SSHFP records are a defense against people blindly typing ‘yes’ when asked if they want to continue connecting to an SSH host who’s authenticity is unknown.

$ ssh some.host.tld
The authenticity of host 'some.host.tld (123.456.789.10)' can't be established.
ED25519 key fingerprint is 69:76:51:39:a4:c6:de:15:7c:50:4b:4a:a7:98:40:5e.
Are you sure you want to continue connecting (yes/no)?

This prompt is likely to be extremely familiar to you and, most people seem to just type ‘yes’ to move on with their lives, which defeats the whole purpose of this prompt.

If you use DNSSEC you can bypass this prompt entirely by publishing your server’s key fingerprints via DNS and having SSH authenticate them for you.

Generating your SSHFP record

You can get SSH to generate the DNS records for you, log in …

24 hours of SSH attacks against a single server, visualised on a world map using Python.

When a country stays lit up for more than 1 tick of the clock in the left hand corner it means that multiple attacks are happening from different IP addresses. An attacker is banned after;

  • 1 failed root login,
  • 3 failed user logins (including invalid users) and
  • 3 failed system logins.

Quite a simple one:

ssh -f USER@INTERMEDIATE_DEVICE -L LOCAL_PORT:DESTINATION_DEVICE:DESTINATION_PORT -N

-f tells ssh to go to background -L binds a local port to a remote device and port -N tells ssh not to execute any commands

So use this to tunnel from local port 8000 in to a remote machine on port 22 you’d use

ssh -f user@server.test.com -L 8000:server.destination.com:22 -N

Once the tunnel is open you can use the following to ssh or scp data around

ssh localhost -p 8000
scp -P 8000 /path/to/local/file user@localhost:~
scp -P 8000 user@localhost:/path/to/remote/file .

I use ssh tunnels all the time to remote access and use one of our Solr servers that is blocked behind a firewall.

First we need to install sshfs.

sudo apt-get install sshfs fuse-utils

Now we make a mount point, I’m going to use a directory in my home directory for this.

mkdir ~/remote-content

And now we simply mount our remote directory to it.

sshfs user@host:/path/to/location ~/remote-content

It’s as simple as that.

Today I finally got round to setting up my local user ssh config on my new work laptop and figured I’d do a quick write up on it and it’s uses.

You can create a configuration file in your home directory that will override the options set in your machine-wide config.

Your configuration files

Your local config can be found/created in:

~/.ssh/config

And your machine-wide configuration is in:

/etc/ssh/ssh_config

Rather than editing my ssh config across my whole machine I’m doing it for my local user specifically.

Reading the man page for ssh_config will give you a full list of available options, below I will outline several that I use and find very useful.

Your host definitions

First things first, we need to define a host.

Host host.domain.com

Each host you add to your config will need to have a host …