OpenSSH: Secure Shell
Remote console access

www.supinfo.com
Copyright SUPINFO. All rights reserved.
Course objectives

By completing this course, you will:
- Connect to a remote server: secure shell access.
- Set up public-key authentication: no more passwords to remember.
- Configure an ssh server: control the server settings.
- Run an X11 application through a tunnel: protect your privacy.
- Forward ports, and secure the communication channel.
Course topics

Course plan:
- Remote connection: shell access and file transfer.
- Public-key authentication: no more passwords!
- Configuration: client side and server side.
- X forwarding.
- Port forwarding.
Remote connection
Shell access and file transfer
Remote connection: open a shell

The ssh command syntax:

    $ ssh -p 22 user@hostname

- ssh: the command; connect to a remote host.
- -p 22: port number (optional).
- user: the remote user you are connecting as.
- hostname: hostname or address to connect to.
Remote connection: copy files

Secure copy: send a file through the ssh tunnel.

    $ scp [options] source destination

Options:
- -C: enable gzip compression.
- -P port: connect on port.
- -2 / -1: force the protocol version.
Remote connection: copy files (local to remote)

scp syntax, local to remote:

    $ scp file user@hostname:/path/to/file

- file: local file to send.
- user: remote login.
- hostname: hostname or address to connect to.
- /path/to/file: remote file path.
Remote connection: copy files (remote to local)

scp syntax, remote to local:

    $ scp user@hostname:/path/to/file file

- user: remote login.
- hostname: hostname or address to connect to.
- /path/to/file: path to the remote file.
- file: copy the remote file to this local file or path.
Remote connection: copy files (FTP-like interactive session)

    $ sftp [-P port] user@machine

Options:
- -P port: connect to port.

Example:

    [root@localhost ~]# sftp bob@chaise
    sftp> cd /
    sftp> pwd
    Remote working directory: /
    sftp> get /etc/passwd
    /etc/passwd                                   100% 1989     1.9KB/s   00:00
Remote connection: stop and think

Do you have any questions?
Remote connection: stop and think

You want to copy a file from a remote server to the local machine. The remote ssh server is listening on port 110. Which scp switch are you going to use?
- -p
- -C
- -l
- -P
- -e
Public-key authentication
No more passwords!
Public-key authentication: why?

Why use public keys?
- Passwords:
  - hard to remember;
  - long to type;
  - insecure.
- Public keys:
  - nothing to remember;
  - nothing to type;
  - secure as long as the private key is safe.
Public-key authentication: how it works

1. Client -> Server: login request + public key.
2. Server: looks up the public key (in the user's authorized_keys).
3. Server -> Client: a challenge encrypted with the public key.
4. Client: decrypts the challenge with the private key.
5. Client -> Server: the MD5 footprint of the challenge.
6. Server: received MD5 == MD5(challenge)?
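As an added example (not part of the course material), here is the exchange above modelled end to end in Python with textbook RSA and an MD5 footprint, exactly as the slide draws it: the server holds each user's authorized keys, encrypts a random challenge with the client's public key, and accepts the login only if the footprint that comes back matches. The `Server` class, the 64-bit demo primes and all names are assumptions made for this demo. SSH-2, the protocol OpenSSH speaks today, has the client sign session data with its private key rather than decrypt a challenge, but the trust decision is the same: only the holder of the private key matching an authorized public key gets in.

```python
"""Toy model of the challenge-response login drawn on the slide.

Added example, not course or OpenSSH code: textbook RSA with throw-away
64-bit primes and an MD5 footprint, as the slide describes it.
"""
import hashlib
import hmac
import secrets

E = 65537  # public exponent


def is_probable_prime(n, rounds=16):
    """Miller-Rabin, plenty for demo-sized primes."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_keypair(bits=64):
    """Return ((n, e), (n, d)); bits is per prime and toy-sized on purpose."""
    while True:
        p, q = random_prime(bits), random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % E != 0:  # E is prime, so this is gcd(E, phi) == 1
            return (p * q, E), (p * q, pow(E, -1, phi))


class Server:
    """Holds each user's authorized keys and the challenge it is waiting on."""

    def __init__(self, authorized_keys):
        self.authorized_keys = authorized_keys  # {user: [pubkey, ...]}
        self.pending = {}                       # {user: md5 of the challenge}

    def login_request(self, user, pubkey):
        """Steps 1-3: look the key up; if known, reply with an encrypted challenge."""
        if pubkey not in self.authorized_keys.get(user, []):
            return None                         # unknown user or key: refuse
        n, e = pubkey
        challenge = secrets.randbelow(n - 1) + 1
        self.pending[user] = hashlib.md5(str(challenge).encode()).hexdigest()
        return pow(challenge, e, n)             # challenge encrypted with the pubkey

    def verify(self, user, footprint):
        """Step 6: received MD5 == MD5(challenge)?"""
        expected = self.pending.pop(user, None)
        return expected is not None and hmac.compare_digest(expected, footprint)


def client_answer(privkey, ciphertext):
    """Steps 4-5: decrypt with the private key, send back the MD5 footprint."""
    n, d = privkey
    challenge = pow(ciphertext, d, n)
    return hashlib.md5(str(challenge).encode()).hexdigest()


def run_login(server, user, pubkey, privkey):
    """Drive one complete exchange; True means the server accepted the login."""
    ciphertext = server.login_request(user, pubkey)
    if ciphertext is None:
        return False
    return server.verify(user, client_answer(privkey, ciphertext))


if __name__ == "__main__":
    bob_pub, bob_priv = generate_keypair()
    srv = Server({"bob": [bob_pub]})
    print("bob, correct key:", run_login(srv, "bob", bob_pub, bob_priv))
    _, other_priv = generate_keypair()
    print("bob, wrong private key:", run_login(srv, "bob", bob_pub, other_priv))
```

Note that the server never learns the private key and never stores the challenge itself, only its footprint: a client that cannot decrypt the challenge has nothing useful to send back, and a key that is not listed for that user is refused before any challenge is issued.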
Public-key authentication: setup

Client-side configuration:
- Generate your key pair.
- Copy your public key to the server, into ~/.ssh/authorized_keys:
  - manual procedure: scp the key over, then ssh in and append it;
  - automatic procedure: ssh-copy-id (your identity, i.e. your key pair, must already exist).
Public-key authentication: generate a key pair

- Public-key cryptography: RSA or DSA.

    $ ssh-keygen -t rsa -b 1024 -f ~/.ssh/id_rsa

- Creates the key pair in ~/.ssh/:
  - id_rsa (private);
  - id_rsa.pub (public).
- Manually point (symlink) ~/.ssh/identity.pub to your public key.
Public-key authentication: copy your public key

ssh-copy-id: your friendly script.

    $ ssh-copy-id [options] user@machine

Options:
- -i file: use file as the public key instead of the default.
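Whether you use ssh-copy-id or the manual scp-then-append procedure, the same things have to be true on the server afterwards: the line in authorized_keys must be a well-formed public key, it must not be appended twice, and ~/.ssh and authorized_keys must have the strict permissions sshd checks before it will trust the file. The following Python is an added example, not the course's or OpenSSH's code; the demo key is constructed (a toy RSA blob that could never be used), and `install_pubkey`, `demo` and the temporary directory are assumptions made for the demonstration.

```python
"""What ssh-copy-id, or the manual 'scp the key, then ssh in and append it'
procedure, has to get right on the server side.

Added example, not the course's or OpenSSH's code: it checks that a line is a
well-formed public key, appends it to authorized_keys only if that key is not
already there, and sets the permissions sshd requires (0700 for ~/.ssh,
0600 for authorized_keys). The demo key below is constructed, not a real key.
"""
import base64
import os
import struct
import tempfile


def encode_blob(keytype, *fields):
    """SSH wire encoding: every field is a 4-byte big-endian length plus bytes."""
    out = b""
    for field in (keytype.encode(),) + fields:
        out += struct.pack(">I", len(field)) + field
    return out


# Constructed demo key: toy RSA (e=65537, a 4-byte n). Never a usable key.
DEMO_BLOB = encode_blob("ssh-rsa", b"\x01\x00\x01", b"\x00\xc9\x3f\x1b")
DEMO_KEY = "ssh-rsa " + base64.b64encode(DEMO_BLOB).decode() + " bob@linux"


def parse_pubkey(line):
    """Return (keytype, blob, comment); raise ValueError for anything else."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    keytype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:   # binascii.Error is a ValueError
        raise ValueError("key blob is not base64") from exc
    # The blob starts with the key type string; it must agree with the text.
    if not blob.startswith(encode_blob(keytype)):
        raise ValueError("key type does not match blob")
    return keytype, blob, comment


def is_valid_pubkey(line):
    try:
        parse_pubkey(line)
        return True
    except ValueError:
        return False


def install_pubkey(ssh_dir, pubkey_line):
    """Append the key to ssh_dir/authorized_keys; False if already installed."""
    keytype, blob, comment = parse_pubkey(pubkey_line)
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)                     # sshd refuses group/world-writable dirs
    path = os.path.join(ssh_dir, "authorized_keys")
    if os.path.exists(path):
        with open(path) as fh:
            for existing in fh:
                if not is_valid_pubkey(existing):
                    continue                     # comments, blank or junk lines
                etype, eblob, _ = parse_pubkey(existing)
                if (etype, eblob) == (keytype, blob):
                    return False                 # same key already present
    with open(path, "a") as fh:
        fh.write(f"{keytype} {base64.b64encode(blob).decode()} {comment}".rstrip() + "\n")
    os.chmod(path, 0o600)
    return True


def demo():
    """Install the demo key twice into a throw-away directory."""
    with tempfile.TemporaryDirectory() as tmp:
        ssh_dir = os.path.join(tmp, ".ssh")
        first = install_pubkey(ssh_dir, DEMO_KEY)
        second = install_pubkey(ssh_dir, DEMO_KEY)      # same key again
        path = os.path.join(ssh_dir, "authorized_keys")
        with open(path) as fh:
            line_count = len(fh.read().splitlines())
        return first, second, line_count, os.stat(path).st_mode & 0o777


if __name__ == "__main__":
    print(demo())
```

Comparing the decoded blob rather than the raw line is what makes the second install a no-op even when the trailing comment differs; the comment is just a label and plays no part in authentication.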
Public-key authentication: stop and think

Do you have any questions?
Public-key authentication: stop and think

    [bob@linux ~]$ ssh-copy-id john@10.1.40.2

You can now connect to 10.1.40.2 as bob without a password.
- True
- False
Configuration
Client side and server side
Configuration: server config

Server parameters are set in /etc/ssh/sshd_config:
- port;
- protocols;
- interfaces;
- server keys;
- authentication;
- allowed/denied users;
- X forwarding.
Configuration: server config example

    Port 22
    Protocol 2
    ListenAddress 0.0.0.0
    TCPKeepAlive yes
    HostKey ssh_host_dsa.key
    HostKey ssh_host_rsa.key
    PermitRootLogin no
    PasswordAuthentication yes
    PubkeyAuthentication yes
    PermitEmptyPasswords no
    X11Forwarding yes
    # order: DenyUsers, AllowUsers, DenyGroups, AllowGroups
    DenyUsers bob john
    Match User bill
        X11Forwarding no
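Two rules decide what this file actually does for a given login: for each keyword the first global value wins, and a `Match User` block overrides the global value for the named users only. The Python below is an added example, not OpenSSH's parser; it embeds a copy of the slide's configuration and answers "what applies to user X?" and "is user X denied?" for it. It handles only `Match User` and plain user names in DenyUsers/AllowUsers (real sshd also accepts patterns and other Match criteria); the function names are assumptions made for the demo.

```python
"""Which sshd_config settings actually apply to a given user?

Added example, not OpenSSH's parser. It models two rules of sshd_config that
the slide's example relies on: keywords are case-insensitive and the first
global value wins (repeated HostKey lines are the exception and accumulate),
and a 'Match User' block overrides the global value for those users only.
Only 'Match User' is handled here; sshd has more Match criteria.
"""

# Copy of the slide's server configuration (embedded for this demo).
SSHD_CONFIG = """\
Port 22
Protocol 2
ListenAddress 0.0.0.0
TCPKeepAlive yes
HostKey ssh_host_dsa.key
HostKey ssh_host_rsa.key
PermitRootLogin no
PasswordAuthentication yes
PubkeyAuthentication yes
PermitEmptyPasswords no
X11Forwarding yes
# order: DenyUsers, AllowUsers, DenyGroups, AllowGroups
DenyUsers bob john
Match User bill
    X11Forwarding no
"""


def parse_sshd_config(text):
    """Return (global settings, [(users, settings), ...] in file order)."""
    glob, matches, target = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            crit = value.split()
            if len(crit) != 2 or crit[0].lower() != "user":
                raise ValueError(f"unsupported Match criterion: {value}")
            target = {}
            matches.append((set(crit[1].split(",")), target))
            continue
        store = glob if target is None else target
        if key == "hostkey":
            store.setdefault(key, []).append(value)
        else:
            store.setdefault(key, value)         # first value wins
    return glob, matches


def effective_settings(text, user):
    """Global settings with the first satisfied Match block's overrides applied."""
    glob, matches = parse_sshd_config(text)
    effective, overridden = dict(glob), set()
    for users, settings in matches:
        if user not in users:
            continue
        for key, value in settings.items():
            if key not in overridden:            # first matching block wins
                effective[key] = value
                overridden.add(key)
    return effective


def is_user_denied(text, user):
    """DenyUsers is checked first; then AllowUsers, if present, must list the user."""
    glob, _ = parse_sshd_config(text)
    if user in glob.get("denyusers", "").split():
        return True
    allowed = glob.get("allowusers", "").split()
    return bool(allowed) and user not in allowed


if __name__ == "__main__":
    for who in ("bill", "alice", "bob"):
        print(who, "denied:", is_user_denied(SSHD_CONFIG, who),
              "X11Forwarding:", effective_settings(SSHD_CONFIG, who)["x11forwarding"])
```

On a real server the authoritative check is `sshd -T -C user=bill`, which prints the effective configuration for that login; the model above is only there to make the override and first-value-wins rules visible.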
Configuration: client config

Client parameters:
- system wide: /etc/ssh/ssh_config (default config; per-host features such as port and keys);
- per user: ~/.ssh/config.
Configuration: client config example

Client config, in /etc/ssh/ssh_config or ~/.ssh/config:

    Host *
        IdentityFile ~/.ssh/id_rsa
    Host 192.168.1.1
        Port 53
    Host 192.168.1.10
        Port 110
        ForwardX11 no
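The rule that makes or breaks a client config like this one is that ssh keeps the first value it obtains for each keyword, so a host-specific `Port` must appear before a `Host *` line that also sets `Port`. The Python below is an added example, not OpenSSH's parser: it resolves the slide's config for a host name and, going one step beyond the slide, shows the ordering rule and negated patterns (`!host`) on a second, constructed config. Patterns are matched with fnmatch, which covers the `*` and `?` used here; `resolve` and `DEFAULTS` are assumptions made for the demo.

```python
"""Which client settings does ssh pick for a given host?

Added example, not OpenSSH's parser: it applies the ssh_config rule that
matters when you write such a file, which is that for each keyword the FIRST
value obtained wins, so host-specific blocks must come before 'Host *'
settings for the same keyword. Patterns are matched with fnmatch ('*' and '?');
a leading '!' negates a pattern, as in ssh_config. Both configs are constructed.
"""
import fnmatch

# The slide's client configuration.
SSH_CONFIG = """\
Host *
    IdentityFile ~/.ssh/id_rsa
Host 192.168.1.1
    Port 53
Host 192.168.1.10
    Port 110
    ForwardX11 no
"""

# Ordering matters: the specific Port for 192.168.1.10 is listed before the catch-all.
ORDER_DEMO = """\
Host 192.168.1.10
    Port 110
Host *
    Port 2222
    ForwardX11 yes
Host * !192.168.1.10
    ForwardAgent yes
"""

DEFAULTS = {"port": "22", "forwardx11": "no"}   # what ssh assumes when nothing is set


def host_matches(hostname, patterns):
    """A negated pattern that matches disqualifies the whole Host line."""
    positive = [p for p in patterns if not p.startswith("!")]
    negative = [p[1:] for p in patterns if p.startswith("!")]
    if any(fnmatch.fnmatchcase(hostname, p) for p in negative):
        return False
    return any(fnmatch.fnmatchcase(hostname, p) for p in positive)


def resolve(text, hostname):
    """Return the effective keyword -> value map (lower-case keywords) for hostname."""
    effective = {}
    active = True                                # lines before any Host apply to all
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            active = host_matches(hostname, value.split())
            continue
        if active:
            effective.setdefault(key, value)     # first obtained value wins
    return {**DEFAULTS, **effective}


if __name__ == "__main__":
    for host in ("192.168.1.1", "192.168.1.10", "example.org"):
        print(host, resolve(SSH_CONFIG, host))
```

The real client exposes the same answer with `ssh -G hostname`, which prints every effective option after the config files have been read; a per-host `Port` line in ~/.ssh/config is also how you stop typing `-p` for every ssh-based tool against a server on a non-standard port.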
Configuration: stop and think

Do you have any questions?
Configuration: stop and think

You are working with a server running ssh on port 437. You don't want to specify the port each time you use any ssh-based tool. Which file will you modify? Which directives will you use?
- Host
- Port
- Listen
- ~/.ssh/config
- /etc/ssh/sshd_config
X forwarding
Secure X transport
X forwarding: about X forwarding

What is it? How do you use it?
- A native X feature, tunneled through ssh: run remotely, display locally.
- It has to be enabled on both sides: server side and client side.
- ssh creates a DISPLAY proxy: nothing more to do than adding -X.
X forwarding: run a remote application

Run firefox remotely, display it on your screen:

    [user@localhost]$ ssh -X bob@baracuda
    [bob@baracuda]$ firefox &
X forwarding: stop and think

Do you have any questions?
X forwarding: stop and think

"Run remotely, display locally" is an ssh feature.
- True
- False
Port forwarding
Secure tunneling
Port forwarding: about port forwarding

Network plumbing: forward data through the ssh tunnel.
- Local port forwarding: input on a local port is transported to a remote port.
- Remote port forwarding: incoming data on a remote port is brought to a local port, courtesy of ssh.
Port forwarding: local port forwarding

    $ ssh -L 1234:ircserver:6667 login@server

- Connections to local port 1234 go through the tunnel to server, which connects them to ircserver on port 6667.
Port forwarding: remote port forwarding

    $ ssh -R 80:localhost:80 login@server

- Data incoming on port 80 on server will be available on port 80 on localhost.
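Both forms of forwarding are the same piece of plumbing: something listens on a port, and every connection it accepts is copied byte for byte, in both directions, to a connection opened at the other end of the tunnel. With `-L` the listener is in the ssh client and the ssh server opens the onward connection; with `-R` the listener is in the ssh server and the ssh client opens it. The Python below is an added example, not OpenSSH's code: it runs that relay on the loopback interface in one process, with an upper-casing echo server standing in for the remote service (the slide's ircserver:6667), so you can see the bytes travel in through the local port and come back. Nothing is encrypted here, which is precisely what ssh adds on top; the socket helpers and `demo` are assumptions made for the demonstration.

```python
"""What 'ssh -L localport:host:port' does, minus the encryption: a relay that
accepts on a local port and copies bytes both ways to the target.

Added example, not OpenSSH's code. In real ssh the listener lives in the ssh
client and the connection to host:port is opened by the ssh server at the far
end of the encrypted tunnel; here both halves run in one process on the
loopback interface, with a small upper-casing echo server standing in for the
remote service. Everything below is constructed for the demo.
"""
import socket
import threading


def listen_loopback():
    """Listening socket on 127.0.0.1 with a kernel-chosen free port."""
    sock = socket.socket()
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("127.0.0.1", 0))
    sock.listen(5)
    return sock


def serve_echo(listener):
    """Stand-in remote service: reply with the request upper-cased, then close."""
    while True:
        try:
            conn, _ = listener.accept()
        except OSError:
            return                               # listener closed: shut down
        with conn:
            conn.sendall(conn.recv(4096).upper())


def pump(src, dst):
    """Copy bytes from src to dst until EOF, then pass the EOF on."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def forward(listener, target):
    """The -L relay: each accepted local connection gets its own connection to target."""
    while True:
        try:
            client, _ = listener.accept()
        except OSError:
            return
        remote = socket.create_connection(target)
        threading.Thread(target=pump, args=(client, remote), daemon=True).start()
        threading.Thread(target=pump, args=(remote, client), daemon=True).start()


def demo(message=b"hello through the tunnel"):
    """Send message to the LOCAL port and return what came back via the relay."""
    echo, local = listen_loopback(), listen_loopback()
    threading.Thread(target=serve_echo, args=(echo,), daemon=True).start()
    threading.Thread(target=forward, args=(local, echo.getsockname()), daemon=True).start()
    try:
        with socket.create_connection(local.getsockname(), timeout=5) as conn:
            conn.sendall(message)
            conn.shutdown(socket.SHUT_WR)        # tell the relay we are done sending
            reply = b""
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                reply += chunk
        return reply
    finally:
        local.close()
        echo.close()


if __name__ == "__main__":
    print(demo())
```

The half-close handling in `pump` is the part people usually get wrong when writing a relay: passing the client's EOF on to the remote side (and vice versa) is what lets protocols that rely on "send, then close" complete through the tunnel.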
Port forwarding: stop and think

Do you have any questions?
Port forwarding: stop and think

You want to redirect the localhost:8080 port to 192.168.1.1:80. Which type of port forwarding will you use?
- Local
- Remote
Course summary

- Public-key authentication
- Secure shell access
- X forwarding and TCP forwarding
- File transfer
- Client configuration
For more

If you want to go into these subjects more deeply:
- Publications: SSH, The Secure Shell.
- Courses: Linux Technologies: Edge Computing.
- Web sites: www.supinfo.com, www.labo-linux.com, www.blackbeltfactory.com.
- Conferences: FOSDEM, RMLL, Solutions Linux.
Congratulations

You have successfully completed the SUPINFO course module 21, OpenSSH: Secure Shell.
The end

- Stop bothering with passwords: use public-key authentication.
- Passphrase-protected keys? Use an agent.