Feb 22 2008
SSH connection mastering
While I get back into the swing of blogging after a fairly long hiatus, I thought I’d start with something useful I discovered a while back, and which has recently shown just how cool and useful it really is.
With ssh connection mastering (OpenSSH’s ControlMaster option), you can run multiple sessions to a single host over one connection. Once you have satisfied all the host’s authentication / authorization requirements the first time, and as long as that master connection stays open, every additional login is multiplexed over it as a new channel: it doesn’t go through authentication again, and because there is no new TCP handshake or key exchange it’s much, much faster.
For example, where I work, we SSH to a single server, we’ll call it jupiter, a “bastion host” if you will, from which we can make ssh connections to any of our clients’ servers. All our clients’ servers have our public key in root’s authorized_keys file, and all technicians on jupiter can ssh using the private key associated with that public key. To log into jupiter the technician must enter his RSA SecurID PIN followed by the token’s current code.
If you’ve never used SecurID, it is a “two factor” authentication system. Two factor authentication basically means that to log in you must present both something you know (so it can’t be taken from you by force, though you can be coerced into revealing it) and something on your person. In this case the “something you know” is your PIN, which doesn’t change. The “something on your person” is the SecurID token itself; you prove you have it by typing the 6 digit number it displays, which changes every minute or so. This is more secure than a simple password or PIN in that an attacker needs both the PIN and the physical device. Either one by itself is insufficient to log in.
So getting back to jupiter: to ssh to this server we use SecurID authentication. This means we must ssh to the server, wait while ssh negotiates keys and the server does whatever DNS lookups it wants to do, type our PIN, then dig out our token and enter the displayed number, then wait while jupiter checks with our SecurID server to verify the numbers entered.
Using the ssh connection mastering technique I’ve linked to, you only have to do this once. As long as that original connection is open, you can open another terminal window, or even a virtual terminal, ssh to the server and be in instantly. No delays for ssh key exchange, DNS lookups or SecurID. You don’t have to enter your PIN and token again. You’re just in. This is very useful if you have to log into multiple client servers at once.
Just don’t tell the security admin.
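Here is what the setup looks like in practice, as an added example (not code from this post or from the linked article): the OpenSSH client options the technique relies on, plus the one check the security admin would actually care about. The host name jupiter.example.com and the ~/.ssh/cm socket directory are assumed names; ControlMaster and ControlPath are the real ssh_config keywords, and ControlPersist is an optional extra that postdates this 2008 post (OpenSSH 5.6 and later).

```shell
#!/bin/sh
# Added example, not from the original post or the linked article.
# Shows the OpenSSH client options behind "connection mastering"
# (ControlMaster / ControlPath) and the check that matters for security:
# the control socket must live where only its owner can reach it.
# Assumed names: jupiter.example.com, the ~/.ssh/cm socket directory.
# ControlPersist is optional and postdates the 2008 post (OpenSSH >= 5.6).
set -eu

# Directory for control sockets. Whoever can connect() to a socket here
# gets a fully authenticated session on jupiter with no PIN and no token,
# so the directory must be private to the user (mode 0700, owned by them).
CM_DIR="${CM_DIR:-${HOME:-.}/.ssh/cm}"

# check_control_dir DIR: status 0 if DIR exists, is owned by the caller
# and is mode 0700; 1 otherwise.
check_control_dir() {
    dir="$1"
    [ -d "$dir" ] || return 1
    [ -O "$dir" ] || return 1                # owned by the effective uid
    perms=$(ls -ld "$dir" | cut -c1-10)      # works on GNU and BSD ls
    [ "$perms" = "drwx------" ]
}

# make_control_dir DIR: create DIR already at mode 0700 (no window where it
# exists with the default umask), then verify it.
make_control_dir() {
    dir="$1"
    [ -d "$dir" ] || mkdir -m 0700 "$dir"
    check_control_dir "$dir"
}

# write_bastion_config FILE: append the jupiter stanza to FILE (normally
# ~/.ssh/config; pass a scratch file to try it without touching that).
write_bastion_config() {
    cat >> "$1" <<EOF
Host jupiter
    HostName jupiter.example.com
    # "auto": the first ssh becomes the master, later ones reuse its socket.
    ControlMaster auto
    # %r@%h:%p keeps sockets distinct per remote user, host and port.
    ControlPath $CM_DIR/%r@%h:%p
    # OpenSSH >= 5.6 only: keep the master up 10 minutes after the last
    # session closes. Remove this line on a 2008-era client.
    ControlPersist 10m
EOF
}

# Interactive use (needs a real bastion, so it only runs when asked):
#   sh cm.sh setup       create the socket dir and write the stanza
#   ssh jupiter          first login: PIN + token, this one is the master
#   ssh jupiter          every later login rides the socket, no prompt
#   ssh -O check jupiter ask whether a master is running
#   ssh -O exit jupiter  tear the master down (your 2FA session is gone)
if [ "${1:-}" = "setup" ]; then
    make_control_dir "$CM_DIR" || { echo "bad socket dir: $CM_DIR" >&2; exit 1; }
    write_bastion_config "${HOME:-.}/.ssh/config"
fi
```

The point the security admin would raise: once the master is up, the control socket is an authenticated session sitting on disk, and file permissions are the only thing standing between it and anyone else on the box. Keep the socket directory 0700, remember that root on a shared bastion can use any user’s socket, and run `ssh -O exit jupiter` when you are done rather than leaving a token-free path to jupiter (and, through the shared root key, to every client server) open all day. ControlPersist widens that window further, so set it short or leave it out.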
For some reason the trackback link isn’t showing up in the blog. The link referred to above is
http://www.newartisans.com/blog_files/ssh.connection.mastering.php