OpenSSH: Secure Shell

Academic year: 2021


(1)

Remote console access

www.supinfo.com

Copyright © SUPINFO. All rights reserved

OpenSSH: Secure Shell


(3)

Course objectives

By completing this course, you will:

- Connect to a remote server. Secure shell access.
- Set up pubkey authentication. No more passwords to remember.
- Configure an ssh server. Control server settings.
- Run an X11 application through a tunnel. Protect your privacy.
- Forward ports. And secure the communication channel.

(4)

Course topics

Course's plan:

- Remote connection. Shell access and file transfer.
- Public key authentication. No more passwords!
- Configuration. Client side and server side.
- X Forwarding.
- Port Forwarding.

(5)

Remote connection

Shell access and file transfer

(6)

Open a shell

Remote connection

The ssh command syntax:

    ssh -p 22 user@hostname

- ssh: the command, connect to a remote host
- -p 22: port number (optional)
- user: remote user you're connecting as
- hostname: hostname or address to connect to

(7)

Copy files

Remote connection

Secure Copy: send files through the ssh tunnel.

    $ scp [options] source destination

Options:

- -C: enable gzip compression
- -P port: connect on port
- -2 / -1: force protocol version

(8)

Copy files

Remote connection

Local to remote scp syntax:

    scp file user@hostname:/path/to/file

- scp: the command
- file: local file to send
- user: remote login (username)
- hostname: hostname or address to connect to
- /path/to/file: remote file path

(9)

Copy files

Remote connection

Remote to local scp syntax:

    scp user@hostname:/path/to/file file

- scp: the command
- user: remote login (username)
- hostname: hostname or address to connect to
- /path/to/file: path to the remote file
- file: copy the remote file to this local file / path

(10)

Copy files

Remote connection

    sftp [-P port] user@machine

FTP-like interactive session.

Options:

- -P port: connect to port

Example session:

    [root@localhost ~]# sftp bob@chaise
    sftp> cd /
    sftp> pwd
    Remote working directory: /
    sftp> get /etc/passwd
    /etc/passwd                100% 1989     1.9KB/s   00:00

(11)

Stop-and-think

Remote connection

(12)

Stop-and-think

Remote connection

Options: -p, -C, -l, -P, -e

You want to copy a file from a remote server to the local machine. The remote ssh server is listening on port 110. Which scp switch are you going to use?



(15)

Pubkey authentication

No more passwords !

(16)

Why?

Pubkey authentication

- Passwords
  - Hard to remember
  - Long to type
  - Insecure
- Pubkey
  - Nothing to remember
  - Nothing to type
  - Secure as long as the private key is safe
(17)

How does it work?

Pubkey authentication

The exchange as drawn on the slide (client on the left, server on the right):

1. Client -> Server: login request + pubkey
2. Server: pubkey lookup
3. Server -> Client: challenge encrypted with the pubkey
4. Client: decrypts the challenge with the private key
5. Client -> Server: MD5 footprint of the challenge
6. Server: received MD5 == MD5(challenge)?
(18)

Setup

Pubkey authentication

- Generate your key pair
- Copy your pubkey to the server
  - ~/.ssh/authorized_keys
  - Manual procedure: scp && ssh
  - Automatic procedure: ssh-copy-id
    - Need to have your id set

(19)

Generate key pair

Pubkey authentication

- Public-key cryptography
- RSA or DSA
- Create key pair in ~/.ssh/
  - id_rsa (private)
  - id_rsa.pub (public)
- Manually point (symlink) ~/.ssh/identity.pub to your pubkey

(20)

Copy your public key

Pubkey authentication

ssh-copy-id: your friendly script.

    $ ssh-copy-id [options] user@machine

Options:

- -i file: use file as pubkey, instead of the default

(21)

Stop-and-think

Pubkey authentication

(22)

Stop-and-think

Pubkey authentication

    [bob@linux ~]$ ssh-copy-id bob@10.1.40.2

True / False: You can now connect to 10.1.40.2 as bob without a password.


(24)

Configuration

Client side and server side

(25)

Server Config

Configuration

- /etc/ssh/sshd_config
  - Port
  - Protocols
  - Interfaces
  - Server keys
  - Authentication
  - Allowed/Denied users
  - X Forwarding
  - …
(26)

Server Config

Configuration

Config example:

    Port 22
    Protocol 2
    ListenAddress 0.0.0.0
    KeepAlive yes
    HostKey ssh_host_dsa.key
    HostKey ssh_host_rsa.key
    PermitRootLogin no
    PasswordAuthentication yes
    PubkeyAuthentication yes
    PermitEmptyPasswords no
    X11Forwarding yes

    # order: DenyUsers, AllowUsers, DenyGroups, AllowGroups
    DenyUsers bob john

    Match User bill
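As an added example (not from the slides), a small Python checker that parses an sshd_config like the one above, applies the Deny/Allow lists in the order the comment gives, and flags the weak settings a reviewer looks for. The AllowUsers and AllowGroups lines in the sample are assumed additions to the slide's config; Match blocks are ignored.

```python
import fnmatch

# Constructed sample: the slide's sshd_config trimmed to the settings checked below, plus
# AllowUsers/AllowGroups lines (assumed here) so every step of the evaluation order is exercised.
SAMPLE_SSHD_CONFIG = """\
Protocol 2
PermitRootLogin no
PasswordAuthentication yes
PermitEmptyPasswords no
# order: DenyUsers, AllowUsers, DenyGroups, AllowGroups
DenyUsers bob john
AllowUsers bob alice bill
AllowGroups admins
Match User bill
"""

def parse_sshd_config(text):
    """Global section as {keyword_lower: [values]}; parsing stops at the first Match block."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        key, _, value = line.partition(" ")
        if key.lower() == "match":
            break  # conditional blocks are out of scope for this checker
        if key:
            cfg.setdefault(key.lower(), []).extend(value.replace(",", " ").split())
    return cfg

def user_allowed(cfg, user, groups):
    """DenyUsers, AllowUsers, DenyGroups, AllowGroups, in that order (the slide's comment)."""
    for key, names, deny in (("denyusers", [user], True), ("allowusers", [user], False),
                             ("denygroups", groups, True), ("allowgroups", groups, False)):
        if key not in cfg:
            continue
        hit = any(fnmatch.fnmatchcase(n, p) for n in names for p in cfg[key])
        if hit == deny:  # a Deny hit rejects; an Allow list without a hit rejects
            return False
    return True

WEAK = {  # settings a reviewer flags, with the value that triggers the finding
    "permitrootlogin": ("yes", "root may log in directly"),
    "passwordauthentication": ("yes", "password logins enabled; pubkey-only is stronger"),
    "permitemptypasswords": ("yes", "empty passwords accepted"),
    "protocol": ("1", "SSH protocol 1 is obsolete"),
}

def audit(cfg):
    return [f"{k}: {why}" for k, (bad, why) in WEAK.items()
            if bad in [v.lower() for v in cfg.get(k, [])]]
```

Note that bob is listed in both DenyUsers and AllowUsers and is still rejected, because DenyUsers is evaluated first.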

(27)

Client Config

Configuration

n  System wide

n  /etc/ssh/ssh_config

§  Default config

§  Per host features – Port

– Keys

– …

n  Per-User

n  ~/.ssh/config

(28)

Client config

Configuration

Client config: /etc/ssh/ssh_config or ~/.ssh/config.

    Host *
        IdentityFile ~/.ssh/id_rsa
    Host 192.168.1.1
        Port 53
    Host 192.168.1.10
        Port 110
        ForwardX11 no
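As an added example (not from the slides), a Python resolver for a client config like the one above. It implements the rule that matters when several Host blocks apply: ssh keeps the first value obtained for each keyword, so a catch-all block must come last. The trailing Host * block in the sample is an assumed addition to the slide's config.

```python
import fnmatch

# Constructed sample: the slide's client config (IdentityFile spelled correctly) with a
# trailing catch-all block added here to show how ordering decides the effective value.
SAMPLE_SSH_CONFIG = """\
Host *
    IdentityFile ~/.ssh/id_rsa
Host 192.168.1.1
    Port 53
Host 192.168.1.10
    Port 110
    ForwardX11 no
Host *
    Port 22
    ForwardX11 yes
"""

def parse_ssh_config(text):
    """Return [(host_patterns, {keyword_lower: value}), ...] in file order."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "host":
            current = (value.split(), {})
            blocks.append(current)
        elif key and current is not None:
            current[1].setdefault(key, value)  # first value within a block wins too
    return blocks

def host_matches(patterns, hostname):
    """ssh_config Host semantics: some positive pattern must match and no '!' pattern may."""
    positive = [p for p in patterns if not p.startswith("!")]
    negated = [p[1:] for p in patterns if p.startswith("!")]
    return (any(fnmatch.fnmatchcase(hostname, p) for p in positive)
            and not any(fnmatch.fnmatchcase(hostname, p) for p in negated))

def resolve(blocks, hostname):
    """Effective options for hostname: walk the blocks in order and keep the FIRST value
    obtained for each keyword, as ssh(1) does; later blocks only fill gaps."""
    effective = {}
    for patterns, opts in blocks:
        if host_matches(patterns, hostname):
            for key, value in opts.items():
                effective.setdefault(key, value)
    return effective
```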

(29)

Stop-and-think

Configuration

(30)

Stop-and-think

Configuration

Options: Host, Port, Listen, ~/.ssh/config, /etc/ssh/sshd_config

You're working with a server running ssh on port 437. You don't want to specify it each time you use any ssh-based tool. Which file will you modify? Which


(32)

X Forwarding

Secure X transport

(33)

About X Forwarding

X Forwarding

- Native X feature, ssh-tunneled
- Run remotely
- Display locally
- Has to be enabled
  - Server side
  - Client side
- Ssh creates a DISPLAY proxy.
- Nothing more to do than adding -X

(34)

Run a remote application

X Forwarding

Run firefox remotely, display on your screen:

    [user@localhost]$ ssh -X bob@baracuda

(35)

Stop-and-think

X Forwarding

(36)

Stop-and-think

X Forwarding

True False

(37)

Port Forwarding

Secure tunneling

(38)

About port forwarding

Port Forwarding

n  Forward data through the ssh tunnel

n  Local port forwarding

n  Input on local port transported to

remote port

n  Remote port forwarding

n  Incoming data on remote port is

brought to the local port, courtesy of ssh.

(39)

Local port forwarding

Port Forwarding

(40)

Remote port forwarding

Port Forwarding

    ssh -R 80:localhost:80 login@server

- Data incoming on port 80 on server will be available on port 80 on localhost

(41)

Stop-and-think

Port Forwarding

(42)

Stop-and-think

Port Forwarding

Options: Local, Remote

You want to redirect the localhost:8080 port to 192.168.1.1:80. Which type of port forwarding will you use?


(44)

Course summary

- Secure shell access
- File transfer
- Pubkey auth
- Client configuration
- X Forwarding and TCP forwarding

(45)

For more

OpenSSH: Secure Shell

If you want to go into these subjects more deeply, …

Courses / Publications / Web sites / Conferences:

- www.labo-linux.com
- www.blackbeltfactory.com
- Linux Technologies: Edge Computing
- FOSDEM, RMLL, Solutions Linux

www.supinfo.com

(46)

Congratulations

You have successfully completed

the SUPINFO course module n°21

(47)

The end

- Stop bothering with passwords: use pubkey auth.
- Passphrase-protected keys? Use an agent.
