333 lines
12 KiB
HTML
333 lines
12 KiB
HTML
<!--startcut ==============================================-->
|
|
<!-- *** BEGIN HTML header *** -->
|
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
|
|
<HTML><HEAD>
|
|
<title>Using ssh LG #61</title>
|
|
</HEAD>
|
|
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#0000AF"
|
|
ALINK="#FF0000">
|
|
<!-- *** END HTML header *** -->
|
|
|
|
<CENTER>
|
|
<A HREF="http://www.linuxgazette.com/">
|
|
<H1><IMG ALT="LINUX GAZETTE" SRC="../gx/lglogo.jpg"
|
|
WIDTH="600" HEIGHT="124" border="0"></H1></A>
|
|
|
|
<!-- *** BEGIN navbar *** -->
|
|
<IMG ALT="" SRC="../gx/navbar/left.jpg" WIDTH="14" HEIGHT="45" BORDER="0" ALIGN="bottom"><A HREF="collinge.html"><IMG ALT="[ Prev ]" SRC="../gx/navbar/prev.jpg" WIDTH="16" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="index.html"><IMG ALT="[ Table of Contents ]" SRC="../gx/navbar/toc.jpg" WIDTH="220" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../index.html"><IMG ALT="[ Front Page ]" SRC="../gx/navbar/frontpage.jpg" WIDTH="137" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="http://www.linuxgazette.com/cgi-bin/talkback/all.py?site=LG&article=http://www.linuxgazette.com/issue61/dellomodarme.html"><IMG ALT="[ Talkback ]" SRC="../gx/navbar/talkback.jpg" WIDTH="121" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../faq/index.html"><IMG ALT="[ FAQ ]" SRC="./../gx/navbar/faq.jpg"WIDTH="62" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="evans.html"><IMG ALT="[ Next ]" SRC="../gx/navbar/next.jpg" WIDTH="15" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><IMG ALT="" SRC="../gx/navbar/right.jpg" WIDTH="15" HEIGHT="45" ALIGN="bottom">
|
|
<!-- *** END navbar *** -->
|
|
<P>
|
|
</CENTER>
|
|
|
|
<!--endcut ============================================================-->
|
|
|
|
<H4 ALIGN="center">
|
|
"Linux Gazette...<I>making Linux just a little more fun!</I>"
|
|
</H4>
|
|
|
|
<P> <HR> <P>
|
|
<!--===================================================================-->
|
|
|
|
<center>
|
|
<H1><font color="maroon">Using ssh</font></H1>
|
|
<H4>By <a href="mailto:dellomodarme">Matteo Dell'Omodarme</a></H4>
|
|
</center>
|
|
<P> <HR> <P>
|
|
|
|
<!-- END header -->
|
|
|
|
|
|
|
|
|
|
<P>Every time we telnet into a remote machine the
|
|
connection data will cross the local network, giving an eventual
|
|
intruder the possibility to spy the connection and eventually insert
|
|
some malicious commands into the data flux. The use of some strong
|
|
cryptography systems will allow an enormous improvement in the security
|
|
of the net.
|
|
|
|
<P>From the manual page of ssh we can learn that: "Ssh
|
|
(Secure Shell) is a program for logging into a remote machine and
|
|
executing commands in a remote machine. It is intended to replace
|
|
rlogin and rsh, and provide secure encrypted communications between
|
|
two untrusted hosts over an insecure network. X11 connections and
|
|
arbitrary TCP/IP ports can also be forwarded over the secure
|
|
channel". It is a powerful, very easy-to-use program that uses
|
|
strong cryptography for protecting all transmitted confidential data,
|
|
including passwords.
|
|
|
|
<P> At present time there are two SSH protocol, referred
|
|
as SSH2 and SSH1, the first one being an improvement of the SSH1
|
|
protocol. SSH2 now supports other key-exchange methods besides
|
|
double-encrypting RSA key exchange. The current distribution comes
|
|
with Diffie-Hellman key exchange and has support for DSA and other
|
|
public key algorithms besides RSA.
|
|
|
|
<P>SSH2 can be compatible with SSH1, but it is not
|
|
compatible by default; the SSH2 server alone can't manage a SSH1
|
|
connection and a SSH1 server must be in place in order to do that.
|
|
|
|
<h1 align=center>Obtaining and installing SSH</h1>
|
|
|
|
<P>You can obtain SSH2 & SSH1 clients and servers from
|
|
the <a href="http://www.ssh.com"> master FTP server</a>, or from its
|
|
mirrors. The last version of SSH1 protocol is ssh-1.2.30.tar.gz,
|
|
while for SSH2 you can download ssh-2.3.0.tar.gz.
|
|
|
|
<P>The installation process is really easy. The first
|
|
step is unpack your SSH1 sources:
|
|
|
|
<pre>
|
|
tar -zxf ssh-1.2.30.tar.gz
|
|
</pre>
|
|
|
|
<P>This will create a directory ssh-1.2.30. Now go into
|
|
that directory and start the configuration process:
|
|
|
|
<pre>
|
|
cd ssh-1.2.30
|
|
./configure
|
|
</pre>
|
|
|
|
<P>The <em>configure</em> script carries out all the
|
|
configuration needed in the compiling stage, searching the system for
|
|
the required library and programs. When the scripts end its job you
|
|
can start the compilation:
|
|
|
|
<pre>
|
|
make
|
|
</pre>
|
|
|
|
<P>After the compilation stage, become super-user and
|
|
install binaries, configuration files, and hostkey by typing:
|
|
|
|
<pre>
|
|
make install
|
|
</pre>
|
|
|
|
<P>This will normally install clients (scp1, ssh-add1,
|
|
ssh-agent1, ssh-askpass1, ssh-keygen1, ssh1) to /usr/local/bin, and a
|
|
server (sshd1) to /usr/local/sbin. Notice that, in /usr/local/bin
|
|
there are also symbolic link (without the trailing "1") to the real
|
|
executables.
|
|
|
|
<P>The next step is to install SSH2. The operations
|
|
needed are the same required by SSH1:
|
|
|
|
<pre>
|
|
tar -zxf ssh-2.3.0.tar.gz cd ssh-2.3.0 ./configure make
|
|
</pre>
|
|
|
|
and as a super-user:
|
|
|
|
<pre>
|
|
make install
|
|
</pre>
|
|
|
|
<h3 align=center>Compatibility SSH1 - SSH2</h3>
|
|
|
|
<P>In the following part we suppose you have either SSH1
|
|
and SSH2 installed.<br> In order to make the SSH2 server able to
|
|
manage a SSH1 connection you should edit SSH2's configuration files,
|
|
which are normally placed in the directory /etc/ssh2/.<br> In that
|
|
directory edit the file <em>sshd2_config</em>, the configuration file
|
|
for sshd2 (Secure Shell Daemon) which is the daemon program for
|
|
ssh2. Add the lines:
|
|
|
|
<pre>
|
|
Ssh1Compatibility yes Sshd1Path /usr/local/sbin/sshd1
|
|
</pre>
|
|
|
|
<P>Obviously modify the information
|
|
/usr/local/sbin/sshd1 to agree with your sshd1 installation directory.
|
|
With this configuration, sshd2 server will forward requests from SSH1
|
|
client to sshd1.
|
|
|
|
<P>Then add two lines to the file <em>ssh2_config</em>,
|
|
placed in the same directory:
|
|
|
|
<pre>
|
|
Ssh1Compatibility yes Ssh1Path /usr/local/bin/ssh1
|
|
</pre>
|
|
|
|
<P>now ssh2 client will invoke ssh1 client when
|
|
contacting a SSH1 server.
|
|
|
|
<h1 align=center>Starting SSH</h1>
|
|
|
|
<P>There are mainly two different techniques to start
|
|
sshd at boot time.
|
|
|
|
<ul>
|
|
<li ><P> Go into /etc/rc.d directory, and edit the file
|
|
<em>rc.local</em>. At its end add the lines:
|
|
|
|
<pre>
|
|
echo "Starting sshd ...." /usr/local/sbin/sshd
|
|
</pre>
|
|
|
|
<P>In such a way, at the end of your next computer
|
|
reboot, sshd is invoked and the message <em>Starting sshd ....</em> is
|
|
printed on the screen. To start sshd without rebooting the machine
|
|
type from the command line:
|
|
|
|
<pre>
|
|
/usr/local/sbin/sshd
|
|
</pre>
|
|
|
|
<li> Alternatively, in systems using System V
|
|
initialization, you can put the <em>sshd2.startup</em> script,
|
|
which came with this distribution, to /etc/rc.d/init.d, naming it
|
|
sshd2. Then go to rc$number.d directory, where $number is your
|
|
default runlevel. If you don't know your runlevel search in the
|
|
file /etc/inittab the line specifying it:
|
|
|
|
<pre>
|
|
id:5:initdefault
|
|
</pre>
|
|
|
|
or
|
|
|
|
<pre>
|
|
id:3:initdefault
|
|
</pre>
|
|
|
|
In the first case your runlevel is 5, in the second one it is 3.
|
|
|
|
<P>In the directory rc$number.d issue the command:
|
|
|
|
<pre>
|
|
ln -s ../init.d/sshd2 S90sshd2
|
|
</pre>
|
|
|
|
Then change directory to /etc/rc.d/rc0.d and run the command:
|
|
|
|
<pre>
|
|
ln -s ../init.d/sshd2 K90sshd2
|
|
</pre>
|
|
|
|
Repeat the operation in the directory /etc/rc.d/rc6.d.
|
|
|
|
<P>After doing that you can start sshd2 with out
|
|
rebooting the machine, simply running the script:
|
|
|
|
<pre>
|
|
/etc/rc.d/init.d/sshd2 start
|
|
</pre>
|
|
</ul>
|
|
|
|
<h1 align=center>Establish a SSH connection</h1>
|
|
|
|
<P>Once sshd is running on your machine you can test
|
|
your configuration trying to login into it using the ssh client. Let's
|
|
suppose that you machine is named <em>host1</em> and your login name
|
|
is <em>myname</em>. To start a ssh connection use the command:
|
|
|
|
<pre>
|
|
ssh -l myname host1
|
|
</pre>
|
|
|
|
<P>In such a way ssh2 client (default client) tries to
|
|
connect to <em>host1</em> port 22 (default port). sshd2 daemon,
|
|
running on <em>host1</em>, catches the request and asks for the
|
|
<em>myname</em> password. If the password is correct it allows the
|
|
login and open a shell.
|
|
|
|
<h3 align=center>Generating and managing ssh keys</h3>
|
|
|
|
<P>Ssh allows another authentication mechanism, based
|
|
upon <em>authentication keys</em>, a public key cryptography
|
|
method. Each user wishing to use ssh with public key authentication
|
|
must runs <em>ssh-keygen</em> command (without any option) to create
|
|
authentication keys. The command starts the generation of the keys
|
|
pair (public and private) and ask for a passphrase in order to protect
|
|
them.<br> Two file are created in the $HOME/.ssh2/
|
|
directory: <em>id_dsa_1024_a</em> and <em>id_dsa_1024_a.pub</em>, the
|
|
user private and public key.
|
|
|
|
<P>Let's suppose that we have two accounts, <em>myname1</em> on
|
|
<em>host1</em> and <em>myname2</em> on <em>host2</em>. We want to login
|
|
from host1 to host2 using ssh public key authentication. In order to do that
|
|
four steps are required:
|
|
|
|
<ol type=1>
|
|
<li> On host1 generate the key pair using ssh-keygen
|
|
command, and choose a passphrase to protect it.<p>
|
|
|
|
<li> Login into host2, using ssh password
|
|
authentication, and repeat the previous operation. Then change
|
|
directory to $HOME/.ssh2 and create a file, named
|
|
<em>identification</em>, containing the following lines:
|
|
|
|
<pre>
|
|
# identification
|
|
IdKey id_dsa_1024_a
|
|
</pre>
|
|
|
|
<P>This file is used by sshd to identify the key pair to
|
|
be used during connections.<p>
|
|
|
|
<li> <P>From host2, get the ssh host1 public key and
|
|
rename it in a suitable way (e.g. <em>host1.pub</em>):
|
|
|
|
<pre>
|
|
ftp host1
|
|
[...]
|
|
cd .ssh2
|
|
get id_dsa_1024_a.pub host1.pub
|
|
</pre>
|
|
|
|
<P>At the end of ftp process a copy of host1 public key,
|
|
named <em>host1.pub</em>, resides in host2 $HOME/.ssh2 directory.<p>
|
|
|
|
<li> Create the file <em>authorization</em>
|
|
containing the following lines:
|
|
|
|
<pre>
|
|
# authorization
|
|
Key host1.pub
|
|
</pre>
|
|
|
|
<P>This file lists all trusted ssh public keys placed in
|
|
$HOME/.ssh2 directory. When a ssh connection is started from a user
|
|
whom public key matches one of the entry of <em>authorization</em>
|
|
file the public key authentication scheme starts.
|
|
</ol>
|
|
|
|
<P>In order to test the previous configuration, you
|
|
could try to connect from host1 to host2 using ssh. Sshd must reply
|
|
asking for a passphrase, otherwise, if password is requested, some
|
|
mistakes occurred in the configuration process and you must check
|
|
carefully steps 1 to 4.<br>
|
|
The passphrase required is your LOCAL passphrase (i.e. passphrase
|
|
protecting host1 public key).
|
|
|
|
<h1 align=center>Coming next...</h1>
|
|
|
|
<P>The next article will present other programs and facilities
|
|
from ssh suite: ssh-agent and ssh-add (two useful
|
|
passphrase management programs), and sftp and scp (a secure
|
|
way to transfer files across the net).
|
|
|
|
|
|
|
|
|
|
<!-- *** BEGIN copyright *** -->
|
|
<P> <hr> <!-- P -->
|
|
<H5 ALIGN=center>
|
|
|
|
Copyright © 2000, Matteo Dell'Omodarme.<BR>
|
|
Copying license <A HREF="../copying.html">http://www.linuxgazette.com/copying.html</A><BR>
|
|
Published in Issue 61 of <i>Linux Gazette</i>, January 2001</H5>
|
|
<!-- *** END copyright *** -->
|
|
|
|
<!--startcut ==========================================================-->
|
|
<HR><P>
|
|
<CENTER>
|
|
<!-- *** BEGIN navbar *** -->
|
|
<IMG ALT="" SRC="../gx/navbar/left.jpg" WIDTH="14" HEIGHT="45" BORDER="0" ALIGN="bottom"><A HREF="collinge.html"><IMG ALT="[ Prev ]" SRC="../gx/navbar/prev.jpg" WIDTH="16" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="index.html"><IMG ALT="[ Table of Contents ]" SRC="../gx/navbar/toc.jpg" WIDTH="220" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../index.html"><IMG ALT="[ Front Page ]" SRC="../gx/navbar/frontpage.jpg" WIDTH="137" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="http://www.linuxgazette.com/cgi-bin/talkback/all.py?site=LG&article=http://www.linuxgazette.com/issue61/dellomodarme.html"><IMG ALT="[ Talkback ]" SRC="../gx/navbar/talkback.jpg" WIDTH="121" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../faq/index.html"><IMG ALT="[ FAQ ]" SRC="./../gx/navbar/faq.jpg"WIDTH="62" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="evans.html"><IMG ALT="[ Next ]" SRC="../gx/navbar/next.jpg" WIDTH="15" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><IMG ALT="" SRC="../gx/navbar/right.jpg" WIDTH="15" HEIGHT="45" ALIGN="bottom">
|
|
<!-- *** END navbar *** -->
|
|
</CENTER>
|
|
</BODY></HTML>
|
|
<!--endcut ============================================================-->
|