ssh
& scp
~/.ssh
Directory
These protocols were in common use, back in the day:
ftp
, rcp
telnet
, rlogin
rsh
They transmit information (including passwords!) in plain text over the
internet. Ack! Don’t use them. Disable (chmod a-x
)
ftpd
, rlogind
, and rshd
, or uninstall the packages.
Some systems, such as Ubuntu 15.10, provide symlinks for backward compatibility:
% type rlogin rlogin is /usr/bin/rlogin % ls -log /usr/bin/rlogin lrwxrwxrwx 1 24 Nov 21 21:09 /usr/bin/rlogin -> /etc/alternatives/rlogin % ls -log /etc/alternatives/rlogin lrwxrwxrwx 1 15 Nov 21 21:09 /etc/alternatives/rlogin -> /usr/bin/slogin % ls -log /usr/bin/slogin lrwxrwxrwx 1 3 Nov 21 21:09 /usr/bin/slogin -> ssh
That’s adorable. Just avoid them.
ssh
& scp
ssh
and scp
use the same encryption, configuration, etc.
scp
port or scp
daemon, just an ssh
port (22)
and an ssh
daemon (sshd
).
ssh
Execute a remote command:
ssh applin@denver.cs.colostate.edu id
Start a interactive remote session:
ssh applin@denver.cs.colostate.edu
@
is omitted, then the current username is used.
What’s the difference between these two commands?
ssh applin@denver cat a*b ssh applin@denver "cat a*b"
How about these?
ssh applin@denver date; pwd ssh applin@denver "date; pwd"
scp
As does cp
, scp
supports using a directory as a destination,
or renaming the file.
scp alpha denver: scp beta applin@denver: scp gamma applin@denver:delta scp epsilon applin@denver:/tmp scp zeta applin@denver:/tmp/iota
Either the source, the destination, both, or neither can be a remote system:
scp denver:kappa lambda scp denver:omicron lansing:pi scp sigma tau
scp
also supports the -p
and -r
options from cp
.
~/.ssh
Directory~/.ssh
directory contains a number of files, including:
authorized_keys
known_hosts
config
id_ed25519
id_ed25519.pub
id_rsa
id_rsa.pub
~/.ssh
directory is unreadable/unwritable/unexecutable
by anybody but me.
~/.ssh/authorized_keys
~/.ssh/authorized_keys
contains a list of authorized public keys.
~/.ssh/authorized_keys
file.
~/.ssh/known_hosts
~/.ssh/known_hosts
contains the host keys for the hosts
that we’ve connected to previously. If anybody tries to impersonate
a host, they won’t have the same host key.
~/.ssh/config
/etc/ssh/ssh_config
and ~/.ssh/config
contain configuration
information, including:
ControlMaster
ControlPath
ControlPersist
Compression
ForwardX11
Protocol
See the ssh_config man page for tons more information.
~/.ssh/config
# Share the control circuit for multiple connections: ControlMaster auto # Put the control circuit socket in MY directory, for safety: ControlPath ~/tmp/ssh·mux·%h·%p·%r # Keep the control circuit for a while after we stop using it: ControlPersist 10m # Global options: Host * Compression yes ForwardX11 yes Protocol 2 # Jack’s office at CSU: Host applin Applin csu CSU User applin HostName Greybull.CS.ColoState.Edu
/etc/ssh/sshd_config
can make things more difficult for miscreants:
# Permit only certain users: AllowUsers cindy belle aurora snow # Don’t allow root login via ssh. One can use sudo, however: PermitRootLogin no # Empty password? You can’t use ssh, then: PermitEmptyPasswords no # Don’t allow password authentication at all: PasswordAuthentication no # Don’t permit obsolete ssh protocol 1: Protocol 2 # Everybody expects port 22, therefore: Port 13579
~/.ssh/id_*
~/.ssh/id_ed25519
: private key
~/.ssh/id_ed25519.pub
: public key
~/.ssh/id_rsa
: private key
~/.ssh/id_rsa.pub
: public key
ssh
and scp
use a pair of keys: one public, one private.
~/.ssh/authorized_keys
contains the public keys for the
users authorized to log into this account (or copy files) without
giving a password.
ssh
& scp
.
To generate a public/private key pair:
ssh-keygen -t ed25519 -C "Jack’s CSU Macbook"
This will create an ed25519 keypair in ~/.ssh/id_ed25519
and
~/.ssh/id_ed25519.pub
.
If you’re using older software, you may have to resort to RSA keys. Make sure that they have a sufficiently long key.
ssh-keygen -b 4096 -t RSA -C "Jack’s home desktop"
Ed25519 is recommended as having better security, but requires up-to-date servers & clients. I use ed25519 for all my keys.
ssh-agent
will remember your passphrase for you.
Consider the following problem:
Port forwarding is your solution!
ssh -f -N -Llocal-port:host:host-port user@remote-host
-f
: run in the background
-N
: don’t run a command or start a shell on remote-host
-L
:
% wget -q -O- http://icanhazip.com/ 203.0.113.123 % wget -q -O- http://localhost:12345/ % wget -O- http://localhost:12345/ --2024-12-23 08:00:37 -- http://localhost:12345/ Resolving localhost (localhost)... 127.0.0.1 Connecting to localhost (localhost)|127.0.0.1|:12345... failed: Connection refused. % ssh -f -N -L12345:icanhazip.com:80 applin@denver.cs.colostate.edu % wget -q -O- http://localhost:12345/ 129.82.44.141 % host 129.82.44.141 205.46.82.129.in-addr.arpa domain name pointer denver.cs.colostate.edu.
Modified: 2017-12-04T20:59 User: Guest Check: HTML CSSEdit History Source |
Apply to CSU |
Contact CSU |
Disclaimer |
Equal Opportunity Colorado State University, Fort Collins, CO 80523 USA © 2015 Colorado State University |