SSH Operation The Swiss Army Knife of encryption tools…
SSH Features • Command line terminal connection tool • Replacement for rsh, rcp, telnet, and others • All traffic encrypted • Both ends authenticate themselves to the other end • Ability to carry and encrypt non-terminal traffic
Brief History • SSH.com's SSH1, originally completely free with source code, then license changed with version 1.2.13 • SSH.com's SSH2, originally only commercial, but now free for some uses. • OpenSSH team took the last free SSH1 release, refixed bugs, added features, and added support for the SSH2 protocol.
Installation • OpenSSH is included with a number of Linux distributions, and available for a large number of Unices • On RPM-based Linuxes: • rpm -Uvh openssh*.rpm
Basic use • ssh SshServerName • ssh -l UserName SshServerName • ssh SshServerName CommandToRun • ssh -v SshServerName (verbose: shows what client and server negotiate, useful when authentication fails) • Server host key check: on the first connection ssh shows the server's host key fingerprint and asks you to accept it; the key is then saved in ~/.ssh/known_hosts and later connections warn loudly and refuse password authentication if the key changes. Verify the fingerprint out of band before accepting it, since an attacker in the path can present their own key. • Uses your normal login password on the server • And if we need to encrypt other traffic?
Port Forwarding - real server on remote machine • I want to listen on port 5110 on this machine; all packets arriving here get sent to mailserver, port 110: • ssh -L 5110:mailserver:110 mailserver • The listener binds to this machine's loopback interface only unless -g is given, so other hosts cannot ride the tunnel. The connection to port 110 is made by the ssh server on mailserver, so only the hop from here to mailserver is encrypted.
Port Forwarding - real server on this machine • All web traffic to my firewall should be redirected to the web server running on port 8000 on my machine instead: • ssh -R 80:MyMachine:8000 firewall • Binding port 80 on the firewall requires the ssh login on firewall to be root, and the remote listener stays on the firewall's loopback interface unless sshd's GatewayPorts option is enabled there. MyMachine is resolved on this machine (the ssh client), so localhost works just as well.
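The two forwarding slides describe the same machine: something accepts connections on one address and relays every byte to a target, with ssh carrying the bytes inside the encrypted session and making the outbound connection from the far end. The following is an added example, not code from the original slides or from OpenSSH: a plain-TCP relay that shows the -L topology (for -R the same relay simply runs on the remote side). The echo server standing in for the POP3 service, the payload, and the 127.0.0.1 binding are constructed assumptions; like ssh -L without -g, the listener binds to loopback only.

```python
"""Plain-TCP stand-in for the listener side of ssh -L: accept on one address,
connect to the target, and pump bytes both ways (no encryption here)."""
import socket
import threading


def _pump(src, dst):
    """Copy src -> dst until src sends EOF, then propagate the half-close."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _relay(client, target):
    """Connect to target for one accepted client and relay in both directions."""
    try:
        upstream = socket.create_connection(target, timeout=5)
    except OSError:
        client.close()          # target unreachable: drop the client, as ssh would
        return
    upstream.settimeout(None)
    back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
    back.start()
    _pump(client, upstream)
    back.join()
    client.close()
    upstream.close()


def _listener(bind, handler):
    """Accept loop shared by the forwarder and the stand-in service.
    Returns (bound_port, stop) where stop() shuts the listener down."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(bind)
    srv.listen(16)
    srv.settimeout(0.2)         # lets the accept loop notice stop()
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop.set


def start_forwarder(bind, target):
    """ssh -L equivalent: listen on bind=(host, port), relay to target=(host, port)."""
    return _listener(bind, lambda conn: _relay(conn, target))


def _echo(conn):
    """Constructed stand-in for the real service (e.g. POP3 on mailserver:110)."""
    with conn:
        while True:
            data = conn.recv(4096)
            if not data:
                break
            conn.sendall(data)


def demo(payload=b"USER wstearns\r\n"):
    """Talk to the 'mail server' only through the local forwarder, as a mail
    client pointed at localhost:5110 would, and return what came back."""
    svc_port, stop_svc = _listener(("127.0.0.1", 0), _echo)
    fwd_port, stop_fwd = start_forwarder(("127.0.0.1", 0), ("127.0.0.1", svc_port))
    with socket.create_connection(("127.0.0.1", fwd_port), timeout=5) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        got = b""
        while True:
            chunk = c.recv(4096)
            if not chunk:
                break
            got += chunk
    stop_fwd()
    stop_svc()
    return got


if __name__ == "__main__":
    print(demo())
```

The half-close handling in _pump is what makes the relay transparent: when either side finishes sending, the other side sees EOF at the right moment instead of a hung connection, which is also why a forwarded POP3 or HTTP session ends cleanly through ssh.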
X Window System forwarding • Run the X application in the terminal window: • xclock & • The screen display shows up on your computer, and any keystrokes and mouse movements are sent back, all encrypted. • Current OpenSSH disables this by default (ForwardX11 no on the client, X11Forwarding no in sshd_config): start the session with ssh -X, and the server must permit X11 forwarding.
Securely copying files • scp • scp -p localfile remotemachine:/remotepath/file • Prompts for authentication if needed • All traffic encrypted • Replaces ftp, rcp, file sharing
SSH key background • Old way: a (hashed) password is stored on the server, and the password the user types is compared to it. • New way: the private key is kept on the client, protected by a passphrase; the public key is stored on the server (~/.ssh/authorized_keys). The server challenges the client to prove it holds the private key, so no reusable secret is sent over the wire.
SSH key creation • General command: • ssh-keygen -b 1024 -C 'Comment' -f ~/.ssh/identity_file • (-C sets the comment; lower-case -c changes the comment of an existing key.) • Different forms for each of the SSH flavors • 1024-bit keys are too short by current standards: use ssh-keygen -t ed25519, or -b 3072 or more for RSA. • Assign a hard-to-guess passphrase to the private key during creation. • Key can be used for multiple servers
SSH key installation • 3 versions of ssh: interoperability is good, but poorly documented • ssh-keyinstall utility automates the creation and installation • 'ssh-keyinstall -s SshServerName' creates keys, if needed, and installs them on the remote server • Need password during key install only
Using SSH keys • ssh SshServerName • ssh -l UserName SshServerName • ssh SshServerName CommandToRun • ssh -v SshServerName
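Both the host key check on the basic-use slide and the key installation step above come down to the same file format: a line of "keytype base64-blob [comment]", in known_hosts with a hostname in front and in authorized_keys as-is. The following is an added example, not code from the slides or from ssh-keyinstall or OpenSSH. It parses such lines, checks that the key type embedded in the blob matches the declared type, computes the SHA256 fingerprint the host key prompt shows, looks a host up in known_hosts, and appends a key to authorized_keys only if it is not already there. The sample key blob, host names and file contents are constructed; the 32 key bytes are arbitrary, not a real key.

```python
"""Parse OpenSSH public key lines, fingerprint them, check known_hosts
entries, and install keys into authorized_keys without duplicates."""
import base64
import hashlib
import struct


def decode_key_blob(blob_b64):
    """Base64-decode a public key blob and return (embedded_type, raw_blob).
    The blob is RFC 4253 wire format: a length-prefixed key type string
    followed by type-specific fields; only the type is read here."""
    blob = base64.b64decode(blob_b64, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if n > len(blob) - 4:
        raise ValueError("truncated key blob")
    return blob[4:4 + n].decode("ascii"), blob


def parse_pubkey_line(line):
    """Parse 'keytype base64blob [comment]' (id_*.pub / authorized_keys format).
    A mismatch between the declared and embedded key type is rejected."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected 'keytype base64 [comment]'")
    declared, blob_b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    embedded, blob = decode_key_blob(blob_b64)
    if embedded != declared:
        raise ValueError(f"key type mismatch: line says {declared}, blob says {embedded}")
    return declared, blob, comment


def fingerprint(blob):
    """SHA256 fingerprint as OpenSSH prints it (ssh-keygen -l and the
    host key prompt): base64 of the digest with '=' padding removed."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def known_host_fingerprints(known_hosts_text, host):
    """Map key type -> fingerprint for plain-text known_hosts lines naming host.
    Hashed hostnames (|1|...) and wildcard patterns are not expanded here;
    @cert-authority / @revoked marker lines are skipped."""
    found = {}
    for raw in known_hosts_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        hosts, rest = line.split(None, 1)
        if host in hosts.split(","):
            keytype, blob, _ = parse_pubkey_line(rest)
            found[keytype] = fingerprint(blob)
    return found


def add_authorized_key(authorized_keys_text, pubkey_line):
    """Return (new_text, added). The key is appended only if its blob is not
    already present, so re-running the install is safe."""
    keytype, blob, comment = parse_pubkey_line(pubkey_line)
    blob_b64 = base64.b64encode(blob).decode("ascii")
    for existing in authorized_keys_text.splitlines():
        # lines may start with options (from=, command=); the blob is still one token
        if blob_b64 in existing.split():
            return authorized_keys_text, False
    if authorized_keys_text and not authorized_keys_text.endswith("\n"):
        authorized_keys_text += "\n"
    new_line = f"{keytype} {blob_b64} {comment}".rstrip()
    return authorized_keys_text + new_line + "\n", True


# Constructed sample: an ed25519-shaped blob (type string + 32 arbitrary bytes).
SAMPLE_BLOB = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
SAMPLE_PUB = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode("ascii") + " wstearns@example"
SAMPLE_KNOWN_HOSTS = "# constructed known_hosts\nmailserver,192.0.2.10 " + SAMPLE_PUB + "\n"


def demo():
    """Compare what a host key prompt would show against known_hosts, then
    install the same public key twice and show the second install is a no-op."""
    prompt_fp = fingerprint(SAMPLE_BLOB)
    on_file = known_host_fingerprints(SAMPLE_KNOWN_HOSTS, "mailserver")
    matches = on_file.get("ssh-ed25519") == prompt_fp
    text, added_first = add_authorized_key("", SAMPLE_PUB)
    text, added_again = add_authorized_key(text, SAMPLE_PUB)
    return matches, added_first, added_again, text.count("\n")


if __name__ == "__main__":
    print(demo())
```

The type-mismatch check matters for hand-edited files: a line that says ssh-rsa in front of an ed25519 blob is rejected rather than silently installed, and the fingerprint is computed over the raw blob exactly as ssh-keygen -l does, so it can be compared with what the server administrator publishes.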
ssh-agent • Remembers your private key(s) • Other applications can ask ssh-agent to authenticate you automatically. • Unattended remote sessions. • ssh-agent bash • ssh-agent startx • eval `ssh-agent` #Less preferred • ssh-add [KeyName]
Fanout • Runs command on multiple machines by opening separate ssh session to each • fanout 'machine1 machine2 user@machine3' 'command params' • Gives organized output from each machine
Fanterm – live control of multiple machines • Fanterm provides interactive control of multiple remote systems. • Initial window receives keystrokes. • Keystrokes sent to each remote system. • Output from each system shows up in a separate terminal.
File synchronization - Rsync • Rsync copies a tree of files from a master out to a copy on another machine. • Can use ssh as its transport. • rsync -azv -e ssh /home/wstearns/webtree/ mirror.stearns.org:/home/web/ • The colon after the host name is what makes the destination remote; without it rsync treats mirror.stearns.org/home/web/ as a local path. The trailing slash on the source copies the contents of webtree rather than the directory itself.
Rsync-backup • Rsync-backup automates the process of backing up machines with rsync and ssh. • Features: • Only changed data shipped • All permissions preserved • All communication encrypted • Unlimited snapshots • Server disk use at most roughly 2x to 4x the combined capacity of the clients
Rsync-backup client install • Install ssh, rsync, and rsync-backup-client rpms (see http://www.stearns.org ) • Install ssh-keyinstall on client to create a backup key with • ssh-keyinstall -s backupserver -u root -c /usr/sbin/rsync-backup-server
Rsync-backup server install • Install ssh, freedups, rsync-static, and rsync-backup-server rpms • Turn off password authentication in /etc/ssh/sshd_config (PasswordAuthentication no), so that only the installed keys can log in to the backup server
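Turning password authentication off is easy to get wrong because of how sshd reads its configuration: for each keyword the first value in the file wins, so a "PasswordAuthentication no" appended below a distribution's "PasswordAuthentication yes" has no effect, and values inside a Match block apply only to that block. The following is an added example, not code from the slides or from OpenSSH: a small checker that applies those rules to a configuration and reports whether password logins are still possible, also treating keyboard-interactive authentication as a password path, since PAM uses it to ask for a password. The sample configurations are constructed; on a real server, sshd -T prints the effective values and is the authoritative check.

```python
"""Evaluate sshd_config the way sshd does for the options that decide whether
a password can still log in: first value wins, Match blocks are conditional."""

# Compiled-in sshd defaults for the options checked here (all "yes").
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
}
# ChallengeResponseAuthentication is the older name for the same option.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def _canonical(keyword):
    key = keyword.lower()
    return ALIASES.get(key, key)


def parse_global_section(config_text):
    """Return {keyword: first_value} for the part of the file before any Match line.
    Keywords and their arguments are separated by whitespace (the '=' form is
    not handled by this simplified parser)."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = _canonical(parts[0])
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break                        # everything after the first Match is conditional
        seen.setdefault(key, value)      # first occurrence wins, as in sshd
    return seen


def effective(config_text, keyword):
    """Value sshd will use globally for keyword, falling back to its default."""
    key = _canonical(keyword)
    return parse_global_section(config_text).get(key, DEFAULTS.get(key))


def password_logins_possible(config_text):
    """True if either password path is still enabled in the global section."""
    return (effective(config_text, "PasswordAuthentication") != "no"
            or effective(config_text, "KbdInteractiveAuthentication") != "no")


# Constructed: the distribution default was left in place and "no" was appended.
APPENDED_BUT_INEFFECTIVE = """
PasswordAuthentication yes
ChallengeResponseAuthentication no
# added later by the admin; sshd ignores it because a value was already set
PasswordAuthentication no
"""

# Constructed: corrected file, with a Match block that does not leak globally.
FIXED = """
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""


if __name__ == "__main__":
    for name, cfg in (("appended", APPENDED_BUT_INEFFECTIVE), ("fixed", FIXED)):
        print(name, "password logins possible:", password_logins_possible(cfg))
```

Because the rule is first-value-wins, the reliable edit is to change the existing PasswordAuthentication line in place (or remove it) rather than append a new one, and to confirm with sshd -T after restarting.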
Rsync-backup examples • Examples of backup commands: • rsync-backup-client / root@backupserver:/ • rsync-backup-client /usr /home/gbk root@backupserver:/
Links and references • http://www.ssh.com • http://www.openssh.org • SSH, The Secure Shell, The Definitive Guide • ssh-keyinstall, fanout, rsync-backup, freedups and other apps at http://www.stearns.org/
More links • Docs at http://www.stearns.org/doc/ • http://www.employees.org/~satch/ssh/faq/ssh-faq.html • http://rsync.samba.org • William Stearns email@example.com