One of the most popular file transfer and remote login Linux applications is OpenSSH,
which provides a number of ways to create encrypted remote terminal and file transfer
connections between clients and servers. The OpenSSH Secure Copy (SCP) and Secure
FTP (SFTP) programs are secure replacements for FTP, and Secure Shell (SSH) is often
used as a stealthy alternative to TELNET. OpenSSH isn't limited to Linux; SSH and SCP
clients are available for most operating systems including Windows.
SSH uses the concept of randomly generated private and public keys to do its encryption.
The keys are usually created only once, but you have the option of regenerating them
should they become compromised.
A successful exchange of encrypted data requires the receiver to have a copy of the
sender's public key beforehand. Here's how it's done with SSH.
When you log into an SSH server, you are prompted as to whether you want to accept the
download of the server's public key before you can proceed. The SSH client's key is
uploaded to the server at the same time. This creates a situation in which the computers at
each end of the SSH connection have each other's keys and are able to decrypt the data
sent from the other end of the encrypted link or "tunnel".
All the public keys that an SSH client's Linux user encounters are stored in a file named
~/.ssh/known_hosts along with the IP address that provided it. If a key and IP address no
longer match, then SSH knows that something is wrong. For example, reinstalling the
operating system or upgrading the SSH application might regenerate the keys. Of course,
key changes can also be caused by someone attempting some sort of cyber attack. Always
investigate changes to be safe. Your server's own public and private SSH keys are stored
in the /etc/ssh/ directory.
Note: The .ssh directory is a hidden directory, as are all files and directories whose
names begin with a period. The ls -a command lists all normal and hidden files in a
directory. The ~/ notation is a universally accepted way of referring to your home
directory and is recognized by all Linux commands.
Linux uses other key files also to provide the capability of password-less logins and file
copying to remote servers using SSH and SCP. In this case, the SSH connection is
established, then the client automatically sends its public key which the server uses to
match against a predefined list in the user's directory. If there is a match then the login is
authorized. These files are also stored in your ~/.ssh directory and need to be specially
generated. The id_dsa and id_dsa.pub files are your private and public keys respectively,
and authorized_keys stores all the authorized public keys from remote hosts that may log
into your account without the need for passwords (more on this later).
Starting OpenSSH
OpenSSH is installed by default during Linux installations. With Ubuntu / Debian, this
may not be the case and it will have to be installed after the initial installation. The
apt-get install ssh command will be sufficient to activate SSH on these latter-mentioned
distributions.
Because SSH and SCP are part of the same application, they share the same configuration
file and are governed by the same /etc/init.d/sshd startup script.
You can configure SSH to start at boot by using the chkconfig command when running
Fedora / Redhat or with the sysv-rc-conf command with Debian / Ubuntu.
You can also start, stop, and restart SSH after booting by running the sshd initialization
script.
Remember to restart the SSH process every time you make a change to the configuration
files for the changes to take effect on the running process.
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::
#
# File: /etc/ssh/sshd_config
#
Protocol 2
1) Use the netstat command to make sure your system isn't listening on port 435, using
grep to filter out everything that doesn't have the string "435":
Port 435
3) Restart SSH:
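The check, edit and restart procedure above, written as reusable shell functions. This is an added example, not a script from the chapter: it assumes a configuration file that follows the commented-default convention shown in the snippet, with one keyword per line and no Match blocks, and it treats the first active line for a keyword as the effective one, which is how sshd itself resolves duplicates. The same functions handle any other keyword, for instance the GatewayPorts change made later in the chapter.

```shell
#!/bin/sh
# Added example (not from the chapter): read and change options in an sshd_config
# that follows the "commented line = default value" convention shown above.
# Assumptions: one "Keyword value" per line and no Match blocks (options inside
# a Match block apply conditionally and are out of scope here).

# Print the value of the first active (uncommented) KEY line; sshd uses the
# first match, so that is the effective setting. Prints nothing and returns 1
# when KEY appears only as a commented default.   usage: sshd_get KEY FILE
sshd_get() {
    awk -v key="$1" '
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { exit found ? 0 : 1 }
    ' "$2"
}

# Print the commented default for KEY ("#Port 22" -> 22), if the file has one.
sshd_default() {
    awk -v key="$1" '
        tolower($1) == ("#" tolower(key)) { print $2; found = 1; exit }
        END { exit found ? 0 : 1 }
    ' "$2"
}

# Make "KEY VALUE" the single active setting: replace an existing active line
# (dropping any later duplicates), otherwise insert right below the commented
# default, otherwise append. The rewrite goes through a temp file and back with
# cat so the original file keeps its owner and mode.  usage: sshd_set KEY VALUE FILE
sshd_set() {
    tmp=$(mktemp) || return 1
    awk -v key="$1" -v value="$2" '
        tolower($1) == tolower(key) {
            if (!done) { print key " " value; done = 1 }
            next
        }
        tolower($1) == ("#" tolower(key)) && !done {
            print; print key " " value; done = 1; next
        }
        { print }
        END { if (!done) print key " " value }
    ' "$3" > "$tmp" && cat "$tmp" > "$3"
    rm -f "$tmp"
}

# Step 1 as a function: return 0 if something already listens on TCP port $1.
# Uses ss where available (modern distributions), netstat otherwise.
port_in_use() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null | awk 'NR > 1 { print $4 }' | grep -q ":$1\$"
    else
        netstat -ltn 2>/dev/null | awk '{ print $4 }' | grep -q ":$1\$"
    fi
}

# Walk through the procedure on a scratch copy of the snippet above
# (constructed; run against /etc/ssh/sshd_config as root for the real thing).
demo() {
    cfg=$(mktemp)
    printf '%s\n' '#Port 22' '#Protocol 2,1' '#ListenAddress 0.0.0.0' 'Protocol 2' > "$cfg"
    # 1) make sure nothing else listens on the port we are moving to
    if port_in_use 435; then echo "port 435 already in use, pick another"; rm -f "$cfg"; return 1; fi
    # 2) change the port; the commented "#Port 22" stays as a reminder of the default
    echo "default port: $(sshd_default Port "$cfg")"
    sshd_set Port 435 "$cfg"
    echo "active port: $(sshd_get Port "$cfg")   protocol: $(sshd_get Protocol "$cfg")"
    # 3) check the syntax before restarting (sshd -t needs root to load the host keys)
    if command -v sshd >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        sshd -t -f "$cfg" || echo "syntax check failed, do not restart yet"
    fi
    echo "now restart the daemon: /etc/init.d/sshd restart"
    rm -f "$cfg"
}
demo
```

Running the check before the edit is what catches the "address already in use" failure that otherwise only shows up in the log after the restart; the syntax check step keeps a typo in the file from locking you out of a remote box when the daemon fails to come back.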
If you are user root and you want to log in to smallfry as yourself, use the command
User root can also log in to Smallfry as user peter via the default port 22:
The key is stored in your ~/.ssh/known_hosts file and you should never be prompted for
this again.
If you are confident that the error is due to a reinstallation, then edit your
~/.ssh/known_hosts text file, removing the entry for the offending remote server. When
you try connecting via SSH again, you'll be prompted to add the new key to your
~/.ssh/known_hosts file and the login session should proceed as normal after that.
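Removing the stale entry the careful way, as an added example that is not part of the chapter: the functions below locate the entry for a host in a known_hosts file, can show the stored key's fingerprint so it can be compared with what the server's administrator reports (the "always investigate" step above), and only then delete it. They assume the plain, unhashed entry format shown above (hashed entries beginning with |1| are skipped; ssh-keygen -F and -R handle those). The host names, addresses and key material in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the chapter): find, fingerprint and remove entries in
# a known_hosts file without touching the other hosts' keys.
# Entry format assumed: "name1,name2 keytype base64key", optionally preceded by
# an @cert-authority or @revoked marker. A server reached on a non-standard
# port (the chapter moves sshd to 435) is stored as "[name]:port".

_kh_awk='
    BEGIN { want = (port == 22) ? host : "[" host "]:" port }
    # comments, blank lines and hashed (|1|...) entries are never matched
    /^[[:space:]]*(#|$)/ || substr($0, 1, 3) == "|1|" { if (mode == "keep") print; next }
    {
        f = ($1 ~ /^@/) ? 2 : 1           # marker lines carry the names in field 2
        n = split($f, names, ","); hit = 0
        for (i = 1; i <= n; i++) if (names[i] == want) hit = 1
        if (hit != (mode == "keep")) print  # find: print hits; keep: print non-hits
    }
'

# known_hosts_find HOST FILE [PORT]   -> prints the matching entry line(s)
known_hosts_find() { awk -v host="$1" -v port="${3:-22}" -v mode=find "$_kh_awk" "$2"; }

# known_hosts_remove HOST FILE [PORT] -> rewrites FILE without that host's entry
known_hosts_remove() {
    tmp=$(mktemp) || return 1
    awk -v host="$1" -v port="${3:-22}" -v mode=keep "$_kh_awk" "$2" > "$tmp" && cat "$tmp" > "$2"
    rm -f "$tmp"
}

# known_hosts_fingerprint HOST FILE [PORT] -> fingerprint of the stored key,
# the value to compare against the one the server's owner gives you.
known_hosts_fingerprint() {
    command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not available" >&2; return 1; }
    known_hosts_find "$@" | ssh-keygen -lf /dev/stdin
}

demo() {
    kh=$(mktemp)
    cat > "$kh" <<'EOF'
# constructed entries with fake key material, not real host keys
bigboy,192.168.1.100 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCconstructedKeyOne
[192.168.1.100]:435 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCconstructedKeyTwo
smallfry ssh-dss AAAAB3NzaC1kc3MAAACBAPconstructedKeyThree
EOF
    echo "stored entry for bigboy:"; known_hosts_find bigboy "$kh"
    known_hosts_fingerprint bigboy "$kh" || echo "(no fingerprint: fake key data or no ssh-keygen)"
    known_hosts_remove bigboy "$kh"              # port-22 entry only
    echo "after removal ($(grep -c . "$kh") lines left):"; cat "$kh"
    # the same server on port 435 has its own entry and must be removed separately
    known_hosts_remove 192.168.1.100 "$kh" 435
    rm -f "$kh"
}
demo
```

On a system with OpenSSH installed, `ssh-keygen -R hostname -f ~/.ssh/known_hosts` does the removal natively (and also understands hashed entries); the point of the functions above is to show what that operation touches, and to make the fingerprint comparison a step rather than an afterthought.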
By default, the TELNET server isn't installed with Fedora Linux. If you do decide to
deactivate an active TELNET server, then use procedures detailed in Chapter 16, "Telnet,
TFTP, and xinetd".
Executing Remote Commands on Demand with SSH
A nice feature of SSH is that it is capable of logging in and executing single commands
on a remote system. You just have to place the remote command, enclosed in quotes, at
the end of the ssh command of the local server. In the example below, a user on server
smallfry who needs to know the version of the kernel running on server bigboy
(192.168.1.100) remotely runs the uname -a command. The command returns the version
of 2.6.8-1.521 and the server's name, bigboy.
This feature can be very useful. You can combine it with password-free login, explained
later in this chapter, to get the status of a remote server whenever you need it. More
comprehensive monitoring may best be left to such purpose built programs as MRTG,
which is covered in Chapter 22, "Monitoring Server Performance".
SSH Tunneling
You already know that SSH creates an encrypted data session between a client and
server. With SSH tunneling the server computer can also receive data from other
computers on the client's network over the very same session. The client is configured to
listen on a specified TCP port and all data received on that port will be automatically
SSH encrypted and relayed to the remote server. It is for this reason that SSH tunneling is
also called SSH port forwarding.
Local Forwarding: Forwards traffic coming to a local port to a specified remote port.
This is also known as outgoing tunneling, as the tunnel is established to the remote
server.
Remote Forwarding: Forwards traffic coming to a remote port to a specified local port.
This is also known as incoming tunneling, as the tunnel is established from the remote
server.
Local Forwarding
The syntax for local forwarding relies on the -L SSH command line qualifier which is
configured like this:
-L bind-address:bind-port:remote-server-address:remote-port
Where the bind-address and bind-port are the IP address and TCP port on which the local
computer will listen for connections from its neighbors. If the bind-address isn't listed,
then the server will only accept connections from localhost. The remote-server-address
and remote-port specify the same options for the remote server.
Note: Sometimes an intermediary relay host for the data can be used. In this case
the data passes through an encrypted SSH connection for the part of the journey
between the local server and the intermediary. The connection between the
intermediary and remote host is not. This is not a security issue when forwarding
SSH traffic, which is already encrypted, but it can be so when forwarding
unencrypted data such as POP mail, SMTP mail, or telnet.
Intermediaries can be useful especially when the intermediary host is the only
host on the local network with access to the remote host.
Example 1: The local computer forwards any connection to its NIC IP address on a
specified port to a remote host.
Here server bigboy is configured to forward any connections its NIC IP address of
192.168.1.100 receives on port 9999 to port 22 on server 216.10.135.26.
This can easily be tested. Using SSH to connect to bigboy on port 9999 actually logs you
into the remote server web-003.
Example 2: The local computer forwards any connection to localhost on a specified port
to a remote host via an intermediary server. Connections to the local computer's NIC on
the specified port are not allowed.
Here server smallfry is configured to forward any connections its localhost address
receives on port 9999 to port 22 on a remote server with an IP address of
216.10.135.26. Server bigboy is used as the intermediary.
You can use the netstat command on smallfry and bigboy to verify that connections have
been established between bigboy and web-003, and smallfry and bigboy.
In this case an SSH connection is created to mailserver using a shell process owned by
user root. The server mailserver then creates an unencrypted POP session (TCP port 110)
to itself. The advantage of this configuration is that POP data never leaves the POP server
unencrypted.
POP mail users on smallfry can then get their mail over the encrypted link by configuring
localhost as the POP mail server in their mail client, and not mailserver.
Remote Forwarding
The syntax for remote forwarding relies on the -R SSH command line qualifier which is
configured like this:
-R bind-address:bind-port:remote-server-address:remote-port
The syntax is similar to that of the -L option. The bind-address and bind-port are the IP
address and TCP port on which the local computer will listen for connections from its
neighbors. If the bind-address isn't listed, then the server will only accept connections
from localhost. The remote-server-address and remote-port specify the same options for
the remote server and are from the remote server's perspective. If you specify localhost as
the remote-server-address, SSH will interpret it to mean the Internet IP address of the
remote server.
This can be useful in a number of scenarios. For example, you cannot connect to your
office workstation via VPN due to network maintenance, but during this time your
workstation still has access to the Internet. Remote forwarding could provide you with
access.
Here's another scenario. You are moving into a new Internet data center, all the network
gear has been configured, but the installation of the data circuits has been delayed. This
has caused the configuration of the servers to be delayed. If one server wired to your
network can get access to a server on the Internet, via a wireless card, or otherwise, then
remote access to the data center could be achieved using remote forwarding.
Example 1: The local computer forwards any connection to localhost on a specified port
to a remote host. Forwarding occurs over a previously established connection from the
remote host. If we revisit our scenario where VPN access will be down due to
maintenance, the first thing to be done is to configure your workstation at work to
establish a remote forwarding SSH session to your home server.
Here workstation work-001 creates an SSH session to server bigboy at home. It also tells
bigboy to use this session to forward data to work-001 when bigboy receives SSH
connections to localhost on port 9999. Remember, the remote-server-address of the -R
option is from the remote server's perspective (work-001). If you specify localhost as the
remote-server-address, SSH will interpret it to mean the Internet IP address of the
remote server.
We have set up a ping session to ensure that there is constant traffic between bigboy and
work-001 over the connection so that any intermediary firewall doesn't kill it due to
inactivity.
When you arrive home, all you have to do is SSH to localhost on your home system to
gain access to your workstation at work.
As you can see, remote forwarding can be useful, convenient and productivity
enhancing.
Example 2: The local computer forwards any connection to its NIC on a specified port
to a remote host. Forwarding occurs over a previously established connection from the
remote host.
This is more fitting for our limited connectivity data center scenario. In this case the local
computer can be accessed by anyone on the Internet and it will forward any SSH
connections it receives on the specified port to the server in the data center with the
wireless access. Here's how it's done:
• Your local computer may be configured to only accept SSH connections for
remote forwarding on the loopback localhost interface. Edit your sshd_config file
and make sure the GatewayPorts setting is set to yes.
#
# File: /etc/ssh/sshd_config
#
GatewayPorts yes
Restart the SSH daemon to activate the setting.
[root@netserver-001 ~]# /etc/init.d/sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
[root@netserver-001 ~]#
• The next step is to establish the remote port forwarding session. Set up a ping if
you need constant activity on the link. In this case the Internet server is
netserver-001.my-web-site.org.
• Now it's time to test it. From our home server bigboy, we can SSH into server
netserver-001 on port 9999 and get access to the data center.
Most GUI clients will have SSH forwarding capabilities, configurable on each of your
saved connections rather than globally. The options should be found under the advanced
properties tab or its equivalent, and with your new Linux command line knowledge the
setup should be relatively easy.
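The local and remote forwarding examples above, assembled and sanity-checked in shell before being handed to ssh. This is an added example, not the chapter's own commands: the host names, addresses and ports are the chapter's, the user@host each tunnel is opened against is an assumption (the chapter's command lines are not reproduced on this page), and the ServerAliveInterval keepalive is an alternative to the chapter's ping for keeping an idle tunnel from being dropped by a firewall. The plaintext_leg check encodes the note about intermediary hosts: the leg from the SSH server to a third machine is not encrypted, which only matters when the forwarded protocol is itself cleartext.

```shell
#!/bin/sh
# Added example (not from the chapter): build and sanity-check -L / -R
# arguments for the forwarding scenarios above. ServerAliveInterval is a
# keepalive alternative to the chapter's ping; user@host values are assumed.

valid_port() { case $1 in ''|*[!0-9]*) return 1 ;; esac; [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; }

# forward_spec BIND_ADDR BIND_PORT DEST_ADDR DEST_PORT
# Builds "[bind-address:]bind-port:remote-server-address:remote-port".
# An empty BIND_ADDR means "listen on localhost only", as the text describes.
forward_spec() {
    valid_port "$2" && valid_port "$4" || { echo "bad port: $2 / $4" >&2; return 1; }
    [ -n "$3" ] || { echo "destination address required" >&2; return 1; }
    if [ -n "$1" ]; then printf '%s:%s:%s:%s\n' "$1" "$2" "$3" "$4"
    else printf '%s:%s:%s\n' "$2" "$3" "$4"; fi
}

# forward_cmd L|R USER@SSHHOST BIND_ADDR BIND_PORT DEST_ADDR DEST_PORT
# -N opens the tunnel without a remote shell; ServerAliveInterval=60 sends a
# keepalive every minute so an idle tunnel is not dropped for inactivity.
forward_cmd() {
    spec=$(forward_spec "$3" "$4" "$5" "$6") || return 1
    case $1 in L|R) ;; *) echo "mode must be L or R" >&2; return 1 ;; esac
    printf 'ssh -N -o ServerAliveInterval=60 -%s %s %s\n' "$1" "$spec" "$2"
}

# plaintext_leg SSHHOST DEST_ADDR DEST_PORT
# True (0) when the forward ends on a machine other than the SSH server itself
# AND the forwarded protocol is cleartext (telnet 23, SMTP 25, POP 110): the
# SSH-server-to-destination leg then carries credentials in the clear.
plaintext_leg() {
    case $2 in localhost|127.0.0.1|"$1") return 1 ;; esac
    case $3 in 23|25|110) return 0 ;; *) return 1 ;; esac
}

demo() {
    # Local forwarding example 1: bigboy listens on its NIC address, port 9999,
    # and relays to web-003's SSH port (the SSH target user@host is assumed).
    forward_cmd L root@216.10.135.26 192.168.1.100 9999 216.10.135.26 22
    # Local forwarding example 2: smallfry listens on localhost only, bigboy relays.
    forward_cmd L root@bigboy "" 9999 216.10.135.26 22
    # Remote forwarding example 1: work-001 opens the session to bigboy at home;
    # bigboy's localhost:9999 then leads back to work-001's sshd.
    forward_cmd R root@bigboy "" 9999 localhost 22
    # POP tunnel terminating on the mail server itself: no cleartext leg.
    plaintext_leg mailserver localhost 110 || echo "POP via mailserver: encrypted end to end"
    # POP relayed by bigboy to a different machine: the last leg is cleartext.
    plaintext_leg bigboy mailserver 110 && echo "warning: POP crosses bigboy->mailserver in the clear"
}
demo
```

Before starting a tunnel, check that nothing already listens on the bind port (ss -ltn or netstat -ltn); the "address already in use" message in the troubleshooting list below is exactly that collision, and a remote forward that binds to a NIC address rather than localhost additionally needs GatewayPorts yes on the listening side.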
Troubleshooting SSH Port Forwarding
There can be many complications with SSH port forwarding, and they are mostly related
to typographical errors. Here are a few symptoms that are easy to overcome:
• If remote forwarding doesn't work from a remote server, but works from
localhost, then make sure you have activated the GatewayPorts setting on your
computer. If not, change it, restart the SSH daemon and try again.
• If you get a message like this stating that the address is already in use, then you
may have another port forwarding session already started on the port or the port
you intend to use for forwarding is already in use by another application.
• If you are attempting remote forwarding using your server's NIC IP address and
get this message, then it could be because the GatewayPorts setting has been
disabled. With local forwarding, it could be caused by specifying an incorrect port
on which the server should listen.
SSH port forwarding is a very useful tool that can provide you with a great deal of
versatility when administering your servers. It's always a good thing to remember.
The Linux scp command for copying files has a format similar to that of the regular
Linux cp command. The first argument is the source file and the second is the destination
file. When copying to or from a remote server, SCP logs in to the server to transfer the
data and this therefore requires you to supply a remote server name, username, and
password to successfully execute the command. The remote filename is therefore
preceded by a prefix of the remote username and server name separated by an @ symbol.
The remote filename or directory then follows separated by a colon. The format therefore
looks like this:
username@servername:filename
username@servername:directoryname
For example, file /etc/syslog.conf on a server with IP address 192.168.1.100 that needs to
be retrieved as user peter would have the format peter@192.168.1.000:/etc/syslog.conf,
the entire /etc directory would be peter@192.168.1.000:/etc/.
Note: You can download an easy-to-use Windows SCP client called WinSCP from
http://winscp.vse.cz/eng/
To copy the file /tmp/software.rpm on the remote machine to the local directory /usr/rpm
using TCP port 435, use the commands
To copy file /etc/hosts on the local machine to directory /tmp on the remote server via
TCP port 435, use the commands
Here is a sample login sequence that logs in, gets help on the available commands and
downloads a file to the local server.
SCP has a feature that allows you to copy files without a password. You no longer have to worry about prying
eyes seeing your passwords nor worrying about your script breaking when someone
changes the password. You can configure SSH to do this by generating and installing
data transfer encryption keys that are tied to the IP addresses of the two servers. The
servers then use these pre-installed keys to authenticate one another for each file transfer.
As you may expect, this feature doesn't work well with computers with IP addresses that
periodically change, such as those obtained via DHCP.
There are some security risks though. The feature is automatically applied to SSH as
well. Someone could use your account to log in to the target server by entering the
username alone. It is therefore best to implement this using unprivileged accounts on both
the source and target servers.
The example that follows enables this feature in one direction (from server bigboy to
server smallfry) and only uses the unprivileged account called filecopy.
1) Generate your SSH encryption key pair for the filecopy account. Press the Enter key
each time you are prompted for a password to be associated with the keys. (Do not enter a
password.)
2) These key files are stored in the .ssh subdirectory of your home directory. View the
contents of that directory. The file named id_dsa is your private key, and id_dsa.pub is
the public key that you will be sharing with your target server. Versions other than
RedHat/Fedora may use different filenames; use the SSH man pages to verify this.
3) Copy only the public key to the home directory of the account to which you will be
sending the file.
1) Log into smallfry as user filecopy. Create a .ssh subdirectory in your home directory
and then go to it with cd.
[filecopy@smallfry filecopy]# ls
public-key.tmp
[filecopy@smallfry filecopy]# mkdir .ssh
[filecopy@smallfry filecopy]# chmod 700 .ssh
[filecopy@smallfry filecopy]# cd .ssh
2) Append the public-key.tmp file to the end of the authorized_keys file using the >>
append redirector with the cat command. The authorized_keys file contains a listing of all
the public keys from machines that are allowed to connect to your Smallfry account
without a password. Versions other than RedHat/Fedora may use different filenames; use
the SSH man pages to verify this.
From now on you can use ssh and scp as user filecopy from server bigboy to smallfry
without being prompted for a password.
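The target-side installation above (create .ssh, append the key to authorized_keys) as one function, together with the restriction the "security risks" paragraph calls for: since the key also grants a plain ssh login, the authorized_keys line can be prefixed with options that tie it to the sending host's address and deny it a shell and tunnels. This is an added example, not the chapter's own session. It assumes OpenSSH's authorized_keys format and its from=, no-pty, no-port-forwarding and no-agent-forwarding options; the filecopy account name, the address 192.168.1.100 and the key material in the demo are constructed. Key generation, when ssh-keygen is present, uses ed25519 rather than the chapter's DSA type, which current OpenSSH releases no longer accept.

```shell
#!/bin/sh
# Added example (not from the chapter): install a public key for password-free
# scp/ssh on the target server, with the permissions sshd insists on and with
# the key restricted to file transfer from one address.

# authorized_keys_add HOME PUBKEY_FILE [OPTIONS]
# Appends the key line from PUBKEY_FILE to HOME/.ssh/authorized_keys, creating
# .ssh (mode 700) and the file (mode 600) as needed and skipping keys that are
# already present. OPTIONS, if given, is written in front of the key; for
# example from="192.168.1.100",no-pty,no-port-forwarding,no-agent-forwarding
# limits the key to connections from that address and denies it a terminal
# and any tunnelling.
authorized_keys_add() {
    home=$1; pub=$2; opts=$3
    keyline=$(sed -n '1{s/[[:space:]]*$//;p;}' "$pub")   # first line, trailing blanks stripped
    [ -n "$keyline" ] || { echo "no key in $pub" >&2; return 1; }
    set -- $keyline                                     # split: type, base64 blob, comment
    [ $# -ge 2 ] || { echo "malformed key line in $pub" >&2; return 1; }
    blob=$2
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    ak=$home/.ssh/authorized_keys
    [ -f "$ak" ] || : > "$ak"
    chmod 600 "$ak"
    if grep -Fq -- "$blob" "$ak"; then
        echo "key already installed" >&2; return 0
    fi
    if [ -n "$opts" ]; then printf '%s %s\n' "$opts" "$keyline" >> "$ak"
    else printf '%s\n' "$keyline" >> "$ak"; fi
}

# authorized_keys_count HOME -> number of key lines installed (comments ignored)
authorized_keys_count() {
    f=$1/.ssh/authorized_keys
    [ -f "$f" ] || { echo 0; return 0; }
    awk '/^[^#]/ { n++ } END { print n + 0 }' "$f"
}

# make_keypair DIR -> the chapter's step 1: a key pair with an empty passphrase.
# Needs ssh-keygen; ed25519 replaces the DSA type the chapter used.
make_keypair() {
    command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not found" >&2; return 1; }
    ssh-keygen -q -t ed25519 -N '' -f "$1/id_ed25519" -C "filecopy@bigboy" </dev/null
}

demo() {
    work=$(mktemp -d)
    # Constructed public key line standing in for bigboy's id_dsa.pub (not a real key).
    printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCconstructedFilecopyKey filecopy@bigboy' \
        > "$work/public-key.tmp"
    # Install it for the filecopy account on smallfry, restricted to bigboy's
    # address and to plain file transfer (no shell, no tunnels).
    authorized_keys_add "$work/home" "$work/public-key.tmp" \
        'from="192.168.1.100",no-pty,no-port-forwarding,no-agent-forwarding'
    authorized_keys_add "$work/home" "$work/public-key.tmp"   # second run: no duplicate
    echo "keys installed: $(authorized_keys_count "$work/home")"
    cat "$work/home/.ssh/authorized_keys"
    ls -ld "$work/home/.ssh" "$work/home/.ssh/authorized_keys"
    rm -rf "$work"
}
demo
```

The from= option is what actually ties the key to the sending server's address: without it, the key works from any host that obtains the private file, which is why the chapter recommends unprivileged accounts on both ends. Permissions matter too; sshd silently refuses a .ssh directory or authorized_keys file that is writable by others, and the result looks like a password prompt that "should not be there".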
Conclusion
Most Linux security books strongly recommend using SSH and SCP over TELNET and
FTP because of their encryption capabilities. Despite this, there is still a place for FTP in
the world thanks to its convenience in providing simple global access to files, and for
TELNET, which is much easier to implement in price-sensitive network appliances than
SSH. Consider all options when choosing your file transfer and remote login programs,
and select improved security whenever possible, as the long-term benefits eventually
outweigh the additional cost.