SSHHowto

Revision 8 as of 2005-08-28 21:39:04

SSH

  • OpenSSH is a FREE version of the SSH protocol suite of network connectivity tools that increasing numbers of people on the Internet are coming to rely on. Many users of telnet, rlogin, ftp, and other such programs might not realize that their password is transmitted across the Internet unencrypted, but it is. OpenSSH encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks. Additionally, OpenSSH provides a myriad of secure tunneling capabilities, as well as a variety of authentication methods. -- From http://www.openssh.com/

Installing the ssh-server

If you want to securely connect to your machine from a remote computer, even an MS Windows machine using PuTTY, then you need to install a server that accepts the connection. Ubuntu uses openssh-server. You can obtain it like so:

    bash:~$ sudo apt-get install openssh-server

This will set up your SSH server.

Copying Files Over ssh

To copy a file from your computer to another computer over ssh you need the scp command. The command looks like this:

   bash:~$ scp <file> <username>@<ipaddress>:<DestinationDirectory>

Or, in layman's terms: if I were copying a file from one of my computers to another, I would run

   bash:~$ scp file.txt hornbeck@192.168.1.103:/home/hornbeck

So you have to make sure you include the <file>, the <username> on the computer you are logging into, its <ipaddress>, and the <DestinationDirectory> the file is going to be copied to.

You can also copy files from a remote computer to your local disk:

   bash:~$ scp hornbeck@192.168.1.103:/home/hornbeck/urls.txt .

The '.' means the file is copied into the current directory. You could also give a name such as **my.txt** instead, and the file would be renamed during copying.

Important: you cannot move files between two remote computers this way. Either the source or the destination must be a local file.

Note that if your local userid is the same as the remote userid, the user@ part can be omitted:

   bash:~$ scp 192.168.1.103:/home/hornbeck/urls.txt .

Browsing with Nautilus over ssh

Using Nautilus you can also access remote machines over ssh for browsing, editing and copying. Open a Nautilus file browser (e.g. via Computer -> Home Directory), then press CTRL-L and enter the following URL:

   ssh://<username>@<hostname>

(replace username and hostname accordingly)

Copying files is done by dragging and dropping them into another Nautilus window, just like within your local filesystem.

Logging in to a remote computer over ssh

To log in to a remote computer running an ssh server, enter something like this:

    bash:~$ ssh <username>@<ipaddress>

Example:

    bash:~$ ssh phyrex@192.168.23.42

Note:

  • You can always use the hostname (if it is known to the system, e.g. via /etc/hosts) instead of the IP address.

Public key authentication

Formerly everybody used the typical username/password authentication. However, if someone guessed or sniffed your password, your security was compromised. For quite some time SSH has offered *public key authentication*, which uses a private and a public key instead of a simple password.

Unless you already have a private key, you first need to create one. Enter:

  • ssh-keygen -t dsa

You will then be asked where to save the private key (just accept the default location) and to choose a passphrase. The passphrase is used to encrypt your private key. Anyone who gets access to your (unprotected) private key will have your permissions on other computers. Please take a moment and think of a really good passphrase. See ChoosingSecurePassword if you don't know what that means.

Now, to gain access to other computers, they need to *trust* your public key. Your public key was created along with the new private key. It is usually located at:

  • ~/.ssh/id_dsa.pub

The target user needs to have this key (a single line of ASCII characters) in their authorized keys file, located at:

  • ~/.ssh/authorized_keys2

on the target system. So either you copy and paste the line into the authorized_keys2 file yourself, or you use the "ssh-copy-id" command like this:

  • ssh-copy-id root@fileserver01

You will be asked for the root password of that computer. If password authentication is disabled there, you need to transfer your key by another medium and paste it in. After your public key has been added you are trusted. Run:

  • ssh root@fileserver01

and you should no longer be asked for the password but for the *passphrase*. Please note that the password and the passphrase do different things. The password is saved in the /etc/passwd of the target system. The passphrase is used to decrypt your private key on your system.

To reiterate: the security gain of public key authentication over password authentication is that two things are needed to get access:

  • your (encrypted) private key
  • your passphrase (which is needed to decrypt the private key)

So if you chose no passphrase at all (which is possible; see "Automated access in batch scripts" below) you would have even less security than with a password alone.

Note:

  • Password-based authentication is disabled by default in Ubuntu. Users who wish to log in remotely using passwords therefore have to enable it manually by setting "PasswordAuthentication yes" in the file /etc/ssh/sshd_config. Don't forget to restart your ssh server after changing the configuration (/etc/init.d/ssh restart).

Restricting SSH access

When using SSH public key authentication there is another nifty feature: the target server can restrict which commands a given key is allowed to run. If you maintain a CVS repository you could use lines like this in the authorized_keys2 file:

  • command="/usr/bin/cvs server" ssh-dss AAAAB3N....

This would allow only this very command to be run. Nothing else.

Automated access in batch scripts

Public key authentication (see above) can also be used to automate tasks that would usually require typing in a password. Imagine you want to copy a file from a remote computer every midnight. All you need to do is establish trust between the two computers. Create a service account on one computer, create a keypair (ssh-keygen -t dsa) and, when asked for a passphrase, just press 'ENTER'. This leaves the private key unprotected. Add the public key to the other computer's authorized_keys2 file (ssh-copy-id). Now you can SSH to that machine without being asked for a passphrase. Add an SSH call to your crontab and you are set.

Be careful!

  • Having an unprotected private key may be a security hole: an attacker would only need to obtain the key file to access the target computer.
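The command= restriction and the unprotected batch key above fit together: the key the nightly job uses can be pinned to a forced command so that, if the key file leaks, it can fetch files from one directory and nothing else. The wrapper below is an added example (not from the original page or from OpenSSH); the script path, the export directory and the file names are assumed, while SSH_ORIGINAL_COMMAND and the no-port-forwarding/no-pty key options are real OpenSSH behaviour.

```shell
#!/bin/sh
# Forced-command wrapper for one authorized_keys2 entry, e.g.
#   command="/usr/local/bin/ssh-fetch-only",no-port-forwarding,no-pty ssh-dss AAAA...
# (the script path is an assumed example). sshd runs this script instead of
# whatever the client asked for and puts the client's request into
# SSH_ORIGINAL_COMMAND, so a leaked passphrase-less key can only do what the
# allow list below permits.

EXPORT_DIR=/srv/export   # assumed: the only directory the nightly job may read

# allowed_command CMD: if CMD is "scp -f <file>" (what scp runs on the remote
# side when you fetch a file) for a file under EXPORT_DIR, print the file
# path and return 0; otherwise print nothing and return 1.
allowed_command() {
    cmd=$1
    case "$cmd" in
        "scp -f $EXPORT_DIR/"*) ;;
        *) return 1 ;;
    esac
    path=${cmd#scp -f }
    case "$path" in
        *..*) return 1 ;;                # no climbing out of EXPORT_DIR
        *[!A-Za-z0-9._/-]*) return 1 ;;  # no spaces, quotes or shell metacharacters
    esac
    printf '%s\n' "$path"
}

# Dispatch only when invoked by sshd; this keeps the file sourceable for testing.
if [ -n "${SSH_ORIGINAL_COMMAND+x}" ]; then
    if src=$(allowed_command "$SSH_ORIGINAL_COMMAND"); then
        exec scp -f "$src"
    fi
    logger -t ssh-fetch-only "rejected: $SSH_ORIGINAL_COMMAND"
    echo "command not permitted" >&2
    exit 1
fi
```

Rejected requests end up in the system log, so attempts to use a stolen key for anything else become visible.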

Using the ssh-agent

If you frequently need to copy files over SSH or access other computers in your network (a common task for administrators), you probably wonder whether there is a way to simplify entering the passphrase. Actually there is; it's called the *SSH agent*. You only need to enter your passphrase once using "ssh-add", and everything you start as a subprocess of the SSH agent can then use the unlocked key without asking again.

Too much theory? Well, you won't need to worry about the agent. Your X session already runs inside an ssh-agent session automatically. All you need to do is launch "ssh-add" and type in your passphrase. The next time you use *SSH* to access another computer you will not have to enter your passphrase again. Nice, huh? :)

Important:

  • You should lock your screen whenever you leave your desk. With the key loaded in the agent, other people could access the other computers from your computer without even knowing your passphrase.

If you would like to be asked for the passphrase once after login, you can add a call to "ssh-add" to your session startup like this:

  • Click on *Computer*
  • Choose *Desktop Preferences*
  • Choose *Sessions*
  • Select the *Startup Programs* tab
  • Click on *Add*
  • Enter "ssh-add" as a command

After the next login you should be asked for the passphrase.

Security

User logins and other authentication events are recorded in /var/log/auth.log (and the rotated auth.log.0, etc.). If you would like to see whether anybody has attempted to log in to your system, examine these files. The command

 bash:~$ awk '/Invalid user/ {print $8}' /var/log/auth.log.0 | sort | uniq -c

will show you which nonexistent usernames (probably from an automated attack) were tried, each preceded by the number of times that name was used.
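As an added example (not from the original page), the one-liner above is extended into a small script that also counts failed password attempts per source address, so a single host hammering many account names stands out. The log lines are constructed samples in the syslog format sshd writes; on a real system run the functions against /var/log/auth.log instead.

```shell
#!/bin/sh
# Summarise sshd authentication failures from an auth.log.

# Constructed sample lines (hostnames and addresses are made up for the example).
SAMPLE_LOG=$(cat <<'EOF'
Aug 28 21:39:04 fileserver01 sshd[4012]: Invalid user admin from 203.0.113.7
Aug 28 21:39:05 fileserver01 sshd[4012]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Aug 28 21:39:09 fileserver01 sshd[4015]: Invalid user oracle from 203.0.113.7
Aug 28 21:39:10 fileserver01 sshd[4015]: Failed password for invalid user oracle from 203.0.113.7 port 50131 ssh2
Aug 28 21:40:01 fileserver01 sshd[4020]: Invalid user admin from 198.51.100.23
Aug 28 21:40:02 fileserver01 sshd[4020]: Failed password for invalid user admin from 198.51.100.23 port 33201 ssh2
Aug 28 21:41:13 fileserver01 sshd[4031]: Failed password for hornbeck from 192.168.1.103 port 40212 ssh2
Aug 28 21:41:20 fileserver01 sshd[4031]: Accepted publickey for hornbeck from 192.168.1.103 port 40212 ssh2
EOF
)
SAMPLE_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$SAMPLE_FILE"

# invalid_users LOGFILE: "<count> <username>" for every nonexistent account
# that was tried, most frequent first (the page's awk, with a stable order).
invalid_users() {
    awk '/sshd\[[0-9]+\]: Invalid user / {print $8}' "$1" \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# failed_by_source LOGFILE: "<count> <ip>" of failed password attempts per
# source address. The word after "from" is the address; its field number
# varies because "for invalid user NAME" is longer than "for NAME".
failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1)
         }' "$1" | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# invalid_user_count LOGFILE: total attempts against nonexistent accounts.
invalid_user_count() {
    grep -c 'sshd\[[0-9]*\]: Invalid user ' "$1"
}

echo "Invalid usernames tried:";      invalid_users "$SAMPLE_FILE"
echo "Failed passwords by source:";   failed_by_source "$SAMPLE_FILE"
echo "Total invalid-user attempts: $(invalid_user_count "$SAMPLE_FILE")"
```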
