SSH

SSH Concept

Secure Shell is used to connect over the network (Ethernet) to another computer using the console. It is similar to telnet and rsh but safer. Using telnet is easy, but the password required to log in is sent unencrypted. This might be acceptable on a local LAN but is obviously too dangerous over the Internet.

Login is possible via password and/or keys. Login via password takes place after an encrypted connection has been established, so password and username cannot be seen.

Another authentication method, which does not require typing in user name and password manually, makes use of two keys, the public and the private one. However, it often ends up that you have to type in a passphrase manually instead. The private key is kept hidden, whereas the public key is given out.

ssh-keygen creates the keys and stores them in ~/.ssh; additionally, a passphrase needs to be entered.

Note

Later during use, some pop-up windows ask for the password, but they mean the passphrase.

The public key is ~/.ssh/id_rsa.pub and the private key is ~/.ssh/id_rsa.

To log in at the ssh server without a password, the public key id_rsa.pub must be known by the ssh server. This depends on the ssh server implementation, but it is usually done by appending the public key file to the authorized_keys file:

cat id_rsa.pub >> ~/.ssh/authorized_keys

Obviously the file somehow needs to be transferred between the two machines. In the simplest case this is done via a USB stick. A more elegant way is to use an already authorized SSH connection.
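As an added example (not from the original page), here is a shell function that does what the cat >> authorized_keys step above does, but only once per key, after checking the file really is a public key, and with the permissions sshd's StrictModes requires. The key file and home directory are arguments; the sample key in the usage is constructed.

```shell
#!/bin/sh
# Added example, not from the original page: install a public key into
# authorized_keys like "cat id_rsa.pub >> ~/.ssh/authorized_keys" does,
# but idempotently, after validating the input, and with the permissions
# sshd expects (700 on ~/.ssh, 600 on the file).
# Usage: install_authorized_key <pubkey-file> [<home-dir>]  (home defaults to $HOME)
install_authorized_key() {
    pub="$1"
    home="${2:-$HOME}"
    sshdir="$home/.ssh"
    auth="$sshdir/authorized_keys"

    # A public key line looks like "<type> <base64 blob> [comment]"; anything
    # else (a private key pasted by mistake, an empty file) is rejected.
    key_type=$(awk 'NR==1{print $1}' "$pub" 2>/dev/null)
    key_blob=$(awk 'NR==1{print $2}' "$pub" 2>/dev/null)
    case "$key_type" in
        ssh-rsa|ssh-ed25519|ssh-dss|ecdsa-sha2-*) ;;
        *) echo "not an ssh public key: $pub" >&2; return 2 ;;
    esac
    [ -n "$key_blob" ] || { echo "empty key blob in $pub" >&2; return 2; }

    # With StrictModes (the default) sshd refuses to use authorized_keys when
    # ~/.ssh or the file itself is writable by group or others.
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$auth"
    chmod 600 "$auth"

    # Match on the key blob (field 2), not the whole line, so a differing
    # comment does not cause the same key to be appended twice.
    if awk -v b="$key_blob" '$2 == b { found = 1 } END { exit !found }' "$auth"; then
        echo "key already present in $auth"
        return 1
    fi
    head -n 1 "$pub" >> "$auth"
    echo "key added to $auth"
    return 0
}
```

The function returns 0 when the key was added, 1 when it was already there, and 2 when the input was not a public key.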

After a connection has been made for the first time, ~/.ssh/known_hosts gets an entry holding the address and the public key of the host.

There is the client program ssh, whereas on the other end the sshd server daemon has to run.

SSH Server

Under Gentoo, the ssh server daemon sshd is already installed on the computer.

/etc/init.d/sshd start

brings it alive and, the first time, generates the host keys:

* Generating Hostkey...
Generating public/private rsa1 key pair.
Your identification has been saved in /etc/ssh/ssh_host_key.
Your public key has been saved in /etc/ssh/ssh_host_key.pub.
The key fingerprint is:
09:30:4b:8c:7c:b6:c9:57:da:d4:73:35:98:f2:a4:ab root@geode
* Generating DSA-Hostkey...
Generating public/private dsa key pair.
Your identification has been saved in /etc/ssh/ssh_host_dsa_key.
Your public key has been saved in /etc/ssh/ssh_host_dsa_key.pub.
The key fingerprint is:
54:84:b5:06:16:c2:c1:6f:e7:ae:ad:25:a1:00:24:ec root@geode
* Generating RSA-Hostkey...
Generating public/private rsa key pair.
Your identification has been saved in /etc/ssh/ssh_host_rsa_key.
Your public key has been saved in /etc/ssh/ssh_host_rsa_key.pub.
The key fingerprint is:
aa:30:45:f3:86:22:15:a3:2d:d6:ac:7e:21:23:6d:a9 root@geode
* Starting sshd ...

or, to start it automatically at every boot, type rc-update add sshd default.

To copy a file from the local machine to a remote machine you can type:

scp <path and file on the local machine> <user or root>@<ip address or host name of remote machine>:<path on the remote machine>

There are different authentication possibilities in ssh, which have different levels of security:

  1. Secure password authentication (default)

  2. RSA (Rivest, Shamir, Adleman = 3 mathematicians) authentication (ssh version 1)

  3. DSA (Digital Signature Algorithm) (ssh version 2)

RSA and DSA use two keys:

  1. a public key to encrypt the local message before it is sent

  2. a private key to decrypt the message on the remote machine

The private key has to be stored secretly and may be stored encrypted on the local machine's hard disk. A passphrase is used to encrypt it.

The public key will be copied to the remote machine.

Much of the following, including generating the keys, is done by the command /etc/init.d/sshd start, or at boot once rc-update add sshd default has been run.

~/.ssh/known_hosts holds the fingerprints

/etc/ssh holds the configuration data

SSH Client

On the remote machine, type into the console:

ssh 192.168.1.34

or

ssh <username>@192.168.1.34

then the keys are exchanged and you have to log in. The console changes its prompt and it is ready to go.

To copy a file from a remote machine to the local machine you can type:

scp <user or root>@<ip address or host name of remote machine>:<path on the remote machine> <path and file on the local machine>

The command exit quits.

sftp is the ssh version of ftp.

ssh username@machine gets it running.

scp ~/.ssh/identity.pub username@machine: copies over the public key in a safe way (note the trailing colon; without it scp writes a local file named username@machine instead of copying to the remote machine).

ssh username@machine opens the console of the remote machine.

If next time ssh username@machine asks for the passphrase, RSA authentication is enabled.

The ssh-agent daemon and the keychain program make authentication easier.

The sshd (daemon) can be added to the boot scripts using rc-update. The configuration files are in /etc/ssh and the init script is in /etc/init.d.

SSH troubles

If you get

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:xst06A5oYmr2KleaFzpE8rCVQ672301cYJ6blFoYN0E.
Please contact your system administrator.
Add correct host key in /home/lindegur/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/lindegur/.ssh/known_hosts:6
ECDSA host key for 192.168.1.131 has changed and you have requested strict checking.
Host key verification failed.

and you are sure that nothing is wrong (for example the host key really has just been changed), then delete the offending entry in ~/.ssh/known_hosts (line 6 in the example above).
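As an added example (not from the original page), here is a POSIX shell function that removes the stale known_hosts entry for one host, which is what clears the warning above once you have confirmed out of band that the key change was legitimate. The known_hosts file in the usage is constructed; ssh-keygen -R <host> does the same job and additionally handles hashed (|1|...) entries, which this plain-text matcher cannot recognise.

```shell
#!/bin/sh
# Added example, not from the original page: drop every known_hosts line that
# names <host>, keeping a backup copy (<file>.old) so the removal can be undone.
# Hashed entries (lines starting with |1|) are not matched; use ssh-keygen -R for those.
# Usage: known_hosts_remove <host> [<known_hosts-file>]  (file defaults to ~/.ssh/known_hosts)
known_hosts_remove() {
    host="$1"
    file="${2:-$HOME/.ssh/known_hosts}"
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }

    # Keep a copy of the original before rewriting it.
    cp -p "$file" "$file.old"

    # Field 1 is a comma-separated host list; a line may start with a
    # "@marker" (then the hosts are field 2), and a non-default port is
    # written as "[host]:port". Print every line whose host list does not name $host.
    awk -v h="$host" '
        {
            f = $1
            if (f ~ /^@/) f = $2
            n = split(f, hosts, ",")
            keep = 1
            for (i = 1; i <= n; i++) {
                x = hosts[i]
                sub(/^\[/, "", x)
                sub(/]:[0-9]+$/, "", x)
                if (x == h) keep = 0
            }
            if (keep) print
        }' "$file.old" > "$file"

    removed=$(( $(wc -l < "$file.old") - $(wc -l < "$file") ))
    echo "$removed entry(s) for $host removed from $file"
    # exit status 0 only if something was actually removed
    [ "$removed" -gt 0 ]
}
```

After the entry is gone, the next ssh to that host asks you to confirm the new fingerprint, so compare it against a value obtained from the server side before answering yes.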
