Experimental Techniques 8
Remotely Logging into a Linux Workstation
JinJie Jiang, Ph.D., Ralph T. Weber, Ph.D.
Bruker BioSpin Corporation, EPR Division, 19 Fortune Drive, Billerica, MA, USA

1. Introduction

The Linux workstation delivered with your Elexsys EPR spectrometer offers you several options to log in remotely or transfer files. The most commonly used tools have been Telnet or rlogin for remote login and FTP or rcp for data transfer. Computer experts discourage the use of these tools because they do not offer the security required to protect your system and information from mischief. For this reason, many versions of Red Hat Linux disable FTP and Telnet by default. We encourage using alternative tools such as SSH (Secure SHell) and SFTP (Secure FTP), which give you similar functionality with added security. This note describes SSH and SFTP from either a Linux or MS Windows platform. It also describes how to activate and heighten the security of your Linux workstation should you still choose to use FTP and Telnet.

2. SSH, A Secured Way to Telnet

2.1. What is SSH?

SSH (Secure SHell) is an internet protocol that allows a user to connect to a remote host via an encrypted link by: 1) an authentication process with a special key, and 2) encrypting information, including passwords, that could otherwise be intercepted by hackers. To use SSH you need: 1) an sshd daemon running on the server; 2) an SSH program on the client computer; 3) a user's account and password on the server. To check whether sshd is running on the server, use the command ps -ax | grep sshd on the server. If it is not running, start the daemon by typing /usr/sbin/sshd (n.b. you must be root to use this command). The Red Hat Linux operating system provides an SSH program for both the server and client. For the SGI O2 IRIX operating system and the MS Windows operating system, free and commercial SSH or SSH-like software is available for client and server computers.
Special regulations may apply to encryption software depending on your country. Make sure you do not violate these regulations.
2.2. SSH from a Linux workstation

It is easy to use SSH to connect a computer running Red Hat Linux to a Red Hat Linux workstation, since the sshd daemon is running by default. Simply open a shell window and type ssh <server's IP address> at the prompt. You can also use the server's hostname if it is listed in the client computer's /etc/hosts file or a DNS (Domain Name Server) is available. You will be prompted for a user account and password. The first time you try to connect to the remote host you will be asked whether the host is a trusted host. If your answer is Yes, a so-called magic key (authentication) will be generated for you and then you can proceed just as you would with Telnet. If you activated remote display with the command xhost + <host IP address> before launching SSH, you can launch the Xepr program after you log in remotely.

2.3. SSH from MS Windows

A Microsoft Windows operating system does not provide SSH support. You need to install an SSH program. Several web sites provide SSH software either for free or commercially. You can find them at http://www.freessh.org. A particularly useful web site is http://www.openssh.com. It provides a free MS Windows-based client program called PuTTY that offers SSH connections. Read the instructions and manuals posted on the above web site before you install.
Figure 2-1 Configuring and launching PuTTY (SSH) from an MS Windows-based computer (callouts: enter hostname or IP address; select SSH; name the session).

Double click the putty.exe icon to launch the program. A configuration dialog window opens (see Figure 2-1). Enter the IP address or hostname of the SSH server, e.g. the Linux workstation. Select SSH as the protocol. You can give the session a name and Save it so that you can Load it the next time. Click the Open button to start the connection. A DOS window opens prompting for a login account and password. Enter the user account name and password and you will be connected to the host. The first time you establish the connection you need to answer yes to the question of whether the remote host is a trusted host.

Figure 2-2 Login to a remote host using the SSH program.
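The "trusted host" question in 2.2 and 2.3 is asked because the client stores the server's host key in its known_hosts file on the first connection and compares against it afterwards. The script below is an added example, not code from the Bruker note or from OpenSSH: it checks what the client has stored for a host against a copy of the server's public host key obtained directly from the server, so that a later "changed key" situation is recognised rather than waved through. The function names (known_host_key, check_host_key), the temporary file paths and the key strings are all constructed for this example; the key strings are placeholders, not real keys.

```shell
#!/bin/sh
# Added example (not from the Bruker note): classify a host's entry in an
# OpenSSH known_hosts file against the public host key copied out of band
# from the server (e.g. /etc/ssh/ssh_host_rsa_key.pub read at its console).
# Everything here is constructed: the paths are temporary and the key
# strings are placeholders, not real keys.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed known_hosts: one line per host, fields are
#   <hostname[,alias,...]> <key type> <base64 key> [comment]
cat > "$WORK/known_hosts" <<'EOF'
# lines starting with # are comments
epr-linux,192.168.99.5 ssh-rsa AAAAB3NzaC1yc2E-PLACEHOLDER-KEY-1 workstation
other-host ssh-rsa AAAAB3NzaC1yc2E-PLACEHOLDER-KEY-2
EOF

# Constructed copy of the server's public host key as shown on its console.
cat > "$WORK/server_key.pub" <<'EOF'
ssh-rsa AAAAB3NzaC1yc2E-PLACEHOLDER-KEY-1 root@epr-linux
EOF

# known_host_key KNOWN_HOSTS HOST KEYTYPE
# Prints the stored key for HOST (matching any alias in field 1) or nothing.
known_host_key() {
    awk -v host="$2" -v type="$3" '
        /^#/ || /^@/ || NF < 3 { next }   # skip comments, @marker lines, junk
        $2 != type { next }
        {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++)
                if (names[i] == host) { print $3; exit }
        }' "$1"
}

# check_host_key KNOWN_HOSTS HOST PUBKEY_FILE
# Prints one word: unknown (ssh will ask the "trusted host?" question on the
# first connection), match (stored key equals the server's key), or MISMATCH
# (a different key is stored for this host; do not simply answer yes).
check_host_key() {
    expected_type=$(awk '{ print $1 }' "$3")
    expected_key=$(awk '{ print $2 }' "$3")
    stored=$(known_host_key "$1" "$2" "$expected_type")
    if [ -z "$stored" ]; then
        echo unknown
    elif [ "$stored" = "$expected_key" ]; then
        echo match
    else
        echo MISMATCH
    fi
}

# Usage: compare what the client has stored for the workstation with the key
# copied from the workstation itself.
for h in 192.168.99.5 epr-linux other-host 10.0.0.1; do
    printf '%-14s %s\n' "$h" "$(check_host_key "$WORK/known_hosts" "$h" "$WORK/server_key.pub")"
done
```

The same known_hosts file is consulted by sftp (section 3), since it uses SSH's authentication, so the check applies to both tools. On a real client the file to pass is ~/.ssh/known_hosts and the reference key is read from the workstation's own /etc/ssh directory, not fetched over the network.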
3. SFTP, A Secure Way to FTP

3.1. What is SFTP?

Similar to SSH, SFTP (Secure FTP) is a secure means to transfer files. It utilizes SSH's authentication feature and encrypts the transactions.

3.2. SFTP from a Linux System

To SFTP between computers with Linux operating systems you can simply enter sftp <IP address (or hostname)> in a shell window. The authentication and login process are the same as for SSH.

3.3. SFTP from an MS Windows System

You can find SFTP freeware for MS Windows-based systems at the web site http://www.openssh.com/windows.html. Among these programs, ixplore is particularly convenient and easy to use since it has a graphical user interface. Download and install this software package onto your MS Windows-based PC following the instructions on its web site. Launch the ixplore program. In the window that opens, right-click SSH Hosts > New SSH Host (see Figure 3-3).

Figure 3-3 Setting up a New SSH Host.
A pop-up window, Remote SSH Host Properties, opens. In the Remote SSH Host Properties window enter the Host Display Name, Host (IP address or complete hostname), Username, and other optional information. Click OK.

Figure 3-4 Entering Remote SSH Host Properties.
You need to confirm that the remote host is a trusted host as part of the authentication process. You will not be able to type in the text box; click the Yes button instead. You may need to scroll down to see the Yes button.

Figure 3-5 Confirming the remote host.

If your New SSH Host was configured properly you will be prompted for the password. Enter the password and click OK.

Figure 3-6 Entering the password.
Now you are logged in. From the window you can upload or download files or folders. The nice thing about this program is that you can drag and drop.

Figure 3-7 SFTP window (local site on one side, remote site on the other).

After you finish the transaction you can log out by right-clicking the remote host icon and then clicking Log Off (see Figure 3-8).

Figure 3-8 Logout from the remote host.

If you save this session you will find the icon in the SSH Hosts list. You can click the icon and then Open to start an SFTP session, or click Properties to modify the configuration. You can reestablish a connection to an SSH host simply by clicking its icon to start an SFTP session. A right mouse click allows you to modify the settings.

4. What If I Still Want to Use Telnet or FTP?

4.1. How to activate Telnet and FTP

By default, Red Hat Linux (7.1 or above) disables Telnet and FTP. You can activate them on a server by modifying their configuration files. You need to be root to edit these files. Use a text editor to open the /etc/xinetd.d/telnet file. Find the entry disable = yes and change it to disable = no. Save the modified file. Edit the /etc/xinetd.d/wu-ftp file the same way. In a shell window enter service network restart. The new settings will then be active, and you will be able to log in remotely with Telnet or FTP.

4.2. Make it a little safer

You can limit the Telnet and FTP services to trusted hosts only if you know their IP addresses. In the /etc/xinetd.d/telnet file add a line: only_from = <IP address(es)>. Separate the IP addresses with a comma if there is more than one. You can also enter a subnet address to allow all the hosts in that subnet to access the service. The format is <subnet address>/<number of bits for network and subnet>. For example, if you add only_from = 192.168.99.0/24, all 254 hosts in the subnet 192.168.99.0 can access your Telnet service. The number 24 indicates that 24 bits of the 32-bit IP address are used for the network/subnet address. If you change it to only_from = 192.168.99.16/28, the first 28 of the 32 bits are used for the network/subnet address, and the 14 hosts from 192.168.99.17 to 192.168.99.30 of the subnet 192.168.99.16 are allowed to log in remotely with Telnet. Ask your local network administrator for the subnet address and network mask if you plan to allow all your local subnet users to use Telnet.

You can set the same restriction on FTP via the /etc/xinetd.d/wu-ftp file.

It is not recommended that you increase the security by editing the hosts.allow and hosts.deny files, since that might cause booting problems for the acquisition server.
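The two edits of section 4 (flipping disable to no in 4.1, adding an only_from line in 4.2) and the subnet arithmetic behind the /24 and /28 examples, worked through in an added example that is not part of the Bruker note. It operates on a constructed copy of the telnet service file in a temporary directory, never on /etc/xinetd.d itself, and it does not restart anything; the function names (enable_service, setting, cidr_hosts, int2ip) and the file contents are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the Bruker note). It applies the section 4 edits to a
# constructed copy of /etc/xinetd.d/telnet in a temporary directory (never to
# the real file) and works out which hosts an only_from subnet admits. It does
# not restart any service.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed copy of the telnet service file as shipped (service disabled).
cat > "$WORK/telnet" <<'EOF'
service telnet
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        disable         = yes
}
EOF

# enable_service FILE NETWORK
# Changes "disable = yes" to "disable = no" and adds an only_from line that
# limits the service to NETWORK (one address, or a subnet in CIDR form).
enable_service() {
    awk -v net="$2" '
        /^[ \t]*disable[ \t]*=/ {
            sub(/=[ \t]*yes/, "= no")
            print
            printf "        only_from       = %s\n", net
            next
        }
        { print }' "$1" > "$1.new" && mv "$1.new" "$1"
}

# setting FILE KEY -> the value of KEY in the service file (first match)
setting() {
    awk -v key="$2" '$1 == key && $2 == "=" { print $3; exit }' "$1"
}

# int2ip N -> dotted-quad form of the 32-bit integer N
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# cidr_hosts A.B.C.D/BITS -> "first_host last_host count"
# Uses the note's convention: the all-zero (network) and all-one (broadcast)
# host addresses are excluded, so /24 gives 254 hosts and /28 gives 14.
# Assumes prefixes of /30 or shorter.
cidr_hosts() {
    addr=${1%/*}
    bits=${1#*/}
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    ip=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    size=$(( 1 << (32 - bits) ))
    network=$(( ip - ip % size ))       # clear the host bits
    echo "$(int2ip $(( network + 1 ))) $(int2ip $(( network + size - 2 ))) $(( size - 2 ))"
}

# Usage: enable telnet for the 192.168.99.16/28 subnet only, then show the
# resulting file and the hosts that subnet actually covers.
enable_service "$WORK/telnet" 192.168.99.16/28
cat "$WORK/telnet"
cidr_hosts 192.168.99.0/24
cidr_hosts 192.168.99.16/28
```

Running cidr_hosts on a proposed only_from value before saving the file shows exactly which addresses will be admitted, which is the check to make when the subnet address and mask come from the network administrator rather than from your own records; a mistyped prefix length (say /24 instead of /28) admits 254 hosts instead of 14.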
5. Glossary

rcp: Remote CoPy.
rlogin: Remote LOGIN.
rsh: Remote SHell.
ssh: Secure SHell, a basic rlogin/rsh-like client program.
sshd: The ssh daemon that permits you to login.
ssh-agent: An authentication agent that can store private keys.
ssh-add: Tool which adds keys to the above agent.
sftp: FTP-like program that works over SSH1 and SSH2 protocols.
scp: Secure CoPy, a file copy program that acts like rcp.
ssh-keygen: Key generation tool.
sftp-server: SFTP server subsystem (started automatically by sshd in a Linux system).
ssh-keyscan: Utility for gathering public host keys from a number of hosts.