| SSH | ||
|---|---|---|
 |
Chapter 8. Networking |  |
| SSH | ||
|---|---|---|
| |
Chapter 8. Networking | |
Secure Shell is used to connect via Ethernet to an other computer using the console. It is similar to telnet and rsh but more safe. Using telnet is easy, but the password required to login will be sent unencrypted. This might be acceptable on a local lan but is obviously too dangerous over Internet.
Login is possible via password or/and keys. Login via password takes place after having a encrypted connection, so password and username can not be seen.
An other authentication method that does not require manual typing in user name and password for authentication makes use of two keys the public and the private. However it ends up often that you have to type in manually a passphrase instead. The private is kept hidden, whereas the public must be given to the clients.
ssh-keygen
creates the keys and stores them in ~/.ssh additionally a passphrase needs to
be entered,
Later during use, some pop up window ask for the password, but mean the passphrase
The public key is ~/.ssh/id_rsa.pub and the private key is
~/.ssh/id_rsa
To login at the ssh server without password the public key id_rsa.pub must be known by the ssh server. This depends on the ssh server implementation but is usually done by appending the servers public key file to the clients authorized_keys file as:
cat id_rsa.pub >> ~/.ssh/authorized_keys obviously the file needs somehow be transferred from server to the client machine. In the simplest case this is done via an USB stick. A more elegant way is using a authorized SSH connection.
After the a connection has been done the first time
~/.ssh/known_host will get an
entry holding the address and the public key.
There is the client program ssh whereas on the other end the sshd server daemon has to run.
Under gentoo, the server ssh daemon sshd is already installed on the computer
/etc/init.d/sshd start
brings it alive and generates the first time the keys
* Generating
Hostkey...
Generating public/private
rsa1 key pair.
Your identification has been
saved in /etc/ssh/ssh_host_key.
Your public key has been
saved in /etc/ssh/ssh_host_key.pub.
The key fingerprint
is:
09:30:4b:8c:7c:b6:c9:57:da:d4:73:35:98:f2:a4:ab
root@geode
* Generating
DSA-Hostkey...
Generating public/private dsa
key pair.
Your identification has been
saved in /etc/ssh/ssh_host_dsa_key.
Your public key has been
saved in /etc/ssh/ssh_host_dsa_key.pub.
The key fingerprint
is:
54:84:b5:06:16:c2:c1:6f:e7:ae:ad:25:a1:00:24:ec
root@geode
* Generating
RSA-Hostkey...
Generating public/private rsa
key pair.
Your identification has been
saved in /etc/ssh/ssh_host_rsa_key.
Your public key has been
saved in /etc/ssh/ssh_host_rsa_key.pub.
The key fingerprint
is:
aa:30:45:f3:86:22:15:a3:2d:d6:ac:7e:21:23:6d:a9
root@geode
* Starting sshd
...
or to bring it each time alive type rc-update add sshd default.
To copy a file from the local machine to a remote machine
you can type scp<path and file on the local
machine><user
or root>@<ip
address or host name of remote
machine>:<path on the remote
machine>.
.
There are different authentication possibilities in ssh, that have a different level of security:
Secure password authentication (default)
RSA (Rivest, Samir, Ademan = 3 mathematicians) authentication (ssh version 1)
DSA (Digital Signature Algorithm) (ssh version 2)
RSA and DSA use two keys:
a public key to encrypt the local message before sent
a private key to decrypt the message on the remote machine
The private key has to get stored secretly and might be stored encrypted on the local machines hard disk. A passphrase is used to encrypt it.
The public key will be copied to the remote machine.
Many of the following including the keys is done by the command /etc/init.d/sshd start
or at boot when rc-update add sshd default got made.
~/.ssh/known_hosts holds the
fingerprints
/etc/ssh holds the
configuration data
On the remote machine type into console:
ssh 192.168.1.34
or
ssh <username>@192.168.1.34
then the keys are exchanged and you have to login.
To copy a file from a remote machine to the local machine
you can type scp<user or
root>@<ip
address or host name of remote
machine>:<path on the remote
machine><path
and file on the local
machine>The console changes
its prompt and it is ready to go.
The command exit quits.
sftp is the ssh ftp version
ssh username@machine makes it running
scp ~/.ssh/identity.pub username@machine copies over the public key in a safe way
ssh username@machine opens the console from the remote machine
If next time ssh username@machine asks for the passphrase RSA authentication is enabled.
The ssh_agent daemon and the keychain program make authentication easier.
The sshd
(daemon) can be added to the boot scripts using rc-update. The
configuration files are in /etc/ssh and the init script is in
/etc/init.d.
If you get @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY! Someone
could be eavesdropping on you right now (man-in-the-middle
attack)! It is also possible that a host key has just been
changed. The fingerprint for the ECDSA key sent by the remote
host is SHA256:xst06A5oYmr2KleaFzpE8rCVQ672301cYJ6blFoYN0E.
Please contact your system administrator. Add correct host
key in /home/lindegur/.ssh/known_hosts to get rid of this
message. Offending ECDSA key in
/home/lindegur/.ssh/known_hosts:6 ECDSA host key for
192.168.1.131 has changed and you have requested strict
checking. Host key verification failed.
and you are sure that nothing is wrong then delete the
entry in ~/.ssh/known_hosts
| |
 |
|
| Telnet |  |
FTP |
