ssh operation and techniques.v2.0

Upload: pitchrks19841

Post on 03-Apr-2018


  • 7/28/2019 SSH Operation and Techniques.v2.0


    SSH Operation and Techniques - 2001-2006 William Stearns 2

    Overview

    SSH Introduction and Basic Use

    Copying files

    Port and X Windows forwarding

    SSH Keys and installation

    Ssh-agent

    Fanout and Fanterm


    SSH Features

    Command line terminal connection tool

    Replacement for rsh, rcp, telnet, and others

    All traffic encrypted

    Both ends authenticate themselves to the other end

    Ability to carry and encrypt non-terminal traffic


    Brief History

    SSH.com's SSH1, originally completely free with source code, then license changed with version 1.2.13

    SSH.com's SSH2, originally only commercial, but now free for some uses.

    OpenSSH team took the last free SSH1 release, refixed bugs, added features, and added support for the SSH2 protocol.


    Installation

    OpenSSH is included with a number of Linux distributions, and available for a large number of Unices

    On RPM-based Linuxes:

    rpm -Uvh openssh*.rpm


    Basic use

    ssh SshServerName

    ssh -l UserName SshServerName

    ssh SshServerName CommandToRun

    ssh -v SshServerName

    Server Host Key checks

    Uses same login password

    And if we need to encrypt other traffic?


    Securely copying files

    scp

    scp -p localfile remotemachine:/remotepath/file

    Prompts for authentication if needed

    All traffic encrypted

    Replaces ftp, rcp, file sharing


    File synchronization - Rsync

    Rsync copies a tree of files from a master out to a copy on another machine.

    Can use ssh as its transport.

    rsync -azv -e ssh /home/wstearns/webtree/ mirror.stearns.org:/home/web/


    Port Forwarding - real server on remote machine

    I want to listen on port 5110 on this machine; all packets arriving here get sent to mailserver, port 110:

    ssh -L 5110:mailserver:110 mailserver


    Port Forwarding - real server on this machine

    All web traffic to my firewall should be redirected to the web server running on port 8000 on my machine instead:

    ssh -R 80:MyMachine:8000 firewall


    X Windows forwarding

    No setup - already done!

    Run the X Windows application in the terminal window:

    xclock &

    The screen display shows up on your computer, and any keystrokes and mouse movements are sent back, all encrypted.


    Packet forwarding VPNs

    Tunnel packets over the SSH connection

    Connects to a virtual network device on both ends

    OpenSSH 4.3 and higher


    SSH key background

    Old way: password stored on server, user supplied password compared to stored version

    New way: private key kept on client, public key stored on server.


    SSH key creation

    General command:

    ssh-keygen -b 1024 -c 'Comment' -f ~/.ssh/identity_file

    Different forms for each of the SSH flavors

    Assign a hard-to-guess passphrase to the private key during creation.

    Key can be used for multiple servers


    SSH key installation

    3 versions of ssh: interoperability is good, but poorly documented

    ssh-keyinstall utility automates the creation and installation

    'ssh-keyinstall -s SshServerName' creates keys, if needed, and installs them on the remote server

    Need password during key install only


    Using SSH keys

    ssh SshServerName

    ssh -l UserName SshServerName

    ssh SshServerName CommandToRun

    ssh -v SshServerName


    ssh-agent

    Remembers your private key(s)

    Other applications can ask ssh-agent to authenticate you automatically.

    Unattended remote sessions.

    Should already be running in the background

    ssh-add [KeyName]


    Fanout

    Runs command on multiple machines by opening separate ssh session to each

    fanout 'machine1 machine2 user@machine3' 'command params'

    Gives organized output from each machine
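
    The fan-out pattern described above, as an added shell sketch; it is not the fanout script from stearns.org and is not code from the slides. The function name run_on_hosts, the SSH_CMD variable and the fake_ssh stand-in are assumptions of this example.

```shell
#!/bin/sh
# Added sketch of the fan-out idea; not the fanout tool itself.
# For real hosts, export SSH_CMD='ssh -n -o BatchMode=yes -o ConnectTimeout=10'
# so a host without a usable key fails instead of waiting at a password prompt.
# Left unset, the constructed stand-in below is used so the example runs offline.
fake_ssh() { [ "$1" != down1 ] && echo "$1 ran: $2"; }   # "down1" always fails
SSH_CMD=${SSH_CMD:-fake_ssh}

# run_on_hosts 'host1 host2 user@host3' 'command params'
# Prints one labelled section per host; returns the number of failed hosts.
run_on_hosts() {
    hosts=$1
    remote_cmd=$2
    tmpdir=$(mktemp -d) || return 1
    for h in $hosts; do
        # One session per host, all started in parallel.
        ( rc=0
          $SSH_CMD "$h" "$remote_cmd" >"$tmpdir/$h.out" 2>&1 || rc=$?
          echo "$rc" >"$tmpdir/$h.rc" ) &
    done
    wait
    failed=0
    for h in $hosts; do
        # Report in the order the hosts were listed, not completion order.
        rc=$(cat "$tmpdir/$h.rc")
        echo "==== $h (exit $rc) ===="
        cat "$tmpdir/$h.out"
        [ "$rc" -eq 0 ] || failed=$((failed + 1))
    done
    rm -rf "$tmpdir"
    return "$failed"
}

# Offline demonstration against the stand-in.
run_on_hosts 'web1 down1 admin@db1' 'uptime' || echo "hosts failed: $?"
```

    Keeping each host's exit status next to its output makes an unreachable or key-less machine visible instead of showing up as an empty section.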


    Fanterm - live control of multiple machines

    Fanterm provides interactive control of multiple remote systems.

    Initial window receives keystrokes.

    Keystrokes sent to each remote system.

    Output from each system shows up in a separate terminal.


    Fanqueue - the next generation

    Queue commands to be run on a group of machines

    Handles case where a machine is unavailable

    Allows new machines to be added later


    Rsync-backup

    Rsync-backup automates the process of backing up machines with rsync and ssh.

    Features:

    Only changed data shipped

    All permissions preserved

    All communication encrypted

    Unlimited snapshots

    Use


    Rsync-backup client install

    Install ssh, rsync, and rsync-backup-client rpms (see http://www.stearns.org )

    Install ssh-keyinstall on client to create a backup key with

    ssh-keyinstall -s backupserver -u root -c /usr/sbin/rsync-backup-server


    Rsync-backup server install

    Install ssh, freedups, rsync-static, and rsync-backup-server rpms

    Turn off password authentication in /etc/ssh/sshd_config
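
    One way to check that step, as an added example that is not part of the original slides: a shell function that reads sshd_config text and reports the global PasswordAuthentication value plus any Match block that turns it back on. The function name password_auth_report and the sample configuration are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the slides): summarise how an sshd_config sets
# PasswordAuthentication. sshd keeps the first value it reads for a keyword,
# keywords are case-insensitive, and the built-in default is "yes".
# Lines after a "Match" line apply only to matching connections.

# Reads sshd_config text on stdin; prints "global=<yes|no> match_yes=<count>".
password_auth_report() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = match(line, /[ \t=]/)           # keyword ends at blank or "="
            key = tolower(n ? substr(line, 1, n - 1) : line)
            val = n ? substr(line, n) : ""
            sub(/^[ \t=]+/, "", val)
            split(val, word, /[ \t]+/)
            arg = tolower(word[1])
        }
        key == "match" { in_match = 1; next }
        key == "passwordauthentication" {
            if (in_match) { if (arg == "yes") match_yes++ }
            else if (global == "") global = arg
        }
        END {
            if (global == "") global = "yes"    # default when never set
            printf "global=%s match_yes=%d\n", global, match_yes
        }
    '
}

# Constructed sample: password logins are off globally but re-enabled for one
# user in a Match block, which a quick look at the first setting would miss.
SAMPLE_CONFIG='# constructed sshd_config fragment
Port 22
passwordauthentication no
PasswordAuthentication yes
Match User legacy
    PasswordAuthentication yes
'

printf '%s' "$SAMPLE_CONFIG" | password_auth_report
```

    On a running server, `sshd -T` prints the configuration sshd actually resolved and is the authoritative check; this function only reads the text it is given and does not follow Include lines.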


    Rsync-backup examples

    Examples of backup commands:

    rsync-backup-client / root@backupserver:/

    rsync-backup-client /usr /home/gbk root@backupserver:/


    Links and references

    http://www.vandyke.com

    http://www.ssh.com

    http://www.openssh.org

    SSH, The Secure Shell, The Definitive Guide

    ssh-keyinstall, fanout, rsync-backup, freedups and other apps at http://www.stearns.org


    More links

    Docs at http://www.stearns.org/doc/

    http://www.employees.org/~satch/ssh/faq/ssh-faq.html

    http://rsync.samba.org

    William Stearns [email protected]