OpenSSH is the admin's Swiss Army knife for daily remote access. The project provides individual tools that are easy to use and are considered very secure, so they can be filed under Keep It Simple and Secure. But that doesn't mean that everyday life with it is always comfortable. Who hasn't been there: the coveted server sits behind a JumpHost, or you first have to go through a VPN tunnel. Or both.
Now the path to the server has to be adapted, e.g. the VPN tunnel to the customer is being changed over. This is where the tedious loop begins. The customer reports that his side is done and that he has already adjusted his VPN config, but a login attempt via SSH still fails:
- Change your own firewall rules again.
- The next manual login attempt.
- Still does not work.
- Write to the customer.
- The customer gets back to you some time later. Try again.
- Next manual login attempt.
- Nothing happens.
Running a normal ping in a second terminal to simplify the procedure is unfortunately useless here, since a JumpHost sits in between and does not forward the ICMP echo request. Besides, we want to know whether SSH access is possible, not whether a ping gets through. A check on port 22, for example with Netcat, does not help here either. This is where the ssh-tools come into play, which extend the KISS principle to CISS.
Scripts for the OpenSSH client
The ssh-tools are wrapper scripts around the OpenSSH client that make a lot of things more convenient. For the problem described above there is, for example, ssh-ping, which checks whether an SSH server can actually be reached. This even works through JumpHosts, provided that they are set up in the SSH config. You can now concentrate on your VPN, firewall or SSH config in peace and keep an eye on ssh-ping at the same time to see whether the adjustments have taken effect.
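The same kind of check can be sketched with the plain OpenSSH client. This is an added example, not code from the ssh-tools project and not how ssh-ping is implemented; the function names and state words are made up here, the sample stderr lines are constructed, and the matched message wording is an assumption that can differ between OpenSSH versions.

```bash
# classify_probe EXIT_CODE STDERR: map one ssh attempt to a state word.
# The matched strings are OpenSSH client messages; wording can differ
# between versions, so treat the patterns as assumptions to adjust.
classify_probe() {
    if [ "$1" -eq 0 ]; then echo "login-ok"; return 0; fi
    case "$2" in
        *"open failed"*|*"stdio forwarding failed"*)
            # JumpHost accepted us but could not connect onward
            echo "blocked-behind-jumphost" ;;
        *"Connection closed by"*)
            # proxy or server hung up before authentication finished
            echo "closed-during-handshake" ;;
        *"Permission denied"*|*"Host key verification failed"*)
            # an sshd answered: network path, VPN and firewall are fine
            echo "reachable-no-login" ;;
        *"timed out"*|*"Connection refused"*|*"No route to host"*)
            echo "unreachable" ;;
        *"Could not resolve hostname"*)
            echo "dns-failure" ;;
        *)  echo "unknown" ;;
    esac
}

# probe_ssh HOST: one non-interactive attempt. ProxyJump and friends come
# from ~/.ssh/config, so the probe takes the same route as a real login.
probe_ssh() {
    local err rc
    rc=0
    err=$(ssh -o BatchMode=yes -o ConnectTimeout=5 "$1" true 2>&1 >/dev/null) || rc=$?
    classify_probe "$rc" "$err"
}

# watch_ssh HOST [SECONDS]: repeat the probe until an sshd answers.
watch_ssh() {
    local state
    while :; do
        state=$(probe_ssh "$1")
        printf '%s %s %s\n' "$(date +%T)" "$1" "$state"
        case "$state" in login-ok|reachable-*) return 0 ;; esac
        sleep "${2:-10}"
    done
}

# Constructed stderr (not captured from a real host) for a dry run:
demo() {
    classify_probe 255 'channel 0: open failed: connect failed: Connection timed out'
    classify_probe 255 'admin@db01.example: Permission denied (publickey).'
}
```

Running `watch_ssh` with a host alias from the SSH config in a second terminal prints one line per attempt and stops as soon as the target's sshd responds, even if authentication itself is still refused.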
In addition to ssh-ping, there are other tools that sweeten the admin’s life:
- ssh-version: Shows the version of the SSH server
- ssh-diff: Diff a file via SSH
- ssh-facts: Show basic information about the remote system (e.g. which distro is installed)
- ssh-hostkeys: Output the fingerprints of the host keys in various formats
- ssh-keyinfo: Output SSH PublicKeys in different formats (old SSH servers e.g. still write MD5 fingerprints in the syslog)
- ssh-certinfo: Shows whether and for how long SSH certificates (not PublicKeys) are still valid. (This can be used, for example, to monitor whether SSH certificates need to be renewed.)
- ssh-force-password: Forces the password prompt when PubKey authentication is in use (e.g. to test password changes)
The ssh-tools are now packaged for the common distributions, but can also be downloaded and executed directly from GitHub.