LDP
/
old-www
1
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity
old-www/LDP/LG/issue64/dellomodarme.html

341 lines
13 KiB
HTML
Raw Permalink Blame History

<!--startcut ==============================================-->
<!-- *** BEGIN HTML header *** -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML><HEAD>
<title>ssh suite: Sftp, scp and ssh-agent LG #63</title>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#0000AF"
ALINK="#FF0000">
<!-- *** END HTML header *** -->
<CENTER>
<A HREF="http://www.linuxgazette.com/">
<H1><IMG ALT="LINUX GAZETTE" SRC="../gx/lglogo.png"
WIDTH="600" HEIGHT="124" border="0"></H1></A>
<!-- *** BEGIN navbar *** -->
<IMG ALT="" SRC="../gx/navbar/left.jpg" WIDTH="14" HEIGHT="45" BORDER="0" ALIGN="bottom"><A HREF="collinge.html"><IMG ALT="[ Prev ]" SRC="../gx/navbar/prev.jpg" WIDTH="16" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="index.html"><IMG ALT="[ Table of Contents ]" SRC="../gx/navbar/toc.jpg" WIDTH="220" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../index.html"><IMG ALT="[ Front Page ]" SRC="../gx/navbar/frontpage.jpg" WIDTH="137" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="http://www.linuxgazette.com/cgi-bin/talkback/all.py?site=LG&article=http://www.linuxgazette.com/issue64/dellomodarme.html"><IMG ALT="[ Talkback ]" SRC="../gx/navbar/talkback.jpg" WIDTH="121" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../faq/index.html"><IMG ALT="[ FAQ ]" SRC="./../gx/navbar/faq.jpg"WIDTH="62" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="evans.html"><IMG ALT="[ Next ]" SRC="../gx/navbar/next.jpg" WIDTH="15" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><IMG ALT="" SRC="../gx/navbar/right.jpg" WIDTH="15" HEIGHT="45" ALIGN="bottom">
<!-- *** END navbar *** -->
<P>
</CENTER>
<!--endcut ============================================================-->
<H4 ALIGN="center">
"Linux Gazette...<I>making Linux just a little more fun!</I>"
</H4>
<P> <HR> <P>
<!--===================================================================-->
<center>
<H1><font color="maroon">ssh suite: Sftp, scp and ssh-agent</font></H1>
<H4>By <a href="mailto:matt@martine2.difi.unipi.it">Matteo Dell'Omodarme</a></H4>
</center>
<P> <HR> <P>
<!-- END header -->
<P> The aim of this article is to provide an introduction to some useful
programs in the SSH suite, i.e. sftp, scp, ssh-agent and ssh-add.
In the following we suppose that sshd2 daemon is well configured and
running. <p>
<h1 align=center>Sftp and scp overview</h1>
Let's focus our attention on sftp and scp.<br>
The first one (Secure
File Transfer) is a ftp-like client that can
be used in file transfer over the network.<br>
It does not use the FTP daemon (ftpd or wu-ftpd) for connections,
allowing a significant improvement in the system security. In fact,
monitoring some logs file of our systems, we noted that
about 80% of attacks in last month was against ftpd daemon. The use of
sftp prevents all these tries since it permits to stop the
potentially dangerous wu-ftpd.<p>
The second (Secure Copy) is used to copy files over the network
securely. It is a replacement for rcp insecure command.<p>
Sftp and scp do not
require any dedicated daemon since the two programs connect
to sshd servers.
In order to use sftp and scp you have to insert the following
line in the configuration file <em>/etc/ssh2/sshd2_config</em>:
<pre>
subsystem-sftp sftp-server
</pre>
after this modification you must restart sshd.<br>
So you could use sftp and scp only to
connect to hosts where sshd is running.
<h3 align=center>Sftp</h3>
Sftp uses ssh2 in data connections,
so the file transport is as secure as possible.<br>
There are two main advantages in using sftp instead of ftp:
<ol type=1>
<li> Password are never transferred in clear text, preventing any
sniffer attack.
<li> Data are encrypted during the transfer, making difficult to spy or modify
the connection.
</ol>
The use of sftp2 is really simple. Let's suppose that
you would connect via sftp to your account <em>myname</em> on
<em>host1</em>. In order to do that use the command:
<pre>
sftp myname@host1
</pre>
some options could be specified from the command line (see the sftp
manual page for a complete report).<p>
When the sftp2 is ready to accept commands,
it will display a prompt <b>sftp&gt;</b>.
In the sftp manual page there are a complete list of the commands
which the user can use; among them there are:
<ul>
<li> quit:<br>
Quits from the application.
<li> cd directory:<br>
Changes the current remote working directory.
<li>lcd directory:<br>
Changes the current local working directory.
<li> ls [ -R ] [ -l ] [ file ... ]:<br>
Lists the names of the files on the remote server.
For directories, the contents of the directory are
listed. When the -R option is specified, the directory
trees are listed recursively. (By default,
the subdirectories of the argument directories are
not visited). When the -l option is specified,
permissions, owners, sizes and modification times are
also shown. When no arguments are given, it is
assumed that the contents of . are being listed.
Currently the options -R and -l are mutually incompatible.
<li>lls [ -R ] [ -l ] [ file ... ]:<br>
Same as ls, but operates on the local files.
<li>get [ file ... ]:<br>
Transfers the specified files from the remote end
to the local end. Directories are recursively
copied with their contents.
<li>put [ file ... ]:<br>
Transfers the specified files from the local end to
the remote end. Directories are recursively copied
with their contents.
<li>mkdir dir (rmdir dir):<br>
Tries to create (destroy) the directory specified in dir.
</ul>
sftp2 supports glob patterns (wildcards) given to commands
ls, lls, get, and put. The format is described in the man
page sshregex.<p>
Since sftp use encryption there is drawback: the connection is slower
(about a factor of 2-3 to my experience), but this point is of
marginal interest considering the great security benefits. <br>
In a test conduced on our local network a Network Sniffer was able to
catch a mean of 4 password by hour, from ftp connections. The
introduction of sftp as standard protocol for transfer file across the
network could eliminate this security problem.
<h3 align=center>Scp</h3>
Scp2 (Secure Copy) is used to copy files over the network securely.
It uses ssh2 for data transfer: it uses the same authentication and
provides the same security as ssh2.<br>
It is probably the simplest way to copy a file into a remote machine.
Let's suppose you want to copy the file <em>filename</em> contained in the
directory <em>local_dir</em> to your account <em>myname</em> on the
directory <em>remote_dir</em> on host <em>host1</em>. Using scp you
could enter from the command line:
<pre>
scp local_dir/filename myname@host1:remote_dir
</pre>
In such a way the file <em>filename</em> is copied with the same name.
Wildcards can be used (read more about those from sshregex man
page).
The command:
<pre>
scp local_dir/* myname@host1:remote_dir
</pre>
copies all files from directory <em>local_dir</em> into the directory
<em>remote_dir</em> of <em>host1</em>. <br>
The command:
<pre>
scp myname@host1:remote_dir/filename .
</pre>
copies the file <em>filename</em> from <em>remote_dir</em> on
<em>host1</em> to the local directory.<br>
Scp supports many options and allows copies between two remote
systems as in the following example:
<pre>
scp myname@host1:remote_dir/filename myname@host2:another_dir
</pre>
See its manual page for a complete presentation.<p>
Obviously, using scp, you must know the exact directory tree of the
remote machine, so in practice sftp is often preferred.
<h1 align=center>ssh key management</h1>
SSH suite contains two programs useful to manage authentications
keys, allowing the user to connect to a remote system without
specifying a password or even a passphrase. These programs are
ssh-agent and ssh-add.
<h3 align=center>ssh-agent</h3>
>From the manual page of ssh-agent we can read:
"ssh-agent2 is a program to hold authentication private
keys. The idea is that ssh-agent2 is started in the
beginning of an X-session or a login session, and all
other windows or programs are started as children of the
ssh-agent2 program (the command normally starts X or is
the user shell). The programs started under the agent
inherit a connection to the agent, and the agent is
automatically used for public key authentication when logging
to other machines using ssh".<p>
There are two way to use ssh-agent depending on that you are running
xdm or not.<br>
In the first case you should edit <em>.xsession</em> file, placed in the $HOME
directory. There are two possible procedures:<br>
Copy <em>.xsession</em> to <em>.xsession-stuff</em> and modify
<em>.xession</em> in such a way it contains only the line:
<pre>
exec ssh-agent ./.xsession-stuff
</pre>
Alternatively you could edit <em>.xsession</em> file and search for each
line containing the expression "exec <em>program</em>". Modify
these lines to the form "exec ssh-agent <em>program</em>".<p>
Log out from your X-session and restart it.
ssh-agent will start the
X-session as its own children and wait for ssh key to insert in
its database.<p>
If xdm is not running the procedure to use ssh-agent is simpler
because you can start your X session using the command:
<pre>
ssh-agent startx
</pre>
In such a way you have ssh-agent properly running.
<h3 align=center>ssh-add</h3>
Once ssh-agent is correctly in place you could add identities in its
database using the command ssh-add.
You could add identities only from processes which are children of a ssh-agent
ancestor otherwise the following error message is displayed:
<pre>
Failed to connect to authentication agent - agent not running?
</pre>
The use of ssh-add is simple: from the command line issue the command:
<pre>
ssh-add
</pre>
ssh-add scans the file $HOME/.ssh2/identification
which contains names of the private keys that are to be
used in authentication. If this file doesn't exist, the standard name
for the private key is assumed (i.e. $HOME/.ssh2/id_dsa_1024_a).<br>
If any public key file requires a passphrase, ssh-add asks
for the passphrase from the user as in the following example:
<pre>
Adding identity: /home/matt/.ssh2/id_dsa_1024_a.pub
Need passphrase for /home/matt/.ssh2/id_dsa_1024_a (..)
Enter passphrase:
</pre>
You could obtain a list of all identities currently represented by the
agent using the command <em>ssh-add -l</em>:
<pre>
Listing identities.
The authorization agent has one key:
id_dsa_1024_a: 1024-bit dsa, (...)
</pre>
<h1 align=center>Conclusions and useful links</h1>
Many users of telnet, rlogin, ftp might not
realize that their password is transmitted across the net unencrypted, but it is.
The use of some secure protocols could allow a secure transmission
over an insecure network. <br>
SSH, encrypting all traffic, effectively
eliminates eavesdropping, connection hijacking, and other network attacks.<p>
These articles are only an introduction to the SSH
suite; more about this topic could be found in the manual pages of ssh,
sshd and sftp. <p>
You could get SSH suite from:<br>
<A
HREF="http://www.ssh.com/products/ssh/">www.ssh.com/products/ssh/</a>,
SSH master site or
from
<a href="http://www.ssh.com/products/ssh/download.html">a mirror
site</a>.<br>
Here you could also find some very interesting information about SSH
technology and cryptography in general in the <a
href="http://www.ssh.com/tech/">Tech corner</a>.<p>
Otherwise you could check
<a href="http://www.openssh.com/">www.openssh.com</a> where you could
download openssh implementation of SSH protocol. The portable version
is at <a
href="http://www.openssh.com/portable.html">www.openssh.com/portable.html</a>.<br>
You could also read the openssh FAQ: <a
href="http://www.openssh.com/faq.html">www.openssh.com/faq.html</a>.
<!-- *** BEGIN copyright *** -->
<P> <hr> <!-- P -->
<H5 ALIGN=center>
Copyright &copy; 2001, Matteo Dell'Omodarme.<BR>
Copying license <A HREF="../copying.html">http://www.linuxgazette.com/copying.html</A><BR>
Published in Issue 63 of <i>Linux Gazette</i>, Mid-February (EXTRA) 2001</H5>
<!-- *** END copyright *** -->
<!--startcut ==========================================================-->
<HR><P>
<CENTER>
<!-- *** BEGIN navbar *** -->
<IMG ALT="" SRC="../gx/navbar/left.jpg" WIDTH="14" HEIGHT="45" BORDER="0" ALIGN="bottom"><A HREF="collinge.html"><IMG ALT="[ Prev ]" SRC="../gx/navbar/prev.jpg" WIDTH="16" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="index.html"><IMG ALT="[ Table of Contents ]" SRC="../gx/navbar/toc.jpg" WIDTH="220" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../index.html"><IMG ALT="[ Front Page ]" SRC="../gx/navbar/frontpage.jpg" WIDTH="137" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="http://www.linuxgazette.com/cgi-bin/talkback/all.py?site=LG&article=http://www.linuxgazette.com/issue64/dellomodarme.html"><IMG ALT="[ Talkback ]" SRC="../gx/navbar/talkback.jpg" WIDTH="121" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../faq/index.html"><IMG ALT="[ FAQ ]" SRC="./../gx/navbar/faq.jpg"WIDTH="62" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="evans.html"><IMG ALT="[ Next ]" SRC="../gx/navbar/next.jpg" WIDTH="15" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><IMG ALT="" SRC="../gx/navbar/right.jpg" WIDTH="15" HEIGHT="45" ALIGN="bottom">
<!-- *** END navbar *** -->
</CENTER>
</BODY></HTML>
<!--endcut ============================================================-->
Reference in New Issue View Git Blame Copy Permalink