
7.1. SSH

SSH, the Secure Shell, is a way of running commands on a remote computer. Using SSH in its most basic mode to connect to a remote machine across a network is essentially the same as being seated at that machine and opening a GNOME Terminal window. SSH is deliberately engineered to stop malicious parties intercepting or altering your computer's communication with the remote server, which makes it a much better choice than older protocols that are not secure, such as telnet or RSH (Remote Shell).


Note: SSH is both the name of a protocol and the name of a Linux command line program that makes use of that protocol. When we're referring to the Secure Shell protocol we use SSH (all uppercase); the command line program is called ssh (all lowercase).

7.1.1. Using the PuTTY SSH Client

PuTTY is a Windows program that you can use to connect to Linux boxes using SSH. You can download the installer from the PuTTY website; the "Windows-style installer" listed on the downloads page is the file you want to grab. Once you install the program and launch it, you'll be presented with the PuTTY Configuration dialog shown in Figure 7-1. Don't be scared by the number of options available to you; for now, all you're interested in is the Host Name (or IP address) field. Enter your Linux server's name or IP address into this field, and click Open.

Figure 7-1. The PuTTY Configuration dialog.



Tip: To avoid entering your username, enter username@servername in the Host Name (or IP address) field.

When you first connect to your server, you'll see the PuTTY Security Alert dialog illustrated in Figure 7-2. This is PuTTY's somewhat convoluted way of asking you to confirm that this is the server key you're expecting.

Figure 7-2. The PuTTY Security Alert.


7.1.2.1. Host Keys

Each SSH server has a unique host key. When you attempt to connect to a machine, PuTTY (or whichever SSH client you're using) checks that the host key of that machine is the same as it was the last time you connected to it. This provides excellent protection against malicious parties pretending to be your server, but also poses a problem: how does the SSH client know what the server's host key is the first time it connects? The answer is that it doesn't. The first time you connect to a machine, the SSH client will notice that it doesn't have a host key for that machine; it will ask you (usually a little cryptically) whether it's okay to connect.

Part of this message will include a key fingerprint, which is an abbreviated version of the host key. To find out what a server's key fingerprint is, run the command ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key on that server.

[kermit@swinetrek ~]$ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key
1024 43:75:4b:9b:93:63:15:47:c7:94:95:e5:42:0f:4e:cc /etc/ssh/ssh_host_rsa_key.pub

The middle field of this output, the colon-separated hexadecimal string (43:75:4b:...), is the key fingerprint. You must confirm that this key fingerprint is exactly the same as the key fingerprint that's displayed when you try to connect to the server for the first time. If the key fingerprints aren't the same, something is wrong: the machine you're trying to connect to is not the machine you're actually connecting to. If the key fingerprints agree, you can safely click Yes on this dialog. PuTTY will remember this verified host key for future connections, and will not ask again.
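The fingerprint that ssh-keygen -l (and, later in this section, the ssh client) prints is a digest of the base64-decoded public key blob. The following Python is an added example, not code from the book: it reproduces that derivation from an OpenSSH public-key line so that a fingerprint obtained out of band can be compared with the one shown on first connect, and it also emits the SHA256 form that newer OpenSSH releases print. The key material is a constructed toy blob, not a real key.

```python
import base64
import hashlib
import hmac
import struct


def parse_pubkey_line(line):
    """Split 'ssh-rsa AAAA... comment' into (key type, decoded blob, comment)."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("malformed public key line")
    keytype, blob = parts[0], base64.b64decode(parts[1], validate=True)
    if len(blob) < 4:
        raise ValueError("blob too short")
    # The blob opens with a length-prefixed string naming the key type; it must
    # agree with the type declared in the text field or the line is corrupt.
    (first_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + first_len] != keytype.encode():
        raise ValueError("key type does not match blob")
    return keytype, blob, parts[2] if len(parts) == 3 else ""


def fingerprint_md5(blob):
    """Legacy colon-separated MD5 form, like 43:75:4b:... in the book's output."""
    hexdigest = hashlib.md5(blob).hexdigest()
    return ":".join(hexdigest[i:i + 2] for i in range(0, 32, 2))


def fingerprint_sha256(blob):
    """Form newer OpenSSH prints: 'SHA256:' plus unpadded base64 of SHA-256."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def fingerprint_matches(expected, shown):
    """Constant-time comparison of the out-of-band value with the displayed one."""
    return hmac.compare_digest(expected.strip().lower(), shown.strip().lower())


# Constructed ssh-rsa blob with toy values (e = 65537, n = 199); not a usable key.
SAMPLE_BLOB = (
    b"\x00\x00\x00\x07ssh-rsa"
    + b"\x00\x00\x00\x03\x01\x00\x01"   # mpint e = 65537
    + b"\x00\x00\x00\x02\x00\xc7"       # mpint n = 199, leading zero because the high bit is set
)
SAMPLE_LINE = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + " kfrog@mymac.lan"
```

Feed the contents of the server's /etc/ssh/ssh_host_rsa_key.pub to parse_pubkey_line and fingerprint_md5 to get the same value ssh-keygen -l prints on that server.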


Warning: You should avoid changing the SSH server's host key, which can happen if you reinstall the SSH server software, or delete files in /etc/ssh. If this happens, the key that SSH clients remember for the server will differ from the server's new key, and the SSH client will display a warning message. PuTTY's message is depicted in Figure 7-3.

7.1.2.2. Logging in with a Password

Once you've verified the host key, you'll be asked to log in: just enter your username and password at the prompts. After this, you'll be presented with the familiar command prompt:

login as: kermit
kermit@swinetrek's password:
Last login: Mon Oct 10 05:45:39 2005 from 192.168.69.33
[kermit@swinetrek ~]$

Note: Connecting to an SSH server is often described as "SSHing into the server."

7.1.2.3. Logging in with a Private Key

It's possible to use PuTTY (or any other SSH client) to connect to a machine without entering a username or password at all. In such cases, we connect using a public and private key pair. First, we need to generate the keys with the PuTTYgen tool, shown in Figure 7-4, which you can launch by clicking Start > All Programs > PuTTY > PuTTYgen.

Figure 7-3. The PuTTY Security Alert displaying after the host key changes.


Figure 7-4. The PuTTYgen tool.


Click Generate to have PuTTYgen generate the key pair; you'll need to move your mouse about a bit, as PuTTYgen's algorithm uses your mouse movements to generate the keys. Once the keys are generated, you must save the public key on the server.


Tip: There are many ways to move files from Windows to Linux, but the easiest method is probably to use Samba to gain access to part of the filesystem as a Windows file share. To quickly get Samba sharing a user's home directory, follow these steps:

From Windows, you should now be able to access the Samba file share, as shown in Figure 7-6. Note that you should ensure that the Show hidden files and folders option is enabled in the File Explorer's Folder Options (Tools > Folder Options…).

On the Linux server, create a directory named .ssh if it doesn't already exist. We can't create this directory from Windows, as Windows' file naming rules forbid directory names starting with a period. This directory also needs to have very specific permissions: read, write, and execute permissions must be disabled for everyone but the directory's owner.

[kermit@swinetrek ~]$ mkdir .ssh
[kermit@swinetrek ~]$ chmod go-rwx .ssh
[kermit@swinetrek ~]$

Next, copy the text in the Public key field, open Notepad and paste the text into a new file. Save this file as \\servername\sharename\.ssh\authorized_keys, as shown in Figure 7-7. Be sure to surround the filename in quotation marks; otherwise Notepad will add a .txt extension to the filename.

Figure 7-7. Saving \\servername\sharename\.ssh\authorized_keys


Now we need to save our private key. At this point, it's recommended that you enter a key passphrase to keep the private key secure. Click the Save private key button, and save it somewhere on your local hard disk.

To make use of this public and private key pair, launch PuTTY and enter the server name as you did previously. From the Category list on the left of the PuTTY Configuration window, select Auth. In the Private key file for authentication field, select the private key file you saved from PuTTYgen, as illustrated in Figure 7-8.

Figure 7-8. Selecting the private key.


Click Open, and if you secured your private key with a passphrase, you'll be prompted for it. Enter the passphrase, and you're logged in.

Using username "kermit".
Authenticating with public key "rsa-key-20051013"
Passphrase for key "rsa-key-20051013":
Last login: Wed Oct 12 23:34:51 2005 from 192.168.69.36
[kermit@swinetrek ~]$

7.1.2. Using the ssh Client

The ssh command line client comes standard on just about every Linux distribution, and is equally prevalent on other Unix-like systems, including Mac OS X. To use it, enter ssh username@servername at the command prompt:

mymac:~ kfrog$ ssh kermit@swinetrek
The authenticity of host 'swinetrek (192.168.69.33)' can't be established.
RSA key fingerprint is 43:75:4b:9b:93:63:15:47:c7:94:95:e5:42:0f:4e:cc.
Are you sure you want to continue connecting (yes/no)?

As with PuTTY, ssh asks you to verify that this is the key fingerprint you're expecting. Compare the listed fingerprint with the output of ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key: if they match, enter yes:

Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'swinetrek' (RSA) to the list of known hosts.
kermit@swinetrek's password:

Once you enter your password, you'll be connected to the server.

kermit@swinetrek's password:
Last login: Mon Oct 10 05:45:39 2005 from 192.168.69.33
[kermit@swinetrek ~]$

To logout from the ssh server, enter logout.

[kermit@swinetrek ~]$ logout
Connection to swinetrek closed.
mymac:~ kfrog$

7.1.3.4. Remote Command Execution

A handy and powerful feature of the ssh client is that it lets us specify a command that ssh will execute on the server, after which it disconnects immediately.

mymac:~ kfrog$ ssh root@swinetrek passwd kermit
root@swinetrek's password:
New UNIX password: password
Retype new UNIX password: password
Changing password for user kermit.
passwd: all authentication tokens updated successfully.
mymac:~ kfrog$

Notice that, this time, ssh does not display the "login banner" that shows when you last connected to the server.

7.1.3.5. Logging in with a Private Key

As with PuTTY, we can use ssh to log in with a private and public key pair. To generate the keys, we use the ssh-keygen tool:

mymac:~ kfrog$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/kfrog/.ssh/id_rsa):
Created directory '/Users/kfrog/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/kfrog/.ssh/id_rsa.
Your public key has been saved in /Users/kfrog/.ssh/id_rsa.pub.
The key fingerprint is:
f5:4e:a6:d9:9f:42:fa:24:5e:d7:30:68:04:3f:67:60 kfrog@mymac.lan
mymac:~ kfrog$

After the command is run, you're prompted for a location at which you want to save the private key; hit Enter to accept the default. You are then prompted for a passphrase for the key; you'll need to enter the passphrase twice. The key will then be generated.

Now, we need to add the public key to the ~/.ssh/authorized_keys file on the server. The following command uses the cat command to read the key from ~/.ssh/id_rsa.pub, ssh to log in to the SSH server, and cat to add the key to ~/.ssh/authorized_keys on the server.

mymac:~ kfrog$ cat ~/.ssh/id_rsa.pub | ssh kermit@swinetrek \
? 'sh -c "cat - >> ~/.ssh/authorized_keys"'
kermit@swinetrek's password:
mymac:~ kfrog$
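Both the PuTTY steps earlier (mkdir .ssh, chmod go-rwx .ssh, then writing authorized_keys over the share) and the cat pipeline above append a key without checking what they append or what permissions result. The following Python is an added example, not part of the book: run on the server, it installs a public key line the same way while validating the line, refusing duplicates, and setting the directory and file modes that sshd's StrictModes setting requires. The key line in demo() is a constructed sample, not a real key.

```python
import os
import stat
import tempfile


def install_authorized_key(home, pubkey_line):
    """Append pubkey_line to home/.ssh/authorized_keys; return False if already there."""
    line = pubkey_line.strip()
    parts = line.split()
    # A plain key line is '<type> <base64> [comment]' (option prefixes not handled here).
    if len(parts) < 2 or not parts[0].startswith(("ssh-", "ecdsa-")):
        raise ValueError("not an OpenSSH public key line")
    ssh_dir = os.path.join(home, ".ssh")
    os.makedirs(ssh_dir, exist_ok=True)            # mkdir .ssh
    os.chmod(ssh_dir, stat.S_IRWXU)                # chmod go-rwx .ssh
    path = os.path.join(ssh_dir, "authorized_keys")
    existing = []
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            existing = [l.split()[:2] for l in fh if l.strip()]
    # Match on type and key material only, so a changed comment is not a "new" key.
    if parts[:2] in existing:
        return False
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(line + "\n")
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)    # 0600; StrictModes rejects group/world-writable
    return True


def permissions_ok(home):
    """True when .ssh and authorized_keys are closed to group and others."""
    ssh_dir = os.path.join(home, ".ssh")
    for p in (ssh_dir, os.path.join(ssh_dir, "authorized_keys")):
        if stat.S_IMODE(os.stat(p).st_mode) & (stat.S_IRWXG | stat.S_IRWXO):
            return False
    return True


def demo():
    """Install a constructed key twice in a scratch home directory; return the outcomes."""
    key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAAwDHAA== kfrog@mymac.lan"  # constructed sample
    with tempfile.TemporaryDirectory() as home:
        first = install_authorized_key(home, key)
        second = install_authorized_key(home, key.replace("kfrog@mymac.lan", "other"))
        with open(os.path.join(home, ".ssh", "authorized_keys"), encoding="utf-8") as fh:
            count = len(fh.readlines())
        return {"first": first, "second": second, "lines": count, "perms": permissions_ok(home)}
```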

Now we're able to log in to our server, using the private and public key pair for authentication:

mymac:~ kfrog$ ssh kermit@swinetrek
Enter passphrase for key '/Users/kfrog/.ssh/id_rsa':
Last login: Wed Oct 12 23:56:16 2005 from 192.168.69.36
[kermit@swinetrek ~]$



Run Your Own Web Server Using Linux & Apache
ISBN: 0975240226
Year: 2006
Pages: 92