LDP
/
old-www
1
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity
old-www/LDP/LG/issue61/dellomodarme.html

333 lines
12 KiB
HTML
Raw Permalink Blame History

<!--startcut ==============================================-->
<!-- *** BEGIN HTML header *** -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML><HEAD>
<title>Using ssh LG #61</title>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#0000AF"
ALINK="#FF0000">
<!-- *** END HTML header *** -->
<CENTER>
<A HREF="http://www.linuxgazette.com/">
<H1><IMG ALT="LINUX GAZETTE" SRC="../gx/lglogo.jpg"
WIDTH="600" HEIGHT="124" border="0"></H1></A>
<!-- *** BEGIN navbar *** -->
<IMG ALT="" SRC="../gx/navbar/left.jpg" WIDTH="14" HEIGHT="45" BORDER="0" ALIGN="bottom"><A HREF="collinge.html"><IMG ALT="[ Prev ]" SRC="../gx/navbar/prev.jpg" WIDTH="16" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="index.html"><IMG ALT="[ Table of Contents ]" SRC="../gx/navbar/toc.jpg" WIDTH="220" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../index.html"><IMG ALT="[ Front Page ]" SRC="../gx/navbar/frontpage.jpg" WIDTH="137" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="http://www.linuxgazette.com/cgi-bin/talkback/all.py?site=LG&article=http://www.linuxgazette.com/issue61/dellomodarme.html"><IMG ALT="[ Talkback ]" SRC="../gx/navbar/talkback.jpg" WIDTH="121" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../faq/index.html"><IMG ALT="[ FAQ ]" SRC="./../gx/navbar/faq.jpg"WIDTH="62" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="evans.html"><IMG ALT="[ Next ]" SRC="../gx/navbar/next.jpg" WIDTH="15" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><IMG ALT="" SRC="../gx/navbar/right.jpg" WIDTH="15" HEIGHT="45" ALIGN="bottom">
<!-- *** END navbar *** -->
<P>
</CENTER>
<!--endcut ============================================================-->
<H4 ALIGN="center">
"Linux Gazette...<I>making Linux just a little more fun!</I>"
</H4>
<P> <HR> <P>
<!--===================================================================-->
<center>
<H1><font color="maroon">Using ssh</font></H1>
<H4>By <a href="mailto:dellomodarme">Matteo Dell'Omodarme</a></H4>
</center>
<P> <HR> <P>
<!-- END header -->
<P>Every time we telnet into a remote machine the
connection data will cross the local network, giving an eventual
intruder the possibility to spy the connection and eventually insert
some malicious commands into the data flux. The use of some strong
cryptography systems will allow an enormous improvement in the security
of the net.
<P>From the manual page of ssh we can learn that: "Ssh
(Secure Shell) is a program for logging into a remote machine and
executing commands in a remote machine. It is intended to replace
rlogin and rsh, and provide secure encrypted communications between
two untrusted hosts over an insecure network. X11 connections and
arbitrary TCP/IP ports can also be forwarded over the secure
channel". It is a powerful, very easy-to-use program that uses
strong cryptography for protecting all transmitted confidential data,
including passwords.
<P> At present time there are two SSH protocol, referred
as SSH2 and SSH1, the first one being an improvement of the SSH1
protocol. SSH2 now supports other key-exchange methods besides
double-encrypting RSA key exchange. The current distribution comes
with Diffie-Hellman key exchange and has support for DSA and other
public key algorithms besides RSA.
<P>SSH2 can be compatible with SSH1, but it is not
compatible by default; the SSH2 server alone can't manage a SSH1
connection and a SSH1 server must be in place in order to do that.
<h1 align=center>Obtaining and installing SSH</h1>
<P>You can obtain SSH2 & SSH1 clients and servers from
the <a href="http://www.ssh.com"> master FTP server</a>, or from its
mirrors. The last version of SSH1 protocol is ssh-1.2.30.tar.gz,
while for SSH2 you can download ssh-2.3.0.tar.gz.
<P>The installation process is really easy. The first
step is unpack your SSH1 sources:
<pre>
tar -zxf ssh-1.2.30.tar.gz
</pre>
<P>This will create a directory ssh-1.2.30. Now go into
that directory and start the configuration process:
<pre>
cd ssh-1.2.30
./configure
</pre>
<P>The <em>configure</em> script carries out all the
configuration needed in the compiling stage, searching the system for
the required library and programs. When the scripts end its job you
can start the compilation:
<pre>
make
</pre>
<P>After the compilation stage, become super-user and
install binaries, configuration files, and hostkey by typing:
<pre>
make install
</pre>
<P>This will normally install clients (scp1, ssh-add1,
ssh-agent1, ssh-askpass1, ssh-keygen1, ssh1) to /usr/local/bin, and a
server (sshd1) to /usr/local/sbin. Notice that, in /usr/local/bin
there are also symbolic link (without the trailing "1") to the real
executables.
<P>The next step is to install SSH2. The operations
needed are the same required by SSH1:
<pre>
tar -zxf ssh-2.3.0.tar.gz cd ssh-2.3.0 ./configure make
</pre>
and as a super-user:
<pre>
make install
</pre>
<h3 align=center>Compatibility SSH1 - SSH2</h3>
<P>In the following part we suppose you have either SSH1
and SSH2 installed.<br> In order to make the SSH2 server able to
manage a SSH1 connection you should edit SSH2's configuration files,
which are normally placed in the directory /etc/ssh2/.<br> In that
directory edit the file <em>sshd2_config</em>, the configuration file
for sshd2 (Secure Shell Daemon) which is the daemon program for
ssh2. Add the lines:
<pre>
Ssh1Compatibility yes Sshd1Path /usr/local/sbin/sshd1
</pre>
<P>Obviously modify the information
/usr/local/sbin/sshd1 to agree with your sshd1 installation directory.
With this configuration, sshd2 server will forward requests from SSH1
client to sshd1.
<P>Then add two lines to the file <em>ssh2_config</em>,
placed in the same directory:
<pre>
Ssh1Compatibility yes Ssh1Path /usr/local/bin/ssh1
</pre>
<P>now ssh2 client will invoke ssh1 client when
contacting a SSH1 server.
<h1 align=center>Starting SSH</h1>
<P>There are mainly two different techniques to start
sshd at boot time.
<ul>
<li ><P> Go into /etc/rc.d directory, and edit the file
<em>rc.local</em>. At its end add the lines:
<pre>
echo "Starting sshd ...." /usr/local/sbin/sshd
</pre>
<P>In such a way, at the end of your next computer
reboot, sshd is invoked and the message <em>Starting sshd ....</em> is
printed on the screen. To start sshd without rebooting the machine
type from the command line:
<pre>
/usr/local/sbin/sshd
</pre>
<li> Alternatively, in systems using System V
initialization, you can put the <em>sshd2.startup</em> script,
which came with this distribution, to /etc/rc.d/init.d, naming it
sshd2. Then go to rc$number.d directory, where $number is your
default runlevel. If you don't know your runlevel search in the
file /etc/inittab the line specifying it:
<pre>
id:5:initdefault
</pre>
or
<pre>
id:3:initdefault
</pre>
In the first case your runlevel is 5, in the second one it is 3.
<P>In the directory rc$number.d issue the command:
<pre>
ln -s ../init.d/sshd2 S90sshd2
</pre>
Then change directory to /etc/rc.d/rc0.d and run the command:
<pre>
ln -s ../init.d/sshd2 K90sshd2
</pre>
Repeat the operation in the directory /etc/rc.d/rc6.d.
<P>After doing that you can start sshd2 with out
rebooting the machine, simply running the script:
<pre>
/etc/rc.d/init.d/sshd2 start
</pre>
</ul>
<h1 align=center>Establish a SSH connection</h1>
<P>Once sshd is running on your machine you can test
your configuration trying to login into it using the ssh client. Let's
suppose that you machine is named <em>host1</em> and your login name
is <em>myname</em>. To start a ssh connection use the command:
<pre>
ssh -l myname host1
</pre>
<P>In such a way ssh2 client (default client) tries to
connect to <em>host1</em> port 22 (default port). sshd2 daemon,
running on <em>host1</em>, catches the request and asks for the
<em>myname</em> password. If the password is correct it allows the
login and open a shell.
<h3 align=center>Generating and managing ssh keys</h3>
<P>Ssh allows another authentication mechanism, based
upon <em>authentication keys</em>, a public key cryptography
method. Each user wishing to use ssh with public key authentication
must runs <em>ssh-keygen</em> command (without any option) to create
authentication keys. The command starts the generation of the keys
pair (public and private) and ask for a passphrase in order to protect
them.<br> Two file are created in the $HOME/.ssh2/
directory: <em>id_dsa_1024_a</em> and <em>id_dsa_1024_a.pub</em>, the
user private and public key.
<P>Let's suppose that we have two accounts, <em>myname1</em> on
<em>host1</em> and <em>myname2</em> on <em>host2</em>. We want to login
from host1 to host2 using ssh public key authentication. In order to do that
four steps are required:
<ol type=1>
<li> On host1 generate the key pair using ssh-keygen
command, and choose a passphrase to protect it.<p>
<li> Login into host2, using ssh password
authentication, and repeat the previous operation. Then change
directory to $HOME/.ssh2 and create a file, named
<em>identification</em>, containing the following lines:
<pre>
# identification
IdKey id_dsa_1024_a
</pre>
<P>This file is used by sshd to identify the key pair to
be used during connections.<p>
<li> <P>From host2, get the ssh host1 public key and
rename it in a suitable way (e.g. <em>host1.pub</em>):
<pre>
ftp host1
[...]
cd .ssh2
get id_dsa_1024_a.pub host1.pub
</pre>
<P>At the end of ftp process a copy of host1 public key,
named <em>host1.pub</em>, resides in host2 $HOME/.ssh2 directory.<p>
<li> Create the file <em>authorization</em>
containing the following lines:
<pre>
# authorization
Key host1.pub
</pre>
<P>This file lists all trusted ssh public keys placed in
$HOME/.ssh2 directory. When a ssh connection is started from a user
whom public key matches one of the entry of <em>authorization</em>
file the public key authentication scheme starts.
</ol>
<P>In order to test the previous configuration, you
could try to connect from host1 to host2 using ssh. Sshd must reply
asking for a passphrase, otherwise, if password is requested, some
mistakes occurred in the configuration process and you must check
carefully steps 1 to 4.<br>
The passphrase required is your LOCAL passphrase (i.e. passphrase
protecting host1 public key).
<h1 align=center>Coming next...</h1>
<P>The next article will present other programs and facilities
from ssh suite: ssh-agent and ssh-add (two useful
passphrase management programs), and sftp and scp (a secure
way to transfer files across the net).
<!-- *** BEGIN copyright *** -->
<P> <hr> <!-- P -->
<H5 ALIGN=center>
Copyright &copy; 2000, Matteo Dell'Omodarme.<BR>
Copying license <A HREF="../copying.html">http://www.linuxgazette.com/copying.html</A><BR>
Published in Issue 61 of <i>Linux Gazette</i>, January 2001</H5>
<!-- *** END copyright *** -->
<!--startcut ==========================================================-->
<HR><P>
<CENTER>
<!-- *** BEGIN navbar *** -->
<IMG ALT="" SRC="../gx/navbar/left.jpg" WIDTH="14" HEIGHT="45" BORDER="0" ALIGN="bottom"><A HREF="collinge.html"><IMG ALT="[ Prev ]" SRC="../gx/navbar/prev.jpg" WIDTH="16" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="index.html"><IMG ALT="[ Table of Contents ]" SRC="../gx/navbar/toc.jpg" WIDTH="220" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../index.html"><IMG ALT="[ Front Page ]" SRC="../gx/navbar/frontpage.jpg" WIDTH="137" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="http://www.linuxgazette.com/cgi-bin/talkback/all.py?site=LG&article=http://www.linuxgazette.com/issue61/dellomodarme.html"><IMG ALT="[ Talkback ]" SRC="../gx/navbar/talkback.jpg" WIDTH="121" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../faq/index.html"><IMG ALT="[ FAQ ]" SRC="./../gx/navbar/faq.jpg"WIDTH="62" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="evans.html"><IMG ALT="[ Next ]" SRC="../gx/navbar/next.jpg" WIDTH="15" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><IMG ALT="" SRC="../gx/navbar/right.jpg" WIDTH="15" HEIGHT="45" ALIGN="bottom">
<!-- *** END navbar *** -->
</CENTER>
</BODY></HTML>
<!--endcut ============================================================-->
Reference in New Issue View Git Blame Copy Permalink