OpenSSH Tips and Tricks: Beyond Secure Shell



OpenSSH is one of the most vital tools on any Linux system, at least if you ever need to connect to another Linux system. But OpenSSH is capable of doing much more than just providing a secure shell into another system.

Most Linux users already know the bare basics of using OpenSSH. You use ssh to get a secure shell into a remote system, sftp for Secure FTP, and scp for copying files. All well and good.

But OpenSSH can do quite a bit more than many users realize. Let’s take a look at some of the things you can do with OpenSSH and associated tools.

X Forwarding

The -X option is very useful if you’re in a Linux environment and need to run a GUI app from another machine but display it locally. I know many Linux users are familiar with this one, but I’d be remiss not to mention it at all.

Let’s say, for example, that you’re on your laptop in a meeting but need to pull up a few notes from Tomboy that are on your PC. You should be syncing them, but haven’t gotten around to it yet. No worries, you have ssh -X:

ssh -X user@host

That will log you into the target system with X11 forwarding enabled. Of course, X11Forwarding must be set to “yes” on the target system in /etc/ssh/sshd_config or whatever configuration file you’re using for the OpenSSH daemon. Then just run tomboy and you’re good to go.

Note that you can use this on different operating systems as well. For example, if you have X11 installed on Mac OS X, you can run and display Linux apps on your Mac desktop if you use one.

Quick and Dirty SOCKS

It’s very important, when you’re on an unsecured and non-private network, to be careful about threats like Firesheep. One way to protect yourself is to make sure that you’re connecting using SSL/HTTPS rather than sending passwords or other credentials over the Internet unsecured.

But you may not have a choice — or you might just want to avoid a firewall that prevents you from connecting over HTTP, SMTP, etc. In that case, you can use OpenSSH to set up a quick and dirty SOCKS configuration. This will let traffic pass through the SSH connection rather than unprotected through the Starbucks Wi-Fi connection.

Sound difficult? Not at all — it’s just a couple of options on the command line, as a matter of fact:

ssh -ND 9999 user@hostname

Then you configure your client to use localhost as the proxy, port 9999. You can vary the port number, so long as it doesn’t conflict with another service.

This is something I use from time to time when traveling. If you use this for your browser, you’re going to see a slowdown in speeds — so I don’t use the SSH SOCKS proxy unless I need to hit a site that requires privacy. I don’t really care if the other folks in a coffeeshop snoop on me browsing xkcd.
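The proxy is only private if its listener stays on the loopback interface. The following check is an added example, not part of the original article; the function name and the sample listings are constructed for illustration, and it assumes the column layout printed by ss -ltn.

```shell
#!/bin/sh
# Added example: classify who can reach a local SOCKS listener.
# Reads `ss -ltn` style output on stdin; prints loopback, exposed or absent.
socks_listener_scope() {
    port="$1"
    awk -v port="$port" '
        $1 == "LISTEN" {
            addr = $4
            n = match(addr, /:[0-9]+$/)      # position of the final ":port"
            if (n == 0 || substr(addr, n + 1) != port) next
            host = substr(addr, 1, n - 1)
            found = 1
            if (host != "127.0.0.1" && host != "[::1]") exposed = 1
        }
        END {
            if (!found) print "absent"
            else if (exposed) print "exposed"
            else print "loopback"
        }'
}

# Constructed sample: ssh -ND 9999 with default settings.
SAMPLE_DEFAULT='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:9999     0.0.0.0:*
LISTEN 0      128    [::1]:9999         [::]:*'

# Constructed sample: the same port bound to every interface, as happens
# with ssh -g or GatewayPorts yes in the client configuration.
SAMPLE_WILDCARD='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:9999       0.0.0.0:*'

printf '%s\n' "$SAMPLE_DEFAULT"  | socks_listener_scope 9999
printf '%s\n' "$SAMPLE_WILDCARD" | socks_listener_scope 9999

# Naming the bind address pins the listener regardless of configuration:
#   ssh -N -D 127.0.0.1:9999 user@hostname
# Live check:
#   ss -ltn | socks_listener_scope 9999
```

An exposed result means other hosts on the local network can reach the proxy and send traffic through your SSH session.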

OpenSSH can also be used to set up a VPN in a pinch, though it’s not really ideal for doing so compared to something like OpenVPN.

Use Yafc for Better SFTP

I make frequent use of Secure FTP (SFTP) to get files from a remote system or put files up on my server. In fact, even on my home network I use sftp frequently because I can’t be bothered to set up FTP to pass files around.

But the basic sftp client that you get with OpenSSH leaves a bit to be desired. In particular, sftp doesn’t support command line completion, which makes it a pain when you’re navigating via the command line and need to grab a file with a really long, complex name. I’d much rather use tab completion.

Yafc (Yet Another FTP Client) provides this and a bit more than the standard sftp utility. Just grab the yafc package for your distro and then log into your remote system:

yafc -nq sftp://user@host/directory/

Note that you do need to specify the protocol here — because Yafc does support FTP as well.

But even better, Yafc also supports bookmarks and has a more full-featured set of commands at your disposal. For example, you could create a bookmark for your Web server once you’ve logged in and then save it using the bookmark command within yafc. Then run yafc later and simply type open name, where name is the name of the bookmark.

My only hesitation with Yafc is that development seems a bit calcified, with the 1.1.1 release being from 2005. However, it seems to be humming along just fine despite the lack of attention.

SSH Filesystem

Another way to get at files on remote hosts? The SSH Fuse filesystem. This effectively mounts remote filesystems using SSH. It’s a bit complicated, but not bad. Here’s how we do it (it’s easier after the first time):

  1. Make sure you have the sshfs and FUSE packages installed. If you install sshfs on Ubuntu, for instance, it should pull in the necessary packages.
  2. Make sure that the fuse module is loaded. Check using lsmod | grep fuse and if it isn’t loaded, run sudo modprobe fuse.
  3. Make sure you’re in the fuse group. May require a log out and in again. (adduser username fuse or just append your username to the fuse line in /etc/group.)
  4. Now, make sure you have a directory to serve as a local mount point. I usually just use the server name. So I might make a local directory under my home directory called “kang” for a remote server called
  5. To mount the remote filesystem, run: sshfs hostname:/directory localdirectory. For example, I might run: sshfs user@host:/home/jzb/ kang

That’s it. Now you can browse the remote filesystem as if it were local. Naturally, like copying files over SFTP or scp, it’s going to be slower. But this makes remote file management dead easy.
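The checks in steps 2 and 4 can be scripted before the mount is attempted. This is an added example, not part of the original article; the function names and the scratch directory are constructed for illustration. It reads the kernel's filesystem list rather than lsmod, because FUSE compiled into the kernel does not appear as a module.

```shell
#!/bin/sh
# Added example: pre-flight checks before an sshfs mount.

# FUSE may be built into the kernel, in which case lsmod shows nothing;
# the filesystem list covers both cases. $1 overrides the file for testing.
fuse_available() {
    grep -qw 'fuse' "${1:-/proc/filesystems}"
}

# A mount point should be an existing, empty directory you own: mounting
# over a populated directory hides its contents until unmount.
mountpoint_ok() {
    [ -d "$1" ] && [ -O "$1" ] && [ -z "$(ls -A "$1")" ]
}

# Mount only when both checks pass. Unmount later with: fusermount -u DIR
safe_sshfs() {
    remote="$1"; dir="$2"
    fuse_available || { echo "FUSE not available: sudo modprobe fuse" >&2; return 1; }
    mountpoint_ok "$dir" || { echo "$dir is not an empty directory you own" >&2; return 1; }
    sshfs "$remote" "$dir"
}

# Constructed demo data: a scratch tree standing in for real paths.
demo=$(mktemp -d)
printf 'nodev\tproc\n\text4\nnodev\tfuse\n\tfuseblk\n' > "$demo/filesystems"
printf 'nodev\tproc\n\text4\n' > "$demo/filesystems-nofuse"
mkdir "$demo/kang" "$demo/busy"
: > "$demo/busy/notes.txt"

fuse_available "$demo/filesystems" && echo "fuse: available"
fuse_available "$demo/filesystems-nofuse" || echo "fuse: missing"
mountpoint_ok "$demo/kang" && echo "kang: ok to mount"
mountpoint_ok "$demo/busy" || echo "busy: not empty, refusing"
```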

This is, of course, not comprehensive — but a good sampling of what you can do with OpenSSH that isn’t immediately obvious. Happy, and secure, system management!