CT320

CT320: Network and System Administration

Fall 2017

Secure Shell

See this page as a slide show

Secure Shell

Overview

  1. The Before Times
  2. Compatibility
  3. ssh & scp
  4. The ~/.ssh Directory
  5. System Configuration
  6. Asymmetric Encryption
  7. Generating a Key Pair
  8. Port Forwarding

The Before Times

These protocols were in common use, back in the day:

ftp, rcp
Copy files between hosts
telnet, rlogin
Log in remotely
rsh
Execute a remote command

They transmit information (including passwords!) in plain text over the internet. Ack! Don’t use them. Disable (chmod a-x) ftpd, rlogind, and rshd, or uninstall the packages.

Compatibility

Some systems, such as Ubuntu 15.10, provide symlinks for backward compatibility:

    % type rlogin
    rlogin is /usr/bin/rlogin

    % ls -log /usr/bin/rlogin
    lrwxrwxrwx 1 24 Nov 21 21:09 /usr/bin/rlogin -> /etc/alternatives/rlogin

    % ls -log /etc/alternatives/rlogin
    lrwxrwxrwx 1 15 Nov 21 21:09 /etc/alternatives/rlogin -> /usr/bin/slogin

    % ls -log /usr/bin/slogin
    lrwxrwxrwx 1  3 Nov 21 21:09 /usr/bin/slogin -> ssh

That’s adorable. Just avoid them.

Clients

ssh & scp

Use of ssh

Execute a remote command:

    ssh applin@denver.cs.colostate.edu id

Start a interactive remote session:

    ssh applin@denver.cs.colostate.edu

Quoting

What’s the difference between these two commands?

    ssh applin@denver cat a*b

    ssh applin@denver "cat a*b"

How about these?

    ssh applin@denver date; pwd

    ssh applin@denver "date; pwd"

Use of scp

As does cp, scp supports using a directory as a destination, or renaming the file.

    scp alpha denver:
    scp beta applin@denver:
    scp gamma applin@denver:delta
    scp epsilon applin@denver:/tmp
    scp zeta applin@denver:/tmp/iota

Either the source, the destination, both, or neither can be a remote system:

    scp denver:kappa lambda
    scp denver:omicron lansing:pi
    scp sigma tau

scp also supports the -p and -r options from cp.

The ~/.ssh Directory

~/.ssh/authorized_keys

~/.ssh/known_hosts

~/.ssh/known_hosts contains the host keys for the hosts that we’ve connected to previously. If anybody tries to impersonate a host, they won’t have the same host key.

~/.ssh/config

See the ssh_config man page for tons more information.

Sample ~/.ssh/config

    # Share the control circuit for multiple connections:
    ControlMaster auto

    # Put the control circuit socket in MY directory, for safety:
    ControlPath ~/tmp/ssh·mux·%h·%p·%r

    # Keep the control circuit for a while after we stop using it:
    ControlPersist 10m

    # Global options:
    Host *
        Compression yes
        ForwardX11 yes
        Protocol 2

    # Jack’s office at CSU:
    Host applin Applin csu CSU
        User applin
        HostName Greybull.CS.ColoState.Edu

System Configuration

/etc/ssh/sshd_config can make things more difficult for miscreants:

    # Permit only certain users:
    AllowUsers cindy belle aurora snow

    # Don’t allow root login via ssh.  One can use sudo, however:
    PermitRootLogin no

    # Empty password?  You can’t use ssh, then:
    PermitEmptyPasswords no

    # Don’t allow password authentication at all:
    PasswordAuthentication no

    # Don’t permit obsolete ssh protocol 1:
    Protocol 2

    # Everybody expects port 22, therefore:
    Port 13579

~/.ssh/id_*

Asymmetric Encryption

Generating a Key Pair

To generate a public/private key pair:

    ssh-keygen -t ed25519 -C "Jack’s CSU Macbook"

This will create an ed25519 keypair in ~/.ssh/id_ed25519 and ~/.ssh/id_ed25519.pub.

If you’re using older software, you may have to resort to RSA keys. Make sure that they have a sufficiently long key.

    ssh-keygen -b 4096 -t RSA -C "Jack’s home desktop"

Ed25519 is recommended as having better security, but requires up-to-date servers & clients. I use ed25519 for all my keys.

Passphrase

Port Forwarding

Consider the following problem:

Port forwarding is your solution!

Port Forwarding

    ssh -f -N -Llocal-port:host:host-port user@remote-host

Port Forwarding Example

    % wget -q -O- http://icanhazip.com/
    203.0.113.123

    % wget -q -O- http://localhost:12345/

    % wget -O- http://localhost:12345/
    --2024-12-23 08:00:37 --  http://localhost:12345/
    Resolving localhost (localhost)... 127.0.0.1
    Connecting to localhost (localhost)|127.0.0.1|:12345... failed: Connection refused.

    % ssh -f -N -L12345:icanhazip.com:80 applin@denver.cs.colostate.edu

    % wget -q -O- http://localhost:12345/
    129.82.44.141

    % host 129.82.44.141
    205.46.82.129.in-addr.arpa domain name pointer denver.cs.colostate.edu.

Cryptography ain’t Everything

Modified: 2017-12-04T20:59

User: Guest

Check: HTML CSS
Edit History Source
Apply to CSU | Contact CSU | Disclaimer | Equal Opportunity
Colorado State University, Fort Collins, CO 80523 USA
© 2015 Colorado State University
CS Building