
Posted: 21 Jun 2005

Using openSSH to Securely Access Remote Systems

Applies To:

  • Novell Linux Desktop

  • Open Enterprise Server

  • SUSE LINUX Enterprise Server

  • SUSE LINUX Professional

What is openSSH?

If you are new to Linux, you may not be familiar with Secure Shell (SSH). SSH provides a secure method to access a remote host in the styles of telnet, rlogin, ftp, and others. With SSH, all communication between host and client computers is encrypted, reducing the risk of having passwords or data intercepted.

SSH in SUSE Linux is provided via the openSSH package, which is installed by default on all Novell/SUSE products. openSSH provides a daemon, sshd, as well as three clients: ssh, sftp, and scp. The ssh client works much like telnet and rlogin---it allows for remote login and execution of commands on a host system. The sftp client is functionally similar to most command-line FTP clients. Lastly, scp allows files to be copied to and from a remote host by using syntax similar to the cp command.


Using openSSH

Installation

openSSH should be installed and active by default on most Novell/SUSE Linux systems. The exception is SUSE Professional 9.3, where, for added security, the SSH port is blocked by default by SuSEfirewall2. You can enable SSH in two ways: during system installation or by editing the firewall settings later. Enabling SSH during system installation is done in the “Network Configuration” screen. Click on “disabled” to toggle SSH to “enabled” as shown in Figure 1. To modify the firewall settings later, open the Security and Users > Firewall module in YaST and enable SSH under Allowed Services as shown in Figure 2.


Figure 1: Enabling SSH Server During Installation


Figure 2: Enabling SSH Server After Installation

If you did a custom install and openSSH was not included, install it by performing the following steps:

  1. Install the openSSH package in YaST. If you only want the clients (ssh, sftp, and scp), you can stop here.

  2. If you want a SSH daemon, enable the service by using the System Services (Runlevel) module in YaST, or type the following as root:

      # insserv /etc/init.d/sshd; rcsshd start

  3. Ensure that the SuSEfirewall2 allows SSH connections as shown above.


RSA Keys

In order to implement encryption, each computer running the SSH daemon must be uniquely identified. This is accomplished with RSA keys. When the sshd daemon is started for the first time it generates a random key pair to identify the host. The key pair is stored in /etc/ssh/. This key has a public and private component. Together they allow data to be encrypted and decrypted. When connecting to a host for the first time, the host's public key is given to the client computer. SSH issues a message similar to the following:

The authenticity of host 'computer.site (137.23.43.12)' can't be established.
RSA key fingerprint is 3f:20:b2:bb:d1:74:c3:35:f8:2e:99:e5:74:56:12:4c.
Are you sure you want to continue connecting (yes/no)?

Typing yes causes the host's public key to be placed in ~/.ssh/known_hosts on the client. The next time the client connects, the key is read from this file and the message is not displayed. Because the client now has the public key for the host, encrypted communication is possible.

If the public key for the host changes (i.e. if a new key is generated or if the system is re-installed), SSH will issue a message stating that the key has changed, which may be a sign of a security breach, and will not let you connect. If you are certain everything is all right, simply remove the old key from ~/.ssh/known_hosts on the client and try again.
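The fingerprint in the prompt above is the MD5 of the host's public key blob, so it can be checked against a copy obtained out of band before answering "yes". The following is an added example, not part of the original article: it looks up a host in a known_hosts file, computes that fingerprint from the stored key, and removes an entry once a changed key has been confirmed legitimate. It assumes Linux coreutils (awk, sed, base64, md5sum), and the known_hosts lines are constructed samples whose key field is base64("hello") rather than a real RSA key.

```shell
#!/bin/sh
# Added example (not from the article). Linux coreutils assumed: awk, sed, base64, md5sum.
# Constructed sample known_hosts: the key field is base64("hello"), not a real
# RSA key, so its MD5 fingerprint is known in advance (real key blobs are far longer).
# Entry format: host[,ip] keytype base64-key [comment]
KNOWN_HOSTS_SAMPLE='computer.site,137.23.43.12 ssh-rsa aGVsbG8= sample-host
other.site ssh-rsa c2Vjb25k
'

# Print the key field of the first entry in FILE naming HOST (empty if none).
# Hashed entries (HashKnownHosts yes) start with "|1|" and cannot be matched
# by name this way; ssh-keygen -F handles those.
known_hosts_key() {
    awk -v h="$1" 'substr($1, 1, 1) != "|" {
        n = split($1, a, ",")
        for (i = 1; i <= n; i++) if (a[i] == h) { print $3; exit }
    }' "$2"
}

# MD5 of the decoded key blob, printed colon-separated as in the
# "RSA key fingerprint is ..." prompt (the format OpenSSH used at the time).
key_fingerprint() {
    printf '%s' "$1" | base64 -d | md5sum | cut -c1-32 | sed 's/../&:/g; s/:$//'
}

# Check HOST's stored key in FILE against a fingerprint obtained out of band
# (for example from ssh-keygen -l run on the host's own console).
# Returns 0 on match, 1 on mismatch, 2 if HOST has no entry.
verify_host_fingerprint() {
    key=$(known_hosts_key "$1" "$2")
    [ -n "$key" ] || return 2
    [ "$(key_fingerprint "$key")" = "$3" ]
}

# Drop every entry for HOST from FILE, the step the article prescribes once a
# changed host key has been confirmed legitimate (ssh-keygen -R does the same).
remove_known_host() {
    awk -v h="$1" '{
        keep = 1; n = split($1, a, ",")
        for (i = 1; i <= n; i++) if (a[i] == h) keep = 0
    } keep' "$2" > "$2.tmp" && mv "$2.tmp" "$2"
}
```

A mismatch from verify_host_fingerprint is the case the article flags as a possible breach; only a match justifies removing the stale entry and reconnecting.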


The openSSH clients

The openSSH clients are very flexible and have many options. For basic usage, however, they are relatively simple.

ssh

The ssh client has the following general syntax:

ssh [options] [user@]hostname

For example, to login to host 137.23.43.12 as user jdoe, type:

ssh jdoe@137.23.43.12

This can be simplified further. SSH automatically uses the user name of the current user on the client if none is specified. This applies to all the openSSH clients. For example, if the user is logged in as jdoe on the client, and wishes to log in as jdoe on the host the command is:

ssh 137.23.43.12

If the host key check succeeds, you are prompted to enter your password and are then presented with a console login on the remote server (see Figure 3). To close the connection, simply type 'exit'.


Figure 3: Sample ssh Session

ssh has two important flags to remember: -X and -C. Using -X enables X11 forwarding over the connection: if an X-based application is launched on the host, it appears on the client computer. The -C option causes all communication to be compressed with the gzip algorithm. This increases the processor load of both the client and host, but speeds communication. For example:

ssh -XC jdoe@137.23.43.12

sftp

The sftp client works much like any other command-line FTP client. It has the basic syntax:

sftp [options] [user@]hostname

Once connected, use the standard ftp commands such as get and put. To exit your session, type exit. Figure 4 shows a sample sftp session.


Figure 4: Sample sftp Session

scp

The scp client allows for seamlessly copying files between a client and a host computer. scp resembles the cp command in many ways. Its general syntax is:

scp [options] [[user@]host1:]file1 [...] [[user@]host2:]file2

For example, to copy the file foo from the home directory of the client user to /root/ on the host, execute:

scp ~/foo root@foo:/root/

or to do the opposite:

scp root@foo:/root/foo ~/

scp also takes the options -r and -v for recursive and verbose operation. For example, to copy the contents of /tmp/files on the host to /home/jdoe/files on the client, and display all debugging information, type:

scp -rv jdoe@137.23.43.12:/tmp/files/* /home/jdoe/files/


Configuring password-less Connections

Warning: The steps described in this section introduce security risks.

At times it is desirable to establish connections between two computers that do not require a password. With SSH, these connections are possible.

To establish password-less connections, one simply needs to tell the host that the client computer is trusted. This is done by generating a public/private key pair on the client, and then giving the public key to the host.

To do this, perform the following steps:

  1. On the client computer, generate a public/private key. Type the following as the user you intend to connect from:

    ssh-keygen -t rsa -b 1024

    1. You are prompted for a location to save the key to. Press enter to accept the default location (~/.ssh/id_rsa).

    2. You are prompted for a passphrase. Press enter twice for none.

    3. Your private key is saved to ~/.ssh/id_rsa, and your public key is saved to ~/.ssh/id_rsa.pub.

  2. Type the following to copy your public key to the host computer:

    ssh-copy-id -i ~/.ssh/id_rsa.pub user@hostcomputer

    After you enter your password, the client's public key is appended to ~/.ssh/authorized_keys on the host. You are then logged out.

    You can add the client's public key to any user you wish on the host. The current user on the client can then connect as any user on the host which has this public key.

  3. Now, ssh into the host computer again. You are immediately presented with the command prompt, without being prompted for a password. If your client's key is ever changed, you will need to replace the old public key in .ssh/authorized_keys on the host with the new key from the client.
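When step 3 still asks for a password, the usual causes are a key line that was not appended (or appended twice) and directory or file modes that make sshd ignore authorized_keys: with StrictModes yes, its default, sshd refuses the file if the home directory, ~/.ssh or authorized_keys is group- or world-writable. The following is an added example, not part of the article or of openSSH: it installs a key the way ssh-copy-id does and audits those modes offline. It assumes GNU stat, and HOME_DIR stands in for the target user's home directory on the host; the public key line is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the article). Linux coreutils assumed (GNU stat).
# HOME_DIR stands in for the target user's home directory on the host.
# Constructed sample line in id_rsa.pub format; the key material is a
# placeholder, not a real key.
SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAAPLACEHOLDERKEY== jdoe@client'

# Append PUBKEY to HOME_DIR/.ssh/authorized_keys unless the exact line is
# already there (this is what ssh-copy-id does), creating the directory and
# file with the modes sshd expects.
install_authorized_key() {
    home_dir=$1; pubkey=$2
    mkdir -p "$home_dir/.ssh" && chmod 700 "$home_dir/.ssh"
    touch "$home_dir/.ssh/authorized_keys" && chmod 600 "$home_dir/.ssh/authorized_keys"
    grep -qxF "$pubkey" "$home_dir/.ssh/authorized_keys" ||
        printf '%s\n' "$pubkey" >> "$home_dir/.ssh/authorized_keys"
}

# Number of lines in authorized_keys equal to PUBKEY (1 after a correct install).
count_authorized_key() {
    grep -cxF "$2" "$1/.ssh/authorized_keys"
}

# Print "ok" when the home directory, .ssh and authorized_keys exist and none
# of them is group- or world-writable, which is what sshd checks with
# StrictModes yes (the default) before it will use the file; otherwise list
# the problems. A failed check shows up only as an unexpected password prompt.
audit_authorized_keys() {
    home_dir=$1; problems=""
    for p in "$home_dir" "$home_dir/.ssh" "$home_dir/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then problems="$problems missing:$p"; continue; fi
        m=$(stat -c %a "$p"); last2=${m#"${m%??}"}   # group and other digits
        case $last2 in
            [2367]?|?[2367]) problems="$problems writable-by-others:$p";;
        esac
    done
    if [ -z "$problems" ]; then echo ok; else echo "$problems"; fi
}
```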






This portal is approved by Novell Polska.
All materials concerning Novell products are published with the consent of Novell Polska.
NetWare is a registered trademark of Novell Inc. in the United States and other countries.
Windows is a trademark or a registered trademark of Microsoft Corporation in the United States and other countries.
Sybase is a registered trademark of Sybase Inc. in the United States of America.
Other company and product names are trademarks or registered trademarks of their respective owners.