CT320: Network and System Administration

Fall 2015

Secure Shell

Overview

  1. The Before Times
  2. Compatibility
  3. ssh & scp
  4. The ~/.ssh Directory
  5. System Configuration
  6. Asymmetric Encryption
  7. Generating a Key Pair
  8. Port Forwarding

The Before Times

These protocols were in common use, back in the day:

ftp, rcp: copy files between hosts
telnet, rlogin: log in remotely
rsh: execute a remote command

They transmit information in plain text (unencrypted) over the internet. This is bad. Don’t use them. Disable ftpd, rlogind, and rshd, or uninstall the packages.

Compatibility

Some systems, such as Ubuntu 15.10, provide symlinks for backward compatibility:

    % type rlogin
    rlogin is /usr/bin/rlogin

    % ls -log /usr/bin/rlogin
    lrwxrwxrwx 1 24 Nov 21 21:09 /usr/bin/rlogin -> /etc/alternatives/rlogin

    % ls -log /etc/alternatives/rlogin
    lrwxrwxrwx 1 15 Nov 21 21:09 /etc/alternatives/rlogin -> /usr/bin/slogin

    % ls -log /usr/bin/slogin 
    lrwxrwxrwx 1  3 Nov 21 21:09 /usr/bin/slogin -> ssh

ssh & scp

Use of ssh

Execute a remote command:

    ssh applin@denver.cs.colostate.edu id

Start an interactive remote session:

    ssh applin@denver.cs.colostate.edu

Quoting

What’s the difference between these two commands?

    ssh applin@denver cat a*b

    ssh applin@denver "cat a*b"

How about these?

    ssh applin@denver date; pwd

    ssh applin@denver "date; pwd"

Use of scp

Like cp, scp accepts either a directory as the destination or a new name for the copied file:

    scp alpha denver:
    scp beta applin@denver:
    scp gamma applin@denver:delta
    scp epsilon applin@denver:/tmp
    scp zeta applin@denver:/tmp/iota

Either the source, the destination, both, or neither can be a remote system:

    scp denver:kappa lambda
    scp denver:omicron lansing:pi
    scp sigma tau

scp also supports the -p and -r options from cp.

The ~/.ssh Directory

~/.ssh/authorized_keys

~/.ssh/authorized_keys contains a list of authorized public keys. That is, it’s a list of “people” given permission to log in without a password, or to copy files to/from this account without a password.

~/.ssh/known_hosts

~/.ssh/known_hosts contains the host keys for the hosts that we’ve connected to previously. If anybody tries to impersonate a host, they won’t have the same host key.

~/.ssh/config

See the ssh_config man page for tons more information.

Sample ~/.ssh/config

    # Share the control circuit for multiple connections:
    ControlMaster auto

    # Put the control circuit socket in MY directory, for safety:
    ControlPath ~/tmp/ssh·mux·%h·%p·%r

    # Keep the control circuit for a while after we stop using it:
    ControlPersist 10m

    # Global options:
    Host *
        Compression yes
        ForwardX11 yes
        Protocol 2

    # Jack’s office at CSU:
    Host applin Applin csu CSU
        User applin
        HostName Greybull.CS.ColoState.Edu

System Configuration

/etc/ssh/sshd_config can make things more difficult for miscreants:

    # Permit only certain users:
    AllowUsers cindy belle aurora snow

    # Don’t allow root login via ssh.  One can use sudo, however:
    PermitRootLogin no

    # Empty password?  You can’t use ssh, then:
    PermitEmptyPasswords no

    # Don’t allow password authentication at all:
    PasswordAuthentication no

    # Don’t permit obsolete ssh protocol 1:
    Protocol 2

    # Everybody expects port 22, therefore:
    Port 13579
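An added check, not part of the original slides: a shell audit that reads an sshd_config the way sshd does (the first occurrence of a keyword wins, keywords are case-insensitive, settings under a Match block apply only conditionally) and confirms the four hardening settings above are in effect. The function names are mine, and the sample config it audits is constructed here, not a real server's file.

```shell
# Effective value of a top-level sshd_config keyword. sshd keeps the FIRST
# occurrence of a keyword and matches keywords case-insensitively; settings
# under a Match block apply only conditionally, so those lines are skipped.
sshd_effective() {   # usage: sshd_effective <config-file> <keyword>
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0  { next }             # comment or blank line
        tolower($1) == "match" { in_match = 1; next }
        in_match               { next }
        tolower($1) == key     { print $2; exit }   # first occurrence wins
    ' "$1"
}

# Check one keyword against the expected value: prints a verdict line and
# returns 0 on pass, 1 on fail. An unset keyword fails too, since the audit
# wants each hardening setting stated explicitly rather than left to defaults.
sshd_expect() {   # usage: sshd_expect <config-file> <keyword> <expected>
    actual=$(sshd_effective "$1" "$2" | tr 'A-Z' 'a-z')
    if [ "$actual" = "$(printf '%s' "$3" | tr 'A-Z' 'a-z')" ]; then
        printf 'PASS %-24s %s\n' "$2" "$actual"
    else
        printf 'FAIL %-24s expected %s, got %s\n' "$2" "$3" "${actual:-(unset)}"
        return 1
    fi
}

# Audit the four settings from the slide; the return value is the failure count.
sshd_audit() {   # usage: sshd_audit <config-file>
    fails=0
    for pair in PermitRootLogin=no PermitEmptyPasswords=no \
                PasswordAuthentication=no Protocol=2; do
        sshd_expect "$1" "${pair%%=*}" "${pair#*=}" || fails=$((fails + 1))
    done
    return "$fails"
}

# Constructed sample (not a real server's file): a weak config that also
# exercises the two parsing traps above, a duplicate keyword and a Match block.
WEAK_CFG=$(mktemp)
cat >"$WEAK_CFG" <<'EOF'
Port 13579
#PermitRootLogin no
permitrootlogin yes
PermitRootLogin no
PermitEmptyPasswords no
PasswordAuthentication yes
Protocol 2
Match Address 10.0.0.0/8
    PasswordAuthentication no
EOF
if sshd_audit "$WEAK_CFG"; then echo hardened; else echo "findings: $?"; fi
```

On the sample above the audit reports two findings, PermitRootLogin (the first, uncommented value is yes) and PasswordAuthentication (the no inside the Match block does not count globally).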

~/.ssh/id_*

Asymmetric Encryption

Generating a Key Pair

To generate a public/private key pair:

    ssh-keygen -b 4096 -t RSA -C "Jack’s home desktop"

This will create a 4096-bit RSA key pair in ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub. Other key types can be used, but RSA has the best combination of security and availability, as of 2015.

Ed25519 is recommended as having better security, but requires up-to-date servers & clients. I use ed25519 for my Linux laptops and CSU machines, but I can’t use it with PuTTY.

    ssh-keygen -t ed25519 -C "Jack’s CSU Macbook"

Passphrase

Port Forwarding

    ssh -f -N -Llocal-port:host:host-port user@remote-host

Port Forwarding Example

    % wget -q -O- http://icanhazip.com/
    203.0.113.123

    % wget -q -O- http://localhost:12345/

    % wget -O- http://localhost:12345/
    --2015-11-28 14:41:36--  http://localhost:12345/
    Resolving localhost (localhost)... 127.0.0.1
    Connecting to localhost (localhost)|127.0.0.1|:12345... failed: Connection refused.

    % ssh -f -N -L12345:icanhazip.com:80 applin@denver.cs.colostate.edu

    % wget -q -O- http://localhost:12345/
    129.82.46.205

    % host 129.82.46.205
    205.46.82.129.in-addr.arpa domain name pointer denver.cs.colostate.edu.

Cryptography ain’t Everything

Modified: 2015-12-11T22:34

Colorado State University, Fort Collins, CO 80523 USA
© 2015 Colorado State University