Workflow magic (or so it seems :-)

A few days ago I came across the solution to a workflow issue I had long wished could be solved. Today I solved another one, and since they’re connected, I outline them below. Maybe they’ll make someone’s day! 🙂

I often work with remote servers that are almost always some flavor of Linux, most frequently Ubuntu/Debian, but also CentOS/Red Hat. Despite being a lifelong geek, I really dislike `vi`, finding it massively unintuitive. Maybe I haven’t figured out its intricacies, but I doubt it – it just doesn’t jibe with me. In the ’90s I remembered most of Emacs’ chords by heart (or more likely by muscle memory), and really enjoyed using it, but for some reason I eventually stopped using it and only now am picking it up again. For now, however, my go-to editor in Linux is `joe`, which is handy enough (more so than `pico` or `nano`), but none of them is as comfortable and flexible to use as a good GUI editor. In Windows & macOS my editor of choice is Sublime Text 3, and a few days ago I came across this answer in StackOverflow.

Enter rmate/rsub! To make the magic happen, first install a small `rmate` script on your server (but call it `rsub` since you’re using Sublime Text rather than TextMate):

sudo curl -L --output /usr/local/bin/rsub
sudo chmod +x /usr/local/bin/rsub

Or perhaps like this (requires `git`, but makes it easier to keep rmate/rsub up-to-date by executing `git pull` in the cloned directory):

cd /opt
git clone
ln -s /opt/rmate/rmate /usr/local/bin/rsub

Then add a few lines in `~/.ssh/config` on your Mac (Windows users, keep reading, you haven’t been forgotten):

Host *
  RemoteForward 52698 localhost:52698
  UseKeyChain no

To exclude some domains where you’ll never use `rsub`, like GitHub:

Host github.com
  User myUserName
  ForwardAgent no
  ClearAllForwardings yes
  IdentityFile ~/.ssh/myGitHubKey

(the significant line above is `ClearAllForwardings yes`)
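A port forwarded to a server can be reached by any local user of that server, so it is worth checking which hosts actually receive the forwarding under a `Host *` rule and that the exclusion takes effect. The following is an added example, not part of the original post: a simplified Python resolver (plain `Host` patterns only, no `Match`, `Include` or `!` negation) run over a constructed copy of the configuration, in which the `Host github.com` line, the `localhost` target and the host name `web01.example.org` are assumptions.

```python
from fnmatch import fnmatch

# Constructed sample mirroring the configuration in this post. The
# "Host github.com" line and the "localhost" target are assumptions.
SAMPLE_CONFIG = """\
Host github.com
  User myUserName
  ForwardAgent no
  ClearAllForwardings yes
  IdentityFile ~/.ssh/myGitHubKey

Host *
  RemoteForward 52698 localhost:52698
  UseKeyChain no
"""

def parse_blocks(text):
    """Return [(host_patterns, [(keyword, value), ...]), ...] in file order."""
    blocks = [(["*"], [])]  # options before the first Host line apply to all hosts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()  # ssh_config keywords are case-insensitive
        value = parts[1] if len(parts) > 1 else ""
        if key == "host":
            blocks.append((value.split(), []))
        else:
            blocks[-1][1].append((key, value))
    return blocks

def effective_remote_forwards(text, hostname):
    """RemoteForward entries the client would request for this hostname."""
    forwards, clear = [], None
    for patterns, options in parse_blocks(text):
        if not any(fnmatch(hostname, p) for p in patterns):
            continue
        for key, value in options:
            if key == "remoteforward":
                forwards.append(value)  # forwardings accumulate across blocks
            elif key == "clearallforwardings" and clear is None:
                clear = value.lower() == "yes"  # first obtained value wins
    return [] if clear else forwards
```

On a real client, `ssh -G hostname` prints the options OpenSSH itself resolves for that host.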

Then install the `rsub` package in Sublime (easiest done with Package Control), and now the `rsub someFileName` command on the remote opens `someFileName` in Sublime on the Mac! Like magic!! No need to mess with FTPS. Just one word of caution: if you put the Mac to sleep, the “rsubbed” file may become disconnected from the remote, so when you make the first save after resuming work, verify that the changes are indeed saved, or close the file and reopen it from the remote.

`rsub` also works with Sublime Text in Windows. The only part of the above setup that differs on Windows is the SSH config, since Microsoft’s effort to create a native OpenSSH port for Windows is slow going (“non-production ready pre-release v0.0.17.0” with 161 open issues as of the writing of this post). I usually use VanDyke’s excellent commercial SSH client SecureCRT as the SSH terminal in Windows. I initially thought reverse port forwarding would not be possible in it, but alas, I stand corrected! VanDyke’s always helpful and knowledgeable technical support pointed out how to achieve the desired port forwarding in it (the config section in question was titled “Port Forwarding – Remote/X11”, and that indeed meant “remote OR X11”, not “remote X11”, as I had read it). So regardless of whether you use PuTTY (or its derivatives like KiTTY) or SecureCRT, setting up the port forwarding is a snap. I’ll outline PuTTY’s setup first, then SecureCRT’s equivalent configuration.

Install and fire up PuTTY. Just to make sure you start from a clean slate, click on “Default Settings” and then “Load”:


Set the name (or IP) of the server you’ll be running `rsub` from:


If you’re not using PuTTY’s key agent Pageant to authenticate, enter the path to your private RSA key. Note that it must be in `PPK` format (if you have a PEM format key, you need to convert it with PuTTYgen, another PuTTY utility program):


Add the remote listener port:


[OPTIONAL] If you’re NOT using this PuTTY session for the shell (i.e. if you’re using another program for that purpose, one that lacks the reverse forwarding capability), disable the shell for this connection:


[OPTIONAL] Similarly, if you’re not using this PuTTY session for the shell, set the window size to a small value:


Finally, back in the Session tab, save the session: give it a name, then click on “Save”. If this is a shell-less RSUB session only, give a descriptive name:


Now you have configured an RSUB session in PuTTY. For convenience, you may want to create a desktop link to activate the [RSUB] session. If so, right click on the desktop and select “New > Shortcut”, then enter the path to `putty.exe`, followed by `-load`, and the name you gave the session in PuTTY:


Finally, give a descriptive name for the desktop link:


And now you have a link that opens the RSUB channel to your remote server:


Click on it, and it opens a small session window. As long as you keep it open, you can use the `rsub` command on the remote to open and edit remote files on your local Sublime Text!

And now, the same for SecureCRT:

Once you have configured a profile otherwise (set the hostname, username, and authentication information – [preferably] either a PEM format key, or a password [if allowed by your server]), head to Connection > Port Forwarding > Remote/X11, like so:


Click on “Add”, and enter a name for this tunnel, such as “RSUB” here, and the port 52698. When you enter it in the “Remote > Port” field, the “Local > Port” is automatically filled out for you:


And now you have the `rsub` port forwarding in place in SecureCRT!


Now when you open the session, you automatically have an `rsub` port open as well, and once you open Sublime Text on Windows, you can proceed to type `rsub someFileName` on the server, and it opens in Sublime.

So far so good (remote editing is working great!). Today I needed to diff an old configuration file against the new one, and the CLI `diff` output was too tedious to decipher. Then it occurred to me that maybe it would be possible to somehow use my favorite GUI diff utility, Beyond Compare with Sublime — and it is! The only thing to note is that when you open Beyond Compare from the files open in Sublime, you’ll need to save the completed diff first in Beyond Compare, and then in Sublime. Note that the file change indicator doesn’t light up in Sublime even when it has received the changes resulting from the diff reconciliation in Beyond Compare. The changes are received in Sublime when you save them in Beyond Compare, but not saved from Sublime [to the server over `rsub`] until you explicitly hit save in Sublime.

Now.. the files opened in Sublime from a remote using `rsub` can be diffed by this method with Beyond Compare! Working with remote files just became a lot more fun! 🙂

Update 2017-11-07: The article was updated with the latest `rsub` installation details, and PuTTY configuration instructions were added.

Update 2017-11-09: VanDyke’s technical support pointed out to me that the reverse port forwarding can be accomplished in SecureCRT as well, so I corrected the article, and added the configuration details for SecureCRT.

Update 2017-11-24: I just noticed you can open two files from two different servers (using `rsub`), or one file from a server, and one file locally, and then compare them with Beyond Compare as described above. So cool!

Update 2018-01-17: Note that if you have a connection open from multiple machines, the first one that reverse-forwards the port `52698` receives the file when you run `rsub someFileName` on the remote. This can be confusing if you work on the same remotes from multiple systems, so if you so choose, you can map a different port from different laptops/desktops, like so:

laptop – `RemoteForward 52698 localhost:52698`
desktop – `RemoteForward 52699 localhost:52698`

(NOTE: The first port value is the forwarded remote port; the second value is the local port which always remains at `52698` as it corresponds to the Sublime’s rsub extension port set in Sublime > Preferences > Package Settings > rsub > port)

Then on the remote system set up a couple of aliases, respectively (here we assume the `rmate` repo was cloned in `/opt/rmate` rather than downloaded with `curl`):

alias rsubl='/opt/rmate/rmate --port 52698'
alias rsubd='/opt/rmate/rmate --port 52699'

If you set up multiple `rsub` alternatives like this, you may not want to copy/symlink the `rmate` executable to `/usr/local/bin/rsub`, as that way you have to use the port-specific aliased commands instead.

A Convenient AWS CLI Key Rotation Script for IAM Users

It’s a good practice to rotate your AWS CLI keys periodically. Recently I wrote a key rotation shell script to match a company policy where an IAM user is allowed to have a maximum of two concurrent keys. If both “slots” are taken when the script is triggered, it looks at the creation dates/times of the keys, which key is currently active (or if both are), and which one is currently configured in the user’s `~/.aws/config` file (and hence is being used for the rotation operation), and then allows the user to delete the key that is either older, or not currently in use, thus making space for a new key.

Once the new key is generated, the script activates the key, tests that it works, and then removes the key that the new key replaces.
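The slot-freeing decision and rotation order described above, as an added Python example that is not the author's script: it plans the steps from constructed `aws iam list-access-keys` output. The user name, the key ids, the `plan_rotation` name and the rule that the configured key is deleted only last are assumptions of this example.

```python
import json
from datetime import datetime

# Constructed sample in the shape of `aws iam list-access-keys` output.
# User name and key ids are placeholders, not real credentials.
SAMPLE_KEYS = json.dumps({"AccessKeyMetadata": [
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLEKEY000001",
     "Status": "Active", "CreateDate": "2017-03-01T09:00:00Z"},
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLEKEY000002",
     "Status": "Active", "CreateDate": "2017-09-15T12:30:00Z"},
]})

def _created(key):
    # Accept both "...Z" and "...+00:00" timestamp spellings.
    return datetime.fromisoformat(key["CreateDate"].replace("Z", "+00:00"))

def plan_rotation(list_keys_json, configured_key_id, max_keys=2):
    """Return ordered (action, key_id, note) steps for one rotation.

    Assumption of this example: the key configured for the CLI performs the
    rotation, so it is deleted only last, after the new key has been verified.
    """
    keys = sorted(json.loads(list_keys_json)["AccessKeyMetadata"], key=_created)
    current = next((k for k in keys if k["AccessKeyId"] == configured_key_id), None)
    if current is None or current["Status"] != "Active":
        raise ValueError("configured key is not an active key of this user")
    steps = []
    others = [k for k in keys if k is not current]
    if others and len(keys) >= max_keys:
        # Both slots taken: free one. Prefer an inactive key, then the oldest.
        spare = min(others, key=lambda k: k["Status"] == "Active")
        if spare["Status"] != "Active":
            note = "inactive"
        elif _created(spare) < _created(current):
            note = "active, older than the configured key"
        else:
            note = "active, newer than the configured key: confirm it is unused"
        steps.append(("delete", spare["AccessKeyId"], note))
    steps.append(("create", None, "new key goes into the CLI configuration"))
    steps.append(("verify", None, "make an API call with the new key"))
    steps.append(("delete", configured_key_id, "replaced by the verified new key"))
    return steps
```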

The script was created and tested for use on macOS, but it will likely work on Linux as well (I will soon test it on Linux and make any portability changes if needed).

You can find the script on GitHub.

Update 28 October 2017: An improved version of the script has been published.
See the details here!