Using openSSH to Securely Access Remote Systems
Posted: 21 Jun 2005
What is openSSH?
If you are new to Linux, you may not be familiar with Secure Shell (SSH). SSH provides a secure method to access a remote host in the style
of telnet, rlogin, ftp, and others. With SSH, all communication between host and
client computers is encrypted, reducing the risk of having passwords or data
SSH in SUSE Linux is provided via the
openSSH package, which is installed by default on all Novell/SUSE products.
openSSH provides a daemon, sshd, as well as three clients: ssh, sftp, and
client works much like telnet and rlogin---it allows
for remote login and execution of commands on a host system. The sftp client is
functionally similar to most command-line FTP clients. Lastly, scp allows files to
be copied to and from a remote host by using syntax similar to the cp
should be installed and active by default on most Novell/SUSE Linux systems. The
exception is SUSE Professional 9.3, where, for added security, the SSH daemon is
disabled by default with SuSEfirewall2. You can enable the SSH daemon in two
ways: during system installation or by editing the firewall settings later.
Enabling SSH during system installation is done in the “Network Configuration”
screen. Click on “disabled” to
toggle SSH to “enabled” as shown
in Figure 1. To modify the
firewall settings later, enter the Security and
Users>Firewall module in YaST and enable
SSH under Allowed Services as
shown in Figure 2.
Figure 1: Enabling SSH Server During
Figure 2: Enabling SSH Server After
If you did a custom install and openSSH was not
included, install it by performing the following steps:
the openSSH package in YaST. If you only want the clients (ssh, sftp, and
you can stop here.
want an SSH daemon, enable the service by using the System Services
(Runlevel) module in YaST, or type the
following as root:
# insserv /etc/init.d/sshd; rcsshd
Ensure that the SuSEfirewall2 allows SSH
connections as shown above.
order to implement encryption, each computer running the SSH daemon must be
uniquely identified. This is accomplished with RSA keys. When the
sshd daemon is
started for the first time it generates a random key pair to identify the host.
The key pair is stored in /etc/ssh/. This key
has a public and private component. Together they allow data to be encrypted and
decrypted. When connecting to a host for the first time, the host's public key
is given to the client computer. SSH issues a message similar to the following:
The authenticity of host 'computer.site
(220.127.116.11)' can't be established.
RSA key fingerprint is
Are you sure you want to continue connecting
yes causes the host's public key
to be placed in ~/.ssh/known_hosts
on the client. The next time the client connects, the key is read from this file
and the message is not displayed. Because the client now has the public key for
the host, encrypted communication is possible.
If the public key for the host changes (i.e., if a
new key is generated or if the system is reinstalled), SSH will issue a message
stating that the key has changed, which may be a sign of a security breach, and
will not let you connect. If you are certain everything is all right, simply
remove the old key from ~/.ssh/known_hosts on the client and try
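As an added example (not from the original article), the following script recomputes the fingerprint of a host key stored in ~/.ssh/known_hosts and compares it with a fingerprint obtained out of band, which is how the "can't be established" prompt above should be answered and how a "key has changed" warning can be checked before deleting the old entry. It assumes a Linux system with coreutils (base64, md5sum, sed); the known_hosts file, the key blobs and the 192.0.2.10 address are constructed placeholders, not real keys, and hashed "|1|..." entries are not handled.

```shell
#!/bin/sh
# Added example: verify the host key recorded in known_hosts against a
# fingerprint obtained out of band (e.g. read on the host's own console
# with: ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub).
# Needs only coreutils (base64, md5sum, sed); plain-text known_hosts
# entries only (hashed "|1|..." entries are not handled).

# Print "<keytype> <md5 fingerprint>" for the known_hosts entry of host $1.
# $1 = hostname, $2 = known_hosts file. Returns 1 if no entry exists.
host_fingerprint() {
    # an entry may list several names: "host,ip ssh-rsa AAAA..."
    entry=$(grep -E "^([^ ]*,)?$1(,[^ ]*)? " "$2" | head -n 1)
    [ -n "$entry" ] || return 1
    keytype=$(printf '%s\n' "$entry" | cut -d' ' -f2)
    blob=$(printf '%s\n' "$entry" | cut -d' ' -f3)
    # The fingerprint sshd announces is the MD5 of the decoded key blob,
    # written as colon-separated hex pairs.
    hex=$(printf '%s' "$blob" | base64 -d | md5sum | cut -d' ' -f1)
    printf '%s %s\n' "$keytype" "$(printf '%s' "$hex" | sed 's/../&:/g; s/:$//')"
}

# Compare the recorded fingerprint with the expected one.
# $1 = hostname, $2 = expected fingerprint, $3 = known_hosts file.
# Prints MATCH, MISMATCH (key changed or wrong host) or UNKNOWN (no entry).
verify_host() {
    got=$(host_fingerprint "$1" "$3") || { echo UNKNOWN; return 1; }
    if [ "${got#* }" = "$2" ]; then
        echo MATCH
    else
        echo MISMATCH; return 2
    fi
}

# Constructed sample known_hosts file. The "key blobs" are just the strings
# abc and abd base64-encoded, not real RSA keys; 192.0.2.10 is a
# documentation address.
KH=$(mktemp)
cat > "$KH" <<'EOF'
computer.site ssh-rsa YWJj
other.site,192.0.2.10 ssh-rsa YWJk
EOF

# Fingerprint you were given out of band for computer.site (MD5 of "abc")
EXPECTED=90:01:50:98:3c:d2:4f:b0:d6:96:3f:7d:28:e1:7f:72
verify_host computer.site "$EXPECTED" "$KH"            # MATCH
verify_host other.site "$EXPECTED" "$KH" || true       # MISMATCH
```

On a real system the same comparison is `ssh-keygen -l -F computer.site -f ~/.ssh/known_hosts` on the client against `ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub` on the host.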
The openSSH clients
The openSSH clients are very flexible and have
many options. For basic usage, however, they are relatively simple.
client has the following general syntax:
ssh [options] [user@]hostname
For example, to log in to host 18.104.22.168 as user
This can be simplified further. SSH automatically
uses the user name of the current user on the client if none is specified. This
applies to all the openSSH clients. For example, if the user is logged in as
jdoe on the client and wishes to log in as jdoe on the host, the command is:
If the key authentication succeeds, you
are prompted to enter your password and are then presented with a console login
on the remote server (see Figure 3). To close the connection, simply type
Figure 3: Sample ssh Session
ssh has two
important flags to remember: -X and -C. Using -X opens an X11 tunnel (X forwarding) to the
host. If an X-based application is launched on the host, it appears on the
client computer. The -C option causes all communication to be compressed with
the gzip algorithm. This increases the processor load of both the client and
host, but speeds communication. For example:
ssh -XC email@example.com
client works much like any other command-line FTP client. It has the basic
sftp [options] [user@]hostname
Once connected, use the standard get, put, and other commands
used with ftp. To exit your session, type
exit. Figure 4 shows a sample sftp session.
Figure 4: Sample sftp Session
client allows for seamlessly copying files between a client and a host computer.
scp resembles the cp command in many
ways. Its general syntax is:
scp [options] [[user@]host1:]file1 [...]
For example, to copy the file foo from the
home directory of the client user to the root directory of the host
or to do the opposite:
scp root@foo:/root/foo ~/
takes the options -r and -v for recursive and verbose operation. For example, to
copy the contents of /tmp/files on the host to /home/jdoe/files on
the client, and display all debugging information, type:
Warning: The steps
described in this section introduce security risks.
At times it is desirable to establish connections between two computers that
do not require a password. With SSH, these connections are possible.
To establish password-less connections, you simply need to tell the host
that your computer is a trusted client. This is done by generating a
public/private key pair on the client, and then giving the public key to the
To do this, perform the following steps:
On the client computer, generate a public/private key. Type the following
as the user you intend to connect from:
ssh-keygen -t rsa -b 1024
You are prompted for a location to
save the key to. Press enter
to accept the default location (~/.ssh/id_rsa).
You are prompted for a passphrase.
Press enter twice for
Your private key is saved to ~/.ssh/id_rsa, and your public key is saved
Type the following to copy your public key to the host computer:
ssh-copy-id -i ~/.ssh/id_rsa.pub
You are prompted for a password, after which the client's public key is copied to ~/.ssh/authorized_keys on the host. You are
then logged out.
You can add the client's public key to any user you wish on the host. The
current user on the client can then connect as any user on the host that has
this public key.
Now, ssh into the host computer
again. You are immediately presented with the command prompt, without being
prompted for a password. If your client's key is ever changed, you will need
to replace the old public key in ~/.ssh/authorized_keys on the host with the new key
from the client.
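The following is an added example, not the article's own commands: it reproduces by hand what ssh-copy-id does on the host side (append the key to ~/.ssh/authorized_keys without duplicating it and keep the permissions sshd's StrictModes requires) and shows how to replace a rotated client key as described in the last paragraph. The target directory, the key lines and the jdoe@client comment are constructed placeholders.

```shell
#!/bin/sh
# Added example: the host-side work that ssh-copy-id does, written out so
# the result can be inspected. Key lines and paths here are constructed.

# Add a public key line ($1) to authorized_keys under home directory $2.
# Idempotent: the key is appended only if its type+blob is not present.
# Permissions are set the way sshd's StrictModes expects (700 / 600);
# otherwise sshd ignores the key and you get the password prompt again.
install_pubkey() {
    home=${2:-$HOME}
    ak="$home/.ssh/authorized_keys"
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    touch "$ak" && chmod 600 "$ak"
    # compare on key type and blob only; the trailing comment may differ
    keypart=$(printf '%s\n' "$1" | cut -d' ' -f1,2)
    if ! grep -qF -- "$keypart" "$ak"; then
        printf '%s\n' "$1" >> "$ak"
    fi
}

# Replace a rotated client key: drop every entry whose comment (field 3,
# normally user@client) matches the new key's comment, then install it.
# $1 = new public key line, $2 = home directory.
replace_pubkey() {
    home=${2:-$HOME}
    ak="$home/.ssh/authorized_keys"
    comment=$(printf '%s\n' "$1" | cut -d' ' -f3)
    [ -n "$comment" ] || return 1
    [ -f "$ak" ] || touch "$ak"
    awk -v c="$comment" '$3 != c' "$ak" > "$ak.tmp"
    mv "$ak.tmp" "$ak" && chmod 600 "$ak"
    install_pubkey "$1" "$home"
}

# Number of key entries in authorized_keys under home directory $1.
count_keys() {
    grep -c '^ssh-' "${1:-$HOME}/.ssh/authorized_keys" || true
}

# Demo in a scratch directory with constructed key lines (not real keys).
DEMO=$(mktemp -d)
install_pubkey "ssh-rsa AAAAB3Nza-constructed-key-1 jdoe@client" "$DEMO"
install_pubkey "ssh-rsa AAAAB3Nza-constructed-key-1 jdoe@client" "$DEMO"  # no duplicate
replace_pubkey "ssh-rsa AAAAB3Nza-constructed-key-2 jdoe@client" "$DEMO"  # key rotated
cat "$DEMO/.ssh/authorized_keys"
```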