SSH

From DreamHost

SSH, or Secure SHell, is a secure alternative to telnet. SSH can be used to securely copy files and to access CVS or SVN, cron jobs, and other DreamHost services via the standard Unix command line, also known as the shell. All SSH traffic travels over a secured connection rather than in plain text as with telnet. It is strongly recommended that you use SSH rather than telnet.

Note: Before being able to log into SSH, one must enable SSH on that account. It's a fairly easy process that's detailed in the Enabling Shell Access article. After enabling, your SSH login will be: ssh username@server.dreamhost.com

Contents

  • 1 DreamHost SSH Server Software
  • 2 SSH Client Software
    • 2.1 Mac OS X
    • 2.2 Unix/Linux
    • 2.3 Windows
    • 2.4 Chrome
    • 2.5 Java
    • 2.6 iPhone
    • 2.7 Android
  • 3 Passwordless Login
    • 3.1 Unix, Linux, Mac OS X, and Cygwin
    • 3.2 By hand
      • 3.2.1 Single Password Logon
    • 3.3 Windows PuTTY
  • 4 Common Tasks in SSH
    • 4.1 Decompress ZIP Archives - Upload a gazillion files at once - Mini Windows/SSH/Putty tutorial
    • 4.2 Check if your files are correctly uploaded (check for file integrity)
    • 4.3 ZIP All Files In A Folder
  • 5 Troubleshooting
    • 5.1 Directory/filenames which contain non-english/Asian characters show up as ?????? or are corrupt
    • 5.2 Server unexpectedly closed network connection
    • 5.3 [User] is not in the sudoers group.
    • 5.4 Idle connections are getting dropped
    • 5.5 Killed
    • 5.6 Slow SSH Login
  • 6 External Links

DreamHost SSH Server Software

DreamHost uses OpenSSH software on the server end. It offers some great features for managing user rights and access, as described in this sample chapter of O'Reilly's guide to SSH.

SSH Client Software

Windows is the only commonly-used operating system that does not include a native SSH client. Windows users need to download SSH software separately (see below). Mac OS X and UNIX/Linux users can run the SSH client from any terminal application. To do this, open your terminal, enter ssh in the command line and hit enter.

Mac OS X

Mac OS X users can find Terminal at /Applications/Utilities/Terminal.app. Once in a terminal session, follow the instructions under Unix/Linux to initiate a secure shell.

Unix/Linux

Most distributions of UNIX/Linux come with the OpenSSH package. Any terminal application (xterm, Konsole, etc.) can be used to initiate a secure shell:

ssh username@yourdomain.com

Windows

Every Windows SSH client has its own way of being installed and launched, unlike the Unix ssh command, but once you've set it up there is no difference in further operations. However, each client is suited to specific (or general) needs; you might like to try them all to see what suits your fancy. Take your pick:

  • Free: PuTTY
  • Free: WinSCP is an open source free SFTP client for Windows using SSH. Quite easy to use, with a shell-like interface, and can be scripted.
  • Commercial: CWRSYNC is a packaging of rsync and the ssh client with the required cygwin libraries for Windows. It runs on all versions of Windows. Very easy to set up & doesn't need a full cygwin setup.
  • Commercial: SmartFTP
  • Commercial: SecureCRT
  • Commercial: SftpDrive adds SFTP support to Windows Explorer and all Windows applications.
  • Commercial: ZOC Terminal (also available for OS X).

And from LinuxMafia.com we have a very thorough list of most of the SSH clients for the Win32 platform:

  • Other: SSH Clients for Win32 (excellent list, really.)


Note: some of the SSH-based (SSH.com) clients have problems with the Backspace and Delete (and sometimes Home and End) keys.

This seems to be a Linux anomaly more than anything else (in bash, xterm, and vt100), but the workaround is as follows (note that PuTTY isn't affected, but SecureCRT, F-Secure, and SSH, etc. are):

1. Once installed, configure your settings as you like, then locate the key mapping feature of your client.

2. Map your delete, home, and end keys as strings, using the following values (no quotes):

  • Delete: \033[3~
  • Home: \033[1~
  • End: \033[4~


Keep in mind that this is universal for all sites through that particular client - remote access or using another client won't be affected. However, for remote access, use something like PuTTY and your worries are gone.

--Lordkelmain 01:10, 26 Oct 2006 (PDT)


Another method you can use to get your SSH terminal behaving as you want it to is to create a .inputrc file in your home folder (E.G. "cd ~" will take you to your home folder). The .inputrc can hold definitions of standard key mappings. I use the following in mine to enable functionality for the home, end, page up, page down, del, and other keys:

"\e[1~": beginning-of-line
"\e[4~": end-of-line
"\e[5~": beginning-of-history
"\e[6~": end-of-history
"\e[3~": delete-char
"\e[2~": quoted-insert
"\e[5C": forward-word
"\e[5D": backward-word
"\e\e[C": forward-word
"\e\e[D": backward-word

This configuration will be specific to your login user and will work from any machine you SSH into the box from without requiring you to configure your client.

Gaarai 12:21, 10 September 2007 (PDT)

Chrome

Secure Shell is an xterm-compatible terminal emulator and stand-alone ssh client for Chrome. It uses Native-Client to connect directly to ssh servers without the need for external proxies.

Secure Shell is a Beta release and has known bugs.

JHeckman (talk) 19:36, 4 January 2013 (PST)

Java

Mindterm from Appgate is a Java-based SSH client that can be embedded into your site. This will enable you to have shell access to any SSH host from any PC with a Java-capable web browser. Mindterm is free for personal use and can be downloaded from here

iPhone

An excellent SSH app for iPhone and iPad is Prompt, by Panic. All the functionality of Prompt is also included in their iPad app for making quick edits to websites, Diet Coda.

Android

ConnectBot is an SSH application available for free on the Android Market. You can use it to access SSH, Telnet, and local protocols. It should probably work for FTP as well.

If you use ConnectBot, it is highly recommended that your device have a keyboard and a trackball. The T-Mobile G1 is ideal, but the Motorola Droid is perfect for this application since it has a control pad instead of a trackball.

There are a few things you may want to remember when inputting data on ConnectBot.

To input some keys, you need to use the following commands.

  • CTRL: Press the track ball once. The cursor will indicate this state with a < symbol. Follow up this command with the key you plan on using with the CTRL character.
  • ESC: Press the track ball twice.
  • SHIFT: Press the Shift key. The triangle outline will appear on the top part of the cursor indicating it has been pressed.
  • CAPS LOCK (a.k.a. Shift Lock): Press the Shift key twice. The solid triangle will appear on the top part of the cursor indicating it has been pressed. Pressing Shift again disables it.
  • ALT: Press the Alt key. The triangle outline will appear on the bottom part of the cursor indicating it has been pressed.
  • ALT LOCK: Press the Alt key twice. The solid triangle will appear on the bottom part of the cursor indicating it has been pressed. Pressing Alt again disables it.
  • TAB: CTRL+I
  • Function keys (F1 through F10): Hold down the Shift key and press numbers 1 through 0 to send F1 through F10 respectively.
  • Page Up and Page Down: Using screen gestures, swipe up and down on the screen respectively.
  • Arrow Keys: Move the trackball in the proper direction or press the appropriate directional key on the control pad.
  • Backslash (\): SHIFT+ALT+/
  • Backtick/Accent Mark (`): SHIFT+ALT+1 if you put it over a character. SHIFT+ALT+L for the character itself.
  • Square Brackets ([ ]): SHIFT+ALT+O and SHIFT+ALT+P, respectively.
  • Curly Braces ({ }): SHIFT+ALT+H and SHIFT+ALT+J, respectively.
  • Vertical Pipe (|): SHIFT+ALT+, (comma)
  • Tilde (~): SHIFT+ALT+N if you put it over a character. SHIFT+ALT+K for the character

The best way to find out where the other characters are is to experiment with the SHIFT+ALT command. YMMV.

Passwordless Login

Unix, Linux, Mac OS X, and Cygwin

Users can set up SSH so that they have passwordless ssh access to DreamHost servers. (Please read 'Single Password Logon' for security concerns.)

On your home computer, you must generate an RSA (or DSA) key pair using ssh-keygen (unless you already have one):

ssh-keygen -t rsa

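It will prompt you for three things (the key file location, then a passphrase twice); hit Enter to accept the default on all three. Accepting the defaults leaves the private key without a passphrase.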

Next, you must copy your public key to DreamHost's server; easiest is to use ssh-copy-id. Replace user and example.com with your username and domain name, respectively.

ssh-copy-id -i ~/.ssh/id_rsa.pub user@example.com

You will then be prompted for your SSH password. This will copy your key to user@example.com:~/.ssh/authorized_keys automatically.

Note: Mac OS X does not support ssh-copy-id. If your home computer does not support ssh-copy-id, then the following will do the same thing by hand.

This one-line command should get everything all set up in one go:

([ -f ~/.ssh/id_rsa.pub ] || ssh-keygen -t rsa ) && (ssh user@example.com "([ -d ~/.ssh ]||mkdir -m 700 ~/.ssh) && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys" < ~/.ssh/id_rsa.pub)

By hand

Copy the public key you generated using ssh-keygen (see above) to the server:

scp ~/.ssh/id_rsa.pub user@example.com:~/

SSH to the machine you wish to connect to.

ssh user@example.com

Now append the public key to your authorized keys file and delete the file you uploaded:

mkdir -p .ssh
cat id_rsa.pub >> .ssh/authorized_keys
rm id_rsa.pub

Now make sure permissions are set properly for all necessary files and directories:

chmod go-w ~
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

If everything is configured properly, you should be able to access your DreamHost account through SSH without a password now!

For more information, see the man pages for ssh, ssh-keygen, ssh-copy-id, and sshd. “Getting started with SSH” is a step-by-step tutorial which you may find helpful.

Note that permissions on your home directory may get messed up if you use rsync with the home directory itself as a target, which is not uncommon for Personal Backup users – see Personal Backup#Automated Backups on how to fix this.
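The permission requirements from the "By hand" steps can be re-checked at any time, for example after an rsync run has touched the home directory. The script below is an added example, not part of the original page or DreamHost's tooling; the function names perm_bits and audit_ssh_perms are hypothetical, and the demo directory is constructed.

```shell
#!/bin/sh
# Added example (not DreamHost's code): check that a home directory,
# its .ssh directory and authorized_keys carry the modes set by the
# chmod commands above (go-w on ~, 700 on ~/.ssh, 600 on the key file).

# perm_bits PATH -> the nine permission characters, e.g. "rwx------"
perm_bits() {
    ls -ld "$1" 2>/dev/null | cut -c2-10
}

# audit_ssh_perms HOME_DIR
# Prints one line per finding; returns 0 when clean, 1 otherwise.
audit_ssh_perms() {
    home=$1
    rc=0

    # ~ must not be writable by group or others.
    bits=$(perm_bits "$home")
    gw=$(printf '%s' "$bits" | cut -c5)
    ow=$(printf '%s' "$bits" | cut -c8)
    if [ "$gw" = "w" ] || [ "$ow" = "w" ]; then
        echo "FIX: chmod go-w $home (mode is $bits)"
        rc=1
    fi

    # ~/.ssh and authorized_keys must grant nothing to group or others.
    for entry in "700 $home/.ssh" "600 $home/.ssh/authorized_keys"; do
        want=${entry%% *}
        path=${entry#* }
        if [ ! -e "$path" ]; then
            echo "MISSING: $path"
            rc=1
            continue
        fi
        bits=$(perm_bits "$path")
        if [ "$(printf '%s' "$bits" | cut -c4-9)" != "------" ]; then
            echo "FIX: chmod $want $path (mode is $bits)"
            rc=1
        fi
    done
    return $rc
}

# Constructed demo: a throwaway "home" with deliberately loose modes.
demo=$(mktemp -d)
mkdir "$demo/.ssh"
: > "$demo/.ssh/authorized_keys"
chmod 777 "$demo"; chmod 755 "$demo/.ssh"; chmod 644 "$demo/.ssh/authorized_keys"
audit_ssh_perms "$demo" || echo "-> findings above"
chmod go-w "$demo"; chmod 700 "$demo/.ssh"; chmod 600 "$demo/.ssh/authorized_keys"
audit_ssh_perms "$demo" && echo "-> clean"
rm -rf "$demo"
```

On the server, run audit_ssh_perms "$HOME" after logging in; each FIX line names the chmod command from the steps above that restores the expected mode.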

Single Password Logon

For the security minded, when you run ssh-keygen -t rsa it asks for a password. If you provide one, you will be asked for it in the future. Add the following lines to your .bash_profile or .profile. It will only ask you for the password once per logon-session on the local machine, and subsequent SSH connections will be 'free'.

For Cygwin:

#use existing ssh-agent if possible
if [ -f ${HOME}/.ssh-agent ]; then
   . ${HOME}/.ssh-agent > /dev/null
fi
if [ -z "$SSH_AGENT_PID" -o -z "`/usr/bin/ps -a|/usr/bin/egrep \"^[ ]+$SSH_AGENT_PID\"`" ]; then
   /usr/bin/ssh-agent > ${HOME}/.ssh-agent
   . ${HOME}/.ssh-agent > /dev/null
fi


For Unix or Linux, try the scripts on this site: Using SSH-Agent

Some systems come with this pre-configured for you!

Please note: The above block only starts the ssh-agent, it will not use a key or store the passphrase until you type

ssh-add ~/.ssh/id_rsa

You will then be prompted for the passphrase, which will be remembered for the rest of your session. I just added the line above to the block within my .bash_profile. That way when I first open my cygwin console I am asked for the password, but never again!

Windows PuTTY

Good instructions on how to setup PuTTY can be found at:

  • Secure Linux/Unix access with PuTTY and OpenSSH - Steve Friedl
  • Configuring PuTTY - HTML Manual Chapter 4 (sgtatham)

Generate a new key with the PuTTYgen app:

  • Select the SSH2-RSA option (Although SSH2-DSA will work, it has an intrinsic weakness.)
  • Save both the public and the private key somewhere on your computer where you can find them (named key.pub and key.ppk, for instance)

Upload the public key to your Dreamhost home directory. After you've generated the key and copied it to the server, you'll need to import and append the key to authorized_keys with the following command. Use >> instead of > to append to the file instead of overwriting the contents. (If the directory ~/.ssh does not already exist use an FTP program, such as FileZilla, to create it. Make sure to enable FileZilla to show hidden files (Server > Force showing hidden files)).

 ssh-keygen -i -f key.pub >> ~/.ssh/authorized_keys
 chmod go-rwx ~/.ssh ~/.ssh/authorized_keys
 rm key.pub

Now that the public key sits on the server (protected from access by others), you can log out and start PuTTY. Make a new connection:

  • In Connection/Data, add your DreamHost username
  • In Connection/SSH/Auth, browse to your private key file (key.ppk)
  • Go back to Sessions, give your DreamHost machine host name (abc.dreamhost.com), name the session, and click Save to save it

Now, we are going to tell Pageant to authenticate automatically. The PuTTY manual says: "Pageant is an SSH authentication agent. It holds your private keys in memory, already decoded, so that you can use them often without needing to type a passphrase.". Fire up Pageant, and:

  • Click Add Key
  • Select your private key file

Now you can double-click the new PuTTY entry to log in, and since Pageant authenticates you in the background, you'll see something like:

 Using username "olleolleolle".
 Authenticating with public key "dsa-key-20060719" from agent
 Linux rossmore 2.4.32-grsec+f6b+gr217+nfs+a32+fuse23+++opt+c6+gr2b-v6.192 #1 SMP Wed Dec 14 17:06:16 PST 2005 i686 GNU/Linux

NOTE: If the PuTTY console responds with "Server Refused Our Key," this may indicate the public key PuTTY generated is not in a form the remote system recognizes or can use to authenticate your access. Refer to: www.walkernews.net/2009/03/22/how-to-fix-server-refused-our-key-error-that-caused-by-putty-generated-rsa-public-key/ for instructions on how to edit the public key file to a format the remote server recognizes.

Common Tasks in SSH

Decompress ZIP Archives - Upload a gazillion files at once - Mini Windows/SSH/Putty tutorial

I won't pretend to be an expert, but I thought I'd save the next person the grief of going through the dramas again. Those who are not entirely comfortable with the *nix world may be a bit intimidated by the 'features' of dreamhost;) Hopefully this will be of help to someone.

With a combination of your favourite FTP client, any tool that can create ZIP files, and Putty, you can upload your entire site in ZIP format and decompress it using Putty. I'm writing this from a Windows mindset but this will also work with other OSs using comparable tools.

First, ZIP up your site, maintaining the directory structure you want, and FTP it to the directory (the sub/domain you've set up in panel) you want the site decompressed to. Using a GUI FTP client so you can see the structure I find to be the easiest. So you don't get lost, keep the FTP client window open to use as a road map.

Now run Putty, enter the domain and use your FTP login and password to get in.

You will now have the [server]$ prompt, with [server] being the name of your server eg [goober]$. Now type the following.

 [server]$ ls

You should see a list of your directory/sub/domains.

Now type

 [server]$ cd subdomain.name.com

to [C]hange [D]irectory, except obviously use the name of the directory you want rather than 'subdomain.name.com' :P

Now do...

 [server]$ ls

again. You should see the name of the ZIP file you uploaded

 [server]$ ls
 filename.zip

Type

 [server]$ unzip filename.zip

(again, use your OWN file name)

The cursor will drop to the next line and depending on how many files are in the zip, it might take a while to pop up the [server]$ prompt again. Be patient. When it does you will have all your files beautifully decompressed, exactly where you want them ;)

You can use your FTP client to check.

Just as a note: depending on what you have done prior to this you might get some warnings. I'll leave these to your creativity. Use your noodle. Try typing unzip -h to get the list of switches. Hopefully you'll get around it.

Good Luck and Enjoy!

Check if your files are correctly uploaded (check for file integrity)

If you have to upload some large files to the server you might want to check they are correctly uploaded with no errors. To do that, just create an MD5 file and upload it to the server, in the same folder as the files you want to check (an MD5 file is a plain text file that contains checksums of your files so their integrity can be verified afterwards; to create it you can use any MD5 tool, like wxChecksums).

Once you have your MD5 file uploaded, go to your directory with "cd":

 cd xxxxxxx.yourdomain.com/yourdirectory

Then type this to verify all files with the uploaded MD5:

 md5sum -v -c yourfile.md5

After a few seconds, you'll start seeing a list of the files with an "OK" mark at the end of each line if the file is correct, or "FAILED" if the file is not correct (the upload went wrong).

-- OMA

ZIP All Files In A Folder

Let's imagine that you have a Folder named "Images" and that you want all the files and subfolders and files within subfolders to be zipped up in a single file for whatever purpose.

 zip -r images_backup Images

This will create a file named "images_backup.zip" in the current folder containing everything that was in the "Images" folder.

You can use the maximum compression setting in tandem with this by using:

 zip -9 -r images_backup Images

Troubleshooting

Directory/filenames which contain non-english/Asian characters show up as ?????? or are corrupt

If your filenames do not show up correctly, which also prevents you from creating new files or directories with their correct names via the shell, add the following to your .bash_profile file to enable UTF-8 support:

export LC_ALL=en_US.UTF-8
export LANG=en_US.UTF-8
export LANGUAGE=en_US.UTF-8
export G_FILENAME_ENCODING=UTF-8

Server unexpectedly closed network connection

If you get this error when attempting to SSH (or SFTP/SCP), this can mean your IP has been blocked due to an excessive number of failed login attempts. You will get no notice that this has happened. Contact support and they will remove the block and whitelist your IP address. If you don't know your IP, visit whatismyipaddress.com.

[User] is not in the sudoers group.

Dreamhost does not allow sudo access on shared servers for security purposes, so the sudo command is not available. While many tasks can be accomplished without the use of sudo, if you do need sudo access, you may wish to check out DreamHost PS, where you get full root access!

Idle connections are getting dropped

Dreamhost and other ISPs may kill ssh connections that remain idle longer than a certain number of minutes. The fix is simple: set up keep-alive by editing /etc/ssh/ssh_config or ~/.ssh/config and adding this:

 Host *
     ServerAliveInterval 15
     ServerAliveCountMax 4

Now the ssh client will ask the server for a sign of life every 15 seconds thus keeping the connection open. As an added bonus, if the server fails to respond 4 times in a row the client gives up and closes the connection itself.

(credit: [1] )

Killed

Running processes via SSH that consume large quantities of memory and/or processor power may lead them to be "Killed" - See Killed

Slow SSH Login

Try to login with:

ssh yourusername@yourdomain.com -v

If the connection stalls at "debug1: SSH2_MSG_SERVICE_ACCEPT received", add this to your /etc/ssh/sshd_config as root:

UseDNS no

And restart the service:

/etc/init.d/ssh restart

Problem resolved!


(credit: [2] )

External Links

  • Using ssh-agent with ssh
  • The OpenSSH Project
  • SSH entry at Wikipedia
  • An A-Z Index of Linux BASH commands at Simon Sheppard's website