Problem: Now that the OpenSSH software is installed, we need to learn how to utilize it for invoking remote interactive connections and transferring files. We also need some way to verify that our connections are truly encrypted.
The ssh command is used to make secure, remote, interactive connections. This command can be used as the replacement for the unencrypted telnet , rsh and rlogin programs.
The format of the ssh command is as follows :
ssh [ -l login_name ] hostname user @hostname [ command ]
where:
The following is an example where the local system is trying to connect to remote system server.example.com with account sshuser to run the ls ˆ’ l command:
$ ssh -l sshuser server.example.com ls -l The authenticity of host 'server.example.com (172.16.121.6)' can't be established. RSA key fingerprint is a4:f0:02:eb:11:84:70:c2:c3:24:18:61:89:49:ac:4b. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added server.example.com,172.16.121.6' (RSA) to the list of known hosts total 3188 -rw-r--r-- 1 sshuser admin 0 Feb 24 14:31 a drwxr-xr-x 10 sshuser admin 512 Dec 19 10:48 etc drwx------ 2 root other 512 Jun 26 2000 nsmail -rw-r--r-- 1 sshuser admin 1620193 May 15 2002 openssh31.zip $
The first several lines of output are normal for the first time you connect to a particular system running an sshd daemon “ after the first successful connection, you should not see these messages. However, prior to accepting this fingerprint and storing it in the list of known hosts, you will have to verify through a secure means that this is the correct fingerprint for the system to which you are attempting to connect.
In order to do this, somebody on the target machine will have to execute
$ ssh-keygen -l -f file
where file is the name of the host's public SSH key, such as /etc/ssh/ssh_host_key.pub . The result will look similar to the following and should match the key fingerprint previously given:
a4:f0:02:eb:11:84:70:c2:c3:24:18:61:89:49:ac:4b
Keep in mind that the fingerprint must be transmitted in a secure way (i.e. by a phone call to the administrator of the remote system), since SSH relies on these keys and the fingerprint is the simple proof for a valid key. For obvious reasons, SSH does not provide a way to fetch such fingerprints remotely from an SSH server.
Here is the second attempt using the same command:
$ ssh -l sshuser server.example.com ls sshuser@server.example.com's password: nsmail openssh31.zip $
If you wish to connect to the remote system and receive a shell (as opposed to running a command and then exiting), then omit the optional "command string". For example:
$ ssh -l sshuser server.example.com sshuser@server.example.com's password: Last login: Fri Nov 15 16:12:22 2002 from KII-1QZ7611 Sun Microsystems Inc. SunOS 5.8 Generic February 2000 $
You can now proceed just as if you had connected via "telnet" and nothing should appear different to you. The only difference is that all the communication between the local and remote systems are now encrypted.
The sftp command is used to perform file transfers to/from remote connections. This command can be used as the replacement for the unencrypted FTP program. This document assumes that you are familiar with FTP; sftp is very similar in that an initial command is issued to connect to an sftp server and if the authentication is successful, the client is placed into sftp interactive mode.
Although there are many options, the basic format of the sftp command is as follows :
sftp [ user @]hostname
where:
The following is an example where the local system connects via sftp to remote system server.example.com with account sshuser, then transfers a file from the remote /tmp filesystem:
$ sftp server.example.com Connecting to server.example.com... sshuser@server.example.com's password: ******** sftp> cd /tmp sftp> ls . .. .X11-pipe .X11-unix .pcmcia .removable .s.PGSQL.5432 dtdbcache_172.16.124 dtdbcache_KII-1QZ7611:0 openssh-3.4p1 openssh-3.4p1.tar openssl-0.9.6g openssl-0.9.6g.tar perl-5.8.0-sol8-sparc-local ps_data snoop.txt sftp> lcd /tmp sftp> get snoop.txt Fetching /tmp/snoop.txt to snoop.txt sftp> bye $
If this sftp attempt is the first SSH connection attempted to the remote system, you will also receive an authenticity warning and a prompt similar to the following:
The authenticity of host 'server.example.com (172.16.121.6)' can't be established. RSA key fingerprint is a4:f0:02:eb:11:84:70:c2:c3:24:18:61:89:49:ac:4b. Are you sure you want to continue connecting (yes/no)? yes
Note |
Once you enter "yes" to the prompt, the host will be added to the SSH "known hosts " file and you shouldn't be prompted with this information for subsequent attempts: |
Warning: Permanently added 'server.example.com,172.16.121.6' (RSA) to the list of known hosts
Note |
It is strongly recommended that the host key be verified the first time it is used to prevent potential risk of man-in-the-middle attacks. See Action 2.1.1 for instructions to verify the host's fingerprint. |
You can also specify the user name as part of the sftp connection command, as shown below:
$ sftp sshuser@server.example.com Connecting to server.example.com... sshuser@server.example.com's password: ********* sftp>
There are many command line options to sftp, too numerous to cover in this document. As always, use the man command to get the details, as shown below:
$ man sftp Reformatting page. Please Wait... done User Commands SFTP(1) NAME sftp - Secure file transfer program SYNOPSIS sftp [-vC1] [-b batchfile] [-o ssh_option] [-s subsystem sftp_server] [-B buffer_size] [-F ssh_config] [-P sftp_server path] [-R num_requests] [-S program] host sftp [[user@]host[:file [file]]] sftp [[user@]host[:dir[/]]] DESCRIPTION sftp is an interactive file transfer program, similar to ftp(1), which performs all operations over an encrypted ssh(1) transport. It may also use many features of ssh, such as public key authentication and compression. sftp connects and logs into the specified host, then enters an interactive command mode. The second usage format will retrieve files automatically if --More--(13%)
You can use the Solaris snoop utility to verify that FTP does not encrypt communication and that sftp does encrypt “ see Action 2.1.5 for examples of using the snoop utility.
The scp (secure copy) command is used to copy files and directories to and from remote servers. This command can be used as the replacement for the unencrypted rcp program. The scp command can also be used as a substitute for sftp , although there are some key differences.
One difference is that scp does not have an "interactive" mode as sftp does and therefore doesn't have as many capabilities, although it is still a quite powerful utility. One advantage of scp over sftp is that directory and recursive copies are much easier. Additionally, the scp command can be used in conjunction with an .shosts file to bypass interactive authentication “ this is strongly discouraged since it provides yet another avenue for attackers . See Action 2.1.4 for more detail regarding host-based authentication with .shosts files.
So, if you have a need to copy directory entries in addition to files and/or you need to copy a directory structure recursively, scp is probably what you should use. If you're copying files only and they exist in multiple directories, or if you prefer interactivity, sftp is probably the better choice.
Although there are many options, the basic format of the scp command is as follows :
scp [options] [[ user @]host1:] path -to-source [ ] [[ user2@]host2: ] path-to-destination
Where:
The following example uses scp to duplicate the FTP file transfer from the last example (host is server.example.com , account is sshuser , file is /tmp/snoop.txt ):
$ scp sshuser@server.example.com:/tmp/snoop.txt . sshuser@server.example.com's password: ******** snoop.txt 100% ***************************** 7956 00:00 $ ls -l total 24 drwxr-xr-x 2 root root 512 May 20 1999 103346-22 drwxr-xr-x 3 sshuser 150 512 Nov 10 09:39 ns_imap drwx------ 2 sshuser 150 512 Nov 10 09:39 nsmail -rw-r--r-- 1 sshuser 150 7956 Dec 18 14:30 snoop.txt drwxrwxr-x 3 root other 512 Jul 10 1999 upgrade $
Besides the obvious advantage of encrypting communication, note that another advantage of scp over rcp is the verification of completion and the reporting of the number of bytes transferred.
You can also omit the user name as part of the command; if you do so, then the current user name will be assumed, as shown below:
$ scp server.example.com:/tmp/snoop.txt . sshuser@server.example.com's password: ******* snoop.txt 100% ***************************** 7956 00:00 $
In this example, we use the command line options -r to recursively copy a directory structure and -p to keep the original permissions of all files and directories:
$ scp -pr sshuser@server.example.com:/tmp/patches /tmp sshuser@server.example.com's password: ******** 105395-09.tar.Z 100% ***************************** 537 KB 00:00 107684-09.zip 100% ***************************** 851 KB 00:00 110615-09.zip 100% ***************************** 868 KB 00:01 dsmerror.log 100% ***************************** 150 00:00
The source directory is /tmp/patches , which is a directory with three subdirectories. The destination directory on the local machine is /tmp , so this command completely duplicates the /tmp/patches directory from host server.example.com to the local host, assuming your account has read permissions for all the files and directories in this structure. A quick way to verify that everything was copied is to use the du -sk command on both systems and compare the byte count, as shown below:
$ du -sk /tmp/patches 2284 /tmp/patches
Both systems should now report the same or roughly the same byte total. A more thorough method for verifying byte totals is to take checksums of files that were copied via scp. See the man pages for cksum, sum or other checksum utilities, depending on the flavor of UNIX you are using. Here's an example of using the cksum command:
$ find . -type f xargs cksum 2795861523 550601 ./2.6/105395-09.tar.Z 405161581 872202 ./7/107684-09.zip 2165853569 889286 ./8/110615-09.zip 3510532143 150 ./8/dsmerror.log
Note that since we used the "-p" command line option to perform the copy, all permissions of the /tmp/patches and child sub-directories and files should be as they exist on the source system.
It should be noted that both sftp and scp can be utilized for "puts" as well as "gets" ” all of the previous examples have demonstrated "gets". A "put" would be initiated from the machine where the data to be copied exists. The following example does the previous transfer in reverse, using "put" rather than "get":
$ scp -pr /tmp/patches sshuser@server.example.com:/tmp sshuser@server.example.com's password: ******** 105395-09.tar.Z 100% ***************************** 537 KB 00:00 107684-09.zip 100% ***************************** 851 KB 00:00 110615-09.zip 100% ***************************** 868 KB 00:00 dsmerror.log 100% ***************************** 150 00:00 $ uname -a SunOS client.example.com 5.8 Generic_108528-16 sun4m sparc SUNW,SPARCstation-20
scp has many other command line options - to see them, issues scp with on options:
$ scp usage: scp [-pqrvBC46] [-F config] [-S program] [-P port] [-c cipher] [-i identity] [-o option] [[user@]host1:]file1 [...] [[user@]host2:]file2
For more detail of each option, refer to the scp man page.
Host-based authentication, with or without SSH, is considered a security danger in that it does not require interactive authentication (such as a password or passphrase). Host-based authentication is configured with various files to allow automatic (i.e. non-interactive) connections from one UNIX system to another. Since the use of UNIX host-based authentication is strongly discouraged from a security standpoint, the authors initially decided to simply mention the dangers of OpenSSH host-based authentication but not cover details for how to use it. However, we realized that in most environments, improving security via tools such as OpenSSH is rarely an "overnight" endeavor and therefore it is unrealistic to think that one can instantly eliminate the use of host-based authentication. We realize that while few will argue that host-based authentication is dangerous, it is also reality. Therefore, this section will briefly demonstrate OpenSSH's version of host-based authentication, although it is important to note that utilizing OpenSSH with host-based authentication only improves security from the encrypted channel standpoint ” it does not improve the authentication weakness inherent with host-based authentication .
Normal UNIX host-based authentication is performed via the /etc/ hosts .equiv file and .rhosts files. The /etc/hosts.equiv file should be considered the most dangerous and most easily abused method and should never be used ” it performs authentication via client hostnames (or IP addresses) only. The .rhosts file performs authentication on a client hostname AND account name basis. OpenSSH can utilize existing /etc/hosts.equiv and .rhosts files as they exist for host-based authentication. OpenSSH can also utilize the .shosts file - which is simply an optional alternate name for .rhosts files. If you are currently utilizing an .rhosts file for host-based authentication, OpenSSH will also use that file once the host-based authentication is configured properly. You are not required to rename the .rhosts file to .shosts , although it may be a good idea to do so from the standpoint of users taking note of .shosts files and therefore realizing that SSH is in use on your server system.
OpenSSH host-based authentication requires configuration settings on both the SSH client machine (the one initiating the connection) and the server machine (the machine running the "sshd" daemon and performing the authentication).
Tech Tip |
Each account on the SSH client can override settings in the OpenSSH system-wide configuration file (e.g. /usr/local/etc/ssh_config ) by creating his/her own settings file in $HOME/.ssh/config . If a setting is not found in $HOME/.ssh/config , OpenSSH will then check the system-wide file. Configuration settings can also be specified on the command line. For example: $ ssh -o "ForwardX11 yes" -o "Compression yes" server.example.com Enter passphrase for key '/export/home/user_a/.ssh/id_rsa': command line options always override configuration file settings. |
The following configuration option must be set as below in the /usr/local/etc/ssh_config file ( assuming that OpenSSH was installed into /usr/local and that you are using SSHv2):
HostbasedAuthentication yes
(The corresponding setting for SSHv1 is "RhostsAuthentication")
HostbasedAuthentication yes IgnoreRhosts no
(The corresponding setting for host-based authentication for SSHv1 is "RhostsAuthentication")
Note that the comments in the sshd_config file say to not use Host-based authentication - use at your own risk!
myclient user_a myclient.example.com user_a
Both entries here actually refer to the same machine/account - one is just fully qualified. This practice helps to eliminate problems with name resolution and host-based authentication.
172.16.121.16 myclient myclient.example.com
Next, you may need to modify the SSH server's hostname lookup order, i.e., to search the local /etc/host file for hostname lookups BEFORE searching DNS, so that the non-qualified hostname will be returned. For many Unix versions, the file which controls this is /etc/nsswitch.conf . Following is a portion of that file modified for this example:
passwd: files group: files hosts: files dns ipnodes: files
OR
myclient.example.com ,172.16.121.16 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAr7HxNPFUK2zWaLUSyi/ROby VPESK9X17HKLaiCKFsxEfvAc6fsLNfRVosQRLeuep/qR7ghbwscUB7PbRE1hK58aohXQUV/VXKlF4G4v P6wGNCfdwH9BjTrftDrEbzWprvaAD12fI1l+cjwydrp24+EQsIfHkcrwSP1ZRdk+3TDk=
Now that you've made all required host-based authentication configuration changes, you should be able to connect from the SSH client to the SSH server without having to enter a passphrase or password:
$ ssh -l sshuser server.example.com Last login: Fri Apr 25 11:03:47 2003 from openv3 $ uname -a SunOS kfs16 5.8 Generic_108528-06 sun4m sparc SUNW,SPARCstation-20 $
Here's another example, where a single host-based authenticated command is issued from the SSH client to the SSH server:
$ ssh -l sshuser server.example.com "ls -l" total 3188 drwxr-xr-x 10 sshuser admin 512 Dec 19 10:48 etc -rw-r--r-- 1 sshuser admin 1620193 May 15 2002 openssh31.zip
How can one be sure that the SSH session is indeed encrypted? UNIX/Linux systems provide various network packet inspection utilities which verify ” to a certain extent ” that the transmitted data is encrypted. Following are two examples of connections that are "sniffed" by the Solaris snoop utility “ the first shows a clear-text telnet session while the second shows an encrypted SSH session. TCPDUMP and Ethereal are functionally similar open -source tools which you might also consider for this purpose.
$ su - Password: ******** # snoop -o /tmp/snoop.txt port 23 client.example.com Using device /dev/le (promiscuous mode) 0
This command saves all the snoop output into a file for later viewing. In the next step, we'll connect from the client via telnet and the packet counter (the 0 shown above) should start increasing to reflect that packets are being captured.
$ telnet server.example.com Trying 172.16.121.6... Connected to server.example.com Escape character is '^]'. SunOS 5.8 login: sshuser Password: ******* Last login: Sat Apr 12 19:03:52 from 172.16.122.159 $ exit
# snoop -i /tmp/snoop.txt more (some output cut for brevity) 3 0.00078 client.example.com -> server.example.com TELNET C port=33861 4 0.02125 client.example.com -> server.example.com TELNET C port=33861 5 0.00008 server.example.com -> client.example.com TELNET R port=33861 6 0.28402 server.example.com -> client.example.com TELNET R port=33861 7 0.00069 client.example.com -> server.example.com TELNET C port=33861 8 0.00043 server.example.com -> client.example.com TELNET R port=33861 9 0.00028 client.example.com -> server.example.com TELNET C port=33861 10 0.09378 server.example.com -> client.example.com TELNET R port=33861 11 0.00028 client.example.com -> server.example.com TELNET C port=33861 12 0.00008 server.example.com -> client.example.com TELNET R port=33861 13 0.00386 client.example.com -> server.example.com TELNET C port=33861 7 72
# snoop -i /tmp/snoop.txt more (some output cut for brevity) 3 0.00078 client.example.com -> server.example.com TELNET C port=33861 4 0.02125 client.example.com -> server.example.com TELNET C port=33861 5 0.00008 server.example.com -> client.example.com TELNET R port=33861 6 0.28402 server.example.com -> client.example.com TELNET R port=33861 7 0.00069 client.example.com -> server.example.com TELNET C port=33861 8 0.00043 server.example.com -> client.example.com TELNET R port=33861 9 0.00028 client.example.com -> server.example.com TELNET C port=33861 10 0.09378 server.example.com -> client.example.com TELNET R port=33861 11 0.00028 client.example.com -> server.example.com TELNET C port=33861 12 0.00008 server.example.com -> client.example.com TELNET R port=33861 13 0.00386 client.example.com -> server.example.com TELNET C port=33861 3773 7230 VT320377360377372# openv 14 0.02279 server.example.com -> client.example.com TELNET R port=33861 15 0.09331 client.example.com -> server.example.com TELNET C port=33861 16 0.00014 server.example.com -> client.example.com TELNET R port=33861 17 0.00158 client.example.com -> server.example.com TELNET C port=33861 18 0.00048 server.example.com -> client.example.com TELNET R port=33861 19 0.09758 client.example.com -> server.example.com TELNET C port=33861 20 4.28797 server.example.com -> client.example.com TELNET R port=33861 ****** ************** 21 0.09277 client.example.com -> server.example.com TELNET C port=33861 22 0.00027 server.example.com -> client.example.com TELNET R port=33861 23 0.09940 client.example.com -> server.example.com TELNET C port=33861 24 0.78898 client.example.com -> server.example.com TELNET C port=33861 s 25 0.00031 server.example.com -> client.example.com TELNET R port=33861 s 26 0.10070 client.example.com -> server.example.com TELNET C port=33861 27 0.19873 client.example.com -> server.example.com TELNET C port=33861 s 28 0.00037 server.example.com -> client.example.com TELNET R port=33861 s 29 0.01794 client.example.com -> server.example.com TELNET C port=33861 h 30 0.00024 server.example.com -> client.example.com TELNET R port=33861 h 31 0.09264 client.example.com -> server.example.com TELNET C port=33861 32 0.18913 client.example.com -> server.example.com TELNET C port=33861 u 33 0.00033 server.example.com -> client.example.com TELNET R port=33861 u 34 0.03462 client.example.com -> server.example.com TELNET C port=33861 s 35 0.00026 server.example.com -> client.example.com TELNET R port=33861 s 36 0.09568 client.example.com -> server.example.com TELNET C port=33861 37 0.17001 client.example.com -> server.example.com TELNET C port=33861 e 38 0.00035 server.example.com -> client.example.com TELNET R port=33861 e 39 0.07298 client.example.com -> server.example.com TELNET C port=33861 r 40 0.00047 server.example.com -> client.example.com TELNET R port=33861 r 41 0.09634 client.example.com -> server.example.com TELNET C port=33861 42 0.00008 server.example.com -> client.example.com TELNET R port=33861 Password: 43 0.09982 client.example.com -> server.example.com TELNET C port=33861 44 1.47820 client.example.com -> server.example.com TELNET C port=33861 B 45 0.09170 server.example.com -> client.example.com TELNET R port=33861 46 0.14235 client.example.com -> server.example.com TELNET C port=33861 ony 47 0.09765 server.example.com -> client.example.com TELNET R port=33861 48 0.19136 client.example.com -> server.example.com TELNET C port=33861 9t 49 0.09859 server.example.com -> client.example.com TELNET R port=33861 50 0.23350 client.example.com -> server.example.com TELNET C port=33861 o 51 0.09662 server.example.com -> client.example.com TELNET R port=33861 52 0.01480 client.example.com -> server.example.com TELNET C port=33861 e 53 0.09507 server.example.com -> client.example.com TELNET R port=33861VT3207072#
# snoop -i /tmp/snoop.txt more (some output cut for brevity) 3 0.00078 client.example.com -> server.example.com TELNET C port=33861 4 0.02125 client.example.com -> server.example.com TELNET C port=33861 5 0.00008 server.example.com -> client.example.com TELNET R port=33861 6 0.28402 server.example.com -> client.example.com TELNET R port=33861 7 0.00069 client.example.com -> server.example.com TELNET C port=33861 8 0.00043 server.example.com -> client.example.com TELNET R port=33861 9 0.00028 client.example.com -> server.example.com TELNET C port=33861 10 0.09378 server.example.com -> client.example.com TELNET R port=33861 11 0.00028 client.example.com -> server.example.com TELNET C port=33861 12 0.00008 server.example.com -> client.example.com TELNET R port=33861 13 0.00386 client.example.com -> server.example.com TELNET C port=33861 3773 7230 VT320377360377372# openv 14 0.02279 server.example.com -> client.example.com TELNET R port=33861 15 0.09331 client.example.com -> server.example.com TELNET C port=33861 16 0.00014 server.example.com -> client.example.com TELNET R port=33861 17 0.00158 client.example.com -> server.example.com TELNET C port=33861 18 0.00048 server.example.com -> client.example.com TELNET R port=33861 19 0.09758 client.example.com -> server.example.com TELNET C port=33861 20 4.28797 server.example.com -> client.example.com TELNET R port=33861 ****** ************** 21 0.09277 client.example.com -> server.example.com TELNET C port=33861 22 0.00027 server.example.com -> client.example.com TELNET R port=33861 23 0.09940 client.example.com -> server.example.com TELNET C port=33861 24 0.78898 client.example.com -> server.example.com TELNET C port=33861 s 25 0.00031 server.example.com -> client.example.com TELNET R port=33861 s 26 0.10070 client.example.com -> server.example.com TELNET C port=33861 27 0.19873 client.example.com -> server.example.com TELNET C port=33861 s 28 0.00037 server.example.com -> client.example.com TELNET R port=33861 s 29 0.01794 client.example.com -> server.example.com TELNET C port=33861 h 30 0.00024 server.example.com -> client.example.com TELNET R port=33861 h 31 0.09264 client.example.com -> server.example.com TELNET C port=33861 32 0.18913 client.example.com -> server.example.com TELNET C port=33861 u 33 0.00033 server.example.com -> client.example.com TELNET R port=33861 u 34 0.03462 client.example.com -> server.example.com TELNET C port=33861 s 35 0.00026 server.example.com -> client.example.com TELNET R port=33861 s 36 0.09568 client.example.com -> server.example.com TELNET C port=33861 37 0.17001 client.example.com -> server.example.com TELNET C port=33861 e 38 0.00035 server.example.com -> client.example.com TELNET R port=33861 e 39 0.07298 client.example.com -> server.example.com TELNET C port=33861 r 40 0.00047 server.example.com -> client.example.com TELNET R port=33861 r 41 0.09634 client.example.com -> server.example.com TELNET C port=33861 42 0.00008 server.example.com -> client.example.com TELNET R port=33861 Password: 43 0.09982 client.example.com -> server.example.com TELNET C port=33861 44 1.47820 client.example.com -> server.example.com TELNET C port=33861 B 45 0.09170 server.example.com -> client.example.com TELNET R port=33861 46 0.14235 client.example.com -> server.example.com TELNET C port=33861 ony 47 0.09765 server.example.com -> client.example.com TELNET R port=33861 48 0.19136 client.example.com -> server.example.com TELNET C port=33861 9t 49 0.09859 server.example.com -> client.example.com TELNET R port=33861 50 0.23350 client.example.com -> server.example.com TELNET C port=33861 o 51 0.09662 server.example.com -> client.example.com TELNET R port=33861 52 0.01480 client.example.com -> server.example.com TELNET C port=33861 e 53 0.09507 server.example.com -> client.example.com TELNET R port=33861openv 14 0.02279 server.example.com -> client.example.com TELNET R port=33861 15 0.09331 client.example.com -> server.example.com TELNET C port=33861 16 0.00014 server.example.com -> client.example.com TELNET R port=33861 17 0.00158 client.example.com -> server.example.com TELNET C port=33861 18 0.00048 server.example.com -> client.example.com TELNET R port=33861 19 0.09758 client.example.com -> server.example.com TELNET C port=33861 20 4.28797 server.example.com -> client.example.com TELNET R port=33861 ****** ************** 21 0.09277 client.example.com -> server.example.com TELNET C port=33861 22 0.00027 server.example.com -> client.example.com TELNET R port=33861 23 0.09940 client.example.com -> server.example.com TELNET C port=33861 24 0.78898 client.example.com -> server.example.com TELNET C port=33861 s 25 0.00031 server.example.com -> client.example.com TELNET R port=33861 s 26 0.10070 client.example.com -> server.example.com TELNET C port=33861 27 0.19873 client.example.com -> server.example.com TELNET C port=33861 s 28 0.00037 server.example.com -> client.example.com TELNET R port=33861 s 29 0.01794 client.example.com -> server.example.com TELNET C port=33861 h 30 0.00024 server.example.com -> client.example.com TELNET R port=33861 h 31 0.09264 client.example.com -> server.example.com TELNET C port=33861 32 0.18913 client.example.com -> server.example.com TELNET C port=33861 u 33 0.00033 server.example.com -> client.example.com TELNET R port=33861 u 34 0.03462 client.example.com -> server.example.com TELNET C port=33861 s 35 0.00026 server.example.com -> client.example.com TELNET R port=33861 s 36 0.09568 client.example.com -> server.example.com TELNET C port=33861 37 0.17001 client.example.com -> server.example.com TELNET C port=33861 e 38 0.00035 server.example.com -> client.example.com TELNET R port=33861 e 39 0.07298 client.example.com -> server.example.com TELNET C port=33861 r 40 0.00047 server.example.com -> client.example.com TELNET R port=33861 r 41 0.09634 client.example.com -> server.example.com TELNET C port=33861 42 0.00008 server.example.com -> client.example.com TELNET R port=33861 Password: 43 0.09982 client.example.com -> server.example.com TELNET C port=33861 44 1.47820 client.example.com -> server.example.com TELNET C port=33861 B 45 0.09170 server.example.com -> client.example.com TELNET R port=33861 46 0.14235 client.example.com -> server.example.com TELNET C port=33861 ony 47 0.09765 server.example.com -> client.example.com TELNET R port=33861 48 0.19136 client.example.com -> server.example.com TELNET C port=33861 9t 49 0.09859 server.example.com -> client.example.com TELNET R port=33861 50 0.23350 client.example.com -> server.example.com TELNET C port=33861 o 51 0.09662 server.example.com -> client.example.com TELNET R port=33861 52 0.01480 client.example.com -> server.example.com TELNET C port=33861 e 53 0.09507 server.example.com -> client.example.com TELNET R port=33861
Note the ASCII representation of the dialogue in the far right column. You can see that in this example, the account name and password are in clear-text and easy to detect! This is why telnet and FTP are called "clear-text" utilities “ all communication is sent over the network in clear-text.
# snoop -o /tmp/snoop.txt port 22 client.example.com Using device /dev/le (promiscuous mode 0
$ ssh -l sshuser server.example.com sshuser@server.example.com's password: Last login: Mon Apr 14 11:13:12 2003 from client.example.com. $ ls a etc nsmail openssh31.zip $
# snoop -i /tmp/snoop.txt more (some output cut for brevity) 1 0.00000 client.example.com -> server.example.com TCP D=22 S=33874 Syn Seq=1 61238050 Len=0 Win=24820 Options= 2 0.00003 server.example.com -> client.example.com TCP D=33874 S=22 Syn Ack=1 61238051 Seq=3683871110 Len=0 Win=24820 Options= 3 0.00097 client.example.com -> server.example.com TCP D=22 S=33874 Ack=3 683871111 Seq=161238051 Len=0 Win=24820 4 0.07606 server.example.com -> client.example.com TCP D=33874 S=22 Ack=1 61238051 Seq=3683871111 Len=22 Win=24820 5 0.00067 client.example.com -> server.example.com TCP D=22 S=33874 Ack=3 683871133 Seq=161238051 Len=0 Win=24820 6 0.19015 client.example.com -> server.example.com TCP D=22 S=33874 Ack=3 683871133 Seq=161238051 Len=22 Win=24820 7 0.00007 server.example.com -> client.example.com TCP D=33874 S=22 Ack=1 61238073 Seq=3683871133 Len=0 Win=24820 8 0.01781 client.example.com -> server.example.com TCP D=22 S=33874 Ack=3 683871133 Seq=161238073 Len=544 Win=24820 9 0.07882 server.example.com -> client.example.com TCP D=33874 S=22 Ack=1 61238617 Seq=3683871133 Len=544 Win=24820 10 0.01344 client.example.com -> server.example.com TCP D=22 S=33874 Ack=3 683871677 Seq=161238617 Len=24 Win=24820 11 0.09352 server.example.com -> client.example.com TCP D=33874 S=22 Ack=1 61238641 Seq=3683871677 Len=0 Win=24820 12 0.05308 server.example.com -> client.example.com TCP D=33874 S=22 Ack=1 61238641 Seq=3683871677 Len=424 Win=24820 13 0.09536 client.example.com -> server.example.com TCP D=22 S=33874 Ack=3 683872101 Seq=161238641 Len=0 Win=24820 14 0.74769 client.example.com -> server.example.com TCP D=22 S=33874 Ack=3 683872101 Seq=161238641 Len=416 Win=24820 15 0.09385 server.example.com -> client.example.com TCP D=33874 S=22 Ack=1 61239057 Seq=3683872101 Len=0 Win=24820 16 1.00661 server.example.com -> client.example.com TCP D=33874 S=22 Ack=1 61239057 Seq=3683872101 Len=736 Win=24820 17 0.10202 client.example.com -> server.example.com TCP D=22 S=33874 Ack=3 683872837 Seq=161239057 Len=0 Win=24820 18 0.96630 client.example.com -> server.example.com TCP D=22 S=33874 Ack=3 683872837 Seq=161239057 Len=16 Win=24820 19 0.09513 server.example.com -> client.example.com TCP D=33874 S=22 Ack=1 61239073 Seq=3683872837 Len=0 Win=24820 20 0.00081 client.example.com -> server.example.com TCP D=22 S=33874 Ack=3 683872837 Seq=161239073 Len=48 Win=24820 21 0.04351 server.example.com -> client.example.com TCP D=33874 S=22 Ack=1 61239121 Seq=3683872837 Len=48 Win=24820
Note that in this snoop output, there is no readable data in the far right-hand column, since all the data is encrypted.
# snoop -i /tmp/snoop.txt -x 0 more (some output cut for brevity) 0: 0800 2077 0121 0800 207a 6ae5 0800 4500 .. w.!.. zj...E. 16: 0028 d071 4000 4006 2027 ac10 7906 ac10 .(.q@.@. '..y... 32: 7910 0016 8452 db93 699d 099c 4c39 5010 y....R..i...L9P. 48: 60f4 e539 0000 '..9.. 8 0.01781 client.example.com -> server.example.com TCP D=22 S=33874 Ack=3 683871133 Seq=161238073 Len=544 Win=24820 0: 0800 207a 6ae5 0800 2077 0121 0800 4500 .. zj... w.!..E. 16: 0248 684f 4000 4006 8629 ac10 7910 ac10 .HhO@.@..)..y... 32: 7906 8452 0016 099c 4c39 db93 699d 5018 y..R....L9..i.P. 48: 60f4 8725 0000 0000 021c 0914 b507 d790 '..%............ 64: 8d12 568c 6627 7c75 9487 347b 0000 003d ..V.f'u..4{...= 80: 6469 6666 6965 2d68 656c 6c6d 616e 2d67 diffie-hellman-g 96: 726f 7570 2d65 7863 6861 6e67 652d 7368 roup-exchange-sh 112: 6131 2c64 6966 6669 652d 6865 6c6c 6d61 a1,diffie-hellma 128: 6e2d 6772 6f75 7031 2d73 6861 3100 0000 n-group1-sha1... 144: 0f73 7368 2d72 7361 2c73 7368 2d64 7373 .ssh-rsa,ssh-dss 160: 0000 0066 6165 7331 3238 2d63 6263 2c33 ...faes128-cbc,3 176: 6465 732d 6362 632c 626c 6f77 6669 7368 des-cbc,blowfish 192: 2d63 6263 2c63 6173 7431 3238 2d63 6263 -cbc,cast128-cbc 208: 2c61 7263 666f 7572 2c61 6573 3139 322d ,arcfour,aes192- 224: 6362 632c 6165 7332 3536 2d63 6263 2c72 cbc,aes256-cbc,r 240: 696a 6e64 6165 6c2d 6362 6340 6c79 7361 ijndael-cbc@lysa 256: 746f 722e 6c69 752e 7365 0000 0066 6165 tor.liu.se...fae 272: 7331 3238 2d63 6263 2c33 6465 732d 6362 s128-cbc,3des-cb 288: 632c 626c 6f77 6669 7368 2d63 6263 2c63 c,blowfish-cbc,c 304: 6173 7431 3238 2d63 6263 2c61 7263 666f ast128-cbc,arcfo 320: 7572 2c61 6573 3139 322d 6362 632c 6165 ur,aes192-cbc,ae 336: 7332 3536 2d63 6263 2c72 696a 6e64 6165 s256-cbc,rijndae 352: 6c2d 6362 6340 6c79 7361 746f 722e 6c69 l-cbc@lysator.li 368: 752e 7365 0000 0055 686d 6163 2d6d 6435 u.se...Uhmac-md5 384: 2c68 6d61 632d 7368 6131 2c68 6d61 632d ,hmac-sha1,hmac- 400: 7269 7065 6d64 3136 302c 686d 6163 2d72 ripemd160,hmac-r 416: 6970 656d 6431 3630 406f 7065 6e73 7368 ipemd160@openssh
SECTION I - Obtaining, Compiling and Installing OpenSSH
SECTION II - How to Use OpenSSH Clients for Unix-to-Unix Connectivity
SECTION III - How To Use PuTTY/WinSCP For PC-To-Unix Connectivity
SECTION IV - Using Public Key Authentication
SECTION V - Troubleshooting SSH Connections
SECTION VI - Advanced SSH Topics
Conclusion
Appendix - Sample sshd_config File