Another neat thing I noticed while playing with it just now: there's an option to enter ~ twice to send a literal ~, but usually you don't have to do this when typing something like 'ls ~' in a regular session. Not only does the ~ have to be the first character on a line to start an escape sequence, but typing on a line, backspacing all the way to the start and then typing ~ also sends a literal tilde. It only triggers the escape sequence if the ~ is the chronologically first character after a newline (or first in the session), which is an unlikely thing to type into a shell in a normal session. Good choice of UI, both the character and the state machine.
for the younger readers, yes, because in terminal echo mode, "backspacing" does not clear your terminal line buffer, those characters backspaced are already sent on the line. if you ever seen a misconfigured terminal, it hints what's going on, like:
user@host$ ls ~/^?^?^?^?^?~/a.out
^? is backspace's control char.
that is ssh watches what you type, not what is on the screen (terminal).
If you are interested there are a few ways you can fix this:
Easiest is to use a VPN, because the VPN's exit node becomes the effective NAT they usually have normal TCP timeouts due to being less resource constrained. Another nice benefit of this method is you can move between physical networks and your connection doesn't die... If you use Tailscale then you already have this in a more direct way.
Another is to tune the tcp_keepalive kernel parameters. Lowering the keepalive timeout to be less than the CGNAT timeout will cause keepalive probes to prevent CGNAT from dropping the connection even while your SSH connection is technically idle. For Linux I pop these into /etc/sysctl.d/z.conf, I have no idea for Windows or Mac:
# Keepalive frequently to survive CGNAT
net.ipv4.tcp_keepalive_time = 240
net.ipv4.tcp_keepalive_intvl = 60
net.ipv4.tcp_keepalive_probes = 120
_time=240 will send a probe after 4 mins of idle connection instead of the default 2 hours, undercutting the CGNAT timeout. _intvl=60 and _probes=120 mean it will send 120 probes 60 seconds apart (2 hours worth) before considering the connection dead. This will keep it alive for at least 2 hours, but also allows us to have the best of both worlds so that under a nice NAT it keeps the old behaviour, e.g if I temporarily lose my network the SSH connection is still valid after 2 hours, but under CGNAT it will at least not drop the connection after 5 mins so long as I keep my computer on and don't lose the network.
There are also some SSH client keepalive settings but I'm less familiar with them.
Depends on whether your sockets survive that, though. Especially on Wi-Fi, many implementations will reset your interface when sleeping, and sockets usually don't survive that.
Even if they do, if the remote side has heartbeats/keepalive enabled (at the TCP or SSH level), your connection might be torn down from the server side.
But if you throw up a default Linux install for your SSH box and have a not-horrible wifi router with a not-horrible internet provider then IME you can sleep your machine and keep an SSH connection alive for quite some time... I appreciate that might be too many "not-horrible" requirements for the real world today though.
CGNAT is for access to legacy IPv4 only.
For some reason, OpenSSH devs refuse to fix this issue, so I have to patch it myself:
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -26,6 +26,7 @@
#include <net/if.h>
#include <netinet/in.h>
#include <arpa/inet.h>
+#include <linux/ipv6.h>
#include <ctype.h>
#include <errno.h>
@@ -370,6 +371,11 @@ ssh_create_socket(struct addrinfo *ai)
if (options.ip_qos_interactive != INT_MAX)
set_sock_tos(sock, options.ip_qos_interactive);
+ if (ai->ai_family == AF_INET6 && options.bind_address == NULL) {
+ int val = IPV6_PREFER_SRC_PUBLIC;
+ setsockopt(sock, IPPROTO_IPV6, IPV6_ADDR_PREFERENCES, &val, sizeof(val));
+ }
+
/* Bind the socket to an alternative local IP address */
if (options.bind_address == NULL && options.bind_interface == NULL)
return sock;Because if the connection/socket gets lost either way, I don't really care if the IP changes too.
It boilds down to using a Linux-specific API, though it's really BSD that is lacking support for a standard (RFC 5014).
The largest IPv6 deployments in the world are mobile carriers, which are full of stateful firewalls, DPI, and mid-path translation. The difference is that when connections drop it gets blamed on the wireless rather than the network infrastructure.
Also, fun fact: net.ipv4.tcp_keepalive_* applies to IPv6 too. The "ipv4" is just a naming artifact.
The constrained resource there is only firewall-side memory, though, as opposed to that plus (IP, port) tuples for CG-NAT.
I highly doubt you get "random" data over ipv6. There are more ipv6 addresses than there are atoms on the planet.
For example, receiving traffic from a given address is a pretty good indicator that there's somebody there possibly worth port scanning.
And where there has once been somebody, there or in the same neighborhood (subnet) might be somebody else, now or in the future.
I think a default policy of "no inbound connections" does makes sense for most mobile users. It should obviously be configurable.
My other favourite is I very often SSH with -v to figure out why the connection is hanging, you rapidly figure out if DNS is failing, the TCP connection doesn't open, it does open but no traffic flows at all or it opens and SSH negotiation starts but never finishes. You can learn a lot just from this about what is wrong.
That lets you `ssh -vvvv` to a host then once you've figured out the issue use ~V to decrease verbosity so that debug messages don't clutter your shell.
Edit: it's already explained in the OP
You can also just kill the ssh process (say from another terminal). That way you get to keep your terminal window. And this works with everything "blocking" your terminal, not just ssh.
Anyway, if you try it from shell prompt it is likely will not work as pressing ENTER shows the next prompt. Try `cat` followed by ENTER and then ~?
Host *
EnableEscapeCommandline yesThe reason that is disabled in current OpenSSH by default is OpenBSD `pledge` support:
https://security.stackexchange.com/questions/280793/what-att...
On my Linux,
cat<Enter>~.
The point of the return is to prime it to accept the start of a new escape sequence. Presumably the idea is that `~.` is not completely unlikely to occur as part of text entered remotely, but less so at the beginning of a new line.
I wonder if anyone still remembers the ctrl-[ sequence in telnet. I think I only ever used the quit command in that though.
I guess you could call it a "secret" or at least "not super-well known (to people who aren't Linux 'experts')."
I put new in quotes because I use another little-known feature, "ControlMaster". Multiplexes multiple connections into one, it makes making " new" sessions instant (can also be configured to persist a bit after disconnecting). Also useful for tab-completing remote paths. It does not prompt for authentication again, though. And it's a bit annoying when the connection hands (can be solved with ssh -o close, IIRC).
Is this what secureCRT used as well? I remember this being all the rage back when I used windows, and it allowed this spawn new session by reusing the main one.
this here is something that's pretty useful to most ssh users, yet seldom spoken of
a better analogy would be comparing it to calling a very good, but not well-known restaurant a secret place - using the word to mean a hidden gem rather than an intentionally hidden secret
Host *
ControlMaster auto
ControlPath ~/.ssh/sockets/%r@%h:%p
ControlPersist 10m
This pairs well with the ~C escape discussed here: adding a port forward mid-session via ~C -L 8080:localhost:8080 doesn't require a new connection or re-authentication when a ControlMaster is already running. Useful for those "I need to tunnel something I didn't anticipate" moments.
What I now have: ~B
What I really need: a way to stop long-running SSH connections from freezing
~.
I really hate it when people just rename terms. It made it harder to search properly for better answers.
I use it when I need to crash a kernel on purpose to test kdump over the network.
You can also send commands to the simulated console of a VM under libvirt with "virsh connect". But I don't think you can send a break to the kernel with that.
I find it convenient not to have to worry about accidentally entering escape characters. YMMV.
$ man sshJackpot if they're just a pointer to an 'info' page.
Case in point: the jq man page is incredible and everyone I know instead runs off to google or stackoverflow or Claude to answer simple questions
man -Tpdf bash | zathura -
Replace zathura with any PDF viewer reading from stdin or just save the PDF. Hope that can be useful to someone!
https://wiki.archlinux.org/title/Neovim#Use_as_a_pager
https://neovim.io/doc/user/filetype/#_man
I've also been running (neo)vim as a manpager. You get the same features as with vim (like easily copying text or opening referenced files/other manpages without using the mouse), but neovim also parses the page and creates a table of contents, which can be used for navigation within the page. It doesn't always work perfectly, but is usually better than nothing.
With many years of insight, I think I probably never updated the database.
See "escape characters" under man ssh.
Now I am dismayed with juniors who can't even be bothered to use google (or llms) to look up stuff on their first hiccup.
#include <old-man-shouting-at-clouds>
ProxyCommand is fun
It's really great for ops teams where you want to give ssh access and manage it from github teams without needing a complex system.
https://www.freedesktop.org/software/systemd/man/257/systemd...
ProxyJump is a special case of `ProxyCommand ssh -p <port> <user>@<host>`. Can't replace the `ssh` in there when using ProxyJump.
[0]: https://developers.cloudflare.com/cloudflare-one/networks/co...
Here's 15-year old HN link about it: http://grack.com/blog/2011/02/23/ssh-escape-sequences-or-don...
https://die.net and https://ss64.com are sites I’ve been recommending for years.
"It's easier to ask an AI" can be true without implying that manpages are bad.
However, "man" the tool does have issues, and one of them bit me just now.
So, I didn't know about openssh client escapes like ~?. I thought, "surely that's in the manpage?" I opened the manpage (in less) and searched for "\~\?". No hits.
Of course, escape characters are documented in the manpage, and the string "~?" does appear. Why didn't search find it? Because man, in its infinite wisdom, decided to render every instance of "~" as some bizarre unicode not-tilde, which is visually similar but totally impossible to grep for.
This has also bitten me in the past with dash. DASH. A character that is critically important when documenting invocation options. man loves to convert it into something that looks like dash, prints like dash, but doesn't come up in search.
I'm sure there is a way to turn this "feature" off, and I'm about to spend a bunch of time figuring out what it is. But this is documentation for command-line tools. Silently destroying our ability to grep it should NOT be the default.
I miss most.
It sounds like some distributions do have this fixed in their default settings. I'm on Cygwin 3.6.6; maybe it's mostly a Cygwin thing.
You'll be happiest.
though you have to be aware of the escapes for regex, so \~?