General Linux 2 - Set up secure shell (OpenSSH)
(Linux Professional Institute Certification)

Based on a talk by Gus Lees
Geoffrey Robertson, geoffrey@zip.com.au
$Id: gl2.113.7.slides.tex,v 1.4 2003/10/25 04:27:27 anguslees Exp $

Copyright (c) 2002 Geoffrey Robertson. Permission is granted to make and
distribute verbatim copies or modified versions of this document provided
that this copyright notice and this permission notice are preserved on all
copies under the terms of the GNU General Public License as published by the
Free Software Foundation, either version 2 of the License or (at your option)
any later version.

List of Slides

Networking Services
  2.113.1 Configure and manage inetd, xinetd, and related services
  2.113.2 Operate and perform basic configuration of sendmail
  2.113.3 Operate and perform basic configuration of Apache
  2.113.4 Properly manage the NFS, smb, and nmb daemons
  2.113.5 Setup and configure basic DNS services
  2.113.7 Set up Secure Shell (OpenSSH)

Set up Secure Shell (OpenSSH)
Objective
The candidate should be able to obtain and configure OpenSSH. This objective
includes basic OpenSSH installation and troubleshooting, as well as
configuring sshd to start at system boot.

Set up Secure Shell (OpenSSH)
Key files, terms, and utilities
  /etc/hosts.allow
  /etc/hosts.deny
  /etc/nologin
  /etc/ssh/sshd_config
  /etc/ssh_known_hosts
  /etc/sshrc
  sshd
  ssh-keygen

Set up Secure Shell (OpenSSH)
Resources of Interest
TBA

"Secure SHell"
A functional replacement of the ancient rsh command, except with encryption
and authentication.

Versions
Commercial SSH: Finnish company. Original authors of SSH.
OpenSSH: Split from the last free version of commercial SSH. Development led
by the OpenBSD team.
Draft "secsh" RFC.
Alternative implementations exist (PuTTY, Net::SSH::Perl, etc.)

Commands
  ssh                 Run a shell command on a remote host
  sshd                SSH server daemon
  scp                 Copy files using SSH
  sftp                An ftp-like interface into scp
  ssh-keygen          Generate an SSH key pair
  ssh-agent, ssh-add  SSH key forwarding

Commands
ssh
    ssh [options] host [command]
Run a shell command on a remote host. Acts like a normal shell command, i.e.
STDIN and STDOUT work as normal. Without a command, ssh runs an interactive
login.

Commands
scp
    scp user@host:path/file user2@host2:path/file2
Copy a file over ssh. user defaults to the current login, user@host may be
omitted for local files, and path is relative to $HOME.

Commands
sftp
    sftp user@host:path
ftp-like command line interface to scp. Only provided with more recent ssh
versions.

Advanced Usage
Remember that STDIN and STDOUT still work as normal (unlike telnet):
    ssh remote tar zcf - /remotepath > localfile.tar.gz

Advanced Usage
X Forwarding
    ssh -X host
Login to host and "forward" X11 connections back to the local X server. A
"fake" $DISPLAY and xauth environment are created, and the X11 data is passed
back over the same SSH connection.

Advanced Usage
X Forwarding ctd...
Forwarding X over SSH is secure and easy, but slower than not doing it. On a
local LAN the encryption is probably unnecessary; use normal X methods such as
rstart instead (rstart can use ssh for authentication anyway). Specialised X11
caching methods (e.g. LBX) can get better performance than ssh compression
over slow links.
There are concerns over connecting to a hostile remote machine and forwarding
X back again, so don't forward X by default. A hostile remote site may forward
damaging commands back down the link to your X server (i.e. your screen and
keyboard).

Advanced Usage
Port Forwarding
Arbitrary ports can also be forwarded over the SSH connection, to add security
to other protocols (or bypass poor firewall policies...)
    # .fetchmailrc example
    poll localhost protocol pop3 port 11110:
        preconnect "ssh -C -f user@host.com \
            -L 11110:host.com:110 sleep 10"

Advanced Usage
SSH Keys
Public key authentication. More secure alternative to password login.
Generate a public/private "key pair" with ssh-keygen. Keep the private key
secret. Append the public key into your (remote) ~/.ssh/authorized_keys to
allow access.
    $ cat identity.pub >> ~/.ssh/authorized_keys
More powerful automation (scripting) possibilities.

Advanced Usage
SSH Authentication Agent
ssh-agent allows key information to be "forwarded" between its child
processes, even across nested ssh sessions. Start ssh-agent in your X session
or login scripts, and run ssh-add to add keys. ssh-askpass is (basically) an
X11 version of ssh-add.

Advanced Usage
SSH from win32
PuTTY: Includes a command line "pscp.exe" scp clone too.
http://www.chiark.greenend.org.uk/~sgtatham/putty/
WinSCP: Graphical SCP client.
http://winscp.vse.cz/eng

Advanced Usage
Other "frontends"
KDE kio fish: Provides ssh:// Konqueror paths.
tramp.el: Transparent access to remote files for emacs.
rsh-compatible: Anything that can use rsh (e.g. CVS)

The End
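The slides list /etc/ssh/sshd_config among the key files and warn that X forwarding should be off by default and that port forwarding can bypass firewall policy. The server-side switches for both live in sshd_config. As an added example, not part of the original slides and not OpenSSH's own code, the script below reads those switches out of an sshd_config the way a defender would audit a host before enabling sshd at boot. The keywords X11Forwarding, AllowTcpForwarding and GatewayPorts and their defaults are those documented in sshd_config(5); the configuration text inside the script is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the LPI slides: audit an sshd_config for the
# forwarding features the slides warn about. Keyword names and defaults are
# those of sshd_config(5); the config at the bottom is constructed.

# Print the effective value of keyword $2 in file $1, or $3 if it is absent.
# sshd uses the first value it obtains for a keyword, so a later duplicate is
# ignored; anything after a Match line only applies conditionally and is not
# considered here. Keywords are case-insensitive and "Key=value" is allowed.
effective_setting() {
    file=$1
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    default=$3
    value=$(awk -v key="$key" '
        { sub(/^[ \t]+/, ""); sub(/[ \t]*=[ \t]*/, " ") }   # trim, normalise "="
        /^#/ || NF == 0 { next }                             # comment or blank
        tolower($1) == "match" { exit }                      # conditional block
        tolower($1) == key { print $2; exit }                # first value wins
    ' "$file")
    printf '%s\n' "${value:-$default}"
}

# Report permissive forwarding settings in file $1; return 1 if any are found.
# Defaults per sshd_config(5): X11Forwarding no, AllowTcpForwarding yes,
# GatewayPorts no, so an absent AllowTcpForwarding line is still reported.
audit_forwarding() {
    file=$1
    problems=0
    x11=$(effective_setting "$file" X11Forwarding no)
    tcp=$(effective_setting "$file" AllowTcpForwarding yes)
    gw=$(effective_setting "$file" GatewayPorts no)
    if [ "$x11" != no ]; then
        echo "X11Forwarding $x11: users logging in with ssh -X expose their X server to this host"
        problems=$((problems + 1))
    fi
    if [ "$tcp" != no ]; then
        echo "AllowTcpForwarding $tcp: any shell user can tunnel arbitrary TCP through this host"
        problems=$((problems + 1))
    fi
    if [ "$gw" != no ]; then
        echo "GatewayPorts $gw: remote forwards bind to all interfaces, not just loopback"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Demonstration on a constructed config (not a real host's file). The second
# AllowTcpForwarding line is deliberately ignored: the first value wins, and
# the one inside the Match block applies only to user "backup".
tmpdir=$(mktemp -d)
cat > "$tmpdir/sshd_config" <<'EOF'
# constructed sample
Port 22
X11Forwarding yes
AllowTcpForwarding yes
AllowTcpForwarding no
GatewayPorts=yes
Match User backup
    AllowTcpForwarding no
EOF
if audit_forwarding "$tmpdir/sshd_config"; then
    echo "no permissive forwarding settings"
else
    echo "permissive forwarding settings found (see above)"
fi
rm -rf "$tmpdir"
```

Point it at /etc/ssh/sshd_config on a host you administer; for a running daemon, `sshd -T` prints the fully resolved configuration (including Match handling) and is the better source to feed in.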
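The "SSH Keys" slide installs a key with `cat identity.pub >> ~/.ssh/authorized_keys`. The commonest reason that then fails silently is permissions: sshd with StrictModes (its default) ignores an authorized_keys file when the home directory, the .ssh directory or the file itself is writable by the group or the world. As an added example, not from the original slides, the script below wraps the slide's one-liner with that permission handling and adds a check that names the problem. generate_keypair calls the real ssh-keygen(1) and assumes a modern OpenSSH (ed25519 keys; the 2003 slides would have used identity/RSA1); the key line used in the demonstration is constructed, not a real key.

```shell
#!/bin/sh
# Added example, not from the LPI slides: install a public key the way the
# slide's `cat identity.pub >> ~/.ssh/authorized_keys` does, but with the
# permission layout sshd's StrictModes requires, plus a check that explains
# why a key "does not work". The demo key line at the bottom is constructed.

# Generate an ed25519 key pair with an empty passphrase (for unattended
# scripting, as the slide mentions) in directory $1 and print the public key.
# Assumes a modern ssh-keygen(1) is installed.
generate_keypair() {
    ssh-keygen -q -t ed25519 -N '' -C 'automation key' -f "$1/id_ed25519" &&
        cat "$1/id_ed25519.pub"
}

# Append public key line $2 to $1/.ssh/authorized_keys, once only, with
# owner-only permissions. Runs in a subshell so the umask change stays local.
install_authorized_key() (
    home=$1
    keyline=$2
    umask 077                      # files created below are owner-only
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    if ! grep -qxF -- "$keyline" "$home/.ssh/authorized_keys" 2>/dev/null; then
        printf '%s\n' "$keyline" >> "$home/.ssh/authorized_keys"
    fi
    chmod 600 "$home/.ssh/authorized_keys"
)

# Number of key lines (non-blank, non-comment) installed under home $1.
count_authorized_keys() {
    if [ -f "$1/.ssh/authorized_keys" ]; then
        grep -c '^[^#[:space:]]' "$1/.ssh/authorized_keys" || true
    else
        echo 0
    fi
}

# Octal mode of a path; GNU stat first, BSD/macOS stat as fallback.
mode_of() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Return 0 if sshd (StrictModes yes) would accept $1/.ssh/authorized_keys,
# otherwise print the first problem and return 1. The group/other write bits
# are the last two octal digits; 2, 3, 6 and 7 all include "write".
check_authorized_keys() {
    home=$1
    for path in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$path" ] || { echo "missing: $path"; return 1; }
        case $(mode_of "$path") in
            *[2367][0-7]|*[2367])
                echo "group/world writable (mode $(mode_of "$path")): $path"
                return 1 ;;
        esac
    done
    echo "authorized_keys layout OK under $home"
}

# Demonstration against a throwaway "home" directory; no real account is touched.
demo_home=$(mktemp -d)
constructed_key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEkeyNOTaREALkey0000000000000000000 demo@example.invalid'
install_authorized_key "$demo_home" "$constructed_key"
install_authorized_key "$demo_home" "$constructed_key"   # second run adds nothing
echo "keys installed: $(count_authorized_keys "$demo_home")"   # 1
check_authorized_keys "$demo_home"
chmod 770 "$demo_home/.ssh"                                    # a common mistake
check_authorized_keys "$demo_home" || true                     # now rejected
rm -rf "$demo_home"
```

On a real account the first argument is the user's home directory; sshd also requires the directory and file to be owned by that user, which this check does not cover, so run it as the user in question.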