 13.3% of 24.53GB
    Memory usage: 36%
    Swap usage: 0%
    Processes: 91
    Users logged in: 1
    IPv4 address for eth0: 194.62.99.222
    IPv4 address for eth1: 10.7.0.168
    IPv6 address for eth2: 2a04:3542:8000:1000:d48a:cbff:fefb:5b1
    101 updates can be applied immediately.
    60 of these updates are standard security updates.
    To see these additional updates run: apt list --upgradable
    Last login: Wed Feb 22 09:29:52 2023 from 188.127.184.59
    root@server1:~#

With the tunnel up (this session has to stay open; otherwise use -N -f), I can now reach server2 from my computer through the local port.

    ssh -p 2020 root@localhost

    Welcome to Ubuntu 22.04.1 LTS (GNU/Linux 5.15.0-53-generic x86_64)
    * Documentation: https://help.ubuntu.com
    * Management: https://landscape.canonical.com
    * Support: https://ubuntu.com/advantage
    System information as of Wed Feb 22 11:14:15 AM UTC 2023
    System load: 0.0
    Usage of /: 13.3% of 24.53GB
    Memory usage: 33%
    Swap usage: 0%
    Processes: 90
    Users logged in: 0
    IPv4 address for eth0: 194.62.99.235
    IPv4 address for eth1: 10.7.2.228
    IPv6 address for eth2: 2a04:3542:8000:1000:d48a:cbff:fefb:7f47
    * Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
    just raised the bar for easy, resilient and secure K8s cluster deployment.
    https://ubuntu.com/engage/secure-kubernetes-at-the-edge
    101 updates can be applied immediately.
    60 of these updates are standard security updates.
    To see these additional updates run: apt list --upgradable
    Last login: Wed Feb 22 11:14:16 2023 from 10.7.0.168
    root@server2:~#

Reverse connection (remote port forwarding)

Suppose again that I want to reach server2, but now, for whatever reason, I cannot tunnel through server1. What we can do instead is a reverse connection from server2 itself, via another server.

Suppose there is a third server, server3, that can be reached over SSH from both sides, i.e. both from my computer and from server2. If we can get onto server2 (physically, or because we left the connection running before leaving), we can open a reverse tunnel from server2 to server3 with the -R flag:

    ssh -R <server3port>:localhost:22 root@<IPserver3>

This is the mirror image of -L: the listening port is opened on the remote side (server3), and every connection that arrives at it is carried back through the SSH session to server2 and delivered to localhost:22 there, i.e. to server2's own SSH service. So it enables a path from server3 to server2 that did not exist before. By default sshd binds that listener to server3's loopback interface only (GatewayPorts no), which is what we want: it is reachable from a shell on server3, not from the whole Internet.

Now from my computer I connect to server3, and from server3 I reach server2 with

    ssh -p <server3port> root@localhost

Let's see it with the data from my servers

  • server2:
    • public IP: 194.62.99.235.
  • server3:
    • public IP: 194.62.96.236.

First I make the reverse connection from server2 to server3.

    root@server2:~# ssh -R 2020:localhost:22 root@194.62.96.236

    Welcome to Ubuntu 22.04.1 LTS (GNU/Linux 5.15.0-53-generic x86_64)
    Last login: Wed Feb 22 15:25:58 2023 from 188.127.184.59
    root@server3:~#

Now I connect to server3.

    ssh root@194.62.96.236

    Welcome to Ubuntu 22.04.1 LTS (GNU/Linux 5.15.0-53-generic x86_64)
    Last login: Wed Feb 22 15:12:19 2023 from 188.127.184.59
    root@server3:~#

And now that I am on server3 I connect to server2.

    root@server3:~# ssh -p 2020 root@localhost

    Welcome to Ubuntu 22.04.1 LTS (GNU/Linux 5.15.0-53-generic x86_64)
    Last login: Wed Feb 22 15:12:07 2023 from 188.127.184.59
    root@server2:~#

Success! From my computer I cannot connect directly to server2, but by connecting to server3 I have been able to reach server2 thanks to the reverse connection I had made from server2 to server3.

Jump host

Finally, another way to get into server2 is to log in to server1 and, from there, log in to server2. Doing it by hand is cumbersome (one SSH session to server1, then another to server2, and your key would have to be available on server1 or forwarded there), so the -J (jump) flag does it in one go: ssh -J server1 server2. ssh connects to server1, asks it to open a TCP connection to server2, and then runs the complete SSH handshake with server2 through that channel, so you authenticate to server2 end to end, your private key never leaves your computer, and server1 only sees encrypted traffic.

In summary, by hand we would do ssh root@194.62.99.222 and then ssh root@10.7.2.228 (from inside server1 we reach server2 through its private IP).

So we can do everything in one step with ssh -J root@194.62.99.222 root@10.7.2.228

Let's try

    ssh -J root@194.62.99.222 root@10.7.2.228

    Welcome to Ubuntu 22.04.1 LTS (GNU/Linux 5.15.0-60-generic x86_64)
    Last login: Fri Feb 24 06:46:11 2023 from 10.7.0.168
    root@server2:~#

We were able to make the jumps!

User SSH configuration file

Devices with aliases

Every user can have an SSH client configuration file, ~/.ssh/config, where connection settings for the machines we use are stored so that we do not have to type them every time. It is a plain text file with one keyword and value per line, grouped under Host lines that give each machine an alias; it must not be writable by other users (chmod 600), or ssh will refuse to read it.

    cat ~/.ssh/config

# Read more about SSH config files: https://linux.die.net/man/5/ssh_config
Host 192.168.1.138
HostName 192.168.1.138
User maximo.fernandez

In this file I have saved the user and IP of some devices I connect to often, so I don't have to type everything myself. Let's see it with the servers I have.

My server server1 has the user root and the IP 194.62.99.222, so I add it to the list. Each keyword must go on its own line; if everything were written on one line, ssh would read HostName, the address and User as extra Host patterns and the entry would configure nothing.

    printf 'Host server1\n    HostName 194.62.99.222\n    User root\n' >> ~/.ssh/config

Let's see how the configuration file looks now

    cat ~/.ssh/config

# Read more about SSH config files: https://linux.die.net/man/5/ssh_config
Host 192.168.1.138
HostName 192.168.1.138
User maximo.fernandez
Host server1
HostName 194.62.99.222
User root

Now that it is saved, to connect to server1 we only need to do ssh server1.

    ssh server1

    Welcome to Ubuntu 22.04.1 LTS (GNU/Linux 5.15.0-60-generic x86_64)
    Last login: Fri Feb 24 05:18:59 2023 from 188.127.184.59
    root@server1:~#

Proxy

As we saw, the -D <port> flag turns the connection into a SOCKS proxy. To keep that in the configuration file we only need to add the line DynamicForward <port> to the host we are saving.

Repeating the earlier example in which we use server1 as a proxy on port 9999, the configuration would look like this

Host proxyServer1
          HostName 194.62.99.222
          User root
          DynamicForward 9999

We add it

    printf 'Host proxyServer1\n    HostName 194.62.99.222\n    User root\n    DynamicForward 9999\n' >> ~/.ssh/config

Let's see how the configuration file looks now

    cat ~/.ssh/config

# Read more about SSH config files: https://linux.die.net/man/5/ssh_config
Host 192.168.1.138
HostName 192.168.1.138
User maximo.fernandez
Host server1
HostName 194.62.99.222
User root
Host proxyServer1
HostName 194.62.99.222
User root
DynamicForward 9999

I check my public IP.

    curl ifconfig.me

    188.127.184.59

I connect to the proxy server

    ssh proxyServer1

    Welcome to Ubuntu 22.04.1 LTS (GNU/Linux 5.15.0-60-generic x86_64)
    Last login: Fri Feb 24 05:42:32 2023 from 188.127.184.59
    root@server1:~#

Then I change my computer's proxy settings to use a SOCKS proxy at localhost, port 9999.

[image: proxy ssh]

I look at my public IP again, but through the newly configured proxy

    curl -x socks5h://localhost:9999 ifconfig.me

    194.62.99.222

We see that we get the public IP of the server

SSH tunnel

If, as before, I want a tunnel to server2 through server1, on the command line we had ssh -L <HOST PORT>:<DEST IP>:<TUNNEL PORT> <TUNNEL CREATOR USER>@<TUNNEL CREATOR IP>; in the configuration file the equivalent is the line

    LocalForward <bind address>:<HOST PORT> <DEST IP>:<TUNNEL PORT>

Note the syntax difference: the flag separates all four fields with colons, while the keyword takes two address:port pairs separated by a space. The bind address is optional; 127.0.0.1 keeps the listener private to your computer. So the entry has this shape:

Host tunelToServer2
          HostName <TUNNEL CREATOR IP>
          User <TUNNEL CREATOR USER>
          LocalForward 127.0.0.1:<HOST PORT> <DEST IP>:<TUNNEL PORT>

Let's make it concrete with my servers.

  • server1:
    • public IP: 194.62.99.222.
    • Private IP: 10.7.0.168.
  • server2:
    • public IP: 194.62.99.235.
    • Private IP: 10.7.2.228.

Previously the command was

    ssh -L 2020:10.7.2.228:22 root@194.62.99.222

So the configuration file has to contain

Host tunelToServer2
          HostName 194.62.99.222
          User root
          LocalForward 127.0.0.1:2020 10.7.2.228:22

Let's see if it works. I add the new configuration

    printf 'Host tunelToServer2\n    HostName 194.62.99.222\n    User root\n    LocalForward 127.0.0.1:2020 10.7.2.228:22\n' >> ~/.ssh/config

Let's see what the configuration file looks like

    cat ~/.ssh/config

# Read more about SSH config files: https://linux.die.net/man/5/ssh_config
Host 192.168.1.138
HostName 192.168.1.138
User maximo.fernandez
Host server1
HostName 194.62.99.222
User root
Host proxyServer1
HostName 194.62.99.222
User root
DynamicForward 9999
Host tunelToServer2
HostName 194.62.99.222
User root
LocalForward 127.0.0.1:2020 10.7.2.228:22

We create the tunnel

    ssh tunelToServer2

    Welcome to Ubuntu 22.04.1 LTS (GNU/Linux 5.15.0-60-generic x86_64)
    Last login: Fri Feb 24 06:02:20 2023 from 188.127.184.59
    root@server1:~#

Now we try to connect to server2 from my computer

    ssh -p 2020 root@localhost

    Welcome to Ubuntu 22.04.1 LTS (GNU/Linux 5.15.0-60-generic x86_64)
    Last login: Fri Feb 24 06:02:36 2023 from 10.7.0.168
    root@server2:~#

Success! But we can make everything a bit cleaner by adding this last connection to the configuration file too

    printf 'Host server2ByTunel\n    HostName localhost\n    User root\n    Port 2020\n' >> ~/.ssh/config

Let's see how the configuration file looks now

    cat ~/.ssh/config

# Read more about SSH config files: https://linux.die.net/man/5/ssh_config
Host 192.168.1.138
HostName 192.168.1.138
User maximo.fernandez
Host server1
HostName 194.62.99.222
User root
Host proxyServer1
HostName 194.62.99.222
User root
DynamicForward 9999
Host tunelToServer2
HostName 194.62.99.222
User root
LocalForward 127.0.0.1:2020 10.7.2.228:22
Host server2ByTunel
HostName localhost
User root
Port 2020

Now we connect to server2 from my computer again, through the tunnel, but using the entry we just saved.

    ssh server2ByTunel

    Welcome to Ubuntu 22.04.1 LTS (GNU/Linux 5.15.0-60-generic x86_64)
    Last login: Fri Feb 24 06:13:33 2023 from 10.7.0.168
    root@server2:~#

In summary, with everything we have done, we can create the tunnel to server2 with ssh tunelToServer2 and then connect to server2 with ssh server2ByTunel.

Impressive!

Reverse connection

Remember that the problem now was that we could not reach server2 through the server1 tunnel. By opening a reverse connection from server2 (someone on server2 opens it, or we leave it running before we leave) to a server3, I can connect from my computer to server3 and then from server3 to server2.

The reverse connection from server2 to server3 can be opened with the command

    ssh -R <server3port>:localhost:22 root@<IPserver3>

or saved in server2's configuration file as

Host reverseToServer3
          HostName <IPserver3>
          User root
          RemoteForward <server3port> localhost:22

and then opened with

    ssh reverseToServer3

As with LocalForward, the keyword takes the listening port and the destination address:port separated by a space rather than by colons. With my servers' data

  • server2:
    • public IP: 194.62.99.235.
  • server3:
    • public IP: 194.62.96.236.

the command is

    ssh -R 2020:localhost:22 root@194.62.96.236

or, saved as configuration,

Host reverseToServer3
          HostName 194.62.96.236
          User root
          RemoteForward 2020 localhost:22

and then

    ssh reverseToServer3

So I save the configuration on server2 and open the connection. Note that this runs on server2, so the file is server2's own ~/.ssh/config, not mine.

    root@server2:~# printf 'Host reverseToServer3\n    HostName 194.62.96.236\n    User root\n    RemoteForward 2020 localhost:22\n' >> ~/.ssh/config

Let's check that it has been stored correctly

    root@server2:~# cat ~/.ssh/config

Host reverseToServer3
HostName 194.62.96.236
User root
RemoteForward 2020 localhost:22

I make the reverse connection

    root@server2:~# ssh reverseToServer3

    Welcome to Ubuntu 22.04.1 LTS (GNU/Linux 5.15.0-53-generic x86_64)
    Last login: Wed Feb 22 15:26:18 2023 from 194.62.99.235
    root@server3:~#

Jump

As we said, we jump through hosts with the -J flag, so with ssh -J root@194.62.99.222 root@10.7.2.228 we reach server2.

There are two ways to put this in the configuration file.

The first: since server1 is already saved, we only add server2 (with the private IP that server1 can reach).

Host server2
          HostName 10.7.2.228
          User root

And then we can connect with

    ssh -J server1 server2

Let's try it

    printf 'Host server2\n    HostName 10.7.2.228\n    User root\n' >> ~/.ssh/config

We look at the configuration file

    cat ~/.ssh/config

# Read more about SSH config files: https://linux.die.net/man/5/ssh_config
Host 192.168.1.138
HostName 192.168.1.138
User maximo.fernandez
Host server1
HostName 194.62.99.222
User root
Host proxyServer1
HostName 194.62.99.222
User root
DynamicForward 9999
Host tunelToServer2
HostName 194.62.99.222
User root
LocalForward 127.0.0.1:2020 10.7.2.228:22
Host server2ByTunel
HostName localhost
User root
Port 2020
Host server2
HostName 10.7.2.228
User root

Now we connect using the jump

    ssh -J server1 server2

    Welcome to Ubuntu 22.04.1 LTS (GNU/Linux 5.15.0-60-generic x86_64)
    Last login: Fri Feb 24 12:05:16 2023 from 10.7.0.168
    root@server2:~#

That was the first option: save each server and name the hops on the command line. The second is to store the whole route in a single entry with the ProxyJump keyword, which is exactly what -J sets:

Host server2jumping
          HostName 10.7.2.228
          User root
          ProxyJump root@194.62.99.222

ProxyJump also accepts an alias defined elsewhere in the file (ProxyJump server1) and a comma-separated list for several hops. Then all that is needed is

    ssh server2jumping

Let's try

    printf 'Host server2jumping\n    HostName 10.7.2.228\n    User root\n    ProxyJump root@194.62.99.222\n' >> ~/.ssh/config

Let's look at the configuration file

    cat ~/.ssh/config

# Read more about SSH config files: https://linux.die.net/man/5/ssh_config
Host 192.168.1.138
HostName 192.168.1.138
User maximo.fernandez
Host server1
HostName 194.62.99.222
User root
Host proxyServer1
HostName 194.62.99.222
User root
DynamicForward 9999
Host tunelToServer2
HostName 194.62.99.222
User root
LocalForward 127.0.0.1:2020 10.7.2.228:22
Host server2ByTunel
HostName localhost
User root
Port 2020
Host server2
HostName 10.7.2.228
User root
Host server2jumping
HostName 10.7.2.228
User root
ProxyJump root@194.62.99.222

Now we try to connect

    ssh server2jumping

    Welcome to Ubuntu 22.04.1 LTS (GNU/Linux 5.15.0-60-generic x86_64)
    Last login: Fri Feb 24 12:06:22 2023 from 10.7.0.168
    root@server2:~#
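To see how ssh actually reads this file, here is an added example (written for this page; it is not OpenSSH's parser and only knows the keywords used above) that parses a config laid out like the one we have built, resolves an alias the way ssh does (first value wins, except for the *Forward keywords, which accumulate), and prints the flag-based command each alias is shorthand for. It goes slightly beyond the page by adding a trailing Host * stanza with defaults, which is the usual way to give every machine a fallback User or Port, and it also shows what goes wrong when a whole stanza is written on one line.

```python
"""How ~/.ssh/config is read: a minimal re-implementation for illustration.

Added example, not OpenSSH's parser. It handles only the keywords used on this
page (Host, HostName, User, Port, ProxyJump, LocalForward, RemoteForward,
DynamicForward) and the wildcard patterns * and ?, not negated patterns, Match
blocks or Include. The sample config mirrors the page's entries.
"""
import fnmatch
from typing import Any, Dict, List, Tuple

KEYWORDS = ["Host", "HostName", "User", "Port", "ProxyJump",
            "LocalForward", "RemoteForward", "DynamicForward"]
CANONICAL = {k.lower(): k for k in KEYWORDS}                  # keywords are case-insensitive
MULTI = {"LocalForward", "RemoteForward", "DynamicForward"}   # every value applies
FLAG = {"LocalForward": "-L", "RemoteForward": "-R", "DynamicForward": "-D"}

Stanza = Tuple[List[str], List[Tuple[str, str]]]

SAMPLE_CONFIG = """\
# the page's entries, one keyword per line
Host server1
    HostName 194.62.99.222
    User root

Host tunelToServer2
    HostName 194.62.99.222
    User root
    LocalForward 127.0.0.1:2020 10.7.2.228:22

Host server2jumping
    HostName 10.7.2.228
    User root
    ProxyJump root@194.62.99.222

# defaults for everything else; placed last so the explicit entries above win
Host *
    User maximo.fernandez
    Port 22
"""


def parse(text: str) -> List[Stanza]:
    """Split the file into (host patterns, [(keyword, value), ...]) in file order.
    Options before the first Host line apply to every host."""
    stanzas: List[Stanza] = []
    patterns: List[str] = ["*"]
    options: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = CANONICAL.get(parts[0].lower(), parts[0])
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "Host":
            stanzas.append((patterns, options))
            patterns, options = value.split(), []
        else:
            options.append((keyword, value))
    stanzas.append((patterns, options))
    return stanzas


def resolve(text: str, host: str) -> Dict[str, Any]:
    """Effective options for `ssh host`: walk the stanzas in order; the first
    value seen for a keyword wins, except the *Forward keywords, which collect."""
    effective: Dict[str, Any] = {}
    for patterns, options in parse(text):
        if not any(fnmatch.fnmatchcase(host, p) for p in patterns):
            continue
        for keyword, value in options:
            if keyword in MULTI:
                effective.setdefault(keyword, []).append(value)
            else:
                effective.setdefault(keyword, value)
    effective.setdefault("HostName", host)        # no HostName: the alias is the address
    return effective


def to_command(text: str, host: str) -> List[str]:
    """The flag-based command line that `ssh host` expands to under this config."""
    eff = resolve(text, host)
    argv = ["ssh"]
    if "Port" in eff:
        argv += ["-p", str(eff["Port"])]
    if "ProxyJump" in eff:
        argv += ["-J", str(eff["ProxyJump"])]
    for keyword in ("LocalForward", "RemoteForward", "DynamicForward"):
        for value in eff.get(keyword, []):
            # keyword syntax is "[bind:]port host:port"; the flag joins the fields with ':'
            argv += [FLAG[keyword], ":".join(value.split())]
    target = str(eff["HostName"])
    if "User" in eff:
        target = f"{eff['User']}@{target}"
    argv.append(target)
    return argv


def stanza(alias: str, **options: str) -> str:
    """Render an entry one keyword per line, which is what the file format needs."""
    return "\n".join([f"Host {alias}"] + [f"    {k} {v}" for k, v in options.items()]) + "\n"
```

The real client has the same introspection built in: ssh -G server2jumping prints every effective option for an alias after all stanzas and the system ssh_config have been applied, which is the quickest way to debug an entry that "does nothing". parse("Host server1 HostName 194.62.99.222 User root") is that failure in miniature: the one-line form yields five Host patterns and no options.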

System SSH configuration file

Earlier we saw the user's configuration file, where we saved the machines we connect to. There are also two system-wide files under /etc/ssh: ssh_config, which holds default options for the client (every user's ~/.ssh/config is read first and takes precedence over it), and sshd_config, which configures the server, i.e. how this machine accepts incoming connections. The interesting one from a security point of view is the server's, so let's look at it

    cat /etc/ssh/sshd_config

# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Include /etc/ssh/sshd_config.d/*.conf
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server

With this file we control how the SSH server on our machine behaves. Options are one per line, and the commented lines show the default value of each; to change one, uncomment it and edit the value. For example, there is a commented line that says

#Port 22

If we uncomment it and change the number, sshd will stop listening on port 22, its default, and listen on the port given there (clients then need -p). Two things to keep in mind when editing this file: the Include line at the top is processed first and, for almost every keyword, the first value sshd reads wins, so a file in /etc/ssh/sshd_config.d/ silently overrides whatever you write further down; and a typo can lock you out, so check the file with sshd -t (syntax) or sshd -T (the effective values after all includes) before systemctl restart ssh, and keep your current session open until a new connection works. The settings worth reviewing on any machine exposed to the Internet are PermitRootLogin (the default prohibit-password already rejects root passwords; no is stricter), PasswordAuthentication (no once keys are working, which ends password brute-forcing) and X11Forwarding (no unless you use it).
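As an added example (written for this page, not part of OpenSSH), the following reads an sshd_config the way sshd does, first value wins with Include expanded at the point where it appears, and reports the settings just mentioned. The main file is a trimmed copy of the one above; the include file stands in for what a cloud image might drop into sshd_config.d and is constructed for the demo, so the script takes includes as an in-memory dict instead of reading /etc/ssh.

```python
"""Effective sshd settings and a small audit of the risky ones.

Added example, not OpenSSH code. It reproduces two rules sshd applies: the first
value read for a keyword wins, and Include is expanded where it appears. Only
global settings are considered; everything after the first Match line is
conditional and is skipped. Includes are passed as a dict so it runs offline.
"""
import fnmatch
import re
from typing import Dict, List, Tuple

# Upstream OpenSSH defaults for the keywords we check (sshd -T prints the live ones).
DEFAULTS = {
    "PermitRootLogin": "prohibit-password",
    "PasswordAuthentication": "yes",
    "PermitEmptyPasswords": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "6",
}
CANONICAL = {k.lower(): k for k in list(DEFAULTS) + ["Include", "Match", "Port"]}

# Trimmed copy of the page's Ubuntu file. The Include line comes first, as shipped.
MAIN_CONFIG = """\
Include /etc/ssh/sshd_config.d/*.conf
#Port 22
#PermitRootLogin prohibit-password
PermitRootLogin no
PasswordAuthentication no
X11Forwarding yes
Match User anoncvs
    PasswordAuthentication yes
"""
# Constructed stand-in for a file a cloud image might drop into sshd_config.d.
INCLUDES = {"/etc/ssh/sshd_config.d/50-cloud-init.conf": "PasswordAuthentication yes\n"}

HARDENED = """\
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
X11Forwarding no
MaxAuthTries 3
"""


def _lines(text: str, includes: Dict[str, str]) -> List[Tuple[str, str]]:
    """(keyword, value) pairs with Include expanded in place, files in lexical order."""
    out: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)      # "Keyword value" or "Keyword=value"
        keyword = CANONICAL.get(parts[0].lower(), parts[0])
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "Include":
            for path in sorted(p for p in includes if fnmatch.fnmatch(p, value)):
                out.extend(_lines(includes[path], includes))
        else:
            out.append((keyword, value))
    return out


def effective(text: str, includes: Dict[str, str]) -> Dict[str, str]:
    """Global settings as sshd sees them: first value wins, stop at the first Match."""
    seen: Dict[str, str] = {}
    for keyword, value in _lines(text, includes):
        if keyword == "Match":
            break
        seen.setdefault(keyword, value)
    return seen


def audit(text: str, includes: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Findings as (keyword, effective value, advice) for the settings worth reviewing."""
    eff = effective(text, includes)

    def get(keyword: str) -> str:
        return eff.get(keyword, DEFAULTS[keyword])

    findings: List[Tuple[str, str, str]] = []
    if get("PermitRootLogin") == "yes":
        findings.append(("PermitRootLogin", "yes", "set to no, or prohibit-password if root needs key login"))
    if get("PasswordAuthentication") == "yes":
        findings.append(("PasswordAuthentication", "yes", "set to no once key login works; passwords are what brute-forcers try"))
    if get("PermitEmptyPasswords") == "yes":
        findings.append(("PermitEmptyPasswords", "yes", "set to no"))
    if get("X11Forwarding") == "yes":
        findings.append(("X11Forwarding", "yes", "set to no unless graphical forwarding is used"))
    if int(get("MaxAuthTries")) > 6:
        findings.append(("MaxAuthTries", get("MaxAuthTries"), "lower it to 6 or fewer"))
    return findings
```

audit(MAIN_CONFIG, INCLUDES) flags PasswordAuthentication even though the main file says no, because the included file is read first; audit(MAIN_CONFIG, {}) no longer does. On a real host the authoritative answer is sshd -T (add -C user=...,addr=... to evaluate Match blocks for a particular client), and that is what to compare against after every edit.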

File copying by SSH

We can copy files over SSH using the scp (secure copy) command. The syntax is as follows

scp <path local file> <user>@<IP>:<path to save>

or

scp <user>@<ip>:<path to remote file> <path to save>

The first form copies a file from our computer to another computer, and the second copies a file from another computer to ours.

For example, let's run ls on server1.

!ssh -t server1 "ls"

snap
Connection to 194.62.99.222 closed.

Now let's see what we have locally that we can send to it.

!ls

2021-02-11-Introduccion-a-Python.ipynb html_files
2021-04-23-Calculo-matricial-con-Numpy.ipynb html.ipynb
2021-06-15-Manejo-de-datos-con-Pandas.ipynb introduccion_python
2022-09-12-Introduccion-a-la-terminal.ipynb mi_paquete_de_python
2023-01-22-Docker.ipynb movies.csv
2023-02-01-Bash-scripting.ipynb movies.dat
2023-02-04-Blip-2.ipynb notebooks_translated
2023-XX-XX-SSH.ipynb __pycache__
california_housing_train.csv scripts_bash
command-line-cheat-sheet.pdf ssh.ipynb
CSS.ipynb test.ipynb
'Expresiones regulares.ipynb'

We are going to send the html.ipynb file to the server, since it is small.

!scp html.ipynb server1:/root/

html.ipynb 100% 14KB 229.0KB/s 00:00

Let's look again at what is on server1.

!ssh -t server1 "ls"

html.ipynb snap
Connection to 194.62.99.222 closed.

It has been copied.

Synchronization of files by SSH

The drawback of the scp command is that if something goes wrong in the middle of the copy and the file is not fully transferred, you have to start again from scratch when you retry. This is a real problem with very large files.

To solve this problem you can use rsync. The syntax is

rsync --partial --progress --rsh=ssh <path local file> <user>@<IP>:<path to save>

or

rsync --partial --progress --rsh=ssh <user>@<ip>:<path to remote file> <path to save>

As before, the first form copies a file from our computer to another computer and the second from another computer to ours. The --partial flag keeps partially transferred files, that is, if the copy is interrupted before it finishes, whatever has already been copied is kept so the transfer can be resumed. The --progress flag shows the progress of the copy. The --rsh=ssh flag tells rsync to transfer the file over SSH.

We send a file

!rsync --partial --progress --rsh=ssh 2021-06-15-Manejo-de-datos-con-Pandas.ipynb server1:/root/

sending incremental file list
2021-06-15-Manejo-de-datos-con-Pandas.ipynb
608.34K 100% 197.78MB/s 0:00:00 (xfr#1, to-chk=0/1)

And we check whether it has been copied

!ssh -t server1 "ls"

2021-06-15-Manejo-de-datos-con-Pandas.ipynb html.ipynb snap
Connection to 194.62.99.222 closed.

Mount remote folders locally

If we want to have a folder from another machine available as if it were on our own computer, we have to use sshfs.

First it is necessary to install it with

sudo apt install sshfs

And once it is installed, it is used with the following syntax

sshfs <user>@<ip>:<remote path> <local path to mount>

We are going to mount the /root folder of server1, but first we create a local folder to mount it on

!mkdir server1folder

We can see that there is nothing inside the folder we have just created

!ls server1folder

Now we mount the server folder

!!sshfs server1:/root/ server1folder

Let's look inside again

!ls server1folder

2021-06-15-Manejo-de-datos-con-Pandas.ipynb html.ipynb snap

When we no longer want the folder mounted, we can unmount it with fusermount -u server1folder.

!!fusermount -u server1folder

We look again at what is inside to confirm that it is now empty.

!ls server1folder

Debugging the SSH connection

We can debug the SSH connection by adding -v (up to -vvvv) to the ssh command; the more v's we add, the more detailed the information we get.

!ssh -v server1

OpenSSH_8.2p1 Ubuntu-4ubuntu0.5, OpenSSL 1.1.1f 31 Mar 2020
debug1: Reading configuration data /home/wallabot/.ssh/config
debug1: /home/wallabot/.ssh/config line 6: Applying options for server1
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to 194.62.99.222 [194.62.99.222] port 22.
debug1: Connection established.
debug1: identity file /home/wallabot/.ssh/id_rsa type 0
debug1: identity file /home/wallabot/.ssh/id_rsa-cert type -1
debug1: identity file /home/wallabot/.ssh/id_dsa type -1
debug1: identity file /home/wallabot/.ssh/id_dsa-cert type -1
debug1: identity file /home/wallabot/.ssh/id_ecdsa type -1
debug1: identity file /home/wallabot/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/wallabot/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/wallabot/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/wallabot/.ssh/id_ed25519 type -1
debug1: identity file /home/wallabot/.ssh/id_ed25519-cert type -1
debug1: identity file /home/wallabot/.ssh/id_ed25519_sk type -1
debug1: identity file /home/wallabot/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/wallabot/.ssh/id_xmss type -1
debug1: identity file /home/wallabot/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.9p1 Ubuntu-3
debug1: match: OpenSSH_8.9p1 Ubuntu-3 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 194.62.99.222:22 as 'root'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:jwpQt2a69LQcuvvYPPKL32bBwTi1Je/ZmUdr4zEiD1Y
debug1: Host '194.62.99.222' is known and matches the ECDSA host key.
debug1: Found key in /home/wallabot/.ssh/known_hosts:14
debug1: rekey out after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey in after 134217728 blocks
debug1: Will attempt key: /home/wallabot/.ssh/id_rsa RSA SHA256:ID3HcrbyPBGjFx/qeiJK50eqihLGrpDVu02oRSyKGh4 agent
debug1: Will attempt key: wallabot@wallabot RSA SHA256:Qlq6hXbToInW+efEK666BFT26EeUSpBhzcqxTLrDBpQ agent
debug1: Will attempt key: /home/wallabot/.ssh/id_dsa
debug1: Will attempt key: /home/wallabot/.ssh/id_ecdsa
debug1: Will attempt key: /home/wallabot/.ssh/id_ecdsa_sk
debug1: Will attempt key: /home/wallabot/.ssh/id_ed25519
debug1: Will attempt key: /home/wallabot/.ssh/id_ed25519_sk
debug1: Will attempt key: /home/wallabot/.ssh/id_xmss
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519@openssh.com,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256@openssh.com,webauthn-sk-ecdsa-sha2-nistp256@openssh.com>
debug1: kex_input_ext_info: publickey-hostbound@openssh.com (unrecognised)
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/wallabot/.ssh/id_rsa RSA SHA256:ID3HcrbyPBGjFx/qeiJK50eqihLGrpDVu02oRSyKGh4 agent
debug1: Authentications that can continue: publickey
debug1: Offering public key: wallabot@wallabot RSA SHA256:Qlq6hXbToInW+efEK666BFT26EeUSpBhzcqxTLrDBpQ agent
debug1: Server accepts key: wallabot@wallabot RSA SHA256:Qlq6hXbToInW+efEK666BFT26EeUSpBhzcqxTLrDBpQ agent
debug1: Authentication succeeded (publickey).
Authenticated to 194.62.99.222 ([194.62.99.222]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: network
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Remote: /root/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: Remote: /root/.ssh/authorized_keys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: Sending environment.
debug1: Sending env LANG = es_ES.UTF-8
Welcome to Ubuntu 22.04.1 LTS (GNU/Linux 5.15.0-60-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Fri Feb 24 01:25:10 PM UTC 2023
System load: 0.0
Usage of /: 15.2% of 24.53GB
Memory usage: 34%
Swap usage: 0%
Processes: 89
Users logged in: 0
IPv4 address for eth0: 194.62.99.222
IPv4 address for eth1: 10.7.0.168
IPv6 address for eth2: 2a04:3542:8000:1000:d48a:cbff:fefb:5b1
* Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
just raised the bar for easy, resilient and secure K8s cluster deployment.
https://ubuntu.com/engage/secure-kubernetes-at-the-edge
43 updates can be applied immediately.
To see these additional updates run: apt list --upgradable
Last login: Fri Feb 24 13:10:05 2023 from 188.127.184.59
root@server1:~# ^C
root@server1:~#
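As an added example (not from the original notebook), a shell function that pulls the security-relevant facts out of an ssh -v transcript like the one above: the negotiated host key and its fingerprint, whether that key matched known_hosts, and which method and key completed authentication. It also recognises the failure case where the server's host key no longer matches known_hosts. The transcripts it runs on are constructed from the lines above, and the function names are assumptions.

```shell
# Added example, not from the original notebook: extract the security-relevant
# facts from "ssh -v" output so a transcript can be checked or logged instead of
# read by eye. Assumption: the messages are those of OpenSSH 8.x as shown above;
# other versions may word them differently.

# Usage: audit_ssh_debug < transcript   -> one "field=value" line per finding
audit_ssh_debug() {
    awk '
        /debug1: kex: host key algorithm:/             { hk_alg = $NF }
        /debug1: Server host key:/                     { fp = $NF }
        /is known and matches the .* host key/         { hk_status = "matched_known_hosts" }
        /authenticity of host .* can.t be established/ { hk_status = "unknown_host_first_contact" }
        /REMOTE HOST IDENTIFICATION HAS CHANGED/       { hk_status = "MISMATCH_possible_mitm" }
        /debug1: Server accepts key:/ { accepted = $0; sub(/.*Server accepts key: /, "", accepted) }
        /debug1: Authentication succeeded/ { method = $NF; gsub(/[().]/, "", method) }
        END {
            printf "host_key_algorithm=%s\n", hk_alg
            printf "host_key_fingerprint=%s\n", fp
            printf "host_key_status=%s\n", (hk_status == "" ? "not_seen" : hk_status)
            printf "auth_method=%s\n", (method == "" ? "none" : method)
            printf "accepted_key=%s\n", accepted
        }'
}

# Constructed transcripts, trimmed to the lines that matter. The first mirrors
# the successful session above; the second is what a changed host key looks like
# (the fingerprint in it is a placeholder, not a real key).
GOOD_SESSION="debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:jwpQt2a69LQcuvvYPPKL32bBwTi1Je/ZmUdr4zEiD1Y
debug1: Host '194.62.99.222' is known and matches the ECDSA host key.
debug1: Server accepts key: wallabot@wallabot RSA SHA256:Qlq6hXbToInW+efEK666BFT26EeUSpBhzcqxTLrDBpQ agent
debug1: Authentication succeeded (publickey)."
CHANGED_HOSTKEY_SESSION="debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:PLACEHOLDERfingerprintNOTaREALkey0000000000
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"

# field NAME TRANSCRIPT -> the value of one finding
field() { printf '%s\n' "$2" | audit_ssh_debug | sed -n "s/^$1=//p"; }

printf 'good session host key: %s\n' "$(field host_key_status "$GOOD_SESSION")"             # matched_known_hosts
printf 'changed host key:      %s\n' "$(field host_key_status "$CHANGED_HOSTKEY_SESSION")"  # MISMATCH_possible_mitm
```

A "MISMATCH_possible_mitm" result means the server presented a different host key than the one recorded in known_hosts; the key should be confirmed out of band before the entry is replaced.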
