SSH on Linux
TCP 3-Way Handshake (SYNchronize and ACKnowledge)
1. Client sends a TCP SYN
2. Server sends SYN-ACK
3. Client sends ACK
TCP socket ESTABLISHED.

SESSION STEPS
1. Client initiates TCP handshake with the server,
2. They trade ssh versions,
3. They negotiate a cipher, or fail,
4. Server sends its public host key, which the client accepts, or fail,
5. Symmetric Session Key generation stage
   (Diffie-Hellman algorithm used)
   a. Both agree on a Seed: large prime number
   b. Both agree on a Cipher: AES
   c. Each chooses a Secret: large prime number
   d. Each creates a Generator Public key (using Seed, Cipher, and Secret)
   e. Each trades their Generator Public keys.
   f. A Symmetric Session Key is generated by each
      using 1) Their own Seed
            2) Their own Generator private key
            3) The other's Generator Public key
   The Symmetric Session Key is used, but never transferred.
   The Symmetric Session Key encrypts all session traffic.
6. Begin authentication stage
   1. Client sends the ID for the keypair
   2. Server finds the matching public key for the ID
   3. Server sends a Number encrypted with the public key
   4. Client decrypts the message.
   5. Client calculates md5 of the decrypted Number, with the session key.
   6. Client sends the MD5 to the server.
   7. Server calculates md5 from the Number, with the session key.
   If the md5's match, the client is authenticated.
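The point of the key generation stage above (step 5) is that both ends compute the same session key from their own secret plus the other side's public value, and the key itself never crosses the wire. The script below is an added illustration, not part of the original notes: it runs textbook finite-field Diffie-Hellman with constructed toy numbers (prime p=23, generator g=5, and a small random exponent as each side's secret). Real SSH uses primes of thousands of bits and random secrets, and these values are only for showing the arithmetic.

```shell
#!/bin/sh
# Added example: toy Diffie-Hellman exchange in POSIX sh arithmetic.
# Numbers are constructed and far too small for any real use.

# modpow BASE EXP MOD: prints BASE^EXP mod MOD by square-and-multiply,
# so intermediate values never exceed MOD^2 and fit in shell integers.
modpow() {
    base=$1; exp=$2; mod=$3; result=1
    base=$((base % mod))
    while [ "$exp" -gt 0 ]; do
        if [ $((exp % 2)) -eq 1 ]; then
            result=$(( (result * base) % mod ))
        fi
        exp=$((exp / 2))
        base=$(( (base * base) % mod ))
    done
    echo "$result"
}

# dh_demo P G A B
#   P = the agreed prime (the "Seed" in the notes above), G = generator,
#   A = client's private secret, B = server's private secret.
# Prints "client_pub server_pub client_shared server_shared".
# Only client_pub and server_pub would be sent over the network.
dh_demo() {
    p=$1; g=$2; a=$3; b=$4
    client_pub=$(modpow "$g" "$a" "$p")          # client sends g^a mod p
    server_pub=$(modpow "$g" "$b" "$p")          # server sends g^b mod p
    client_shared=$(modpow "$server_pub" "$a" "$p")   # client: (g^b)^a mod p
    server_shared=$(modpow "$client_pub" "$b" "$p")   # server: (g^a)^b mod p
    echo "$client_pub $server_pub $client_shared $server_shared"
}

# Usage (constructed values):
#   dh_demo 23 5 6 15
# prints "8 19 2 2": the public values 8 and 19 cross the wire,
# both sides independently arrive at the shared key 2.
```

An eavesdropper who captures both public values still has to solve the discrete logarithm to recover either secret, which is what makes the derived key safe to use for the rest of the session.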


This is an absolutely bare-bones description, but it should work.
  1. Get ssh.
  2. Save it to your download directory.
    (i.e. /usr/local/download/)
  3. Un-pack:
      type tar -zxvpf /usr/local/download/ssh.tgz
      cd into the new ssh dir.
  4. Build SSH:
        ./configure
        make
        su
        make install
        exit
  5. Start the daemon:
        /usr/local/sbin/sshd
        ps -ef |grep sshd
      Do you see sshd?
      If you see sshd, put it in your startup scripts.
        vi /etc/rc.d/init.d/sshd
        sample sshd
        ln -s /etc/rc.d/init.d/sshd /etc/rc.d/rc5.d/S70sshd
  6. Make the keys for a user:
      login as a regular user
        ssh-keygen
      Press enter when prompted for passwd
      Press enter, accepting all default locations (/home/user/.ssh/identity.pub)
  7. Make a directory to store remote users public keys
        mkdir /home/user/.ssh/pubkeys

    Do the same steps on a remote machine.

  8. Setup SSH such that it does not ask for a password when you connect:
    1. Get the public key from the remote system.
        scp user@remote_host.com:/home/user/.ssh/identity.pub /home/user/.ssh/pubkeys/remote1.pub -v
        Enter remote user account passwd.
    2. Let remote user connect without a passwd by adding their identity.pub to your authorized_keys
        cat /home/user/.ssh/pubkeys/remote1.pub >> /home/user/.ssh/authorized_keys
    3. The .ssh directory and contents must not be group or other writable
        chmod 600 /home/user/.ssh/*
        chmod 644 /home/user/.ssh/identity.pub /home/user/.ssh/authorized_keys
        chmod 700 /home/user/.ssh/pubkeys
    4. Put the local user's public key in the remote user's pubkeys directory.
        scp /home/user/.ssh/identity.pub user@remote_host.com:/home/user/.ssh/pubkeys/remote2.pub -v
    5. SSH to the remote machine
        ssh remote_host.com -v
        Enter remote user account passwd.
    6. Let the local user connect to remote machine without a passwd
        cat /home/user/.ssh/pubkeys/remote2.pub >> /home/user/.ssh/authorized_keys
        exit
    7. The .ssh directory and contents must not be group or other writable
        chmod 600 /home/user/.ssh/*
        chmod 644 /home/user/.ssh/identity.pub /home/user/.ssh/authorized_keys
        chmod 700 /home/user/.ssh/pubkeys
        ls -laF /home/user/.ssh/
          -rw-r--r--    1 user  user  1032 Jul 26 22:07  authorized_keys
          -rw-------    1 user  user   542 Dec  7 1999  identity
          -rw-r--r--    1 user  user   347 Jul  6 13:49  identity.pub
          -rw-------    1 user  user   666 Jul 28 00:34  known_hosts
          -rw-------    1 user  user   512 Aug  9 20:59  random_seed
          drwx------    1 user  user  4096 Dec  7 1999  pubkeys/
    8. Test if it worked
        ssh remote_host.com -v
    If all went well, you were not prompted for a passwd.
  9. Use PAM to restrict ssh access on a per user basis
    1. Add this line to top of /etc/pam.d/sshd
        auth required /lib/security/pam_listfile.so item=user sense=allow file=/etc/ssh/pam.sshd onerr=fail
    2. Create the file /etc/ssh/pam.sshd
             # List of users that may log in via ssh daemon
             root
             joe_user
  10. With this new ssh2 stuff I had to learn about the authorized_keys2, id_rsa, and id_dsa.
    1. Log into your workstation as joe_user, and generate your workstation keys.
         ssh-keygen -t dsa
         ssh-keygen -t rsa
    2. # make a repository for your pub-keys on the remote_server, and copy your workstation pub-keys over.
        ssh remote_server -t "mkdir ~/.ssh/pubkeys"
        scp ~/.ssh/id_rsa.pub joe_user@remote_server:~/.ssh/pubkeys/workstation.id_rsa.pub
        scp ~/.ssh/id_dsa.pub joe_user@remote_server:~/.ssh/pubkeys/workstation.id_dsa.pub
    3. # now perform the key exchange
        ssh remote_server -t "cat ~/.ssh/pubkeys/workstation.id_rsa.pub >> ~/.ssh/authorized_keys2"
        ssh remote_server -t "cat ~/.ssh/pubkeys/workstation.id_dsa.pub >> ~/.ssh/authorized_keys2"
    4. # If the permissions are not correct, the crypto will not work (ssh is strict)
        ssh remote_server -t "chmod 600 ~/.ssh/authorized_keys2"
    5. test it
        ssh remote_server -v
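Steps 8 and 10 both come down to two things: the key must end up in authorized_keys exactly once, and nothing under .ssh may be group or other writable, or sshd silently falls back to a password prompt. The script below is an added example (not from the original notes) that checks a .ssh directory for the write bits the notes warn about, applies the notes' chmod rules, and appends a public key only if it is not already present. It assumes GNU coreutils (stat -c), which is the case on Linux; the directory and key file names are whatever you pass in.

```shell
#!/bin/sh
# Added example: find and repair the ~/.ssh permission problems that break
# passwordless login, and add an authorized key idempotently.
# Assumes GNU stat (-c '%a' prints the octal mode).

# ssh_perm_problems DIR
# Prints one line per problem: DIR itself not mode 700, or any entry in DIR
# that is group- or other-writable. Returns 1 if anything was reported.
ssh_perm_problems() {
    dir=$1; bad=0
    if [ "$(stat -c '%a' "$dir")" != "700" ]; then
        echo "$dir: mode $(stat -c '%a' "$dir"), want 700"; bad=1
    fi
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        mode=$(stat -c '%a' "$f")
        # last two octal digits are group and other; bit 2 is the write bit
        grp=$(( (mode / 10) % 10 )); oth=$(( mode % 10 ))
        if [ $(( grp & 2 )) -ne 0 ] || [ $(( oth & 2 )) -ne 0 ]; then
            echo "$f: mode $mode is group/other writable"; bad=1
        fi
    done
    return $bad
}

# ssh_fix_perms DIR
# Applies the rules from steps 8 and 10: directory 700, private files 600,
# public keys and authorized_keys* 644, pubkeys/ subdirectory 700.
ssh_fix_perms() {
    dir=$1
    chmod 700 "$dir"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$f" in
            *.pub|*/authorized_keys|*/authorized_keys2) chmod 644 "$f" ;;
            *) chmod 600 "$f" ;;
        esac
    done
    [ -d "$dir/pubkeys" ] && chmod 700 "$dir/pubkeys"
    return 0
}

# add_authorized_key DIR PUBKEYFILE
# Appends the single-line public key in PUBKEYFILE to DIR/authorized_keys
# unless an identical line is already there (so repeating step 8.2 or 10.3
# does not produce duplicates). Prints "added" or "already present".
add_authorized_key() {
    dir=$1; key=$(cat "$2")
    touch "$dir/authorized_keys"
    if grep -qxF -- "$key" "$dir/authorized_keys"; then
        echo "already present"
    else
        printf '%s\n' "$key" >> "$dir/authorized_keys"
        echo "added"
    fi
    chmod 644 "$dir/authorized_keys"
}

# Usage, after copying remote1.pub into ~/.ssh/pubkeys as in step 8:
#   ssh_perm_problems "$HOME/.ssh" || ssh_fix_perms "$HOME/.ssh"
#   add_authorized_key "$HOME/.ssh" "$HOME/.ssh/pubkeys/remote1.pub"
```

Running ssh_perm_problems before ssh -v is a quicker diagnosis than reading the verbose client output, because the client only sees the server decline the key, not why.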
  11. BLOCK SSH ROOT DICTIONARY ATTACK: Stop script kiddies from dictionary attacking your root password:
      You have 3 choices:
      1. Block root login via sshd_config
      2. Block root login via PAM
      3. Limit number of login attempts over a time range
    1. Limit Login Attempts via iptables rule:
         # SSH in from anywhere, logged at most 1 per minute. Note: this rule only LOGs the
         # matching SYNs; a matching -j DROP rule is needed to actually block the brute force attack
         iptables -A INPUT -p tcp -s $ANY -d $PUBIP --dport 22 --syn -m limit --limit 1/minute -j LOG --log-prefix ' SSH ATTEMPT: '
    2. Block Root Login via sshd_config
      Uncomment or add this line to /etc/ssh/sshd_config:
         PermitRootLogin no
    3. Block root login via PAM
      Method 1: Make PAM allow only a specific list of users (sense=allow: a user not in the file is refused)
        Add this line to the top of /etc/pam.d/ssh
        auth required /lib/security/pam_listfile.so item=user sense=allow file=/etc/ssh/pam.sshd onerr=fail
      Method 2: Make PAM block a specific list of users (sense=deny: a user in the file is refused)
        Add this line to the top of /etc/pam.d/ssh
        auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ssh/pam.sshd onerr=succeed
      Both methods require a file containing a list of users, one per line:
        /etc/ssh/pam.sshd
  12. Tunnel vnc (or any other protocol) through a firewall with ssh:

       -----------       ----------     -------------------------    |--->vncserver1
      | WinClient |--->(( internet ))-->| firewall accepting ssh |-->|--->vncserver2
       -----------       ----------     -------------------------    |--->vncserver3
      One must have:
    1. A computer with ssh and vncviewer at home,
    2. A ssh daemon on the remote firewall,
    3. A vncserver on system behind the firewall.

      The pc at home connects to the ssh daemon on the firewall, and
      tunnels are formed with -L LocalPort:host_behind_firewall:RemotePort
      to tunnel the vnc connection to servers running vnc on your private network.

      Run uservnc.bat, and then try to open the vnc connection to localhost:5901 through :5903.
      ssh -C -l firewall_user_account -L 5901:ip_of_vncserver1:5900 -L 5902:ip_of_vncserver2:5900 -L 5903:ip_of_vncserver3:5900 ip_of_the_firewall
  13. Tunnel nfs over ssh via local ports: Reference

    1. On the server: Create a share that only local host can mount
      cat /etc/exports
      /data/music 192.168.0.10(rw,insecure,all_squash,anonuid=99,anongid=55)
      exportfs -a
    2. On the client: 1. Set nfs_server IP, 2. Get server ports, 3. Create tunnel for nfs and mount, 4. Mount
      nfs_server=192.168.0.10
      rpcinfo -p $nfs_server |egrep 'nfs|mount' # nfs usually 2049, but mount port changes (mine is 958)
      ssh -l jstile -f -c blowfish -L 2818:$nfs_server:2049 -L 3045:$nfs_server:958 $nfs_server /bin/sleep 86400
      mount -t nfs -o soft,timeo=6000,tcp,port=2818,mountport=3045,nfsvers=3 localhost:/data/music /home/jstile/tmp
      xmms /home/jstile/tmp/*.mp3
      Stick this in the client's /etc/fstab:
      localhost:/opt/export/users /mnt/nfs/sshmount nfs tcp,rsize=8192,wsize=8192,intr,rw,bg,nosuid,port=2818,mountport=3045,noauto
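The fragile part of step 13 is the mountd port: nfs is almost always 2049, but mountd is assigned by the portmapper and changes between boots, so a hard-coded 958 in the ssh -L line stops working after a server reboot. The script below is an added example (not from the original notes) that parses rpcinfo -p output with awk to pick out the v3/tcp ports for nfs and mountd, then builds the ssh tunnel and mount commands from them. The rpcinfo text in the script is constructed to look like real output; the user, server, export and mount point are the notes' own values. The -c blowfish option from the notes is omitted because current OpenSSH releases no longer ship that cipher.

```shell
#!/bin/sh
# Added example: derive the nfs/mountd ports for an ssh-tunnelled NFS mount
# from rpcinfo -p output instead of hard-coding them.

# Constructed sample of `rpcinfo -p 192.168.0.10` output (same layout as the
# real tool: program, version, protocol, port, service).
RPCINFO_SAMPLE='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100003    3   tcp   2049  nfs
    100003    3   udp   2049  nfs
    100005    3   udp    927  mountd
    100005    3   tcp    958  mountd'

# rpc_port SERVICE VERSION PROTO
# Reads rpcinfo -p text on stdin and prints the first matching port.
rpc_port() {
    awk -v svc="$1" -v vers="$2" -v proto="$3" \
        '$5 == svc && $2 == vers && $3 == proto { print $4; exit }'
}

# nfs_tunnel_cmd USER SERVER NFS_LOCAL MOUNT_LOCAL
# Reads rpcinfo -p text on stdin and prints the ssh command that forwards
# NFS_LOCAL and MOUNT_LOCAL on localhost to the server's nfs and mountd
# tcp ports. Fails if either service is not registered with the portmapper.
nfs_tunnel_cmd() {
    user=$1; server=$2; nfs_local=$3; mount_local=$4
    text=$(cat)
    nfs_port=$(printf '%s\n' "$text" | rpc_port nfs 3 tcp)
    mount_port=$(printf '%s\n' "$text" | rpc_port mountd 3 tcp)
    if [ -z "$nfs_port" ] || [ -z "$mount_port" ]; then
        echo "nfs or mountd (v3, tcp) not registered with the portmapper" >&2
        return 1
    fi
    printf 'ssh -l %s -f -L %s:%s:%s -L %s:%s:%s %s /bin/sleep 86400\n' \
        "$user" "$nfs_local" "$server" "$nfs_port" \
        "$mount_local" "$server" "$mount_port" "$server"
}

# nfs_mount_cmd NFS_LOCAL MOUNT_LOCAL EXPORT MOUNTPOINT
# Prints the matching mount command: port= is the forwarded nfs port,
# mountport= the forwarded mountd port, both on localhost.
nfs_mount_cmd() {
    printf 'mount -t nfs -o soft,timeo=6000,tcp,port=%s,mountport=%s,nfsvers=3 localhost:%s %s\n' \
        "$1" "$2" "$3" "$4"
}

# Usage against a live server (run the printed commands with eval or by hand):
#   nfs_server=192.168.0.10
#   rpcinfo -p $nfs_server | nfs_tunnel_cmd jstile $nfs_server 2818 3045
#   nfs_mount_cmd 2818 3045 /data/music /home/jstile/tmp
# With RPCINFO_SAMPLE the first line prints
#   ssh -l jstile -f -L 2818:192.168.0.10:2049 -L 3045:192.168.0.10:958 192.168.0.10 /bin/sleep 86400
```

Because the fstab line in step 13 bakes in port=2818 and mountport=3045 on localhost, only the ssh -L line needs regenerating when mountd moves; the client-side numbers stay fixed.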

-------------------------------------------------------
Extra Notes:
-------------------------------------------------------

SSHFS:
Instead of nfs or smb, use ssh. You don't need to copy a file locally before using it.
See SSH Filesystem
# add user to group fuse (USERNAME is a placeholder for the account)
usermod -a -G fuse USERNAME
# HOST is a placeholder for the server; mount_my_server_name is the local mount point
sshfs root@HOST: mount_my_server_name

KDE's fish:
Open konqueror, and in the URL type fish://root@HOST (HOST being the server to connect to)
Transferring files is just a drag and drop over ssh, from a linux desktop.

Thank you Soren Curry for figuring out the permission problem.

Thank you Soren!!! Now the passwordless connection works!!!!
He found that permissions will make the passwordless connection fail
The .ssh directory and contents must not be group and other writable

Command syntax examples:
1. Copy the public_html directory from your computer to your home directory on the server.
 scp -r c:\public_html remote_user_name@server_ip_or_name:~/

2. Copy the public_html directory from the server to your local computer.
 scp -r remote_user_name@server_ip_or_name:~/public_html C:\

3. Copy the public_html directory from one server to another server, from remote.
 scp -r remote_user_name@server1:~/public_html remote_user_name@server2:~/

Replacing the machine's keys:
(/etc/ssh_host_key and /etc/ssh_host_key.pub)
Type ssh-keygen -f /etc/ssh_host_key -N ''
Remove any entries for this host from all users' ~/.ssh/known_hosts

SSH for Windows:
Free SSHD1 for windows
See PUTTY
Free, resizable window, ssh and scp, highlight text then right click to paste,
don't need to install to run it.
See Ixplorer: GUI for pscp
Thank you Chris Martial for telling me about ixplorer.
See WinSCP: GUI for pscp
See WebDAV module for Apache: enable secure ftp via DreamWeaver Client

SSH for Mac:
See SSH client for Mac
See NiftyTelnet
Free xterminal that can ssh, now it can be used in the USA :)
Van Dyke has the next wave
GUI for Linux OpenSSH GUI


Net::SSH::Perl
install rpm package 'gmp'
perl -MCPAN -e 'install Net::SSH::Perl'
--------
Protocol
--------
[1] SSH1
[2] SSH2
[3] Both SSH1 and SSH2

Which protocol(s) do you plan to use? [3] 3
--------
cipher
--------
(Crypt::IDEA is the default).

[1] IDEA
[2] DES
[3] DES3
[4] Blowfish
[5] RC4

Enter your choices, separated by spaces: [1]
-----------
Optional
-----------
Checking for optional modules