341 lines
13 KiB
HTML
341 lines
13 KiB
HTML
<!--startcut ==============================================-->
|
|
<!-- *** BEGIN HTML header *** -->
|
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
|
|
<HTML><HEAD>
|
|
<title>ssh suite: Sftp, scp and ssh-agent LG #63</title>
|
|
</HEAD>
|
|
<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#0000AF"
|
|
ALINK="#FF0000">
|
|
<!-- *** END HTML header *** -->
|
|
|
|
<CENTER>
|
|
<A HREF="http://www.linuxgazette.com/">
|
|
<H1><IMG ALT="LINUX GAZETTE" SRC="../gx/lglogo.png"
|
|
WIDTH="600" HEIGHT="124" border="0"></H1></A>
|
|
|
|
<!-- *** BEGIN navbar *** -->
|
|
<IMG ALT="" SRC="../gx/navbar/left.jpg" WIDTH="14" HEIGHT="45" BORDER="0" ALIGN="bottom"><A HREF="collinge.html"><IMG ALT="[ Prev ]" SRC="../gx/navbar/prev.jpg" WIDTH="16" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="index.html"><IMG ALT="[ Table of Contents ]" SRC="../gx/navbar/toc.jpg" WIDTH="220" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../index.html"><IMG ALT="[ Front Page ]" SRC="../gx/navbar/frontpage.jpg" WIDTH="137" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="http://www.linuxgazette.com/cgi-bin/talkback/all.py?site=LG&article=http://www.linuxgazette.com/issue64/dellomodarme.html"><IMG ALT="[ Talkback ]" SRC="../gx/navbar/talkback.jpg" WIDTH="121" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../faq/index.html"><IMG ALT="[ FAQ ]" SRC="./../gx/navbar/faq.jpg"WIDTH="62" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="evans.html"><IMG ALT="[ Next ]" SRC="../gx/navbar/next.jpg" WIDTH="15" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><IMG ALT="" SRC="../gx/navbar/right.jpg" WIDTH="15" HEIGHT="45" ALIGN="bottom">
|
|
<!-- *** END navbar *** -->
|
|
<P>
|
|
</CENTER>
|
|
|
|
<!--endcut ============================================================-->
|
|
|
|
<H4 ALIGN="center">
|
|
"Linux Gazette...<I>making Linux just a little more fun!</I>"
|
|
</H4>
|
|
|
|
<P> <HR> <P>
|
|
<!--===================================================================-->
|
|
|
|
<center>
|
|
<H1><font color="maroon">ssh suite: Sftp, scp and ssh-agent</font></H1>
|
|
<H4>By <a href="mailto:matt@martine2.difi.unipi.it">Matteo Dell'Omodarme</a></H4>
|
|
</center>
|
|
<P> <HR> <P>
|
|
|
|
<!-- END header -->
|
|
|
|
|
|
|
|
|
|
<P> The aim of this article is to provide an introduction to some useful
|
|
programs in the SSH suite, i.e. sftp, scp, ssh-agent and ssh-add.
|
|
In the following we suppose that sshd2 daemon is well configured and
|
|
running. <p>
|
|
|
|
|
|
|
|
<h1 align=center>Sftp and scp overview</h1>
|
|
|
|
Let's focus our attention on sftp and scp.<br>
|
|
The first one (Secure
|
|
File Transfer) is a ftp-like client that can
|
|
be used in file transfer over the network.<br>
|
|
It does not use the FTP daemon (ftpd or wu-ftpd) for connections,
|
|
allowing a significant improvement in the system security. In fact,
|
|
monitoring some logs file of our systems, we noted that
|
|
about 80% of attacks in last month was against ftpd daemon. The use of
|
|
sftp prevents all these tries since it permits to stop the
|
|
potentially dangerous wu-ftpd.<p>
|
|
The second (Secure Copy) is used to copy files over the network
|
|
securely. It is a replacement for rcp insecure command.<p>
|
|
|
|
Sftp and scp do not
|
|
require any dedicated daemon since the two programs connect
|
|
to sshd servers.
|
|
In order to use sftp and scp you have to insert the following
|
|
line in the configuration file <em>/etc/ssh2/sshd2_config</em>:
|
|
|
|
<pre>
|
|
subsystem-sftp sftp-server
|
|
</pre>
|
|
|
|
after this modification you must restart sshd.<br>
|
|
So you could use sftp and scp only to
|
|
connect to hosts where sshd is running.
|
|
|
|
<h3 align=center>Sftp</h3>
|
|
|
|
Sftp uses ssh2 in data connections,
|
|
so the file transport is as secure as possible.<br>
|
|
There are two main advantages in using sftp instead of ftp:
|
|
|
|
<ol type=1>
|
|
<li> Password are never transferred in clear text, preventing any
|
|
sniffer attack.
|
|
<li> Data are encrypted during the transfer, making difficult to spy or modify
|
|
the connection.
|
|
</ol>
|
|
|
|
The use of sftp2 is really simple. Let's suppose that
|
|
you would connect via sftp to your account <em>myname</em> on
|
|
<em>host1</em>. In order to do that use the command:
|
|
|
|
<pre>
|
|
sftp myname@host1
|
|
</pre>
|
|
|
|
some options could be specified from the command line (see the sftp
|
|
manual page for a complete report).<p>
|
|
|
|
When the sftp2 is ready to accept commands,
|
|
it will display a prompt <b>sftp></b>.
|
|
In the sftp manual page there are a complete list of the commands
|
|
which the user can use; among them there are:
|
|
|
|
<ul>
|
|
<li> quit:<br>
|
|
Quits from the application.
|
|
<li> cd directory:<br>
|
|
Changes the current remote working directory.
|
|
<li>lcd directory:<br>
|
|
Changes the current local working directory.
|
|
<li> ls [ -R ] [ -l ] [ file ... ]:<br>
|
|
Lists the names of the files on the remote server.
|
|
For directories, the contents of the directory are
|
|
listed. When the -R option is specified, the directory
|
|
trees are listed recursively. (By default,
|
|
the subdirectories of the argument directories are
|
|
not visited). When the -l option is specified,
|
|
permissions, owners, sizes and modification times are
|
|
also shown. When no arguments are given, it is
|
|
assumed that the contents of . are being listed.
|
|
Currently the options -R and -l are mutually incompatible.
|
|
<li>lls [ -R ] [ -l ] [ file ... ]:<br>
|
|
Same as ls, but operates on the local files.
|
|
<li>get [ file ... ]:<br>
|
|
Transfers the specified files from the remote end
|
|
to the local end. Directories are recursively
|
|
copied with their contents.
|
|
<li>put [ file ... ]:<br>
|
|
Transfers the specified files from the local end to
|
|
the remote end. Directories are recursively copied
|
|
with their contents.
|
|
<li>mkdir dir (rmdir dir):<br>
|
|
Tries to create (destroy) the directory specified in dir.
|
|
</ul>
|
|
|
|
sftp2 supports glob patterns (wildcards) given to commands
|
|
ls, lls, get, and put. The format is described in the man
|
|
page sshregex.<p>
|
|
|
|
|
|
Since sftp use encryption there is drawback: the connection is slower
|
|
(about a factor of 2-3 to my experience), but this point is of
|
|
marginal interest considering the great security benefits. <br>
|
|
In a test conduced on our local network a Network Sniffer was able to
|
|
catch a mean of 4 password by hour, from ftp connections. The
|
|
introduction of sftp as standard protocol for transfer file across the
|
|
network could eliminate this security problem.
|
|
|
|
<h3 align=center>Scp</h3>
|
|
|
|
Scp2 (Secure Copy) is used to copy files over the network securely.
|
|
It uses ssh2 for data transfer: it uses the same authentication and
|
|
provides the same security as ssh2.<br>
|
|
|
|
It is probably the simplest way to copy a file into a remote machine.
|
|
Let's suppose you want to copy the file <em>filename</em> contained in the
|
|
directory <em>local_dir</em> to your account <em>myname</em> on the
|
|
directory <em>remote_dir</em> on host <em>host1</em>. Using scp you
|
|
could enter from the command line:
|
|
|
|
<pre>
|
|
scp local_dir/filename myname@host1:remote_dir
|
|
</pre>
|
|
|
|
In such a way the file <em>filename</em> is copied with the same name.
|
|
Wildcards can be used (read more about those from sshregex man
|
|
page).
|
|
The command:
|
|
|
|
<pre>
|
|
scp local_dir/* myname@host1:remote_dir
|
|
</pre>
|
|
|
|
copies all files from directory <em>local_dir</em> into the directory
|
|
<em>remote_dir</em> of <em>host1</em>. <br>
|
|
The command:
|
|
|
|
<pre>
|
|
scp myname@host1:remote_dir/filename .
|
|
</pre>
|
|
|
|
copies the file <em>filename</em> from <em>remote_dir</em> on
|
|
<em>host1</em> to the local directory.<br>
|
|
Scp supports many options and allows copies between two remote
|
|
systems as in the following example:
|
|
|
|
<pre>
|
|
scp myname@host1:remote_dir/filename myname@host2:another_dir
|
|
</pre>
|
|
|
|
See its manual page for a complete presentation.<p>
|
|
|
|
Obviously, using scp, you must know the exact directory tree of the
|
|
remote machine, so in practice sftp is often preferred.
|
|
|
|
<h1 align=center>ssh key management</h1>
|
|
|
|
SSH suite contains two programs useful to manage authentications
|
|
keys, allowing the user to connect to a remote system without
|
|
specifying a password or even a passphrase. These programs are
|
|
ssh-agent and ssh-add.
|
|
|
|
<h3 align=center>ssh-agent</h3>
|
|
|
|
>From the manual page of ssh-agent we can read:
|
|
"ssh-agent2 is a program to hold authentication private
|
|
keys. The idea is that ssh-agent2 is started in the
|
|
beginning of an X-session or a login session, and all
|
|
other windows or programs are started as children of the
|
|
ssh-agent2 program (the command normally starts X or is
|
|
the user shell). The programs started under the agent
|
|
inherit a connection to the agent, and the agent is
|
|
automatically used for public key authentication when logging
|
|
to other machines using ssh".<p>
|
|
|
|
There are two way to use ssh-agent depending on that you are running
|
|
xdm or not.<br>
|
|
In the first case you should edit <em>.xsession</em> file, placed in the $HOME
|
|
directory. There are two possible procedures:<br>
|
|
|
|
Copy <em>.xsession</em> to <em>.xsession-stuff</em> and modify
|
|
<em>.xession</em> in such a way it contains only the line:
|
|
|
|
<pre>
|
|
exec ssh-agent ./.xsession-stuff
|
|
</pre>
|
|
|
|
Alternatively you could edit <em>.xsession</em> file and search for each
|
|
line containing the expression "exec <em>program</em>". Modify
|
|
these lines to the form "exec ssh-agent <em>program</em>".<p>
|
|
|
|
Log out from your X-session and restart it.
|
|
ssh-agent will start the
|
|
X-session as its own children and wait for ssh key to insert in
|
|
its database.<p>
|
|
|
|
If xdm is not running the procedure to use ssh-agent is simpler
|
|
because you can start your X session using the command:
|
|
|
|
<pre>
|
|
ssh-agent startx
|
|
</pre>
|
|
|
|
In such a way you have ssh-agent properly running.
|
|
|
|
<h3 align=center>ssh-add</h3>
|
|
|
|
Once ssh-agent is correctly in place you could add identities in its
|
|
database using the command ssh-add.
|
|
You could add identities only from processes which are children of a ssh-agent
|
|
ancestor otherwise the following error message is displayed:
|
|
|
|
<pre>
|
|
Failed to connect to authentication agent - agent not running?
|
|
</pre>
|
|
|
|
The use of ssh-add is simple: from the command line issue the command:
|
|
|
|
<pre>
|
|
ssh-add
|
|
</pre>
|
|
|
|
ssh-add scans the file $HOME/.ssh2/identification
|
|
which contains names of the private keys that are to be
|
|
used in authentication. If this file doesn't exist, the standard name
|
|
for the private key is assumed (i.e. $HOME/.ssh2/id_dsa_1024_a).<br>
|
|
If any public key file requires a passphrase, ssh-add asks
|
|
for the passphrase from the user as in the following example:
|
|
|
|
<pre>
|
|
Adding identity: /home/matt/.ssh2/id_dsa_1024_a.pub
|
|
Need passphrase for /home/matt/.ssh2/id_dsa_1024_a (..)
|
|
Enter passphrase:
|
|
</pre>
|
|
|
|
|
|
You could obtain a list of all identities currently represented by the
|
|
agent using the command <em>ssh-add -l</em>:
|
|
|
|
<pre>
|
|
Listing identities.
|
|
The authorization agent has one key:
|
|
id_dsa_1024_a: 1024-bit dsa, (...)
|
|
</pre>
|
|
|
|
<h1 align=center>Conclusions and useful links</h1>
|
|
|
|
Many users of telnet, rlogin, ftp might not
|
|
realize that their password is transmitted across the net unencrypted, but it is.
|
|
The use of some secure protocols could allow a secure transmission
|
|
over an insecure network. <br>
|
|
SSH, encrypting all traffic, effectively
|
|
eliminates eavesdropping, connection hijacking, and other network attacks.<p>
|
|
|
|
These articles are only an introduction to the SSH
|
|
suite; more about this topic could be found in the manual pages of ssh,
|
|
sshd and sftp. <p>
|
|
|
|
You could get SSH suite from:<br>
|
|
<A
|
|
HREF="http://www.ssh.com/products/ssh/">www.ssh.com/products/ssh/</a>,
|
|
SSH master site or
|
|
from
|
|
<a href="http://www.ssh.com/products/ssh/download.html">a mirror
|
|
site</a>.<br>
|
|
|
|
Here you could also find some very interesting information about SSH
|
|
technology and cryptography in general in the <a
|
|
href="http://www.ssh.com/tech/">Tech corner</a>.<p>
|
|
|
|
Otherwise you could check
|
|
<a href="http://www.openssh.com/">www.openssh.com</a> where you could
|
|
download openssh implementation of SSH protocol. The portable version
|
|
is at <a
|
|
href="http://www.openssh.com/portable.html">www.openssh.com/portable.html</a>.<br>
|
|
You could also read the openssh FAQ: <a
|
|
href="http://www.openssh.com/faq.html">www.openssh.com/faq.html</a>.
|
|
|
|
|
|
<!-- *** BEGIN copyright *** -->
|
|
<P> <hr> <!-- P -->
|
|
<H5 ALIGN=center>
|
|
|
|
Copyright © 2001, Matteo Dell'Omodarme.<BR>
|
|
Copying license <A HREF="../copying.html">http://www.linuxgazette.com/copying.html</A><BR>
|
|
Published in Issue 63 of <i>Linux Gazette</i>, Mid-February (EXTRA) 2001</H5>
|
|
<!-- *** END copyright *** -->
|
|
|
|
<!--startcut ==========================================================-->
|
|
<HR><P>
|
|
<CENTER>
|
|
<!-- *** BEGIN navbar *** -->
|
|
<IMG ALT="" SRC="../gx/navbar/left.jpg" WIDTH="14" HEIGHT="45" BORDER="0" ALIGN="bottom"><A HREF="collinge.html"><IMG ALT="[ Prev ]" SRC="../gx/navbar/prev.jpg" WIDTH="16" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="index.html"><IMG ALT="[ Table of Contents ]" SRC="../gx/navbar/toc.jpg" WIDTH="220" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../index.html"><IMG ALT="[ Front Page ]" SRC="../gx/navbar/frontpage.jpg" WIDTH="137" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="http://www.linuxgazette.com/cgi-bin/talkback/all.py?site=LG&article=http://www.linuxgazette.com/issue64/dellomodarme.html"><IMG ALT="[ Talkback ]" SRC="../gx/navbar/talkback.jpg" WIDTH="121" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><A HREF="../faq/index.html"><IMG ALT="[ FAQ ]" SRC="./../gx/navbar/faq.jpg"WIDTH="62" HEIGHT="45" BORDER="0" ALIGN="bottom"></A><A HREF="evans.html"><IMG ALT="[ Next ]" SRC="../gx/navbar/next.jpg" WIDTH="15" HEIGHT="45" BORDER="0" ALIGN="bottom" ></A><IMG ALT="" SRC="../gx/navbar/right.jpg" WIDTH="15" HEIGHT="45" ALIGN="bottom">
|
|
<!-- *** END navbar *** -->
|
|
</CENTER>
|
|
</BODY></HTML>
|
|
<!--endcut ============================================================-->
|