Accessing ssh servers behind NAT

Create a "config" file in your "~/.ssh" directory with the below contents:

Host server1
  HostKeyAlias server1
  CheckHostIP no
  Port 221

Host server2
  HostKeyAlias server2
  CheckHostIP no
  Port 222

The key is to set CheckHostIP to "no" and use "HostKeyAlias" to specify an alias that should be used instead of the real host name when looking up or saving the host key in the host key database files.

The Port line avoids having to specify the port when connectig.

Connect to corresponding host via:

$ ssh {user}@server1
$ ssh {user}@server2

ssh keygen RSA versus DSA

While generating ssh keys, I usually use RSA type since it can be used to generate 2048 bits key, while DSA is restricted to exactly 1024 bits.

ssh-keygen -t rsa -b 2048

Remote backups with tar over ssh

Below is example of backing up users' home directory to remote host piped via ssh:

tar -cvzf - -C /home {username} | ssh {remotehost} 'cat >/path/to/bak/{username}.tgz'

Speed up SSH

Try setting up ssh client with compression and use arcfour/blowfish encryption instead. Also avoid ipv6 lookup and reuse connections using

Add below to ~/.ssh/config

Host *
Ciphers arcfour,blowfish-cbc
Compression yes
AddressFamily inet
ControlMaster auto
ControlPath ~/.ssh/socket-%r@%h:%p

expect script for ssh password prompt

Below is a sample expect script to handle ssh password prompt should you not get the ssh keys to be working between hosts:

#!/usr/bin/expect -f

set host XXX
set user XXX
set password XXX
set remote_path XXX
set local_path XXX

# disables the timeout, so script waits as long as it takes for the transfer
set timeout -1

# call rsync
spawn rsync -av -e ssh $user@$host:$remote_path $local_path

# avoids that if the output is to large, the earlier bytes won't be fotgotten
match_max 100000

# we're expecting the password prompt, we use a pattern so it can be anything that contains password: or Password
expect  "*?assword:" { send "$password\r"}

# send a newline to make sure we get back to the command line
send -- "\r"

# wait for the end-of-file in the output
expect eof

Verifying SSH Key Fingerprint

If you've been given a public ssh host key and want to verify it before adding it permanently to your ssh known_hosts file:

Get the public ssh key:

$ ssh-keyscan -p 22 -t rsa,dsa {remote_host} > /tmp/

Get the ssh key fingerprint:

$ ssh-keygen -l -f /tmp/

Fix for SSH timeouts on LinkSys WRT54GS wireless router

A recent storm surge killed my Belkin wireless router and was quickly replaced by a LinkSys WRT54GS wireless router. But, for some reason my ssh clients would time out due to inactivity of just a couple minutes. A quick fix was to include the below line in "/etc/ssh/ssh_config":

ServerAliveInterval 60

Incremental snapshot backups via rsync and ssh

In follow-up to the previous post, I am compiling this as a separate post as this solution is been running very stable for a while with quite a few updates and changes...

I will be setting up a back-up of a remote web-host via rsync over ssh and creating the snapshot style backup on the local machine.

The backups are done incremental, only the files that have changed are backed up so there is very less bandwidth used during the backup and also does not cause any load on the server.

These are sliced backups, meaning that you get a full backup of the last 4 days, and the last 4 weeks. So data can be restored for upto a month of back date.

Below is an example listing of backups you would see.

Mar 11 - daily.0
Mar 10 - daily.1
Mar 9 - daily.2
Mar 8 - daily.3
Mar 5 - weekly.0
Feb 27 - weekly.1
Feb 20 - weekly.2
Feb 13 - weekly.3

Each of those is a full snapshot for the particular day/week. The files are all hard-linked and would only require 2 to 3 times the space used on the server. The backups should consist of web, database, email and some of the important server configuration files.

SSH Chroot in ISPConfig Centos-4.6

Below is reference of how I have setup chroot SSH jail for users in CentOS-4.6 with ISPConfig installed replacing the openssh rpm with the one from .

It's easy on ISPConfig as support for chroot SSH is now built in with the control panel, you simply need to get chrootSSH installed and then enable the ssh option located in the config file at "/home/admispconfig/ispconfig/lib/":

$go_info["server"]["ssh_chroot"] = 1;

If you need for the ssh chroot to access additional application, the file "/root/ispconfig/scripts/shell/" which builds the chroot needs to be edited. Also, check and edit the location of mysql socket file.