Rendered at 04:14:13 GMT+0000 (Coordinated Universal Time) with Cloudflare Workers.
0xbadcafebee 4 hours ago [-]
Find the HIDDEN SECRETS that THEY DON'T WANT YOU TO KNOW!
$ man ssh
imwally 2 hours ago [-]
I blew a few minds a week ago when I told my younger coworkers about man pages. I hit ‘em with the `man man` and one dude was like “whoa!”
bombcar 2 hours ago [-]
Reminds me of the old canard of 'man woman'
2 hours ago [-]
saguntum 2 hours ago [-]
man ssh_config is even more interesting and hidden
ProxyCommand is fun
smoyer 3 hours ago [-]
HN as a tabloid ... After all enquiring minds want to know!
3 hours ago [-]
senectus1 3 hours ago [-]
hahaha made me laugh, thanks :-D
piccirello 4 hours ago [-]
I've been using SSH for ~15 years and never knew about these escape sequences. I'm eagerly awaiting my next hung session so that I can test `~.`. It's much nicer than my current approach of having to close that terminal window.
tomxor 2 hours ago [-]
If hung SSH connections are common it's likely due to CGNAT which use aggressively low TCP timeouts. e.g. I've found all UK mobile carriers set their TCP timeout as low as 5 minutes. The "default" is supposed to be 2 hours, you could literally sleep your computer, zero packets, and an SSH connection would continue to work an hour later, and generally speaking this is still true unless CGNAT is in the way.
If you are interested there are a few ways you can fix this:
Easiest is to use a VPN, because the VPN's exit node becomes the effective NAT they usually have normal TCP timeouts due to being less resource constrained. Another nice benefit of this method is you can move between physical networks and your connection doesn't die... If you use Tailscale then you already have this in a more direct way.
Another is to tune the tcp_keepalive kernel parameters. Lowering the keepalive timeout to be less than the CGNAT timeout will cause keepalive probes to prevent CGNAT from dropping the connection even while your SSH connection is technically idle. For Linux I pop these into /etc/sysctl.d/z.conf, I have no idea for Windows or Mac:
This is really a misuse of these settings, they are supposed to be for checking TCP connections are still alive and clearing them up from the local routing table. Instead the idea is to exploit the probes by sending them more frequently to force idle connections to stay alive in a CGNAT environment (dont worry the probes are tiny and still very infrequent).
_time=240 will send a probe after 4 mins of idle connection instead of the default 2 hours, undercutting the CGNAT timeout. _intvl=60 and _probes=120 mean it will send 120 probes 60 seconds apart (2 hours worth) before considering the connection dead. This will keep it alive for at least 2 hours, but also allows us to have the best of both worlds so that under a nice NAT it keeps the old behaviour, e.g if I temporarily lose my network the SSH connection is still valid after 2 hours, but under CGNAT it will at least not drop the connection after 5 mins so long as I keep my computer on and don't lose the network.
There are also some SSH client keepalive settings but I'm less familiar with them.
lathiat 3 hours ago [-]
Have been using that weekly since probably 20 years. Will change your life :)
My other favourite is I very often SSH with -v to figure out why the connection is hanging, you rapidly figure out if DNS is failing, the TCP connection doesn't open, it does open but no traffic flows at all or it opens and SSH negotiation starts but never finishes. You can learn a lot just from this about what is wrong.
Izkata 42 minutes ago [-]
Also helps with auth failures, I've used it several times with co-workers who can't figure out why their ssh key isn't working. It lists the keys out and some extra information.
sirfz 3 hours ago [-]
You can even chain them if you have deep ssh connections (i.e. ssh from one instance to another). I think it would be ~~. to terminate the 2nd hop.
Edit: it's already explained in the OP
fragmede 32 minutes ago [-]
Just ssh to funky.nondeterministic.computer to test it out!
TacticalCoder 3 hours ago [-]
> It's much nicer than my current approach of having to close that terminal window.
You can also just kill the ssh process (say from another terminal). That way you get to keep your terminal window. And this works with everything "blocking" your terminal, not just ssh.
wolvoleo 4 hours ago [-]
I use that every day but it's the only one I know by heart lol
shmerl 4 hours ago [-]
I've been using ~. on hung ssh connections for a while.
vzaliva 2 hours ago [-]
I've used ~. for a long time but did not know about others. I know, should have read man page.
Anyway, if you try it from shell prompt it is likely will not work as pressing ENTER shows the next prompt. Try `cat` followed by ENTER and then ~?
BenjiWiebe 2 hours ago [-]
It'll still work. OpenSSH doesn't care about output (for ~ stuff), only input, so if you type <enter>~. it will close the connection.
vzaliva 19 minutes ago [-]
It does not. open ssh linux to mac, typing ~ just types it on fish shell prompt. It works after`cat` followed by ENTER
pram 4 hours ago [-]
Yep the menu is handy for ssh tunneling. Maybe not a lot of people doing that these days though with stuff like dev tunnels and Tailscale.
MayeulC 3 hours ago [-]
I typically just create a "new" connection in a separate tab when I want to add tunneling.
I put new in quotes because I use another little-known feature, "ControlMaster". Multiplexes multiple connections into one, it makes making " new" sessions instant (can also be configured to persist a bit after disconnecting). Also useful for tab-completing remote paths. It does not prompt for authentication again, though. And it's a bit annoying when the connection hands (can be solved with ssh -o close, IIRC).
nyanchovy 2 hours ago [-]
TIL; thanks, that's interesting (and somehow escaped my 20+ years of using ssh)! As usual the gold is in the comments :-)
blueflow 4 hours ago [-]
As secret as the ssh manual.
bigstrat2003 2 hours ago [-]
"secret" not in the sense that it's hidden, but that most people won't know about it. Because approximately nobody actually reads man pages in their entirety, they just get in to find out how a specific flag works and then get out.
wrs 42 minutes ago [-]
Those aren’t “secret”, they’re obviously borrowed from rsh — oh that’s right, I’m old.
aidenn0 19 minutes ago [-]
And these days you need to pass "-O" to scp to have it behave like rcp.
_kst_ 4 hours ago [-]
That doesn't do much good if you set `EscapeChar` to `none` in `.ssh/config`.
I find it convenient not to have to worry about accidentally entering escape characters. YMMV.
MayeulC 4 hours ago [-]
Note that it only works after pressing enter, so the odds are slim. In practice, I don't think I ever hit it by accident.
greyface- 3 hours ago [-]
I have noticed it while running ~/bin/some_command. The ~ doesn't echo until I also type the /. It doesn't cause any misbehavior because there is no binding for ~/ but can be slightly surprising.
singlow 2 hours ago [-]
I find it odd that you would have commands in ~/bin but not have it be the highest priority in your PATH. I use ~/.local/bin, but would never type it because i wouldn't have bins that overlap shell commands and no other path would have priority.
wolvoleo 4 hours ago [-]
SSH does it pretty well though. Never once have I done it by mistake.
jasomill 1 hours ago [-]
I'd guess this is because it only works in ssh PTY sessions. So it would have no effect on tunneling or when piping arbitrary data through ssh to a non-interactive remote command (unless you use the -t switch to force PTY allocation even when stdin is not a TTY).
wolvoleo 1 hours ago [-]
No I don't think so. I mainly and pretty much constantly use SSH for logging in. I'm not one of those 'cattle not pets' guys lol.
And when I port forward I usually don't even tunnel it over SSH because all my stuff is on tailscale so it's also encrypted.
Lasang 2 hours ago [-]
Hidden or undocumented features like this always have a strange appeal. Part of it is nostalgia for older software where small Easter eggs or experimental features would sometimes ship in production builds.
joecool1029 2 hours ago [-]
FYI, you can kill forwarding tunnels with -KD portnum in that commandline too.
juancn 3 hours ago [-]
It's like Ctrl + ] on telnet.
The good old times!
nirui 1 hours ago [-]
Secret Menu -> Escape Characters
I really hate it when people just rename terms. It made it harder to search properly for better answers.
ProxyCommand is fun
If you are interested there are a few ways you can fix this:
Easiest is to use a VPN, because the VPN's exit node becomes the effective NAT they usually have normal TCP timeouts due to being less resource constrained. Another nice benefit of this method is you can move between physical networks and your connection doesn't die... If you use Tailscale then you already have this in a more direct way.
Another is to tune the tcp_keepalive kernel parameters. Lowering the keepalive timeout to be less than the CGNAT timeout will cause keepalive probes to prevent CGNAT from dropping the connection even while your SSH connection is technically idle. For Linux I pop these into /etc/sysctl.d/z.conf, I have no idea for Windows or Mac:
This is really a misuse of these settings, they are supposed to be for checking TCP connections are still alive and clearing them up from the local routing table. Instead the idea is to exploit the probes by sending them more frequently to force idle connections to stay alive in a CGNAT environment (dont worry the probes are tiny and still very infrequent)._time=240 will send a probe after 4 mins of idle connection instead of the default 2 hours, undercutting the CGNAT timeout. _intvl=60 and _probes=120 mean it will send 120 probes 60 seconds apart (2 hours worth) before considering the connection dead. This will keep it alive for at least 2 hours, but also allows us to have the best of both worlds so that under a nice NAT it keeps the old behaviour, e.g if I temporarily lose my network the SSH connection is still valid after 2 hours, but under CGNAT it will at least not drop the connection after 5 mins so long as I keep my computer on and don't lose the network.
There are also some SSH client keepalive settings but I'm less familiar with them.
My other favourite is I very often SSH with -v to figure out why the connection is hanging, you rapidly figure out if DNS is failing, the TCP connection doesn't open, it does open but no traffic flows at all or it opens and SSH negotiation starts but never finishes. You can learn a lot just from this about what is wrong.
Edit: it's already explained in the OP
You can also just kill the ssh process (say from another terminal). That way you get to keep your terminal window. And this works with everything "blocking" your terminal, not just ssh.
Anyway, if you try it from shell prompt it is likely will not work as pressing ENTER shows the next prompt. Try `cat` followed by ENTER and then ~?
I put new in quotes because I use another little-known feature, "ControlMaster". Multiplexes multiple connections into one, it makes making " new" sessions instant (can also be configured to persist a bit after disconnecting). Also useful for tab-completing remote paths. It does not prompt for authentication again, though. And it's a bit annoying when the connection hands (can be solved with ssh -o close, IIRC).
I find it convenient not to have to worry about accidentally entering escape characters. YMMV.
And when I port forward I usually don't even tunnel it over SSH because all my stuff is on tailscale so it's also encrypted.
The good old times!
I really hate it when people just rename terms. It made it harder to search properly for better answers.