SSH

SSH provides strong authentication and secure communications over insecure channels. By encrypting everything sent and received it protects the user from illicit network snooping ("packet sniffing"), and by checking the server's host key against ~/.ssh/known_hosts (hence the fingerprint prompt the first time you connect to a new host) it also detects a server being impersonated. It is intended as a replacement for telnet, ftp, and the rcp/rsh/remsh programs, all of which send log-in names and passwords (and everything else) as clear text.

OpenSSH

Package includes:

Everyday uses

Remote Login
Sullivan3:[~] ssh peter@pacshop.dca.net
peter@pacshop.dca.net's password: 
Last login: Mon Aug  8 13:33:58 2005 from flyrail.pacshop.dca.net

This is a private computer system.  Unauthorized access is pro-
hibited.  Information here is proprietary and confidential.  Your
identifying information and activities are being logged.  Viola-
tors will be prosecuted.

twofer: [~]

File Transfer

Sullivan3:[~] scp test.mpg peter@pacshop.dca.net:
peter@pacshop.dca.net's password: 
test.mpg                                        4%  144KB  67.4KB/s   00:43 ETA

Sullivan3:[~] scp peter@pacshop.dca.net:test.pl bin/
peter@pacshop.dca.net's password: 
test.pl                                       100%  968     1.0KB/s   00:00    

Remote X

Sullivan3:[~] ssh peter@pacshop.dca.net
peter@pacshop.dca.net's password: 
Last login: Tue Aug  9 00:06:08 2005 from pool-71-242-52-203.phlapa.east.verizon.net

twofer: [~] firefox 

The remote firefox appears on the local display only if the server has X11Forwarding yes in sshd_config (see Configuration below) and the client asked for forwarding, either with ssh -X or with ForwardX11 yes in ~/.ssh/config. Forwarding lets programs on the remote host read from and inject input into your local X display, so enable it only toward hosts you trust.

Fun Tricks

Copy a whole directory tree through an ssh pipe, with no intermediate archive on disk:

tar cf - /home | ssh newbox 'tar xf -'

tar strips the leading "/" from member names when it creates the archive, so this unpacks into ./home under the login directory on newbox. To recreate /home in place, extract as root from the filesystem root:

tar cf - /home | ssh root@newbox '(cd /; tar xf -)'
(a variant on the same theme)

Only root preserves file ownership on extraction, and the receiver trusts whatever member names arrive in the stream, so use the root variant only between hosts you control.
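The same pipeline as a reusable script, added here as an example that is not from the original page. It assumes a POSIX sh and a tar that understands -C and -p (GNU tar and bsdtar both do). The receiving command is a parameter, so the pipeline can be exercised locally with sh -c before it is pointed at ssh root@newbox; the host name and paths are illustrative. Archiving a relative name from the parent directory, rather than /home itself, means the receiver's -C decides where the tree lands, and the checksum pass confirms nothing was lost or altered in transit.

```shell
#!/bin/sh
# Added example, not from the original page. The trailing arguments of each
# function are the command that runs the receiving side: "ssh root@newbox"
# in real use, or "sh -c" to exercise the pipeline locally.

# copy_tree SRC_DIR DEST_DIR RUNNER...
#   Streams SRC_DIR through tar to RUNNER and unpacks it under DEST_DIR.
#   The archive is built from the parent directory with a relative member
#   name, so the destination is chosen by -C on the receiving side, not by
#   a leading "/" in the stream. -p keeps modes; ownership is restored only
#   when the receiver runs as root.
copy_tree() {
    src=$1; dest=$2; shift 2
    tar -C "$(dirname "$src")" -cf - "$(basename "$src")" \
        | "$@" "mkdir -p '$dest' && tar -C '$dest' -xpf -"
}

# tree_sums ROOT RUNNER...
#   One "crc size ./path" line per regular file under ROOT, sorted by path.
#   POSIX cksum and a fixed locale for sort, so any remote sh produces a
#   listing that lines up with the local one.
tree_sums() {
    root=$1; shift
    "$@" "cd '$root' && find . -type f -exec cksum {} + | LC_ALL=C sort -k 3"
}

# verify_tree SRC_DIR DEST_TREE RUNNER...
#   Compares the local listing of SRC_DIR with the receiver's listing of
#   DEST_TREE; exit status 0 means every file matches.
verify_tree() {
    src=$1; dest=$2; shift 2
    [ "$(tree_sums "$src" sh -c)" = "$(tree_sums "$dest" "$@")" ]
}
```

copy_tree /home / ssh root@newbox reproduces the root variant above, and verify_tree /home /home ssh root@newbox then checks the result file by file.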

Configuration

Self-documenting text files: /etc/ssh/sshd_config for the server (sshd) and /etc/ssh/ssh_config (system-wide) or ~/.ssh/config (per user) for the client; every directive is described in man sshd_config and man ssh_config. The Remote X example above depends on this line in sshd_config:
.
.
X11Forwarding yes
.
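A small check over an sshd_config, added here as an example that is not from the original page. It flags the settings most worth turning off on a host that faces untrusted networks (SSH-1, root password login, password authentication, empty passwords, and the X11Forwarding yes shown above) and accepts either the config file itself or the output of sshd -T, which prints the effective configuration with lowercase keys. The sample configuration in sample_config is constructed for illustration, with the hardened value noted beside each weak one.

```shell
#!/bin/sh
# Added example, not from the original page.
# audit_sshd_config FILE
#   Prints one finding per risky directive in FILE. Keys are compared
#   case-insensitively, as sshd does, so "sshd -T" output works too.
#   Directives after the first "Match" line are skipped because they apply
#   only conditionally. Runs in a subshell so "set -f" stays local.
audit_sshd_config() (
    file=$1
    set -f                          # no globbing while splitting words
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}            # drop comments
        set -- $line                # $1 = key, $2 = first value
        [ $# -ge 2 ] || continue
        key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
        val=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
        case $key in
            match) break ;;
            protocol)
                case $val in
                    *1*) echo "Protocol $2: SSH-1 is broken, use 2" ;;
                esac ;;
            permitrootlogin)
                [ "$val" = yes ] && echo "PermitRootLogin yes: use prohibit-password or no" ;;
            passwordauthentication)
                [ "$val" = yes ] && echo "PasswordAuthentication yes: allow public keys only" ;;
            permitemptypasswords)
                [ "$val" = yes ] && echo "PermitEmptyPasswords yes: must be no" ;;
            x11forwarding)
                [ "$val" = yes ] && echo "X11Forwarding yes: remote host gets access to the local display" ;;
        esac
    done < "$file"
    true
)

# sample_config
#   Constructed sshd_config excerpt; the comment on each weak line gives the
#   hardened value. The Match block at the end is ignored by the audit.
sample_config() {
    cat <<'EOF'
# constructed sshd_config excerpt (not a real host's file)
Protocol 2,1                # hardened: Protocol 2
PermitRootLogin yes         # hardened: PermitRootLogin prohibit-password
PasswordAuthentication yes  # hardened: PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding yes           # hardened: X11Forwarding no
Match User backup
    PasswordAuthentication yes
EOF
}

# usage: sample_config > /tmp/sshd_config.sample; audit_sshd_config /tmp/sshd_config.sample
```

On a live host, sshd -T | audit_sshd_config /dev/stdin checks the configuration sshd actually runs with, including compiled-in defaults that the file never mentions.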

Create sshd keys

Many Linux distros do this during the OpenSSH install. It was needed on a Knoppix Live session.

Run these commands to create the host key pairs (you could also do this on bootup). Change the comment used in the -C option to your desired comment. The empty passphrase (-N "") is required, because sshd has to load the host keys unattended.

ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N "" -C "mycomment"
ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N "" -C "mycomment"
ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N "" -C "mycomment"

Caveat: the rsa1 key serves SSH protocol 1, which is cryptographically broken and was removed from OpenSSH in 7.6 (the first command fails on current releases), and DSA host keys have been disabled by default since OpenSSH 7.0. On a current system generate an ed25519 key (and an rsa key for old clients) instead, or run ssh-keygen -A, which creates every missing host key type in /etc/ssh in one step.
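The same job on a current OpenSSH, as an added example that is not from the original page. It creates only the key types that are still missing, never overwriting an existing host key (that would make every client's known_hosts entry for the host mismatch), and prints each key's fingerprint so it can be published out of band for users to compare at their first connection. The key directory and the comment are parameters; on a real host the directory is /etc/ssh, and the function needs ssh-keygen on the path.

```shell
#!/bin/sh
# Added example, not from the original page.
# ensure_host_keys KEYDIR TYPE...
#   For each TYPE (e.g. ed25519 rsa) create KEYDIR/ssh_host_TYPE_key if it
#   does not exist, with an empty passphrase because sshd loads host keys
#   unattended, then print the key's fingerprint. rsa1 is not offered:
#   current ssh-keygen no longer generates SSH-1 keys. KEYDIR is /etc/ssh
#   on a real host; any writable directory works for a dry run.
ensure_host_keys() {
    keydir=$1; shift
    for t in "$@"; do
        key=$keydir/ssh_host_${t}_key
        if [ ! -f "$key" ]; then
            ssh-keygen -q -t "$t" -f "$key" -N "" -C "host key $(uname -n)" </dev/null
            chmod 600 "$key"            # private half: owner only
            chmod 644 "$key.pub"        # public half: safe to publish
        fi
        # prints "bits SHA256:... comment (TYPE)"; this is the value users
        # compare against the prompt on their first connection
        ssh-keygen -l -f "$key.pub"
    done
}

# usage: ensure_host_keys /etc/ssh ed25519 rsa
```

ssh-keygen -A does the same for every default type under /etc/ssh; the function above is the explicit version, useful when you want to choose the types and capture the fingerprints for distribution.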

Windows Clients

Peter's Readme

From: baron@cattell.psych.upenn.edu (Jonathan Baron)
Newsgroups: upenn.linux
Subject: Re: ssh connections without typing a password
Date: 14 May 2001 17:47:22 GMT

The first thing you do is this:

ssh-keygen -x  (note the lowercase -x, that was my mistake in the last
message).

It will ask you for the file to use - usually that should be just the
default (.ssh/identity).

This did not work, because .ssh/identity was not the right kind of
file.  So I had to say

ssh-keygen -t dsa

first.  This generated a file called .ssh/id_dsa which was the one
that had to be used in place of .ssh/identity.  (In my case, I could
not replace the latter since I needed it for other connections.)

Type your passphrase if you have one.  And the trick here is to leave
this blank, if you want to connect without one.

Now you should have gotten something on standard output that looks
like this:

---- BEGIN SSH2 PUBLIC KEY ----
Comment: "1024-bit DSA, converted from OpenSSH by
cvogler@alster.upenn.edu"
<base64-encoded key>
---- END SSH2 PUBLIC KEY ----

Copy and paste this into a file. I call it "alster.pub" after the name
of my own computer. Or just redirect ssh-keygen's standard output to
that file.

Copy this file to the .ssh2 directory on the remote host and make
sure that both this file and the .ssh2 directory are world-readable.

As an example, and hopefully to clarify things, here are the contents
of my .ssh2 directory on gradient and graphics.

drwxr-xr-x   3 cvogler       512 Oct  5  2000 ./
drwxr-xr-x  20 cvogler      4096 May 13 13:38 ../
-rw-r--r--   1 cvogler       727 Oct  5  2000 alster.pub
-rw-r--r--   1 cvogler        15 Oct  5  2000 authorization
drwx------   2 cvogler       512 Oct  5  2000 hostkeys/
-rw-------   1 cvogler       512 Oct 10  2000 random_seed

So, now create the file "authorization" with world-readable
permissions.  Into this file, put the following contents:

--- snip ---
Key alster.pub
--- snip ---

(Adjust "alster.pub" according to what name you use.)

Finally, one word of warning. Only use DSA authentication if your
client operating system has a very good random number
generator. According to what I've heard, DSA authentication has a flaw
in that a bad random number generator can compromise your private
key. Linux should be fine in that regard, but I'd be leery of using it
on Windows.

From: cvogler@gradient.cis.upenn.edu (Christian Vogler)
Newsgroups: upenn.linux
Subject: Re: ssh connections without typing a password
Date: 14 May 2001 18:21:24 GMT

Jonathan Baron (baron@cattell.psych.upenn.edu) wrote:       
: Christian Vogler's suggestion worked, but it required one change,   
: so I reprint the whole thing (removing the >'s so that I am         
: allowed to post it)
:  Glad I could help. I have one comment:  
: Type your passphrase if you have one. 
: And the trick here is to leave this blank, if you want to connect   
: without one.

I don't really recommend that, even if you absolutely trust your
client. If anyone ever gets access to your private key file(s), all
your accounts will be compromised. Nasty. The passphrase is there to
prevent this thing from happening.

Now, typing the passphrase every time you connect is annoying. But
there is a solution: You can set up ssh such that you have to type
the passphrase only once when you log in. This is what ssh-agent is
for. It runs a process that manages the private keys for you. ssh
will check if ssh-agent is running and defer private key authentication
to it if applicable.

Check man ssh-agent, man ssh-askpass, and man ssh-add for
details. This approach combines the best of both worlds (security and
convenience).

- Christian
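What the two posts above describe, done the OpenSSH way; this is an added example and not part of either post. The posts target the ssh.com SSH2 server, which reads ~/.ssh2/authorization naming a .pub file. OpenSSH instead reads ~/.ssh/authorized_keys, one public key per line, and with StrictModes (the default) refuses the file when it or ~/.ssh is group- or world-writable, so the 700/600 modes below are what sshd expects rather than the world-readable layout in the first post. The key options restrict (disables port, agent and X11 forwarding and pty allocation) and from= are real OpenSSH authorized_keys options; the home directory, the file names and the sample key are assumptions for illustration, and with_agent needs ssh-agent and ssh-add on the client.

```shell
#!/bin/sh
# Added example, not from the original page or the posts above.
# install_authorized_key PUBKEY_FILE HOME_DIR [OPTIONS]
#   Appends the key in PUBKEY_FILE to HOME_DIR/.ssh/authorized_keys once,
#   prefixed with OPTIONS (e.g. 'restrict,from="192.0.2.0/24"'), and sets
#   the modes sshd's StrictModes requires. HOME_DIR is a parameter so the
#   function can be run against a scratch directory; on a real host it is
#   the user's home.
install_authorized_key() {
    pub=$1; home=$2; opts=${3:-}
    sshdir=$home/.ssh
    auth=$sshdir/authorized_keys
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    touch "$auth" && chmod 600 "$auth"
    # keep "type base64" from the first key line; the comment is cosmetic
    # and the options, if any, come from the caller
    key=$(awk 'NF >= 2 && $1 ~ /^(ssh-|ecdsa-|sk-)/ { print $1, $2; exit }' "$pub")
    [ -n "$key" ] || { echo "no public key found in $pub" >&2; return 1; }
    if ! grep -qF -- "$key" "$auth"; then
        if [ -n "$opts" ]; then
            printf '%s %s\n' "$opts" "$key" >> "$auth"
        else
            printf '%s\n' "$key" >> "$auth"
        fi
    fi
}

# key_perms_ok HOME_DIR
#   Returns 0 when ~/.ssh and authorized_keys exist and are neither group-
#   nor world-writable (columns 6 and 9 of "ls -l"), which is what sshd
#   checks under StrictModes before it trusts the file.
key_perms_ok() {
    sshdir=$1/.ssh
    for p in "$sshdir" "$sshdir/authorized_keys"; do
        [ -e "$p" ] || return 1
        [ "$(ls -ld "$p" | cut -c6,9)" = "--" ] || return 1
    done
    return 0
}

# with_agent PRIVATE_KEY COMMAND...
#   The workflow the second post recommends: keep a passphrase on the key,
#   load it into a temporary ssh-agent once (ssh-add prompts for the
#   passphrase), run COMMAND while the agent is available, then kill the
#   agent so the decrypted key does not outlive the session.
with_agent() {
    key=$1; shift
    eval "$(ssh-agent -s)" >/dev/null   # exports SSH_AUTH_SOCK, SSH_AGENT_PID
    ssh-add "$key" && "$@"
    status=$?
    ssh-agent -k >/dev/null
    return "$status"
}

# usage: install_authorized_key ~/.ssh/id_ed25519.pub /home/peter 'restrict,from="192.0.2.0/24"'
#        with_agent ~/.ssh/id_ed25519 ssh peter@pacshop.dca.net
```

A key installed with restrict can only open a shell without forwarding; add back what a particular key needs (for example restrict,port-forwarding) rather than starting from an unrestricted line.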