\input{gl2.slide-header-beamer}
\errorcontextlines=99
%% Subtopic Number = '1.113.7'
%% Title from filename: 'Set up secure shell (OpenSSH)'
%% Weight: 4
%% Description:
%% The candidate should be able to obtain and configure
%% OpenSSH. This objective includes basic OpenSSH installation and
%% troubleshooting, as well as configuring sshd to start at system boot.
%% Key files, terms, and utilities include:
%% /etc/hosts.allow
%% /etc/hosts.deny
%% /etc/nologin
%% /etc/ssh/sshd_config
%% /etc/ssh_known_hosts
%% /etc/sshrc
%% sshd
%% ssh-keygen
\title{1.113.7\\Set up secure shell (OpenSSH)\\Weight 4}
\author[Geoff Robertson]{Geoffrey Robertson \texttt{ge@ffrey.com} \and Nick Urbanik \texttt{nicku@nicku.org}\\
  {\tiny This document is licensed under the GPL---see section~\ref{sec:license}}}%
\subtitle{Linux Professional Institute Certification --- 102}%
\mode
{\chead{1.113.7}}%
% TODO Nick.
% Include my pictures of ssh keys
% Explain how to avoid being hijacked
% Include this and other material from my own notes on ssh.
\begin{document}
\maketitle
\mode
{\thispagestyle{empty}}
\begin{frame}
  \frametitle{Outline}
  \mode
  {%
    %\footnotesize
    \begin{multicols}{2}
      \tableofcontents
    \end{multicols}
    % You might wish to add the option [pausesections]
  }%
  \mode
{%
  \tableofcontents
}%
\end{frame}

\section{Context}
\label{sec:context}
\begin{frame}
  \frametitle{Topic 113 Networking Services [24]}%
  \framesubtitle{Where we are up to}%
  \begin{description}
  \item[1.113.1] Configure and manage inetd, xinetd, and related services [4]
  \item[1.113.2] Operate and perform basic configuration of sendmail [4]
  \item[1.113.3] Operate and perform basic configuration of Apache [4]
  \item[1.113.4] Properly manage the NFS, smb, and nmb daemons [4]
  \item[1.113.5] Setup and configure basic DNS services [4]
    % \uline depends on \usepackage[normalem]{ulem}:
  \item[1.113.7] \textbf{\uline{Set up secure shell (OpenSSH) [4]}}
  \end{description}
\end{frame}

\section{Objectives}
\label{sec:objectives}
\begin{frame}
  \frametitle{Description of Objective}%
  \framesubtitle{1.113.7\ \ Set up secure shell (OpenSSH)}%
  \mode{\Large}%
  The candidate should be able to obtain and configure OpenSSH.
  This objective includes basic OpenSSH installation and troubleshooting, as well as configuring \texttt{sshd} to start at system boot.
\end{frame}

\begin{frame}
  \frametitle{Key files, terms, and utilities include:}%
  %\mode{\large}%
  \begin{description}
  \item[\texttt{/etc/hosts.allow}] --- TCP Wrappers file: \texttt{sshd} is linked against TCP Wrappers
  \item[\texttt{/etc/hosts.deny}] --- TCP Wrappers file: \texttt{sshd} is linked against TCP Wrappers
  \item[\texttt{/etc/nologin}] --- if present, only \texttt{root} can log in; other users are shown the content of this file instead
  \item[\texttt{/etc/ssh/sshd\_config}] --- \texttt{sshd} configuration
  \item[\texttt{/etc/ssh\_known\_hosts}] --- holds the public host keys used to verify the identity of remote hosts when connecting to them
  \item[\texttt{/etc/sshrc}] --- global login script for SSH
  \item[\texttt{sshd}] --- SSH server program
  \item[\texttt{ssh-keygen}] --- generates public/private key pairs for host keys and user keys
  \end{description}
\end{frame}

% \begin{frame}[fragile]
% %ghr
% \frametitle{Set up Secure Shell (OpenSSH)}
% \framesubtitle{Resources of Interest}
% \begin{description}
% \item[TBA]
% \begin{semiverbatim}
% \end{semiverbatim}
% \end{description}
% \end{frame}

\section{What is SSH?}
\label{sec:what-is-ssh}
\begin{frame}
  \frametitle{``Secure SHell''}%
  A functional replacement for the ancient \texttt{rsh} command, with encryption and authentication added.
\end{frame}

\section{Versions of SSH}
\label{sec:versions}
\begin{frame}[fragile]
  \frametitle{Versions}%
  \begin{description}
  \item[Commercial SSH] From a Finnish company, the original authors of SSH.
  \item[OpenSSH] Split from the last free version of commercial SSH. Development led by the OpenBSD team.
  \end{description}
  Draft ``secsh'' RFC.\par
  Alternative implementations exist (PuTTY, \texttt{Net::SSH::Perl}, etc.)
\end{frame}

\section{SSH commands and utilities}
\label{sec:commands-and-utilities}
\begin{frame}
  \frametitle{Commands}
  \begin{description}
  \item[\texttt{ssh}] Run a shell command on a remote host
  \item[\texttt{sshd}] SSH server daemon
  \item[\texttt{scp}] Copy files using SSH
  \item[\texttt{sftp}] An \texttt{ftp}-like interface into \texttt{scp}
  \item[\texttt{ssh-keygen}] Generate an SSH key pair
  \item[\texttt{ssh-agent}, \texttt{ssh-add}] SSH key forwarding
  \end{description}
\end{frame}

\subsection{\texttt{ssh}}
\label{sec:ssh}
\begin{frame}[fragile]
  \frametitle{Commands}%
  \framesubtitle{ssh}%
\begin{verbatim}
ssh [options] host [command]
\end{verbatim}
  Run a shell command on a remote host.\par
  Acts like a normal shell command, i.e.\ \textsc{STDIN} and \textsc{STDOUT} work as normal.\par
  Without a \textit{command}, \texttt{ssh} runs an interactive login.
\end{frame}

\subsection{\texttt{scp}}
\label{sec:scp}
\begin{frame}[fragile]
  \frametitle{Commands}%
  \framesubtitle{scp}%
\begin{verbatim}
scp user@host:path/file user2@host2:path/file2
\end{verbatim}
  Copy a file over \texttt{ssh}.\par
  \textit{user} defaults to the current login name, \textit{user@host} may be omitted for local files, and \textit{path} is relative to \$HOME\par
\end{frame}

\subsection{sftp}
\label{sec:sftp}
\begin{frame}[fragile]
  \frametitle{Commands}%
  \framesubtitle{sftp}%
\begin{verbatim}
sftp user@host:path
\end{verbatim}
  \par%
  \texttt{ftp}-like command line interface to \texttt{scp}.
  \par%
  Only provided with more recent \texttt{ssh} versions.
\end{frame}

\section{Advanced usage}
\label{sec:advanced}
\subsection{Redirecting stdin and stdout}
\label{sec:redirecting-stdin-stdout}
\begin{frame}[fragile]
  \framesubtitle{Advanced Usage}%
  \frametitle{Redirecting stdin and stdout}%
  Remember that \textsc{STDIN} and \textsc{STDOUT} still work as normal (unlike \texttt{telnet}):
\begin{verbatim}
ssh remote tar zcf - /remotepath > localfile.tar.gz
\end{verbatim}
\end{frame}

\subsection{X forwarding}
\label{sec:x-forwarding}
\begin{frame}[fragile]
  \frametitle{Advanced Usage}%
  \framesubtitle{X Forwarding}%
\begin{verbatim}
ssh -X host
\end{verbatim}
  \par
  Log in to \textit{host} and ``forward'' X11 connections back to the local X server.
  \par%
  A ``fake'' \$DISPLAY and \texttt{xauth} environment are created, and the X11 data is passed back over the same SSH connection.
\end{frame}

\begin{frame}[fragile]
  \frametitle{Advanced Usage}%
  \framesubtitle{X Forwarding \textit{ctd\ldots}}%
  \begin{itemize}
  \item Forwarding X over SSH is secure and easy, but slower than not doing it.
  \item On a local LAN, the encryption is probably unnecessary---use normal X methods such as \texttt{rstart} instead (\texttt{rstart} can use \texttt{ssh} for authentication anyway).
  \item Specialised X11 caching methods (e.g.\ LBX) can get better performance than \texttt{ssh} compression over slow links.
  \item There are concerns over connecting to a hostile remote machine and forwarding X back again, so do not forward X by default. A hostile remote host can use the forwarded connection to send damaging X requests back down the link to your X server (i.e.\ your screen and keyboard).
\end{itemize}
\end{frame}

\subsection{Port Forwarding}
\label{sec:port-forwarding}
\begin{frame}[fragile]
  \frametitle{Advanced Usage}%
  \framesubtitle{Port Forwarding}%
  Arbitrary ports can also be forwarded over the SSH connection, to add security to other protocols (or bypass poor firewall policies\dots)
  \par%
\begin{verbatim}
# .fetchmailrc example
poll localhost protocol pop3 port 11110: preconnect "ssh -C -f user@host.com \
  -L 11110:host.com:110 sleep 10"
\end{verbatim}
\end{frame}

\section{Authenticating with User Keys}
\label{sec:authenticating-with-user-keys}
\begin{frame}[fragile]
  \frametitle{Advanced Usage}%
  \framesubtitle{SSH Keys}%
  \begin{itemize}
  \item Public-key authentication: a more secure alternative to password login.
  \item Generate a public/private ``key pair'' with \texttt{ssh-keygen}.
  \item \textbf{Keep the private key secret}.
  \item Append the public key to \url{~/.ssh/authorized_keys} on the remote host to allow access.
    \par%
    \cmd{cat identity.pub >> $\sim$/.ssh/authorized\_keys}
  \item More powerful automation (scripting) possibilities.
  \end{itemize}
\end{frame}

\subsection{ssh-agent}
\label{sec:ssh-agent}
\begin{frame}[fragile]
  \frametitle{Advanced Usage}%
  \framesubtitle{SSH Authentication Agent}%
  \begin{itemize}
  \item \texttt{ssh-agent} allows key information to be ``forwarded'' between its child processes---even across nested \texttt{ssh} sessions.
  \item Start \texttt{ssh-agent} in your X session or login scripts, and run \texttt{ssh-add} to add keys.
  \item \texttt{ssh-askpass} is (basically) an X11 version of \texttt{ssh-add}.
  \end{itemize}
\end{frame}

\section{SSH from Windows}
\label{sec:ssh-from-windows}
\begin{frame}[fragile]
  \frametitle{Advanced Usage}%
  \framesubtitle{SSH from win32}%
  \begin{description}
  \item[PuTTY] Also includes \texttt{pscp.exe}, a command-line \texttt{scp} clone.
    \par%
    {\mode{\small} \url{http://www.chiark.greenend.org.uk/~sgtatham/putty/}}
  \item[WinSCP] Graphical SCP client.
\par
    \url{http://winscp.vse.cz/eng}
  \end{description}
\end{frame}

\section{Other frontends}
\label{sec:other-frontends}
\begin{frame}[fragile]
  \frametitle{Advanced Usage}%
  \framesubtitle{Other ``frontends''}%
  \begin{description}
  \item[KDE kio\_fish] Provides \url{ssh://} paths in Konqueror.
  \item[tramp.el] Transparent access to remote files for Emacs.
  \item[rsh-compatible] Anything that can use \texttt{rsh} (e.g.\ CVS)
  \end{description}
\end{frame}

\mode {%
  \begin{frame}
    \frametitle{Topics Covered}
    %\footnotesize
    %\begin{multicols}{2}
    \tableofcontents[pausesections,pausesubsections]
    %\end{multicols}
    % You might wish to add the option [pausesections]
  \end{frame}
}

\section{License Of This Document}
\label{sec:license}
\begin{frame}
  \frametitle{License Of This Document}%
  \raggedright%
  Copyright \copyright\ 2005, 2003 Geoffrey Robertson and Nick Urbanik.
  \par
  Permission is granted to make and distribute verbatim copies or modified versions of this document provided that this copyright notice and this permission notice are preserved on all copies under the terms of the GNU General Public License as published by the Free Software Foundation---either version 2 of the License or (at your option) any later version.
\end{frame}
\end{document}