Secure Shell (SSH) is a means of logging in to a remote host over a secure, encrypted communication channel on top of what is fundamentally an insecure network technology: TCP/IP. SSH is designed to replace the insecure rlogin and remsh commands. Consequently, we also have secure versions of ftp (sftp) and rcp (scp) that come as part of the SSH product. Based on OpenSSH 3.6p2, HP's Secure Shell offers support for the SSH-1 and SSH-2 protocols as well as enhanced security by utilizing HP's Strong Random Number Generator (if installed). The product is free to download from http://software.hp.com (under Security and Manageability) and is available for HP-UX 11.0 and 11i (versions 1, 1.6, and 2.0). SSH does not require a reboot to install; the Strong Random Number Generator software does.

Once installed, one of the first tasks is to generate your public/private key pairs. This is normally performed on a user-by-user basis, because the resulting keys are stored under the user's home directory, in a subdirectory called .ssh. For this example, I am going to use an SSH-2 DSA key (the Digital Signature Algorithm is at the heart of the U.S. federal-backed standard known as DSS, the Digital Signature Standard). I am not going to use a passphrase, which is similar to an additional password:

```
root@hpeos004[.root] ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/.root/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /.root/.ssh/id_dsa.
Your public key has been saved in /.root/.ssh/id_dsa.pub.
The key fingerprint is:
c0:10:47:2e:5c:ce:3a:97:a9:3e:ec:09:53:c2:b2:40 root@hpeos004
root@hpeos004[.root]
```

My public key is stored in the file id_dsa.pub:

```
root@hpeos004[.ssh] ll
total 6
-rw-------   1 root       sys            668 Oct 13 16:36 id_dsa
-rw-r--r--   1 root       sys            603 Oct 13 16:36 id_dsa.pub
-rw-------   1 root       sys           1024 Oct 12 09:22 prng_seed
root@hpeos004[.ssh] cat id_dsa.pub
ssh-dss AAAAB3NzaC1kc3MAAACBAOe+r+XkL/tCKh4aRc+uLx/BJaeKuNnQ+oTBnjeA9P1kzKDG190kbhltPurxLtpfH9VMQXQYXTCywkRcmXQBI4eLYVCHHUv92qaamrjqiCjnwP+gDJYEFsQl4OD/OO6Umoi7aZGJ9mCbW4QCkKQmSmRwooydY6LxstEegh9tSv5NAAAAFQCup39BkFqMWgooRFPaw78DV9JzgwAAAIAZbOkyPr7eLm5umgoS6ZLBv0FDxNGmWiM/ey/niPduGh0InQL+Sgc3xR9PI7IFUGl0v8fl6/9vBl+1f/4kPFAUt4We4KbaGn2JgM/MBs1Ptyyz42OOYIZ/7n5F90PxVmpabNW6qO6ysoZbXkvCQfDq9eiAF0mUCvCs0LxL/80GoAAAAIEAmwmdqSID0PO9JFaey7u5k3XQ3csOPPQSdyBBxjkRMdzaD8j47uE1DFcr/ueG2QDduEXgBOV0KonQA+8I34HAurEvww4a6We9d+IMiLYoslfUDhuOQuoGI9R05RY7iW/e9YhExA//U9auCXl1MGkNblufiTQCM9tsZTvcjEYv+Ms= root@hpeos004
root@hpeos004[.ssh]
```

I need to create a file called authorized_keys in the .ssh directory containing the public keys of all the machines I will communicate with at some time in the future. It's a good idea to do this now in one session, because it means that we don't need to worry about it in the future. If we add any nodes to our network that we will communicate with, we will need to update the authorized_keys file with the public key for that machine. To generate the public key for other machines, I will simply log in to those machines and go through the procedure listed above. Unfortunately, for the SSH utilities to work, my home directory must have permissions of 755 (rwxr-xr-x):

```
root@hpeos004[.ssh] chmod 755 /.root
root@hpeos004[.ssh]
```

We can now update the authorized_keys file in the .ssh directory so that it contains the public keys of all other nodes on the network. I am simply using a terminal window on each node and cutting and pasting to update the authorized_keys file.
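The set-up just described (a per-user key pair, an authorized_keys file on every node, and a home directory with permissions sshd will accept) is easy to get subtly wrong: with its default StrictModes setting, sshd ignores authorized_keys when the home directory, the .ssh directory or the file itself is writable by group or others, and ssh ignores a private key that other users can read. In both cases the only symptom is that you are still asked for a password. The following is an added example, not code from the book, of a POSIX sh script that performs those checks and merges the id_dsa.pub files collected from each node into one authorized_keys file without duplicates. It assumes the standard OpenSSH file layout ($HOME/.ssh/id_dsa, id_dsa.pub, authorized_keys) and only ls, awk, cut and chmod, so it runs on HP-UX and Linux alike; the directory and key strings in the demo function are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the book): pre-flight checks for passwordless SSH
# between nodes. Assumes a standard OpenSSH layout under $HOME/.ssh and only
# POSIX ls/awk/cut/chmod.

# mode_of PATH: the 10-character symbolic mode from ls, e.g. drwxr-xr-x
mode_of() { ls -ld "$1" | cut -c1-10; }

# writable_by_others MODE: true when group (char 6) or other (char 9) has 'w'.
# sshd's default StrictModes refuses an authorized_keys reached through such a path.
writable_by_others() {
    case "$1" in
        ?????w????|????????w?) return 0 ;;
        *) return 1 ;;
    esac
}

# readable_by_others MODE: true when group (char 5) or other (char 8) has 'r'.
# ssh ignores a private key file that is this exposed.
readable_by_others() {
    case "$1" in
        ????r?????|???????r??) return 0 ;;
        *) return 1 ;;
    esac
}

# check_ssh_dir HOME: print one line per problem; return the number found (0 = clean)
check_ssh_dir() {
    home=$1
    problems=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        m=$(mode_of "$p")
        if writable_by_others "$m"; then
            echo "PROBLEM: $p is group/world writable ($m); sshd will ignore authorized_keys"
            problems=$((problems + 1))
        fi
    done
    for k in "$home/.ssh/id_dsa" "$home/.ssh/id_rsa"; do
        [ -f "$k" ] || continue
        m=$(mode_of "$k")
        if readable_by_others "$m"; then
            echo "PROBLEM: private key $k is readable by others ($m); ssh will refuse to use it"
            problems=$((problems + 1))
        fi
    done
    return $problems
}

# merge_pubkeys OUT PUBFILE...: build one authorized_keys from the id_dsa.pub
# files collected from each node, dropping blank and duplicate lines, and
# give it the 644 mode used in the chapter.
merge_pubkeys() {
    out=$1
    shift
    cat "$@" | awk 'NF && !seen[$0]++' > "$out"
    chmod 644 "$out"
}

# count_keys FILE: number of key lines in an authorized_keys file
count_keys() { awk 'NF' "$1" | wc -l | tr -d ' '; }

# Usage on a constructed layout (the key strings are truncated, made-up values):
demo() {
    d=$(mktemp -d)
    mkdir -m 755 "$d/home"
    mkdir -m 700 "$d/home/.ssh"
    echo "ssh-dss AAAAB3NzaC1kc3MAAACB root@hpeos004" > "$d/hpeos004.pub"
    echo "ssh-dss AAAAB3NzaC1kc3MAAACC root@hpeos003" > "$d/hpeos003.pub"
    # the same file given twice: the duplicate line is dropped
    merge_pubkeys "$d/home/.ssh/authorized_keys" "$d/hpeos004.pub" "$d/hpeos003.pub" "$d/hpeos004.pub"
    : > "$d/home/.ssh/id_dsa"
    chmod 600 "$d/home/.ssh/id_dsa"
    check_ssh_dir "$d/home" && echo "OK: $(count_keys "$d/home/.ssh/authorized_keys") keys, permissions acceptable"
    rm -rf "$d"
}
demo
```

Run check_ssh_dir against each user's home directory on every node after distributing the file; a non-zero return value lists exactly the path that needs chmod, which is quicker than guessing why a password prompt still appears.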
It's a good idea to create one file on one host, which you can then distribute to all nodes on the network. Here's my authorized_keys file for all nodes in my network, with the appropriate permissions applied:

```
root@hpeos004[.ssh] cat authorized_keys
ssh-dss AAAAB3NzaC1kc3MAAACBAOe+r+XkL/tCKh4aRc+uLx/BJaeKuNnQ+oTBnjeA9P1kzKDG190kbhltPurxLtpfH9VMQXQYXTCywkRcmXQBI4eLYVCHHUv92qaamrjqiCjnwP+gDJYEFsQl4OD/OO6Umoi7aZGJ9mCbW4QCkKQmSmRwooydY6LxstEegh9tSv5NAAAAFQCup39BkFqMWgooRFPaw78DV9JzgwAAAIAZbOkyPr7eLm5umgoS6ZLBv0FDxNGmWiM/ey/niPduGh0InQL+Sgc3xR9PI7IFUGl0v8fl6/9vBl+1f/4kPFAUt4We4KbaGn2JgM/MBs1Ptyyz42OOYIZ/7n5F90PxVmpabNW6qO6ysoZbXkvCQfDq9eiAF0mUCvCs0LxL/80GoAAAAIEAmwmdqSID0PO9JFaey7u5k3XQ3csOPPQSdyBBxjkRMdzaD8j47uE1DFcr/ueG2QDduEXgBOV0KonQA+8I34HAurEvww4a6We9d+IMiLYoslfUDhuOQuoGI9R05RY7iW/e9YhExA//U9auCXl1MGkNblufiTQCM9tsZTvcjEYv+Ms= root@hpeos004
ssh-dss [key text not reproduced here] root@hpeos003
ssh-dss [key text not reproduced here] root@hpeos002
ssh-dss AAAAB3NzaC1kc3MAAACBAI7AeX40a196y3MdKqrD/U+1ygoB1AM/twZRIkuGCfjoYETWpj5aDivVBf7Vc2e5xott/wpR4f0drB/bG0qMdyKxcb6jDKZZZUWJJouEH5qBudNR9jtX50OKGEJJVG+r8WYH9DbXRgB2ld/U3QmLoev9wVw+Tj0VyiLVYQqVVE7RAAAAFQDjiDWzzLdNkmLLGd6XkIMdY7e1PQAAAIBWfVIKH2cVowcx5fgxngToJig94ejZ8qWjivNPC+plBV7ySmpUJovjYJUzAMJO+0I88+AZblkdVsTrLrjcfdpgE8zg+XWqKS/ChbKqZUKfxg9IwIY8pKkU9GlbXV1VZDFXSIi0XvBQ+XHTp2tdyso63cOndWuGQbJ1Sk4BH+VmqgAAAIAi2nTy5cX6nKRTDE345JQ/a+y67mE9cwXzVebGOi406ClA1omm31UsnVbDN8eT70qIBZeqcQVT7UgkkFEowlnx0yPQ5V+2tFPoNq2St+UPIkukK5jS/NxL1sA3w3DcGsXyfywexidD1sSj8iiei8l7Hb8BDV2ownLw5a6Gir/VXw== root@hpeos001
root@hpeos004[.ssh]
root@hpeos004[.ssh] chmod 644 authorized_keys
root@hpeos004[.ssh] ll
total 12
-rw-r--r--   1 root       sys           2413 Oct 13 17:19 authorized_keys
-rw-------   1 root       sys            668 Oct 13 16:36 id_dsa
-rw-r--r--   1 root       sys            603 Oct 13 16:36 id_dsa.pub
-rw-------   1 root       sys           1024 Oct 12 09:22 prng_seed
root@hpeos004[.ssh]
```

After I have ensured that all nodes have the complete authorized_keys file, I can start to establish what is known as the known_hosts file. This will authenticate me on the remote host. Initially, we will be asked for our password, because we haven't been authenticated on that node previously. Once authenticated, we will no longer need to enter our password to log in to the remote machine. In effect, the known_hosts file is acting like the $HOME/.rhosts file.

```
root@hpeos004[.ssh] ssh hpeos003
The authenticity of host 'hpeos003 (192.168.0.33)' can't be established.
RSA key fingerprint is 15:a7:fe:35:55:01:6c:a1:da:c3:74:50:23:0d:94:62.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'hpeos003,192.168.0.33' (RSA) to the list of known hosts.
root@hpeos003's password:
Last login: Mon Oct 13 17:00:47 2003 from hpeos004
(c)Copyright 1983-2000 Hewlett-Packard Co., All Rights Reserved.
(c)Copyright 1979, 1980, 1983, 1985-1993 The Regents of the Univ. of California
(c)Copyright 1980, 1984, 1986 Novell, Inc.
(c)Copyright 1986-1992 Sun Microsystems, Inc.
(c)Copyright 1985, 1986, 1988 Massachusetts Institute of Technology
(c)Copyright 1989-1993 The Open Software Foundation, Inc.
(c)Copyright 1986 Digital Equipment Corp.
(c)Copyright 1990 Motorola, Inc.
(c)Copyright 1990, 1991, 1992 Cornell University
(c)Copyright 1989-1991 The University of Maryland
(c)Copyright 1988 Carnegie Mellon University
(c)Copyright 1991-2000 Mentat Inc.
(c)Copyright 1996 Morning Star Technologies, Inc.
(c)Copyright 1996 Progressive Systems, Inc.
(c)Copyright 1991-2000 Isogon Corporation, All Rights Reserved.

                           RESTRICTED RIGHTS LEGEND
Use, duplication, or disclosure by the U.S. Government is subject to
restrictions as set forth in sub-paragraph (c)(1)(ii) of the Rights in
Technical Data and Computer Software clause in DFARS 252.227-7013.

                           Hewlett-Packard Company
                           3000 Hanover Street
                           Palo Alto, CA 94304 U.S.A.

Rights for non-DOD U.S. Government Departments and Agencies are as set
forth in FAR 52.227-19(c)(1,2).

Value of TERM has been set to "dtterm".
WARNING:  YOU ARE SUPERUSER !!

root@hpeos003[.root]
```

At this stage, you might want to authenticate all other machines to get that task out of the way. As you can see from my system, I have taken the time to authenticate all nodes on my network:

```
root@hpeos004[.ssh] cat known_hosts
hpeos003,192.168.0.33 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA1aCVYoAt24zGbQMBSrlug5sfsg0tcVS8M2Me3Ies4chPW/4n/IDrhry8CBs8nGz8quRzW9WEYIZR+aJ0MxY5/3j6tDpkoq8aqGk7obb5NFkxiw+ktjgV3k2ovV83mLNE+cCYT90EFiIAIvZmIAN/+Yy3KwHBizdsG8HwULplGSE=
hpeos001,192.168.0.67 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAm99WPPb265PJ/Ag4tMHZzV2RMCd+UAs5Lk96ekQH0s7RkDqpm4806yrt8f68ydYAgVts3cCiBD3dRjVSmRTOgrBPn2gEEIwjcTJ36MusnV4wRkD0iAclPx6slD3Ss7j1E0XRe7F8XcR4FHxtpar4JaWgqVgS3yLBikRR3ZN9be8=
hpeos002,192.168.0.34 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAw2K2lMpLeSFxshgZ3oaAyGr2jy+YMiszkk2xTXBWJNAm2qeyU9Yq33QL7dtWDgjQwE9AYisecXZ8NnvrTIlFY24IDdxGwxafXKhWbHpM4GPiX8Y50q90O0vPbHn1WvbAdYvbv9+S3/WMP4KGU+JUY/CuE6xRuhvJjM5roCbFjnE=
root@hpeos004[.ssh]
```

I can now use ssh as I would have used rlogin and remsh:

```
root@hpeos004[.ssh] ssh hpeos001 "netstat -i"
Name      Mtu  Network         Address         Ipkts   Ierrs Opkts   Oerrs Coll
lan0      1500 192.168.0.64    hpeos001        2012    0     1754    0     0
lo0       4136 127.0.0.0       localhost       1829    0     1829    0     0
root@hpeos004[.ssh]
```

The utilities scp and sftp work as you would expect rcp and ftp to work, except that we are not asked for usernames and passwords, because we have already been authenticated:

```
root@hpeos004[.ssh] sftp hpeos002
Connecting to hpeos002...
sftp> dir
.
..
.ICEauthority
.TTauthority
.Xauthority
.dt
.dtprofile
.profile
.q4_history
.sh_history
.ssh
.sw
sftp> quit
root@hpeos004[.ssh] scp hpeos003:/etc/hosts /tmp
hosts                100% 2922   779.6KB/s   00:00
root@hpeos004[.ssh] ll /tmp/hosts
-r--r--r--   1 root       sys           2922 Oct 13 17:45 /tmp/hosts
root@hpeos004[.ssh]
```

If you look at the .ssh directory on one of the other nodes, you will notice that we don't have a known_hosts file on those machines.
```
root@hpeos003[.root] ll .ssh
total 10
-rw-r--r--   1 root       sys           2413 Oct 13 17:25 authorized_keys
-rw-------   1 root       sys            668 Oct 13 17:01 id_dsa
-rw-r--r--   1 root       sys            603 Oct 13 17:01 id_dsa.pub
root@hpeos003[.root]
```

In order to be able to use ssh/scp/sftp without supplying passwords all the time, from any machine to any other machine, we will have to go through the steps above to authenticate each node from every other node. When you have many machines on your network, you might want to do those steps only for the machines you use regularly. Personally, I think users should be encouraged to use this system ASAP. It doesn't take long to set up, and it means that we are no longer sending unencrypted passwords over our networks. In time, we could even remove the telnet, ftp, login, and shell services from /etc/inetd.conf to ensure that no one used them. I think a period of education and familiarization would be appropriate before disabling the old services.
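The "RSA key fingerprint is ..." prompt in the first connection to hpeos003 above is the moment at which the remote host itself is being authenticated: answering yes records that host's public key in known_hosts, and every later connection is compared against the stored key, with ssh warning if it has changed. The prompt is therefore worth checking against a fingerprint obtained out of band (for example by running ssh-keygen -l -f on the public host key file at the console of hpeos003), and the stored entries are worth being able to audit later. The following is an added example, not code from the book, of a POSIX sh script that reads a known_hosts file in the plain format shown above, looks a host up by any of its comma-separated names, computes the MD5 fingerprint in the same aa:bb:cc form that ssh prints, and compares it against an expected value. It assumes unhashed known_hosts lines as written by OpenSSH 3.x and the base64 and md5sum utilities from coreutils; the known_hosts file it builds is constructed from a truncated key prefix, so its fingerprint is illustrative only.

```shell
#!/bin/sh
# Added example (not from the book): inspect and verify entries in an OpenSSH
# known_hosts file. Assumes plain, unhashed lines "host[,host...] keytype base64"
# as written by OpenSSH 3.x, plus base64(1) and md5sum(1) from coreutils.

# known_hosts_entry FILE HOST: print "keytype base64key" for the first line
# whose comma-separated name list contains HOST; exit status 1 if none does.
known_hosts_entry() {
    awk -v want="$2" '
        $1 !~ /^#/ && NF >= 3 {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++)
                if (names[i] == want) { print $2, $3; found = 1; exit }
        }
        END { if (found) exit 0; exit 1 }' "$1"
}

# key_fingerprint BASE64KEY: MD5 of the decoded key blob, formatted as the
# 16 colon-separated hex pairs ssh shows in "RSA key fingerprint is ...".
key_fingerprint() {
    printf '%s' "$1" | base64 -d | md5sum | awk '{print $1}' |
        sed 's/\(..\)/\1:/g; s/:$//'
}

# check_host_key FILE HOST EXPECTED_FP: return 0 when the stored key's
# fingerprint matches the expected one, 1 on mismatch (the host was rebuilt,
# or something is impersonating it, and either way the connection deserves
# investigation before typing a password), 2 when HOST is not in FILE.
check_host_key() {
    entry=$(known_hosts_entry "$1" "$2") || { echo "unknown: $2 not in $1"; return 2; }
    fp=$(key_fingerprint "${entry#* }")
    if [ "$fp" = "$3" ]; then
        echo "match: $2 ${entry%% *} $fp"
        return 0
    fi
    echo "MISMATCH: $2 stored $fp, expected $3"
    return 1
}

# A constructed known_hosts; the key material is a truncated but valid-base64
# prefix (the "ssh-rsa" header bytes of a real key), not an actual host key.
SAMPLE_KEY=AAAAB3NzaC1yc2EAAAABIwAAAIEA
write_sample_known_hosts() {
    printf 'hpeos003,192.168.0.33 ssh-rsa %s\n' "$SAMPLE_KEY" > "$1"
    printf 'hpeos001,192.168.0.67 ssh-rsa %s\n' "$SAMPLE_KEY" >> "$1"
}

# Usage: in practice the expected fingerprint comes from the host's console,
# not from the file being checked.
demo() {
    f=$(mktemp)
    write_sample_known_hosts "$f"
    expected=$(key_fingerprint "$SAMPLE_KEY")
    check_host_key "$f" hpeos003 "$expected"
    check_host_key "$f" 192.168.0.33 "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00"
    check_host_key "$f" hpeos002 "$expected"
    rm -f "$f"
}
demo
```

Because known_hosts lives in each user's home directory, the checks only cover the user that ran them; a node that has not yet connected to a host has no entry and will see the fingerprint prompt again, which is exactly the case the lookup reports as unknown.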