An A-Z Index of the Linux BASH command line
alias Create an alias
apropos Search Help manual pages (man -k)
awk Find and Replace text, database sort/validate/indexbreak Exit from a loop
builtin Run a shell builtin
bzip2 Compress or decompress named file(s)
cal Display a calendar
case Conditionally perform a commandcat Display the contents of a file
cd Change Directory
cfdisk Partition table manipulator for Linuxchgrp Change group ownershipchmod Change access permissionschown Change file owner and group
chroot Run a command with a different root directorycksum Print CRC checksum and byte counts
clear Clear terminal screen
cmp Compare two files
comm Compare two sorted files line by line
command Run a command - ignoring shell functions
continue Resume the next iteration of a loopcp Copy one or more files to another locationcron Daemon to execute scheduled commands
crontab Schedule a command to run at a later timecsplit Split a file into context-determined pieces
cut Divide a file into several parts
date Display or change the date & time
dc Desk Calculator
dd Data Dump - Convert and copy a file
ddrescue Data recovery tool
declare Declare variables and give them attributesdf Display free disk spacediff Display the differences between two filesdiff3 Show differences among three files
dig DNS lookup
dir Briefly list directory contents
dircolors Colour setup for `ls'dirname Convert a full pathname to just a path
dirs Display list of remembered directories
du Estimate file space usage
echo Display message on screen
egrep Search file(s) for lines that match an extended expression
eject Eject removable media
enable Enable and disable builtin shell commands
env Environment variables
ethtool Ethernet card settings
eval Evaluate several commands/arguments
exec Execute a command
exit Exit the shell
expand Convert tabs to spaces
export Set an environment variable
expr Evaluate expressions
false Do nothing, unsuccessfully
fdformat Low-level format a floppy disk
fdisk Partition table manipulator for Linux
fgrep Search file(s) for lines that match a fixed string
file Determine file type
find Search for files that meet a desired criteria
fmt Reformat paragraph text
fold Wrap text to fit a specified width.
for Expand words, and execute commands
format Format disks or tapes
free Display memory usage
fsck File system consistency check and repair
ftp File Transfer Protocol
function Define Function Macros
gawk Find and Replace text within file(s)
getopts Parse positional parameters
grep Search file(s) for lines that match a given pattern
groups Print group names a user is in
gzip Compress or decompress named file(s)
hash Remember the full pathname of a name argument
head Output the first part of file(s)history Command History
hostname Print or set system name
id Print user and group id's
if Conditionally perform a command
ifconfig Configure a network interface
import Capture an X server screen and save the image to file
install Copy files and set attributes
join Join lines on a common field
kill Stop a process from running
less Display output one screen at a time
let Perform arithmetic on shell variables
ln Make links between files
local Create variables
locate Find files
logname Print current login name
logout Exit a login shell
look Display lines beginning with a given string
lpc Line printer control program
lpr Off line print
lprint Print a file
lprintd Abort a print job
lprintq List the print queue
lprm Remove jobs from the print queue
ls List information about file(s)
lsof List open files
make Recompile a group of programs
man Help manual
mkdir Create new folder(s)
mkfifo Make FIFOs (named pipes)
mkisofs Create an hybrid ISO9660/JOLIET/HFS filesystem
mknod Make block or character special files
more Display output one screen at a time
mount Mount a file system
mtools Manipulate MS-DOS files
mv Move or rename files or directories
netstat Networking information
nice Set the priority of a command or job
nl Number lines and write files
nohup Run a command immune to hangups
nslookup Query Internet name servers interactively
passwd Modify a user password
paste Merge lines of files
pathchk Check file name portability
ping Test a network connection
popd Restore the previous value of the current directory
pr Prepare files for printing
printcap Printer capability database
printenv Print environment variables
printf Format and print data
ps Process status
pushd Save and then change the current directory
pwd Print Working Directory
quota Display disk usage and limits
quotacheck Scan a file system for disk usage
quotactl Set disk quotas
ram ram disk device
rcp Copy files between two machines.
read read a line from standard input
readonly Mark variables/functions as readonly
remsync Synchronize remote files via email
return Exit a shell function
rm Remove files
rmdir Remove folder(s)
rsync Remote file copy (Synchronize file trees)
screen Terminal window manager
scp Secure copy (remote file copy)
sdiff Merge two files interactively
sed Stream Editor
select Accept keyboard input
seq Print numeric sequences
set Manipulate shell variables and functions
sftp Secure File Transfer Program
shift Shift positional parameters
shopt Shell Options
shutdown Shutdown or restart linux
sleep Delay for a specified time
sort Sort text files
source Run commands from a file `.'
split Split a file into fixed-size pieces
ssh Secure Shell client (remote login program)
strace Trace system calls and signals
su Substitute user identity
sum Print a checksum for a file
symlink Make a new name for a file
sync Synchronize data on disk with memory
tail Output the last part of files
tar Tape ARchiver
tee Redirect output to multiple files
test Evaluate a conditional expression
time Measure Program running time
times User and system times
touch Change file timestamps
top List processes running on the system
traceroute Trace Route to Host
trap Run a command when a signal is set(bourne)
tr Translate, squeeze, and/or delete characters
true Do nothing, successfully
tsort Topological sort
tty Print filename of terminal on stdin
type Describe a command
ulimit Limit user resources
umask Users file creation mask
umount Unmount a device
unalias Remove an alias
uname Print system information
unexpand Convert spaces to tabs
uniq Uniquify files
units Convert units from one scale to another
unset Remove variable or function names
unshar Unpack shell archive scripts
until Execute commands (until error)
useradd Create new user account
usermod Modify user account
users List users currently logged in
uuencode Encode a binary file uudecode Decode a file created by uuencode
v Verbosely list directory contents (`ls -l -b')
vdir Verbosely list directory contents (`ls -l -b')
vi Text Editor
watch Execute/display a program periodically
wc Print byte, word, and line counts
whereis Report all known instances of a command
which Locate a program file in the user's path.
while Execute commands
who Print all usernames currently logged in
whoami Print the current user id and name (`id -un')
Wget Retrieve web pages or files via HTTP, HTTPS or FTP
xargs Execute utility, passing constructed argument list(s)
yes Print a string until interrupted
.period Run commands from a file
### Comment / Remark
Sunday, December 30, 2007
An A-Z Index of the Linux BASH command line
import large mysql dumps via command line
Are you tired by maximum execution time errors, php time out errors or mysql import size error?
Author: Naqi Khan
Do you got BIG Size database dumps and try to import quickly?
Don't worry there is a simple way :)
I am assuming you are logged in as root on your server
# database=db-name-here <>
Suppose your db is in your public_html folder
# database=db-name-here < /home/accountname/public_html/dbdump.sql
And hit enter YOU ARE DONE MY FRIEND :)
Thanks
Author: Naqi Khan
Do you got BIG Size database dumps and try to import quickly?
Don't worry there is a simple way :)
I am assuming you are logged in as root on your server
# database=db-name-here <>
Suppose your db is in your public_html folder
# database=db-name-here < /home/accountname/public_html/dbdump.sql
And hit enter YOU ARE DONE MY FRIEND :)
Thanks
GBs or Tetrabytes data server to server transfer on linux
Are you planning to shift your GBs or Tetra Bytes data to new server with comfort and ease?
Author: Naqi Khan
I am going to discuss with you a simple and quick method:
Here we go:-
On very first step i m going to tell you how to install NCFTP support we have LINUX CENTOS 5 and we are already logged in as root.
Now we use "wget" command to download:
# wget http://centos.osmirror.nl/2.1/final/i386/CentOS/RPMS/ncftp-3.0.3-6.i386.rpm
Author: Naqi Khan
I am going to discuss with you a simple and quick method:
Here we go:-
On very first step i m going to tell you how to install NCFTP support we have LINUX CENTOS 5 and we are already logged in as root.
Now we use "wget" command to download:
# wget http://centos.osmirror.nl/2.1/final/i386/CentOS/RPMS/ncftp-3.0.3-6.i386.rpm
Now we have to install NCFTP:
# rpm --install ncftp-3.0.3-6.i386.rpm
And you are done :)
Now launching NCFTP:
# ncftp -u usernamehere mydomainname.com
(where "-u usernamehere" will be your remote server ftp user & "mydomianname.com" will be your remote server")
Now it will established the connection and prompt you for your password. Type your password and hit enter.
Confirmation messaged will be display on your screen once you LOGGED in.
Suppose you are planning to copy folder "data" from your public_html allyou have to do is:
# cd public_html
# get -R data
And hit enter your DONE it will start transfering your files.
Related & Usefull NCFTP Commands:
ncftpget [options] remote-host "local-directory" "remote-files..."
ncftpget -f login.cfg [options] local-directory "remote-files..."
ncftpget [options] ftp://url.style.host/path/name
ncftpget -c [options] remote-host "remote-file" > stdout
ncftpget -C [options] remote-host "remote-file" "local-path-name"
ncftpget -c [options] ftp://url.style.host/path/name > stdout
OptionsCommand line flags:
-u XX
Use username XX instead of anonymous.
-p XX
Use password XX with the username.
-P XX
Use port number XX instead of the default FTP service port (21).
-j XX
Use account XX in supplement to the username and password (deprecated).
-d XX
Use the file XX for debug logging.
-a
Use ASCII transfer type instead of binary.
-t XX
Timeout after XX seconds.
-v/-V
Do (do not) use progress meters. The default is to use progress meters if the output stream is a TTY.
-f XX
Read the file XX for host, user, and password information.
-c
Read from remote host and write locally to standard out.
-C
Read from remote host and write locally to specified pathname.
-A
Append to local files, instead of overwriting them.
-z/-Z
Do (do not) try to resume transfers. The default is to try to resume (-z).
-E
Use regular (PORT) data connections.
-F
Use passive (PASV) data connections. The default is to use passive, but to fallback to regular if the passive connection fails or times out.
-DD
Delete remote file after successfully downloading it.
-R
Recursive mode; copy whole directory trees.
-T
Do not use automatic on-the-fly TAR mode for downloading whole directory trees. ncftpget uses TAR whenever possible since this usually preserves symbolic links and file permissions. TAR mode can also result in faster transfers for directories containing many small files, since a single data connection can be used rather than an FTP data connection for each small file. The downside to using TAR is that it forces downloading of the whole directory, even if you had previously downloaded a portion of it earlier, so you may want to use this option if you want to resume downloading of a directory.
-r XX
Redial a maximum of XX times until connected to the remote FTP server.
-b
Run in background (by submitting a batch job and then spawning ncftpbatch).
-bb
Similar to -b option, but only submits the batch job. You will need to run ncftpbatch for the batch job to be processed. This is useful if you already have a ncftpbatch process running, or wish to have better control of when batch jobs are processed.
For example,
if you wanted to do background processing of three files all on the same remote server, it is more polite to use just one ncftpbatch process to process the three jobs sequentially, rather than having three ncftpbatch processes open three simultaneous FTP sessions to the same server.
-B XX
Try setting the TCP/IP socket buffer size to XX bytes.
-W XX
Send raw FTP command XX after logging in.
-X XX
Send raw FTP command XX after each file transferred.
-Y XX
Send raw FTP command XX before logging out.
The
-W, -X, and -Y options are useful for advanced users who need to tweak behavior on some servers. For example, users accessing mainframes might need to send some special SITE commands to set blocksize and record format information.
For these options, you can use them multiple times each if you need
to send multiple commands. For the -X option, you can use the cookie %s to expand into the name of the file that was transferred.
-o XX
Set advanced option XX.
This option is used primarily for debugging.
It sets the value of an internal variable to an integer value. An example usage would be: -o useFEAT=0,useCLNT=1 which in this case, disables use of the FEAT command and enables the CLNT command. The available variables include: usePASV, useSIZE, useMDTM, useREST, useNLST_a, useNLST_d, useFEAT, useMLSD, useMLST, useCLNT, useHELP_SITE, useSITE_UTIME, STATfileParamWorks, NLSTfileParamWorks, require20, allowProxyForPORT, doNotGetStartCWD.
What is NCFTP?
What is NCFTP?
NCFTP is an enhanced FTP client that automates many of the login steps necessary with FTP and adds its own special features. To access NCFTP, at the Unix prompt, enter: ncftp
At Indiana University, you can access NCFTP on most UITS shared Unix systems.
When logging into a remote site, NCFTP automatically sends the username and password strings for anonymous access for you. This lets you log in and arrive at the NCFTP prompt ( ncftp> ) with a minimum of typing. If you plan to log in as yourself rather than using anonymous FTP, you can start NCFTP with the -u option to disable the automatic login process.
Most NCFTP commands are identical to the standard FTP commands. The same commands are used for moving files, changing directories, listing directory contents, and so on.
One nice feature of NCFTP is that it displays the current directory path on the remote site at each ncftp> prompt. In addition, NCFTP remembers the last directory you accessed on a site; the next time you log into that site, you will be placed back at that directory automatically.
Name completion for remote hostnames is another feature of NCFTP. For example, if you've logged into the site ftp.skywalker.jedi.com before, the next time you need to access this site, you can just enter: ncftp jedi
NCFTP will then search its database looking for a complete site name that contains the string jedi. If it finds one, then it will go to that site and log you in.
To get a list of NCFTP commands, at the ncftp> prompt, enter a question mark ( ? ).
NCFTP is an enhanced FTP client that automates many of the login steps necessary with FTP and adds its own special features. To access NCFTP, at the Unix prompt, enter: ncftp
At Indiana University, you can access NCFTP on most UITS shared Unix systems.
When logging into a remote site, NCFTP automatically sends the username and password strings for anonymous access for you. This lets you log in and arrive at the NCFTP prompt ( ncftp> ) with a minimum of typing. If you plan to log in as yourself rather than using anonymous FTP, you can start NCFTP with the -u option to disable the automatic login process.
Most NCFTP commands are identical to the standard FTP commands. The same commands are used for moving files, changing directories, listing directory contents, and so on.
One nice feature of NCFTP is that it displays the current directory path on the remote site at each ncftp> prompt. In addition, NCFTP remembers the last directory you accessed on a site; the next time you log into that site, you will be placed back at that directory automatically.
Name completion for remote hostnames is another feature of NCFTP. For example, if you've logged into the site ftp.skywalker.jedi.com before, the next time you need to access this site, you can just enter: ncftp jedi
NCFTP will then search its database looking for a complete site name that contains the string jedi. If it finds one, then it will go to that site and log you in.
To get a list of NCFTP commands, at the ncftp> prompt, enter a question mark ( ? ).
Eleven SSH Tricks
Run remote GUI applications and tunnel any Net connection securely using a free utility that's probably already installed on your system.
SSH is the descendant of rsh and rlogin, which are non-encrypted programs for remote shell logins. Rsh and rlogin, like telnet, have a long lineage but now are outdated and insecure. However, these programs evolved a surprising number of nifty features over two decades of UNIX development, and the best of them made their way into SSH. Following are the 11 tricks I have found useful for squeezing the most power out of SSH.
Installation and Versions
OpenSSH is the most common free version of SSH and is available for virtually all UNIX-like operating systems. It is included by default with Debian, SuSE, Red Hat, Mandrake, Slackware, Caldera and Gentoo Linux, as well as OpenBSD, Cygwin for Windows and Mac OS X. This article is based on OpenSSH, so if you are using some other version, check your documentation before trying these tricks.
X11 Forwarding
You can encrypt X sessions over SSH. Not only is the traffic encrypted, but the DISPLAY environment variable on the remote system is set properly. So, if you are running X on your local computer, your remote X applications magically appear on your local screen.
Turn on X11 forwarding with ssh -X host. You should use X11 forwarding only for remote computers where you trust the administrators. Otherwise, you open yourself up to X11-based attacks.
A nifty trick using X11 forwarding displays images within an xterm window. Run the web browser w3m with the in-line image extension on the remote machine; see the Debian package w3m-img or the RPM w3m-imgdisplay. It uses X11 forwarding to open a borderless window on top of your xterm. If you read your e-mail remotely using SSH and a text-based client, it then is possible to bring up in-line images over the same xterm window.
Config File
SSH looks for the user config file in ~/.ssh/config. A sample might look like: ForwardX11 yes
Protocol 2,1
Using ForwardX11 yes is the same as specifying -X on the command line. The Protocol line tells SSH to try SSH2 first and then fall back to SSH1. If you want to use only SSH2, delete the ,1.
The config file can include sections that take effect only for certain remote hosts by using the Host option. Another useful config file option is User, which specifies the remote user name. If you often log in to a machine with ssh -l remoteuser remotehost or ssh remoteuser@remotehost, you can shorten this by placing the following lines in your config file: Host remotehost
ForwardX11 yes
User remoteuser
Host *
ForwardX11 no
Now, you can type ssh remotehost to log on as user remoteuser with the ForwardX11 option turned on. Otherwise, ForwardX11 is turned off, as recommended above. The asterisk matches all hosts, including hosts already matched in a Host section, but only the first matching option is used. Put specific Host sections before generic sections in your config file.
A system-wide SSH config file, /etc/ssh/ssh_config, also is available. SSH obtains configuration data in the following order: command-line options, user's configuration file and system-wide configuration file. All of the options can be explored by browsing man ssh_config.
Speeding Things Up: Compression and Ciphers
SSH can use gzip compression on any connection. The default compression level is equivalent to approximately 4× compression for text. Compression is a great idea if you are forwarding X sessions on a dial-up or slow network. Turn on compression with ssh -C or put Compression yes in your config file.
Another speed tweak involves changing your encryption cipher. The default cipher on many older systems is triple DES (3DES), which is slower than Blowfish and AES. New versions of OpenSSH default to Blowfish. You can change the cipher to blowfish with ssh -c blowfish.
Cipher changes to your config file depend on whether you are connecting with SSH1 or SSH2. For SSH1, use Cipher blowfish; for SSH2, use: Ciphers blowfish-cbc,aes128-cbc,3des-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
Port Forwarding
Ports are the numbers representing different services on a server; such as port 80 for HTTP and port 110 for POP3. You can find the list of standard port numbers and their services in /etc/services. SSH can translate transparently all traffic from an arbitrary port on your computer to a remote server running SSH. The traffic then can be forwarded by SSH to an arbitrary port on another server. Why would you want to do this? Two reasons: encryption and tunneled connections.
Encryption
Many applications use protocols where passwords and data are sent as clear text. These protocols include POP3, IMAP, SMTP and NNTP. SSH can encrypt these connections transparently. Say your e-mail program normally connects to the POP3 port (110) on mail.example.net. Also, say you can't SSH directly to mail.example.net, but you have a shell login at shell.example.net. You can instruct SSH to encrypt traffic from port 9110 (chosen arbitrarily) on your local computer and send it to port 110 on mail.example.net, using the SSH server at shell.example.net: ssh -L 9110:mail.example.net:110 shell.example.net
That is, send local port 9110 to mail.example.net port 110, over an SSH connection to shell.example.net.
Then, simply tell your e-mail program to connect to port 9110 on localhost. From there, data is encrypted, transmitted to shell.example.net over the SSH port, then decrypted and passed to mail.example.net over port 110. As a neat side effect, as far as the POP3 dæmon on mail.example.net knows, it is accepting traffic from shell.example.net.
Tunneled Connections
SSH can act as a bridge through a firewall whether the firewall is protecting your computer, a remote server or both. All you need is an SSH server exposed to the other side of the firewall. For example, many DSL and cable-modem companies forbid sending e-mail from your own machine over port 25 (SMTP).
Our next example is sending mail to your company's SMTP server through your cable-modem connection. In this example, we use a shell account on the SMTP server, which is named mail.example.net. The SSH command is: ssh -L 9025:mail.example.net:25 mail.example.net
Then, tell your mail transport agent to connect to port 9025 on localhost to send mail. This exercise should look quite similar to the last example; we are tunneling from local port 9025 to mail.example.net port 25 over mail.example.net. As far as the firewall sees, it is passing normal SSH data on the normal SSH port, 22, between you and mail.example.net.
A final example is connecting through an ISP firewall to a mail or news server inside a restricted network. What would this look like? In fact, it would be the same as the first example; mail.example.net can be walled away inside the network, inaccessible to the outside world. All you need is an SSH connection to a server that can see it, such as shell.example.net. Is that neat or what?
Limitations/Refinements to Port Forwarding
If a port is reassigned on a computer (the local port in the examples above), every user of that computer sees the reassigned port. If the local system has multiple users, tunnel only from unused, high-numbered ports to avoid confusion. If you want to forward a privileged local port (lower than 1024), you need to do so as root. Forwarding a lower-numbered port might be useful if a program won't let you change its port, such as standard BSD FTP.
By default, a tunneled local port is accessible only to local users and not by remote connection. However, any user can make the tunneled port available remotely by using the -g option. Again, you can do this to privileged ports only if you are root.
Any user who can log in with SSH can expose any port inside a private network to the outside world using port forwarding. As an administrator, if you allow incoming SSH connections, you're really allowing incoming connections of any kind. You can configure the OpenSSH dæmon to refuse port forwarding with AllowTcpForwarding no, but a determined user can forward anyway.
A config file option is available to forward ports; it is called LocalForward. The first port-forwarding example given above could be written as: Host forwardpop
Hostname shell.example.com
LocalForward 9110 mail.example.com:110
This way, if you type ssh forwardpop you receive the same result as in the first example. This example uses the Host command described above and the HostName command, which specifies a real hostname with which to connect.
Finally, a command similar to LocalForward, called RemoteForward, forwards a port from the computer to which you are connected, to your computer. Please read the ssh_config man pages to find out how.
Piping Binary Data to a Remote Shell
Piping works transparently through SSH to remote shells. Consider: cat myfile ssh user@desktop lpr
tar -cf - source_dir \
ssh user@desktop 'cat > dest.tar'
The first example pipes myfile to lpr running on the machine named desktop. The second example creates a tar file and writes it to the terminal (because the tar file name is specified as dash), which is then piped to the machine named desktop and redirected to a file.
Running Remote Shell Commands
With SSH, you don't need to open an interactive shell if you simply want some output from a remote command, such as: ssh user@host w
This command runs the command w on host as user and displays the result. It can be used to automate commands, such as: perl -e 'foreach $i (1 .. 12) \
{print `ssh server$i "w"`}'
Notice the back-ticks around the SSH command. This uses Perl to call SSH 12 times, each time running the command w on a different remote host, server1 through server12. In addition, you need to enter your password each time SSH makes a connection. However, read on for a way to eliminate the password requirement without sacrificing security.
Authentication
How does SSH authenticate that you should be allowed to connect? Here are some options:
By hostnames only: uses .rhosts file; insecure; disabled by default.
By hostnames and host-key checking.
The S/Key one-time password system.
Kerberos: private-key encryption with time-expired “tickets”.
Smart card.
Password prompt.
Public key.
The most common authentication method is by password prompt, which is how most SSH installations are run out of the box.
However, public key encryption is worth investigating; it is considerably more secure than passwords, and by using it you can do away with all or most of your password typing.
Briefly, public key encryption relies on two keys: a public key to encrypt, which you don't keep secret, and a private key to decrypt, which is kept private on your local computer. The general idea is to run ssh-keygen to generate your keys. Press Return when it asks you for a passphrase. Then copy your public key to the remote computer's authorized_keys file.
The details depend on whether the computer to which you are connecting uses SSH1 or SSH2. For SSH1 type ssh-keygen -t rsa1, and copy ~/.ssh/identity.pub to the end of the file ~/.ssh/authorized_keys on the remote computer. For SSH2, type ssh-keygen -t rsa, and copy ~/.ssh/id_rsa.pub to the end of the file ~/.ssh/authorized_keys on the remote computer. This file might be called ~/.ssh/authorized_keys2, depending on your OpenSSH version. If the first one doesn't work, try the second. The payoff is you can log in without typing a password.
You can use a passphrase that keeps the private key secret on your local computer. The passphrase encrypts the private key using 3DES. At no time is your passphrase or any secret information sent over the network. You still have to enter the passphrase when connecting to a remote computer.
Authentication Agent
You might wonder: if we want to use a passphrase, are we stuck back where we started, typing in a passphrase every time we log in? No. Instead, you can use a passphrase, but type it only once instead of every time you use the private key. To set up this passphrase, execute ssh-agent when you first start your session. Then execute ssh-add, which prompts for your passphrase and stores it in memory, not on disk. From then on, all connections authenticating with your private key use the version in memory, and you won't be asked for a password.
Your distribution may be set up to start ssh-agent when you start X. To see if it's already running, enter ssh-add -L. If the agent is not running already, you need to start it, which you can do by adding it to your .bash_login, logging out and logging back in again.
Authentication Agent Forwarding
If you connect from one server to another using public key authentication, you don't need to run an authentication agent on both. SSH automatically can pass any authentication requests coming from other servers, back to the agent running on your own computer. This way, it never passes your secret key to the remote computer; rather, it performs authentication on your computer and sends the results back to the remote computer.
To set up authentication agent forwarding, simply run ssh -A or add the following line to your config file: ForwardAgent yes
You should use authentication agent forwarding only if you trust the administrators of the remote computer; you risk them using your keys as if they were you. Otherwise, it is quite secure.
Traveling with SSH Java Applet
Many people carry a floppy with PuTTY or another Windows SSH program, in case they need to use an unsecured computer while traveling. This method works if you have the ability to run programs from the floppy drive. You also can download PuTTY from the web site and run it.
Another alternative is putting an SSH Java applet on a web page that you can use from a browser. An excellent Java SSH client is Mindterm, which is free for noncommercial use. You can find it at www.appgate.com/mindterm.
Conclusion
An SSH configuration can go wrong in a few places if you are using these various tricks. You can catch many problems by using ssh -v and watching the output. Of course, none of these tricks is essential to using SSH. Eventually, though, you may encounter situations where you're glad you know them. So give a few of them a try.
Daniel R. Allen (da@coder.com) discovered UNIX courtesy of a 1,200-baud modem, a free local dial-up and a guest account at MIT, back when those things existed. He has been an enthusiastic Linux user since 1995. He is president of Prescient Code Solutions, a software consulting company in Kitchener, Ontario and Ithaca, New York.
SSH is the descendant of rsh and rlogin, which are non-encrypted programs for remote shell logins. Rsh and rlogin, like telnet, have a long lineage but now are outdated and insecure. However, these programs evolved a surprising number of nifty features over two decades of UNIX development, and the best of them made their way into SSH. Following are the 11 tricks I have found useful for squeezing the most power out of SSH.
Installation and Versions
OpenSSH is the most common free version of SSH and is available for virtually all UNIX-like operating systems. It is included by default with Debian, SuSE, Red Hat, Mandrake, Slackware, Caldera and Gentoo Linux, as well as OpenBSD, Cygwin for Windows and Mac OS X. This article is based on OpenSSH, so if you are using some other version, check your documentation before trying these tricks.
X11 Forwarding
You can encrypt X sessions over SSH. Not only is the traffic encrypted, but the DISPLAY environment variable on the remote system is set properly. So, if you are running X on your local computer, your remote X applications magically appear on your local screen.
Turn on X11 forwarding with ssh -X host. You should use X11 forwarding only for remote computers where you trust the administrators. Otherwise, you open yourself up to X11-based attacks.
A nifty trick using X11 forwarding displays images within an xterm window. Run the web browser w3m with the in-line image extension on the remote machine; see the Debian package w3m-img or the RPM w3m-imgdisplay. It uses X11 forwarding to open a borderless window on top of your xterm. If you read your e-mail remotely using SSH and a text-based client, it then is possible to bring up in-line images over the same xterm window.
Config File
SSH looks for the user config file in ~/.ssh/config. A sample might look like: ForwardX11 yes
Protocol 2,1
Using ForwardX11 yes is the same as specifying -X on the command line. The Protocol line tells SSH to try SSH2 first and then fall back to SSH1. If you want to use only SSH2, delete the ,1.
The config file can include sections that take effect only for certain remote hosts by using the Host option. Another useful config file option is User, which specifies the remote user name. If you often log in to a machine with ssh -l remoteuser remotehost or ssh remoteuser@remotehost, you can shorten this by placing the following lines in your config file: Host remotehost
ForwardX11 yes
User remoteuser
Host *
ForwardX11 no
Now, you can type ssh remotehost to log on as user remoteuser with the ForwardX11 option turned on. Otherwise, ForwardX11 is turned off, as recommended above. The asterisk matches all hosts, including hosts already matched in a Host section, but only the first matching option is used. Put specific Host sections before generic sections in your config file.
A system-wide SSH config file, /etc/ssh/ssh_config, also is available. SSH obtains configuration data in the following order: command-line options, user's configuration file and system-wide configuration file. All of the options can be explored by browsing man ssh_config.
Speeding Things Up: Compression and Ciphers
SSH can use gzip compression on any connection. The default compression level is equivalent to approximately 4× compression for text. Compression is a great idea if you are forwarding X sessions on a dial-up or slow network. Turn on compression with ssh -C or put Compression yes in your config file.
Another speed tweak involves changing your encryption cipher. The default cipher on many older systems is triple DES (3DES), which is slower than Blowfish and AES. New versions of OpenSSH default to Blowfish. You can change the cipher to blowfish with ssh -c blowfish.
Cipher changes to your config file depend on whether you are connecting with SSH1 or SSH2. For SSH1, use Cipher blowfish; for SSH2, use: Ciphers blowfish-cbc,aes128-cbc,3des-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
Port Forwarding
Ports are the numbers representing different services on a server; such as port 80 for HTTP and port 110 for POP3. You can find the list of standard port numbers and their services in /etc/services. SSH can translate transparently all traffic from an arbitrary port on your computer to a remote server running SSH. The traffic then can be forwarded by SSH to an arbitrary port on another server. Why would you want to do this? Two reasons: encryption and tunneled connections.
Encryption
Many applications use protocols where passwords and data are sent as clear text. These protocols include POP3, IMAP, SMTP and NNTP. SSH can encrypt these connections transparently. Say your e-mail program normally connects to the POP3 port (110) on mail.example.net. Also, say you can't SSH directly to mail.example.net, but you have a shell login at shell.example.net. You can instruct SSH to encrypt traffic from port 9110 (chosen arbitrarily) on your local computer and send it to port 110 on mail.example.net, using the SSH server at shell.example.net: ssh -L 9110:mail.example.net:110 shell.example.net
That is, send local port 9110 to mail.example.net port 110, over an SSH connection to shell.example.net.
Then, simply tell your e-mail program to connect to port 9110 on localhost. From there, data is encrypted, transmitted to shell.example.net over the SSH port, then decrypted and passed to mail.example.net over port 110. As a neat side effect, as far as the POP3 dæmon on mail.example.net knows, it is accepting traffic from shell.example.net.
Tunneled Connections
SSH can act as a bridge through a firewall whether the firewall is protecting your computer, a remote server or both. All you need is an SSH server exposed to the other side of the firewall. For example, many DSL and cable-modem companies forbid sending e-mail from your own machine over port 25 (SMTP).
Our next example is sending mail to your company's SMTP server through your cable-modem connection. In this example, we use a shell account on the SMTP server, which is named mail.example.net. The SSH command is: ssh -L 9025:mail.example.net:25 mail.example.net
Then, tell your mail transport agent to connect to port 9025 on localhost to send mail. This exercise should look quite similar to the last example; we are tunneling from local port 9025 to mail.example.net port 25 over mail.example.net. As far as the firewall sees, it is passing normal SSH data on the normal SSH port, 22, between you and mail.example.net.
A final example is connecting through an ISP firewall to a mail or news server inside a restricted network. What would this look like? In fact, it would be the same as the first example; mail.example.net can be walled away inside the network, inaccessible to the outside world. All you need is an SSH connection to a server that can see it, such as shell.example.net. Is that neat or what?
Limitations/Refinements to Port Forwarding
If a port is reassigned on a computer (the local port in the examples above), every user of that computer sees the reassigned port. If the local system has multiple users, tunnel only from unused, high-numbered ports to avoid confusion. If you want to forward a privileged local port (lower than 1024), you need to do so as root. Forwarding a lower-numbered port might be useful if a program won't let you change its port, such as standard BSD FTP.
By default, a tunneled local port is accessible only to local users and not by remote connection. However, any user can make the tunneled port available remotely by using the -g option. Again, you can do this to privileged ports only if you are root.
Any user who can log in with SSH can expose any port inside a private network to the outside world using port forwarding. As an administrator, if you allow incoming SSH connections, you're really allowing incoming connections of any kind. You can configure the OpenSSH dæmon to refuse port forwarding with AllowTcpForwarding no, but a determined user can forward anyway.
A config file option is available to forward ports; it is called LocalForward. The first port-forwarding example given above could be written as: Host forwardpop
Hostname shell.example.com
LocalForward 9110 mail.example.com:110
This way, if you type ssh forwardpop you receive the same result as in the first example. This example uses the Host command described above and the HostName command, which specifies a real hostname with which to connect.
Finally, a command similar to LocalForward, called RemoteForward, forwards a port from the computer to which you are connected, to your computer. Please read the ssh_config man pages to find out how.
Piping Binary Data to a Remote Shell
Piping works transparently through SSH to remote shells. Consider: cat myfile ssh user@desktop lpr
tar -cf - source_dir \
ssh user@desktop 'cat > dest.tar'
The first example pipes myfile to lpr running on the machine named desktop. The second example creates a tar file and writes it to the terminal (because the tar file name is specified as dash), which is then piped to the machine named desktop and redirected to a file.
Running Remote Shell Commands
With SSH, you don't need to open an interactive shell if you simply want some output from a remote command, such as: ssh user@host w
This command runs the command w on host as user and displays the result. It can be used to automate commands, such as: perl -e 'foreach $i (1 .. 12) \
{print `ssh server$i "w"`}'
Notice the back-ticks around the SSH command. This uses Perl to call SSH 12 times, each time running the command w on a different remote host, server1 through server12. In addition, you need to enter your password each time SSH makes a connection. However, read on for a way to eliminate the password requirement without sacrificing security.
Authentication
How does SSH authenticate that you should be allowed to connect? Here are some options:
By hostnames only: uses .rhosts file; insecure; disabled by default.
By hostnames and host-key checking.
The S/Key one-time password system.
Kerberos: private-key encryption with time-expired “tickets”.
Smart card.
Password prompt.
Public key.
The most common authentication method is by password prompt, which is how most SSH installations are run out of the box.
However, public key encryption is worth investigating; it is considerably more secure than passwords, and by using it you can do away with all or most of your password typing.
Briefly, public key encryption relies on two keys: a public key to encrypt, which you don't keep secret, and a private key to decrypt, which is kept private on your local computer. The general idea is to run ssh-keygen to generate your keys. Press Return when it asks you for a passphrase. Then copy your public key to the remote computer's authorized_keys file.
The details depend on whether the computer to which you are connecting uses SSH1 or SSH2. For SSH1 type ssh-keygen -t rsa1, and copy ~/.ssh/identity.pub to the end of the file ~/.ssh/authorized_keys on the remote computer. For SSH2, type ssh-keygen -t rsa, and copy ~/.ssh/id_rsa.pub to the end of the file ~/.ssh/authorized_keys on the remote computer. This file might be called ~/.ssh/authorized_keys2, depending on your OpenSSH version. If the first one doesn't work, try the second. The payoff is you can log in without typing a password.
You can use a passphrase that keeps the private key secret on your local computer. The passphrase encrypts the private key using 3DES. At no time is your passphrase or any secret information sent over the network. You still have to enter the passphrase when connecting to a remote computer.
Authentication Agent
You might wonder: if we want to use a passphrase, are we stuck back where we started, typing in a passphrase every time we log in? No. Instead, you can use a passphrase, but type it only once instead of every time you use the private key. To set up this passphrase, execute ssh-agent when you first start your session. Then execute ssh-add, which prompts for your passphrase and stores it in memory, not on disk. From then on, all connections authenticating with your private key use the version in memory, and you won't be asked for a password.
Your distribution may be set up to start ssh-agent when you start X. To see if it's already running, enter ssh-add -L. If the agent is not running already, you need to start it, which you can do by adding it to your .bash_login, logging out and logging back in again.
Authentication Agent Forwarding
If you connect from one server to another using public key authentication, you don't need to run an authentication agent on both. SSH automatically can pass any authentication requests coming from other servers, back to the agent running on your own computer. This way, it never passes your secret key to the remote computer; rather, it performs authentication on your computer and sends the results back to the remote computer.
To set up authentication agent forwarding, simply run ssh -A or add the following line to your config file: ForwardAgent yes
You should use authentication agent forwarding only if you trust the administrators of the remote computer; you risk them using your keys as if they were you. Otherwise, it is quite secure.
Traveling with SSH Java Applet
Many people carry a floppy with PuTTY or another Windows SSH program, in case they need to use an unsecured computer while traveling. This method works if you have the ability to run programs from the floppy drive. You also can download PuTTY from the web site and run it.
Another alternative is putting an SSH Java applet on a web page that you can use from a browser. An excellent Java SSH client is Mindterm, which is free for noncommercial use. You can find it at www.appgate.com/mindterm.
Conclusion
An SSH configuration can go wrong in a few places if you are using these various tricks. You can catch many problems by using ssh -v and watching the output. Of course, none of these tricks is essential to using SSH. Eventually, though, you may encounter situations where you're glad you know them. So give a few of them a try.
Daniel R. Allen (da@coder.com) discovered UNIX courtesy of a 1,200-baud modem, a free local dial-up and a guest account at MIT, back when those things existed. He has been an enthusiastic Linux user since 1995. He is president of Prescient Code Solutions, a software consulting company in Kitchener, Ontario and Ithaca, New York.
Why Linux?
Author: michuk
Microsoft has reached an enormous success with its Windows product during the last decade and practically monopolized the market for home computer operating systems. But, does it mean Windows is still the best OS around, especially for power users?
No, it’s not. At least not always. And on this page you are going to see why.
Summary
If we draw a comparison between the two operating systems considering licensing, selling, and upgrading models, and if we add the supreme configurability (resulting from the system’s philosophy), and a low pricing then it will appear the GNU/Linux is decidedly more user friendly in terms of software then any other system existing on the market at present (perhaps apart from niche systems like GNU/Hurd and Haiku). Microsoft Windows systems are still dug in on the other pole with their restricted licensing allowing users to — at the most — conditionally run the systems (not even in every case) and their applications.
By friendliness we mean something more general that the ease-of-use and availability of applications! It is about not constraining the users but granting them full freedom to exert their rights to use software in their own way. It is about a freedom of choice — the possibility to use any window manager, any file system, and any package system the user wants to choose, about the possibility to work in a console or GUI environment, locally or remotely. It’s all about the security schema, well designed and overt, instead of “security by obscurity” model which has been compromised over and over. Do the users need such freedom? Certainly 90% PC users will do well without it. For the remaining 10%, including me, the GNU/Linux systems have appeared to be the only solution.
Read 10 reasons to choose Linux
Security — why are the default security settings of Windows XP so bad?
Desktop usability — what is wrong with Windows’ usability and how it is corrected in GNU/Linux desktops?
— ok, you thought it can’t be easier than double-clicking the setup.exe file? Think again!
Upgrading — ever thought that upgrading your system and all its appliactions could be as executing one single command? No? Well, GNU/Linux is exactly this way.
System crashes — every desktop crashes, but how to get over it?
Performance — is Linux really that much faster than Windows? Well… it is.
The power of console — learn how to improve your productivity by using the terminal
Remote access in GNU/Linux — how to connect remotely to your Linux box
Philosophy and licencing of Linux — how does it differ from the proprietary software?
Cost and TCO of Linux — what is cheaper — Linux or Windows?
If this does not convince you, please visit the website Get GNU/Linux for further reading about the Windows licencing, monopoly and the cool features of GNU/Linux operating system. They do it even better than us
Subscribe to:
Posts (Atom)