This talks about port forwarding but does not mention using ssh as a socks proxy, with is extremely convenient. Also, although tricky to configure ssh can also be used as a VPN with tun/tap support (although a good /etc/network/interfaces on Debian can make it as easy as ifup/ifdown tunX)
Unfortunately this guide does not mention ssh-agent to have usable passphrased keys. Tip: Mac OS X Keychain integrates fantastically with ssh-agent.
My favorite trick is transparently bouncing via ProxyCommand+netcat:
Also, authorizing by key but restricting the (passwordless) key to certain commands, allowing for remote action automation. [0]
Ssh agent forwarding is also particularly awesome instead of naively scattering keys.
Ssh ControlMaster allowing to reuse connections can really improve responsiveness. Tip: start the master connection as a daemon (-f), so as not to mistakenly close the terminal which handles it, else you will close the channel for all other currently opened slave sessions. I wish ssh would fork and start the master on demand then close it when the last channel closes.
It gives you most of the benefits of VPN, without requiring tun/tap and without needing root on the remote box -- all you need is the ability to run python. Very useful if you're on an insecure network and you want to tunnel everything over a secure connection, or if you have SSH access to a box inside your firewall and want to access other resources without having to specify each port individually.
> Ssh ControlMaster allowing to reuse connections can really improve responsiveness. Tip: start the master connection as a daemon (-f), so as not to mistakenly close the terminal which handles it, else you will close the channel for all other currently opened slave sessions. I wish ssh would fork and start the master on demand then close it when the last channel closes.
Good news: as of OpenSSH 5.6p1, it can. Just set "ControlPersist 60" in ~/.ssh/config (in addition to setting ControlMaster auto and ControlPath), and ssh will automatically spawn an SSH master connection in the background, and close it 60 seconds after the last client exits. (You can obviously change the timeout to taste.)
I don't use rsnapshot but you can set up arguments you pass to ssh, in which case you can selectively disable ControlMaster. If you can't, maybe rsnapshot respects .ssh/config so you can set up a Host entry with the relevant config. If you want to also use ControlMaster the host you connect to with rsnapshot, you can set up a Host with a dummy name and set its Hostname option to the real host.
you don't mention whats awesome about the proxycommand to go through hosts:
here's what! it uses the intermediate hosts as a tunnel, which means no ssh agent is listening on the hosts (the regular way to do this is ssh -A hostx ssh -A hosty ssh finalhost)
This means no attacker can use your agent while connected.
Unfortunately this guide does not mention ssh-agent to have usable passphrased keys. Tip: Mac OS X Keychain integrates fantastically with ssh-agent.
My favorite trick is transparently bouncing via ProxyCommand+netcat:
Also, authorizing by key but restricting the (passwordless) key to certain commands, allowing for remote action automation. [0]Ssh agent forwarding is also particularly awesome instead of naively scattering keys.
Ssh ControlMaster allowing to reuse connections can really improve responsiveness. Tip: start the master connection as a daemon (-f), so as not to mistakenly close the terminal which handles it, else you will close the channel for all other currently opened slave sessions. I wish ssh would fork and start the master on demand then close it when the last channel closes.
[0] http://www.cmdln.org/2008/02/11/restricting-ssh-commands/