SSH on Linux
TCP SYN-ACK 3-Way (SYNchronize and ACKnowledge) 1. Client sends a TCP SYN 2. Server sends SYN-ACK 3. Client sends ACk TCP socket ESTABLISHED. SESSION STEPS 1. Client initiates TCP handshake with the server, 2. They trade ssh version, 3. They negotiate a cipher, or fail 3. Server sends pub host key, which Client accepts, or fail 4. Symetric Session key generation Stage (Diffie-Hellman algorithm used) a. both agree on a Seed: large prime number b. both agree on a Cipher: AES c. Each choose a Secret: large prime number d. Each create a Generator Public key (using Seed, Cipher, and Secret) e. Each trade their Generator Public keys. f. A Symmetric Session Key is generated by each using 1) Their own Seed 2) Their own Generator private key 3) Others Generator Public key Symmetric Session Key is used, but never transferred Symmetric Session Key encrypts all session traffic 5. Begin authentication stage 1. Client Sends ID for the keypair 2. Server finds matching pub key for the ID 3. Server sends Number encrypted with public key 4. Client Decryptes message. 5. Client calculate md5 of Decrypted Number, with session key. 6. Client sends MD5 to the server 7. Server calculate md5 from the Number, with session key. If md5's match, client is authenticated

This is an absolutely bare-bones description, but it should work.

Get ssh.
Save it to your download directory. (i.e. /usr/local/download/)
Un-pack: type tar -zxvpf /usr/local/download/ssh.tgz cd into the new ssh dir.
Build SSH: ./configure make su make install exit
Start the deamon: /usr/local/sbin/sshd ps -ef |grep sshd Do you See sshd? If you see sshd, put it in your startup scripts. vi /etc/rc.d/init.d/sshd sample sshd ln -s /etc/rc.d/init.d/sshd /etc/rc.d/rc5.d/S70sshd
Make the keys for a user: login as a regular user ssh-keygen Press enter when prompted for passwd Press enter, accepting all default locations (/home/user/.ssh/identity.pub)
Make a directory to store remote users public keys mkdir /home/user/.ssh/pubkeys Do the same steps on a remote machine.
Setup SSH such that it does not ask for a password when you connect: Get the public key from the remote system. scp user@remote_hosts.com:/home/user/.ssh/identity.pub /home/user/.ssh/pubkeys/remote1.pub -v Enter remote user account passwd. Let remote user connect without a passwd by adding their identity.pub to your authorized_keys cat /home/user/.ssh/pubkeys/remote1.pub >> /home/user/.ssh/authorized_keys The .ssh directory and contents must not be group and other writable chmod -600 /home/user/.ssh/* chmod -644 /home/user/.ssh/identity.pub /home/user/.ssh/authorized_keys chmod -700 /home/user/.ssh/pubkeys Put the local user's public key in the remote user's pubkeys directory. scp /home/user/.ssh/identity.pub user@remote_hosts.com:/home/user/.ssh/pubkeys/remote2.pub -v SSH to the remote machine ssh remote_host.com -v Enter remote user account passwd. Let the local user connect to remote machine without a passwd cat /home/user/.ssh/pubkeys/remote2.pub >> /home/user/.ssh/authorized_keys exit The .ssh directory and contents must not be group and other writable chmod -600 /home/user/.ssh/* chmod -644 /home/user/.ssh/identity.pub /home/user/.ssh/authorized_keys chmod -700 /home/user/.ssh/pubkeys ls -laF /home/user/.ssh/ -rw-r--r-- 1 user user 1032 Jul 26 22:07 authorized_keys -rw------- 1 user user 542 Dec 7 1999 identity -rw-r--r-- 1 user user 347 Jul 6 13:49 identity.pub -rw------- 1 user user 666 Jul 28 00:34 known_hosts -rw------- 1 user user 512 Aug 9 20:59 random_seed drwx------ 1 user user 4096 Dec 7 1999 pubkeys/ Test if it worked ssh remote_host.com -v If all went well, you were not prompted for a passwd.
Use PAM to restrict ssh access on a per user basis Add this line to top of /etc/pam.d/sshd auth required /lib/security/pam_listfile.so item=user sense=allow file=/etc/ssh/pam.sshd onerr=fail Create the file /etc/ssh/pam.sshd # List of users that may log in via ssh daemon root joe_user
With this new ssh2 stuff I had to learn about the authorized_keys2, id_rsa, and id_dsa. Log into your workstation as joe_user, and generate your workstation keys. ssh-keygen -t dsa ssh-keygen -t rsa # make a repository for your pub-keys on the remote_server, and copy your workstation pub-keys over. ssh remote_server -t "mkdir ~/.ssh/pubkeys" scp ~/.ssh/id_rsa.pub joe_user@remote_server:~/.ssh/pubkeys/workstiaon.id_rsa.pub scp ~/.ssh/id_dsa.pub joe_user@remote_server:~/.ssh/pubkeys/workstiaon.id_dsa.pub # now perform the key exchange ssh remote_server -t "cat ~/.ssh/pubkeys/workstiaon.id_rsa.pub >> ~/.ssh/authorized_keys2" ssh remote_server -t "cat ~/.ssh/pubkeys/workstiaon.id_dsa.pub >> ~/.ssh/authorized_keys2" # If the permissions are not corect, the crypto will not work (ssh is strict) ssh remote_server -t "chmod 600 ~/.ssh/authorized_keys2" test it ssh remote_server -v
BLOCK SSH ROOT DICTIONARY ATTACK: Stop stupid script kitties from dictonary attcking your root password: You have 3 choices: 1. Block root login via sshd_config 2. Block root loging via PAM 3. Limit number of login attempts over a time range Limit Login Attempts via iptables rule: # SSH in from anywhere, limited to 1 per two minutes to prevent brut force attack iptables -A INPUT -p tcp -s $ANY -d $PUBIP --dport 22 --syn -m limit --limit 1/minute -j LOG --log-prefix ' SSH ATTEMPT: ' Block Root Login via sshd_config Uncomment or add line to /etc/ssh/sshd_config: PermitRootLogin no Block root loging via PAM Method 1: Make pam block specific list of users Add this line to top of /etc/pam.d/ssh auth required /lib/security/pam_listfile.so item=user sense=allow file=/etc/ssh/pam.sshd onerr=fail Method 2: Make pam allow specific list of users Add this line to top of /etc/pam.d/ssh auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ssh/pam.sshd onerr=succeed Both methods requrie file containg a list of users: /etc/ssh/pam.sshd
Tunnel vnc (or any other protocol) through a firewall with ssh: ----------- ---------- ------------------------- |--->vncserver1 | WinClient |--->(( internet ))-->| firewall accepting ssh |-->|--->vncserver2 ----------- ---------- ------------------------- |--->vncserver3 One must have: A computer with ssh and vncviewer at home, A ssh daemon on the remote firewall, A vncserver on system behind the firewall. The pc at home connects to the ssh daemon on the firewall, and uses tunnels are formed with -L LocalPort:host_behind_firewall:RemotePort to tunnel vnc connection to servers running vnc on your provate network. Run uservnc.bat, and then try to open the vnc connection to localhost:5901 through :5903. ssh -C -l firewall_user_account -L 5901:ip_of_vncserver1:5900 -L 5902:ip_of_vncserver2:5900 -L 5903:ip_of_vncserver3:5900 ip_of_the_firewall
Tunnel nfs over ssh via local ports: Reference On the server: Create a share that only local host can mount cat /etc/exports /date/music 192.168.0.10(rw,insecure,all_squash,anonuid=99,anongid=55) exportfs -a On the client: 1. Set nfs_server IP, 2. Get servr ports, 3. Create tunnel for nfs and mount, 4. Mount nfs_server=192.168.0.10 rpcinfo -p $nfs_server |egrep 'nfs|mount' # nfs ususally 2049, but mount port changes (mine is 958) ssh -l jstile -f -c blowfish -L 2818:$nfs_server:2049 -L 3045:$nfs_server:958 $nfs_server /bin/sleep 86400 mount -t nfs -o soft,timeo=6000,tcp,port=2818,mountport=3045,nfsvers=3 localhost:/data/music /home/jstile/tmp xmms /home/jstile/tmp/*.mp3 Stick this in the client's /etc/fstab: localhost:/opt/export/users /mnt/nfs/sshmount nfs tcp,rsize=8192,wsize=8192,intr,rw,bg,nosuid,port=2818,mountport=3045,noauto





-------------------------------------------------------

Extra Notes:

-------------------------------------------------------



SSHFS:

  Instead of nfs or smb, use ssh.  Don't need to copy a file locally before using it.

  See SSH Filesystem

  # add user to group fuse

  usermod -a -G fuse  

  sshfs root@ mount_my_server_name



KDE's fish:

  Open konqueror, and in the URL type fish://root@

  Transfering files is just a drag and drop over ssh, from a linux desktop.



Thank you Soren Curry for figuring out the permission problem.



Thank you Soren!!! Now the passwordless connection works!!!!

He found that permissions will make the passwordless connection fail

The .ssh directory and contents must not be group and other writable



Command syntax examples:

1. Copy the public_html directory your computer to your home directory on the server.

 scp -r c:\public_html remote_user_name@server_ip_or name:~/



2. Copy the public_html directory from the server to your local computer.

 scp -r remote_user_name@server_ip_or name:~/public_html C:\



3. Copy the public_html directory from one server to another server, from remote.

 scp -r remote_user_name@server1:~/public_html remote_user_name@server2:~/



Replacing the machine's keys:

(/etc/ssh_host_key and /etc/ssh_host_key.pub)

Type ssh-keygen -f /etc/ssh_host_key -N '' 

Remove any enteries from all users ~/.ssh/known_hosts



SSH for Windows:

Free SSHD1 for windows

See PUTTY 

Free, resizable window, ssh and scp, highlight texts then right click topaste, 

don't need to install to run it.

See Ixplorer: GUI for pscp

Thank you Chris Martial for telling me about ixplorer.

See WinSCP: GUI for pscp

See WebDAV module for Apache: enable secure ftp via DreamWeaver Client



SSH for Mac:

See SSH client for Mac

See NiftyTelnet 

Free xterminal that can ssh, now it can be used in the USA :)

Van Dyke has the next wave

GUI for Linux OpenSSH GUI





Net::SSH::Perl

 install rpm package 'gmp'

 perl -MCPAN -e 'install Net::SSH::Perl'

   --------

  Protocol

  --------

    [1] SSH1

    [2] SSH2

    [3] Both SSH1 and SSH2



    Which protocol(s) do you plan to use? [3] 3    

  --------

  cipher

  -------- 

    (Crypt::IDEA is the default).



    [1] IDEA

    [2] DES

    [3] DES3

    [4] Blowfish

    [5] RC4



   Enter your choices, separated by spaces: [1] 

  -----------

  Optional

  ----------- 

   Checking for optional modules