JMM’s notes on

SSH

Get the fingerprint of the current machine

Sometimes you get the following warning when trying to connect to a machine:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ED25519 key sent by the remote host is
SHA256:░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░.

If you have physical access to that machine, you may wonder, “What is the fingerprint of this machine?” If it has a /etc/ssh/ssh_host_ed25519_key.pub (the key type named in the warning above, for example), you’d run:

$ ssh-keygen -E sha256 -lf /etc/ssh/ssh_host_ed25519_key.pub
256 SHA256:░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░ root@░░░░░ (ED25519)
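As an added example (not part of these notes), here is what ssh-keygen -E sha256 -l computes, and the comparison ssh makes against ~/.ssh/known_hosts before it prints the warning above, in plain Python standard library. It goes a little beyond the one command: it also matches known_hosts entries in the hashed |1| form that HashKnownHosts writes, and reports whether an offered key is "match", "changed" (the warning case) or "unknown". The function names (parse_key, fingerprint, check_host_key, ed25519_pubkey_line, hashed_host_entry) and the sample keys and known_hosts lines are constructed for this example; they are not anything from OpenSSH.

```python
"""Added example: OpenSSH SHA256 fingerprints and a known_hosts check."""
import base64
import binascii
import hashlib
import hmac
import struct

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def _wire_string(blob: bytes) -> bytes:
    """First SSH wire-format string (uint32 length + bytes) of a key blob."""
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n]


def parse_key(line: str) -> tuple[str, bytes]:
    """Return (key_type, raw_blob) from a public key line or a known_hosts line.

    The blob is accepted only if its first wire string repeats the key type,
    so a host name that happens to start with 'ssh-' is not taken for a key.
    """
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if not field.startswith(KEY_TYPE_PREFIXES):
            continue
        try:
            blob = base64.b64decode(fields[i + 1], validate=True)
            if _wire_string(blob) == field.encode():
                return field, blob
        except (binascii.Error, ValueError, struct.error):
            pass
    raise ValueError("no public key found in line")


def fingerprint_of_blob(blob: bytes) -> str:
    """ssh-keygen -E sha256 -l form: base64(SHA256(blob)) with '=' padding removed."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def fingerprint(line: str) -> str:
    return fingerprint_of_blob(parse_key(line)[1])


def host_matches(pattern: str, host: str) -> bool:
    """Match the first known_hosts field: comma-separated names, or the |1|salt|hmac
    hashed form (HMAC-SHA1 of the host name). Wildcards, '!' negation and
    [host]:port are not handled here."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return host in pattern.split(",")


def hashed_host_entry(host: str, key_line: str, salt: bytes) -> str:
    """Build a known_hosts line in the hashed form written by HashKnownHosts yes."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|{}|{} {}".format(base64.b64encode(salt).decode(),
                                base64.b64encode(mac).decode(), key_line)


def check_host_key(known_hosts: str, host: str, offered_line: str) -> tuple[str, list[str]]:
    """Compare the key a server offered with what known_hosts stores for host.

    Returns ("match" | "changed" | "unknown", [stored fingerprints of that key type]).
    "changed" is the situation behind REMOTE HOST IDENTIFICATION HAS CHANGED.
    """
    offered_type, offered_blob = parse_key(offered_line)
    stored = []
    for raw in known_hosts.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue  # blank lines, comments, @cert-authority/@revoked markers
        if not host_matches(line.split()[0], host):
            continue
        try:
            ktype, blob = parse_key(line)
        except ValueError:
            continue
        if ktype == offered_type:
            stored.append(blob)
    if not stored:
        return "unknown", []
    fps = [fingerprint_of_blob(b) for b in stored]
    if any(hmac.compare_digest(b, offered_blob) for b in stored):
        return "match", fps
    return "changed", fps


def ed25519_pubkey_line(raw32: bytes, comment: str = "constructed") -> str:
    """Constructed test material: wrap 32 raw bytes in the ssh-ed25519 wire blob.
    They need not be a valid curve point to be parsed and fingerprinted."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", len(raw32)) + raw32
    return "ssh-ed25519 {} {}".format(base64.b64encode(blob).decode(), comment)


if __name__ == "__main__":
    # The same value `ssh-keygen -E sha256 -lf` prints for a file holding this line.
    print(fingerprint(ed25519_pubkey_line(bytes(range(32)))))
```

Pasting the ED25519 line from the real /etc/ssh/ssh_host_ed25519_key.pub into fingerprint() gives the same SHA256 string as the ssh-keygen command above, and feeding your ~/.ssh/known_hosts to check_host_key() shows which stored entry (and which fingerprint) the warning is complaining about.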

SSH Agent

Add an identity, but only for 8 hours:

ssh-add -t 8h ~/.ssh/id_rsa

SSH agent things to check out

  • You can limit where SSH agent allows keys to be used; see the “-h” option in man ssh-add.

GNOME Keyring

GNOME Keyring loads its own SSH agent that automatically loads all files in ~/.ssh/ (see this article on GNOME Wiki). I kinda don’t like this behavior and would prefer only loading certain keys explicitly. The reason being I’ve got a lot of keys, and if SSH tries everything I end up getting authentication failures for trying too many keys.

I think SSH agent is getting split out of GNOME keyring in the future (a commit from October 2023 shows ssh agent being disabled by default in builds of gnome-keyring).

Running commands on remote host

Here’s an example of running pg_dump to make a backup of the data in a PostgreSQL table:

ssh somehost pg_dump --format=plain --table=public.sometable --dbname=somedb --data-only --inserts --on-conflict-do-nothing > mybackup.sql